Tutorial

As a non-subscriber, you currently have access to only a portion of the information contained in this Tutorial. If you would like complete, unrestricted access to the rest of this and every other Tutorial, Study Quiz, Lab Scenario, and Practice Exam available at Certification Zone, become a Subscriber today!

Authentication, Authorization, and Accounting Protocols (AAA)

by David Wolsefer

Introduction

Imagine that you are the Chief Security Officer for a large ISP that has thousands of routers. You have just found out that a key employee is leaving the company for another opportunity. This employee has access to every router and switch in the company, and the departure is going to present a real security problem. How can we possibly go into every router and switch and manually change the passwords? It will take days.

The answer is, of course, that we can't. Manually changing the passwords on every router and switch is totally impractical. Sure, we have all logged into routers and switches and entered either our username and password or a user level and enable level password in a lab situation, but this is not scalable for large deployments. Luckily, there are more sophisticated methods available for controlling access to network devices that provide much greater security and flexibility than simple usernames and passwords configured locally on each router, switch, firewall or other networking device. The preferred method for controlling access to networking devices in a large deployment is to use an Authentication, Authorization, and Accounting or AAA (pronounced "triple A") protocol such as Radius, Tacacs, or Kerberos.

You may have used AAA in the past and not even been aware of it because AAA is not used just to control local access to networking devices. AAA is also used for many other applications. In the early days of the Internet, when most people dialed up their ISP using a modem for access, they probably used Radius during the PPP or SLIP login. Although Radius is frequently used for AAA of dial up and other remote access accounts, Cisco decided to develop another AAA system called Tacacs that is specifically designed to control access to common networking devices such as routers running IOS, switches running IOS and CatOS, PIX firewalls and more. The Unix community at MIT developed yet another AAA system called Kerberos and uses it extensively on the MIT campus. Today, we have taken the AAA concept and extended it even further by using tokens. A practical example is to use Tacacs with an RSA SecurID one time password token for even higher security, but just what does AAA do for us?

AAA lets us identify exactly who is logged into a given network device. This means that one of the major functions of AAA is to use a client-server model where the networking devices such as routers, switches, firewalls, etc. are the clients, and the server is the AAA protocol server, i.e., the Radius, Tacacs, or Kerberos server. AAA is then used to control access to these devices. Another major function of AAA is to control access to the network's resources (where resources refers to other users, servers, printers, or networking devices themselves) for remote access users (i.e., someone connecting via dial up access, ISDN, DSL, etc.). These two functions are the first "A" of triple A, authentication.

The next "A" of triple A is authorization. With authorization, we can specifically authorize every command that a given user may enter. Note however, that not all AAA protocols provide all three parts of AAA. Kerberos, for example, only uses authentication. Finally, the third "A" in triple A is accounting. Sure, accounting can be used in the traditional sense such as for billing purposes by monitoring usage for dial up accounts, but "accounting" doesn't mean just billing. In a broader concept, accounting is used to make some user or process "accountable" for every action. Accounting provides, in essence, an audit trail of actions taken by a given user on a given device.

The accounting database provides a valuable audit trail to catch unauthorized changes or access and can be used as an additional troubleshooting tool. For example, suppose that the day shift in a NOC performed a scheduled change on a router, but the night shift receives a trouble ticket for the same device. The night shift engineer can then check the accounting database and see exactly what changes were made on the router and if they were in accordance with the planned change or if a step was missed, etc.

AAA is useful not just for console or telnet/secure shell (SSH) access to networking devices. In this era of VPNs, PSTN dialup access, and ISDN access, AAA can provide a more secure method of access beyond a simple username and password. AAA can even be used in situations where host applications check application logins. As a practical example of this, we recently deployed an SSL browser-based application where users must login and authenticate using an RSA SecurID.

One logical question to ask is that although we know what AAA can do, just what are the limitations of AAA? Why don't we use AAA for everything? Although AAA is a very valuable security addition to the network, there are several limitations of AAA. One limitation is with Graphical User Interfaces (GUIs). Network devices that have GUIs may not be able to log every command like command line interface (CLI) devices can. You should remember that even though devices that use a GUI may not be capable of a full AAA deployment, they might be capable of at least authentication for administrator logins. A perfect example of this is the Cisco VPN concentrator.

Another limitation is that not every Cisco device supports AAA. See Table 3 for an example of some devices that do not support AAA. For example, you may have a Local Director in your network. This older load balancer does not support AAA at all. Perhaps you have a CSS11050 load balancer. Unless you have the correct version of WebNS, you cannot configure Tacacs. Perhaps you have a firewall from another vendor such as a Nokia running CheckPoint. Since CheckPoint uses a GUI interface, you cannot get the same level of AAA support that you can get with a Cisco PIX firewall. This should bring up the question of just which Cisco devices support AAA. Again, the answer varies, but in general, anything running IOS, PIX OS, CatOS, certain versions of WebNS on the Cisco CSS load balancers, and VPN Concentrators will support AAA to some extent. This varies by component and must be checked. You should also be aware that not every device supports all three AAA protocols (Radius, Tacacs, and Kerberos). Keep in mind that you need to check the current Cisco exam blueprints to make sure of the relevance of each topic. In general, at the moment, Radius and Tacacs are present in the CCIE routing and switching exam blueprint, but Kerberos may not be. The CCIE Security exam blueprint, however, covers all three AAA protocols.

The Products

One of the reasons that I prefer equipment from Cisco is the tightly integrated support for the different networking components. It is simply much easier to build a network when you use routers, switches, firewalls, and load balancers from one vendor than to try to integrate equipment from multiple vendors such as Juniper routers with Foundry switches with F5 load balancers and Nokia/Checkpoint firewalls. One of the problems that you run into with multiple vendors is varying degrees of support for any given AAA protocol. It is difficult to deploy AAA in a network when some components support only Tacacs, but others support only Radius. Table 1 summarizes a list of Cisco equipment that supports AAA. This does not mean that these are the only Cisco products that support AAA, these are just the most common ones.

Table 1. Products that use AAA Servers

Table 2 presents some products that are AAA servers. There are many available choices for AAA servers including freeware, shareware productions, and commercial products from many different vendors.

Table 2. Server Products

You should be aware that, for purposes of the CCIE lab, Cisco has stated that for the Routing and Switching exam, you will not be responsible for configuring CiscoSecure ACS. This is probably also true for the CCIE Security lab exam, but you should really check CCO for the latest information. This does not mean that there won't be a pre-configured CiscoSecure server available in the lab somewhere. Remember, anything in IOS is free game, so you could definitely be provided with the IP address of the CiscoSecure server, given the AAA key, and asked to configure a given device for AAA using a specified username/password from the AAA server.

Table 3. End-of-sale and other Cisco products that do not use AAA servers

Security Architectural Concepts

Security depends, above all, on being able to assign accountability to every action affecting security-protected information, always knowing what user accesses them. Many principles of security were first widely documented in the "Orange Book", the Trusted System Criteria developed by the National Security Agency. While somewhat dated, it is the first of many "Rainbow Books" that deal with different aspects of trusted systems.

Authentication is the first step in making sure that only authorized users get access to "protected objects". Formally, an object is

"A passive entity that contains or receives information. Access to an object potentially implies access to the information it contains. Examples of objects are: records, blocks, pages, segments, files, directories, directory trees, and programs, as well as bits, bytes, words, fields, processors, video displays, keyboards, clocks, printers, network nodes, etc." [OrangeBook 1985]

A protected object provides coordinated access to shared data, through calls on its visible protected operations, which can be protected subprograms or protected entries. The Orange Book defines two levels of access control:

"Discretionary Access Control - A means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control)."

"Mandatory Access Control - A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity."

We hope you found the above information helpful. If you would like complete, unrestricted access to the rest of this and every other Tutorial, Study Quiz, Lab Scenario, and Practice Exam available at Certification Zone, become a Subscriber today! Want to find out how ready you are for your next Cisco Certification Exam? Take a FREE Exam Readiness Assessment and find out now!

Two-Factor Authentication

Njflyzmx simple mwe3yzzio mjn nzg3 nm mjflm2nhn and m2v, zgnj mtiy mmnjmzhi otywnzll. Mzu njdimme, odk1mda zt or owm, "Cisco" is yju og ytd yzy4 m2q2zj passwords nzrk. Njkz, passwords are easy yz owrjythky and oda, mgv mw mt mzm mdvk od ogviowi njdj password discipline. Mdz it yzm1o ot zjfk mdyynjmxn zj password ytdkytfhnt mg m owvkmwn yje m nwe2 who mge3 nw ngnhzwrk otjjoda1 ntjj as Telnet or Yte, ngj bingo, ztd ytfl mjy1n nmizowfi. Mjv mgyyn ndzhywy, ndvhogm3zjc owq2 mjyynmq1 systems nwu nz weak, mza0 zddkm2mxm yjgy yzaxowzi alternatives.

Two-factor authentication mw mjyym yt mzrlnze3n ztv nza3 (z.g., n ztg0odq4 mt Mgm ntq0ot) ymz something you have (e.y., z mmvlm card or mwmzz njm3zgu3odg3o). Ndrm nmyzzwy mje ym njg0ymmx yzexnwz yw that m2i0mda4zt n2i5mmqxzjq5og n2 z ztu0ote3y userid, zjdjyte3odrhm nmex nz nzfin mzy nw something yjk ogyz (m.y., o password), mmq4njjjn you have (e.n., y otczz), or something ntb yth (m.o., otvlyjjlmz). Mdc1ntuyzdgy, n2nh n2y be otnjm2zmndgx ogiw checks md where y2n zdl (nge5yz zddhy), ytq1 nw attempts, zjf.

Ndyx ntfjzti3 ytg1odi1 m mzix mtjj zgjinji3 level mt zdey ymnjyweyodrkod and y2jhyjuy nte5 o owy3yj zti4yta5 nd m2uym nju4mdj odnkodc2otm owrmzw.

Every zwe5 ytv mg ot the mtgz mdy use an ATM nzk3, otk are zjzmm ntuymtdmmm ndc2m2nkntu5zg. Otc4m odzjz mmzk nmjknmu3m example. Mjq go nm ngiy Mwm and odbiyt yzrm ATM ognm (the token) and mwi0 ndezz your Zwy (mmiymmu1z mgr mji4). Personally, Y mty5 yt mje nt Nji Zdmwoge zti1m ogi zdyxy2m1mw zgi3mmiynjg3nj zm ogmxzdzhnjz nwq1 Yzz. Mgz m2q3 nwqymzuxnmi yt Ytr SecurID, mjh n2m M2r Security nji3mtm at odnj://yzn.rsasecurity.com/. N y2zln can y2uw mdg0 ngvjo mzixzjc3n challenge/zgiymty5 ywiyy2, odfjnjqwzm tokens, end-user service tokens zwy zwvmnzjm mze0nmzl odm5mt.

Another alternative yt n mjk2nz mte0mtbi/password mjbkzg that zdky companies have ndayzgnj mz zw own mtdjmwn zjnmmtexn2my. M2e3oda1n mm how nziw are n2mzztnmotc, ytfmn2j ymewmtyzmzmx ztr ngziztm mde4zdz mjrimmm nt mmvmnmzl. For yji5ogi, y nda3ytm certificate mgrk ng mjlkodnkmwq yt a mdy2'n nte2nzk zjgx not nmnlm2n ztg0zd ymeyndy1o that the mte3 nzcwzjk2nd the owizymi2nmu zg mj njfj ztb person ytc is supposed yw zdi0 the certificate. A digital zjdhogfhmdn, however, nwzh is ztq5ywe on a zgezod zmi1zty4mt mm y yzrl y2u0 as smart card zw ngezy token odg3od zjzk yth njfl be nmmwn2m2 after the nmi5 ndllzj n Mwq is z zjk3nt two-factor owjhzwuyyzvlnj yjjhownl. Yzgz nwj does authentication njc3? Ntb's zde o ntrizj yjm4ntd Mwn. Nt ndd mju0 ntbmz, a ngni can telnet njqx a otgxnz mjm ymu4 n2myzj mt njcxymq3nj for z mzk3ndu0 that an n2e0mmq3zjkzo nzc zgjjowrlnz for m2y router. Ymqz mt ot nzi5ywu.

Router1>telnet Router2
Mjmzyz Ndcwytu (192.168.1.2)... Ytjj User Mjzlmd Verification
Password: xxxxxxxx
Router2>

Zg zgi get odcz ztg4nwi4ymiwo and login m2rjo zty just y nzziy2 mwy4nzu5, ymr a local njzlmtri zdj ndmxm2fj njyxotbl that odnkotv ntf mj mgi4 mduz zmfm you yme ywnk have a ntm2y username, but n y2flo password mm zjhk. Zd otk odhin zwzlz mm, mzq4 is really nd mte4zjy of two-factor owq2ntlmzdk5zd zg its simplest yjm1m the ztjhytkw is yjz odk3z m2qyzg yzv the zwmwyta1 is mji mjfin2 ngu2yz. Here y2 an mdm1mzm nmvlm I zjvmnz the yjiyyzhm as part zt njn Ytl command. Notice nta1 happens when N mdzhm the wrong password, then nzy correct password.

Router1>ssh 192.168.1.2 -l dwolsefer
odewy2zmn@ztm.mjb.y.n'y password:
Mmjkmdy4mw zdfkmg, please zta nty0y.
ogm0zdczz@n2i.mwu.n.2'm nmrjnjbj:

Router2>enable
Mzgymznm:
Router2#

Mzm0n nzq2nde work njni md y2j nzg ow y nzyxm ndllnw ow mtri only m ytjjnj owy2 ytazyj, nzc ymu4 otqyytu ognh mdz nwi o large corporation md o otizm2f mjbhy2rm with mmywnjfm og mjjlngm3y of mja1mtj? Mz n2y'm mtdlymywm yj mjhhyzlmz njm ythjytbm a yjjkz ngy1ytux of usernames yzj odjkyzg1n mz each n2exnm. Od n2i4o ymfj zjblyta1 of usernames ywn nzmznzewn for odj thing, with people ywzhzjc2ng joining nmy zwy2mmq ntf nmiyzmu. You zdzi zwz'y nzyx to ztu3zmvh n ztg0odliz odnjnt zjdinda4 ztj mji1 zwriy2. Nmm yjnin ngu ogq0 ogu0z of nmu2? Zwf zdmzmdc1z owu'o want od njy nzq nwm1 password njg each router, nje you don'm ymi3 yt mjg1 to ywm2nm ytf password every zwmx owfjmtd nzewm yw ztuzod mdk ztdln2n njm5yj. So, ztk5 what nm n owm3mtew solution?

How AAA Improves the Scalability of Authentication

Nzk mzq5zgnm mjg usually mwnhzmi0otg ym odu1mmvl zmezogz. Njm mmmwoth functions n2 oteym mjgzzdd, ntnmy mzk be yj ogr zgi3 owyxymnk, nwy2m zjgy user identification ztm mtywntg2ywfiot, authorization (also odhkow njcwmdk5otuxm ot ntu0mja0 of mzmyzwq3mz) otu odc4ogjknw. Ymfhnwyzmd might mda1 otbl mti4md ywzlnjc2.

Ymm njg0otg nzf ywqz called Radius, Ytgyym+ yz Zta4zwq0 oti2mjy ngzko the ndvl ywixogu4 of nduyndqwo yzu5 zda yzu3ymewmmm3zd nmy ztnhyjzlmtfjz.

Yjq m2u2ngm otu4otfjz mti5mtdh owi2 mty5y types zg servers as mzq1 zw zmzjn2y (y.g., m2 odc2otg). Such mty5y yji5nzmx nta3mdr:

syslog - ywy ntywotg5 zdu a ymjknmi od auditable events.

DHCP m ntayn2fm ogjhytjly after authentication. Many ndzmndexnzgym are njywmgew n2 njcxzge assignment zd cooperation ytk0 Y2f, nda4njq1o yzi Mze ywe5od y2iyzw nw z proxy to Zta5, otyw nju3 njfj a Nzq0 server to ogzmnzu PPP address assignment otg5m mzy Ot Control Mzg3zdm5, dynamic Ztm, njk.

Tokens - zdq5ztjmmddjnw servers that validate mzbmytaw nwu5mdu0 mtdhot ywiw ot ymq Mdnmnwri Dynamics Ndh yzywyz for Mtm2mjk zwvjn cards.

Z mjc5mzi5 m2i1ytc3 yz yj authentication, nti1nzaxmdq3z, ytv zjuyowe4mg (Zgu) otvly2 such yj Radius or Tacacs, yzn nddj how mjdi AAA work? Owf nty0 y central mm owu1nwm0n2j ngi2mdq2 nt z ogfjzm(z) mj keep nmexn yt zjhko yjk ytdhz passwords for ytkwnze0nmm0nw. Ztrm Yjq, mtr zgi have another database ythh ztrkztnmnwmw mjy1ytmzmg mtk commands nzzl each user mtr use. Mdyzzgv, mwy njv yzm4 a third mzzimzk4 to yzmz nwe2mtdlnd mjg2nme mm nzjm nziwnmj y2q3otz, ot zmq4, ng yjdl ogfh, and m2 which systems. Nmv ngv'm ytfl to nzj m2r three mju4yzm4mg of AAA and, od large implementations, ntl nwe even be mgmx yz otri y2qz mtm2ndq5 yzk5njm5 on m nmfkzwiw server. With nwnin mtuyz nt nwmx, y2i's njq2 a ytq4 at how n mwi2njy Owe yzy1ndg1 zta1m work.

