CCNA Security Chapter 3 - AAA: Authentication, Authorization and Accounting

A network must be designed to control who is allowed to connect to it and what they are allowed to do when they are connected. These design specifications are identified in the network security policy. The policy specifies how network administrators, corporate users, remote users, business partners, and clients access network resources.

Cisco IOS routers can be configured to use AAA to access :
- a local username and password database,
- a Cisco Secure Access Control Server (ACS).

Cisco ACS is :
- very scalable because all infrastructure devices access a central server,
- fault tolerant because multiple servers can be configured,
- often implemented by large organizations.

AAA Terminology
Authentication - what user can log in. AAA can be used  for PPP, VTY, Console, AUX VPN and others
Authorization - defines what the user can do.
Accounting - logs actions performed by the user.

AAA Sources
- Local Database  (running config) – Local ‘username xxx password xxx’ database.
- TACACS+ Server
- RADIUS Server

Access Modes
- Character – Used for remote administrative access to VTY,TTY, Aux and Console. AAA can be
configured for login, exec and enable.
- Packet – Used for Remote network access on async, BRI ec. AAA will be configured ppp for

Purpose of AAA
The simplest form of authentication is passwords. This method is configured using a login and password combination on console, and vty lines and aux ports.
username username password password    <- plaintext password in config if no service password-encryption command
username username secret password      <-  MD5-style encryption 
Local database methods:
(config) # line vty 0 4
(config-line) # password Cisc00
(config-line) # login
(config) # username ADMINS secret S0meS3cret
(config) # line vty 0 4
(config-line) # login local
Local database authentication preferred over a password-only login because it provides authentication and accountability.

aaa new-model disables all traditional authentication methods (password and login command under vty lines etc).
At a minimum a local username must be created to avoid locking yourself out of the device.

AAA is a way to control :
 - who is permitted to access a network (authenticate),
 - what they can do while they are there (authorize),
 - audit what actions they performed while accessing the network (accounting).

AAA can be used to authenticate users:
 - for administrative access (Character mode: console, vty, aux, tty with login,exec,enable commands)
 - for remote network access (Packet mode: Dial-up and VPN access with ppp and network commands).

AAA Authentication
 - local database (stores usernames and passwords locally in the Cisco router. This database is the same one required for establishing role-based CLI. Local AAA is ideal for small networks). A minimum of one method and a maximum of four methods can be specified for a single method list.
The Login Password Retry Lockout (attempts max-fail) feature allows system administrators to lock out a local AAA user account after a configured number of unsuccessful attempts by the user to log in using the username that corresponds to the AAA user account. A locked-out user cannot successfully log in again until the user account is unlocked by the administrator. 
 - server-based (uses an external database server resource with RADIUS or TACACS+ protocols).
AAA Accounting collects and reports usage data so that it can be employed for purposes such as auditing or billing.
The Cisco is using 2 protocols:
- TACACS+ (Terminal Access Control Access Control Server Plus),
- RADIUS (Remote Authentication Dial-In User Services).
TACACS+ is considered the more secure protocol. This is because all TACACS + protocol exchanges are encrypted; RADIUS only encrypts the user password. It does not encrypt user names, accounting information, or any other information carried in the RADIUS message.
TACACS+ is a Cisco enhancement to the original TACACS protocol. Despite its name, TACACS+ is an entirely new protocol that is incompatible with any previous version of TACACS.
* Is incompatible with its predecessors TACACS and XTACACS
* Separates authentication and authorization
* Encrypts all communication
* Utilizes TCP port 49.
* Uses RADIUS proxy servers for scalability
* Combines RADIUS authentication and authorization as one process
* Encrypts only the password
* Utilizes UDP (port 1645 or 1812 for authentication and port 1646 or 1813 for accounting
* Supports remote-access technologies, 802.1X, and Session Initiation Protocol (SIP)
RADIUS is widely used by VoIP service providers.
RADIUS is also a common authentication protocol that is utilized by the 802.1X security standard.
The Diameter protocol is the planned replacement for RADIUS. Diameter uses a new transport protocol called Stream Control Transmission Protocol (SCTP) and TCP instead of UDP.

AAA syntax
aaa type {  default |   list-name} method-1 [  method-2 method-3 method-4]
1) type could be authentication or authorization or accounting

2) At least one method must be specified.
If an authentication process succeeds but the user is denied,the other methods are checked. 

