Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

Configuring the NAS for AAA

45

And presto—that’s it! Well, at least that’s it for getting started with NAS configuration. Did you notice that once the command aaa new-model was entered, the accounting, authentication, and authorization parameters became available? And did you see that the login local command is no longer available under the line commands? I’ll show you the new commands to use shortly.

While AAA was designed to centralize access control, it still demands configuration on each and every network device. The good news is that once you’ve configured AAA, you’ll rarely find yourself having to alter it. You might need to modify your AAA configuration by changing the encryption key, but other than minor alterations like that, all changes—including those for user accounts—will be invoked at your security server. Nice, huh?

Authentication Configuration on the NAS

Now you’re ready for the next step. This section will explain how to configure authentication, authorization, and accounting services on the Todd NAS router using a local database.

Authentication is configured differently on Cisco IOS-based and set-based devices, but the general parameters are similar. In broad terms, you must first instruct the device to use an authentication protocol and then provide the IP address for communications.

After you enable the NAS with AAA, you have to configure the authentication method lists and apply them to the lines and interfaces of the NAS. Here are the possible commands to be specified:

Todd(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  banner           Message to use when starting login/authentication
  enable           Set authentication list for enable
  fail-message     Message to use for failed login/authentication
  login            Set authentication lists for logins.
  nasi             Set authentication lists for NASI.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  username-prompt  Text to use when prompting for a username

To configure authentication, first specify the service: PPP, ARAP, NASI, or login authentication. (ARAP is the AppleTalk Remote Access Protocol, and NASI is the NetWare Access Server Interface.) For now, though, you’re interested only in PPP.

First, you need to identify a list name or default. The list name can be any alphanumeric string you choose. Depending on your needs, you can then assign different authentication methods to each named list.

Finally, you need to specify the method used for authentication and designate how the router should handle any response for the various methods you’ve chosen. Once the lists have been created, you apply them to either the router lines or the interfaces.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

46 Chapter 2 Introduction to AAA Security

The aaa authentication login command is used to define the type of authentication protocol you want to use. This command has two options and many variables. Here’s one example:

Todd(config)#aaa authentication login ?
  WORD     Named authentication list.
  default  The default authentication list.

You can create a named list or use the default. The default argument gives you quite a few options:

Todd(config)#aaa authentication login default ?
  enable      Use enable password for authentication.
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
  radius      Use RADIUS authentication.
  tacacs+     Use TACACS+ authentication.

Todd(config)#aaa authentication login default local

Look at the preceding command. The login default local command tells the router to authenticate using the local username and password, which can then be placed under the console, VTY, and AUX lines with the following commands:

Todd(config)#line console 0
Todd(config-line)#login authentication ?
  WORD     Use an authentication list with this name.
  default  Use the default authentication list.
Todd(config-line)#login authentication default
Todd(config-line)#line aux 0
Todd(config-line)#login authentication default
Todd(config-line)#line vty 0 4
Todd(config-line)#login authentication default
Todd(config-line)#

The following example illustrates how to use the login command with a named authentication list that I’ll call “dial-in.” This example puts the authentication list on the bri0/0 interface of the router:

Todd(config)#aaa authentication login ?
  WORD     Named authentication list.
  default  The default authentication list.


Todd(config)#aaa authentication login dial-in ?
  enable      Use enable password for authentication.
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
  radius      Use RADIUS authentication.
  tacacs+     Use TACACS+ authentication.

Todd(config)#aaa authentication login dial-in local

The local keyword at the end of the command tells the router to use the local username and password for authentication.

You still need to set up PPP authentication for the list dial-in using the following command:

Todd(config)#aaa authentication ppp dial-in local

The authentication method for PPP can be a default or a named list. The preceding example uses a named list.

Now place the authentication method under the interface using the following commands:

Todd(config)#int bri0/0
Todd(config-if)#encapsulation ppp
Todd(config-if)#ppp authentication chap dial-in

Here’s another example. Instead of the login command, you can use the enable default command. Doing this specifies whether a user can access the privileged level of a router. There are some options available with this command, as shown next:

Todd(config)#aaa authentication enable default ?
  enable   Use enable password for authentication.
  line     Use line password for authentication.
  none     NO authentication.
  radius   Use RADIUS authentication.
  tacacs+  Use TACACS+ authentication.

The enable keyword allows the local enable password to be used if network connectivity between the server and the router is lost. You could consider this a security risk, but it’s not a major one, because an attacker would need to either physically access the router or compromise the internal network enough to change routes or block packets. Choosing the line keyword designates the local line passwords for authentication. The radius and tacacs+ keywords select a remote server for authentication. Chapter 3 describes this more completely.
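To make the fall-through behavior concrete, here is an added Python model, not code from the book, of how IOS walks an authentication method list such as “radius enable”: the router moves to the next keyword only when a method returns an error (for example, an unreachable RADIUS server), and a rejection from any method is final. The local users, enable secret and RADIUS accounts are constructed values, and the function names are the example’s own.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method verified the credentials
    FAIL = "fail"    # the method reached a decision and rejected them
    ERROR = "error"  # the method could not answer (server unreachable, and so on)


# Constructed stand-ins for the router's local username database and enable
# secret; the values are hypothetical.
LOCAL_USERS = {"todd": "cisco123"}
ENABLE_SECRET = "en4ble"


def make_methods(radius_reachable, radius_users):
    """Build the method keywords from the page as callables. The RADIUS method
    models a lost server with an ERROR result, which is the only outcome that
    makes IOS move on to the next keyword in the list."""

    def radius(user, password):
        if not radius_reachable:
            return Result.ERROR
        return Result.PASS if radius_users.get(user) == password else Result.FAIL

    def local(user, password):
        return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL

    def enable(user, password):
        return Result.PASS if password == ENABLE_SECRET else Result.FAIL

    def none(user, password):
        return Result.PASS  # 'none' never checks anything

    return {"radius": radius, "local": local, "enable": enable, "none": none}


def evaluate(method_list, methods, user, password):
    """Walk the list in order. A PASS or FAIL from any method is final; only an
    ERROR falls through to the next method. If every method errors out, the
    attempt is treated as unauthenticated and (ERROR, None) is returned."""
    for name in method_list:
        result = methods[name](user, password)
        if result is not Result.ERROR:
            return result, name
    return Result.ERROR, None


def login_with(method_list, radius_reachable, user, password, radius_users=None):
    """Evaluate one attempt, e.g. ['radius', 'enable'] models the list created by
    'aaa authentication enable default radius enable'."""
    methods = make_methods(radius_reachable, radius_users or {})
    return evaluate(method_list, methods, user, password)


if __name__ == "__main__":
    # 'radius enable' with the server down: the enable secret is accepted
    print(login_with(["radius", "enable"], False, "todd", "en4ble"))
    # 'radius none' with the server down: any password is accepted
    print(login_with(["radius", "none"], False, "anyone", "anything"))
```

The second print shows why a trailing none keyword deserves attention in a review: the moment the server becomes unreachable, every attempt succeeds, whereas a trailing enable keyword still demands a secret.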


Authorization Configuration on the NAS

It’s undoubtedly clear to you by now that authorization is what defines the network services that are available to an individual or group. It also provides an easy means of allowing privileged mode (enable mode) access, while restricting the commands that can be executed.

This is a useful option because you might want to restrict most enable commands to a single administrator or manager while, at the same time, allowing operators to perform limited diagnostic functions. You may want your more experienced operators to be granted higher levels of authorization; for example, they could be permitted to shut down an interface. Unrestricted privileged mode is still required for the administrator to perform the remaining functions.

Use care in restricting administrative rights to the router. While this is a helpful option when allocating rights to vendors and other parties, too restrictive a policy will lead to the distribution of the unrestricted account information and create an increased security risk.

Use the following parameters to restrict user access on a network:

Todd(config)#aaa authorization ?
  commands         For exec (shell) commands.
  config-commands  For configuration mode commands.
  configuration    For downloading configurations from AAA server
  exec             For starting an exec (shell).
  ipmobile         For Mobile IP services.
  network          For network services. (PPP, SLIP, ARAP)
  reverse-access   For reverse access connections

The commands command allows authorization for various levels. It’s defined by the administrator, who must provide the various commands that each individual user can operate. Levels 1 and 15 are defined by default on all Cisco devices, with level 1 having only viewing access and level 15 having “God-like” access.

Here are the available levels:

Todd(config)#aaa authorization commands ?
  <0-15>  Enable level

Todd(config)#aaa authorization commands 1 ?
  WORD     Named authorization list.
  default  The default authorization list.


The preceding command sets up level 1 access, and the command string shown next describes how that access will be authorized. I’ll name it “begin”:

Todd(config)#aaa authorization commands 1 begin ?
  if-authenticated  Succeed if user has authenticated.
  local             Use local database.
  none              No authorization (always succeeds).
  radius            Use RADIUS data for authorization.
  tacacs+           Use TACACS+.

Todd(config)#aaa authorization commands 1 begin local

This begin local command designates the local username database for authorizing the use of all level 1 commands.

Next, let’s set up a level 15 authorization list named “end”. Remember that if you set any level other than 1 or 15, you have to define each command that can be used at that level:

Todd(config)#aaa authorization commands 15 end local

This end local command sets the use of the local database to authorize the use of all level 15 commands.

Here’s another example of how you can configure AAA authorization on your NAS. Use the following command to run authorization for all network-related service requests. The list name is “admin”:

Todd(config)#aaa authorization network ?
  WORD     Named authorization list.
  default  The default authorization list.

Todd(config)#aaa authorization network admin local none

The preceding command designates the use of the local database to authorize access to all network services, such as SLIP, PPP, and ARAP. But if the local database cannot answer the request, the trailing none keyword means the user will be able to use all network services by default.

Remember that authorization is the AAA process responsible for granting permission to access particular components in the network. You have to define these permissions based on corporate policy and user privileges.
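The following Python script is an added example, not code from the book, that audits a constructed running-config fragment built from the commands in this section. It flags method lists that contain none, lines that apply no login list when no default list exists, and lines or interfaces that reference a list that was never defined. The Finding class, the parser, and the Serial0/0 interface with its undefined remote-users list are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed running-config fragment (not from the book): the commands from
# this section plus one deliberately dangling PPP list reference.
RUNNING_CONFIG = """
aaa new-model
aaa authentication login default local
aaa authentication login dial-in local
aaa authentication ppp dial-in local
aaa authentication enable default radius enable
aaa authorization commands 1 begin local
aaa authorization commands 15 end local
aaa authorization network admin local none
!
interface BRI0/0
 encapsulation ppp
 ppp authentication chap dial-in
!
interface Serial0/0
 encapsulation ppp
 ppp authentication chap remote-users
!
line con 0
 login authentication default
line aux 0
line vty 0 4
 login authentication default
"""

# Words after 'ppp authentication' that are protocols or options, not list names
PPP_NON_LIST_WORDS = {"chap", "pap", "ms-chap", "ms-chap-v2", "eap", "callin", "one-time", "optional"}


@dataclass
class Finding:
    severity: str  # hypothetical scale: high or medium
    where: str     # the config line or block the finding applies to
    message: str


def parse_sections(config):
    """Split a config into its global commands and the indented bodies of
    blocks such as 'interface BRI0/0' or 'line vty 0 4'."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # '!' and blank lines end a block
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
            global_lines.append(current)
    return global_lines, blocks


def parse_method_lists(global_lines):
    """Map (kind, service, list name) -> method keywords for every
    'aaa authentication ...' and 'aaa authorization ...' list."""
    skip = {"banner", "fail-message", "password-prompt", "username-prompt"}
    lists = {}
    for line in global_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "aaa" or parts[1] not in ("authentication", "authorization"):
            continue
        service, rest = parts[2], parts[3:]
        if service in skip:
            continue
        if service == "commands":  # 'aaa authorization commands <level> <list> ...'
            service, rest = f"commands {rest[0]}", rest[1:]
        lists[(parts[1], service, rest[0])] = rest[1:]
    return lists


def audit(config):
    """Return findings for weak or dangling AAA configuration."""
    global_lines, blocks = parse_sections(config)
    findings = []
    if "aaa new-model" not in global_lines:
        findings.append(Finding("high", "aaa new-model", "AAA is not enabled; method lists have no effect"))
    lists = parse_method_lists(global_lines)
    for (kind, service, name), methods in lists.items():
        where = f"aaa {kind} {service} {name} {' '.join(methods)}"
        if methods and methods[0] == "none":
            findings.append(Finding("high", where, "'none' is the first method: access is never checked"))
        elif "none" in methods:
            findings.append(Finding("medium", where, "'none' fallback: access is granted if the earlier methods return an error"))
    login_lists = {n for (k, s, n) in lists if (k, s) == ("authentication", "login")}
    ppp_lists = {n for (k, s, n) in lists if (k, s) == ("authentication", "ppp")}
    for header, body in blocks.items():
        if header.startswith("line "):
            applied = [b.split()[2] for b in body if b.startswith("login authentication ")]
            if not applied and "default" not in login_lists:
                findings.append(Finding("high", header, "no login list applied and no default login list defined"))
            for ref in applied:
                if ref not in login_lists:
                    findings.append(Finding("high", header, f"references undefined login list '{ref}'"))
        elif header.startswith("interface "):
            for b in body:
                if b.startswith("ppp authentication "):
                    names = [w for w in b.split()[2:] if w not in PPP_NON_LIST_WORDS]
                    ref = names[-1] if names else "default"
                    if ref not in ppp_lists:
                        findings.append(Finding("high", header, f"references undefined PPP list '{ref}'"))
    return findings


if __name__ == "__main__":
    for f in audit(RUNNING_CONFIG):
        print(f"[{f.severity}] {f.where}: {f.message}")
```

On the constructed config the audit reports the medium-severity none fallback on the admin network list and the dangling remote-users reference on Serial0/0; line aux 0 is not reported because, under aaa new-model, a line with no explicit login authentication command uses the default list, which this config defines.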

The commands associated with authorization include parameters for the protocols you’re going to use. These are the commands you use to specify what happens after the authentication phase of AAA. Table 2.3 lists and describes these commands.
