3. The Need for AAA services
• In present day networks many tools are available to
access and configure devices, locally or remotely
(Terminal, Telnet, EWS, SSH etc)
• It is desirable and useful to be able to limit who can
view/change settings of the system
• Verification is needed for:
– User authentication – will the user have (any) device access?
– User authorization – once the user has access, what level of
access will they have?
4. AAA services
• AAA security services - using usernames and/or
passwords to authenticate a user's identity, to determine
the user's access (authorization) level and to record what
the user has done (accounting).
• The AT - 8000S switches implement Authentication and
Authorization.
5. Secure Switch Management
Local Authentication Data Flow
[Figure: the user connects to the switch via Telnet, Console or SSH and presents UserID: bob / Password: ge55gep. The switch looks the entry up in its own device database (UserID: bob, Password: ge55gep, attributes: xxxx) and answers Access-Accept.]
6. Secure Switch Management
Authentication Data Flow (RADIUS)
[Figure: Bob connects to the switch (Device-ID: 207.12.4.1) via Telnet, Console or SSH with UserID: bob / Password: ge55gep. The switch sends User-Name=bob and password=ge55gep to the RADIUS server; the server selects UserID=bob from its user database (Password: ge55gep, [other attributes]) and returns Access-Accept with Timeout=3600 and [other attributes].]
7. RADIUS Basics
• Defined by IETF standards RFC2138 & RFC2139
http://www.faqs.org/rfcs/rfc2138.html
http://www.faqs.org/rfcs/rfc2139.html
• Requires Clients (normally a NAS, in our case a Switch) and servers
(often called RADIUS servers)
9. AAA – Databases
• Access security (AAA) services on the AT - 8000S use the
following databases (or methods) for username and password
validation:
– Local – Device database with the following fields: Username,
Password and Level of privilege (access)
– Enable - Device general password list for gaining privileged
(high) level access
– Line – Device password list for each specific line (console,
telnet and SSH) for gaining access
– RADIUS server – External database with the following fields:
Username, Password and Level of privilege (access)
– TACACS+ – A security application that provides centralized
validation of users to gain access to a device (router or an
access server). To be addressed in a separate presentation
– (None) – no database is used (username and PW not needed)
10. AAA – Management interfaces
• Access security (AAA) services on the device can
be configured on 5 management interfaces:
– Console (ASCII terminal), telnet & SSH –
• Have their own line command mode.
• Lookup using any of the methods
• Are associated with one or more lookup methods using method
lists – or lists of databases
• Separate method lists for authentication and authorization
– HTTP & HTTPS
• Do not have a line command mode
• Lookup using only the local, RADIUS, TACACS+ or “none” methods
• Associated directly to one or more methods (not through a list)
• Lookup only for authentication (includes authorization lookup)
• One more interface is the 802.1x which is an access
(not management) control
– This issue will be covered in separate presentation.
11. AAA – Methods Lists
• Methods lists contain one or more databases (methods)
• Methods lists are defined separately for Authentication
and Authorization verification
• User can define many lists for each type
• Each method list is assigned a list-name.
• “Default” method list is a unique list which exists on the
device. This list can be configured by user like any other
list (but not removed).
• Console, Telnet and SSH are associated separately to one
authentication method-list and one authorization method-
list
12. AAA – Methods Lists
• Authentication methods lists can contain one or
more of the following methods: enable, line,
local, RADIUS, TACACS+ and “none”.
• Authorization methods list can contain one or
more of the following methods: enable, line,
RADIUS, TACACS+ and “none” (but not local
database)
13. AAA – “Default” Method List
• System has 2 method lists named “default”: one for login and
one for enable (authorization)
• This is the method list which applies to the lines – unless the
user defines otherwise.
• At system startup the default method list is different for
console or network (telnet, SSH) connections:
– For login default method list is:
• Console_Default : None
• Network_Default : Local
– For enable default method list is:
• Console_Default : Enable None
• Network_Default : Enable
– http : Local
– https : Local
– dot1x :
• If user modifies the “default” list (via CLI) the same method
list applies for both console and network connections. Via
web management both defaults can be changed separately
14. AAA – Method Rules
• Method lists containing only 1 method:
– If username and/or PW are verified by DB - user is
granted access or the level of access required
– If the method specified is “none” - user is granted
access or the level of access required without
having to provide a Username or PW.
– If username and/or PW are not accepted by DB –
access or access level is denied
– If database is unavailable (or not configured) -
access or access level is denied
15. AAA – Method Rules
• Method lists containing a list of methods:
– If username and/or PW are verified by current DB - user is
granted access or the level of access required
– If username and/or PW do not exist on current DB – access
or access level is denied (does not check next DB) – even if
“none” is the next method on the list
– If the current method is unavailable (or not configured) –
verification is attempted with the next method on the list
– If all methods are unavailable (checked one by one) -
access or access level is denied, unless “none” method is
part of the list
16. AAA Configuration
• When using separate security server, the device
has to be configured with the RADIUS/TACACS+
server parameters and attributes
• Configure the databases (on device or
RADIUS/TACACS server) with the relevant
Username and/or PW
• Define the method lists for authentication and
authorization using AAA commands
• Apply the method lists to a particular line (line
command mode), if required
• If needed, apply the methods directly to the
HTTP/HTTPS services
17. AAA Process
• When a particular line attempts to access the
device, user authentication (or access level) is
performed by checking the method list attached
to that line.
• User authentication and authorization occurs in
the order the methods are listed in the relevant
list
• User will be authenticated by the first method on
the list, and only if the first option cannot be
reached - by next methods listed.
• If the first (or current) method is functioning
properly – but the user is not authenticated (entry
does not exist) – the next methods are not used
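The rules of slides 14, 15 and 17 as a small Python simulation (an added example, not code from the deck or from the switch firmware): each method answers accept, reject or error; only an error moves the lookup to the next method, a reject ends it at once even when “none” follows, and a list whose methods are all unavailable denies unless “none” is reached. The databases, the unreachable RADIUS server and the passwords are constructed from the deck's later examples.

```python
import hmac
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"   # database verified the credentials
    REJECT = "reject"   # database reachable, credentials not accepted
    ERROR = "error"     # database unavailable or not configured


@dataclass
class Attempt:
    line: str            # "console", "telnet" or "ssh"
    username: str = ""
    password: str = ""
    level: int = 1       # 1 for login; requested privilege level for enable


# Constructed databases, using names and passwords from the deck's examples.
DATABASES = {
    "local": {"david": ("david", 15), "george": ("george", 1)},   # user -> (PW, level)
    "enable": {1: "low", 15: "high"},                              # level -> PW
    "line": {"console": "PW_Console", "telnet": "PW_Telnet", "ssh": "PW_SSH"},
    "radius": None,      # assumption: server configured but not reachable
}


def same(a: str, b: str) -> bool:
    """Constant-time string comparison for the password checks."""
    return hmac.compare_digest(a.encode(), b.encode())


def query(method: str, a: Attempt) -> Result:
    """One database lookup (slide 14): verified -> ACCEPT, not accepted -> REJECT,
    unavailable -> ERROR; 'none' accepts without credentials."""
    if method == "none":
        return Result.ACCEPT
    db = DATABASES.get(method)
    if db is None:
        return Result.ERROR
    if method == "local":
        entry = db.get(a.username)
        ok = entry is not None and same(entry[0], a.password)
    elif method == "enable":         # login via enable needs the level-1 PW (slide 31)
        ok = a.level in db and same(db[a.level], a.password)
    elif method == "line":
        ok = a.line in db and same(db[a.line], a.password)
    else:
        return Result.ERROR
    return Result.ACCEPT if ok else Result.REJECT


def evaluate(method_list: list, a: Attempt) -> bool:
    """Slides 15 and 17: methods are tried in order; only ERROR moves on to the
    next method, REJECT stops at once (even if 'none' follows), and a list whose
    methods are all unavailable denies unless 'none' is reached."""
    for method in method_list:
        result = query(method, a)
        if result is not Result.ERROR:
            return result is Result.ACCEPT
    return False
```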
18. AAA
Registering the system:
1. Creating passwords (and users) databases
• Local, enable, line, RADIUS, TACACS+, none
2. Assign databases to methods
• One or more database to each method (or none)
3. Attaching methods to line
[Figure: the lines (console, telnet, ssh, http, https) are attached to methods (login, enable), each of which draws on one or more databases (Local Pwd, Enable Pwd, Line Pwd, Radius Pwd, None).]
19. AAA (1)
Databases:
console(config)# username XXX password YYY level 15
local:
  User name   password   level
  Local1      loc1       1
  Local15     loc15      15

console(config)# enable password level 15 YYY
enable:
  User name   password   level
  -----       en1        1
  -----       en15       15

console(config)# line console/telnet/ssh
console(config-line)# password YYY
line:
  User name   password              level
  -----       linec (for console)   -----
  -----       linet (for telnet)    -----
  -----       lines (for ssh)       -----
20. AAA cont’
Assign database to methods:
console(config)# aaa authentication login log_tel enable none
  login/enable   method name   Database in use
  login          log_cons      line none
  login          log_tel       enable none
  login          log_ssh       local

console(config)# aaa authentication enable en_cons local
  login/enable   method name   Database in use
  enable         en_cons       local
  enable         en_tel        line
  enable         en_ssh        Radius enable none
21. AAA cont’
• Attaching methods to line:
console(config)# line console
console(config-line)# login authentication log_cons
console(config-line)# enable authentication en_cons
console(config-line)#
console(config)# line telnet
console(config-line)# login authentication log_tel
console(config-line)# enable authentication en_tel
console(config-line)#
console(config)# line ssh
console(config-line)# login authentication log_ssh
console(config-line)# enable authentication en_ssh
console(config-line)#
console(config)#
console(config)# ip http authentication local none
console(config)# ip https authentication radius local
22. AAA cont’
console# show authentication methods
Login Authentication Method Lists
---------------------------------
Console_Default : None
Network_Default : Local
log_ssh         : Local
log_tel         : Enable None
log_cons        : Line None

Enable Authentication Method Lists
----------------------------------
Console_Default : Enable None
Network_Default : Enable
en_ssh          : Radius Enable None
en_tel          : Line
en_cons         : Enable None

Line      Login Method List   Enable Method List
-------   -----------------   ------------------
Console   log_cons            en_cons
Telnet    log_tel             en_tel
SSH       log_ssh             en_ssh

http  : Local None
https : Radius Local

DB – local
  User name   password   level
  Local1      loc1       1
  Local15     loc15      15

DB – enable
  User name   password   level
  -----       en1        1
  -----       en15       15

DB – line
  User name   password              level
  -----       linec (for console)   -----
  -----       linet (for telnet)    -----
  -----       lines (for ssh)       -----
24. AT - 8000S AAA – CLI Configuration
• Entering Line configuration mode
• Configuring databases
• Creating method lists
• Applying method lists to lines
• Applying methods to HTTP/HTTPS
• Show commands
25. AT - 8000S – Line Mode
• Use the following Global Mode command to
enter the command line mode of
console/telnet/ssh:
line {console | telnet | ssh}
Example – entering telnet line mode:
console# con
console(config)# line telnet
console(config-line)#
27. AAA – Line Password
• Use the following Line Configuration Mode command to
specify a password for a line. To remove the password, use
the no form of this command:
password password [encrypted]
no password
encrypted - Encrypted password you enter, copied from
another device configuration.
28. AAA – Line Password
• Notes:
– Each line (console, telnet, ssh) is configured with its own
password and only that PW will apply for that line.
– Each line has only 1 PW – entering a new PW will cancel
previous one
– There is no “show” command to view line PW
29. AT - 8000S – Line PW Example
• Example
– configuring a PW for each of the lines (console; telnet and SSH)
console(config)# line console
console(config-line)# password PW_Console
console(config-line)# exit
console(config)# line telnet
console(config-line)# password PW_Telnet
console(config-line)# exit
console(config)# line SSH
console(config-line)# password PW_SSH
console(config-line)#
30. AAA – Enable Password
• Use the following Global Mode command to set a local
password for different privilege levels. Use the no form of
this command to remove the password requirement.
enable password [ level level ] password [encrypted]
no enable password [ level level ]
• level - Level for which the password applies. If not specified
the level is 15.
• Encrypted - Encrypted password you enter, copied from
another device configuration
31. AAA – Enable Password
• Notes:
– Only 1 PW can be defined for each level (new PW settings for a level will
erase previous entry)
– Only levels 15 and 1 are implemented in current version
– There is no “show” command to view enable PW
– If enable is the method used for login (authentication), the user
must enter the PW for level 1. If user will use PW for level 15 –
access will be denied.
32. AAA – Local User Name
• Use the following Global Mode command to establish a
username-based authentication system. Use the no form
to remove a user name:
username name [password password] [Level level] [encrypted]
no username name
• name & password - The name and authentication
password of the user.
• level - Specifies the user level. If not specified the
privilege level is 15.
33. Enable & User Example
• Example
– Configuring enable PW level 15 and level 1
– Configuring local DB user name and PW
console(config)#
console(config)# enable password level 15 high
console(config)# enable password level 1 low
console(config)# username david password david level 15
console(config)# username george password george level 1
console(config)#
34. AAA - RADIUS Server
• Use the following Global Mode command to specify a RADIUS
server host. To delete the specified host, use the no form of
command:
radius-server host ip-address [auth-port auth-port-number]
[timeout timeout] [retransmit retries] [deadtime deadtime] [key
key-string] [source source] [priority priority] [usage type]
no radius-server host ip-address
35. RADIUS – Global Parameters
• Each of the parameters in the radius server host
command can be used as individual commands to
configure Global Radius configuration (Applied to a
server if host command did not include this parameter):
radius-server key
radius-server retransmit (default 3)
radius-server source-ip (default 0.0.0.0)
radius-server timeout (default 3)
radius-server deadtime (default 0)
• “no” form of command can be used with each command
type to return value to default
36. AT - 8000S - Radius Example
• Example
– Configuring a radius server with IP 10.1.1.100 port 1645 and
priority 1
– Defining Global retransmit value of 5
console(config)#
console(config)# radius-server host 10.1.1.100 auth-port 1645 priority 1
console(config)# radius-server retransmit 5
38. Login Authentication Method
• Use the following Global Mode command to define
authentication method lists for login. Use the no form of this
command to erase a defined list name:
aaa authentication login {default | list-name} method1 [method2...]
no aaa authentication login {default | list-name}
• default - The device’s default list of methods. Using the
“no” option on “default” returns it to the device default
• list-name - name of a (user defined) list of authentication
methods which can be activated when a user logs in.
40. Login Authentication Method
• The additional methods in a list (if such were defined) are used
only if the previous method returns an error, not if it denies
login. To ensure that the login succeeds even if all methods
return an error (but not if they denied access), specify none as
the final method.
• The default and optional list names defined with the aaa
authentication login command are attached to a line using the
login authentication command (line mode)
41. Enable Authentication Method
• Use the following Global Mode command to set
Authorization when the user attempts to access a higher
privilege level. To remove a list (or return “default” list to
original setting) use the no form of this command:
aaa authentication enable {default | list-name} method1
[method2...]
no aaa authentication enable {default | list-name}
43. Enable Authen. Method
• The additional methods on a list (if such were defined) are
used only if the previous method returns an error, not if
authentication fails. To ensure that the authentication
succeeds even if all methods return an error, specify none
as the final method
• All aaa authentication enable requests sent by the device to
a RADIUS or TACACS server include the username
"$enabx$.", where x is the requested privilege level (15 for
the highest)
• The default and optional list names that you define with
the aaa authentication enable command are applied to a line
with the enable authentication (line configuration mode)
command.
44. Method Lists - Example
• Example
– Configuring 3 different login method lists
– Changing login “default” method list
– Configuring 3 different enable method lists
console(config)# aaa authentication login log1 local none
console(config)# aaa authentication login log2 radius enable
console(config)# aaa authentication login log3 line
console(config)# aaa authentication login default line
console(config)# aaa authentication enable en1 enable none
console(config)# aaa authentication enable en2 line
console(config)# aaa authentication enable en3 radius none
46. Assigning Login Authentication-list
to Line
• Use the following Line Configuration Mode
command to specify login authentication method
list. To return to the default list use the no form of
this command:
login authentication {default | list-name}
no login authentication
• default / list-name – as specified in the Global Mode aaa
authentication login command.
• Command is applied separately to each line (console,
telnet, SSH) via its own command line
47. Assigning Enable Authentication-list
to a Line
• Use the following Line Configuration Mode
command to specify an authorization method
list when the user requests to access a higher
privilege level. To return to the default list use
the no form of this command.
enable authentication {default | list-name}
no enable authentication
• default / list-name – as specified in the Global Mode aaa
authentication enable command.
• Command is applied separately to each line (console,
telnet, SSH) via its own command line
48. Method Lists - Example
• Example - Assigning login and enable method lists to lines
(assign default list to console login)
console(config)# line console
console(config-line)# login authentication default
console(config-line)# enable authentication en1
console(config-line)# exit
console(config)# line telnet
console(config-line)# login authentication log2
console(config-line)# enable authentication en2
console(config-line)# exit
console(config)# line ssh
console(config-line)# login authentication log3
console(config-line)# enable authentication en3
50. HTTP Authentication List
• Use the following Global Mode command to
specify authentication method(s) for http server
users. To return to the default (local), use the no
form of this command:
ip http authentication method1 [method2...]
no ip http authentication
• method1 [method2...] - At least one from: Local,
Radius, TACACS, None.
• Default method is “local”
51. HTTPS Authentication List
• Use the following Global Mode command to
specify authentication methods for https server
users. To return to the default (local), use the no
form of this command:
ip https authentication method1 [method2...]
no ip https authentication
• method1 [method2...] - At least one from: Local,
Radius, TACACS, None.
• Default method is “local”
52. HTTP/HTTPS AAA - Example
• Example:
– Apply radius method on HTTPS for AAA services
– Apply TACACS method on HTTP for AAA services
console(config)#
console(config)# ip https authentication radius
console(config)# ip http authentication tacacs
55. AAA – Show commands
• Use the following EXEC mode command to
display information about the authentication
methods
show authentication methods
• The command will show:
– Login method list
– Enable method list
– Line – method list association
– HTTP/HTTPS/dot1x-method association
56. AAA – Show commands
console# sh authentication methods
Login Authentication Method Lists
----------------------------------
Default : Enable
logm    : Enable
Enable Authentication Method Lists
----------------------------------
Default : Enable
enm     : Enable
57. AAA – Show commands
Line      Login Method List   Enable Method List
-------   -----------------   ------------------
Console   logm                enm
Telnet    Default             Default
SSH       Default             Default
http  : Local
https : Local
dot1x :
58. Show RADIUS Server
• Use the following EXEC mode command to
display the RADIUS servers settings:
show radius-servers
console# sh radius-servers
IP address Auth. TimeOut Retran. DeadTime source IP Prio. Usage
--------------- ----- ------- ------- -------- --------------- ----- -----
9.1.1.1 1812 Global Global Global Global 0 all
Global values
--------------
TimeOut : 3
Retransmit : 3
Deadtime : 0
Source IP : 0.0.0.0
console#