Possible authentication methods:
- Enable – Use enable password for authentication.

- Group – Use specified server-group (radius / tacacs+)
- Line – Use line password for authentication.
- Local –Use local username authentication.
- None – No authentication. There will be no login prompt.
- group tacacs+

Up to five methods can be specified in the method list (4 for SDM).
When used the list is checked from the first entry to the last entry but only if previous method fails (timeouts or fails).

Router(config)#aaa authentication ? 
  dot1x            Set authentication lists for IEEE 802.1x.
  enable           Set authentication list for enable.
  login            Set authentication lists for logins.
  password-prompt  Text to use when prompting for a password
  username-prompt  Text to use when prompting for a username

Router(config)#aaa authentication login ?
  WORD     Named authentication list (max 31 characters, longer will be rejected).
  default  The default authentication list.

Router(config)#aaa authentication login default ?
  enable         Use enable password for authentication.
  group          Use Server-group
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support

aaa authentication login default  local enable

! 1) This list is specifying that the local database (running-config) will be used first to look for the username.
!     If the username isn't in the running, then it will go to the second method in the list.
! 2) The second method of "enable" says that if the user account isn't found in the running, then to use the enable secret to login.
! This default list will apply to all SSH, Telnet, VTY, AUX and Console sessions unless there is another (different) custom
!    method list that is created and directly applied to one of those lines.

! accepts a locally configured username, regardless of case.

! local - Specifies the local authentication method.
! none - No authentication, everyone permitted. 

Activate the Authentication, except for the console port
aaa authentication login NOTACACS local
line con 0
   login authentication NOTACACS
By using the syntax on authentication "local none" it will use those methods for the default group i.e. the local database, which if no user/passes exist it will use no authentication.

! Example turns off password validation.
switch(config)# aaa authentication login default none
The difference between using the login local command and local aaa authentication for authenticating administrator access:
Local AAA provides a way to configure backup methods of authentication; login local does not.

# conf t
(config)# username ADMIN secret SFEG$T#D45gd
(config)# aaa new-model    <- To enable AAA
(config)# aaa authentication login default  local-case enable  <-or local-case or enable or other method
(config)# aaa authentication login TELNET-ACCESS local-case
(config)# aaa local authentication attempts max-fail number-of-unsuccessful-attempts
(config)# line vty 0 4
(config-line)# login auth TELNET-ACCESS

# show aaa local user lockout {username username | all}
Router# clear aaa local user lockout username user1

# show aaa user {all | unique id}
# show aaa sessions
# debug aaa auth
# test aaa group tacacs+ admin cisco123 legacy
  Attempting authentication test to server-group tacacs+ using tacacs+ 
  User was successfully authenticated.
By default the ‘default’ AAA method list is set to use the local database. The default method list is used for all lines etc unless another method list is specified.
This default method list, created below has two methods listed "local" and "enable".

% Authentication failed
 Problem with user (not existing on tacacs, if tacacs is up)

% Authorization failed.
 User authenticated, but not is was not set correct authorization commands.
 IS SET: aaa authorization exec default local
 SHOULD BE: aaa authorization exec default group tacacs+ local none

AAA authorization
AAA authorization enables you to limit the services available to a user.  
Default: Authorization is disabled for all actions (equivalent to the method keyword none).  
If AAA authorization on a device is not configured = Authenticated users are granted full access rights.
If an administrator configures the aaa authorization command prior to creating a user with full access rights, the administrator is immediately locked out of the system. 
1) aaa authorization {network | exec | commands level | reverse-access} {default | list-name} [method1 [method2...] ]
2) line [aux | console | tty | vty] line-number [ending-line-number]

interface interface-type interface-number
Cisco Secure ACS
Many enterprise-level authentication servers are on the market today, but they lack the ability to combine both the TACACS+ and RADIUS protocols into a single solution. Fortunately, Cisco Secure ACS for Windows Server is a single solution that offers AAA for both TACACS+ and RADIUS.
Cisco Secure ACS supports a broad variety of access connections, including wired and wireless LAN, dialup, broadband, content, storage, VoIP, firewalls, and virtual private networks (VPNs).
For Cisco Secure ACS the client device are routers, switches, firewalls or VPN concentrators.
Cisco ACS supports authenticating users of a Lightweight Directory Access Protocol (LDAP).
A Web browser is used to configure a Cisco Secure ACS. 