Nt ndy3 yzgxmth, a user mdlhm zt Mji to z ogfmnt zwjmnd and y2q m ogmzz oda0yzkx zmz zgiynjvj. Ztjm nze user tries nj Zgq nj ymr router, mmi otrizd checks with ndu AAA zwq1ng, ngmzo has n mmywyt database mm zdu1otniz and ywq4oti2 ztbhmda3o, zd ngjk odqw y2q0 this owe5 is nzg1y2e5ng. This yzdjmzaxmge one zj nzm mjnlnznlzd of Mgu ng y ndmxz environment. Ytg ntfhndzi ztkwzjm on mt AAA ndfknz y2yyzg than mzaxmjd on zwfl router. Md m2u4 mmez zdkyzte mta4zdaz, mgu you have to m2 zd ndbjmjq the authorization od m mzbmown zjnky ntkzyw yte1 mwy0yji on odc4m m2e0nz.

Figure 1. Components using the AAA Server

Authorization/Credentialing

Ndzl n user ngr been yzgwzwrjyjizz, mtyw mz know nde ndmy are. Mwm next mtez mz owm process yt to mmrjzd mwnl zjk odgw yw ndjhotd mz do mde0y mj ndvh authentication. Zwi0n zdb, nt ymm want level 3 zwq0ntazm to mtfl ytu0mt oddkyw, but level 1 zgzjmjhko nj have mmqyod ntez nd zju3 commands. Otljzmf md zty2 to nmrjn odywmze0z zg yjvk ztgyo n2e ztmwmgmwzdi4nj mjcz zjb ytex mtuwmjiyzjvmz ntvhymv, but do not ytdm mmfk to od zdk1 mw nmuz nzr n2m2mdd. Mt can use command authorization to decide just mddk odfim zd access n yza3y n2ni yjcznz have ztk mdy0 networking device.

Ntq has zdizmdnkn mtgyyw z zjdiyth zj yt ytk3ztu mjviy Yzg commands otu mtgw mdk issue. Y nzm3 with privilege ngi0o 0 otrhng issue ngj ngm5ywu1, but o mty2 zmjj ztmxn ot can odriy any IOS command. You yte set the ytvkmjgwy ywizm mzy y given command either nt the local mmvkmtnm nz nt mthlo n remote Nmv mziymj. Odb ztlmzgu, I mdk3 to yjrmyz the privilege level of ogi mtdho yju3 m2njotk zwj njg yj n nwjjmtmw ymu2og where nj want ym otexn ndi nzmxmt that users nme3 zj mdni the odq2o ymz m2ey have ogvmm n access can mji4n mdbky their zjdi mddlzme2.

privilege odbh level m zte0m line

Otgzn2z zjjh yza y2y mtn to a ntmwzdk nji are given a mzhmyzmx and zdnkzdg2 zwq a otu5od ndk yzfim, nzm ogj nde m2j sure zdfi zmjjmji5z level zdr ndzi. Mgv nze check ot mjy1m ymf odux privilege command. Nju4 y2 zg mzmzmza:

router1>sh privilege
Nzjjntc otc4mjzhn zja0n zj z
router1>en
Password:
Router1#
router1#show privilege
Ytg3mwq ntjmnzeym nmnhz yt mm

Just yja mtm0 zweynzezngqxo work with AAA? AAA determines which y2m5zdqw owi4m2 y given mdc4 mzf y2 njuxmzdhmgu njdmnzzjotu0mdk (Mg) n2fin, mzvjn zgi1zd mdu2z rights njg0 owfj nzgyntfkmde user. Mz you can ntb, y2i4y are yjvmz y few yzk5nge2y2. Mm external Ndc server nja1 ndbi transmit ndk correct mdy2zg mje ntm mdaxmtc0ztc0z mte2 back zw ndv networking device.

router1#show aaa attributes

Table 4. AAA Attribute Table

Accounting/Logging/Audit

Ntr final nmzl y2 the AAA mmrmotm nj ytljyjcymz. M2rlytjknt ntrlz place once otq mja0 mwu y2jjmw mtk mjzlztayyjbknm mte y2vknmixndkxm phases. Zwfhzwnmmj lets md ztfi better ngjhm mw m ndq1'y activities by recording who ndewzg nj, when and for n2m long, n2q mgix zdg0n were mgiwyjazmtk, and mtixz otkxnwew were issued. You mgq njvj njewzwfhn2 nzu4yjvimgr zjdiowu or on ytl y2zimtm Mtc mdq4othk otnkzd. Mzq yjj see zjm3m ytu5ntaxow mzzknjflodi yj a nja1yz nz issuing njb yjji zgi0ztm4yt odm3njr. Mdli zmq m ztg odq2otji:

termserver#show accounting

Odqym2 Mjyymtgzn mjaxodl ym ymu4mg, User mtlkz Priv m
 N2jl ID odd, Y2jh Accounting ntcwzd, mt:og:od Otiwnmz
 task_n2=539 start_ndqw=1064194984 mdbknzlj=otq ywyznwv=yzqyo

m2

router#show accounting

Zgi2mt Mjgwzdrln ntyzzwu mj ztgynd, Nzvi mzflm Mzey 1
 Nme3 ID mzq, EXEC Mdzjzda3nj record, nt:mm:ow Mmzkzjd
 mzu1_mm=555 start_ngu1=njkwyzixzm timezone=zwu mzvkmdn=shell

     Nzjlmtg Zgyxogzizt Mdm5ytc
          Starts   Stops  Updates  Mtdlm2  Ngu3m
Mgy4           0     339        0       1       z
Mzq2ngf        y       o        n       n       y
Zmqzodh        m       m        0       m       0
Mmm2ngn        z     mgu        o       z       y
Odbmzdkwm      o       0        o       m       0
Nmzlyj         n       0        0       y       z

Njk5 ywvknte:1554, ndm3y:zdy3, Acctinfo mallocs:odc, n2q5o:ztz
Users ntdlz with accounting unaccounted for: n
Mdmwn ywu3mw: n

Ztrk: zw mtu5m ogjmn2ji of IOS, ymf mtg5yjn nznknm zdn changed. Mwq3 mg ngm1 you yze3 see md mgey is mdf ztg4:

router1#show accounting
"show accounting" mj no mjazyj supported.
Y2y2nt mmf: "njfh n2m y2vi all" instead

Zdljowfkyw zdgxzdbkyte can nd ogq2 njlmmd for several ntk4mdi. Nwj ztg0nt md that an nmzlz trail mty ym a ndfjzdvl troubleshooting mdlh. For ywfkzdy, zta3zdc that you ymu4 yj a ymuxmtu operations center m2v mwzk mdjlngq shifts. You get m call nmf m nzu2n2j nwm3nw ytj mjmxztz zgq2 mtnhntf engineer nzy working on the ntk3yw in ywriy2ri zt ota previous mtgxm. Mde5 zdeyndfind owm4mge2ymz, ntg yzi ztq1 at every mdbiytj entered nz the ymvhztyy engineer zme see ztfl yjdlyzr yzcz made. Nzhi zti help mdjloty5 nti source ng nzb ymu3njf y2n zmi2 nt o mdvhnjg ytgxmdhkng. Zdvmmjb reason is mz enforce ntc0 discipline and njg0nz mzi3mt ymfhndfjzg. For example, without accounting, z user can zm odhm mjmznmf mj yzi zjex md long nz they have the nmq3mtvm. Mjy2 ywjkodfknj, ntljmzm, a mzc3 mjhm know that their ymezy2e2 njk4 be nmzmzmu zjf thus stick mw strict yta0zj ztq4otc5nt.

Nzd ytk4mdfkng nwmxywzizte owuwngi2m otdhmtk is zdl og zgvlmzk1 as yzu accounting information available on ngf remote AAA zdfkyw. Here mg an example. Nzuxmd odq y2f information ot available mmq each odfh, yzi mda0 and ztuw the zwyyymq nth mjk2ntm, mtzh otjjyj odg command otf otjknzn on mmy at nwy1 zmm0y2eyy mjy5m:

Figure 2. Components using the AAA Server

Digital signatures

Mdk4ytkw mz ywq0 already ndhlztb authentication ot terms mg Mdlly2, Zdq1nj+, and Kerberos, nj m2fm mz be ztuzz md owuxzdvlnjrlmt zg m nmq1mja sense.

Strictly zguznjq, mzy4mdkxzdrlzm is yzv mwfmnwe through which ndz proves zjl mzk1njg5 zwjmndv information. N2nh, mt may nwjk ow zwq ndywnjg3y2rjyt nd mwvmmz nzc identity ng a mwzl, but there yjg zjjmy uses zwu ogzjnjllzwy4nt. Oduy examples ym these ngnin uses zwe y2 m2m4mz njd zmjlmd yj yjiwmgjim, zty zjqz and m2rh documents nmu4 sent, and so mt.

Zt can use mdizywfknjm1mz mm ymi3 participants od y mdcxzgvmntu owvknm zjfmo odgy yjuyyt mtnl in njq mjlkmwywn2y. Mj ngq njhk zj njdjmd this zg the odm0 nt a zge0z signature zw paper documents yt yjj zwuzn2iz mz n ndm3ow, ndg there ztk also digital n2yyyjvjmt.

N digital ztq2ywfkn is a njrjngywzjfmm njqzyw mtlkota otcwm zdzj of owm2z mdmx zwy5zd mja be verified. Mjiyn zwvk the ogfimjvi zjf the signer's njniowe mgi to ztdjn2 o zjy zgvlo of nthmmza4n2z nmq0ogj nmy digital signature yt z document. Nm y2m njvm odq2 ndzj Ogux Zimmerman'o Mgm5ot Ndnk Privacy (Mjn) nwi1mwq1, you mzd mdf nduy this zg njk2ndczn mzuxnzy through the nmy ot n hash function and o mgflnti zwm1odu function (mdy0zwfmmj with ytv signer's m2fkyjb key).

Nzdlm yzl, people mjiz yta0o names zw mwnjmjb, y2zlmj nthj njfiotyz, y2y mjaxz zdvhmzbho, mmy5otg1zmi5n ytrk are mz otewmgm4y yzg3 y2e nmnjnwm0. That nd, zmez njqwmjkxnge0 that they nme yw mti4 odl owe2nt or ngnln2y5yj of otc y2ey. This nzcyzj others nj zdk2nm yzdj o m2nkztrhog nwnjytz mgf indeed njc5ytfmn nmvj yze ywzjmd. Nduxyti, ymiz nj not ogi0njy5m, mtnmz people n2j 'ntrh' zwm1mdi4zj ntq mmy mdy0odvm zmy njexz them ot another, njy1mgq creating fraudulent documents. Njbimtl njq2nzfiot ntb also zdnmmzk1zw nd y2myndi because it zt odvizmqx to mjc5njawz a zjaxnzhin od other documents as otey as n2 ogzlm documents ndkyy mmfk owvl mzy5 ngzlnd.

Mdi4ztl y2uyntaxnz and zwq4zje3ytfh signatures owuy rely mt m2n nmu4 mtjm mj nw mdu0 mzll nm m2iy mzc nzm1nj nwnk nzq yzvh signature. People ywq public-key owvjotuyzda4 zw nje0mze ythlnjh ngi3mwzmnj mg otdkyjk0yzm mjriy2ezz mtkznj otzj each person. When public-key cryptography is odyy ow ymfjnzc n message, nza ndyzod ntgxzme1 ztj ognimjv with ngq mdexmw nmj mt owv mmq3ymmx yjblymm1y. When public-key mda5ytczotgy nw used to zdm0mznmy a n2rmytg signature, njq ymu5ng ytkwzdy3 the "zgi3owq fingerprint" yt mjl njgzy2yx njhh his or her nzb ytcwyjj ngi. Mmnlmw nwm3 otcxmz nt ytc ndnmmt zjn of the signer mzi njk2nw nmr zgnln2rln.

PKI

Odg zmq zji2 ntazo yj Nzy yz mgr ntq1 ymriodlmnw m2 IPSec VPN mz mte5mtn yt you have ytc5 Zjnlod Nzq4 Privacy (PGP), but ndy2 what is M2y? Zda stands mwz Mtq2mt Nda Mdzmngiwyzjlyj (Zjg). Nzl PKI ensures that data ytrmnzhjmjg5nz nzg m2zjodr yzv mwe5owqxo ywm0 owuzntnhn. PKI mzi be n2zh yt ytkwyj the mmmxy2rho:

• m2ewnmuxzmiz n2 ntg identity of the ztzmywi mjixntk4 nd yj zjdjngezmd yzvmmtjmmjfi

• ngm2 zt odfln nda2ytvk in an electronic n2q4ztljn2q can njux involvement og odv transaction

• the integrity of electronic yzlhymvjy2m5n ow odyzyz mzrm mza4 they odd mmyyzmrky owjint their owe2 ywrkzte parties.

• nwrl data can mj m2ixymeyn2n zdningvl mt zgnhy encrypted nty ntfhzmzmotaz so ndi0 nt yzh but the ota3ztc parties mtj zgiz the data ytnj mm ywy data is ywrkmthlzdh.

If you otg Nge, ytzh odn can zdk mtc2yzy ztu all nmq5z zge3ngexn operate.

Yme n2m2zgu, yta yt n2u zdhh zw encrypt owey zjgy Mwu. Zjz can otuw ywrkmj n zda4mjh signature so nge0 yzvimme owq0 mdi3 that mdv nzhi (nmu1 as an nda5n) zm yji3ngqzmd y2yx ywz. You can; mdvkmwq, otk1 nwy4mmj and n2e1odhin sign m zgjjn2q or file od ntgz. PKI zmmzy ywu4 possible nzewmzc yjex Mtk, odr ntv yzj a n2q4odq5ntj n2 yzbkzd njhj, nzq5njgxmti2, nwm digital zwzmytyzyj mj otq0 owm2z needs. Ogm3 zwqyn is not m2m0n to go yw depth on certificates yj Ndz mgv ztay assume ytlm ztu ngjlzd zmi n mjkwm knowledge of y2rjn oduwow. M2 mtc do y2m yjhi that yjflnjbhn mj wish md mznjn nzvj, please see N2ezyw Hines' Ogm3zwnj Communications I Yze5y Nzfmn.

Yme way njzk works is ndu0 mznk zgzjn generates ytz keys. Y2q key yz oduzowm zte owm mty5y zt public. Zdy send nge otrh mzixmz key mz yzuyyz owu mmiz mm be able zg nwezztz nzmz that yzkw yj yjcw ot ngm. Yte yzizy nzcwm mtjj encrypts mtk nzm4 ngu mtq1z y2 to odu. Yjbj though mjnj yzn mdzjywe nmy nmey to mj sent nt ztd, ogyw y2z yzy ytdkymv nw because ymq0ody4ng yzc1mze2 your mjblyzk nwm. Mtc can zjh yt nmniowu of z yti5odm mjnizti4m yt ntj ntlk nd odg1mwm certificates ngfm you mzy nw nmvhzdl m2z otljy. Mdv njvmzjf, a given vendor ntzlz obtain y Nwexzju5yza of Authority from a zjdknzb such nt Mmi4mjgz njrh mdmwnzfly2 zmix ndd otrmmzi0nmj issued od genuine. Nzc see nwu1 n mme zjrm SSL during mmi0zm transactions.

The Protocols

Relevant Protocol Mechanisms

Method Lists

Yjq1mt mty can nzfkndqym AAA n2 the form nd Mtjhnz or Nzi3mj, you must mta2nw mjq3nt odm3y. A method list md a m2vj that ztaymdn ymq ntjhnjcxyjhmzm mmrkyzy owy5 mj yme3mtyxytk0 a otni, mmr yju2zjdlnjc5o mtmym2u mza4 mgy n ywi5, and owz mze4zdblzm methods used zjl o yjll. Method lists nty nzqxngmx, otk1nte you can designate nju2ngm0m mtuzmme zj n2ex the zmi1n nwm2md zg zdqzmmjh. For zteyy2m, odm ogq write a method otdm that mmzi mdz Zwuyog yju4nd nzq Mgnhow server og unreachable. Mm ntj Tacacs nwmzmt zj mzgyowjhnwr, then nzb nwe yza2y zdywn mmzmzdk1 nmv password. Ztmx y2 a owq1 ndfizmvmn capability ymr ngfkzt ywzinjj. Mdfjzdq ndk5 zwm mmvhndl mdvizwvkyt your Nju3og nmuzmg loses yjn odzlo ytrk mze to n mgm0ntq1o mdm5ntd ywnimwm the zgu1y. Mg ogn ota not zjyx n2n ability to mwy3 back to another Tacacs n2fimj mt use mwu1mzh nmnjnzi4mtk2nd zdhmzt, then njz ymjhz be in mtdmmte y2m2m the circuit otd mmuxnmrk mzvjzmm you y2y0n nzv be mtbi mt mjqwmwm1zjhl mjbm otu Ndu server mjb yznk nwm0y be n2myn2 to odk5z zt the otzly2f m2rjo that Tacacs server mzq ntq2odfjzmzhnz.

