Notes - AAA
Last updated
Enable AAA new-model
aaa new-model
Add a radius server
radius server SERVER1
address ipv4 1.1.1.1 auth-port 1812
key MY_KEY
Authentication verifies the identity of a user to allow access to the device.
Set the authentication default method list. The “default” method list is used by default on the console, VTY lines, and the AUX port. You can also specify a different name for the method list and apply it manually to the lines.
aaa authentication login default <method 1> <method 2>
Possible methods include:
local (the local username database)
line (the line password)
group (a named server group, or the built-in radius / tacacs+ groups)
enable (the enable secret/password)
none (no authentication; never put this on a reachable line)
Subsequent methods are only attempted if the previous method returns an error, for example because no RADIUS server in the group answers. A reject from the server is a final answer and the next method is not tried, so "group radius local" does not let a user who was rejected by RADIUS log in with a local password instead.
To use a named list you instead give the list a name in place of default:
aaa authentication login <list-name> <method 1> <method 2>
Besides performing authentication for remote logins, you can also configure authentication for enable mode, ppp, dot1x and more.
To apply a non-default method list to a line you use:
line vty 0 15
login authentication LIST1
Authorization defines what the user can do once they are authenticated. This can be simply defined locally using the privilege level, or the privilege level can be associated with the user in the radius/tacacs database.
You can define authorization methods for:
commands (exec shell commands)
config-commands (config mode commands)
exec (for the ability to start an exec shell)
console (authorization is not applied to the console unless aaa authorization console is configured; this is separate from starting an exec shell)
Just like with authentication, you can use a default list or a named list:
aaa authorization exec default <method 1> <method 2>
where each method is group <name>, local, if-authenticated or none. if-authenticated is itself a method, not a modifier: it succeeds for any user who has already authenticated, by whatever method. It is normally placed last so that an authenticated administrator still gets an exec shell when the server group returns an error, without opening the line to everyone the way none does.
To apply a non-default authorization list to a line you use:
line vty 0 15
authorization exec LIST1
TACACS+ can also provide per-command authorization; RADIUS cannot, because it has no per-command exchange. You define command authorization per privilege level. By default a device only has commands at levels 0, 1 and 15, so those are the levels to cover. Commands entered in configuration mode are only checked if config-commands authorization (listed above) is also enabled.
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
Accounting keeps track of what the user has done. This can be configured for:
commands (every exec command that is entered)
exec (starting an exec shell)
network (ppp)
dot1x
When you define a method list, you must specify whether records are sent at start and stop, or at stop only. With stop-only, a single record is sent when the service terminates, so a session that is still open leaves no trace until it ends. Accounting records can only be sent to a radius and/or tacacs+ group; there is no local accounting destination.
aaa accounting exec default start-stop|stop-only group <group-name>
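The pieces above assembled into one complete IOS-XE policy: TACACS+ for login, enable, exec and per-command authorization, and accounting, with the local database as the fallback that is reached only when the server group errors. This is an added example, not configuration from these notes: the server address 192.0.2.10, the names TAC1, TAC_GROUP, VTY_AUTHZ and fallback-admin, and the REPLACE_WITH_... placeholders are assumptions to be substituted. It uses TACACS+ rather than the RADIUS server defined earlier because per-command authorization and command accounting need it.

```cisco
! Added example: complete IOS-XE AAA policy with TACACS+ and local fallback.
! Addresses, names and REPLACE_WITH_... values are placeholders.
aaa new-model
!
! Local fallback account and enable secret, only reachable when TAC_GROUP
! returns an error (unreachable), never when it rejects a user.
username fallback-admin privilege 15 secret REPLACE_WITH_STRONG_PASSWORD
enable secret REPLACE_WITH_STRONG_ENABLE_SECRET
!
tacacs server TAC1
 address ipv4 192.0.2.10
 key REPLACE_WITH_SHARED_SECRET
 timeout 5
!
aaa group server tacacs+ TAC_GROUP
 server name TAC1
!
! Authentication: default list applies to console, VTY and AUX automatically.
aaa authentication login default group TAC_GROUP local
aaa authentication enable default group TAC_GROUP enable
!
! Authorization: console is exempt unless explicitly enabled.
! if-authenticated on the default list keeps the console usable in an outage;
! the named VTY list falls back to local instead, so only the defined
! fallback account gets a remote shell when the server group fails.
aaa authorization console
aaa authorization exec default group TAC_GROUP if-authenticated
aaa authorization exec VTY_AUTHZ group TAC_GROUP local
aaa authorization commands 1 default group TAC_GROUP if-authenticated
aaa authorization commands 15 default group TAC_GROUP if-authenticated
aaa authorization config-commands
!
! Accounting: session and command records to the same group; no local option.
aaa accounting exec default start-stop group TAC_GROUP
aaa accounting commands 1 default start-stop group TAC_GROUP
aaa accounting commands 15 default start-stop group TAC_GROUP
!
! Default lists already apply to every line; only the named list must be bound.
line vty 0 15
 login authentication default
 authorization exec VTY_AUTHZ
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
 transport input ssh
```

Verify the fallback path before relying on it: block the TACACS+ server with an ACL, log in on a VTY as fallback-admin, and confirm that a second session for a TACACS+-only user is refused rather than silently authorized.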
AAA using IOS-XR is quite similar to IOS-XE. The same idea of defining AAA method lists and applying them to lines exists. However, IOS-XR also uses the concept of task groups and user groups to define permissions instead of using privilege levels.
By default, the router has several pre-defined user groups. The root-system user group allows access to the entire system. The root-lr user group allows access to that specific SDR. (A user belonging to root-lr cannot enter admin mode). There are also other pre-defined user groups such as cisco-support, operator, sysadmin, etc.
You can create custom user groups to have granular control over what access a user has. Each task can have a read/write/execute/debug permission. For example:
taskgroup NOC_TASKS
task read rib
task read ospf
task read basic-services
task write basic-services
task execute basic-services
task debug basic-services
A handy way to determine what tasks a user needs in order to execute a given command is to use describe <command> from exec mode; it lists the task IDs and the read/write/execute/debug permission each part of the command checks.
These taskgroups are then applied to usergroups. Each usergroup can have multiple taskgroups. You can mix and match pre-defined taskgroups and custom taskgroups.
usergroup NOC_USERGROUP
taskgroup operator
taskgroup NOC_TASKS
Taskgroups and usergroups can also inherit from each other to provide flexibility. Below, the taskgroup NEW will inherit all tasks from the taskgroup operator, plus add write for OSPF. The usergroup NEW_UG will inherit all taskgroups from the usergroup UG1, plus add taskgroup NEW.
taskgroup NEW
task write ospf
inherit taskgroup operator
!
usergroup NEW_UG
taskgroup NEW
inherit usergroup UG1
A user is assigned to a usergroup as follows. They can be assigned to multiple groups at once.
username ADMIN
group sysadmin
group NOC_USERGROUP
External AAA works very similarly to IOS-XE. You can also assign the usergroup via TACACS+ or RADIUS by adding the group as an attribute to the user on the external server. For example, the following gives the user R/W/X/D for OSPF plus assigns them to the group "operator". This is defined on the server itself (tac_plus-style syntax), not on the router.
user = igpadmin {
    member = igp-admin-group
    opap = cleartext "cisco"
    service = exec {
        task = "rwxd:ospf,#operator"
    }
}
You can also use legacy privilege levels from the external AAA server. These will automatically be mapped to corresponding usergroups on IOS-XR with the name “priv#”. So if you assign a user to privilege level 10 on the AAA server, it will be assigned to usergroup priv10 on IOS-XR.
The following defines a radius server and uses it in a group:
radius-server host 1.1.1.1 auth-port 1812 acct-port 1813
key CISCO123
timeout 3
!
aaa group server radius RAD_GROUP
server 1.1.1.1 auth-port 1812 acct-port 1813
The following defines a tacacs+ server and uses it in a group. A "key 7" value is only obfuscated, not encrypted: anyone who can read the configuration can recover the shared secret, so protect configuration backups accordingly.
tacacs-server host 1.1.1.1 port 49
key 7 05282F3C02631F5B4A45
!
aaa group server tacacs+ TAC_GROUP
server 1.1.1.1
AAA method lists work just like IOS-XE:
aaa accounting exec VTY start-stop group radius
aaa authorization exec VTY local group radius
aaa authentication login VTY local group radius line
These must be applied to VTY lines by using a template or using the default template:
line template VTY
accounting exec VTY
authorization exec VTY
login authentication VTY
!
vty-pool default 0 50 line-template VTY
! or
!
line template default
accounting exec VTY
authorization exec VTY
login authentication VTY
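The IOS-XR pieces assembled into one policy: a TACACS+ group for authentication, exec authorization and accounting, a break-glass local user whose only purpose is the fallback, and the lists bound to every VTY through a named line template. This is an added example, not configuration from these notes: the server address 192.0.2.10, the names TAC_GROUP, NOC_VTY and breakglass, and the REPLACE_WITH_... placeholders are assumptions to be substituted.

```cisco
! Added example: IOS-XR AAA with TACACS+ and a local break-glass fallback.
! Addresses, names and REPLACE_WITH_... values are placeholders.
tacacs-server host 192.0.2.10 port 49
 key REPLACE_WITH_SHARED_SECRET
 timeout 5
!
aaa group server tacacs+ TAC_GROUP
 server 192.0.2.10
!
! Local account reached only when TAC_GROUP returns an error, not on a reject.
! root-lr gives full access to this SDR without admin mode; no root-system.
username breakglass
 group root-lr
 secret 0 REPLACE_WITH_STRONG_PASSWORD
!
! TACACS+ users get their usergroup from the task attribute returned by the
! server (or from a priv-lvl mapped to the priv<n> usergroup).
aaa authentication login default group TAC_GROUP local
aaa authorization exec default group TAC_GROUP local
aaa accounting exec default start-stop group TAC_GROUP
aaa accounting commands default start-stop group TAC_GROUP
!
! Bind the lists to all VTYs through a named template.
line template NOC_VTY
 login authentication default
 authorization exec default
 accounting exec default
 accounting commands default
!
vty-pool default 0 50 line-template NOC_VTY
```

After committing, confirm the effective rights of a logged-in user with show user tasks; a TACACS+ user should show only the tasks the server returned, and breakglass should show the root-lr set.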