7.1 Key Terms
ACS = Cisco Secure Access Control Server, the RADIUS and TACACS+ server sold by Cisco.
RADIUS = Remote Authentication Dial-In User Service. One of the two protocols a router or switch can use to talk to an AAA server such as ACS.
TACACS+ = Terminal Access Controller Access Control System Plus. The other protocol that can be used between an AAA server and its client (for example, between an ACS server and a router).
AAA server = The server/host that runs the RADIUS or TACACS+ service.
authentication method list = The ordered list of methods to be tried for authentication (RADIUS, TACACS+, enable password, Kerberos, line password, or local database).
authorization method list = The ordered list of methods to be tried for authorization (RADIUS, TACACS+, Kerberos, local database, or "if-authenticated", which passes any user who has already authenticated). Used to specify what the authenticated user is permitted to do.
7.2 Things to Remember
7.2.1 TACACS+ Versus RADIUS
Functionality
TACACS+ > Separates the AAA functions into distinct elements. Authentication is separate from authorization, and both are separate from accounting.
RADIUS > Combines authentication and authorization into one exchange (the Access-Accept carries the authorization attributes). Has detailed accounting capability when accounting is configured for use.
Standard
TACACS+ > Cisco proprietary, but very widely implemented; the protocol was later documented in RFC 8907 (Informational).
RADIUS > Open standard (RFC 2865 for authentication/authorization, RFC 2866 for accounting), supported by nearly all vendors' AAA implementations.
L4 protocol
TACACS+ > TCP, port 49.
RADIUS > UDP, ports 1812 (authentication) and 1813 (accounting); older deployments still use 1645/1646.
Replacement coming
TACACS+ > None officially planned.
RADIUS > Possibly Diameter (named to imply that RADIUS is only half as much, pun intended). In practice Diameter is used mainly in mobile-operator cores, and RADIUS remains the norm for network-device and network-access AAA.
Confidentiality
TACACS+ > The entire body of every packet is obfuscated between the ACS server and the router (the client); only the 12-byte header travels in the clear. The keystream is derived from the shared secret with MD5, so the protection is only as strong as that secret.
RADIUS > Only the User-Password attribute is hidden (XOR with MD5 of the shared secret and the Request Authenticator). Usernames, NAS addresses, and the authorization attributes returned in the reply are all sent in cleartext. Where the path between router and server is not trusted, wrap it in IPsec or use RadSec (RADIUS over TLS, RFC 6614).
Granular command-by-command authorization
TACACS+ > Supported. The rules defining which commands are allowed or denied live on the ACS server and are consulted for each command the user enters.
RADIUS > No per-command authorization. The router can only act on attributes returned at login time, such as a privilege level.
Accounting
TACACS+ > Provides accounting support.
RADIUS > Provides accounting support, and is generally acknowledged as providing more detailed or extensive accounting capability than TACACS+.
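To make the "Confidentiality" row concrete, here is an added Python example (not code from the original page, and not Cisco's ACS or IOS code) that implements both hiding schemes as the RFCs specify them and then reads each packet the way a passive sniffer without the shared secret would. The secret `cisco123`, the addresses, the session ID, the username and the password are constructed values for the demonstration; the Request Authenticator is fixed so the run is reproducible, whereas a real NAS picks 16 random octets.

```python
"""Added example: RADIUS User-Password hiding (RFC 2865 s.5.2) versus TACACS+
body obfuscation (RFC 8907 s.4.5), each followed by an observer's view.

Both schemes are MD5 keystreams keyed by the shared secret, not authenticated
encryption, so the secret's strength is the whole story.  All inputs below
(secret, addresses, credentials, session id) are made up for the demo.
"""
import hashlib
import os
import struct


# ---------------- RADIUS: User-Password hiding (RFC 2865 section 5.2) ----------
def radius_hide_password(password, secret, authenticator):
    """c_1 = p_1 XOR MD5(S + RA); c_i = p_i XOR MD5(S + c_{i-1}); p is NUL-padded to 16n."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return bytes(out)


def radius_reveal_password(hidden, secret, authenticator):
    """Inverse of the above; only a holder of the shared secret can do this."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def radius_access_request(username, password, secret, nas_ip, authenticator=None):
    """Access-Request (Code 1): 20-octet header plus TLV attributes, as seen on the wire."""
    authenticator = authenticator or os.urandom(16)  # a real NAS uses 16 random octets
    def attr(t, v):
        return struct.pack("!BB", t, 2 + len(v)) + v
    attrs = (attr(1, username)                                                 # User-Name
             + attr(2, radius_hide_password(password, secret, authenticator))  # User-Password
             + attr(4, bytes(int(o) for o in nas_ip.split("."))))              # NAS-IP-Address
    return struct.pack("!BBH", 1, 0x2A, 20 + len(attrs)) + authenticator + attrs


def radius_sniff(packet):
    """What an observer without the secret reads: every attribute, only the password value is opaque."""
    names = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address"}
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs[names.get(t, str(t))] = packet[pos + 2:pos + l]
        pos += l
    return {"code": code, "id": ident, "attrs": attrs}


# ---------------- TACACS+: body obfuscation (RFC 8907 section 4.5) --------------
TAC_VERSION, TAC_AUTHEN = 0xC0, 0x01  # major version 0xC, minor 0; packet type AUTHEN


def tacacs_pad(key, version, seq_no, session_id, length):
    """pseudo_pad = MD5_1 || MD5_2 || ..., MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1})."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_authen_start(user, port, rem_addr, password):
    """Authentication START body for a PAP login (RFC 8907 section 5.1)."""
    fixed = struct.pack("!8B", 0x01, 1, 0x02, 0x01, len(user), len(port), len(rem_addr), len(password))
    return fixed + user + port + rem_addr + password  # action=LOGIN, priv_lvl=1, type=PAP, service=LOGIN


def tacacs_packet(key, session_id, seq_no, body, ptype=TAC_AUTHEN):
    """12-octet cleartext header (flags=0 means 'obfuscated'), then body XOR pseudo_pad."""
    header = struct.pack("!BBBBII", TAC_VERSION, ptype, seq_no, 0x00, session_id, len(body))
    pad = tacacs_pad(key, TAC_VERSION, seq_no, session_id, len(body))
    return header + bytes(x ^ y for x, y in zip(body, pad))


def tacacs_unwrap(key, packet):
    """Same XOR in reverse; a wrong key silently yields garbage, there is no integrity check."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    pad = tacacs_pad(key, version, seq_no, session_id, length)
    return bytes(x ^ y for x, y in zip(packet[12:12 + length], pad))


def tacacs_sniff(packet):
    """Observer's view: header fields are readable, the body is opaque without the key."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": packet[12:12 + length]}


if __name__ == "__main__":
    secret = b"cisco123"                # the weak shared secret used throughout this chapter
    ra = bytes(range(16))               # fixed Request Authenticator for a reproducible run
    rad = radius_access_request(b"admin", b"S3cret!", secret, "192.168.1.1", ra)
    tac = tacacs_packet(secret, 0x1234ABCD, 1,
                        tacacs_authen_start(b"admin", b"tty0", b"10.0.0.9", b"S3cret!"))
    print("RADIUS observer sees:", radius_sniff(rad)["attrs"])   # User-Name in the clear
    print("TACACS+ observer sees:", tacacs_sniff(tac))           # header only, body opaque
```

Running it prints the username and NAS address straight out of the RADIUS packet while the TACACS+ body is unreadable; yet both keystreams are built from MD5 over the shared secret, so an attacker who captures traffic and can guess `cisco123` recovers everything in either protocol. That is the practical reason to pair a long random secret with IPsec or RadSec rather than relying on the protocol's own obfuscation.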
7.2.2 Key Components for Configuring ACS
Component of ACS > How It Is Used
Network device groups > Groups of network devices, normally based on routers or switches with similar functions, or on devices managed by the same administrators.
Network devices (ACS clients: routers/switches) > The individual network devices that are placed into the device groups.
Identity groups (user/admin groups) > Groups of administrators, normally based on users who need similar rights and access to specific groups of network devices.
User accounts > Individual administrator/user accounts that are placed in identity groups.
Authorization profiles > These profiles control what rights are permitted. A profile is associated with a network device group and a user/administrator identity group.
7.3 Command References
Command > Description
aaa new-model > Enables the configuration of method lists and other AAA-related elements, including the use of ACS. Entering it immediately changes the default login behaviour on all lines to the local username database, so configure a local user and keep a console session open before you turn it on.
test aaa group tacacs+ admin cisco123 legacy > Verifies that authentication works between the AAA client (the router) and the ACS server (the AAA server) by sending the supplied username and password to the tacacs+ server group and reporting the result.
aaa authentication login MYLIST1 group tacacs+ local > Creates an authentication method list. When applied elsewhere in the configuration, it requests the services of an ACS server via TACACS+; only if no server responds is the next method, "local" (the router's own username database), used to verify the user's credentials. A server that responds with a reject does not fall through to the next method.
aaa authorization exec MYLIST2 group tacacs+ none > Creates an EXEC authorization method list. When applied to a vty line, it requests the services of an ACS server via TACACS+. If no server responds, the second method, "none", is used, which grants the EXEC shell with no authorization check at all. That is a fail-open choice; "local" (as used in the 7.4 example) keeps policy enforced when the server is unreachable.
tacacs-server host 192.168.1.252 key cisco123 > Places a server into the group of ACS servers the router can use for TACACS+ requests. It includes the IP address and the shared secret used to obfuscate the packet bodies exchanged between this router (the client) and the ACS server. Newer IOS releases replace this legacy form with tacacs server NAME, followed by address ipv4 192.168.1.252 and key cisco123 under it.
7.4 Command Examples
Using the CLI to Configure IOS for Use with ACS
R1(config)# aaa new-model
! Authentication: ask ACS over TACACS+; fall back to the local database only if no server answers
R1(config)# aaa authentication login AUTHEN_via_TACACS group tacacs+ local
! EXEC authorization: same order; "local" rather than "none" so an unreachable server does not fail open
R1(config)# aaa authorization exec Author-Exec_via_TACACS group tacacs+ local
! Local fallback account, created before the lists are applied to any line
R1(config)# username admin privilege 15 secret cisco
! TACACS+ server address and the shared secret that keys the packet obfuscation
R1(config)# tacacs-server host 192.168.1.252 key cisco123
R1(config)# do ping 192.168.1.252
! Apply the lists to the vty lines; keep a console session open while doing this
R1(config)# line vty 0 4
R1(config-line)# authorization exec Author-Exec_via_TACACS
R1(config-line)# login authentication AUTHEN_via_TACACS
Verifying AAA
Turn on the debugs first, then open a Telnet session (10.0.0.1 in this example) so that a vty login exercises the method lists and the exchange with ACS is shown:
R1# debug tacacs
R1# debug aaa authentication
R1# debug aaa authorization
R1# telnet 10.0.0.1
Verifying Basic Connectivity
R1# ping 192.168.1.252
Testing AAA Between the Router and the ACS
R1# test aaa group tacacs+ admin cisco123 legacy
Using debug Commands to Verify Functionality
R1# show debug
R1# show users
Turn the debugs off again with undebug all when finished; they are verbose on a busy router.