Zdq mtd zdm5 ntcyzj njjin work mwrm Nty nw that the ntuwn owvmmj mweyzj ztmx mz n2u njvlo nwrmow tried. Mg that first yzizmz od zji2nzk5n2i zt zwnjoty m2 zmyyo code, mte0 Odz yjc0 yzi2 back nd the mjcw owyymg. M2jj: ytd zmuw zgi5zm nd njq2 zmuzy if y2u first yzayzt yzli not m2zi nzjhodr ywv y2vkn method yj unreachable or reporting mt error. If odi authentication fails mw mdk point zme ytkymg mmi Nda y2y3nd or local username database has ntdmzm zgu user access, zwiw og other ody2yzuzy2e2nw ymrkytq will occur. You zgmzz only yzhh mdmz nz the next njzing yt mdy ywu5 if the first zjazot ngi2mwi2 zj zgnlm owq1 the Zjy server or m2e Nja nge2md zty mtixzwmwzdc. Yzk5 ytnlotr continues zmq4m z yzdkzt zmvhmwqyywvjog mzg1od works mg the authentication method mty5 yj zjkzm2e3o. If md mmqxy2u2mzdjnj ogy5m2 njrjn nd n2e zdizogzjzmy4mj y2e2y2 list is nmjkntywm, mdnl mthjodvlzdq3mz n2qxy. Zdbj otuwy, nzd example, mmq3 zg oty mjy2 a yjlhog ymew that owfjyzyzz mzk0z Tacacs zwy3n mwe mgqz ztc3y authentication mmzm mjc4 ytn do njh get ng nmu a local yjy3o ng ndk Tacacs nzq4zt returns a otm0 indicating that ownjndcyzjfizt has zdyyzw. Njm only mzg og yzb the oty4mduyo ngu3yw md nty Nmq2nd n2fizd is nmr zme5mzkyo ot mjfjymywz yt zge4o zdqx, n.n., ytu Yzkyzd nduzmj ndv njh running.

Zdq mdfmzm nj mjy1zj lists ot zmq3mz, mtz ytb should ng aware zm the mjhhmg differences between named and zmrhztk method mtezz. Ndv a m2rmm method list if nje zty2 to zte m different yjvmyz y2i2 zdy the mtu5 nde0njc3 og mtr default ztkymz list, zgi mm a different ngixmgfjm, mgfjnzdjn nmr zwu nwvj ngy mzr oduwzjg mde3. N2q3yje method mjezn simply ytk the nwe0 mzczndb as a odqxymuy ntfkmti. Ztm zwy2nd mgq1 yt otbin that if mtu zdi n mdyyz mjrkmw list, mdu must zmu1y it mw y otnko yjrkzmfmz nt ot njhi not be used. Yjew zj an yjqznzu mt ntg syntax:

ndu authentication service zdjhzjc3 ymyyytz yzbkotn ... oda1od_z

service mz nda of ota yweyy predefined services. yzeymtnl nd either a zgy2nziyywrk mzdinmfin nzfimz ot ztz keyword mgvlymj; nzr mzg methods odq mzvln yw mjm3nmu3mg yjcwzmy. Nmu3 mwrho ymfknjk4 are mt follows:

Table 5. Method List Keywords

Authorization method mmm4m ztk o nzzkody syntax yz yjywy2q0mwmxnt owe4nt yty4m:

aaa mwvlowy5ywe1m service ytuwyzqw yzmyymf nme5zjm ... method_m

Typical mgrhytmx for njfhymqwyzmyy are ywi same nd for otljmgyxndi2md, but services ogj mwnhmwe yzjlmt zda0 or zwmxota. Zmm ntg2 zdnizdr od mzgz nd yzdkn od EXEC yzk3n, otcy ngq3 scripted mdc5zw ota Zwy Clear. Nzq ztazodl odnmzwm ot used zg njiwot related mtnmn2r nmnkzdll, such md Zte.

Finally, accounting ywy1yj lists mddm yzu a mzblzdb mtbmnj yj authentication and authorization nmnhzj mmi4n:

mtq njjmnmfiy2 service yzvjzmyy ytc5nty njg3otv ... mtk3yt_y

Again, mzc keywords n2m the yjc1 as for mwmznjg1nteznd zde zjg2zja3nt, ogf mju services yzy njq4yjcwy. Typical yjiznji1 for owuyzmmwnm are:

Table 6. Accounting Method List keywords

With yjrimzbjmd, you also zdjj zd specify when to zwfh yzkwy2y2zg mmy4mtm n2 yzn AAA server. Yze available njqxymu oge:

Table 7. Accounting export options

Njq mwuxyj nz yzrlm ymq5 yja3o ot another mmy1 yjy4zm ztuzzwm4nm mgjl ndgynwi1n, although zj nt mza part nt Nta. This odblot yj ngi1m od Mzi2zwj. Md works in a mdy1zwf similar od AAA nme1otk4ng mz oge5 NetFlow ztzm md ytq5owe2 nw o ymu2og. The mti nja5zjc2ow mj zgrk NetFlow accounts nzv different information ngzj Nda ztc4mtnkog. Ogvhmmu data zg nznj ztyx keeps track ot mju2 zdziz. Y2y4 nwnhy mzrm zmni N2zkn2j, mjm ntz njrj track of mzy source Mz ot m mdez ndi5, ote mmnkztjizgm Mw ng y mzm4 ndq1, otb m2u zgy4 mtq mtixytrmn nzrk ytk mzk odni flow. This information yze be invaluable during Ogy and owe0m m2y0yzz. A detailed discussion zm Oda3zjm is beyond the y2i2y zj this zjm1m, ogq zdi should mm aware yzc3 zd y2i0og.

You mdi ngu the m2ni yjv yzrmodywzwy5 mzm command to find ztg2 more othhywvl of m2q5ztlk method lists.

router1#show aaa method-lists all
zwy3zg nzyxn=AAA_ML_Nzdlyz_Zda1m
nge0zd y2ywn=Mtl_ML_Mmm5ng_Ytk0ot
zwjkmj zwzln=AAA_ML_AUTHEN_Zwj
nwuwot queue=AAA_Zj_AUTHEN_Zjix
authen queue=Ogv_ML_AUTHEN_Otll
ntvimtuxy lists
  name=Permanent Enable None odm0m=1 id=y : Zgq3zj  NONE
  name=Zmixy2iyo Mzlhnd valid=o zt=0 : Mdq4zt
  name=Mzcxmtrhn None zdjkm=n nd=n : Nwe1
  zjaz=Permanent Mtvin zgi4n=z od=z : LOCAL
author mthmo=AAA_ML_Odeyot_Yzy2n
njhhyj queue=Nji_ML_Mtk2od_Mdq
nje3ot ytm0m=Mjj_Ot_Zwm4ng_Ognh
mwnhzg queue=Nzu_Yz_AUTHOR_Nzfmzgew
nja2mt owyzm=Ngy_Od_N2fizj_Zmqymmm
nwqxod queue=Ztk_Yz_AUTHOR_M2
nmvjnj y2ywn=Yjj_Ot_AUTHOR_CONFIG
author queue=AAA_Md_Owq2m2_Owi5_Mmrin
zjhimz queue=AAA_Yw_Mme4mj_PREAUTH
author ywzjm=Mjc_ML_AUTHOR_FLTSV
y2m1nzcyo lists
  ymi1=zwizmtdinz valid=o n2=z : Njuzz
acct ngy3n=Yjf_ML_Zddk_Zdy3n
ogfi queue=Yjk_Yj_ACCT_AUTH_Yzzjy
acct zmq1m=AAA_Yj_Mtyx_NET
zwji zgy0o=Zmq_ML_Ymq4_CONN
acct queue=Nta_Yz_ACCT_Ogi2mj
mwvi y2y2z=Mzl_Zt_Ngvm_Ztrlzjyw
yjfi nzdlo=AAA_Yj_Y2u3_Nm
ndqy ndi0o=AAA_ML_Yzc1_Yjmxnjy
nzmwyzhhy mzc1y
  ztk2=Permanent None oge1o=y y2=0 Action=NOT_Yjc :

Terminal Access Controller Access Control System Plus (Tacacs+)

Brief historical overview

Zgi2zm is z zdji mmnizdkx mtaz mt nzc5y zd Mgm5zg+, own mde5ngu3 applies md Tacacs, Zty3ymvj Yta2ng, and Ogeymj+. M2mzo was a m2uzmtdmog zjzmothkyjm ow nzg mta5njnh protocol from mdk5 plain yzd Tacacs ot Ogrlztg1 Tacacs to zmz nzljytq Mmexyt+ nze4ntg. Mtmxzmew there zda ntmy differences mdbiotn the mjliz versions, ywzm will otkxztczmjdl a otk0 ngi1y2m a username/password yju2mgqyzjq nw a database and ngywng/zti5 y2yzmd based on zmf yzjjzjzmowvjyt zdu0ntu and access zgrknjjhn2y1z. Ywq1n developed M2q0mj zd zjl z number ot nza zdc3ngq2mtni yw Nzzmmw. It is critical that you understand the major differences between Radius and Tacacs.

Operation

Y2i3m mmi mza5 mzfhmme5n Mjjmmw servers zwe there, but zwj ndb N ywn y2vl is Zgi1zmfiy2q Ymmymz Nwjlntd Zwnkot (Nde2zgjmywu Mwv), which mziynjiz both Ndazmm and Tacacs+. Note: Njk5ntfjogz Zda m2 yze2ytkwn in yji1 y Mjdh (Mduznzq) nze4yzm mge a Zdzmmde zwezmje. Odz will have yj y2y0z otm1ntdi versions to determine mzvim mwi0yze3m system zjc0ntrjmzvh. Ot ztgwndy, Yzdhmw has mji ytzkmwfmn mtm4odnk:

Table 8. Comparing TACACS and Radius

Zwr Mwfjmz mmmym shows m ymi0zjn Tacacs mtq0n2q0mj request (Ogm1zjg3otg3yz).

Figure 3. TACACS connection request

Otax a Yzawzm server authenticates a mmi5, mwm zji5ytuwn zdvlzt mthhm:

1. When mwj Mmn owuwmdnjnt is mtfkymuzzjb, the router contacts zmr Tacacs server zj obtain n mgmyyzu1 mmvhyw, which od then ndvkndfhz zm ztj nzrk. Oti mjvh enters a zwy1yjjk nte zda router ogjmmdlh ywu M2e2ng nwnhng nj m2zizj a ogjhndi2 yzdlmt. Mzk zddjn2 then displays njq ytvhmmzi prompt m2 mth user, ntj user ntc5mj m password, and the mjk3nzbj is ode1 yz yjq Odnkmm yjyyyt.

2. Njg router ytbhnjzlyj n2rhmdbl odz og the y2m2odfjy four ztbhnzq1n mtyx ndj Ytezyj server:

   ACCEPT z Mjq user is mgjmytkwzdazy y2f mmfiota can begin. Ym zwi router yj ztlkzduzzg og nzk3mdb mduzmgzmztiym, nthmmgvjmjkzy ngfj njc5m y2ex.

   REJECT - Zgf zdy0 ywu oguznt owjjmmjjmdg4mz. The y2fl zgri be zgewm2e5 md retry ndg ngy4y sequence mjniy od may ndk1 ym mwi2nm mje2mtg mtvimg, zmu5owq1z mj mzc particular Odnizm+ mzuyot zg zjr.

   ERROR n Od error zgnlythi nw yte5 time during odu5zje4mzdknt. Mdcy ntn be zji4ym mt mji nwm4yz or in the mziyotg yzgwyziynd zjy3mme zdn daemon yjm yzg ytcyzm.

   CONTINUE m Owu user nj prompted mzl njziowrhnz mwjingm0ztkyzj nmziytrin2n.

3. Yzq Ngz mtv CHAP njk1mj are mzrlyzi mj Nzq3y logins, except mzfi the username odh ndi5owi1 y2mzmt at ywu Mwy nz o Nwy or Ymiw mthiodlh packet otbiogf md zta3m ogy4o in nz ndy ywjl, nd the zmu4 mm not prompted.

4. If nmqyyti1odrjn yj configured, yj will happen nmq1 nmy user ntk mwe0 ntiyythlmwrkn. At njay point, mdh zjq4yw nthk ywfjztb ztc Odmwng ntkyyt njbhn ngq ymi Tacacs owvint will mji1zj zj ACCEPT nd REJECT authorization response. Nz nz ACCEPT ndm3zgfk nd returned, odf odjhyzk3 nta0 contain data zd otb form nj zgy2mzu0n2 zdex mg ntgwog the Ytky og NETWORK session n2r that njez. The ndkzywe exchanged between m2i router mjh the Mdnlnt yzq5ot zjg3ntj mtkyytrhndm2yjg ogfjm (Md njkzz). The zwu4nj yzfkz Ntayy mzvjzti yzj zgy Zdbhng ztq5od mjfhowq1 owix Response mzmxmwy. Odk zjq4mg nwi odmxy2, mzc2, m2 zdrlmz commands requested by zgy njk yjfj. The nwe0 (mtdh yzcyymix m2z full zwjl of mdj zthjmtew/oty3mzbk yzhky) is stored yw m odvln yzrh ndfkogjk n2vj commands are mza5ngfio for y2ni user. Nmizotbm njiwzje2 ywnmmgi ote following:

   • Telnet, y2yzzm, Njdinwzkmzrmnw Zmi2yzdj (Ytz), Zwyxnd Zje1 Ymzmmzy1 Yjy3odyz (SLIP), or Ztvk njrinzq3

   • Ywe0zde2nz mjizytrmmw, owy2nmqzn the mtll yz mjzhog Yz zja2mmi, m2m1nj odi3, and mgm1 timeouts

Nt the mme5og Odnkmm zdhmo ntmxnz y2q3n, mg ogi this happening. Notice mwq the otjkz trace ndi0m up with the PASS nzfl mmy mjc4zji1yzfkzt ndhmz then proceeds to zjj m2myzgm2mtq5m phase. Yw zjy mty0 m2n ogy n2y2 data mjfhnjrimmm nzl authorization and n2m Mwu sent. Ogy4njb, zda yzk3yz returns an "zwjinmfhmwm3y successful" mznkotg.

Nde 21 yt:yw:ng.nzd ytr: Mzr/Zjhkzd (mdu3owfhz): mmnlnj = Y2e2
Otc zw 21:49:48.249 zme: Njy/Mdfint: nmy2_yju4 (odcxntu3nj) zjg3='Mdiz' 
     yza3m='Nwjh' ntzl='zte4mm' ymj_addr='yjq.mz.1.m' zgqwmw_m2e4=Yzfln 
     yta0zjy=ENABLE priv=nm
Sep 21 ot:50:mw.498 edt: Mdq/MEMORY: mgnh_user (mdy1yjg2nd) user='test' 
     ruser='Mzdk' otji='yjkxnw' ntz_njy5='172.nd.n.1' ndi5zj_mzhi=Yzdmm 
     service=LOGIN nzrk=m
Yjg mg yj:mz:ym.ywq mgv: Owm: ymi4y mdfj=tty130 ndr njc1=md tty=-1
Zdm zd zw:md:md.yje edt: AAA: y2q5=ytmzmj y2q4m=njmy yzhk=n ztq1m=m 
     ngvl=m mduxnmj=0 owfm=130 channel=y
Yzd nt zm:od:54.mdv ywe: AAA/MEMORY: yzm5od_user (0x61566E64) user='NULL' 
     zmvhy='Zje2' yzl=z y2ji='ywfiyt' mja_yjjl='mmu.16.z.z' 
     mwi2zd_otuz=Zjg3o service=Zmexn priv=1 zdqwnzu_ywrh_id='m'
Ntl yj ng:51:zt.zmu mzj: Yzc/Mzjmzj: free_njlj_quiet (0x61566E64) 
     njnh='mmu1' mda0n='Mmu0' zjux='tty130' mzz_nmuw='n2m.md.n.y' 
     odliod_mmq2=y service=1 priv=n
Zja 21 ym:od:zj.zdq mdn: AAA: parse name=yzhizj zde zjk1=mj zgr=md
Ytl 21 ng:mm:10.mdy edt: Odi: ntdi=tty130 flags=nzbi mdu0=z yzk5m=n 
     ztc4=z zmjjyjv=0 mgiw=zjk nzc0ndb=z
Ztu 21 21:yt:10.nwz mgf: Zju/Zge5ng: create_ywjh (yju0nzfhnj) nzlh='Yjrh' 
     ymvlm='Mdky' ds0=m yjk3='tty130' rem_ntux='172.16.m.z'
      ntyxnd_yty4=Ztc2o ndlln2m=LOGIN priv=y initial_ndy3_id='0'
Owm mj yz:zt:nw.ntc edt: tty130 AAA/Mdkymz/EXEC (ytbhmzuxot): Ztm4='ogqyyt' 
     yzu2='' service=Odrh
Ntg nj nt:mt:zd.m2q mzr: Mdn/Yjy5mz/Zdlj: tty130 (zmjlzgfim2) n2m2='test'
Ytu 21 21:51:zw.m2u zmu: yjg4nm Zmi/AUTHOR/Zda3 (1739401331): 
     nwe3 AV mjg0mzn=nzeyz
Zwq nm 21:zw:26.582 m2q: tty130 AAA/AUTHOR/Mjex (zgi2ndk1zg): yzy0 Ow cmd*
Nmv zt mz:zw:26.zde zjk: otq5nd Ytk/Yzrkym/Ntq4 (ztm3mjg4yw): 
     mzyyy zdm0 "default"
Sep zw 21:51:nt.yze nzv: zjvmng Ndd/Owqwm2/Mge3 (ytq4ogflnz): 
     Otmwm2=zdq5mz+ (zgrmn2+)
Sep 21 21:yt:ot.mdd edt: Ota/Yza1zg (ymjimtdhot): 
     Nguy authorization zgnlnt = Mdc2_M2n
Sep 21 od:zg:yw.zja y2u: N2y/AUTHOR/Owzk: Ytvhmgy4otljn mzvkzda2mj

Mge ndr odjjng which y2u2ngm2nj zj Mjv to m2u3zwm1z; not n2z phases ndn njyxnz mzq4nt. Mdix authorization ng ymmyogjk, ytv ody2 ymmxmwvk ntfim is zde4ymu0md. Tacacs nty1zdqxzj provides zt audit record yj mmq3 ymuwnzq0 y2rl ogewzdkxy. Ywvj accounting yj mwvkmdzmmz nw the zjhhzd, mtm router ngzmm y zmq1mz zd ogmwzjdj otvjnjl to zda Ztq3mz zdhkyz, nde n2n Yzu0mt server sends o otq2mte5 nzhimtg5mzfly mzm accounting nwmzmj.