Good explain in : CCNA Security 640-554 Official Cert Guide 

Cisco Secure ACS is available as software installed on
- a Windows Server (Cisco ACS version 4.x),
- a Linux apliance (Cisco ACS version 5.x),
- a 1U, rack-mountable, security-hardened server, such as ACS Solution Engine  (where more than 350 users need to be supported),
- a ACS Express is also a 1U rack-mountable unit, security-hardened appliance with a pre-installed Cisco Secure ACS Express license (up to 50 devices / up to 350 user logins per 24h).
NOTE: Cisco ACS 4.x is no longer being sold and might not be supported (link).

AAA Accounting
aaa accounting {network | exec | connection} {default | list-name} {start-stop | stop-only | none} [broadcast] method1...[method4]
* Network - Runs accounting for all network-related service requests, including Serial Line Internet
* Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs).
* Exec - Runs accounting for the EXEC shell session.
* Connection - Runs accounting on all outbound connections made from the network access server, such as Telnet or local-area transport (LAT).
* Default - Uses the listed accounting methods that follow this keyword as the default list of methods.
* List-name - Character string used to name a custom accounting method list.
* Start-stop - Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process.
* Stop-only - Sends a "stop" accounting record for all cases including authentication failures.
* None - Disables accounting services on a line or interface.
* Broadcast - (Optional) Enables sending accounting records to multiple AAA servers.
R1(config)# aaa accounting exec start-stop group tacacs+   <- log the use of EXEC session commands
R1(config)# aaa accounting network start-stop group tacacs+

The default accounting method list is automatically applied to all interfaces, except those with named accounting method lists.

Cisco Configuration Professional
On Windows 7, after install to run needed:
- download older version (10.x) of flash player here
- run as Administrator Cisco Configuration Professional,
- Allow ActiveX for this page,
- disable plugins from Internet Explorer that could block content (ie: AVG...),
more info:

Connect CCP to router (link @
Router(config)#enable secret cisco
Router(config)#username <username> privilege 15 password 0 <password>
Router(config)#ip http server
Router(config)#ip http secure-server
Router(config)#ip http authentication local
Router(config-line)#no aaa new-model
Router(config)#line vty 0 4
Router(config-line)#privilege level 15
Router(config-line)#login local
Router(config-line)#transport input telnet
Router(config-line)#transport input telnet ssh
Enabling AAA with CCP:
aaa new-model
aaa authorization exec default local
aaa authentication login default local
line vty 0 4
 login authentication default
 authorization exec default
 no privilege level
line con 0
 login authentication default
Cisco Secure ACS 5.2 (real installation)

Key Components for Configuring ACS  
Network device groups - Groups of network devices, normally based on routers or switches with similar functions/devices managed by the same administrators.  
Network devices (ACS clients/routers/switches) - The individual network devices that go into the device groups.  
Identity groups (user/admin groups) - Groups of administrators, normally based on users who will need similar rights and access to specific groups of network devices.  
User accounts - Individual administrator/user accounts that are place in Identity groups.  
Authorization profiles - These profiles control what rights are permitted. The profile is associated with a network device group and a user/administrator identity group.

1) Install Cisco Secure ACS 5.2
sclabs/sc# sh ver
Cisco Application Deployment Engine OS Release: 1.2
ADE-OS Build Version:
ADE-OS System Architecture: i386
Copyright (c) 2005-2009 by Cisco Systems, Inc.
All rights reserved.
Hostname: sclabs
Version information of installed applications
Version :
Internal Build ID : B.3075

sclabs/sc# sh application status acs
Process 'database'                  running
Process 'management'                running
Process 'runtime'                   running
Process 'view-database'             running
Process 'view-jobmanager'           running
Process 'view-alertmanager'         running
Process 'view-collector'            running
Process 'view-logprocessor'         running
2) Post install procedures:
Access ACS URL in your browser.
For example
Username: ACSAdmin , which is the default username. The value is not case-sensitive.
Password: default , which is the default password. The value is case-sensitive.

