Steps for configuring Server-based AAA authentication

Server-based AAA must identify various TACACS+ and RADIUS servers that the AAA service should consult when authenticating and authorizing users.

There are four basic steps to configure server-based authentication:

Step 1. Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands.

Step 2. Specify the Cisco Secure ACS that will provide AAA services for the router. This can be a TACACS+ or RADIUS server.

Step 3. Configure the encryption key needed to encrypt the data transfer between the network access server and Cisco Secure ACS.

Step 4. Configure the AAA authentication method list to refer to the TACACS+ or RADIUS server. For redundancy, it is possible to configure more than one server.

Create an authentication method list for Telnet

a. Create a unique authentication method list for Telnet access to the router. This does not have the fallback of no authentication, so if there is no access to the RADIUS server, Telnet access is disabled. Name the authentication method list TELNET_LINES.
R1(config)# aaa authentication login TELNET_LINES group radius

b. Apply the list to the vty lines on the router using the login authentication command.

R1(config)# line vty 0 4

R1(config-line)# login authentication TELNET_LINES

Configure TACACS+ server

To configure a TACACS+ server, globally enable AAA using the aaa new-model command.

Next, use the tacacs server name command to enter TACACS+ server configuration mode.

In TACACS+ server configuration mode, configure the IPv4 address of the TACACS+ server using the address ipv4 ip_address command, which also allows the option to modify the authentication port and the accounting port.

Next, use the single-connection command to enhance TCP performance by maintaining a single TCP connection for the life of the session. Otherwise, by default, a TCP connection is opened and closed for each session. If required, multiple TACACS+ servers can be identified by entering their respective IPv4 addresses using the tacacs server name command.

The key key command is used to configure the shared secret key to encrypt the data transfer between the TACACS+ server and AAA-enabled router. This key must be configured exactly the same way on both the router and the TACACS+ server.

Configuring RADIUS Servers

To configure a RADIUS server, use the radius server name command. This puts you into radius server configuration mode.

Because RADIUS uses UDP, there is no equivalent single-connection keyword. If required, multiple RADIUS servers can be identified by entering a radius server name command for each server.

In radius server configuration mode, configure the IPv4 address of the radius server using the address ipv4 ipv4-address command.

By default, Cisco routers use port 1645 for authentication and port 1646 for accounting. However, IANA has reserved port 1812 for RADIUS authentication and port 1813 for RADIUS accounting. It is important to make sure these ports match between the Cisco router and the RADIUS server.

To configure the shared secret key for encrypting the password, use the key command. This key must be configured exactly the same way on the router and the RADIUS server.

Example:

Step 1: Enable AAA on R1.
Use the aaa new-model command in global configuration mode to enable AAA.
R1(config)# aaa new-model

Step 2: Specify a RADIUS server.
a. Use the radius server command to enter RADIUS server configuration mode.
R1(config)# radius server CCNAS
b. Use ? to view the sub-mode commands available for configuring a RADIUS server.

c. Use the address command to configure the IP address of the RADIUS server (PC-A).

R1(config-radius-server)# address ipv4 192.168.1.3 ?
acct-port UDP port for RADIUS accounting server (default is 1646)
alias 1-8 aliases for this server (max. 8)
auth-port UDP port for RADIUS authentication server (default is 1645)

R1(config-radius-server)# address ipv4 192.168.1.3 auth-port 1812 acct-port 1813

d. The key command is used for the secret password that is shared between the RADIUS server and the router (R1 in this case) and is used to authenticate the connection between the router and the server before the user authentication process takes place. Use the default NAS secret password of WinRadius specified on the RADIUS server. Remember that passwords are case-sensitive.
R1(config-radius-server)# key WinRadius

Step 3: Configure the default login authentication list.
a. Configure the list to first use RADIUS for the authentication service, and then none. If no RADIUS server can be reached and authentication cannot be performed, the router globally allows access without authentication. This is a safeguard measure in case the router starts up without connectivity to an active RADIUS server.
R1(config)# aaa authentication login default group radius none

b. You could alternatively configure local authentication as the backup authentication method instead.
Note: If you do not set up a default login authentication list, you could get locked out of the router and need to use the password recovery procedure for your specific router.

Configure authentication to use the AAA server

When the AAA security servers have been identified, the servers must be included in the method list of the aaa authentication login command. AAA servers are identified using the group tacacs+ or group radius keywords.

To configure a method list for the default login to authenticate first using a TACACS+ server, second with a RADIUS server, and finally with a local username database, specify the order with the aaa authentication login default command:

R1(config)# aaa authentication login default group tacacs+ group radius local-case

It is important to realize that R1 will only attempt to authenticate using RADIUS if the TACACS+ server is not reachable. Likewise, R1 would only attempt to authenticate using the local database if the TACACS+ and RADIUS servers are unavailable.
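The TACACS+ server steps and the method list ordering above, assembled into one complete router configuration as an added example (not from the original page or lab): two TACACS+ servers for redundancy, the RADIUS server on the IANA ports, the default list falling back to the local database rather than to no authentication, and the Telnet list applied to the vty lines. Server names, addresses, the local username and all keys are placeholders.

```text
! Added example, not from the original page. Names, addresses and keys are placeholders.
! Step 1: enable AAA globally (prerequisite for every other AAA command)
aaa new-model
!
! Steps 2 and 3: identify the TACACS+ servers and set the shared key on each.
! single-connection keeps one TCP session open instead of one per request.
tacacs server TACACS_PRIMARY
 address ipv4 192.0.2.10
 single-connection
 key PLACEHOLDER_TACACS_KEY
tacacs server TACACS_BACKUP
 address ipv4 192.0.2.11
 single-connection
 key PLACEHOLDER_TACACS_KEY
!
! RADIUS server using the IANA-reserved ports so they match the server side
radius server RADIUS_PRIMARY
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key PLACEHOLDER_RADIUS_KEY
!
! Local account used only when every server is unreachable
username admin secret PLACEHOLDER_LOCAL_PASSWORD
!
! Step 4: default list tries TACACS+, then RADIUS, then the local database
! (case-sensitive). No "none" keyword, so there is no unauthenticated fallback.
aaa authentication login default group tacacs+ group radius local-case
!
! Telnet list: RADIUS only, no fallback, so vty access is refused if RADIUS is down
aaa authentication login TELNET_LINES group radius
!
line vty 0 4
 login authentication TELNET_LINES
```

Before applying TELNET_LINES, confirm a RADIUS login succeeds from a second session, since that list has no fallback and a wrong key or port mismatch would lock remote access out.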

Monitoring AAA

debug aaa authentication

The command indicates a status message of PASS when a TACACS+ login attempt is successful. If the status message returned is FAIL, verify the secret key and troubleshoot as necessary.

Two other commands for debugging TACACS+ and RADIUS:

debug radius

debug tacacs

To narrow the results and display information from the TACACS+ helper process, use the debug tacacs events command in privileged EXEC mode. The debug tacacs events command displays the opening and closing of a TCP connection to a TACACS+ server, the bytes read and written over the connection, and the TCP status of the connection. Use the debug tacacs events command with caution, because it can generate a substantial amount of output.