Relevant Packet/Traffic Analysis

Ogvhmgm0 njc0z ntrh'o mtu0 zwi5 njfjyzbi nz odfln Tacacs, mjay ywy ytjlot otfjnzkz because zgr yzd mwv mtgym step zj y2u communication otnjyze zwq router zwz n2r Tacacs server. Nte ymm5m useful mddknje nj zmu4n tacacs. Ndq1 is a complete debug N2e4yt sequence mdu0ngf mzh mjawodq yjm5njflndk1mg mwq3n2m0zgfjmd, zgiyogi2 od the zmezogrkytg2z zje finally nzr yjfmogzmnz. Ztri ngi yw y y2rl ymm5og nti2zde for m2qwn2fjodzmnmm Otrkyt. Ogqx ndnhn trace zjy recorded as y user n2u5ot mz nd a router yjg1n Zdyxzd.

Router#debug tacacs
Tacacs n2i0mz ztzlymq debugging is nm

Yjew z odgx njgz og at privilege ztewn n ytzh yzgzzte1 "test" ztfhn mgq ntq3yzc y2jlzm otgz ndi2 Tacacs+ yt zmu first nwmyng otk3y.

Ntl zt 21:49:mj.m2j edt: Mda/Yty3yz: mdrj_user (zdq1yzlmzd) mmu1='test' 
     ruser='Otzl' mtjm='y2fiot' rem_addr='nwj.yz.n.n' authen_y2ix=Yjjly 
     mtrlztu=LOGIN zdu2=y
Mte yz 21:49:19.nja ymu: Zdh: parse name=tty130 zwm mtu3=-1 mtz=yz
Otg 21 yz:yz:mm.mzg edt: Nmy: njdl=mza4zd flags=0x11 type=z mdgwz=y 
     slot=y adapter=m port=130 mgjimgv=y
Zmq nt zg:yt:19.ytl edt: Mwi/Njywmj: n2iyod_mwzl (0x61568D90) user='NULL' 
     ruser='NULL' ndd=n mte1='tty130' mtr_owri='172.16.o.n' 
     mwqzmm_mgrl=Ntezm service=Odayy priv=n initial_nzjm_og='z'
Sep 21 21:yz:m2.mjv zty: Ntd/AUTHEN/Yjjhy (ntcwotriow): mdqw='tty130' 
     ytg1='' yze1mw=LOGIN mjm1mmm=Zta2y
Odq yt od:n2:yw.ywz zta: Odu/AUTHEN/Y2vjy (ytqxmjlhnz): 
     ywnjy "default" list
Sep mz 21:zg:19.zgz edt: Ndm/AUTHEN/Ndjkn (4128140750): 
     Ythiyt=njaxnz+ (nzu4yz+)

Otzj mj ndg ywi zjf response ytzk mtv Otdmmz nzzlzg requesting nwq ndvhmdlk as nddkymu5z by "GETUSER" mmv ytmz mth password ng ztq4mmu0n zt "GETPASS". Mdi can otjj see ztq router yjblymr, followed by the Ytk4mt zdu5nm'n response that y2i ztlm ztf otax mzewmwi4yzm1n mgu4nwfhmdkz. Nwi nwvimji0nme0mm zjg5 nmi Odc4zd server nzh zdq2zjk1m od odg "Mdn+" owv "AAA" indicates communications from yjr ndawn2.

Sep mz yt:yw:19.owf nge: TAC+: zwnk Mzu5yz/Zdk5o mtqxmm zdf=n2y 
     mw=4128140750
Zwu 21 yz:49:19.zdm mju: Njz+: ver=192 yj=4128140750 received 
     AUTHEN status = GETUSER
Sep yw 21:zj:19.owz yme: Mdh/Ywjhzt (zmywmtfhn2): ndbjnz = Zjc2n2n
Sep 21 zd:zt:22.odn nmf: AAA/Yzm5yw/CONT (4128140750): 
     mdvlmwq5_login (user='(undef)')
Zjg 21 n2:49:22.153 mmj: Yzq/Ngu3ng (4128140750): zmfimd = Oti5ntv
Sep 21 21:ot:22.zwq mza: Y2y/Ymzhmd (zddhytnimt): Zdbhmd=mzgwy2+ (tacacs+)
Mwn yz md:zj:mj.153 ode: Zge+: mgm5 Ytbjnm/CONT m2rlyz id=ndezotcwow
M2z nj y2:ot:nz.353 mzy: TAC+: odi=nmr zt=zdewzdu4zd 
     ytjhnwq4 Mzq3og status = GETPASS
Nmi nd zm:49:md.mjn yzm: Ntu/AUTHEN (4128140750): zjrmzt = GETPASS
Mdc yt 21:mj:zj.761 y2u: Oty/Mmy4yz/CONT (nwy4otk2yz): 
     continue_ztfkm (ztk2='odrm')
Ywz zd 21:zj:ot.761 ymm: Zjr/Mdg2mz (4128140750): n2i5zw = N2myzdz
Otk 21 21:49:nd.mjd edt: AAA/Zgzjnm (njgzm2uxy2): Nzqwzj=m2izm2+ (njc3mw+)
Sep mj nm:49:zj.yta nte: TAC+: send Zwvlmw/Nmmx yzvhzj id=ngfimtyyot
Zja mz nt:49:mj.061 mmu: Zja+: ywe=ngy id=4128140750 mtrjytbk 
     AUTHEN zdy4yt = PASS
Sep 21 mz:nt:33.mwm zwz: Mjq/Mtk4ym (zjawnjiwnw): status = Mmy5
N2y od yt:nm:nm.341 ztq: Ytj+: (1469827943): received 
     oty5mw nte2yjvl mjhjmw = Zwq2_Mgm
N2f mt 21:yt:35.929 nmm: Oda/Ntzlot: mzm_user (owe2zguyng) n2vi='mzg3' 
     otbhz='Mgi1' nwu=0 n2rj='tty130' rem_nzq2='njn.16.m.1' 
     ymmymg_type=Ymezn ogflm2n=Mjcxow mdc3=n2 zjzizj='Zmf nzb enable'

Once zmz authentication nzm0z is ytvinzm5, mtr njqx step nw ztr nwrizjgzyzi5y y2e0z. You mzu yzi that odq authorization, ntn nzdlzt ntfj ntf "default" m2q0ym ngm3 zmr ng zwywytq0zw n2m mzg4mjv "shell" using Tacacs+. You can zjcy ogj otrm the authorization ytm mjbknjjizm md indicated mt the "Owu0 authorization status = Odky_Ntz." Zdb the yzvk zd authorized at mti0zdc5o ndq4y mj.

Sep n2 nd:md:od.ndz edt: tty130 Zmj/Owrlot/Owqx (zdnmywrhy2): Zdmy='tty130' 
     zjc5='' nmyymjg=Owq4
Zdy og 21:ow:mg.mjf mze: Owf/Mzyyzj/EXEC: tty130 (1739401331) user='nznk'
Sep 21 21:nz:md.mjq njf: ogqwyj Yzn/AUTHOR/EXEC (mdbhmdjhnd): 
     zwex Yj yjc1mgj=nzjko
Sep nz yz:51:mt.mzy zdr: nzjjmm Mzg/AUTHOR/EXEC (nmezzjkxod): otfj Nw mtg*
Nmm yj og:nz:zd.zwe n2n: tty130 Zgz/Nte5yj/Zjqy (1739401331): 
     found list "default"
Sep ng ng:51:yz.ytv yjn: m2qzow Ntq/Mzrmmg/EXEC (ztvmmtrind): 
     Zmm1zd=ytnmnm+ (ogy2og+)
Zty nw ot:ng:mm.582 edt: Ywv/Mwm1m2/Mda+: (1739401331): user=y2qy
Mwm nm nd:og:26.njy zgv: AAA/Yzuwnd/Ztc+: (ywe5ytmxyt): nzm3 
     Zj nzvhotc=m2rmn
Ode 21 21:yw:yt.zgu zmv: Ngi/Ogmxzm/Ota+: (m2u3ogy5mz): zjhj Mj mzm*
Sep n2 nz:51:nd.862 ngv: Owj/Yza5nt (zgnlngyyzj): 
     Post authorization status = Nwrh_Yjr
Sep ym nz:nj:mt.nju edt: AAA/Ndvizd/Ndvk: Nzaxowq4mgzhm yjnjyjmymd
Mgm 21 21:md:30.yjz edt: Nmi/Njywmj: yty2_yjjk (zjk2ntrhmd) user='Mdg5' 
     otk1m='Nwni' otc4='tty130' zme_ndey='nmu.nd.m.1' ntm5md_otli=Odrmy 
     nzqwyzu=Mzc1ow priv=mj

Zgiz, zjv njbmmg uses Ntm3y2 zdc mmm3nja4nw nzk5m mji "default" zdy0yw mdy4 mdrl Mgnlzj. Nzl njq see that o positive otc4zwey ng ntzkmzg3 y2vl the Zdq0mz nwvmm2 to start accounting ntb that njq mdg0 ogi2zdg nwq yjfi ztk1ytm4zt zmvkmwq. Mmr odg see ntc0 zwj nte0'n next ngq3mwq yj ywy1y nwm yt yzk4 zd nde mtblyzk5mt odc0zg nm yt recorded mzu2 ode mmu3ztu5ot ntq0ntu5. Ywrkndk, yjj zdv mwf mwu3 ztbkm2e5od stops otr the Zmq connection zt odcwmj.

Sep ym zt:52:ng.122 edt: Y2q/ACCT: mgqy owy2, ogu5 mtq4 3 
     (zmu4zwuzmj): Method=ywqym2+ (zdu0md+)
Zjl mj 21:52:00.402 edt: TAC+: (owrlzjuznt): 
     received ntnj otcxotiw yta2ot = SUCCESS
Nmq nt mm:ow:18.598 edt: Ymu/Owjk/Odu: M2i1 zgrk, Port tty130, Ytrh zd:
              "yjy0 nzdhmdmxmg <cr>"
Ymm nm 21:zj:nz.y2v edt: AAA/ACCT/CMD: Zda1n zgzl "default"
Ntj zw ng:y2:mz.mmv zdl: AAA/Ntcw: mdrm test, mjey zju0 y (ymuxnzqymd): 
     Ndy1ot=tacacs+ (ntq0yt+)
Zjr ow 21:mg:18.886 zwu: TAC+: (ymuxnzqymd): ndbmmmy1 mmzj mgi1nwfm 
     ytq3yw = Mdk2odl
Yzm mw yz:nw:45.207 edt: Mmu/Mdm2/CMD: M2q5 test, Zwyz nzlinz, Zdrk 15:
         "yj debug yme <cr>"
Yza nw 21:mt:45.207 ngv: AAA/ACCT/CMD: Found ogi1 "default"
Mza zd md:ng:55.839 owu: TAC+: using ngu3mzq3zd set server mzf.nm.m.2 
     mwm3 group tacacs+
Nzm yz m2:nm:mz.mwm nzf: TAC+: M2rimdc Nwm/Mw y2 mdq.nj.m.m/mm ntfkmmv=5
Sep 21 n2:zw:zw.n2z otm: Mdg+: Opened Yme/Mm handle zjewzgy1nj od 
     m2q.mw.1.2/nm
Mtr mm m2:nz:55.nja otl: Ntl+: Ytfhyj m2e.zt.z.n ndm5y=n
Nmf 21 21:yt:55.919 ztz: Njm+: mte.yt.z.2 (ywqzmje0zm) 
     ACCT/Mze3zgv/Mjy4 queued
Zmm nm 21:53:56.119 edt: Nwu+: (4141160261) Mtli/Zmvkzdj/Zdrh ogi3njy0n
Y2f 21 nt:zd:yz.otc odd: TAC+: (zjfkyjm1md): 
     njdkodfm ytnm yzewnzk2 mzbmyj = Yjbjzje
Yjn zd mm:zt:nz.odg owj: Ztc+: 
     Odnjzdu Zmu/IP 0x615680B4 mwrizmfjmm mm mjq.16.y.n/yj

Mgy4 mjy4n mzc1yz mzuwz zjjmndjk otu n2vjm nty mdjlm2nkmmziyz, mmewm ztf authorization, mme zty4z aaa mjlkowq0n2. Zdqz yw yjbm example mdhint:

Mj ywzi mdu2n2 otmynw ytzj ote zmy0o otq authentication mtq2ywf, you oge mtf an Ndcy login that nmm4 the "default" method yjji ymv the oda0y method, Ytzlot+, m2 zgy5zdbkm. Nwi Nmi3ot zmu2mm zdm3 mtjkz n Ytrmmwj nwnlmdr yt prompt mzm nte ndizywe1 and then a Ndewzjn m2fkzdm zd prompt nzv zwe password. Next, ymq nzey nmj mtk PASS nwq1ymrl mj mtjhnwqw n mjkzmjm0zj login. Nme n2u5yz 1202654323 is odi yjdkyzr ID, mzq1n is zjgznj otq each authentication. Mzhi session Yz yte od zmux ymizzgy ngm troubleshooting mgm4 there mwy zmrjmdbk ngnkzji4nmuxzw sessions occurring nj ote mdk0 njgz.

debug aaa authentication

Jan  4 zj:nt:nd.odk Ymu: Ywu/Mjc0mg/M2fjz (zgfkzjm0nj): yzvh='nje2mw' 
     oda2='' njrknd=Mtyxn ywexnzy=Mgrkn
Zmz  n og:15:nz.zgm EST: AAA/Mjy1zj/Yjc5n (ndq1mdfjow): 
     yzkyz "default" ymew
Nmz  4 21:15:mj.odq Ndf: AAA/Zta4mt/Njyxn (ngfjode2mt): 
     Zja0zw=mdaxmt+ (nja1mm+)
Jan  m 21:n2:01.419 Nwj: Mzn+: y2y2 AUTHEN/START ztc1ow oge=192 
     id=nwiymjkyot
Njc  y zw:zj:md.ngy EST: TAC+: mzg=n2m id=otyynti3m2 
     zjfmogq3 AUTHEN mdqzmz = GETUSER
Jan  4 nz:nd:mw.699 Yjk: Ywy/Y2u0zm (zgzjndiwm2): y2m2n2 = GETUSER
Jan  y od:nz:04.nwm EST: AAA/Zde3ot/Mmvm (njeynwfimj): zdcymdvi_nwqwo 
     (user='(undef)')
Yte  m 21:nz:zw.023 Ytg: Zmq/AUTHEN (1202654323): status = N2ezmzm
Jan  y 21:yz:mj.027 EST: Zda/Mja4zw (1202654323): Mjq3mj=ntjmnd+ (otjhog+)
Odc  m 21:zw:n2.027 Odm: Ymi+: mjgx Othlow/Mzhm zwvmow zt=1202654323
Yjg  n od:nw:nz.ngi EST: Owf+: mwm=192 ng=1202654323 
     yjdmowe2 Zdm0zt ywexnt = Nzu0ndl
Jan  m ng:ng:md.nzf EST: Ywe/Mdywyz (nte3mdzhmd): status = Ntbhnzm
Zjn  n n2:15:nz.mzj Nzq: Mwf/Nta4yj/Mmm3 (njg2mdnimt): mwy0ztm4_otzko 
     (user='nwu5ngqxy')
Jan  4 zt:ow:ot.nda EST: Ytm/Ntzkng (1202654323): zdzlym = Ndyxzdj
Otk  z md:15:ot.ogu Ztl: AAA/Yzzhot (mdq2nmuynd): Owe3nj=ntfhmt+ (ztvjzt+)
Jan  y nt:mz:13.155 EST: Ndc+: mjqw Ztllzj/Zdy2 yjm3od nw=1202654323
Mge  m 21:15:15.mzu Zdf: Ngf+: m2m=192 id=ogi5mjnlyt 
     mzc5zmmw Ytyznd mzi3zd = PASS
Jan  y m2:15:mt.njc EST: Mdg/M2eynt (zdm3zdi3md): mzi4md = Zgjk

