AAA New-Model/ TACACS, Local User

olsonkyle12
Level 1

Hello,

I'm trying to understand the differences/requirements for various user access methods to Cisco devices. I've noticed three common models, "AAA New-Model", "local user" and "TACACS", but I'm having problems understanding the difference between the three, or if I even understand the three correctly.

I'm running SSH on my routers, so I had to enable "AAA New-Model" but it appears that AAA New-Model is a local user, so what's the difference between it and the VTY user....

Is there a good reference that explains the user concept as a whole?

Also, if I'm using AAA New Model, does that mean I'm using the TACACS protocol?

2 Accepted Solutions


Richard Burts
Hall of Fame

Kyle

No, turning on aaa new-model does not mean that you are automatically running TACACS.

The concepts can get a bit complicated, but let me try to explain it this way:

- without aaa new-model the router simply defaults to authenticating using the local line passwords.

- when you enable aaa new-model you enable the aaa subsystem. aaa allows you to configure policies for authentication, and for authorization, and for accounting.

- in aaa the default behavior is to use local authentication (locally configured user IDs and passwords).

- in aaa you can define various methods the router should use for authentication. So in aaa you could configure the router to continue to authenticate with the line passwords. Or you can configure the router to use TACACS. Or you could configure the router to use the local user database.

- in aaa you can configure a primary authentication method and also a backup authentication method. So you could configure the router to attempt to authenticate via TACACS and if the router does not receive a valid response from the TACACS server then the router should authenticate via the local user ID, or via the line passwords.

HTH

Rick


subhish_p
Level 1

Hi Kyle,

You say you noticed three models for user access: AAA New-Model, local user and TACACS, but there are actually only 2: AAA and Local User.

With Local User, you create user accounts on the device itself using the: "username xxx password yyy" command. You can create multiple such user accounts for different users and when a user tries to login, their credentials need to match one of the user accounts created on the device.

But the problem with this approach is scalability; it will become a giant PIA to create all those user accounts on all your devices. That's where AAA is helpful.

AAA allows you to authenticate from a centralized server which will hold the user account information. When a user tries to login to a device, the username and password provided by the user are sent to this centralized server, and once authenticated the user is granted access.

The centralized server is the TACACS server and TACACS is the protocol used for communication between the device and the TACACS server. (RADIUS is another protocol similar to TACACS. TACACS is Cisco proprietary and Radius is standardized.)

Check this out; it's a pretty good explanation of how AAA works:

http://packetlife.net/blog/2010/sep/27/basic-aaa-configuration-ios/


I'm running SSH on my routers, so I had to enable "AAA New-Model" but it appears that AAA New-Model is a local user, so what's the difference between it and the VTY user....

You don't necessarily have to be running AAA for SSH. For SSH, you need to provide username and password when logging in as compared to telnet where you can do with just the password. So you could be running SSH with just the local user account configured on the device.

Also, If I'm using AAA New Model, does that mean I'm using the TACACs protocol?

No, you can use the local user account or you could be using RADIUS (which is another authentication protocol similar to TACACS); it depends on how you configure the AAA authentication statement.

Hope that helps.

Cheers,

Subhish

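Putting both answers together in IOS: this is an added example, not configuration from Rick's or Subhish's posts or from Cisco, showing the local user account Subhish describes alongside the TACACS-first, local-fallback method list Rick describes. The hostname, server address, group and list names, and the placeholder password and key are assumptions.

```cisco
! Added example: AAA with TACACS+ as primary method and the local
! user database as backup. All names, addresses and secrets are placeholders.
hostname RTR1
!
! Local account, consulted only when no TACACS+ server answers.
! "secret" stores a hash; "password" (type 7) is reversible, so avoid it.
username admin privilege 15 secret LOCAL-PASSWORD-PLACEHOLDER
!
aaa new-model
!
! TACACS+ server definition (newer syntax; older IOS uses "tacacs-server host").
tacacs server TACACS-PRIMARY
 address ipv4 192.0.2.10
 key SHARED-SECRET-PLACEHOLDER
!
aaa group server tacacs+ TACACS-GROUP
 server name TACACS-PRIMARY
!
! Method lists: try the TACACS+ group first. "local" is used only when the
! server does not respond (timeout/unreachable); a REJECT from the server
! ends the attempt and does NOT fall through to the local account.
aaa authentication login VTY-AUTH group TACACS-GROUP local
aaa authorization exec VTY-AUTHZ group TACACS-GROUP local
aaa accounting exec default start-stop group TACACS-GROUP
!
! Console stays on local auth so a dead TACACS+ server cannot lock you out.
aaa authentication login CONSOLE-AUTH local
!
! SSH prerequisites: domain name, host key, SSHv2 only.
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
!
line con 0
 login authentication CONSOLE-AUTH
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 transport input ssh
```

Before changing VTY authentication, keep an existing session open and confirm the server path with `test aaa group TACACS-GROUP <user> <password> new-code`, then check `show aaa servers` for the server state.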

3 Replies

Thanks, that helps.

Leads to another question:

If I got a TACACS server and configured it, would it be possible to integrate it with AD and use AD's user database as the means for authenticating against TACACS and thus into the switch? Essentially, I'd like to use my AD username/password to log in and authenticate with it when SSH'ing into a Cisco device. I've done this in the past with a Windows Server 2003 and Internet Application Service (IAS) or Radius.

What is the advantage that TACACS gives you versus Radius? Are you aware of any free Windows TACACS servers?
