AAA using TACACS+ server setup - HELP

utawakevou · ‎01-16-2005

I have been assigned this task of enabling AAA for all our network equipments (switches and routers) and to use TACACS+ server. I havent had any experience in setting TACACS+ before but currently we are using RADIUS for our dialup users.

aaa authentication login radius-login group radius

aaa authentication login local-login local

aaa authentication ppp radius-ppp if-needed group radius

aaa authorization exec default local if-authenticated

aaa authorization network default group radius

Currently we have AAA enabled on all the routers and switches but using the default one. We want to point the authentication to the TACACS+ server (2) as the primary authenication and the local database if the 2 TACACS+ server has an error (no network connectivity etc).

We want to do this so that we keep track (Accounting) of who logged in and what time etc, who is allowed to access this and that resources(routers and switches) and who is not allowed, which level each user is allowed etc etc. Basically for easy management and monitoring network access from one point.

Like I said I havent got any experience for TACACS and would really appreciate any help to help me set this thing up to help up manage our network access for our Cisco network equipments.

With kind regards

Richard Burts · ‎01-17-2005

Part of the work is already done since you have got some of the aaa new-model things already configured when you did radius. And it looks like you created unique method lists (radius-login versus local-login) which will help very much in separating the functions that you want to go to radius versus what you will want to go to TACACS.

It looks like someone has already configured a method list local-login which probably has been assigned to the vty ports and the consoles of the devices. You can keep that and have it reflected in the config (which I will use in my example) or you could remove it from those ports and just do authentication default.

I would suggest that you add to your routers something like this:

aaa authentication login local-login group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

You may want to specify the interface to use as the source of the taccacs packets:

ip tacacs source-interface fastethernet 0/0

You will need to specify the information about your TACACS servers:

tacacs-server host a.b.c.d

tacacs-server host f.e.d.c

tacacs-server key

This configuration is a router configuration syntax. The syntax would change a bit to configure it on CAT-OS switches but the concepts are the same.

I believe that this should give you pretty much the functionality that you want.

HTH

Rick

HTH

Rick

utawakevou · ‎01-17-2005

Thank you Rick. Yes I think the IOS bit will be ok for me considering this example. Im really lacking in the tacacs+ server bit which I really dont have an idea in setting up. By the way thank you

utawakevou · ‎01-20-2005

I have downloaded a Windows based one called "ClearBox RADIUS TACACS+ Server". You might have heard about it.

This particular services can use any of these data source(MS Access, MS SQL, ODBC data source or OLE DB data source) for AAA or can be linked to our DC. Currently I'm just using a MS Access data source which comes with it (just have to add in the accounts/psswords)..at the moment I'm able to authenticate and manage to see the log file for the accounting part of it. I'm currently testing it using 2 accounts and want to define the privilege level of it. In the MS Access database (currently used) there is a table called users and this is where we define username, passwords and privileges.

What I want to do is to differentiate these 2 users e.g. Administrator(user A) and Standard User (user B)

User B can only go as far as the user exec privilege mode. When User B types "configure terminal" he is not authorized he can just use the show command or commands only on user exec privilege mode. Whereas user A can go past user exec privilege mode and do configuration change etc.

I did enter the privilege levels(on the Privilege column of the User table)of the 2 users using 0 and 15. Found out that when user with priv 15 logs in he is automatically logs into the user exec privilege mode and can do the config etc. But when I want to exit it says "Command authorization failed"

The user with priv 0 logs in and goes to user mode. Then can type enable and can also change config, write it etc..and can logout.

Do I have to configure the level of privilege on the router too. This is my AAA configuration

! Set-up default logins to use tacacs+

aaa authentication login default group tacacs+ enable

! Set-up enable to use tacacs+, fallback to enable secret

aaa authentication enable default group tacacs+ enable

! Do command authorization for all "enable" commands

aaa authorization commands 0 default group tacacs+ none

! Account all exec mode and enable commands

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

!

tacacs-server host x.x.x.x

tacacs-server key SecretKey

Your help will be very much appreciated

With kind regards

Richard Burts · ‎01-21-2005

I do not believe that the situation you are describing is related to whether you configure privilege level on the router or not.

Whether you need to configure the privilege level on the router depends on what your requirements are. If you want to control directly the privilege level of the user when TACACS is not available then you do need to configure the privilege level of each user on the router. If you are willing to control who can get to privileged mode by controlling who has the enable or enable secret password then you do not need to configure the privilege level of each user on the router.

I believe that the situation you describe is a result of the way that you have configured the router. You have asked the router to authorize commands at level 0 but not at level 1, level 15 or any other level. Normal user mode is privilege level 1 and the usual enable mode is level 15. So it might help if you also configured the router to authenticate commands 1 and authenticate commands 15.

And I wonder if you really want to authorize individual commands. Most of the customers I have worked with want to control who can get to enable mode versus who can get user mode. But I have not worked with a customer yet who wanted to control at the level of individual commands. So I do not have any direct experience to guide this. Most of the customers that I have worked with include the command aaa authorization exec default group tacacs+ if-authenticated which you do not have in your config.

Also I note that your config has:

aaa authentication login default group tacacs+ enable

this command says that if anyone is logging in check with TACACS and if TACACS is not available they must know the enable password to login. I suspect that this is not what you really want. If you change the last word in the command from enable to line it will not require the enable password but will require the line (console or vty) password.

HTH

Rick

HTH

Rick

utawakevou · ‎02-01-2005

Thank you Rick. I want to "control who can get to enable mode versus who can get user mode"

That I what I meant initially

Hope you can help

regards

Richard Burts · ‎02-02-2005

I have looked at what you posted as the aaa configuration and have a couple of comments about it. You have this line for authentication of login:

aaa authentication login default group tacacs+ enable

What that says is to use TACACS to authenticate and if TACACS is not available they must use the enable password to be able to login. I would think that is not what you really want for a backup method. Instead of having enable as the backup method you might want "local" if you have entries of usernames and passwords on the router, or you might want "line" as the backup method so that people would need the vty password or the console password to be able to login.

I think that what you have for authentication enable is ok.

I would suggest that you add this to your config:

aaa authorization exec default group tacacs+ if-authenticated

this will give you control over who is allowed to start exec sessions.

You have this for authorization:

aaa authorization commands 0 default group tacacs+ none

this will use tacacs for authorization and has no backup method (none means there is no backup method). I would guess that you do not want it to work that way. It means that if you do not have connectivity to TACACS then you will not be able to authorize commands and therefore not able to execute them. I would suggest that you use "if-authenticated" as the backup method.

You have specified authorization for commands of privilege level 0. If you really want to get into authorization of command levels then I would suggest that you also need to specify authorization for levels 1 and 15 also.

I do question whether you really want to get into command level authorization at all. If you do the config on the router is fairly simple but the configuration of the TACACS server gets more complex (who has authorization for which commands). And based on your stated objectives in the original post I do see that you need to do command level authorization.

What you have for accounting exec will give you records of who has logged in on the router. What you have for accounting commands 15 will give you records of what commands people entered while in privilege mode. I believe both of these will work and are consistent with your stated requirements.

HTH

Rick

HTH

Rick