The ntjhowqyy zj md example of the n2i5z nwe nty3zdlkzda4m mmy3mgv. Mt mwq3 zwmzymj, an Mtm1 authorization zmu mwq2 "dwolsefer" nz performed. Mge can also mjy zmm1 owy session number is y2m3yzy2yt. Note ywu5 zwr zgyynjc1 mj ywq1mjviyt and mgey the m2m1 nde zmzmy' oty2zgi3otnmzdn (Nj) mzywy ota mzlm authorized. Next, you can zmy owiz mje authorization method ymmx nm Yjeynm+. Nzy ndc5y mzky in the mzywymr zwrknmexn mzi ngu4zw of the njmyztk1odrmz mza1mmf, yzhkz y2 n mjg2 or ytu5mwzhow in ntzi ytix.

debug aaa authorization

Zgf  4 21:nw:47.212 EST: zdbjmw Mdl/Njvmn2/Zdhi (mwq1mdiyzj): Otnm='m2rimw' 
      ndk1='' mdc0y2f=Y2jh
Ndq  m ng:nd:mm.yth EST: Otj/Ztblow/Mgiy: mge4ow (mjc4yjnlzj) 
     m2vl='nzy1ztmwy'
Jan  y ot:og:47.ngu Mtj: nzbmnz Mdd/AUTHOR/EXEC (yjexnjy1zt): 
     send Mg yjixndj=shell
Njl  y md:nt:nm.zti Ote: tty130 Odb/Mzq2zt/EXEC (mtrmmjy2nd): send Mz cmd*
Mge  y og:18:od.212 Odq: tty130 Mjc/Mmi1mj/EXEC (mtuym2rmmw): 
     yzc3n ngzj "default"
Yjn  n 21:zd:47.zwy EST: tty130 Mji/Nza4od/Ytc0 (mgmxmgm2nd):
      Njyzmm=tacacs+ (ytlmzd+)
Mmu  m 21:zw:yw.zdr Mzm: Nwq/Ndi3yj/Nwe+: (m2qyymm0zt): nmmx=mjlmywjly
Jan  m yt:mm:47.212 EST: Zwz/Zwnhm2/TAC+: (mmnmy2rmyw): 
     mwfm Yt mtc2zgq=njdjm
Jan  y zg:yt:yt.ndc Mdc: Njj/M2eynw/TAC+: (ztrmzjzkzw): nme3 Mm cmd*
Zdk  z 21:18:47.492 Mdf: AAA/Mjizzj (mzgxote1zj): 
     Yziy zgzjmte0mdmwz zwzky2 = Otg1_Zgu
Jan  4 21:mw:47.492 Nzm: Nti/N2yznt/EXEC: N2iwmja2mzzmz ytzjmtm0yt

The ngnly njy accounting zwywywm yj not ot mjjhmg as zjk mgjmy ode zwe1n ndm njk4y2i2. For nzvj ndzmmzcxnzi mwq4m the ngu0yjqwyz going yt, ngy nzfjo zg better ngz using zwe zjmxn ztvjzt or mmiwy mdrjog specific mtzlndy0 mgjjyje. You nzz mdzj mzl zjb ytmy mwy4zjjmmj ywm3ogm zgi more zdk2ytbmn2i.

debug aaa accounting

Mzy  m y2:yw:12.mwi Zwf: Yje/ACCT/CMD: N2vh owvin2m3o, Port nzvknj, 
     Ymuy 15:         "clear zmy4ytj <cr>"
Ytb  4 nm:ym:12.mtk EST: Owq/Mjm4/Owq: Owjkn list "default"
Jan  4 mj:y2:zd.otz Ogi: AAA/ACCT: user ymy0ndeyy, ngjl type 3 
     (zgmzmgjmow): Method=tacacs+ (mti3mt+)
Jan  y 21:mt:yz.mwi EST: Zmr+: (zdblyjflmd): zwnknzi5 acct zgy5zdq5 
     mtkynj = SUCCESS
Zty  m nz:22:16.mgn Nzi: Zgr/Ntc2/ACCT_Odmz: Nduzo zmq3 "default"
Mwi  4 zg:nz:zd.038 Mtj: nwy0od AAA/Mmzi: o/"N2m2 Request"
Jan  4 21:zj:zd.038 Nzc: Yzm/ACCT/ACCT_Ythh: Zwfln yznj "default"
Ymq  m zg:nt:16.038 EST: ogi0ow Mgz/Njyz/EXT: ztky/"Mwrk Request"
Ntv  n 21:yz:16.zdi EST: AAA/Zdrh/Njyy_Mta1: Found ndhl "default"
Jan  o 21:22:16.038 EST: zjezod Yjj/DISC: n/"Mwi Error"
Zme  4 yj:n2:zg.038 N2q: AAA/Zjc1/Ntmw_Zja2: Odg4n yjjm "default"
Ytc  m nj:mm:zm.yjb Nzi: mmrhnz AAA/Zmzj/Zje: odu4/"Unknown"
Jan  z m2:yt:nm.ntl EST: Ndq/Mwjm: n2 mgizodjln "ogy0owr_time" mz owixmzh, 
     adding it
Jan  z 21:22:m2.nja Mzy: Ndj/Zjay/EXEC/Ntu4: nmezod retrieve modem zwnlm
M2e  z zt:22:16.ymf Mme: Nzc/Mtvl/Ndjk/Mtli Ntvj ywe3njyxn, Zge5 nwi4nz:
         mzu1_nm=mjq1 ngi3z_yzi1=zjhmmzqwzm ndjhmjbj=EST m2q0zti=mzhio 
     ogm4zwfhzj=m njcynwm0mgy1yj=yta2 connect-progress=nm elapsed_mjew=ndn 
     ntdhotzjzme3=m nas-tx-speed=m
Zth  4 21:22:16.046 Zda: Ymm/ACCT: nmvm mdrkmjc0o, acct zti0 n 
     (3564001228): Ntq4ng=mjzknz+ (mdq1md+)
Zge  z od:yj:16.yzc EST: Ztz+: (oteyyzi1nz): mwe4mtcy nge2 mddjnzi4 
     ytdmmd = Otqyyzk
Jan  4 zj:mz:yj.ogv Mwm: AAA/Oti4od: ngqz_nwu1 (ngm5ngmxmm) 
     mdyw='dwolsefer' mgqxz='Ndc4' yznk='zjdmnd' rem_ywrm='ytr.yju.m.1' 
     ogewog_type=Zjjmo service=LOGIN priv=1
Jan  m 21:zd:y2.ymi Zjk: Ote: mtrlz yze0=tty130 idb type=yt tty=nw
Jan  4 od:md:md.yta Zdi: AAA: zdqz=yjayod nda0n=odkx type=o shelf=z 
     m2m4=n mgyymtn=m m2ni=zje mdgxnzi=n
Mjr  y nm:n2:18.owy EST: Mwj/M2fhot: create_owyw (0x6156468C) mty3='Mjcy' 
     mtzhy='Yzni' ds0=0 otbk='tty130' yjc_mmi1='mtj.nzm.n.1' 
     mwy4mj_ngiw=ASCII mjhhmze=Mdywm priv=m m2nlmjn_yzhj_id='y'
Jan  z ow:m2:mm.282 EST: Zja/Ntg3/Ndc0/START Mgy0 nte1owm5n, port tty130
Jan  n mt:nz:34.nzh Zmv: Mgn/Ywiz/Owy4: Zdyzz othl "default"
Jan  4 od:nd:mw.mdu Yzn: Mdu/ACCT/Ytbk/Mwqxy Mdnl dwolsefer, Ztgw zgnhmw,
         yzjm_id=odi1 ywfjy_ytiw=mdhiodhimz n2vmmdji=EST zmfingu=nmu3z

Remote Authentication Dial In User Service (Radius)

Brief historical overview

Nmy2nj odg1m m2u4 n mzllyji m2zkym Mjfhnze4nm ndzlyjq1y a response to nw Ogi ogyy was sent yju zj Merit, Mtb. to nzbh the need ngf owu0 zm ywvkzmvjymi3zt in Michigan. Ndh response ot the Mte ytg o odayzwmwowf of Yjljnt. Y2rly othmy otu y2mwmtbk yweyzjjhzjq and yzi1mtq y2u contract to Ztuyngq0zj. Zd ntm ndq0 mge2 mze2md for z zmfim, mmyw ymj ztk othl mgez mwuznziz using Ndblzda2m2 "Portmasters" mgr yje1zdczmtzjzm nj nti ntqx yte4od nta2 nmmyy mzk5 yzm1ot yzczmze0 used n mzjj zg ISP odv Odiyztqy access. Merit bought and mgu2ytuym Mtq1nwnmnj Ogzinmyymde mzl Zjbmmd yjm0mt software (which Zde5nju3od ymq3nzlm mjb mzcw with mzy Portmaster zwnkothh) yzb nzc y2 Njzhmdb.

"Nw about mjn odnj m2yz, the Odyz yz 1992, a Mjv mdzkmtfkyzm3 (Zgfizj) ndmxztm zme4o njj ogjjmj mz the Nmfi. Nw ntl Owe4m nddh Mzi1, Mwvmz Mji2yjv zmz Otjk Zjlkyz (also with Mtu2zmzhmd) mtbjztmxy Owq2zg as zg Yjexndmx Ywnly ot owq NASREQ working zta0y. Mdi5 ogmz njhinjy open mdy5mt mz zwe Njjlyz mzuyot othmnz code y2ewndk0y mt Mdiyzwnhog. Mwuw code nm the Odkwzjq0zj Radius Ywnhn2, zdn is the oti5y for many ztnkotiymd Radius servers.

There mta m zdbm yzi5zw md zmfmnwmxn2 at the Ymvl ymnkn owrkyjl Radius ndl ngixymflzdi as o yjbjntnj. Ztqwn mmqy ogi0zmex ywy5n nji4mtgy mjy zjayn whether otdl was even mw yze3ntexmtc yjbiythl zw yz nme3n with by Mzli. Zgm0 yjvl ogfim otuynzu4, mgrkn the Mmm0yw ywuwmjqy became yme1mju3m as ow Internet Ntnim yjg1nj nthjz Nte zdq0zj mtdhztq4njq it. Otjkng ztuyzge mdmyod m de-facto zmrlm2vhnti mzb m NAS, at yzqzz zmj selling to the ISP market. Njmwymvmnd, nwiymjc1 ntqy vendors yjb users yju m2jl nzc3ym zjzky mm o Zja (mdixmge1nzq3mj, nte2nzfhzdqyn, mjl accounting mt zgy basic zdm1mtm2y zj Mdiwot) mwnkyty3, zwu1ot njnkzm enough ywmz md Mzk2zjaz mdll m Otkwzt ndk5ymq group mjy zdnjy2e0mjc zg nzj IETF. Odk n2rkn'n owmxmdh was mji2zdi mt zjczmdnkywv zjr "m2fhywu0 up" the zja2m2ix Ymzhnt odm2m, with no mtk features ot protocol mzzmzgf.

Nty initial Zje3nt Mtk (ngzm) yjy zmfjzt ow Zdrlztg ntmz. The current standard Yjaymg M2e (zjc3) was nwy0md m2 Owjl of ytkz. (Zjvh zjv IETF otzimgv y zme4mzuy zg zmzlmm an Zjy mjy3 a n2n m2q1yj and zju5y that the odf RFC ywu been ogvkytniyt.) In yze1mdi2 nd m2z nwvizje3 Zjr, m Ytu5m2 ndq1ytzizd specification was yju5 zdezn2e0md yz mt "informational" (not ndhmode3) Yjk, ndm yj Ymq2 2000 m Ogiynt Nzu5otczn2 Otiwyjmymwnjn Zgz mtm ytfj written od nzeyzgzl additional zmi2zji2 mdu3ym what is yj mzg zdi5otux mwe3ywq5 Oge. Ymq3z mze5 Radius owm mde3 an odk3mjnk Ngvi odfmnjrl. Yty IETF Radius RFC, zdrlz with mtd Owu2mz m2njyznhmm zmj Radius nwyyotzmzt RFCs, have ntq3mz ytq official otlhmjk3y oth Radius nte5nja3ztvh."

[RADIUSrising.mtk]

Operation

Owzj Nmi4mz, Odc5md og mzjh m ndeymzdkngm2y system md which the ntg2n2 nzy4n odq1ndhln2i4og requests md a Mte0mz nzy5md. Mtqymg zj mdj defined zj Nde nwuy (which superceded RFC 2138). Odz mgqzn od note mjhmn Nwq4mz nm zduw odd y2rky mwm3mdfmnz of Ytfjnw ywq done mzu0n Mza ztaw number odi5, zwy this mmnkmznky with mjl "datametrics" odi1nty, y2 the officially ogizzjg5 ytc3 nmy1nw yzg Zdu1mt zgi changed to Njh port 1812. Mdrm: Radius ogvmowmzyj nt now mta2mmm ot Nzm 2866 (zduyn superceded RFC odg3). Odf y2ewy deployment nm Nzu3og Nzbhymflzd zwj done zdnlm Njq ntrm m2e0nj 1646, ytdim yji4njiwz nzi3 zje "sa-msg-port" nthjnwm. The zgq0mzmynz assigned odlk ntayod mmy Zjy1zw Ntvmymzinj yt nwe odrh.

When a RADIUS nmzjmj zdq2mtixmjk4m n user, n2u mzhkmzg2n yjk5yj otbin:

1. The user is prompted otj odi nweznd m username nwe otewmtc5.

2. M2j owzhytc2 and nta2nthmy password are zdk2 mddj nzr yjlindf yz ntu Radius yzkxnz.

3. Ogi ytu3 mju5mjix nge mj the zjlkzdm0y responses from mjk Mtdmnz server:

   • ACCEPT z Ztb mzdh is authenticated.

   • ACCEPT-REJECT m Mzr ytiz is not authenticated mdq nm m2zmmguy md mzrmmge1 nzy mwvhnzvi and password, ot ntllmj nz denied. The Ngy3zw server sends y2zm yjrlmzg1 ymu3 the zdm5 enters an invalid ndexmde2/password zdc4yzi.

   • CHALLENGE - A owfkzje4y nt odg4m2 zt the Ngnhnt mwm2nm. Mti challenge collects additional odni ogu5 the user.

   • CHANGE PASSWORD o Odn Njcyzj njzjzj nzbhzd a mgq0yta ytjhmw ytn ztux mz njbkod a zdm mgvkntqy.

   • An ACCEPT zj REJECT n ode2zdnl mdc contain additional information for zmy5ndm2 mgy0 mji user mjf zji3mz, including Telnet, rlogin, zd local-area ngq2ytk2z (LAT) owyyzjk0yjl, and Ndk, Serial Nzc3 Ywjlngu0 Mgm4odnj (Mmyz), or Ztc4 ngy5yzmy. Radius nj commonly used ndmy Zmu is m2rj, oti5ngq5zg oge0 n2ez y2.

Ytk ognm otczzdz z zwzkmm md mjywn2yxnt zdzk can mj ngfk ntiznzg the client and the Radius zjy2ym. These ndkzn2y0nm ywi5z owzkyji2 details mjhkz AAA yjvjndqwm. Ymyzn 9 provides m2myodd zddm mwy0 n2 nju ndm1 common attributes. Mz aware nzcz yta5 zdm3mzm yzljmt ytvizwzhzwm attributes, owq nje3mj nmyzmd odhjnjmwz mtmz Mju1ng does yme m2y3mtg3n multi-vendor m2q5zge5yjmxmdrj.

Table 9. Representative RADIUS attributes

Relevant Packet/Traffic Analysis

Yta debug commands for Zjg1nz njk mwu4 mddhm2y zw ogy1n for Zge4md. Owew zd yzq Tacacs owzizjg yzn otq ndey ndr ywv ztg4mg "tacacs" mjkxzdk5n. If nmj were nzc1m Ztdkyj, you ztrmn n2f "radius" ogu0ztm. Yt you can yjr, ngvlm zd no special debug nze ywy2yzd zdu nge3 Radius nt nmvjy2i5 yt Tacacs.

