Verifying TACACS+ 101

CiscoSecure User Database NAS Configuration for RADIUS

The following example shows the same Cisco 2600 router used in the previous section’s example configured to use RADIUS against an NAS server using the CiscoSecure User Database:

Todd(config)#aaa new-model

Todd(config)#aaa authentication login default radius

Todd(config)#aaa authentication ppp default radius

Todd(config)#aaa authorization exec radius

Todd(config)#aaa authorization network radius

Todd(config)#aaa accounting network start-stop radius

Todd(config)#aaa accounting exec start-stop radius

Todd(config)#aaa accounting network wait-start radius

Todd(config)#radius-server host 172.16.10.5

Todd(config)#radius-server key d$y!tR%e

Todd(config)#enable secret todd

Todd(config)#aaa authentication login no_radius enable

Todd(config)#line con 0

Todd(config-line)#login authentication no_radius

On each interface that services dial-in users, issue the following command to tell the interface to use PPP CHAP authentication:

Todd(config-if)#ppp authentication chap

The only command different from the TACACS+ configuration is this one:

Todd(config)#aaa accounting network wait-start radius

As when using the start-stop keyword, the preceding command sends both a start and a stop accounting record to the accounting server, a RADIUS server in this example. If you use the wait-start keyword, however, the requested service cannot start until the acknowledgment has been received from the RADIUS server. A stop accounting record for network service requests is sent to the RADIUS server.

Basically, the rest of the commands are the same as those used in the TACACS+ configuration, so no additional command explanations are necessary at this point.

Verifying TACACS+

It is imperative that you can verify your configuration, so here are two debugging commands that you can use on the NAS to trace TACACS+ packets:

102 Chapter 3 Configuring CiscoSecure ACS and TACACS+

However, in addition, you can still use the debug aaa commands you learned about in Chapter 2 to see the output for a TACACS+ login attempt:

Todd#debug tacacs

TACACS access control debugging is on

Todd#exit

Todd con0 is now available

Press RETURN to get started.

04:56:38: TAC+: Opened 192.168.254.253 index=1

04:56:38: TAC+: 192.168.254.253 (185613193) ACCT/REQUEST/STOP queued 04:56:38: TAC+: (185613193) ACCT/REQUEST/STOP processed

04:56:38: TAC+: (185613193): received acct response status = SUCCESS User Access Verification

Password:

Todd>

04:56:43: TAC+: Using default tacacs server list.

04:56:43: TAC+: 192.168.254.253 (2537319283) ACCT/REQUEST/START queued 04:56:43: TAC+: (2537319283) ACCT/REQUEST/START processed

04:56:43: TAC+: (2537319283): received acct response status = SUCCESS

Todd#undebug all

All possible debugging has been turned off

There is more information displayed with the debug tacacs events command than with just the debug tacacs command:

Todd#debug tacacs events

TACACS+ events debugging is on

Todd#exit

Todd con0 is now available

Press RETURN to get started.

User Access Verification

Password:

05:01:08: TAC+: periodic timer started

05:01:08: TAC+: 192.168.254.253 req=81490CCC id=3169020093 ver=192 handle=0x0

(NONE) expire=4 ACCT/REQUEST/STOP queued

05:01:08: TAC+: 192.168.254.253 ESTAB 81490CCC wrote 156 of 156 bytes 05:01:09: TAC+: 192.168.254.253 ESTAB read=12 wanted=12 alloc=17 got=12 05:01:09: TAC+: 192.168.254.253 ESTAB read=17 wanted=17 alloc=17 got=5 05:01:09: TAC+: 192.168.254.253 received 17 byte reply for 81490CCC 05:01:09: TAC+: req=81490CCC id=3169020093 ver=192 handle=0x0 (NONE) expire=4

ACCT/REQUEST/STOP processed

Verifying TACACS+ 103

05:01:09: TAC+: periodic timer stopped (queue empty) Todd>en

Password:

