AAA
Authentication = how you authenicate
Authorization = what you can do once authenticated
Accounting = keep track of what was done by person authenticated
There are two models in cisco mainly
the old model - local authentication local authorization based on the line or configured
usernames. So basically you are authenticating to the cisco device locally by the configured
locally configured username and password
New Model
- supports AAA list that define sequence of methods
So we authenticate to tacas or radius server also we can get what commands we are authorized
depending on our login from the tacas server also this server will keep track of our changes
accounting what has been done in the session
So you autheniticate of a radius or tacas server first and maybe fall back to the local
method if it is not availible
THe advantages of using AAA is that you can centrally control all Authentication
Authorization and Accounting. Also you can bind it to other authentication for example Active
Directory authentication to cisco devices that you autheticate to your active directory and
if your in particular group you can access the cisco devices this way you get active
directory username security features like lock out etc.
You can use groups in AAA so certain group or types autheticate to one server while others
authenticate to another
It is not just user ssh/telnetting/console user that we can authenicate we can authenticate
our ppp sessions or control plane sessions to AAA
We need to be careful that we always leave ourselves a get out clause in case our tacas or
down or unreachable so ideally we want to as last resort leave in login local so if the
servers are unreachable we can still authenticate to the local box.
LCOAL COMMAND AUTHORIZATION
-----------------------------
Typically if we were using AAA we would get our server to do authorization but we can do it
locally on the Cisco IOS
First way we could do this is with
1) Privilige level so we can control access to exec commands via privilge level
0- no access
1- user mode access
15- full access
User defined privilge levels are avaible for 2-14
This is considered the messier\legacy option for authorization as it can be quite difficult
to get desired config. The main reason being the way privilge level work. They are not
completely indpendent from each other in that if iam given privelege 5 it means i can run
privilge level 0 1 2 3 4 5 commands this may seem desirable but if want to limit down user to
specfic it can get quite cumbersome. The way we do limit is that we either if we do not want
a user to run a command we would move the command to the privilge level above what the user
is if we do want to user command we would move them down to the privilge level they are on
2)Role BAsed Access Contol (CBAC(
Replacement for privilige levels - we got more flexible in terms of command allocation
A role is a group of commands in CBAC they are know as parser view
ROles can be manually switch to (enable view) and assigned to users
ROles are configured from root view (enable view)
RBAC requires AAA enabled on router but no neccessarily using AAA server for authorization
LAB
----
Ok we will configure r5 for AAA authentication to a tacas server
first things first we will configure a local username and login local on telnet lines
r5(config)#line vty 0 4
r5(config-line)#login local
r5(config-line)#username cisco password cisco
r5(config)#
r5(config)#enable password cisco
r4
---
so r4 can telnet no problem to r5 it authenicating locally to the r5 database
r4#telnet 5.5.5.5
Trying 5.5.5.5 ... Open
User Access Verification
Username: cisco
Password:
r5>en
Password:
r5#
r5
--
r5(config)#aaa new-model
r5(config)#
next we will specify the tacas servers
r5(config)#tacacs-server host 10.229.254.1 key MySecretKey1
r5(config)#tacacs-server host 10.229.254.2 key MySecretKey
In this scenerio I want .1 server for authenticating users and .2 server for authenticating
ppp
r5(config)#aaa group server tacacs+ USER
r5(config-sg-tacacs+)#server 10.229.254.1
r5(config-sg-tacacs+)#exit
r5(config)#aaa group server tacacs+ PPP
r5(config-sg-tacacs+)#server 10.229.254.2
r5(config-sg-tacacs+)#
Now we need to configure the default method list
r5(config)#aaa authentication login default group USER local
if we had put default instead of user after group it would authenticate to either of the
defined tacas servers. The local after the group USER means if we can not reach the tacas
server authenticate locally to the device
here is the ppp
r5(config)#aaa authentication ppp default group PPP local
so now we need to apply it to the terminal lines
r5(config)#line vty 0 15
r5(config-line)#login authentication default