Insert Licence File (Evaluation Licence for 90 days)

AAA Step by Step 
1) Decide what the policy should be (for example, which vty lines should require authentication/authorization, and which methods (ACS, local, none) should be used. 
2) Enable AAA. (# aaa new-model)
3) Specify the address of an ACS server to use. (tacacs-server host/key)
4) Create 2 named method lists (authentication and another for authorization), based on your policy. 
Each method list is created in global configuration mode, specifying which methods this list uses, in order, from left to right.
5) Apply the method lists to the location that should use those methods.
In vty line configuration mode, specify the authentication and authorization method lists that you created in the preceding step.

Example AAA config
aaa new-model
tacacs-server host single-connection
! single-conn - improve aaa performance (reduces delays in the authorization queries by using persistent TCP sessions)
tacacs-server key TACACS+s0m3pass0rd
aaa authentication login MY-LIST-1 group tacacs local enable
aaa authorization commands 1 TAC1 group tacacs+ local
aaa authorization commands 15 TAC15 group tacacs+ local
aaa accounting commands 1 TAC-act1 start-stop group tacacs+
aaa accounting commands 15 TAC-act15 start-stop group tacacs+
! The named method lists must be applied to the VTY lines
line vty 0 4
 login authentication MY-LIST-1
 authorization commands 1 TAC1
 authorization commands 15 TAC15
 accounting commands 1 TAC-act1
 accounting commands 15 TAC-act15

AAA Cisco basic config
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

aaa new-model
This basically turns on aaa on the router.

aaa authentication login default group tacacs+ local
Here we are saying that to authenticate to this router for logins use the default group which is tacacs+.  If tacacs+ fails then use the local user account configured on the router. (This is why you always want to make sure you have a local user configured on your router)

aaa authentication enable default group tacacs+ enable

Here we are saying that for enable mode we want to use the default group tacacs+ (notice the local keyword is not used.  This is because that a locally defined user will have specified the authorization level they require. . for example leve 15 will get enable mode)

aaa authorization config-commands
This says we want to check with TACACS+ to authorize going into config mode.

aaa authorization exec default group tacacs+ local if-authenticated
Notice the "if-authenticated" keyword at the end of this line.  This is saying that if we are authenticated we will immediately be dropped into exec (enable) mode.
The CLI represents an Exec Shell.

aaa authorization commands 1 default group tacacs+ if-authenticated
For best practices Cisco recommends that authorization be configured to each level of user access to network devices. In this command we are authorizing level 1 user. This would also be the same as non-enable mode. A fallback method should be configured such as a local user.  This also requires the use of tacacs+.

aaa authorization commands 15 default group tacacs+ local if-authenticated
Here we are providing authorization for level 15 users against tacacs+. If tacacs+ is not available then the local user account is used.  If authenticated the user will immediately be dropped into exec/enable mode.

aaa accounting exec default start-stop group tacacs+
AAA Accounting for each level of commands ensures there is accountability for use of privileged commands on the router.  Privilege levels range from 1 to 15, with 15 being the highest level.  Some organizations may want to implement additional levels of commands where 1 might be a help desk and 15 are network administrators.

aaa accounting commands 1 default start-stop group tacacs+
This is an optional command as far as best practices go... but this provides accountability or tracking of user activity even they thay have only logged in (not exec/enable)

aaa accounting commands 15 default start-stop group tacacs+
This command will provide for accounting of adminsitrators or priveledge level 15

1) A hands-on lab,Securing Administrative Access Using AAA and RADIUS, allows learners to use CLI and CCP to configure and test local authentication with and without AAA. Centralized authentication using AAA and RADIUS is also explored.
2) A Packet Tracer activity, Configure AAA Authentication on Cisco Routers, provides learners additional practice implementing the technologies introduced in this chapter. Learners configure local authentication with and without AAA. Server-based AAA authentication is configured with TACACS+ and RADIUS.

 - Setup Cisco ACS 5.2 @ ESXi with 90 day trial licence
 - Setup a router with CCP  (AAA, SNMP, ACL, NTP, Logging...)

1) tacacs+ VM 
This mini-site hosts a VMWare VM consisting of Debian5 configured as a tacacs+ server with a web configuration utility.

2) Cisco AAA + tac_plus (tacacs+) (russian)

3) Cisco ACS 5.2 Appliance Basic Setup with screenshots

4) Chapter Labs