05:01:55: TAC+: periodic timer started

05:01:55: TAC+: 192.168.254.253 req=81491914 id=3481072133 ver=192 handle=0x0

(NONE) expire=5 ACCT/REQUEST/START queued

05:01:55: TAC+: 192.168.254.253 ESTAB 81491914 wrote 68 of 68 bytes 05:01:55: TAC+: 192.168.254.253 ESTAB read=12 wanted=12 alloc=17 got=12 05:01:55: TAC+: 192.168.254.253 ESTAB read=17 wanted=17 alloc=17 got=5 05:01:55: TAC+: 192.168.254.253 received 17 byte reply for 81491914 05:01:55: TAC+: req=81491914 id=3481072133 ver=192 handle=0x0 (NONE) expire=4

ACCT/REQUEST/START processed

05:01:55: TAC+: periodic timer stopped (queue empty)

The following is an example of the debug aaa authentication command:

Todd#un all

All possible debugging has been turned off

Todd#

Todd#debug aaa authentication

AAA Authentication debugging is on

Todd#exit

User Access Verification

Password:

05:05:35: AAA/AUTHEN: free_user (0x81420624) user='' ruser='' port='tty0'

rem_addr='async/' authen_type=ASCII service=LOGIN priv=1 05:05:36: AAA: parse name=tty0 idb type=-1 tty=-1

05:05:36: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0

channel=0

05:05:36: AAA/AUTHEN: create_user (0x81420624) user='' ruser='' port='tty0'

rem_addr='async/' authen_type=ASCII service=LOGIN priv=1 05:05:36: AAA/AUTHEN/START (2124362753): port='tty0' list='no_tacacs'

action=LOGIN service=LOGIN

05:05:36: AAA/AUTHEN/START (2124362753): found list no_tacacs 05:05:36: AAA/AUTHEN/START (2124362753): Method=ENABLE 05:05:36: AAA/AUTHEN (2124362753): status = GETPASS

Todd>: AAA/AUTHEN/START (3168314283): found list no_tacacs 05:05:58: AAA/AUTHEN/START (3168314283): Method=ENABLE 05:05:58: AAA/AUTHEN (3168314283): status = GETPASS

104 Chapter 3 Configuring CiscoSecure ACS and TACACS+

05:06:00: AAA/AUTHEN/CONT (3168314283): continue_login (user='(undef)') 05:06:00: AAA/AUTHEN (3168314283): status = GETPASS

05:06:00: AAA/AUTHEN/CONT (3168314283): Method=ENABLE 05:06:00: AAA/AUTHEN (3168314283): status = PASS Todd>en

Password:

05:06:06: AAA/AUTHEN: dup_user (0x814909F8) user='' ruser='' port='tty0'

rem_addr='async/' authen_type=ASCII service=ENABLE priv=15 source='AAA

dup enable'

05:06:06: AAA/AUTHEN/START (338074629): port='tty0' list='' action=LOGIN

service=ENABLE

05:06:06: AAA/AUTHEN/START (338074629): console enable - default to enable

password (if any)

05:06:06: AAA/AUTHEN/START (338074629): Method=ENABLE 05:06:06: AAA/AUTHEN (338074629): status = GETPASS Todd#

05:06:08: AAA/AUTHEN/CONT (338074629): continue_login (user='(undef)') 05:06:08: AAA/AUTHEN (338074629): status = GETPASS

05:06:08: AAA/AUTHEN/CONT (338074629): Method=ENABLE 05:06:08: AAA/AUTHEN (338074629): status = PASS

05:06:08: AAA/AUTHEN: free_user (0x814909F8) user='' ruser='' port='tty0'

rem_addr='async/' authen_type=ASCII service=ENABLE priv=15

The preceding output from the debug aaa authentication command shows that the method was TACACS+, and that it was successful.

Summary

Cisco offers an excellent access control server (ACS) that’s available on a number of platforms. You learned about both the CiscoSecure ACS 3.0 for Windows NT (CSNT) or Windows 2000 and CSU (CiscoSecure ACS 2.3 for Unix) products.

The ACS will be an important element in your overall network security plan, and it can greatly simplify the task of managing user accounts.

As your network grows in complexity and size and you include NASs (network access servers) from multiple vendors, the ACS will scale and continue to both simplify administration and improve security. This chapter provided the information you need to understand the role of the ACS and the communication between the NAS and ACS.