r4
---
r4#telnet 5.5.5.5
Trying 5.5.5.5 ... Open
User Access Verification
Username: cisoc
Password:
% Authentication failed
Username: cisco
Password:
r5>en
so this working i have no tacacs server configured so it is falling back off the local
database
If i have configured on r5
r5(config)#aaa authentication login default group USER
r4
---
r4#telnet 5.5.5.5
Trying 5.5.5.5 ... Open
% Authentication failed
% Authentication failed
% Authentication failed
[Connection to 5.5.5.5 closed by foreign host]
r4#
i can no longer telnet as there is only the server specfied no faill back group
We will take a quick look at the privilige commands for authorization locally on the cisco
ios
when you are looking at this we need to now that
sh ip int brief is an exec command
int fa0/0- is run configuration mode
while ip adddress "ip" is interface level command
so we need to be aware of the different cli levels in the ios
r5
---
we will create a few accounts with different priv levels
r5(config)#username eoghan privilege 1 password eoghan
r5(config)#username tom privilege 2 password tom
r4
--
r4#telnet 5.5.5.5
Trying 5.5.5.5 ... Open
User Access Verification
Username: eoghan
Password:
r5>sh priv
Current privilege level is 1
r5>
r5>sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 155.0.58.5 YES NVRAM up down
FastEthernet0/1 unassigned YES NVRAM administratively down down
Serial0/0/0 155.0.0.5 YES NVRAM down down
Serial0/1/0 155.0.45.5 YES NVRAM up up
Loopback0 5.5.5.5 YES NVRAM up up
r5>ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r5>en
% No password set
ok now i will authenticate with the username tom
r4#telnet 5.5.5.5
Trying 5.5.5.5 ... Open
User Access Verification
Username: tom
Password:
r5#
r5#
i am straigh away in privlige mode
r5#sh privi
Current privilege level is 2
r5#
i can not do
r5#config t
or
r5#sh run
^
% Invalid input detected at '^' marker.
r5#
so different levels will get you different privilges
we can edit
r5
---
r5(config)#privilege exec level 0 show run int serial0/1/0
so this is say privilge for the exec command sh run int s0/1/0 will be allowed for priv 0
we will have quick look at the run int on r5 before we telnet in as priv 0
r5#sh run int s0/1/0
Building configuration...
Current configuration : 86 bytes
!
interface Serial0/1/0
ip address 155.0.45.5 255.255.255.0
ip pim sparse-mode
end
r5#
r4
--
r4#telnet 5.5.5.5
Trying 5.5.5.5 ... Open
User Access Verification
Username: eoghan
Password:
r5>sh run int
r5>sh run int s0/1/0
Building configuration...
Current configuration : 29 bytes
!
interface Serial0/1/0
end
so we can see now on r4 telnetting into r5 with the username eoghan which is priv 1 we can
issue the command sh run int BUT as we have no rights to configure any the options like ip
etc we can not see the ip address. In privilge modes if you do not have the rights to
configure you do not have the rights to see the configuration
r5
---
r5(config)#privilege interface level 0 ip address so we want to see the ip address under show
serial 0/1/0 we need to give them privilege to configure
r4
---
back on r4 and the telnet session
r5>sh run int s0/1/0
Building configuration...
Current configuration : 66 bytes
!
interface Serial0/1/0
ip address 155.0.45.5 255.255.255.0
end
r5>
we can now see the ip
This can quickly get very messy with all the different modes additional rights you need to
give to view certain pareters etc so ROLE BASED ACCESS CONTROL (RBAC) was introduced
we will look the rbac approach to the authorization
first we need to enable aaa
r5(config)#aaa new-model
r5(config)#enable password cisco - this will be the password to get into enable view
To get into the root view
r5#enable view
Password:
r5#
*Feb 23 13:04:57.199: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
Ok so i configured a view or a role called show and included all show commands
r5(config)#parser view SHOW
r5(config-view)#
*Feb 23 13:05:38.851: %PARSER-6-VIEW_CREATED: view 'SHOW' successfully created.
r5(config-view)#secret PASSWORD
r5(config-view)#commands exec include all show
r5(config-view)#
r4
---
r4#telnet 5.5.5.5
Trying 5.5.5.5 ... Open
User Access Verification
Username: eoghan
Password:
r5>enable view SHOW
Password:
% Authentication failed
r5>enable view SHOW
Password:
r5#
i am telnettting in as eoghna priv 1 and i use the enable view show command but in the
password set of PASSWORD and i am in the enable view show
I can not config t but i can do all the show commands note the running config will not show
me everything as i have no acccess to configure
r5#config t
^
% Invalid input detected at '^' marker.
r5#sh run
Building configuration...
Current configuration : 13 bytes
!
!
!
