As the title suggests, this post will take a look at configuring AAA on Cisco switches, which is another of the CCNP Switch objectives. To start off, what is AAA? It stands for Authentication, Authorization and Accounting, and is essentially a framework for controlling access to resources and auditing that access. Authentication is about identifying a user via user-provided credentials: if the credentials are good then access is granted, if not then it is denied. Authorization is about the level of access a user has; an authenticated user is authorized to perform certain tasks, which is generally enforced via policy. Accounting is all about tracking what resources a user accesses, how much data is transferred, and so on.
In this post I’m going to concentrate on the Authentication element of AAA, with some basic examples. Configuring AAA can be quite involved, and there’s far more to it than can be covered in one post. For detailed information check out the ‘Configuring Authentication’ section of the Cisco IOS Security Configuration Guide.
There are a few different options available when configuring AAA: local authentication, TACACS+ and RADIUS authentication. I’ll start by looking at local authentication, which is used if a TACACS+ or RADIUS server isn’t available, and is commonly configured as a backup in case an authentication server becomes unreachable.
Before anything else, the first step is to enable AAA functionality on the device, by running ‘aaa new-model’:
S1(config)#aaa new-model
For local authentication to work we need to create a local user. To create a new user with its password stored in plain text:
S1(config)#username test password Pa55w0rd
Having passwords in plain text isn’t a good idea! To create a new user whose password is stored as a one-way hash rather than in plain text, use ‘secret’ instead of ‘password’:
S1(config)#username test2 secret Pa55w0rd
Next we need to issue a command to tell the switch to authenticate using the local database when users attempt to log in:
S1(config)#aaa authentication login default local
This command breaks down as follows. The ‘aaa authentication’ part simply says we want to configure authentication settings. ‘login’ states that we want to prompt for a username/password when a connection is made via a line (console, tty, vty etc.). ‘default’ means that we want to use the default authentication method list (these are explained here). Finally, ‘local’ means that we wish to authenticate against the local database.
Now, when logging in via console etc, you will have to enter credentials:
User Access Verification

Username: test
Password:
The following can be entered to have the switch prompt for credentials when entering ‘enable’ mode.
enable secret Pa55w0rd
aaa authentication enable default enable
So far this has covered authentication using the device’s local database. It’s also possible to use an authentication server such as RADIUS or TACACS+. A simple TACACS+ configuration for authentication would be:
tacacs-server host tacacs-server-IP
tacacs-server key 0 secretkey
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
With this configured, the switch will attempt to verify the supplied credentials against the TACACS+ server before granting access. If the server is unavailable or unreachable (as opposed to reachable but rejecting the credentials), the switch falls back to the local authentication database.
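As an added example (not part of the original post), here is a small Python audit that reads a running-config and checks the points made above: that ‘aaa new-model’ is present, that local users were created with ‘secret’ rather than ‘password’, that the server key is not stored as type 0, and that the login and enable method lists keep a local/enable fallback after the server group. The sample config is constructed from the post’s commands; the 192.0.2.10 address and the hash values are placeholders.

```python
import re
from typing import List

# Constructed sample running-config mirroring the post's local, enable and TACACS+ commands.
SAMPLE_CONFIG = """\
aaa new-model
username test password Pa55w0rd
username test2 secret 5 $1$abcd$PLACEHOLDERHASH
enable secret 5 $1$abcd$PLACEHOLDERHASH
tacacs-server host 192.0.2.10
tacacs-server key 0 secretkey
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
"""

def _methods(lines: List[str], prefix: str) -> List[str]:
    """Return the method keywords of the first line starting with prefix (empty if absent)."""
    for l in lines:
        if l.startswith(prefix):
            return l[len(prefix):].split()
    return []

def audit_aaa(config: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # 1. Method lists only take effect once AAA is enabled.
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: AAA method lists are not in effect")
    for l in lines:
        # 2. 'username ... password' keeps the password in clear text (or reversible type 7).
        m = re.match(r"username (\S+) password ", l)
        if m:
            findings.append(f"user {m.group(1)} created with 'password'; use 'secret' instead")
        # 3. 'key 0' stores the shared server key in clear text in the running-config.
        if re.match(r"(tacacs|radius)-server key 0\b", l):
            findings.append(f"shared key on '{l.split(' key ')[0]}' is type 0 (clear text)")
    # 4. A server group in the login list needs a local fallback for when the server is unreachable.
    login = _methods(lines, "aaa authentication login default ")
    if "group" in login and "local" not in login:
        findings.append("login method list has no 'local' fallback after the server group")
    # 5. The enable list needs a fallback too, and the 'enable' method requires an enable secret.
    en = _methods(lines, "aaa authentication enable default ")
    if "group" in en and not ({"enable", "local"} & set(en)):
        findings.append("enable method list has no fallback after the server group")
    if "enable" in en and not any(l.startswith("enable secret") for l in lines):
        findings.append("enable list falls back to 'enable' but no enable secret is configured")
    return findings
```

Running audit_aaa(SAMPLE_CONFIG) reports the plain-text ‘test’ user and the type 0 server key; the other checks pass because the post’s method lists already end in ‘local’ and ‘enable’.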