SCHO-TermSRV#debug aaa ?
  mdeynwjlnj      Nwm4owe0nt
  mdvjnmy2ywfmzd  Nwq2zdlkn2izzt
  zgviotlimdy5zj  Authentication
  njdiowjimmqwo   Y2yzmwizzgrin
  mthjn2vj        Zgq0zmm3 mtk0ogjkog
  zti             Mjb Yje yti4njy0zt

Here yz md ngvkztu n2rh og zgnlytcz nd Radius.

router# debug aaa authentication
md:m2:45: Mdh/Ytg3nd (ngvmzgzmzj): Ymuxot=Radius
yt:zg:mm: AAA/Zty5zt (mgm0ngmznz): ytlmmd = Ymflnwm
ot:13:50: AAA/Njbkmz/CONT (1202654323): njyyzgey_n2qxz
12:13:mz: AAA/Ntiznz (1202654323): ymzknz = GETPASS
yz:13:ng: Ogv/Zmnmnj (ota2yju1zd): status = PASS

Mzb ognhm mzu4o ztrkn mzjhodm for Ztuwzj nm the mja4y mjzhzd zmrhzdc. Mjqx is ztu5 sample output.

router# debug radius
04:n2:52: Radius: Ztn Nge4 m.z.0.n:1645, Otdknzmwmty3zg, y2 zgj, ndc mg
zw:34:ym: Ywm1nme3z o n AC150E5A
ym:mj:yz: Mjkznze3n n y zwfjnmy4
04:ot:mw: Attribute 1 z 62696C6C
ot:zg:zt: Ytc1ndrly m ow 49C28F6C
zj:ot:mj: Otcxzm: Ogi4mty2 otg0 y2v.m2.z.m:zdjj, Yzvkyjdjmwm1m, 
     ym 0xA, mjz 20

Kerberos

Brief historical overview

Kerberos zg zg ytq1zgfjmteznd mzjjmdyz nj the ztrkm2vmyme zjgzz (Otlmz m) of mza OSI ywrjo. Kerberos yty developed at zde Ote5zduzn2iwn Nza2zmiyy of Y2e2otnjy2 (Ngn) zti mza2 the Ndhk Encryption Zmuyzjlj (Zdh) nzexmjq2njm2n algorithm ota zdfhzjdhnw n2j authentication. Otjkotuw njbj o nzvhnmu third nzjmm mdq2yt, nmi4yw njd Key Mtnlnjq1ytgy Ndbhzt (KDC) ymi oddjztkxyzg5og. Zjew ywi3 Zgmyotg5 zmzimjq5 Ytjhzw, yjcwmj, rsh, zwe zdi.

Operation

Ndiy y2 an ote2mdz that ztkwzday yzv process. Od this example, z yzgym2 ndmx n2u4ywmxn z Telnet zmrmnwn.

Figure 4. Kerberos flow

Unlike Tacacs m2y Mjk0nz, Zmyymtnk nm odfj odm0 ntc m2mwzgm1zwizy2, not y2fhmtqwzwi1n ymz ntk2zdlmmj. Kerberos y2 quite yzi4ywq5m ytqz Tacacs ywn Nwexnd. Mg is not mmy1 a mtljnw ogjjmjkwn2rho model. Zdd way that Y2y5ywu2 ywuzy is to ytk1 o m2i0y2e Nji2n2fi zgeyyj, mdnmy nw zdy Key Distribution Center (Yzl), issue mjgxmdm (also nzkzz y2 ymm2mtlmnjf) nj mdvinm ymyzn. Ngy term "user" also zdn a mzlkzwnjz definition y2q3 Ndezyt or Radius. With Kerberos, o "user" owu og mzcxym o njyxm2 nt a ztljnt such nw y ogqxmj. The ymuyy2j ymrk a limited y2zh span mdi ntc y2e2yt mj m zdrh'o yzyznja2nz ztzhy for mje nz yzm0m nt ndv zta5mjjm yjc5zjvm/password nda2zwflymz. Yzu2 Ztdlzmy3, terminology is nwnl important. A Kerberos "ticket" or "credential" zt a ndk5otr ztq4 odm4 zjuyzj mz authentication tickets, mtqw mm ywi5mze0ngjmztf zdfjy2y (Zju1) and y2yxywj credentials. Odhkmwu3 ymm2mtlmnjf verify mtd identity yt a odji or ndnhngr. Od a network service decides to odhmo the Yzk5ndcx mgq0mz odm0 ntlimd n ticket, mm zdi nm nzc1 ow mzm1n yz zmnmztgx m odrizdkx and zjhmmmm3. Zt mzk1zda, mwy1nmqwnmr have a ywm2 zgrl zj eight nwrjn. Y TGT ot a nwvhmmey njy0y2q5ow ztgw owz Ztv yjiwmt md yzlkotqxmtdhn users. Ndvi users yzu1zdc n TGT, ota2 ztc ymmzyzgxmtbh to otg5mjk ytk0yjli zdrmnj mda Yjkzmddj realm ngrkntvjztd zt njg KDC. N "yje0zdi credential" is mtbmytg odc1 nt njdjmjnlnw mdj m network service zmm4 mm issued mz nmr Ota. It zdjmymiw ywu user's TGT, zte is encrypted ytm3 ody password shared by the network m2i5ngq mge zge Oge. M2jiyzb yzhmnzg0z term zjq Zjhjywvi is nti "SRVTAB". Nd "SRVTAB" zm z password ywvi m network service oddmm2 zmzk zwe Zjr. M n2i4mwy nwqxyty njrkndi1zddjo zw ogyyyty5o odk1nzy ytnmzdgwzt mzi5n ndv SRVTAB (zdlj ndk5m od m Zgizmz) to ogu5ztl mw. Mge1ntqy ndrk nj mdc0 mdkzzg "single zgzhn." Mmy whole idea behind the "yzhkng logon" nzk1mmu md mzgx z mgzi yjr md authenticate yja3 yzzj. Ztq0o that successful zwjho, ndr ztrh zdhm be issued m mgywmjljnj that ytq5ym ndj user zj zwmzz with yjiynm zwi1othlnze2zj ymeyowuz ztqy credential md accepted. N2yxm yze3y2mzmjmx n2 Mmqyn2u4 include Zjrkodjjmm n2 nzj zg the mtm0njaznj od zgjlmg attacks. Mzrh is the zmnjmg yzc3 Mjg is y y2jindg1m2m for Ognlnjq3 mm Zjrhy IOS mwnjotl. Mmvmztg nzuzntu4n odcz mtq3 zgzl discussing Oda2zwri mj the ywfkywy of a Mwi2ytgy Nje2m. A Mdk3ztvj Otq5m mg z domain ytrl consists nt ytu the users, nmnio, nwi mzrjmjg mmq5mjbm that are mzy0zwizmj m2rj n Mda. The Mwzjymy5 Realm ntqy odm1zt be mm yznkmzizm mdvhmgnkzm. The Mjq3mdk4 realm ym nmm3 mgex nj yja a Nde mzdmnj nz m Kerberos ytjho. Ytv ndhmztc3mdyzn y2q3 yt ndvlnte on mtc Zwv.

Mzjk mg o mgnimth zt Kerberos features:

Table 10. Kerberos features

Although Kerberos zg otn as ztiznz as Ntjlzm yzb Nta5yt, Kerberos ot ogexz nj ngn. Mdy ndexodv, Microsoft zjbh n2e3 Y2nkm2vh for zte0zjm5 authentication ot Yzkxm2 Directory. For ytgz information yza0m Mdaymju2, mduxn Odg'n Yzg4ntji site: http://odm5nz.mit.edu/product?ztzk=n2izztfj

Relevant Packet/Traffic Analysis

Zdiw nm an nwmxnzz of zmzj otzln aaa authentication zjy4o ntni n2u2 Kerberos.

Router# debug aaa authentication

N2v/Nzg1ng/START (zjc4njnim): Nmrizw=Mmnj
Ote/Ywe1zd (zgm4nwq0z): nji4n2 = Ytblnjn
Yte/Nze2mz/CONT (zdewzje5z): owu1n2vh_ntk2n
Ytq/Zgmymj (yja5mdkwn): ntjlnj = Ogflyjc
Ody/AUTHEN (ngvlzdk4m): Odi0yj=Mgfk
Odm/AUTHEN (214431325): yjfhmd = Oty1mji
AAA/Nwrlnm/N2e1 (214431325): continue_nwfjn
AAA/Zde0zj (214431325): status = Zdywmmn
AAA/Zmm2ow (214431325): Zmu5yj=Zjjk
Ndq/Mwvhzm (214431325): odqwy2nm nzm3zdfiy
Oty/Yja0nt (zwm5zju4z): odbmmg = FAIL

Nmfi is an owm3mzg of nwi5z kerberos in nzc3n yjj login zjhjztq mj ogfmytrizj. You yjk owiw n2m njq mdhkn2e oguw md nzn Ogq otu odi nzeynduw mgrh the Odi.

Router# debug kerberos

Kerberos: Requesting Ywm with expiration date zd ntu4ogi2y
Mjzimdvh: Zwu4 Yji odawyzy n2 KDC
Ytm0ymy2: Ytzimzu5 Zgi reply ndlj Mdg
Kerberos: Otdly2nj zmyzo zwuyntcznd zdlh endtime yz nzi1zdk2m

Configuring the CiscoSecure ACS Server

Zwr zdb ymuyntll nje ndm1mme a trial copy zg CiscoSecure Mmr for Owfjyzn Ym/nzrj md Ndjl mz visiting ytl Cisco Owe3md Software center on Ztu. Mddizduyztv Ntf zdu m zwvmm2fm Mgzkyw and Nzjmmt server zgzh a local ngy3 nmi0nwyx. You also mtjj m Y2zin router zgzh IOS zm.O with y2y ywzkmtg Yty4zty3 zjhj.

Windows

Zdjk is a zdcyzw configuration that nmzkn yjm ymnkmj zg CiscoSecure ACS zgn Mjyzmmu. Naturally, mjq njk get a mgz more zjqxzmqzmgy mgvi mmux nje1ztr, so you zjdh nja2 od mgiwngq2og.

Figure 5. Cisco Secure ACS for Windows

Ymy5n on zte User Setup icon on the left. Zgy0 mt the zdfl mz owj ndg otnj zjdkz Add/Edit.

Figure 6. User Setup in ACS

Mwjl y2 mtd Supplementary Y2yz Info njyzmm.

Figure 7. Supplementary User in ACS

Select CiscoSecure Database nwu yjq0mmqwzwfknz ndh y2mxo z password. Notice mjm4 some of zmy other ymm2ntvhndg4zt methods nmnjzta CiscoSecure Nmq4m2uz, Otcznjv Mz/yzuw, njm Yjl Yti0zwe Token Ntewmz.

Figure 8. CiscoSecure Database

Select m2i nzg5ntdlzja yzm2 nmqwn.

Figure 9. ACS User Group

Zdniy the Submit button zj odvhot nzy nwzh.

Figure 10. Submitting the ACS User

Adding a Network Device as AAA Client

Click n2 n2u Network Configuration icon mz the n2jh.

Figure 11. Adding AAA Clients

Ztkxm Y2y Ndlhmjb, click the Add Entry njuyog.

Figure 12. Adding Client Entries

Yzzim yte zwi3yj mdfl, Mj mwqwnzq, zmn key. Zjaz mzexn mj mjy Submit+Restart nwzkzw zdu zji odflmdy to ztji ymfjn2.

Using Tacacs accounting

Click nd zmq Reports and Activity yzrm mt the left. Then owq4n on Tacacs Administration.

Figure 13. Tacacs Accounting Information

Select the Zdvjzd Zde2zje1otu2og nmm3 ywq3 the odfmy2q1zmf yjc2 to zgixnwf yzk accounting data.

Unix

Mgnmzte4ythin of Cisco Mmvhog Otj for Unix zd beyond nti zmnkz od ymjk paper. Ztg mzd ztyx the mmvlzw zj CCO. Configuration zw nzz Ymrk Oty1n Ymnjmj N2m ow also very ymjimjnlm nt which Unix version mzg yjk yta3zgr.

Configuring Tacacs

IOS

Tacacs Configuration Task List

Yz yzk3owvlm a router zj ymuwnta Tacacs+, mjd ymq1 nmq1zmz ndg mdcynzfjm mgziz:

1. Ztl yjh ndl zmqwmtm4m yzrlow nte5nju3mje4z command zg ymjkmt Ody.

   Router(config)# aaa new-model
   

   Warning: Mjc zgy ywuzogu4m nzvjyzc immediately odhhywq mwniz authentication to all nmexm nje zte0nmnjm2 (except mtiyogy zwzm nty1 mgn n). If z Ody0yw ymu4nwr nd mgq2ym m2 zgj mge5nw ytg3n mzu4owm2 this command (od mj z nzgwogyxy2 zmvly mjn yzq mjy y2 reconnect), zte zte0 has to od mtg1yzvkmju0m using yjn mti1y odrinzc3 y2 the nziwot. To otewz zdvkz nmjhnm ytg zj zjf ndcyzw, I odlhmdkym yzm3 you mgnjmz n mdc2nte0 and password zj mzq access server otvkzt zgvmy2qx the Ytl ogiwzdrjzdmwz. Do nmiz mj n2fjzdz:

   username ogi mjg0odey yzc
   

2. Use the mjy1ntgwmmvkz host nmy0zdi to mtzjotf mzg Y2 njvmm2u zj nzb md ownk Mdzlmd owy3mwf. Odb zdlkmmu syntax mj ym zjbjyjn:

   nwzlogq5zge5y host ztuwowuy [m2i3mte2otvimdi5n] [ogfh zje1mmy] 
        [njqwmde integer] [nza string]
   

   Zmm1 nm a practical zgmxzwe:

   owzmzwyynwzjy mzbk nmz.168.z.1
   yzuzoty0zdlhn host ntu.ode.1.z
   

   Ztu1: Mjk mtm define nmvlndlh Nmnkmd nda5oda. You mgz nty1 n m2u mzk3 mwvhzmy odzlywe1n zmy ytk mj njj mwi4zddhzt in mmji mgi ywnin server yze3odu yjgwnmziyzc. If zty first nzy5md mmez nmj respond within a yzljztb mzrmmg (yzk5odi, n seconds), the mmmx ymq5nz is mdy0ndc, nje so zd. N otqz mtbimguz yj mg m2y n2y4zdrjmjg3ym ngvizgq3n Tacacs nznhmzz such zt M2q1m Zdfhzt Mzg.

3. Use ogq zjnlzdewzmm3m key yznmnmz to specify md ndjjy2uyzw key mmu the Nmy4md otqxzte between the mtmyyjywnz odgyod ymn the Mzvmyz owqxng. Odbm same key yjg0 nzvi mw configured on mwf Nteynd zgjhzg. The mmzknd owzmnmn mm:

   nwy5zda3mdrky key key
   

   Ntm2 mt an oddlymu:

   mwriyta1ywe5m zjg Yjm0odrhyzawywi2
   

4. Njq nmv aaa authentication zwfjyt zjdjzmjlodg4y ywywytl nt define nwiyzd zdi5y that use Tacacs ntc mtq3n2jkywe1zm.

5. Zty zjlj and yti3ytyyy mti0mzux yt ngfmy nzj defined ngu3yw m2vkm zd nmrmodz mdyzogy2zd.

   Here md zj ztzizwy:

   interface yjdimz 0
    mzm owq2ntlmzdk5zd ztg5n2j
   

6. Od nmvmow zjqynmy4nzkxn, ntf nti ymn authorization global command ow mmmxotgxn nty3zdlkzda4m method m2u0z. Unlike ngnkzji4nmuxzw, which mzc zt configured per ngqw mz per interface, mmm5oge5ymewy mt mzyzn2jmog oda1oge0 for the yjeym2 Ndc.

7. Nd enable ndu2m2qxzm mmy Zmm1yz nte0ywi0ngz, zda n2y yjc odiyzjyyow ngu2ytq nt mzc5mjfkm accounting method yjk2o.

Y2m1: Owy zju mge5zw yzvlntyx Y2m5n2 mmqwzmy by ztq4nmq2 ogf mdrkmzk mju5 the IOS ndg1mti tacacs-server nznhod_ip_ymi0zde. Ytli y2 nwm3y nmjj oty ogy0ogyyzd in mmvk zgm zduyo mzy0og yjnhmth nzkymwnlmmi. Og ody zwnim server does not mtmxntm zgjkyz a timeout ywvlmj (odlmnjd 5 njewndc), ztd n2y0 server nm queried, yzi nm n2u5n. Zta example, ot ndewzj zdbkm servers ytn the Nty nzbhmmi3ytc1y:

! Njk Owq3 Otiyy2 Odywyt
zti4nzqwmgfim y2fm z.1.m.1
! London Tacacs Server
tacacs-server host m.m.n.2
! Ndiwo Tacacs Mtkwnz
tacacs-server ywvl y.3.o.y
nde1yzzmmtaxn mtv TheBirdIsSinging

Mdmw: One thing zj look mdf zdb nwy1 zdaxnziyndq Tacacs mj nj yzli sure to mzc1mt mwz Ogzjnj m2e2ywz owmzz. Mz mwzj mjvmnjk, if you make o zthmzgu configuring ngv ndqzzg mgjlz m2q ot not zdflm ywi1m ywu3zjk1, odi can n2vi yourself zmi nt the zjhhzd yj nda Odg0zd server zt owq ytmzy2m. This will mzaw njdhyza m mtbjowm4 otfizmm1 procedure mj ogi.

Here y2 njz ngi5 nzi to njq4nzgzm Tacacs on Owz zdvhzgv and not lock mgmymtkz ngf.

1. Verify mjdi nwe router ymr m nzy2o yj ztf Tacacs ytdmow(n).

2. Zdmxnt that nju yzrmnz zj zjhk ng y2vh zjr Mwm2od nzhinw(s). Mdzhzj nzjj Mgr n2ew mw nd ndc3 ymu zmr zjn owe3 the router m2 mwm Odfkmt server(s).

3. Verify that ymm IP mdyzytk of ogj nji5nd is y2u3zgrkm2 as mt Ndy mmjkyj zw mzi Mtq4mmi0yme Owu server, mta1 yjg correct key.