!
end
r5#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 155.0.58.5 YES NVRAM up down
FastEthernet0/1 unassigned YES NVRAM administratively down down
Serial0/0/0 155.0.0.5 YES NVRAM down down
Serial0/1/0 155.0.45.5 YES NVRAM up up
Loopback0 5.5.5.5 YES NVRAM up up
r5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
155.0.0.0/24 is subnetted, 1 subnets
C 155.0.45.0 is directly connected, Serial0/1/0
4.0.0.0/32 is subnetted, 1 subnets
D 4.4.4.4 [90/2297856] via 155.0.45.4, 01:52:13, Serial0/1/0
5.0.0.0/32 is subnetted, 1 subnets
C 5.5.5.5 is directly connected, Loopback0
r5#
r5
---
lets configure another view on r5
r5(config)#parser view SHOW-IP-ROUTE
r5(config-view)#
*Feb 23 13:11:17.995: %PARSER-6-VIEW_CREATED: view 'SHOW-IP-ROUTE' successfully created.
r5(config-view)#secret TEST
r5(config-view)#command exec include-exclusive sh ip route
r5(config-view)#
so sh ip route we have said that this is exclusive to this view meaning on
r4
---
i can no longer do ip route logged in as the view of SHOW i can do all other show but show ip
route is exclusively to the SH-IP-ROUTE VIEW
r5#sh ip route
^
% Invalid input detected at '^' marker.
r5#
ok lets log in to the SHOW-IP-ROUTE VIEW To be sure
r4#telnet 5.5.5.5
Trying 5.5.5.5 ... Open
User Access Verification
Username: eoghan
Password:
r5>enable view SHOW-IP-ROUTE
Password:
% Authentication failed
r5>enable view SHOW-IP-ROUTE
Password:
r5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
155.0.0.0/24 is subnetted, 1 subnets
C 155.0.45.0 is directly connected, Serial0/1/0
4.0.0.0/32 is subnetted, 1 subnets
D 4.4.4.4 [90/2297856] via 155.0.45.4, 01:56:28, Serial0/1/0
5.0.0.0/32 is subnetted, 1 subnets
C 5.5.5.5 is directly connected, Loopback0
r5#sh ip int
^
% Invalid input detected at '^' marker.
r5#
notice i can not do any other sh commands sh ip route under SH-IP-ROUTE view
We can make super view combining views
r5
---
so we are combining the 2 views in superview
r5(config)#parser view SHOW-AND-ROUTE superview
r5(config-view)#
*Feb 23 13:18:36.183: %PARSER-6-SUPER_VIEW_CREATED: super view 'SHOW-AND-ROUTE' successfully
created.
r5(config-view)#secret PASSWORD
r5(config-view)#view SHOW
r5(config-view)#view
*Feb 23 13:19:21.235: %PARSER-6-SUPER_VIEW_EDIT_ADD: view SHOW added to superview SHOW-AND-R
r5(config-view)#VIEW SHOW-IP-ROUTE
r5(config-view)#
*Feb 23 13:19:37.655: %PARSER-6-SUPER_VIEW_EDIT_ADD: view SHOW-IP-ROUTE added to superview
SHOW-AND-ROUTE.
To assign view to usernames
r5(config)#username newuser password newuser
r5(config)#username newuser view SHOW-AND-ROUTE
we also need to tell aaa to look for authorization locally
r5(config)#aaa authorization exec default local
r4
---
r4#telnet 5.5.5.5
Trying 5.5.5.5 ... Open
User Access Verification
Username: newuser
Password:
r5#config t
^
% Invalid input detected at '^' marker.
r5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
155.0.0.0/24 is subnetted, 1 subnets
C 155.0.45.0 is directly connected, Serial0/1/0
4.0.0.0/32 is subnetted, 1 subnets
D 4.4.4.4 [90/2297856] via 155.0.45.4, 02:04:30, Serial0/1/0
5.0.0.0/32 is subnetted, 1 subnets
C 5.5.5.5 is directly connected, Loopback0
r5#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 155.0.58.5 YES NVRAM up down
FastEthernet0/1 unassigned YES NVRAM administratively down down
Serial0/0/0 155.0.0.5 YES NVRAM down down
Serial0/1/0 155.0.45.5 YES NVRAM up up
Loopback0 5.5.5.5 YES NVRAM up up
working as expected
No comments:
Post a Comment