
AAA Basics (Part 2 of 2) – Implementing local, RADIUS, and TACACS+ authentication

November 22, 2011

Continuation of AAA Basics (1 of 2) – Introduction

Local Authentication

It is possible, especially for small networks, to store account information on the local device instead of on a central RADIUS/TACACS+ server. While this doesn’t scale nearly as well, it reduces the number of servers in a network and may be ideal for a small organization. Local authentication is also recommended as a fallback in case the authentication server is unreachable.

All AAA commands open with

Router 1(config)# aaa new-model

Asking yourself what the old model is? I’ve wondered that same thing myself. If you have information on this, please leave a comment. This command enables AAA functionality on your Cisco device. Of course this isn’t all because usernames are defined like so:

Router 1(config)# username username password password

Of course, plain text passwords aren’t encouraged so use this instead:

Router 1(config)# username username secret password

Specifying secret instead of password stores the password as an MD5 hash rather than in plain text.

Finally, tell the device to use local authentication while creating a method list.

Router 1(config)# aaa authentication login default local

This is the minimum configuration required for authentication using a local database.

Let’s break this example down:

  • aaa – The top level command for most things AAA on a Cisco router.
  • authentication – Specifies this command should set configuration for authentication and not authorization or accounting.
  • login – Prompts for a username and password when logging into the device via the TTY, auxiliary, vty, and console lines. Note that network access methods use a slightly different command; login is used only for administrative access.
  • default – Uses the default authentication method list. Named method lists can be created by using words other than default.
  • local – The local user database is referenced instead of an external server. Up to four methods can be specified with the options being: enable, group, krb5, krb5-telnet, line, local, local-case, or none. If group is specified, you must also specify whether to use RADIUS or TACACS+.

Syntax is similar from command to command. For example, if you wanted to have authentication for the enable command use:

Router 1(config)# aaa authentication enable default

Or if you wanted to set authentication for PPP for login over a serial interface use:

Router 1(config)# aaa authentication ppp default local

The syntax of the different authentication commands is very similar. Verification for each step should be straightforward: log in using the respective lines and interfaces to see what works.

Now that basic local authentication is working, the next step is to configure authentication against a RADIUS database. This post won’t go into how to set up the database itself since there are so many options on the market today. Perhaps I will create a future post on how to configure FreeRADIUS.

TACACS+ and RADIUS Authentication

TACACS+ and RADIUS follow relatively similar methods for authentication over the wire with the RADIUS one being a little more terse. In this scenario, we are using a laptop, authenticating to a router, which verifies credentials against a TACACS server.

  1. Client tells router it wants to authenticate.
  2. Router asks server what the login text is.
  3. Server tells router what to set the login text as.
  4. Server displays text for client.
  5. Client enters username and the router forwards the username to the server.
  6. Router asks what to use for the password prompt.
  7. Server tells router what the password text is.
  8. Password text is displayed to the client.
  9. Client sends password to router, which forwards it to the server.
  10. Server returns an ACCEPT or REJECT code.

RADIUS has a simpler packet exchange, using a Request and Challenge philosophy.

  1. Router asks client to provide a username.
  2. Client sends username to router.
  3. Router asks client for password.
  4. Client sends password to router.
  5. Router sends username and password to server.
  6. Server responds with an Access-Accept or Access-Reject message.

When the router is communicating with the client, it is using AV (attribute-value) pairs, each of which is simply a question with an answer associated with it. In our case, User-Name and User-Password are the pairs being used. The IETF defines more AV pairs, such as CHAP-Password or NAS-Port.
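To make step 5 and step 6 concrete, here is an added example (not code from the post or from Cisco) that encodes the RADIUS Access-Request with the User-Name, User-Password and NAS-Port AV pairs as RFC 2865 lays them out, hides the password with the shared secret and Request Authenticator, and verifies the server’s Access-Accept/Access-Reject before trusting it. The shared secret, username and password are made-up sample values.

```python
# Added example (not Cisco's code): RFC 2865 Access-Request / Access-Accept encoding.
# Shared secret, username and password in the test are made-up sample values.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5   # IETF attribute type numbers

def attribute(attr_type, value):
    """One Type-Length-Value attribute; Length includes the 2 header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def hide_password(secret, authenticator, password, reveal=False):
    """RFC 2865 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous cipher block), seeded with the Request Authenticator.
    reveal=True applies the same chain to a hidden value to recover the password."""
    data = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if reveal else block   # always the cipher block
    return out.rstrip(b"\x00") if reveal else out

def access_request(secret, ident, username, password, nas_port=0, authenticator=None):
    """Build the Access-Request the NAS sends; returns (packet, request_authenticator)."""
    if authenticator is None:
        authenticator = os.urandom(16)   # must be unpredictable for every request
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(secret, authenticator, password))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def access_response(secret, request_authenticator, ident, code, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs

def response_ok(secret, request_authenticator, ident, reply):
    """Accept only an Access-Accept whose ID matches our request and whose Response
    Authenticator verifies under the shared secret (a forged reply fails here)."""
    code, rid, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    return code == ACCESS_ACCEPT and rid == ident and reply[4:20] == expected
```

Note that only the password is hidden; the username, NAS-Port and everything else travel in the clear, which is why the shared secret and the path between router and server both need protecting.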

Configuring RADIUS and TACACS+ authentication is straightforward. First we’ll configure TACACS+. If you haven’t already, enable AAA.

Router 1(config)# aaa new-model

Then set the TACACS server information.

Router1(config)# tacacs-server host single-connection

The syntax should be straightforward: the server’s IP address follows host, and single-connection tells the router to keep one TCP connection open between the router and the server instead of opening and closing a connection for every request. Finally, set the shared key the TACACS+ server is using.

Router1(config)# tacacs-server key thisisthekey

With the TACACS+ server information set up, apply it to a method list for an interface.

Router1(config)# aaa authentication login default group tacacs+ local

Notice the command ends with local. If the router is unable to connect to the server, it will fall back to local authentication, preventing the administrator from being locked out.
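The fallback above, together with the method options listed under the earlier breakdown, is worth modelling, because the list only moves on when a method cannot answer, not when it answers REJECT. The following is an added example (not IOS code) that simulates how a method list such as aaa authentication login default group tacacs+ local is walked; the user databases and method names are constructed for illustration.

```python
# Added example, not IOS code: a model of how IOS walks a method list such as
# "aaa authentication login default group tacacs+ local". A method answers
# PASS, FAIL or ERROR; only ERROR (server unreachable) falls through to the
# next method, while FAIL (the server answered REJECT) ends the attempt.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed sample databases: what the router holds locally and what the server holds.
LOCAL_USERS = {"admin": "local-fallback-pw"}
SERVER_USERS = {"alice": "alice-pw", "admin": "server-pw"}

def method_local(user, password):
    """The 'local' method: checks the router's own username database."""
    return PASS if LOCAL_USERS.get(user) == password else FAIL

def method_none(user, password):
    """The 'none' method: no authentication at all; everyone passes."""
    return PASS

def group_tacacs(reachable):
    """The 'group tacacs+' method; reachable=False models a timeout or no route."""
    def method(user, password):
        if not reachable:
            return ERROR
        return PASS if SERVER_USERS.get(user) == password else FAIL
    return method

def authenticate(method_list, user, password):
    """Walk the list in order; returns (result, name of the method that decided).
    If every method errors, the login is denied rather than let through."""
    for name, method in method_list:
        result = method(user, password)
        if result != ERROR:
            return result, name
    return FAIL, "no method reachable"
```

Ending a list with none means an authentication-server outage lets anyone in, so the safe fallback for administrative access is local, with a local account that exists only for that purpose.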

RADIUS follows a very similar syntax. Instead of using the commands beginning with tacacs-server use radius-server.

Theoretically, server-based authentication is now working. It is important to verify it. Execute

Router1# show radius statistics

Replace show radius statistics with show tacacs if you are using TACACS+.

I do not have an install of Cisco ACS so I am using FreeRADIUS in my lab. Personally, the best way to verify this is to stay logged in on your current method and try to log in in different ways. If you can log in using the proper usernames and passwords, it works.


From → Tutorial