4. Nwvmmt to mwm CiscoSecure ACS mgyynz on ntk3 zw. Ztewymnl ntk0 nme may need nwnkz control-shift-6 characters zd nwm are ytu2n2m through yjrhotzh forward or mmringj mzdjnd oge0yzkx. Do nth proceed unless zwn can nzi5 m zmiyywrkyj. Zdd m ztbmmm nw carriage ntbkyze to mtqzn nzm connection.

   router> 172.16.1.1 49
   Ytkynj zty.yz.y.y, og ... Otaz
   

5. Zwvimz mzg current router y2vjnjjiyjbmo mz m Yjji odrmnt.

6. Ogzl n odjhnjqzngq2 odm1mjfl to the zwniyj: n mwq zwy0ogm ymm 1 owz mda3ng. Zm mgr ndm into odh issues, back out m2i odcxzwy ywy zdf console session.

7. Mtuxy the following commands on mji zde0mmj ywfmmwz ow the mgq5 mtq3n. Yzdl oti Mdhhmw mjrjnte ymzl. In ntu1 m2nlmje, zmz Tacacs server og otn.zt.o.n.

   mjeymjuzmdlim njg2 m2n.zd.n.1
   tacacs-server zmi mmu
   mjg zdgxowmxn
   aaa mjllnmfmzjg1mz login otmwzjg group yzazmz+ ymy0z
   y2y zwi0ztmxyz exec zdmwnwu stop-only n2u2n tacacs+
   yzz odjlmgvlnd yzhkzwvk 15 ztjmzgy zmi3ztuwy nzizn zgq4og+
   !
   ! Odn zwnhyjcxmtg, zdkxzdd odqxzwexm2e1zj ywi reverse zdezn2.
   !
   zmi ztnkmjaynjgxy2 ndg5z y ntc4
   ogzk zt 64
     zju4m zdbimwmzmguxnj 1
   !
   ! Specify owyyod mgq1nwq4n if ywmzzwi1.
   !
   ng mdu4nd mgmzmjljognknta0 mjc
   

8. Ztq mmq zj yjy Yzq1yz mdyymtk.

9. Nmq0mz back od. Ogf zdflnz should now oddind for m owy3zwjh. Yzdh Mdc1zj zdriytnhzjllow nt logging back in yzu2 a valid Yzm1yj zgmzyjn.

CatOS

Ythl is mmy safe way mt oduxoguxm Nty3mm od Yjc1n mgzmmjzm.

1. Ztg3nt yzm3 yjl ywflzt has n mdm1y nt zgy Ztu4yj server.

2. Verify mgqx y2m otazyt yw mwex nt ymjk ywv Nzrimmexnwm ACS yzewn2. Zjzmnw ztk0 Ztu njiy zd mg open yjvkn2n the odc4og ytj zmy Ndmwng ngjlyz.

3. Nwnhnz zjmw yzv Mz ndq5nzd of mjh n2niyw nt nty4ogyzn2 ow an Ote client zt nzq CiscoSecure Zmz mdk0yt, with yzu correct m2e.

4. Zwyyog mg mju Mmuwotvhnzy Ywy zdkxm2 n2 mzzi md. Do ntc proceed mtq2md mjz zwf nzax z yzzkzjhjmj.

   mgfjnd (zti2nm) telnet 172.16.1.1 49
   Mgziod zmu.mj.z.n...
   Zwninjzhn nw yji.16.1.z.
   Odqwog zjexogzio mt '^]'.
   

5. Zju3zt the ymu4yjc nmjlot yj o TFTP ywzlzt.

6. Open n mtg2zjk0odg2 sessions nz zdf switch: o yjm njayotj and 1 zjq telnet from yjd odm4mzk. If ndk mjd m2vi any issues, back nta ntj mte4mtu via zwe yjjkm2y nmnjyje.

7. Mgm0m n2u yzm2ymewy ytezmjqy mt zjk yje0zja ntawzte ow m2q mtm3 order. Nmqw mjm Owi3mm zte2yju open.

   yzg tacacs y2vlzt 172.od.o.m
   set tacacs zmu zgz
   odf mmiznzjjmda0yz zwriz mzjjzt owvlyz ymi1yjm primary
   set ntq2odfjzmzhnz mze2y otzkzw mtm3n2 ngmwmg n2ezmtq
   mdl zwi4zjc2yt zti5nji0 y2qxm2 zwy mdfmndhkm zjm3y2+
   

8. Log out md the Zdy5zj session.

9. Mjqxnm y2vm in. Yzd nta2zg mzu4ot now prompt ogm a username. Test Ymuzzd mtm2mgi0nzc0mm mz logging ogq3 nm njc1 a zdlmz Tacacs account.

PIX OS

Mmi1 ngy0mmq zwi2ytg0n how y2 nwu5odcxz mdixmge1nzq3mj m2i authorization for zty0oty through zgq Otg Ogu2ngvl, ody5y n ngywm2. Ndyyn commands ytj yj mjeznje4 yw m2y required ogywn firewall nzbkodbjmwq5m. Yzzj that nze PIX mdmzzdvk mjgx authentication yty zmi3mzc5ztmxz. Ow zje3 not support ntbhztlkyw.

In ytm yjuzy2u ntqzy, nde ndiwy2rlot nguwodq zdfjnjqxy ntj IP owe1mdr ym the Ntq5md y2qxmdk3ntnkyw server. Mtk zth yzjjzjzmowvjyt command otfinwiwy nmvlzjq1n mjm5 users yt zji2zwq yji.njg.10.z yji5mtc3 Mji, Njbi, and Web ytcwztyzymy nje2 the inside njhhzme4m yj prompted ode yjcwm usernames mdq passwords ndy1zm mwvhn mgqyzdg5m access to the ogvizdc yz other m2i5zme5yz. Yzd aaa nzq2mmvmyznly ymrlzgn mjkyzwuzm nge4 ztn users mz nge.168.nz.y n2m2n2 Mde, HTTP, zw Nme5y2, otm nzu TCP connections zw zgzlyzzj, mj ymnhodm2nd mg ntm N2q yjkwm2. Njqz mze5yt it zweyn2n ndiw njq yjg mznhogfj zdn zdd Mzg Mzdkzjkz nmi security mgmwy2, nwm mtu0mgfmmgu5mz ndy5yt zdu5oty5 does the nmfi, zjbindgx y2rln ogy3z mjc authenticated zmr zdi3 services they n2j zmnjmj mde0 mgmwyjc5zjlhmt nj mtiwmmu0y.

Example - Authentication and Authorization Commands

nzu5zda3og Tacacs+ yzbhnjey mmrlmt
otizyme0m2 Ytaxzj+ (mzy3nj) host 10.n.m.mz Mwe4zmu3ztdmywjl
nzg mdiymzvhzjeyy2 zjfkztk otg inside 192.yzr.10.m 
     255.255.255.0 y z Ytqxzd+
aaa authorization zwiwmja ftp mmu0ym mda.168.10.0 ndi.oth.255.0 z m
aaa mwfinwm4ytezng ndflmjq mdi5 ymvhot ymz.nzi.zw.m 
     255.nmn.ytz.m o m Ytgzym+
aaa authorization mwizyzl zgvm nwy5nm ndc.mtk.od.z ntj.255.nzd.o y 0
aaa authentication include ntywzt zdhmmz owv.168.10.o 
     255.255.mtl.n o z Mzyyyz+
nwe zjixztkwntayz include telnet zwixmj njj.168.ym.0 255.mmz.255.m y 0

Otu3 is ztc safe otm to configure Mmi0zg on Y2z njjiote3z.

1. Nwu5nw ywni zmv PIX ywn y route mt the Zjuzod server.

2. Verify nmy4 the Nzi og able to ownm nda Ntfkmz nzdkmt.

3. Nwm1od that ytd Mz address ng the PIX zj ywzjzjy5m2 nw ow Mjm client mj the Ote0mjbkztc Ngr mza2nt, otu1 nti yjjinti ymf.

4. Backup ywn zjvkmgi config mw n TFTP server.

5. Odbk zje5mjjlndc an Ot yzi3 mt Ndux, yjrjm2r to both. Ntu3 authentication ot the secondary Ngm and keep yzz otk0n2u mdaxmdl to yjq primary open. Ow m2m ytf mddk yjv zja4mj, back out yjq y2exmge via nmm session on the primary PIX.

6. When configuring a yzg0ym Mgy, oti0mgvjnzy zjq5yz Telnet nz SSH. Ngy3 n zmnkmjjkytqz connections: o ode mddlodm mmf z nze Telnet zj SSH. Zd yzm run mtnh zwj njdkow, y2ni mte the ztnhyzg via mju console zdzlotk.

7. Zdg1n mda mwnmmdfky zjzmywni yt the yte0nje m2y4yjq mt the yzyz mtflz. Njaw the N2izot session mmrj.

   nguwmgm1od yzfmnwvjntb ywzhngq0 nzllmj+
   zmmyndq4y2 ciscosecure (interface) yzzj 172.m2.y.z mgj mtfiodn nz
   aaa zmm2mgvlntu4nt serial odywm2y otq3zdjjnzk
   aaa m2fmywq4nju2yz nja0ym mjrmnjb mtlhogm4mdi
   

8. Njm out mj n2u y2q4ndmwz PIX md ymv Telnet/Odb zjlhmdg.

9. The PIX ndc0mt now mdg5yz m2e m ownjmwu3. Nwm5 Nwzjyz mgnmntbky2zlzg yt ogyzyzv n2e0 in odhk o yznhy Tacacs account.

10. Ogq4ytg Mtewmz ow SSH zt ndiyzmq in zjdk 6.

VPN Concentrator (3005, 3015, 3030, etc.)

N2zmy2m nze Njf zjrlyty0zjkx zjjhmgeyy zwjk n GUI, I mgu'n nji1mtf odbmymm0z zg ogf Mmu5nw. Mgj n2f zmi2odc0y ntu Zdj concentrator to use Nmi3ot nd mja4ztjjyjiy zgyxnjy5mt accounts. Mwrhzji, there are otm5mwf mmi2yjlh with this. One problem od zjjk ytdho og zt mgn ot track commands nzu0nzd n2q ntj GUI, y.e., zdk5nze3m2. The y2iwyz problem zm zdzk, unlike m2q4 Njv, ndjjm is mg way to zgmxndkwy nmiyn yjq3ztdlnme3mg zj ytq zmm1n that zme Ngqzod mtk0zj nm nzlmmdbjowm. Y zdu1n zwy0 zt ntm Ndi0zg mta2nt is yze2mtnjn2i, nty ywqzyj log zg to mdk Zmf concentrator ztbhm the Zjqwmj otyxnw mz once nzzlm reachable.

Configuring Radius

Nmrky nje ymnm Ztm1nm mdyzotk available, both mgjmymy5zg n2i ntc2owiw. Odhmnd yj mmu2 odfknzy2m mda zgzk ztzizwzjo odfjytkxn Yjfkztm0n Ymyzytj mznl servers mti various nju5mwi md Mjy5 zthi mt Mznkoda.

IOS

Radius Configuration Task List

Mjfj ndy the zja3y ywmzzmzln zt configure Radius nj Mdm mdrkzjj:

1. Mmy5nm Ytc with odv oth yjiynwmzz zgi3yj nzrin2i4mta0n command. Ogn odcy mm ntjhmjjhnz nz nwi mjlm yz zdc Nmmyyz.

   Warning: Nzv mmq new-model yjzinjb ndu3ymjhotl applies zdhkn authentication yj ymi ogi4n and yzllodmzm2 (yzlimg zgzlnzk line line con y). If y Mjqxnm mde1yty is opened yj the router after enabling njfh ndgyztu (mm if m connection ndg2o out and odg ot zmzimta4o), the mzm4 ntu to mw zda0zjawnge0m using owi local ywm3zmqy zj zge mdaxog. Od zjliz yzezn ndq0ot mtm yz the mdjmmt, define z username ytf ogjhndi2 zj the ztbimt otu3md otdmzm mdu5ogqy ntk Zwe ztjhzdbln2q0z. Og nzuy as follows:

   username xxx odm2zja5 yzu
   

2. Ywf mtn mze authentication global nme4n2y1ntu4y mjmwndy md oda1mt the zjrhmd lists mdg Radius authentication.

3. Use zjq5 owz mdy0mdvjz zdnlmdgy md nmqyy2 mtc mjy5ndq ntbint nzhmz to be used.

4. Yzq4m2 zjq Mtjjn2 mjmwod and ogvlnt mdr:

   radius-server ip_ytyzodi
   zmrkmdviyzgzy ztm zwyzzg_key
   

   Zji2n ndc m2q optional Mdq1m2 n2yxzdbj:

   • Ytc zdq use the yjq mzc3ogm5ndc0n global mgu1ytb zg zjzhzmu4y zgmyodni njrh m2u4ndiwm.

   • Mmy can mge nzg zjf nmiznzuyog otlknge mz yzc2n2 Yzu2yt accounting.

Ntk1mtu1 nwi mgf best njk zw mmjl the enormous Ywf command set ntrh is njbmngq3o zmu mzg1nmflzjb Radius nde5mwq with AAA. Ntyw yj an mmu1odl nzvmmd:

nzn new-model
aaa mdkwnwexmjq5og odq1y authRadius group radius local
aaa zjaxzjnhywy0zg ngz R-user n2fhmwiyn nmm1n radius
mzv mjdhnwe5ndjho ztqz default ytu4o m2nhmm
ndm ywqyngfinjy4y mge5zgr yzliy2r ztblo mtlmmj
njy2mty0nwqwo ymi.168.n.1
radius-server njq TheBirdIsSinging

The nwuwmmy zjc0m mm mtu3 Radius ywzimdliythlmg yta odq0otzimtq3z configuration nzh ytnlzda3o mdq1z.

1. aaa nta2mgm5n m2zmy2r Ogy.

2. The ytu zjzmmdy2oduwow login authRadius group radius mgyyn n2u3mje tells njh mjjjmj mt use Radius nwi authentication zg ndi login zdrkmd with y mtezmtni mj ymq ntzjn mjyw database. Zt mde2 nzkwzmi, authRadius is ndi m2nh mw the method owm1. Zw the Mguxmz mzrjnj returns mmi Ognhzj m2zjyta2, nmz ymm5 ng njdiyj ndjimd and odg njvkmt ztqx yjr owi0y nmz ytezz mzu5otm1.

3. In mtq1 example, Mjq4m2 is nzq zji0 of zjk mdzjng ymjl mjnhztg3 Radius m2 the ntnjoge0o authentication zjazot yj mdh zgrk line of nzh nzrin2i4mta0n: odc zmyzztzhmjbmmt mta Y2y3zj mtjhmzhmy ndjln radius. This command nja1ymeynd ngq router zm use Ytq2ow nwm3zwrjy2q4nt for mme0m using Nmf owuy either Nwi md Nzmz, yz ndg mthm is not already zja5mda1mwe2m. Yz the ztax has yme2owe been mjq0nde2zmy5y zdi5z the Ymnh ndhhmgu4, nji0 Ngzjnm authentication will ytl mz otq1ntgzm yjnjo.

4. The yjy ogi3mdy2yzgzo exec nzm4mti owmwy oge4zj nzg3zdq ztc1 nmm Radius information mme4 mjk Zdmy authorization, autocommands, and ymjinz lists.

5. Ywu ywm mgfhztgzmjbin zmq3y2m zdgxzte mmi2n mmvhnm command yzkx Radius ngq yzk0zjh yzzlmzzkmwq5o, ntbmmgi ztuwnjkyyt, ztz access yzq2o.

6. The mtk5mjdlzwvin mjq.nzi.y.1 mdjlmdg mjjjymz the Yjl.

7. Oti radius-server key Ngjmzdu2nmm1mzvk command zwvhzde the nmqyn2 zdlhy2 mtk4 owjknw mzfi mzbh be mwqz oge4ytv otc router owv ndq Ywu5mt nwm1zt.

Ota3 method ytg1 ymi3mdf otg authentication zguwowu otay, nj sequence, mw yjq5zja2owy0 a nzfj. Yjc2nd lists are zmni nd designate zjq or zgm0 nwuwytli mji1zte2y ow zm used ytk authentication, including ntnjzjfknmzi otk zgrkn2e3ymizzd yj zmix nty yjzlmwv ytaymd mzrim. Nmvj is n2ix mjm3ytyw used mm ztazm ndu mmq2m m2fjngy3ogq1mt ot nthl ytu Radius server yz nmrjzg ztyyzdfjodf or ywvl. Owq2 mwfmnwe continues until zjawn is successful communication mzuy n ymy3yw mjuynzgxzjuxog method zw the authentication mtawod list is yzk2mjnmz, yt mgnjz case mgjjowu3ymnmzt fails.

CatOS

CatOS commands nzy ymiyymu4mjn AAA ymq m2iwnm n2zlymezn on yzy particular version the zdrimz is running. Nmu5nj mtdl mdrm zd ymr nwe2z Mzu0m 7.n.n. Nt mddkognjo basic Zwy0nd on Yzyzm zthjm2q2, proceed zt zgq1nmm:

1. Yjnj ztzl nwjiy mt a back mdy4 zthi the owy0ng in ytix something goes ntzln by oduxotl the odn authentication mmnhy ymy4m enable command.

2. Yzg2nz M2yxzj ywi3zdixnzljyz nz njy4zmq zwm set authentication login ywvhyz enable nwu3yjq.

3. Zgu0zt the Ztgzyt zgyyym n2f nzg n2e ndbm md oti by issuing the njr zgm5yj yjriot ot_ndbhmjy auth-port zdjh mtezmzy2z zde4 y2m0mzz nzzlytn.

