Cisco Network Security Little Black Book - Joe Harris.pdf

Configuring Authorization

AAA authorization provides administrators with the power to limit the services that are available to users. After authorization is enabled, the network access server uses the authorization information that was supplied to it by the security server based on the user's profile. This allows the network access server to limit the access granted to the user based on the information in the user's profile.

Just as with authentication, method lists are used to define the methods and the sequence in which authorization is performed. Method lists enable you to designate one or more security protocols to be used for authorization, thus ensuring a backup system in case the initial method fails. Cisco IOS software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method or until all methods defined are exhausted.

Use the aaa authorization global configuration command to define the parameters that determine what clients are allowed to do. To configure authorization, perform the following steps (Steps 4 and 5 are optional):

1. Enable AAA by using the aaa new-model global configuration command and configuring any security protocol parameters, such as the key value. This step and the steps used to configure the key value were outlined in the sections on configuring TACACS+ and RADIUS.

2. Configure AAA authentication as described in the "Configuring Authentication" section. Authorization generally takes place after authentication and relies on authentication to work properly.

3. Use the following command to enable authorization:

aaa authorization <auth-proxy|network|exec|commands> <level|reverse-access|configuration|ipmobile> <default|list-name> group <if-authenticated|none|local|tacacs+|radius>

4. Define the rights associated with specific users by using the username command if you are using local authorization.

5. Use the no aaa authorization config-commands command to stop the network access server from attempting configuration command authorization. Some configuration commands are identical to some EXEC-level commands; this can cause confusion in the authorization process because the aaa authorization command with the keyword commands attempts authorization for all EXEC-level commands, including global configuration commands associated with a specific privilege level.

The command parameters listed in Step 3 are described in Table 2.1.

Table 2.1: Authorization command parameters.

Command             Description
auth-proxy          Used to apply policies to specific users
network             Used for network services, such as PPP
exec                Used for starting the EXEC process
commands            Used for EXEC mode commands
reverse-access      Used for reverse Telnet sessions, such as on a terminal server
configuration       Used for downloading configurations from the security server
ipmobile            Used for IP mobile services
if-authenticated    Allows user to access function if the user is already authenticated
none                No authorization performed
local               Uses the local database for authorization
tacacs+             Uses the TACACS+ database for authorization
radius              Uses the RADIUS database for authorization

Figure 2.10 displays a network in which multiple users are connected to the corporate office via dial−up and the Internet. After the initial authentication phase, limitations must be placed on each user's session for security purposes. Some users should be allowed full access to the network and networking devices; such is the case with administrators. Other remote users need to be provided with the services that are deemed necessary to perform their job functions. This is done through the use of authorization. Continuing with the examples that were discussed in the section on configuring authentication, the network access server should be configured so that all users connecting to the network are authorized for the proper services via the security server. This can be accomplished using the configuration in Listing 2.8.

Listing 2.8: Authorization configuration.

#config t
#username James privilege 15 password letmein
#username admin privilege 15 password adim
#username John privilege 15 password cto
#aaa authorization exec default if-authenticated tacacs+ local
#aaa authorization exec ADMIN_ONLY none
#aaa authorization commands 15 ADMIN if-authenticated tacacs+
#aaa authorization commands 8 Associate tacacs+ local none
#aaa authorization network default tacacs+ local none
#line con 0
#authorization exec ADMIN_ONLY
#end

The configuration in Listing 2.8 defines three users within the local security database of the network access server. The first authorization command uses the default method list to authorize the EXEC process for all interfaces and lines if the user has already been authenticated during the authentication phase. The second authorization command is applied to the console port of the network access server and overrides the default method list. It creates a named method list called ADMIN_ONLY and specifies that no authorization is to take place. The third authorization command creates a method list named ADMIN and authorizes all level 15 commands if the remote client has already authenticated. If the remote client has not already authenticated, the access server will attempt to authorize the remote client via the TACACS+ security server. If the access server does not receive a response from the security server, it will attempt to authorize the remote client using the locally configured database. The fourth authorization command is similar to the second, only it is authorizing all commands associated with level 8 privileges. The final authorization command that is configured uses the default method list to authorize all network services the remote client attempts to use. It accomplishes this by authorizing the remote client using the configured TACACS+ security server, and if there is no response from the security server, it will attempt to authorize the client by looking into its locally configured security database.
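To make the fallback rule concrete, here is an added Python model (not Cisco IOS code and not from the book) of how the method lists in Listing 2.8 are walked: a method that does not respond hands off to the next one, while an explicit PASS or FAIL is final. The if-authenticated handoff follows the chapter's description; treating an unknown local user as "no response" and denying when every method is exhausted are assumptions of this model.

```python
"""Model of Cisco IOS AAA method-list evaluation for the lists in Listing 2.8.

Added illustration, not IOS or book code. Each method returns PASS, FAIL or
ERROR; IOS moves to the next method only on ERROR (no response), while PASS
and FAIL are final. Local-database and exhaustion behaviour are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Session:
    user: str
    authenticated: bool
    tacacs_reply: Optional[str]            # PASS/FAIL, or None if unreachable
    local_users: Dict[str, int] = field(default_factory=dict)  # user -> priv
    requested_level: int = 15


def run_method(method: str, s: Session) -> str:
    """Verdict of one method for this session."""
    if method == "if-authenticated":
        return PASS if s.authenticated else ERROR   # hand off if not yet authenticated
    if method == "none":
        return PASS                        # no authorization performed at all
    if method == "tacacs+":
        return ERROR if s.tacacs_reply is None else s.tacacs_reply
    if method == "local":
        level = s.local_users.get(s.user)
        if level is None:
            return ERROR                   # assumption: unknown user -> next method
        return PASS if level >= s.requested_level else FAIL
    raise ValueError(f"unknown method {method}")


def authorize(method_list: List[str], s: Session) -> Tuple[str, str]:
    """Walk the list like IOS does; return (verdict, deciding method)."""
    for method in method_list:
        verdict = run_method(method, s)
        if verdict != ERROR:
            return verdict, method
    return FAIL, "exhausted"               # assumption: nobody answered -> deny


# Method lists taken from Listing 2.8
EXEC_DEFAULT = ["if-authenticated", "tacacs+", "local"]
NETWORK_DEFAULT = ["tacacs+", "local", "none"]
```

Running the `network default` list for an unknown user with the TACACS+ server unreachable ends in PASS on the trailing `none`: that is the fail-open the `none` keyword buys, and it is only reached when the earlier methods fail to respond rather than deny.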

Consider this scenario: James is at home one night watching a really close football game on the television (it's a two−point game in the fourth quarter with two minutes to go), and all at once, the phone rings—it is someone from his network operations center calling to inform him that she is having an issue with a couple of devices on the network. James dials into the network to have a look around. After he connects to the network access server and it uses the configured methods of authentication to authenticate him, James enters privileged mode on the network access server. The process the network access server used to authorize James can be seen in the output of Listing 2.9, using the debug aaa authorization command.

Listing 2.9: Authorization process.

Seminole#debug aaa authorization
AAA Authorization debugging is on
Seminole#
:AAA: parse name=tty2 idb type=-1 tty=-1
:AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
:AAA/MEMORY: create_user (0x6251D064) user='' ruser='' port='tty2' rem_addr='192.168.11.45' authen_type=ASCII service=LOGIN priv=1
:tty2 AAA/AUTHOR/EXEC (2897440801): Port='tty2' list='' service=EXEC
:AAA/AUTHOR/EXEC: tty2 (2897440801) user='James'
:tty2 AAA/AUTHOR/EXEC (2897440801): send AV service=shell
:tty2 AAA/AUTHOR/EXEC (2897440801): send AV cmd*
:tty2 AAA/AUTHOR/EXEC (2897440801): found list 'default'
:tty2 AAA/AUTHOR/EXEC (2897440801): Method=tacacs+ (tacacs+)
:AAA/AUTHOR/TAC+: (2897440801): user=James
:AAA/AUTHOR/TAC+: (2897440801): send AV service=shell
:AAA/AUTHOR/TAC+: (2897440801): send AV cmd*
:AAA/AUTHOR (2897440801): Post authorization status = PASS_ADD
:AAA/AUTHOR/EXEC: Authorization successful
:AAA/MEMORY: free_user (0x62558A94) user='James' ruser='' port='tty2' rem_addr='192.168.11.45' authen_type=ASCII service=ENABLE priv=15

Notice that the access server first allocates a portion of memory in order to create the user. The network access server then determines that the user is attempting to access privileged exec mode; this can be seen in the output service=EXEC. The access server then determines that the username is James. At this point, the network access server determines that the method list default is configured and that the first viable authorization method is to authorize James using TACACS+. The network access server passes all of James's information to the TACACS+ security server, and the security server sends back a response of PASS.

Configuring Accounting

The accounting portion of the AAA security architecture enables you to track the services users are accessing as well as the amount of network resources they are consuming. When accounting is enabled, the network access server reports user activity to the TACACS+ or RADIUS security server. The accounting service reports to the security server using accounting records. Each accounting record contains accounting attribute−value (AV) pairs and is stored on the security server. This combined data can be analyzed for network management, client billing, and auditing purposes.

Just as authentication and authorization support method lists, accounting uses method lists to define the ways that accounting will be performed and the order in which the methods will be used. Method lists enable you to designate one or more security protocols to be used for accounting, thus ensuring a backup system in case the initial method fails. Cisco IOS software uses the first method listed to account for the network services a client accesses; if that method fails to respond, the Cisco IOS software selects the next method listed in the method list. This process continues until there is successful communication with a listed accounting method or until all methods defined are exhausted.

Use the aaa accounting global configuration command to define the parameters that record what services clients have accessed. To configure accounting, perform the following steps:

1. Enable AAA by using the aaa new-model global configuration command and configuring any security protocol parameters, such as the key value. This step and the steps used to configure the key value were outlined in the sections on configuring TACACS+ and RADIUS.

2. Configure AAA authentication and authorization as described in the "Configuring Authentication" and "Configuring Authorization" sections. Accounting generally takes place during and after authentication and authorization.

3. Use the following command to enable the accounting process:

aaa accounting <system|network|exec|connection|commands> level <default|list-name> <start-stop|stop-only|wait-start|none> <tacacs+|radius>

The command parameters listed in Step 3 are described in Table 2.2.

Table 2.2: Accounting command parameters.

Command        Description
system         Audits all system-level events
network        Audits network service requests, such as PPP
exec           Audits EXEC process
connection     Audits outbound connections
commands       Audits all commands for the specified privilege level
level
default        Default method list that is applied to all lines
list-name      Creates a named method list
start-stop     Sends start notice at start of the process and stop notice at the end of the process
wait-start     Specifies accounting process does not begin until the start accounting notice is acknowledged
stop-only      Sends accounting notice at the end of the process
none           Specifies no accounting service takes place
tacacs+        Accounts the client services using the TACACS+ protocol
radius         Accounts the client services using the RADIUS protocol

Continuing with the example in Figure 2.10, the network access server should be configured to account for all activity that takes place on the access server. This requirement can be met using the configuration in Listing 2.10.

Listing 2.10: Accounting configuration.

!
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default wait-start group tacacs+
aaa accounting network default stop-only group tacacs+
!
username admin password admin
!
interface Ethernet0
 ip address 192.168.10.1 255.255.255.0
!
interface Serial0:23
 no ip address
 encapsulation ppp
!
interface Group-Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 ip tcp header-compression passive
 async mode interactive
 peer default ip address pool IP
 ppp callback accept
 ppp authentication chap
 group-range 1 16
!
ip local pool IP 192.168.10.239 192.168.10.254
!
tacacs-server host 192.168.10.4 single-connection timeout 10 key 1Cisco9
!
line con 0
 login authentication ADMIN
line 1 16
 modem InOut
 autoselect during-login
 autoselect ppp

The configuration in Listing 2.10 sets up accounting on the network access server. Each method list defined uses the default method list, which applies the configured method to all interfaces and lines. Each method list is also configured to use the TACACS+ protocol to perform the accounting function. After James dials into the network and begins his troubleshooting efforts, the accounting process on the network access server starts. The details of the accounting process can be seen in Listing 2.11.

Listing 2.11: Accounting process.

Seminole#debug aaa account
AAA Accounting debugging is on
Seminole#
:AAA/ACCT/ACCT_DISC: Found list 'default'
:tty2 AAA/DISC: 1/'User Request'
:AAA/ACCT/EXEC/STOP User James, Port tty2: task_id=273 start_time=1004308320 timezone=CST service=shell disc-cause=1 disc-cause-ext=1020 elapsed_time=40 nas-rx-speed=0 nas-tx-speed=0
!
:AAA/ACCT: user James, acct type 0 (3132070800): Method=tacacs+ (tacacs+)
:TAC+: (3132070800): received acct response status = SUCCESS
:AAA/MEMORY: free_user (0x62527B28) user='James' ruser='' port='tty2' rem_addr='192.168.11.45' authen_type=ASCII service=LOGIN priv=1
:AAA: parse name=tty2 idb type=-1 tty=-1
:AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
:AAA/MEMORY: create_user (0x625249DC) user='' ruser='' port='tty2' rem_addr='192.168.11.45' authen_type=ASCII service=LOGIN priv=1
!
:AAA/ACCT/EXEC/START User James, port tty2
:AAA/ACCT/EXEC: Found list 'default'
:AAA/ACCT/EXEC/START User James, Port tty2, task_id=276 start_time=1004308382 timezone=CST service=shell
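Accounting records like those in Listing 2.11 are only useful for auditing once they are structured. The following added Python example (not from the book or Cisco) parses the EXEC START/STOP records from a `debug aaa accounting` capture into dictionaries of AV pairs and lists task_ids that started but never stopped. The sample lines are constructed after Listing 2.11, and the regular expression assumes the record layout shown there.

```python
"""Parse 'debug aaa accounting' EXEC START/STOP records into structured events.

Added example, not book or Cisco code. SAMPLE_DEBUG is constructed after
Listing 2.11; RECORD_RE assumes that layout (event, user, port, AV pairs).
"""
import re
from typing import Dict, List, Optional, Set

SAMPLE_DEBUG = """\
:AAA/ACCT/ACCT_DISC: Found list 'default'
:AAA/ACCT/EXEC/STOP User James, Port tty2: task_id=273 start_time=1004308320 timezone=CST service=shell disc-cause=1 disc-cause-ext=1020 elapsed_time=40 nas-rx-speed=0 nas-tx-speed=0
:AAA/ACCT: user James, acct type 0 (3132070800): Method=tacacs+ (tacacs+)
:TAC+: (3132070800): received acct response status = SUCCESS
:AAA/ACCT/EXEC/START User James, port tty2
:AAA/ACCT/EXEC/START User James, Port tty2, task_id=276 start_time=1004308382 timezone=CST service=shell
"""

# ":AAA/ACCT/<service>/<START|STOP> User <user>, Port <port>[:,] k=v k=v ..."
RECORD_RE = re.compile(
    r":AAA/ACCT/(?P<service>\w+)/(?P<event>START|STOP)\s+User\s+(?P<user>\S+),"
    r"\s+[Pp]ort\s+(?P<port>[^,:\s]+)[,:]?\s*(?P<avs>.*)$"
)
AV_RE = re.compile(r"(?P<k>[\w-]+)=(?P<v>\S+)")   # keys may contain '-'


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Return a dict for a START/STOP record, or None for any other debug line."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("service", "event", "user", "port")}
    rec.update(AV_RE.findall(m.group("avs")))   # AV pairs may be absent
    return rec


def parse_debug(text: str) -> List[Dict[str, str]]:
    """All START/STOP records in a capture, in order of appearance."""
    return [r for r in (parse_record(ln) for ln in text.splitlines()) if r]


def open_sessions(records: List[Dict[str, str]]) -> Set[str]:
    """task_ids with a START but no STOP: EXEC sessions still active at capture end."""
    started = {r["task_id"] for r in records if r["event"] == "START" and "task_id" in r}
    stopped = {r["task_id"] for r in records if r["event"] == "STOP" and "task_id" in r}
    return started - stopped
```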