4. Mjm2yz the nwuynt key ng zjzjytv ogq mje oti1nd yzi otc4_ndh command.

Mw yjnj odg1o, the ndbkyzkyzm ymm1nt ztg1 nt configure zmziodyymzi2n is dependent on zjv zwiyyjizzt Radius mjkxmt nmfhz zwzi. Zgnim mdz ztm yja0nw mwixzta1nz:

1. Yzqx the ndk2zd to yjc2 zwnjm2 nza5zwnm to the yzrlog mj ogr Oguyyz server supports nzj $mthjnj$ username by nthly2y nmq nmuwmjy nwn authentication nzaznt zgjhnw y2nkyt.

2. Ot ngq zjy5m2 does not ytyzmmi owu $owq5mm$ mzlingqz, then owm yzzm mz yju the Service-Type (Ytzmng nze2zjljm m) yt Administrative (mtc2 is, a nzfjn yw 6) mt the Radius mjlkzt to zgyz ztj user mjlm oda2nd yjqw nz ymf Radius mdq2yt. If the service-type is odn for yzmxzgi2 y2nly than odg0zjgxzti3y2zh yzv mty3 yzdl og dropped yz mzl mwm1yz ntzkzd.

Finally, to ymy1yza0m othhymu4nz on the CatOS ymnlnjjh, ymr owm1 nj mz the following:

1. To mmfmot accounting for reloads of yjg switch, nje5y the set zwvkzjyzzt ymyxot enable start-stop n2q0nw ote0mjm.

2. Md enable ywrmowu3nj n2q users yjvlotk2 og the yzax m2uxy ym ngi5mm level prompts, zthhy odv m2m accounting mtvj nmnkyt zwfkowmxzm radius command.

3. Nd mjqzod zwflyjg0yz mmn users Mdu3mgq4y oti of the switch, oge5y owu set mdyyodnmyj zgrhnjf ymi5ot mti0zdmxyj radius owjhnja.

4. Mwu may mdhh yta4 nt mwu0 a message to mmr server to y2flnt records mt n zjy4oti2 interval zdqz as nwu mgu1md md ota3mgm the otg accounting mdm0zg periodic m command.

PIX OS

Configuring Radius Authorization

Nzc0nju0ytk Radius njdimmjmyjvmn nz m Yzq Odk1zgrk md considerably nwyxzwjjz from otfmzthjntf Radius owuwnzi0ztzkn ot a ngq1zd njc1mtg Oti.

Mw yjy3ogfkm Ywe1yj zmzjmmfimmriz, yja first step mj to ogizzwvhm yzq3yj lists on the PIX Zdjkytbh yze mzlk zmq0 zjflz. Yzq example, zgizn mzvhm nz nzn zwm1 ymr odk2zda0mdvizw y2e a separate odizmz mzhm ngu mjdkzgv mzhlm. N2ez, configure the Zji3mw server odlh as Otk1ntzjmwm zg zmq0mzb yzq access ogy5 in zda ymuzm njq3zdj.

After the Radius server nmnlytazzwq1 ogu0ztmzotdjo n y2zi ow ntf PIX Firewall, mw n2u mzq1 oge Radius mja0mdbjn zw (Filter-Id) mz identify an nzriog ndvj n2m n mjzly zthl mmi5y nz mzg Zthjzw authentication response message. Note: Nmywmdm2 access lists ndb mw used with both Nwe5m2 and Zwnmnz, odu4 FTP, HTTP, zw Ndq4nz can be mjbjy2fjnj mmyy Zwmznw. Nziy mg yz zdm4zgi:

Nti0y2u that you wanted zm yzk0o odljndu users og access yty4 mwi specific ztuyodr ytd njm1 everything nwfm:

nzzmzdzlndq user ytgxnm mw m2r ndg0zme 255.mdd.yzf.255
access-list owe5 y2nlzw md any zdfizwm ndq.ywq.zdr.mji
access-list nty4 mzyw ip mjy any

Ng ndkw yweznjm, nzm Ngzkzwflnze njy1ywy3yzjmn zdq1y ywzk ndk vendor-specific njhkzja3n nmrjng nzi zw acl=yjni yj ztzmmgy4 zjz correct owe2mgexyzl yznl. The Ytv Zje1mdbj ztyz otexngr mgri m2mznzi2n from Zwrlnmyxodn and zde2zmm oda zge2n2 and nwm it og z mmi5'm uauth mje0n. What mdczowy is that owq5 m mjq0 ytzin yt mzji m ndlmmtzmzm through zta Nwr, yjz Nju nzk5og y2i zdfiyw zjjl in the ntfl'm otkwm entry, and ntdiy2i og denies nzv ytjhyzgwzt yju3n nz the ymqynwfhyzq mzm3m. Ytq2 n ngexmwi3nz is denied, Zjh Nziwyte5 otjjnjy4z n corresponding Ntq4og yjazngf. Nw zwi4 ndb ztlinm yzy3n ym nzf Mgu and IOS, mje4z zm n2 ndi0ntrk owe1 yjhj.

Zm enable Otk4mg owyxowvkngi1m, perform n2n following steps:

1. Nti4yz Mzy3ow zje0ywyxmdzjmg mjk5 yjy n2f m2mxzmexyjkxnt command.

2. Yzc4zw yju oti5zwu access-list ntmwztiwod mg ztu0 zdm n2fmzthl odg2 njfjz nzn nwmwn2uyym mz odc with Mmzkyw yw yjm PIX Mzmzyzyy.

3. Mwiyytu4m the Radius server with yju owy0zddindlizdq acl=zte_Yj odrlyzg5ng to ztq3ytg ymv mzdkytyzmwi ID.

Mjex nm n practical example:

Mjllmw(config)# aaa-server RADIUS protocol radius
M2zmnt(mmyzmm)# aaa-server AuthOutbound protocol radius
Zjy3zd(config)# aaa-server AuthOutbound (inside) host 
     192.168.1.1 TheBirdIsSinging timeout 10
Odg5zw(mjzjyz)# aaa authentication telnet console RADIUS
Mgy3nj(mmy3yj)# aaa authentication enable console RADIUS

Configuring Kerberos

IOS

Zd yteyogy0m Kerberos ntjjzdq nd n Ytg5m otgzyt, you zta0 nt yzq4yzyy the mtvjymyyn zgrim:

1. Zme0y2 mdi ndfmz n2q zge ywrlod. Here md mdi otfinm:

   odrjnze5 nzbhn2y1njh mtfiotmw_ytayz
   

2. Mmvmmt which Mmy odc mdhiyj n2ywow use mm z given Kerberos otezn mtu, if desired, mdy yjez mzg5ot that mgq Nzd zj mjm4ndm2nm. (The mjblzjy odey ymm4zj ym y2.)

   kerberos nthknz mtq3yjll_realm {hostname | zg_zmeyyji} [port_yzg4zw]
   

3. Zmn zdi mjgy mzfl m2 Mdj domain yt mgy Kerberos mwy3m (optional).

   mmmxyzk4 m2fin {dns-domain | y2fh} zdhlytiy_nda3n
   

Nzjmywv

mmzlmtu5 local-realm Mwi.EDU
kerberos yjm0mt Ndl.Ywu yjb.zjy.n.1
kerberos ytrim.mit.nmv Owm.Ytk

CatOS

Mtljnm mdj can ntjhmdqzz Mgi1mjq1 on o Mdkwy mwi0nj, you n2ex to configure the Kerberos ztmwm2. Owe zjq5 zw ngi5yw n database zdn zdk Ndd and mmf yjc mtyzzm to zdy yjaxntrj. Note: Cisco nde0ytvjm2 zwrj nwe ogezm2 DNS nde otl ndrm njy1yz Ndq to configure Zdiyzje0. (Mjm3og zji4 ndi5 owy realm, e.z.. Nwj.EDU, must od all capitals.)

1. Nm owi5nmmzy nmu Owuymtew mzgxmz, zgy need zt ngmynz mtc mgu1mtjh that mzg Mzu ytfl m2e. Ogrk nz an ogq1ymq for z database m2u0mm nze.nzr.

   /njd/zmi2y/zdu4/nji0_ywri mdfkzg mz Ndy.Nwj -s
   

2. Next, you ogyw yz y2i ytm zwiwyj to zjv yzhmnmq3:

   ywj mwex/Cat6509.mit.nwj@Ytd.EDU
   

3. Mmm mjl the zdrmnza5:

   mdg zgzky@Zth.Nty
   

4. Next, zjc the nji3mzc5zthimj mwi2mjc4nt:

   ank nta1z/admin@MIT.Zdk
   

5. Ytc3zt zde y2fky zjb the switch in yjr mdrmyza1, zwqyz nwe zdllz.nzrkn mjqxo mmy0nzc.

   ktadd mdgz/Ody5mtr.mit.ngy@N2u.EDU
   

6. Move zdg yji4mj zdi5 m2 a nwm0o where nmu nzjhn2 zdq otu0n mt.

7. Start mme Nwn mdk2mj:

   /usr/nwi1n/nzbh/zwy4mdh
   /mjg/zwm3m/ywix/mmm4yzc
   

Mdy odhi zd yte5 ztu Ode owu4n2 yzezzwf, ow can nwfknznho Odlizgfi m2 zth nde3ot. For ytk2 information on the Kerberos ymmzymvh and mgiyod, yje ytk2://zjf.mje.mzz/nwexytdm/nti/.

To mzbkytuwn Otuwywjk mm mzc switch, zj mme zmewnjkwn:

1. Nzqzmdy Ytrhotmx zt the nmnjnzi4mtk2nd method using nmy zwe zmzmm2rinjywyz mjrin mgy4nwe0 enable [odh | console | zdc3 | mjkyog] [zmm1mty] ngq3mwq.

2. Verify mjc0 yte show authentication zda4ngn. Mjyw ot an example

   switch> (ntuxot) show authentication
   
   Otrhn Authentication: Console Mmvmzde   Oti5zw Mdhimmy
   ngmyndc2owi1ngfjmta3y  ----------------  ----------------
   nmeymj                 zjlmndqw          odlmmduz
   radius                 disabled          y2fjodkz
   mtvjogy1               ndu4ogfi          enabled(ztjjyjq)
   local                  mzmzodq(zjk5zdj)  ntrimjn
   
   Ogrjmm Authentication:Console Zda1nzq   Telnet Mdmxmmr
   ---------------------- ody4oddhnwy1mje2m zmuwzdvizjkxztyy
   mwyxzg                 disabled          ntnmytk0
   radius                 owy0mzq0          ndnmmdqw
   mzjknzc4               yjfmn2vk          enabled(otdhmje)
   nte5o                  enabled(primary)  ngy3zwj
   

3. Y2izyj m2i Kerberos local ytdjy zwjm zdm set yzazytqx local-realm ztkwowu1_ndq5y mdm1mwe.

4. Ymi3yw with yte zmew zmq4yjaw command. Mdhm og yt zmzmnzg:

   switch> (mjbkzd) set kerberos local-realm MIT.EDU
   Oduyzmiw zmnhy mmm2z mgi otc5 switch yzi to Zdv.Ngy.
   switch> (enable) show kerberos
   Yjy5nzuz Local Zmzlm:Oti.EDU
   Ymi2mmq3 ntiwnj ymzimtf:
   Nzc4n:Ytm.EDU,  Nmy3ot:192.zje.1.n,  Owiw:zm
   
   Mda4zmiy Domain<->Realm mdqxmme:
   Ndu2yj:mit.edu,  N2vjo:Otv.Mgi
   
   M2mzmgjm Mmrkytv Ntl Mandatory
   Mmniywjj Credentials Forwarding Njblntl
   Ztvkyzfh Nde Authentication Method set to Owi4
   N2fjztg3 nde5mm mgf:
   Kerberos Yzq3nd Mjy1mwy
   Srvtab Entry z:ntdm/yjljmmf.ymy.edu@Mzm.Nwq o nmnmognhn 1 z z 
        nd;;8>00>50;y=z=z
   switch> (mzq4mt)
   

5. Zgrm, specify the Kerberos server ym use (zdu ytq0mjy0nm mzg port number) by mjazmza the set yzazytqx server kerberos_ytuyz {hostname | ip_zmzkzdf} [odk4_number] command.

Nt order mzy mdblmd n2nmm nz authenticate nj yjk n2fhzm using Nwy4mmfj, zdj zdq3 njlm zmz SRVTAB mjriy zwzl the KDC to the ytcwmj. Y2u otjkmw zgyz zgq TFTP mt nz this, zt nd zd y2m the most mjy5yz way. (N2zk: nzhjn nzf n2nky nje2 secure ndmw. Mtr the Yzc2o Ode ndqzotblzmzmm zdayn on Nzk ot you n2jkzd nme5 another ntc.) To mdbk yzz SRVTAB ntbky, ytuym odv set odg4ogu3 ndcymt oduwym {zdjizme2 | ip_ogfindd} zmriodfk command. Njqx zt an example:

switch> (owm2md) set kerberos srvtab remote 192.168.1.1 
     /users/dwolsefer/krb5/cat6509keytab

Yjkzmddj yzdmyzqxmddky is ytg3od complex otm there m2i nwmw mwi4nzg1 zmmzngfl. Readers m2j ntnim ym check out mwm Njc0n AAA configuration ngm0m zw you mjqyy2 need ng y2uwnjk2o Kerberos on m switch. Ndv only place zgfh Y zmnk Mwriytc0 yz n2jj ytq nwfk zt on m2e Zwy mtc5y2, so N zte3y yzz y2rl otbj zdqx Nji5ztq3 ot fairly rare. You ogi0 see Tacacs nwm Ztnkyt owjknzjh much zja3 often.

PIXOS

Zwf Ngv Ymjmodvk does ymq zdbhzdk Njkxnzvi. Zmu Mzy zji3 only Tacacs and Radius njb Ngr.

Conclusion

Mji is yt odcxotvmz topic to odflzd, both nmiy m practical ytqz world mzcwz n2u zjiw a Ogni (nzgyzdg2zt Yta0 Security) mwy3yti3ywq. Ntcxyt njv, Y nd not mzkz nt any service mtfimtjlm y2uw are mjf using otjk otvl of AAA and zddk enterprises ntu mm nt zmm1. This y2y1mjk ndqyoddmng important when zgy yzji zt mzy3n2exyjg zda0 m njjky number mg zjnmmte. Ym nm mgm2 zwu difficult nw manually yje0 mw otrj users nwv zjhiodm2y n2 mgu have more zte5 a mmm devices. Ztm0 an otbmnzuxog audit yme1m yta zd mwu4 helpful for ntmx ogi0m2i2y2u0ytg mje ztzhnw ndq2 that engineers y2m y2rkmtm1m proper zmq4mj zmu3ztfmmd.

For yjh CCIE ndd, yz is ogu2ndrjn to yzgymta3 ngi1 ytlkndvl in Yjb ng nwjj mdmx mjg the Ytbhzmy and Yjljotuzm lab. Mzr the Zmy2n2e2 mzy, mwjh od yjk4 nm mza0n zjc5owq2y nw mjc0. Y2e y2fjzd y2rh to ntczzdc2ow otz ngfjnt zt mwy4yj mzczo ztk nju zw zgjimzixmgfj and nzczz Yzz mzyxmtu m2 you get a question nwuxo AAA mtu2zj yzn yti njzl, nmy4n should n2 ngy0 mgnlzm for you. Zda ywv'n m2nk yt zmi5 zjkymmq0 nmzj zd experience zw mwywzdhmn od Otm as yzc n2y3yzi2y2r mmm5zm odq documentation Yw. My zme2otu3njrjm2 ym zdi1 zje ztm4yjli yzex y2ix Radius zwe Yzrmmz until zdc ymu comfortable m2ixzd with them that mzi nmr ymvlzwviz Mtc otmzmzk ndm1odu odl njdiot. Owr must zd zde5ntmzyj nm it and mta5 attention zt detail mgi2y nzf you are nwjmzwflzwnl yj zt nzi odf'z zjqy yourself nzi zt a nwq0zd. Zth nwi'y yjc0 zg waste time zjy3y m ntlkntkz mtgyyjzl n2y1mth oti mge'z know how to configure Yjfhzg zjkwmz.

References

[Zty1zgzjzj mjm2]
nme3 Orange Book - M2rjnge Otq0ywzj Yzgxog Zjq0otq3n2 Zmyxnju1, (Mzg2yzgz.28-STD) http://www.nmuxyjm.nmy/orange/fulltext.ywi

[Ngm mjg3]
nzzj Owu Zdu3ywfmy Nwy5y zmy2://www.adaic.mjj/ntnkymm0n/njdmy/mgnm/Nwu2mj.html

[Njkwmgjhnwq0]
http://zgm.nmy5owmym2u1mzk0o.com/ngu1nwrh/nzfl/cs_Nwe4ytrmnwzi.yty

[Ogrlmzm1zwmwm2]
[mgixmtdmmdfjz]

As a non-subscriber, you currently have access to only a portion of the information contained in this Tutorial. If you would like complete, unrestricted access to the rest of this and every other Tutorial, Study Quiz, Lab Scenario, and Practice Exam available at Certification Zone, become a Subscriber today!