
Cisco AAA Implementation Case Study
Internetworking Solutions Guide
May 2000

Cisco Systems, Inc.
Corporate Headquarters
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com

Tel: 800 553-NETS (6387), 408 526-4000
Fax: 408 526-4100

Text Part Number: OL-0397-01


Cisco AAA Implementation Case Study
Copyright © 2000, Cisco Systems, Inc. All rights reserved.


C O N T E N T S

Preface xi

Purpose xi

Audience xi

Scope xi

Related Documentation and Sites xii

Software Used in This Case Study xii

Hardware Used in This Case Study xii

Document Conventions xiii

Command Syntax Conventions xiii

Cisco Connection Online xiii

Documentation CD-ROM xiv

Providing Documentation Feedback xiv

Acknowledgements xv

C H A P T E R 1 Cisco AAA Case Study Overview 1-1

1.1 AAA Technology Summary 1-1

1.1.1 AAA RFC References 1-2

1.2 TACACS+ Overview 1-2

1.3 RADIUS Overview 1-3

1.4 Comparison of TACACS+ and RADIUS 1-4

1.4.1 UDP and TCP 1-4

1.4.2 Packet Encryption 1-4

1.4.3 Authentication and Authorization 1-5

1.4.4 Multiprotocol Support 1-5

1.4.5 Router Management 1-5

1.4.6 Interoperability 1-6

1.4.7 Attribute-Value Pairs (AVPs) 1-6

1.5 Differences in Implementing Local and Server AAA 1-6

1.6 Scenario Description 1-8

1.7 Planning Your Network 1-9

1.8 Network Service Definitions 1-10

1.8.1 Authentication Policy 1-10

iii   Cisco AAA Implementation Case Study   OL-0397-01


1.8.2 Authorization Policy 1-11

1.8.3 Accounting Policy 1-11

1.9 Security Implementation Policy Considerations 1-12

1.10 Network Equipment Selection 1-13

1.11 Task Check List 1-14

C H A P T E R 2 Implementing the Local AAA Subsystem 2-1

2.1 Implementing Local Dialup Authentication 2-2

2.2 Implementing Local Dialup Authorization 2-5

2.3 Implementing Local Router Authentication 2-8

2.4 Implementing Local Router Authorization 2-10

2.5 Implementing Local Router Accounting 2-12

C H A P T E R 3 Implementing Cisco AAA Servers 3-1

3.1 Installing CiscoSecure for UNIX with Oracle 3-2

3.1.1 Creating Oracle Tablespace 3-2

3.1.2 Verifying the Oracle Database Instance 3-3

3.1.3 Installing CiscoSecure for UNIX 3-5

3.1.4 Creating and Verifying Basic User Profile 3-10

C H A P T E R 4 Implementing the Server-Based AAA Subsystem 4-1

4.1 Implementing Server-Based TACACS+ Dialup Authentication 4-2

4.2 Implementing Server-Based TACACS+ Dialup Authorization 4-4

4.3 Implementing Server-Based RADIUS Dialup Authentication 4-6

4.4 Implementing Server-Based RADIUS Dialup Authorization 4-8

4.5 Implementing Server-Based TACACS+ Router Authentication 4-10

4.6 Implementing Server-Based TACACS+ Router Authorization 4-13

C H A P T E R 5 Implementing Server-Based AAA Accounting 5-1

5.1 Implementing Server-Based RADIUS Dial Accounting 5-1

5.2 Implementing Server-Based TACACS+ Router Accounting 5-4

5.3 AAA Disconnect Cause Code Descriptions 5-6

C H A P T E R 6 Diagnosing and Troubleshooting AAA Operations 6-1

6.1 Overview of Authentication and Authorization Processes 6-2

6.2 Troubleshooting AAA Implementation 6-7


6.2.1 Troubleshooting Methodology Overview 6-7

6.2.2 Cisco IOS Debug Command Summary 6-7

6.3 AAA Troubleshooting Basics 6-8

6.3.1 Troubleshooting Dial-Based Local Authentication 6-9

6.3.2 Troubleshooting Dial-Based Server Authentication 6-10

6.3.3 Troubleshooting Dial-Based Local Authorization 6-13

6.3.4 Troubleshooting Dial-Based Server Authorization 6-15

6.3.5 Troubleshooting Router-Based Local Authentication 6-19

6.3.6 Troubleshooting Router-Based Server Authentication 6-21

6.3.7 Troubleshooting Router-Based Local Authorization 6-24

6.3.8 Troubleshooting Router-Based Server Authorization 6-26

6.4 Troubleshooting Scenarios 6-29

6.4.1 Isolating Incorrect TACACS+ Key in NAS or AAA Server (TACACS+ Dial-Based Server Authentication) 6-29

6.4.2 Isolating Invalid User Password (TACACS+ Dial-Based Server Authentication) 6-30

6.4.3 Isolating Non-Existent User (TACACS+ Dial-Based Server Authentication) 6-31

6.4.4 Isolating Missing PPP Service Definition (TACACS+ Dial-Based Server Authorization) 6-33

6.4.5 Isolating Defined AVPs not Being Assigned (TACACS+ Dial-Based Server Authorization) 6-34

6.4.6 Isolating Missing Shell Service Definition (TACACS+ Dial-Based Server Authorization) 6-35

6.4.7 Isolating Incorrect PPP Reply Attributes (RADIUS Dial-Based Server Authorization) 6-36

A P P E N D I X A AAA Device Configuration Listings A-1

A.1 Sample Cisco IOS Configuration Listings A-1

A.1.1 Example Local-Based Router AAA Configuration A-2

A.1.2 Example Server-Based TACACS+ NAS Configuration A-5

A.1.3 Example Server-Based RADIUS NAS Configuration A-9

A.2 Router AAA Command Implementation Descriptions A-13

A.3 NAS AAA Command Implementation Descriptions A-13

A.4 CiscoSecure for UNIX Configuration Listings A-15

A.4.1 CSU.cfg Listing A-16

A.4.2 CSConfig.ini Listing A-19

A.4.3 Oracle User Environment Variable A-23

A.4.4 listener.ora Listing A-24

A.5 CiscoSecure Log Files A-25


A P P E N D I X B AAA Impact on Maintenance Tasks B-1

A P P E N D I X C Server-Based AAA Verification Diagnostic Output C1

C.1 Server-Based TACACS+ Dialup Authentication Diagnostics C1

C.2 Server-Based TACACS+ Dialup Authorization Diagnostics C2

C.3 Server-Based RADIUS Dialup Authentication Diagnostics C4

C.4 Server-Based RADIUS Dialup Authorization Diagnostics C5

C.5 Server-Based TACACS+ Router Authentication Diagnostics C7

C.6 Server-Based TACACS+ Router Authorization Diagnostics C9

C.6.1 Test Results for rtr_low Group C9

C.6.2 Test Results for rtr_tech Group C14

C.6.3 Test Results for rtr_super Group C20

I N D E X


F I G U R E S

Figure 1-1 AAA-Based, Secure Network Access Scenario 1-2

Figure 1-2 Local-Based Access Options 1-7

Figure 1-3 Server-Based Access Options 1-8

Figure 2-1 Local-Based Dial Access Environment 2-2

Figure 2-2 Local-Based Router Environment 2-8

Figure 3-1 AAA-Based, Secure Network Access Scenario 3-1

Figure 4-1 Basic AAA Case Study Environment 4-2

Figure 4-2 Server-Based Dial Environment (TACACS+) 4-2

Figure 4-3 Server-Based Dial Environment (RADIUS) 4-6

Figure 4-4 Server-Based VTY Access (Telnet) 4-10

Figure 4-5 TACACS+ Authentication and Authorization Verification Methodology 4-14

Figure 6-1 Basic AAA Case Study Environment 6-2

Figure 6-2 Dial Access Authentication and Authorization Flow Diagram 6-3

Figure 6-3 RADIUS Dial Access Authentication and Authorization Process 6-4

Figure 6-4 TACACS+ Dial Access Authentication and Authorization Session (EXEC Enabled) 6-5

Figure 6-5 TACACS+ Dial Access Authentication and Authorization Session (EXEC Shell Disabled) 6-6


T A B L E S

Table 1-1 Comparison of RADIUS and TACACS+ 1-4

Table 1-2 Examples of RADIUS AVPs 1-6

Table 1-3 Examples of TACACS+ AVPs 1-6

Table 1-4 General Service Definition Checklist 1-9

Table 1-5 AAA Service Definition Checklist 1-10

Table 1-6 AAA Security Checklist 1-12

Table 1-7 AAA Task Checklist 1-14

Table 4-1 Group Profile Command Summary 4-13

Table 5-1 AAA Disconnect Cause Code Listings 5-6

Table 6-1 Single User Failure; Individual Dial-in User Connection Fails 6-9

Table 6-2 Multiple User Failure; All Dial-in Users Unable to Connect to NAS 6-9

Table 6-3 Single User Failure; Individual User Unable to Make Connection (RADIUS and TACACS+) 6-10

Table 6-4 Multiple User Failure; All Dial-in Users Unable to Connect to NAS (RADIUS and TACACS+) 6-12

Table 6-5 User Cannot Start PPP 6-13

Table 6-6 Network Authorization Fails 6-14

Table 6-7 Unable to Access Specific Host or Network Service 6-14

Table 6-8 Multilink Fails 6-14

Table 6-9 Multiple Users Cannot Start PPP (RADIUS and TACACS+) 6-16

Table 6-10 Network Authorization Fails (RADIUS and TACACS+) 6-17

Table 6-11 User or Group Members Unable to Access Specific Host or Network Service (RADIUS and TACACS+) 6-17

Table 6-12 Multilink Fails (TACACS+) 6-18

Table 6-13 Multilink Fails (RADIUS) 6-18

Table 6-14 Session Fails to Disconnect After Expected Idle Timeout (TACACS+) 6-18

Table 6-15 Session Fails to Disconnect After Expected Idle Timeout (RADIUS) 6-18

Table 6-16 No EXEC Shell for TACACS+ 6-19

Table 6-17 No EXEC Shell for RADIUS 6-19

Table 6-18 Cannot Start Concurrent Sessions (TACACS+) 6-19

Table 6-19 Cannot Start Concurrent Sessions (RADIUS) 6-19

Table 6-20 Single User Failure; Individual Dial-in User Connection Fails 6-20

Table 6-21 Multiple User Failure; All Dial-in Users Unable to Connect to Router 6-20

Table 6-22 Users Can Access Router by Using Console or VTY, but Not Both 6-21


Table 6-23 Single User Failure; Individual User Unable to Make a Connection 6-22

Table 6-24 Multiple User Failure; All Dial-In Users Unable to Connect to the Router 6-23

Table 6-25 Users Pass Authentication on Console or VTY, but Not Both 6-24

Table 6-26 User Fails Router Command 6-25

Table 6-27 User Disconnected After Entering a Password 6-25

Table 6-28 Users Access Incorrect Privilege Level Commands 6-26

Table 6-29 Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected” 6-26

Table 6-30 User Fails Router Command 6-27

Table 6-31 User Disconnected After Entering Password 6-27

Table 6-32 Users Access Incorrect Privilege Level Commands 6-28

Table 6-33 Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected” 6-28

Table 6-34 Router User Unable to Initiate Shell Session with Router 6-28

Table 6-35 AVPs Not Working on Console Port 6-28

Table A-1 Cisco IOS Commands Required to Set AAA for a Router A-13

Table A-2 Cisco IOS Commands Used to Set AAA with PPP for NAS (RADIUS and TACACS+) A-14


Preface

This case study describes various Cisco-based security and accounting capabilities for monitoring and managing access within a large-scale dial environment.

Purpose

This Internetworking Solutions Guide (ISG) case study provides examples intended to be models for building an effective, Cisco AAA-based security environment for dial-based and router environments. In following the procedures and recommendations provided in this document, readers should be able to:

• Understand the working relationship among various Cisco AAA components, including NASs, AAA servers, and the AAA database.

• Configure and verify operation for these AAA components.

• Troubleshoot typical problems found in AAA environments.

Audience

The audience for this document consists of network engineers supporting large-scale dial networks. The audience is expected to have a basic understanding of Cisco IOS software, and a working knowledge of both the UNIX operating system and the CiscoSecure for UNIX user interface.

Scope

This case study provides:

• Complete network device configurations and specific fragments to support implementation task descriptions.

• Example diagnostic output showing verification of correct configuration.

• Troubleshooting output for problem scenarios, showing faulty configurations and other AAA environment failures.

• A foundation from which effective AAA-based security solutions can be tailored to specific network requirements.

The information provided here does not include advanced tuning tips—nor does it provide a primer for the uninitiated novice. In addition, site planning and preparation are beyond the scope of this case study.


Related Documentation and Sites

The following URLs provide the essentials for preparing to install CiscoSecure for UNIX and NT:

• CiscoSecure ACS for UNIX

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx

• CiscoSecure ACS for NT

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt23

• Oracle database implementation

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csinstl.htm

Software Used in This Case Study

The features and capabilities described in this case study require these software versions:

• Cisco IOS 12.0(7)T

• OS Solaris 2.5(1)

• CiscoSecure for UNIX 2.3(3)

• Oracle DB Server 7.3(4)

• Oracle DB Client 7.3(4)

• SQL*Plus: Release 3.3.4.0.1

To identify other software versions that might apply, please contact your Cisco customer service representative.

Hardware Used in This Case Study

This case study is built on a production environment consisting of a single authentication, authorization, and accounting (AAA) server, an Oracle-based AAA database, a Cisco network access server (NAS), and a router. The diagnostic captures and system configurations provided in this case study were derived from the following systems:

• Cisco AS5300 or Cisco AS5800 network access server (NAS)

• Cisco 7206 VXR router

• Sun Microsystems server (UltraSPARC Enterprise 2 Model)

– Two 200 MHz processors

– One GB RAM

– One internal 4.2 GB disk drive

– CD-ROM drive

The system used as a platform for CiscoSecure ACS for UNIX 2.3 must meet the minimum system specifications described at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/instl23.htm


Document Conventions

Convention    Description
italic        File names, paths to files, user names, and group names used in descriptions. Example: /var/log/csuslog
< >           Angle brackets show nonprinting characters, such as passwords.
!             An exclamation point at the beginning of a line indicates a comment line. (Exclamation points are also displayed by the Cisco IOS software for certain processes.)
[ ]           Square brackets show default responses to system prompts.

Command Syntax Conventions

Convention    Description
bold          Command or keyword that you must enter. This format is used for commands, paths to files, and file names when used within an example illustrating required input.
italic        Argument for which you supply a value.
[x]           Optional keyword or argument that you enter.
{x | y | z}   Required keyword or argument that you must enter.
[x {y | z}]   Optional keyword or argument that you enter with a required keyword or argument.
string        Set of characters that you enter. Do not use quotation marks around the character string, or the string will include the quotation marks.
screen        Information that appears on the screen.
              Important line of text in an example.
^ or Ctrl     Control key—for example, ^D means press the Control and the D keys simultaneously.
< >           Nonprinting characters, such as passwords.
!             Comment line at the beginning of a line of code.

Cisco Connection Online

Cisco Connection Online (CCO) is the primary, real-time support channel for Cisco Systems. Maintenance customers and partners can self-register on CCO to obtain additional information and services.


Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to customers and business partners of Cisco Systems. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.

CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.

You can access CCO in the following ways:

• http://www.cisco.com

• http://www-europe.cisco.com

• http://www-china.cisco.com

• Telnet: cco.cisco.com

• Modem: From North America, 408 526-8070; from Europe, 33 1 64 46 40 82. Use the following terminal settings: VT100 emulation; databits: 8; parity: none; stop bits: 1; and connection rates up to 28.8 kbps.

For a copy of the CCO Frequently Asked Questions (FAQ), contact [email protected]. For additional information, contact [email protected].

Note If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact the Cisco Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or [email protected]. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or [email protected].

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly; therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.

Providing Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.

You can also submit feedback on Cisco documentation as follows:


• Mail in the Cisco Reader Comment Card located at the front of this book

• Send an e-mail to [email protected]

• Send a fax to 408 527-8089

We appreciate your comments.

Acknowledgements

This ISG case study was created as a collaborative effort. The following team members participated in the creation of this document: Joellen Amato, Dave Anderson, Robert “Bob” Brown, Alan Dowling, Dianne Dunlap, Paul Hafeman, Anthony Hall, Kim Lew, Robert Lewis, Dave Leyland, Brian Murphy, Dang Nguyen, Nilesh Panicker, Anjali Puri, Robert Sargent, David Sims, Tim Stevenson, Kris Thompson, Craig Tobias, and Syed Atif Ullah.


C H A P T E R 1

Cisco AAA Case Study Overview

This chapter summarizes the technology behind AAA security solutions, outlines typical network definitions and network assumptions adopted for this case study, and lists tasks associated with implementing, verifying, and troubleshooting the AAA environment presented. Specific sections provided here are:

• 1.1 AAA Technology Summary

• 1.2 TACACS+ Overview

• 1.3 RADIUS Overview

• 1.4 Comparison of TACACS+ and RADIUS

• 1.5 Differences in Implementing Local and Server AAA

• 1.6 Scenario Description

• 1.7 Planning Your Network

• 1.8 Network Service Definitions

• 1.9 Security Implementation Policy Considerations

• 1.10 Network Equipment Selection

• 1.11 Task Check List

1.1 AAA Technology Summary

Dial access presents a challenge to network managers entrusted with network security. This case study illustrates essential steps in planning and implementing authentication, authorization, and accounting (AAA) technologies based on Cisco product capabilities.

For the purposes of this case study, the following generic definitions apply:

• Authentication: The process of validating the claimed identity of an end user or a device, such as a host, server, switch, router, and so on.

• Authorization: The act of granting access rights to a user, groups of users, system, or a process.

• Accounting: The methods to establish who, or what, performed a certain action, such as tracking user connection and logging system users.

Figure 1-1 illustrates a generalized view of a Cisco-based AAA environment, featuring a network access server (NAS) and AAA server. This basic arrangement forms the foundation for this case study.


Figure 1-1 AAA-Based, Secure Network Access Scenario

In the context of the Cisco-based AAA environment addressed here, the key operational elements are network access servers (NASs), routers, and CiscoSecure Access Control Server for UNIX servers (referred to in this document as AAA servers). Depending on the conventions and requirements of your particular design, you can select a security environment which utilizes Terminal Access Controller Access Control System Plus (TACACS+) or Remote Authentication Dial-in User Service (RADIUS). This case study addresses implementation of both environments.

1.1.1 AAA RFC References

Requests for Comments (RFCs) play a crucial role in defining the behavior of devices in complex networking environments. The following RFCs are useful references for TACACS+ and RADIUS:

• TACACS+: http://www.cisco.com/warp/public/459/tac-rfc.1.76.txt

• TACACS: http://www.ietf.org/rfc/rfc1492.txt

• MD5: http://www.ietf.org/rfc/rfc1321.txt

• RADIUS: http://www.ietf.org/rfc/rfc2138.txt

1.2 TACACS+ Overview

Key TACACS+ features:

• TACACS+ separates AAA into three distinct functions (Authentication, Authorization and Accounting).

• TACACS+ supports router command authorization integration with advanced authentication mechanisms, such as Data Encryption Standard (DES) and One-Time Password (OTP) key.

• TACACS+ supports 16 different privilege levels (0-15).

[Figure 1-1 diagram labels, displaced by extraction: clients; modems; PSTN (PRI lines, analog lines); Cisco AS5x00 with integrated modems; AAA server; Oracle DB server; DNS server; network element management server (NTP, Syslog, SNMP); default gateway; Internet firewall; Internet; IP intranet]


• TACACS+ permits the control of services, such as Point-to-Point Protocol (PPP), shell, standard log in, enable, AppleTalk Remote Access (ARA) protocol, Novell Asynchronous Services Interface (NASI), remote command (RCMD), and firewall proxy.

• TACACS+ permits the blocking of services to a specific port, such as a TTY or VTY interface on a router.

The most common services supported by TACACS+ are PPP for IP and router EXEC shell access using console or VTY ports. EXEC shell allows users to connect to router shells and select services, such as PPP, Telnet, TN3270, or manage the router itself.

Many TACACS+ servers are available on the market today; however, the AAA server is designed specifically to be scalable and compatible with Cisco's broad line of routers, access servers, and switches. Hence, this case utilizes the Cisco AAA server as the TACACS+ server of choice.

When configured correctly, the AAA server validates AAA and responds to requests from routers and access servers with a pass or fail signal. The AAA server contains an internal database sized to 5000 users; therefore, an external Oracle database is used in our case study for user account attributes and billing information.

The AAA server acts as a proxy server by using TACACS+ to authenticate, authorize, and account for access to Cisco routers and network access servers.

1.3 RADIUS Overview

The RADIUS protocol was developed by Livingston Enterprises, Inc., as an access server authentication and accounting protocol. The RADIUS specification (RFC 2138) is a proposed standard protocol and the RADIUS accounting standard (RFC 2139) is informational.

Although TACACS+ is considered to be more versatile, RADIUS is the AAA protocol of choice for enterprise ISPs because it uses fewer CPU cycles and is less memory intensive.

Communication between a network access server (NAS) and a RADIUS server is based on the User Datagram Protocol (UDP). Generally, the RADIUS protocol is considered a connectionless service. Issues related to server availability, retransmission, and timeouts are handled by the RADIUS-enabled devices rather than the transmission protocol.

RADIUS is a client/server protocol. The RADIUS client is typically a NAS and the RADIUS server is usually a daemon process running on a UNIX or Windows NT machine. The client passes user information to designated RADIUS servers and acts on the response that is returned. RADIUS servers receive user connection requests, authenticate the user, and then return the configuration information necessary for the client to deliver services to the user. A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.


1.4 Comparison of TACACS+ and RADIUS

Table 1-1 summarizes the differences between RADIUS and TACACS+.

1.4.1 UDP and TCP

RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables, such as retransmit attempts and timeouts, to compensate for best-effort transport, and it lacks the level of built-in support that a reliable transport offers:

• Using TCP provides a separate acknowledgment (the TCP ACK) that a request has been received, within approximately one network RTT, regardless of bandwidth.

• TCP provides immediate indication of a crashed (or not running) server through RST packets. If you use long-lived TCP connections, you can determine when a server has crashed and come back up. With UDP, you cannot tell the difference between a server that is out of service, slow, or nonexistent.

• By using TCP keepalives, you can detect server crashes out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the servers that are known to be up and running.

• TCP is more scalable than UDP.

1.4.2 Packet Encryption

RADIUS encrypts only the password in the access-request packet from the client to the server. The remainder of the packet is in the clear. Other information, such as username, authorized services, and accounting, can be captured by a third party.

RADIUS can use encrypted passwords by using the UNIX /etc/password file; however, this process is slow because it involves a linear search of the file.

Table 1-1 Comparison of RADIUS and TACACS+

| RADIUS | TACACS+ |
|---|---|
| RADIUS uses UDP. | TACACS+ uses TCP. |
| RADIUS encrypts only the password in the access-request packet; less secure. | TACACS+ encrypts the entire body of the packet; more secure. |
| RADIUS combines authentication and authorization. | TACACS+ uses the AAA architecture, which separates authentication, authorization, and accounting. |
| Industry standard (created by Livingston). | Cisco proprietary. |
| RADIUS does not support ARA access, NetBIOS Frame Protocol Control protocol, NASI, and X.25 PAD connections. | TACACS+ offers multiprotocol support. |
| RADIUS does not allow users to control which commands can be executed on a router. | TACACS+ provides two ways to control the authorization of router commands: on a per-user or per-group basis. |


TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets in the clear. However, normal operation fully encrypts the body of the packet for more secure communications.
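As an added example that is not part of the Cisco case study, the following Python models the two mechanisms this section contrasts: RADIUS hides only the User-Password attribute (RFC 2138), while TACACS+ obscures the whole body with a key-derived pad and leaves a 12-byte header whose flag byte records whether the body is in the clear. Shared secrets, session identifiers and packet contents are constructed, and the function names are my own.

```python
import hashlib
import struct
from typing import Optional

# Added example, not code from the Cisco case study. It contrasts what each
# protocol hides on the wire: RADIUS obscures only the User-Password
# attribute, TACACS+ obscures the whole body behind a cleartext header.
# Shared secrets, authenticators and packet contents below are constructed.


def radius_hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password attribute value as sent by the NAS (RFC 2138 sec. 5.2).

    The password is NUL-padded to a 16-byte multiple; each block is XORed
    with MD5(secret + previous wire block), the first block using the
    16-byte Request Authenticator. Every other attribute stays in the clear.
    """
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def radius_reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """What the RADIUS server does to recover the cleartext password."""
    out, prev = bytearray(), req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")


# TACACS+ 12-byte header: version, type, seq_no, flags, session_id, length.
TACACS_HEADER = struct.Struct("!BBBBII")
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # set => body travels in the clear
TAC_PLUS_AUTHEN = 0x01             # packet type used in the sample below


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Pseudo-random pad from the TACACS+ specification: chained MD5 over
    session_id, shared key, version byte and sequence number."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def tacacs_build_packet(body: bytes, key: Optional[bytes], session_id: int,
                        seq_no: int, version: int = 0xC0) -> bytes:
    """Header in the clear; body XORed with the pad. key=None models a
    peer configured to send the body unencrypted (the debugging mode)."""
    flags = 0
    if key is None:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
        wire_body = body
    else:
        pad = tacacs_pad(session_id, key, version, seq_no, len(body))
        wire_body = bytes(b ^ p for b, p in zip(body, pad))
    header = TACACS_HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, flags,
                                session_id, len(body))
    return header + wire_body


def tacacs_read_body(packet: bytes, key: bytes) -> bytes:
    """Recover the body with the shared key (the receiving side's view)."""
    version, _ptype, seq_no, flags, session_id, length = TACACS_HEADER.unpack_from(packet, 0)
    wire_body = packet[TACACS_HEADER.size:TACACS_HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return wire_body
    pad = tacacs_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ p for b, p in zip(wire_body, pad))


def tacacs_body_is_cleartext(packet: bytes) -> bool:
    """Defender check that needs no key: read the header flag only. A
    monitoring tap can use this to alert on TACACS+ left in debug mode."""
    flags = TACACS_HEADER.unpack_from(packet, 0)[3]
    return bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)
```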

1.4.3 Authentication and Authorization

RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information, making it difficult to decouple authentication and authorization.

TACACS+ uses the AAA architecture, which separates authentication, authorization, and accounting. This architecture allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS passes authentication on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate the NAS by using the TACACS+ authentication mechanism. The NAS informs the TACACS+ server that it has successfully passed authentication on a Kerberos server, and the server then provides authorization information.

During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control, compared to RADIUS, over the commands that can be executed on the access server while decoupling the authorization process from the authentication mechanism.

1.4.4 Multiprotocol Support

RADIUS does not support the following protocols (which are supported by TACACS+):

• AppleTalk Remote Access (ARA) protocol

• NetBIOS Frame Protocol Control protocol

• Novell Asynchronous Services Interface (NASI)

• X.25 PAD connection

1.4.5 Router Management

RADIUS does not allow users to control which commands can be executed on a router and which cannot; therefore, when compared with TACACS+, RADIUS is not as useful for router management and is not as flexible for terminal services.

TACACS+ provides two ways to control the authorization of router commands on a per-user or per-group basis. The first way is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second way is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.


1.4.6 Interoperability

The RADIUS standard does not guarantee interoperability. Although several vendors implement RADIUS clients, this does not ensure they are interoperable. There are approximately 45 standard RADIUS attributes. Using standard attributes improves the likelihood of interoperability. Using proprietary extensions reduces interoperability.

1.4.7 Attribute-Value Pairs (AVPs)

Throughout this case study, implementation tasks and diagnostic procedures refer to attribute-value pairs (AVPs). Each AVP consists of a type identifier associated with one or more assignable values. AVPs specified in user and group profiles define the authentication and authorization characteristics for their respective users and groups. TACACS+ and RADIUS implement an array of AVPs, each with separate type definitions and characteristics. Table 1-2 and Table 1-3 illustrate several typical AVPs.

1.5 Differences in Implementing Local and Server AAA

AAA requirements differ between local-based and server-based environments. Throughout this case study, procedures and examples refer to scenarios based on this important distinction.

In local-based AAA access, users are permitted or denied access based on local AAA IOS account configuration. For the purposes of this case study, local-based AAA access features these attributes:

Table 1-2 Examples of RADIUS AVPs

| Attribute | Type of Value |
|---|---|
| User-Name | String |
| Password | String |
| CHAP-Password | String |
| Client-Id | IP address |
| Login-Host | IP address |
| Login-Service | Integer |
| Login-TCP-Port | Integer |

Table 1-3 Examples of TACACS+ AVPs

| Attribute | Type of Value |
|---|---|
| Inacl | Integer |
| Addr-pool | String |
| Addr | IP address |
| Idletime | Integer |
| protocol | Keyword |
| timeout | Integer |
| Outacl | Integer |


• User accounts are stored in router or NAS configurations.

• AVPs are supported only from EXEC shell terminal access.

• A limited set of AVPs is supported.

• AAA negotiation is performed internally by the Cisco IOS and is not protocol specific.

Figure 1-2 illustrates three local-based connectivity situations to consider:

• Local-based console access

• Local-based virtual terminal type (VTY) connections

• Local-based dial access

Figure 1-2 Local-Based Access Options

In server-based AAA access, users and groups are permitted or denied access based on AAA negotiations between a router or NAS and the AAA server. Server-based AAA access features these attributes:

• User or group profiles and accounting records stored in an internal or external database

• AVPs supported on both standard and EXEC shell-initiated PPP sessions

• Wide array of AVPs supported, including vendor-specific (non-Cisco) AVPs

Figure 1-3 illustrates the three server-based connectivity situations:

• Server-based console access

• Server-based VTY connections

• Server-based dial access

[Figure 1-2 image not extracted. Panels: Local-based console access; Local-based VTY access (Telnet); Local-based dial access over the PSTN through a modem.]


Figure 1-3 Server-Based Access Options

Each connectivity scenario illustrated in Figure 1-2 and Figure 1-3 involves situation-specific requirements. As a result, each scenario also contains situation-specific implementation and troubleshooting considerations. The diagnostic chapters that follow present a series of implementation steps (configuring, verifying, and testing), symptoms, problems, and suggested diagnostic processes that reflect both these differences and similarities.

1.6 Scenario Description

The baseline network environment for a hypothetical access network scenario is used as a foundation for assessing the application of various security and management features available from Cisco. Figure 1-1 (presented in “1.1 AAA Technology Summary”) illustrates the underlying network environment and the relationship between AAA components. The high-level AAA objectives are as follows:

• Enable secure dialup service to access an intranet and the Internet by using the public switched telephone network (PSTN).

• Build a manageable, redundant, and secure access strategy that supports large dialup access implementations.

• Provide versatile means of controlling administrative access to routers.

[Figure 1-3 image not extracted. Panels: Server-based console access; Server-based VTY access (Telnet); Server-based dial access over the PSTN through a modem; each panel includes an AAA server.]


• Account for configuration changes in routers.

1.7 Planning Your Network

A network design engineer meets with each company to complete the following tasks:

• Complete a needs assessment dial questionnaire.

• Create a user-network service definition.

• Recommend a network implementation and operation strategy.

The following tables present two checklists that were completed for this case study. Table 1-4 focuses on general networking issues. Table 1-5 focuses on AAA implementation issues. Both checklists apply to a hypothetical network referred to in this case as Access Network.

Table 1-4 General Service Definition Checklist

| General Access Network Checklist Questions | Access Network Policy |
|---|---|
| What media do you want to use to provide dialup service? | Plain old telephone service (POTS) analog modems; ISDN |
| How many dial-in users does the new equipment need to support over the next 3 months, 1 year, and 5 years? | 3 months: 2000 users; 1 year: 5,000 users; 5 years: 10,000 users |
| What kind of remote nodes do you want to support? | Modems, terminal adapters, ISDN modems |
| When users connect to modems, what will they be allowed to do? | Support EXEC shell sessions (async terminal service); support PPP sessions |
| Will you allow users to change their own passwords? If yes, how? | Yes; EXEC shell (character-mode session) |
| What kind of dialup operating systems do you want to support? | Windows, UNIX, Macintosh |
| Do you want to support remote routers? | Asynch DDR or multiple B-channel access |
| Do you want to use an external authentication database such as Windows NT or Novell NDS? | Yes, Oracle |
| Do you want to support per user protocol and attribute definitions? | Yes |
| Do you want to support dial out? | No |
| Do you want to support PPP timeouts? | No |
| Do you want to work with an existing accounting system? | Yes |
| Do you have an existing network element server? | Yes |


1.8 Network Service Definitions

Based on the checklist information provided in Table 1-4 and Table 1-5, the following service definitions (stated as policies) can be asserted for this environment.

Dialup and router shell access AAA requirements are characterized in the following sections:

• 1.8.1 Authentication Policy

• 1.8.2 Authorization Policy

• 1.8.3 Accounting Policy

1.8.1 Authentication Policy

Separate the authentication policy into two distinct sections: router administration and dialup PPP.

Policies relating to router administration involve creating support for the following two authentication elements:

• DES passwords stored in external database

• Local user if connection to AAA server is down

Policies relating to dialup PPP involve creating support for the following two authentication elements:

• Password Authentication Protocol (PAP) for dialup PPP authentication

• Challenge Handshake Authentication Protocol (CHAP) for remote ISDN devices

Table 1-5 AAA Service Definition Checklist

| Access Network AAA Checklist Questions | Access Network Policy |
|---|---|
| What AAA protocols do you plan to deploy? | RADIUS and TACACS+ |
| Where do you want the users’ passwords to be stored? | External Oracle database |
| Do you plan to support one-time passwords? If so, what tool do you plan to use to support this requirement? | No |
| Do you intend to implement database replication? | No |
| Do you require support for token caching? | No |
| What type of accounts currently exist? | UNIX, NT |
| Do you plan to implement an AAA server? If so, on which product? | Yes, CiscoSecure for UNIX |
| What database do you plan to use? | External, Oracle |


1.8.2 Authorization Policy

Separate the authorization policy into two distinct sections: router administration and dialup PPP.

Policies relating to router administration involve creating support for the following authorization elements:

• Privilege level 15 command authorization

• Three levels of router administration command control (low, medium, and high)

• Privilege level 15 assigned to local users, which is valid only if an AAA server is down

Policies relating to dialup PPP involve creating support for the following authorization elements:

• Apply autocommand ppp negotiate to all groups other than router administrators

• Access control list filtering as required

• AVP support for all dial access devices

1.8.3 Accounting Policy

Accounting records are exported from an Oracle database using SQL queries. Separate the accounting policy into two distinct sections: router administration and dialup PPP.

Policies relating to router administration involve creating support for the following accounting elements:

• Failed log in attempts

• Privilege level 15 commands

• Failed command authorization

• Start, stop, and elapsed times of sessions

• Source IP address of routers

Policies relating to dialup PPP involve creating support for the following accounting elements:

• Failed log in attempts

• Start, stop, and elapsed time of sessions

• Disconnect cause codes

• Caller ID if applicable


1.9 Security Implementation Policy Considerations

Table 1-6 presents a checklist summarizing the key security policy elements of this case.

Table 1-6 AAA Security Checklist

| Access Network AAA Checklist Questions | Access Network Policy |
|---|---|
| What is the current security policy for passwords? | PAP for dial-in PPP users; CHAP passwords for dialup routers; DES passwords for router administrators |
| What services will be denied? | Concurrent sessions for dial-in users; EXEC shell access for dial-in PPP users; access to specific hosts within the corporate intranetwork; access to specific network services, such as Telnet, FTP, and rlogin |
| What type of mechanism will exist if the AAA server is down? | Local privilege level 15 account; authentication and authorization disabled on console port |
| Are local accounts allowed in routers and NASs? | Yes |
| What accounting information is required? | Username; privilege level of clients; session start and stop times; elapsed time; privilege level 15 command usage; configuration changes; failed log in attempts; failed command authorizations |
| What type of accounting mechanism will be used? | Customer written SQL query to Oracle database |
| Who is responsible for reviewing daily logs? | Network managers |
| Will users be allowed concurrent sessions? | Dialup PPP = No; Dialup router = Yes; Router administrator = Yes |
| What type of administrative access will be assigned to router administrators? | Full control assigned to senior router administrators; basic control assigned to junior router administrators; customized command control for mid-level router administrators |
| Support for Multilink? | Yes |


In addition to these considerations, security-related attributes addressed in this case include:

• Per-User Static IP Address Policy—Static IP addresses are assigned to required personnel to access specific areas within the internetwork.

• Password Authentication and Command Authorization Policy—DES password support is segregated into two elements: privilege level and command authorization. Within that context, three levels of privilege are supported in this case: low, medium, and high, with high having full control assigned. Command authorization at privilege level 15 is enforced. A local user with privilege level 15 is used in the event that the connection to the AAA server is down.

1.10 Network Equipment Selection

Figure 1-1 (presented in “1.1 AAA Technology Summary”) shows the specific devices used in the dialup access environment. Based on the requirements detailed in Table 1-4, Table 1-5, and Table 1-6, the following network entities were selected for this case study:

• Remote clients using modems to access the IP intranet and IP Internet through the public switched telephone network (PSTN).

• An AAA server.

• A password authentication server.

• An external Oracle database server acts as the repository for all user profile information.

• An element management server performs basic dial access system management by using the network time protocol (NTP), system logs (syslog), and simple network management protocol (SNMP).

• A remote AAA server performs basic user authentication.

• A default gateway forwards packets to the IP intranet and IP Internet.


1.11 Task Check List

Table 1-7 summarizes AAA management implementation and operation activities for the hypothetical network in this case study. This case focuses on illustrating implementation of specific AAA-related security and management options over an Access Path implementation. Refer to Cisco AS5x00 Case Study for Basic IP Modem Service for specifics regarding commissioning Cisco access servers to support modem services at the following URL:

http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/as5xipmo/index.htm

Table 1-7 AAA Task Checklist

Task Topic

Chapter 2, “Implementing the Local AAA Subsystem”
  2.1 Implementing Local Dialup Authentication
  2.2 Implementing Local Dialup Authorization
  2.3 Implementing Local Router Authentication
  2.4 Implementing Local Router Authorization
  2.5 Implementing Local Router Accounting

Chapter 3, “Implementing Cisco AAA Servers”
  3.1 Installing CiscoSecure for UNIX with Oracle

Chapter 4, “Implementing the Server-Based AAA Subsystem”
  4.1 Implementing Server-Based TACACS+ Dialup Authentication
  4.2 Implementing Server-Based TACACS+ Dialup Authorization
  4.3 Implementing Server-Based RADIUS Dialup Authentication
  4.4 Implementing Server-Based RADIUS Dialup Authorization
  4.5 Implementing Server-Based TACACS+ Router Authentication
  4.6 Implementing Server-Based TACACS+ Router Authorization

Chapter 5, “Implementing Server-Based AAA Accounting”
  5.1 Implementing Server-Based RADIUS Dial Accounting
  5.2 Implementing Server-Based TACACS+ Router Accounting

Chapter 6, “Diagnosing and Troubleshooting AAA Operations”
  6.1 Overview of Authentication and Authorization Processes
  6.2 Troubleshooting AAA Implementation
    • 6.2.1 Troubleshooting Methodology Overview
    • 6.2.2 Cisco IOS Debug Command Summary
  6.3 AAA Troubleshooting Basics
  6.4 Troubleshooting Scenarios


Chapter 2

Implementing the Local AAA Subsystem

This chapter focuses on local AAA implementation and describes the following topics:

• 2.1 Implementing Local Dialup Authentication

• 2.2 Implementing Local Dialup Authorization

• 2.3 Implementing Local Router Authentication

• 2.4 Implementing Local Router Authorization

Note See “1.1 AAA Technology Summary,” in Chapter 1 for brief definitions of authentication, authorization, and accounting as they relate to AAA security implementation.

Server-based authentication, authorization, and accounting issues are described in the following chapters:

• Chapter 3, “Implementing Cisco AAA Servers”

• Chapter 4, “Implementing the Server-Based AAA Subsystem”

• Chapter 5, “Implementing Server-Based AAA Accounting”

• Chapter 6, “Diagnosing and Troubleshooting AAA Operations”

Caution The example configuration fragments used throughout this chapter include IP addresses, passwords, authentication keys, and other variables that are specific to this case study. If you use these fragments as foundations for your own configurations, be sure that your specifications apply to your environment.


2.1 Implementing Local Dialup Authentication

These steps help you to establish local-based dial authentication as illustrated in Figure 2-1:

1. Configure basic dial access.

2. Verify basic dial access.

Figure 2-1 Local-Based Dial Access Environment

Step 1 Configure basic dial access.

Include the following Cisco IOS configuration commands in your configuration to construct dial access local authentication control:

aaa new-model
aaa authentication login default local
aaa authentication ppp default if-needed local
username diallocal password xxxxxx

interface Group-Async1
 ip unnumbered Loopback0
 no ip directed-broadcast
 encapsulation ppp
 ip tcp header-compression passive
 no logging event link-status
 dialer in-band
 dialer idle-timeout 900
 async mode interactive
 no snmp trap link-status
 peer default ip address pool default
 no fair-queue
 no cdp enable
 ppp max-bad-auth 3
 ppp authentication pap chap
 group-range 1 48

line 1 48
 exec-timeout 48 0
 autoselect during-login
 autoselect ppp
 absolute-timeout 240
 script dialer cisco_default
 modem InOut
 modem autoconfigure type mica
 transport preferred telnet
 transport input all
 transport output pad telnet rlogin udptn

[Figure 2-1 image not extracted. Panel: Local-based dial access over the PSTN through a modem to the NAS and the IP network.]


Note See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A, “AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA commands.

Step 2 Verify basic dial access.

a. To verify user access, initiate a login process as follows:

maui-nas-01#login

User Access Verification

Username: diallocal
Password: <password>

b. To determine that local dial access authentication is operating correctly, enter the debug aaa authentication and debug ppp authentication commands.

The following debug output contains only pertinent information:

Enable the debugs on the NAS, then initiate the dialup:

maui-nas-01#debug aaa authentication
AAA Authentication debugging is on
maui-nas-01#debug ppp authentication
PPP authentication debugging is on
maui-nas-01#show debug
General OS:
  AAA Authentication debugging is on
PPP:
  PPP authentication debugging is on


The following shell-initiated PPP session example shows the AAA debug output that confirms correct configuration for local authentication:

Note The method used is LOCAL.

113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
113136: Feb 4 10:11:32.582 CST: As1 PPP: Treating connection as a callin
113137: Feb 4 10:11:32.582 CST: AAA/MEMORY: dup_user (0x61DF306C) user='dialuser' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=PPP priv=1 source='AAA dup lcp_reset'
113138: Feb 4 10:11:32.582 CST: As1 AAA/AUTHEN: Method=IF-NEEDED: no authentication needed. user='diallocal' port='tty1' rem_addr='async/81560'
113139: Feb 4 10:11:32.582 CST: AAA/MEMORY: free_user (0x619C4940) user='dialuser' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113140: Feb 4 10:11:33.158 CST: AAA/MEMORY: dup_user (0x6193A788) user='dialuser' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=PPP priv=1 source='AAA dup lcp_reset'
113141: Feb 4 10:11:33.158 CST: AAA/MEMORY: free_user (0x61DF306C) user='dialuser' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=PPP priv=1
113142: Feb 4 10:11:33.158 CST: As1 AAA/AUTHEN: Method=IF-NEEDED: no authentication needed. user='diallocal' port='tty1' rem_addr='async/81560'


The following example of a non-shell-initiated PPP session shows AAA debug output that confirms correct configuration for local authentication:

Note The method used is LOCAL.

113151: Feb 4 10:13:27.670 CST: AAA/MEMORY: create_user (0x61DFE188) user='' ruser='' port='tty2' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113152: Feb 4 10:13:27.670 CST: AAA/AUTHEN/START (776784700): port='tty2' list='' action=LOGIN service=LOGIN
113153: Feb 4 10:13:27.670 CST: AAA/AUTHEN/START (776784700): using "default" list
113154: Feb 4 10:13:27.670 CST: AAA/AUTHEN/START (776784700): Method=LOCAL
113155: Feb 4 10:13:27.670 CST: AAA/AUTHEN (776784700): status = GETUSER
113156: Feb 4 10:13:27.710 CST: AAA/AUTHEN/ABORT: (776784700) because Autoselected.
113157: Feb 4 10:13:27.710 CST: AAA/MEMORY: free_user (0x61DFE188) user='' ruser='' port='tty2' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113158: Feb 4 10:13:29.842 CST: As2 PPP: Treating connection as a callin
113159: Feb 4 10:13:34.834 CST: As2 PAP: I AUTH-REQ id 1 len 18 from "diallocal"
113160: Feb 4 10:13:34.834 CST: As2 PAP: Authenticating peer diallocal
113161: Feb 4 10:13:34.838 CST: AAA: parse name=Async2 idb type=10 tty=2
113162: Feb 4 10:13:34.838 CST: AAA: name=Async2 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=2 channel=0
113163: Feb 4 10:13:34.838 CST: AAA: parse name=Serial0:3 idb type=12 tty=-1
113164: Feb 4 10:13:34.838 CST: AAA: name=Serial0:3 flags=0x51 type=1 shelf=0 slot=0 adapter=0 port=0 channel=3
113165: Feb 4 10:13:34.838 CST: AAA/MEMORY: create_user (0x61ABBCE4) user='dialuser' ruser='' port='Async2' rem_addr='async/81560' authen_type=PAP service=PPP priv=1
113166: Feb 4 10:13:34.838 CST: AAA/AUTHEN/START (1001880850): port='Async2' list='' action=LOGIN service=PPP
113167: Feb 4 10:13:34.838 CST: AAA/AUTHEN/START (1001880850): using "default" list
113168: Feb 4 10:13:34.838 CST: AAA/AUTHEN (1001880850): status = UNKNOWN
113169: Feb 4 10:13:34.838 CST: AAA/AUTHEN/START (1001880850): Method=LOCAL
113170: Feb 4 10:13:34.838 CST: AAA/AUTHEN (1001880850): status = PASS
113171: Feb 4 10:13:34.838 CST: As2 PAP: O AUTH-ACK id 1 len 5
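As an added example that is not part of the Cisco case study, this Python parser folds AAA/AUTHEN debug lines like those in the two sessions above into one record per AAA session and reports any session whose method is not LOCAL or whose final status is not PASS, which is the check the Notes above ask you to make by eye. SAMPLE_DEBUG is constructed in the same line format; its second session is invented to show a failing case.

```python
import re
from typing import Dict, List

# Added example, not part of the Cisco case study: folds AAA/AUTHEN debug
# lines into one record per AAA session so "Method=LOCAL, status = PASS"
# can be checked mechanically. SAMPLE_DEBUG is constructed in the same line
# format as the debug output above; the second session (a TACACS+ method
# that fails) is invented for contrast.
SAMPLE_DEBUG = """\
113166: Feb 4 10:13:34.838 CST: AAA/AUTHEN/START (1001880850): port='Async2' list='' action=LOGIN service=PPP
113167: Feb 4 10:13:34.838 CST: AAA/AUTHEN/START (1001880850): using "default" list
113168: Feb 4 10:13:34.838 CST: AAA/AUTHEN (1001880850): status = UNKNOWN
113169: Feb 4 10:13:34.838 CST: AAA/AUTHEN/START (1001880850): Method=LOCAL
113170: Feb 4 10:13:34.838 CST: AAA/AUTHEN (1001880850): status = PASS
113180: Feb 4 10:15:01.120 CST: AAA/AUTHEN/START (555000111): port='tty3' list='' action=LOGIN service=LOGIN
113181: Feb 4 10:15:01.120 CST: AAA/AUTHEN/START (555000111): using "default" list
113182: Feb 4 10:15:01.120 CST: AAA/AUTHEN/START (555000111): Method=TACACS+
113183: Feb 4 10:15:01.120 CST: AAA/AUTHEN (555000111): status = GETUSER
113184: Feb 4 10:15:06.300 CST: AAA/AUTHEN/CONT (555000111): continue_login (user='admin1')
113185: Feb 4 10:15:06.300 CST: AAA/AUTHEN (555000111): status = FAIL
"""

# One debug line: "<seq>: <timestamp>: AAA/AUTHEN[/START|/CONT] (<session>): <rest>"
LINE_RE = re.compile(
    r"^\d+: (?P<ts>.+?): AAA/AUTHEN(?:/(?P<kind>START|CONT))? \((?P<sid>\d+)\): (?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)='([^']*)'")          # port='Async2' list='' ...
SERVICE_RE = re.compile(r"service=(\w+)")
LIST_RE = re.compile(r'using "([^"]+)" list')
STATUS_RE = re.compile(r"status = (\w+)")
METHOD_RE = re.compile(r"Method=([\w+-]+)")
USER_RE = re.compile(r"continue_login \(user='([^']*)'\)")


def summarize_aaa_debug(text: str) -> Dict[str, dict]:
    """Return {session_id: record} with port, service, list, method, user,
    the ordered status trail and the final status. Lines that are not
    AAA/AUTHEN lines (PPP, PAP, AAA/MEMORY, ABORT) are ignored."""
    sessions: Dict[str, dict] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sid, kind, rest = m.group("sid"), m.group("kind"), m.group("rest")
        rec = sessions.setdefault(sid, {"port": None, "service": None, "list": None,
                                        "method": None, "user": None, "statuses": []})
        if kind == "START" and rest.startswith("port="):
            kv = dict(KV_RE.findall(rest))
            rec["port"] = kv.get("port")
            rec["list"] = kv.get("list")
            svc = SERVICE_RE.search(rest)
            rec["service"] = svc.group(1) if svc else None
        lm = LIST_RE.search(rest)
        if lm:
            rec["list"] = lm.group(1)        # '' on the START line becomes "default"
        mm = METHOD_RE.search(rest)
        if mm:
            rec["method"] = mm.group(1)
        um = USER_RE.search(rest)
        if um and um.group(1) != "(undef)":
            rec["user"] = um.group(1)
        sm = STATUS_RE.search(rest)
        if sm:
            rec["statuses"].append(sm.group(1))
    for rec in sessions.values():
        rec["final_status"] = rec["statuses"][-1] if rec["statuses"] else None
    return sessions


def sessions_not_matching(sessions: Dict[str, dict], method: str = "LOCAL",
                          status: str = "PASS") -> List[str]:
    """Session ids whose method or final status differ from what a correct
    local configuration should show (the check the Notes above ask for)."""
    return sorted(sid for sid, r in sessions.items()
                  if r["method"] != method or r["final_status"] != status)
```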

2.2 Implementing Local Dialup Authorization

These processes help you to accomplish the following tasks:

1. Configure dial access configuration for local authorization on the NAS.

2. Verify and troubleshoot local authorization from NAS.

3. Verify that access list 110 is assigned.

Note Attribute-value pairs (AVPs) are supported only with EXEC shell-initiated PPP sessions for local accounts. Configure dial access clients to “Bring Up a Terminal Window After Dial”.


Step 1 Configure dial access configuration for local authorization on the NAS.

Include the following Cisco IOS configuration commands in your configuration to construct dial access local authorization:

aaa new-model
aaa authentication login default local
aaa authentication ppp default if-needed local
aaa authorization exec default local if-authenticated
aaa authorization network default local if-authenticated
username dialclient access-class 110 password ciscorocks
username dialclient autocommand ppp negotiate
access-list 110 deny tcp any any eq telnet
access-list 110 permit tcp any any

Note See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A, “AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA commands.

Step 2 Verify and troubleshoot local authorization from NAS.

To verify local dial access authorization is operating correctly, enter the debug aaa authorization command.

The following EXEC sequence illustrates that the appropriate command is enabled:

5800-NAS#show debug
General OS:
  AAA Authorization debugging is on

The following example of a shell-initiated session shows the AAA debug output that confirms correct configuration for local authorization. Some points to note about this debug output:

• Method used is LOCAL.

• Autocommand used is PPP negotiate.

• Access list used is 110.

• Authorization is successful.

The following tests illustrate operations described in “2.4 Implementing Local Router Authorization” and include relevant router output:

1. User diallocal is authorized EXEC Shell Service (Terminal Window After Dial enabled).

2. EXEC Authorization in action; access-list 110 and autocommand=ppp negotiate AVPs processed.

3. User diallocal is authorized PPP Network Service.

4. User diallocal is authorized LCP.

5. User diallocal is authorized IPCP.

The following diagnostic results are presented in the order in which they are generated during the authorization process. Specific output fragments are differentiated with brief explanatory notes to help you identify relevant information.


Note The debug command output can vary depending on Cisco IOS versions.

1. User diallocal is authorized EXEC Shell Service (Terminal Window After Dial enabled).

NAS debug output:

07:10:52: As10 AAA/AUTHOR/EXEC (693880654): Port='tty10' list='' service=EXEC
07:10:52: AAA/AUTHOR/EXEC: As10 (693880654) user='diallocal'
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): send AV service=shell
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): send AV cmd*
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): found list "default"
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): Method=LOCAL
07:10:52: As10 AAA/AUTHOR (693880654): Post authorization status = PASS_ADD

2. EXEC Authorization in action; access-list 110 and autocommand=ppp negotiate AVPs processed.

NAS debug output:

07:10:52: AAA/AUTHOR/EXEC: Processing AV service=shell
07:10:52: AAA/AUTHOR/EXEC: Processing AV cmd*
07:10:52: AAA/AUTHOR/EXEC: Processing AV autocmd=ppp
07:10:52: AAA/AUTHOR/EXEC: Processing AV acl=110
07:10:52: AAA/AUTHOR/EXEC: Authorization successful

3. User diallocal is authorized PPP Network Service.

NAS debug output:

07:10:52: As10 AAA/AUTHOR/PPP (2856468577): Port='tty10' list='' service=NET
07:10:52: AAA/AUTHOR/PPP: As10 (2856468577) user='diallocal'
07:10:52: As10 AAA/AUTHOR/PPP (2856468577): send AV service=ppp
07:10:52: As10 AAA/AUTHOR/PPP (2856468577): send AV protocol=ip
07:10:52: As10 AAA/AUTHOR/PPP (2856468577): send AV addr-pool*default
07:10:52: As10 AAA/AUTHOR/PPP (2856468577): found list "default"
07:10:52: As10 AAA/AUTHOR/PPP (2856468577): Method=LOCAL
07:10:52: As10 AAA/AUTHOR (2856468577): Post authorization status = PASS_REPL

4. User diallocal is authorized LCP.

NAS debug output:

07:10:52: AAA/AUTHOR/Async10: PPP: Processing AV service=ppp
07:10:52: AAA/AUTHOR/Async10: PPP: Processing AV protocol=ip
07:10:52: AAA/AUTHOR/Async10: PPP: Processing AV addr-pool*default
07:10:54: AAA/MEMORY: free_user (0x61851148) user='diallocal' ruser='' port='tty10' rem_addr='65004/65301' authen_type=ASCII service=LOGIN priv=1
07:10:56: AAA/MEMORY: free_user (0x61532710) user='diallocal' ruser='' port='tty10' rem_addr='65004/65301' authen_type=ASCII service=PPP priv=1
07:10:56: As10 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
07:10:58: As10 AAA/AUTHOR/LCP: Authorize LCP
07:10:58: As10 AAA/AUTHOR/LCP (3185006257): Port='tty10' list='' service=NET
07:10:58: AAA/AUTHOR/LCP: As10 (3185006257) user='diallocal'
07:10:58: As10 AAA/AUTHOR/LCP (3185006257): send AV service=ppp
07:10:58: As10 AAA/AUTHOR/LCP (3185006257): send AV protocol=lcp
07:10:58: As10 AAA/AUTHOR/LCP (3185006257): found list "default"
07:10:58: As10 AAA/AUTHOR/LCP (3185006257): Method=LOCAL
07:10:58: As10 AAA/AUTHOR (3185006257): Post authorization status = PASS_REPL


5. User diallocal is authorized IPCP.

NAS debug output:

07:10:58: As10 AAA/AUTHOR/LCP: Processing AV service=ppp
07:10:58: As10 AAA/AUTHOR/LCP: Processing AV protocol=lcp
07:10:58: As10 AAA/AUTHOR/FSM: (0): Can we start IPCP?
07:10:58: As10 AAA/AUTHOR/FSM (321297806): Port='tty10' list='' service=NET
07:10:58: AAA/AUTHOR/FSM: As10 (321297806) user='diallocal'
07:10:58: As10 AAA/AUTHOR/FSM (321297806): send AV service=ppp
07:10:58: As10 AAA/AUTHOR/FSM (321297806): send AV protocol=ip
07:10:58: As10 AAA/AUTHOR/FSM (321297806): found list "default"
07:10:58: As10 AAA/AUTHOR/FSM (321297806): Method=LOCAL
07:10:58: As10 AAA/AUTHOR (321297806): Post authorization status = PASS_REPL
07:10:58: As10 AAA/AUTHOR/FSM: We can start IPCP

Step 3 Verify that access list 110 is assigned.

To verify that access list 110 is being used to control access, enter the show line command as follows:

maui-nas-03#show line 10
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
A   10 TTY              - inout     -  110    -      1       0       0/0     -

Note Access lists can be defined as either input or output access lists. As configured and applied in this environment, access list 110 is an output access list assigned with the acl=110 AVP. In the show line listing, AccO refers to output access list 110. In this case, AccI is not set (indicated by a dash).

2.3 Implementing Local Router Authentication

These processes help you to establish local-based router authentication as illustrated in Figure 2-2:

1. Configure basic router access.

2. Verify local authentication operation.

Figure 2-2 Local-Based Router Environment (figure: local-based VTY access to the router over IP using Telnet)


Step 1 Configure basic router access.

Include the following Cisco IOS configuration commands in your configuration to enforce local authentication on all interfaces except the console port:

username rtr_super privilege 15 password ciscorules
!
aaa new-model
aaa authentication login default local
aaa authentication login NO_AUTHENT none
!
line con 0
 login authentication NO_AUTHENT

Note The NO_AUTHENT list disables authentication on the console port. See “A.2 Router AAA Command Implementation Descriptions” in Appendix A, “AAA Device Configuration Listings” for notes regarding Cisco IOS AAA commands.

Step 2 Verify local authentication operation.

a. To verify user access, initiate a login process as follows:

maui-rtr-03#login

User Access Verification

Username: rtr_super
Password: <password>

maui-rtr-03#


b. To determine that local authentication is operating correctly, enter the debug aaa authentication command as follows:

maui-rtr-03#debug aaa authentication
AAA Authentication debugging is on
maui-rtr-03#show debug
General OS:
  AAA Authentication debugging is on

maui-rtr-03#terminal monitor

Feb 17 15:34:47.147: AAA: parse name=tty3 idb type=-1 tty=-1
Feb 17 15:34:47.147: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
Feb 17 15:34:47.147: AAA/MEMORY: create_user (0x61F88D2C) user='' ruser='' port='tty3' rem_addr='172.22.61.17' authen_type=ASCII service=LOGIN priv=1
Feb 17 15:34:47.147: AAA/AUTHEN/START (3701879404): port='tty3' list='' action=LOGIN service=LOGIN
Feb 17 15:34:47.147: AAA/AUTHEN/START (3701879404): using "default" list
Feb 17 15:34:47.147: AAA/AUTHEN/START (3701879404): Method=LOCAL
Feb 17 15:34:47.147: AAA/AUTHEN (3701879404): status = GETUSER
Feb 17 15:34:49.679: AAA/AUTHEN/CONT (3701879404): continue_login (user='(undef)')
Feb 17 15:34:49.679: AAA/AUTHEN (3701879404): status = GETUSER
Feb 17 15:34:49.679: AAA/AUTHEN/CONT (3701879404): Method=LOCAL
Feb 17 15:34:49.679: AAA/AUTHEN (3701879404): status = GETPASS
Feb 17 15:34:51.467: AAA/AUTHEN/CONT (3701879404): continue_login (user='rtr_super')
Feb 17 15:34:51.467: AAA/AUTHEN (3701879404): status = GETPASS
Feb 17 15:34:51.467: AAA/AUTHEN/CONT (3701879404): Method=LOCAL
Feb 17 15:34:51.467: AAA/AUTHEN (3701879404): status = PASS

2.4 Implementing Local Router Authorization

Local router authorization is implemented through router command authorization configuration. The following example:

• Shows how to create two privilege levels (1 and 15) with local access and how to control the access to global configuration mode.

• Provides a method to gain access by using the enable password if the local login fails.

Follow a methodical approach when dealing with TACACS+ in routers to prevent the need to perform password recovery.

Note Some versions of boot ROMs do not recognize all AAA commands. Be sure to disable AAA authentication and authorization before changing to boot ROM mode. For configuration notes regarding disabling AAA to access boot ROM mode, see Appendix B, “AAA Impact on Maintenance Tasks.”

These processes are intended to help you to accomplish the following tasks:

1. Configure local router authorization at privilege level 15.

2. Verify local router authorization is set to privilege level 15.


Step 1 Configure local router authorization at privilege level 15.

Include the following Cisco IOS configuration commands in your configuration to enforce local authorization at privilege level 15 on all interfaces except the console port:

!
username rtr_super privilege 15 password ciscorules
!
aaa new-model
aaa authentication login default local enable
aaa authentication login NO_AUTHENT none
aaa authorization exec default local if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 NO_AUTHOR none
aaa authorization commands 15 local if-authenticated
!
line con 0
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 login authentication NO_AUTHENT

Note You must first log out, and then log back into the router following the inclusion of the aaa authorization commands 15 local if-authenticated command (illustrated in the preceding configuration fragment). Doing this ensures that you log in as the user rtr_super (in this case study example). The NO_AUTHENT list disables authentication on the console port. The NO_AUTHOR list disables EXEC and command authorization on the console port. See “A.2 Router AAA Command Implementation Descriptions” in Appendix A, “AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA commands.

Step 2 Verify local router authorization is set to privilege level 15.

Enter the following commands to verify correct authorization:

maui-rtr-03#debug aaa authorization
AAA Authorization debugging is on
maui-rtr-03#show debug
General OS:
  AAA Authorization debugging is on

maui-rtr-03#login

User Access Verification

Username: rtr_super
Password:

The following tests illustrate operations described in “2.4 Implementing Local Router Authorization” and include relevant router output.

1. User rtr_super is authorized EXEC shell access.

2. User rtr_super is assigned the priv-lvl 15 AVP.

3. User rtr_super successfully performs privilege level 15 command.


The following diagnostic results are presented in the order in which they are generated during the authorization process. Specific output fragments are differentiated with brief explanatory notes to help you identify relevant information.

Note The debug command output can vary depending on Cisco IOS versions.

1. User rtr_super is authorized EXEC shell access.

Router debug output:

Mar 13 14:08:54.871 CST: AAA/MEMORY: create_user (0x6188BD2C) user='' ruser='' port='tty2' rem_addr='172.22.53.201' authen_type=ASCII service=LOGIN priv=15
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): Port='tty2' list='' service=EXEC
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: tty2 (294199586) user='rtr_super'
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): send AV service=shell
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): send AV cmd*
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): found list "default"
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): Method=LOCAL
Mar 13 14:09:00.511 CST: AAA/AUTHOR (294199586): Post authorization status = PASS_ADD

2. User rtr_super is assigned the priv-lvl 15 AVP.

Router debug output:

Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Processing AV service=shell
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Processing AV cmd*
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Authorization successful
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): Port='tty2' list='' service=CMD

3. User rtr_super successfully performs privilege level 15 command.

Router debug output:

Mar 13 14:09:01.648 CST: AAA/AUTHOR/CMD: tty2 (2192867088) user='rtr_super'
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV service=shell
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV cmd=configure
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV cmd-arg=terminal
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV cmd-arg=<cr>
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): found list "default"
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): Method=LOCAL
Mar 13 14:09:01.648 CST: AAA/AUTHOR (2192867088): Post authorization status = PASS_ADD

2.5 Implementing Local Router Accounting

These processes help you to accomplish the following tasks:

1. Configure basic local accounting for router access.

2. Verify and troubleshoot local accounting from VTY (Telnet) based access to the router.


Step 1 Configure basic local accounting for router access.

Include the following Cisco IOS configuration commands in your configuration to construct local based router accounting for EXEC and command authorization for privilege level 15 commands:

username rtr_super privilege 15 password ciscorules

aaa new-model
aaa authentication login default local enable
aaa authentication login NO_AUTHENT none
aaa authorization exec default local if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default local if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default start-stop group tacacs+
aaa accounting exec NO_ACCOUNT none
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting commands 15 NO_ACCOUNT none

line con 0
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 accounting commands 1 NO_ACCOUNT
 accounting commands 15 NO_ACCOUNT
 accounting exec NO_ACCOUNT
 login authentication NO_AUTHENT

Note In the preceding configuration fragment, the start-stop option is entered for EXEC shell sessions and the stop-only option is entered for privilege-level 15 commands. The router sends a start packet in the beginning of a shell service and a stop packet when the session terminates. A stop packet is only sent upon completion of a privilege level 15 command in the router. Additionally, note the use of the NO_ACCOUNT list to disable AAA accounting on the console port.

Step 2 Verify and troubleshoot local accounting from VTY (Telnet) based access to the router.

Enter the debug aaa accounting command to verify local router accounting is operating as expected. The following EXEC sequence illustrates that the appropriate commands are enabled:

maui-rtr-03#show debug
General OS:
  AAA Accounting debugging is on

The following tests illustrate operations described in “2.5 Implementing Local Router Accounting” and include relevant router output.

1. User rtr_super is authorized EXEC shell access.

2. User rtr_super successfully performs configure terminal, a privilege level 15 command.

The following diagnostic results are presented in the order in which they are generated during a typical authorization and command request process. Specific output fragments are separated out with brief explanatory notes to help you identify relevant information.


Note The debug command output can vary depending on Cisco IOS versions.

1. User rtr_super is authorized EXEC shell access.

Router debug output:

Apr 11 16:48:32.483: AAA/ACCT/EXEC/START User rtr_super, port tty3
Apr 11 16:48:32.483: AAA/ACCT/EXEC: Found list "default"
Apr 11 16:48:32.483: AAA/ACCT/EXEC/START User rtr_super, Port tty3, task_id=362 start_time=955471712 timezone=CST service=shell
Apr 11 16:48:32.483: AAA/ACCT: user rtr_super, acct type 0 (1526108857): Method=tacacs+ (tacacs+)
Apr 11 16:48:33.487: TAC+: (1526108857): received acct response status = SUCCESS

2. User rtr_super successfully performs configure terminal, a privilege level 15 command.

Router debug output:

Apr 11 16:51:52.741: AAA/ACCT/CMD: User rtr_super, Port tty3, Priv 15: "configure terminal <cr>"
Apr 11 16:51:52.741: AAA/ACCT/CMD: Found list "default"
Apr 11 16:51:52.741: AAA/ACCT: user rtr_super, acct type 3 (2701117300): Method=tacacs+ (tacacs+)
Apr 11 16:51:53.545: TAC+: (2701117300): received acct response status = SUCCESS
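The debug listings in 2.2 (EXEC authorization with the acl and autocmd AVPs) and 2.5 (command accounting) are easier to audit mechanically than by eye. The following Python script is an added example, not part of the Cisco case study: it parses debug lines in the formats shown in this chapter into per-request records and checks that the EXEC authorization came from the LOCAL method with the expected AVPs. The sample lines are copied from this chapter; the rule that "Processing AV" lines belong to the most recently completed request is an assumption about IOS output ordering.

```python
"""Parse Cisco IOS 'debug aaa authorization' and 'debug aaa accounting' output.
Added example, not from the Cisco case study: it rebuilds each authorization
request (section 2.2) and command accounting record (section 2.5) from debug lines."""
import re

# Constructed sample: lines copied from this chapter's debug listings
# (EXEC authorization of user diallocal, command accounting for rtr_super).
SAMPLE_DEBUG = """\
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): Port='tty10' list='' service=EXEC
07:10:52: AAA/AUTHOR/EXEC: As10 (693880654) user='diallocal'
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): send AV service=shell
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): send AV cmd*
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): Method=LOCAL
07:10:52: As10 AAA/AUTHOR (693880654): Post authorization status = PASS_ADD
07:10:52: AAA/AUTHOR/EXEC: Processing AV service=shell
07:10:52: AAA/AUTHOR/EXEC: Processing AV cmd*
07:10:52: AAA/AUTHOR/EXEC: Processing AV autocmd=ppp
07:10:52: AAA/AUTHOR/EXEC: Processing AV acl=110
07:10:52: AAA/AUTHOR/EXEC: Authorization successful
Apr 11 16:51:52.741: AAA/ACCT/CMD: User rtr_super, Port tty3, Priv 15: "configure terminal <cr>"
Apr 11 16:51:52.741: AAA/ACCT: user rtr_super, acct type 3 (2701117300): Method=tacacs+ (tacacs+)
Apr 11 16:51:53.545: TAC+: (2701117300): received acct response status = SUCCESS
"""

# Shapes of the AAA/AUTHOR and AAA/ACCT messages shown on the page.
AUTHOR_START = re.compile(r"AAA/AUTHOR/(?P<kind>\w+) \((?P<id>\d+)\): Port='(?P<port>[^']*)'"
                          r" list='[^']*' service=(?P<service>\w+)")
AUTHOR_USER = re.compile(r"AAA/AUTHOR/\w+: \S+ \((?P<id>\d+)\) user='(?P<user>[^']*)'")
AUTHOR_SEND = re.compile(r"AAA/AUTHOR/\w+ \((?P<id>\d+)\): send AV (?P<av>\S+)")
AUTHOR_METHOD = re.compile(r"AAA/AUTHOR/\w+ \((?P<id>\d+)\): Method=(?P<method>\S+)")
AUTHOR_STATUS = re.compile(r"AAA/AUTHOR \((?P<id>\d+)\): Post authorization status = (?P<status>\S+)")
AUTHOR_PROCESSED = re.compile(r"AAA/AUTHOR/.*Processing AV (?P<av>\S+)")
ACCT_CMD = re.compile(r'AAA/ACCT/CMD: User (?P<user>[^,]+), Port (?P<port>[^,]+), Priv (?P<priv>\d+): "(?P<cmd>[^"]*)"')
ACCT_METHOD = re.compile(r"AAA/ACCT: user (?P<user>[^,]+), acct type \d+ \((?P<id>\d+)\): Method=(?P<method>\S+)")
ACCT_RESPONSE = re.compile(r"TAC\+: \((?P<id>\d+)\): received acct response status = (?P<status>\S+)")


def parse_authorization(lines):
    """Group AAA/AUTHOR lines into {request_id: fields}. 'Processing AV' lines carry no
    id; IOS prints them right after the 'Post authorization status' line of their request,
    so they are attached to the most recently completed request (an ordering assumption)."""
    requests, last_done = {}, None
    for line in lines:
        if m := AUTHOR_START.search(line):
            requests[m["id"]] = {"kind": m["kind"], "port": m["port"], "service": m["service"],
                                 "user": None, "method": None, "status": None,
                                 "sent": [], "processed": []}
        elif (m := AUTHOR_USER.search(line)) and m["id"] in requests:
            requests[m["id"]]["user"] = m["user"]
        elif (m := AUTHOR_SEND.search(line)) and m["id"] in requests:
            requests[m["id"]]["sent"].append(m["av"])
        elif (m := AUTHOR_METHOD.search(line)) and m["id"] in requests:
            requests[m["id"]]["method"] = m["method"]
        elif (m := AUTHOR_STATUS.search(line)) and m["id"] in requests:
            requests[m["id"]]["status"] = m["status"]
            last_done = m["id"]
        elif (m := AUTHOR_PROCESSED.search(line)) and last_done:
            requests[last_done]["processed"].append(m["av"])
    return requests


def check_exec_authorization(requests, expected_avs=("acl=110", "autocmd=ppp")):
    """Findings for the section 2.2 EXEC authorization (empty list = OK): Method=LOCAL,
    a PASS_* status, and every expected AVP (access list, autocommand) actually processed."""
    exec_requests = [r for r in requests.values() if r["service"] == "EXEC"]
    if not exec_requests:
        return ["no service=EXEC authorization request found"]
    findings = []
    for r in exec_requests:
        if r["method"] != "LOCAL":
            findings.append(f"{r['port']}: method {r['method']} is not LOCAL")
        if not (r["status"] or "").startswith("PASS"):
            findings.append(f"{r['port']}: authorization status {r['status']}")
        findings += [f"{r['port']}: expected AVP {av} not processed"
                     for av in expected_avs if av not in r["processed"]]
    return findings


def parse_command_accounting(lines):
    """Stitch AAA/ACCT/CMD (user, port, priv, command), the following AAA/ACCT line
    (request id, method) and the TAC+ response with that id into one record each."""
    records, pending, by_id = [], None, {}
    for line in lines:
        if m := ACCT_CMD.search(line):
            pending = {"user": m["user"], "port": m["port"], "priv": int(m["priv"]),
                       "cmd": m["cmd"].replace(" <cr>", ""), "method": None, "response": None}
            records.append(pending)
        elif (m := ACCT_METHOD.search(line)) and pending and m["user"] == pending["user"]:
            pending["method"] = m["method"]
            by_id[m["id"]] = pending
            pending = None
        elif (m := ACCT_RESPONSE.search(line)) and m["id"] in by_id:
            by_id[m["id"]]["response"] = m["status"]
    return records


if __name__ == "__main__":
    sample = SAMPLE_DEBUG.splitlines()
    print(check_exec_authorization(parse_authorization(sample)) or "EXEC authorization OK")
    print(parse_command_accounting(sample))
```

Feeding it a capture in which the acl=110 line is missing produces a finding for tty10, which is the quickest way to spot a username entry whose access-class was dropped.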


Chapter 3

Implementing Cisco AAA Servers

This chapter describes the basic process of installing CiscoSecure for UNIX (CSU). See Chapter 1, “Cisco AAA Case Study Overview,” for this case study’s network requirements and environment details. Figure 3-1 illustrates the general networking environment in which this CSU is implemented.

These sections focus on the following topics:

• 3.1 Installing CiscoSecure for UNIX with Oracle

• 3.1.4 Creating and Verifying Basic User Profile

Figure 3-1 AAA-Based, Secure Network Access Scenario (figure: clients and modems reach a Cisco AS5x00 with integrated modems over PSTN PRI and analog lines; the AAA server, Oracle dB server, DNS server, network element management server (NTP, Syslog, SNMP), default gateway and Internet firewall sit on the IP intranet between the NAS and the Internet)


3.1 Installing CiscoSecure for UNIX with Oracle

These processes help you to install CiscoSecure for UNIX:

• 3.1.1 Creating Oracle Tablespace

• 3.1.2 Verifying the Oracle Database Instance

• 3.1.3 Installing CiscoSecure for UNIX

• 3.1.4 Creating and Verifying Basic User Profile

3.1.1 Creating Oracle Tablespace

You must create an Oracle tablespace with a minimum size of 200 MB. The notes listed in this section are for reference.

Note Ensure that an experienced Oracle database administrator (DBA) tunes and configures the database.

For detailed Oracle installation notes, go to the following location:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csbsdoc.htm

Example of creating an Oracle tablespace:

<CSUserver>$su - oracle
Sun Microsystems Inc. SunOS 5.5.1 Generic May 1996
<CSUserver>$$ORACLE_HOME/bin/svrmgrl

Oracle Server Manager Release 2.3.4.0.0 - Production

Copyright (c) Oracle Corporation 1994, 1995. All rights reserved.

Oracle7 Server Release 7.3.4.0.1 - Production
With the distributed option
PL/SQL Release 2.3.4.0.0 - Production

SVRMGR>connect internal
Connected.
SVRMGR>create tablespace cstb datafile '/export/home/ORADATA/cs.dbf' size 200m;
Statement processed.
SVRMGR>create user csecure identified by csecure default tablespace cstb;
Statement processed.
SVRMGR>grant dba to csecure identified by csecure;
Statement processed.
SVRMGR>exit
Server Manager complete.


3.1.2 Verifying the Oracle Database Instance

Before you install CiscoSecure for UNIX, make sure the Oracle server is running and you have the following five pieces of information:

• The Oracle user account for CiscoSecure (csecure)

• The password for the Oracle account (csecure)

• TNS service name for the Oracle server (ciscosj)

• The location of $ORACLE_HOME (/opt/oracle/product/7.3.4)

• The number of Connections to use for ORACLE RDBMS (50)

Step 1 To verify the environment variable ($ORACLE_HOME) that points to the directory where the Oracle software is installed, enter the following command:

<CSUserver>$env | grep ORACLE_HOME
ORACLE_HOME=/opt/oracle/product/7.3.4

Note This environment variable should have been configured during Oracle installation by the DBA.

Step 2 On the Oracle server, verify that SMON (a mandatory Oracle background process) is running by entering the following command:

<CSUserver>$ps -ef | grep smon
  oracle   819     1  0   Feb 26 ?        0:00 ora_smon_ciscosj

The command returns the ora_smon_<SID> process if the server is running. Notice the database instance specification of ciscosj. If the server is down, log in with the Oracle UNIX account (in this case, with username of csecure and password of csecure) and start the database by using Server Manager (svrmgrl) and Oracle listener (lsnrctl) as follows:

<CSUserver>$$ORACLE_HOME/bin/svrmgrl
SVRMGR>connect internal
SVRMGR>startup
ORACLE instance started.
Total System Global Area    4576056 bytes
Fixed Size                    39816 bytes
Variable Size               4118448 bytes
Database Buffers             409600 bytes
Redo Buffers                   8192 bytes
Database mounted.
Database opened.


<CSUserver>$$ORACLE_HOME/bin/lsnrctl start
LSNRCTL for Solaris: Version 2.3.4.0.0 - Production on 12-APR-00 09:40:46

Copyright (c) Oracle Corporation 1994. All rights reserved.

Starting /opt/oracle/product/7.3.4/bin/tnslsnr: please wait...

TNSLSNR for Solaris: Version 2.3.4.0.0 - Production
System parameter file is /opt/oracle/product/7.3.4/network/admin/listener.ora
Log messages written to /opt/oracle/product/7.3.4/network/log/listener.log
Listening on: (ADDRESS=(PROTOCOL=ipc)(DEV=10)(KEY=ciscoaus))
Listening on: (ADDRESS=(PROTOCOL=ipc)(DEV=13)(KEY=PNPKEY))
Listening on: (ADDRESS=(PROTOCOL=tcp)(DEV=15)(HOST=172.22.53.204)(PORT=1521))

Connecting to (ADDRESS=(PROTOCOL=IPC)(KEY=ciscosj))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Solaris: Version 2.3.4.0.0 - Production
Start Date                12-APR-00 09:40:50
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  OFF
SNMP                      OFF
Listener Parameter File   /opt/oracle/product/7.3.4/network/admin/listener.ora
Listener Log File         /opt/oracle/product/7.3.4/network/log/listener.log
Services Summary...
  ciscoaus                has 1 service handler(s)
The command completed successfully

Step 3 To verify that the Oracle database account information is created for CiscoSecure by the DBA, enter Security Manager using the sqlplus process:

<CSUserver>$sqlplus csecure/csecure@ciscosj
SQL>select * from user_sys_privs;

USERNAME                       PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
CSECURE                        UNLIMITED TABLESPACE                     NO

Note Ensure that the assigned resource role/privilege for the username and password is as shown.

The command returns a table with a column listing the privileges granted to the Oracle database account. The default tablespace assigned to the Oracle database account must be at least 200MB. The size is verified by the installation script.

Step 4 To confirm tnsnames service is operating correctly, invoke the tnsping utility as follows:

<CSUserver>$$ORACLE_HOME/bin/tnsping ciscosj

TNS Ping Utility for Solaris: Version 2.3.4.0.0 - Production on 29-FEB-00 09:25:28

Copyright (c) Oracle Corporation 1995. All rights reserved.

Attempting to contact (ADDRESS=(PROTOCOL=TCP)(Host=CSUserver)(Port=1521))
OK (80 msec)


Step 5 Ensure the number of Oracle RDBMS connections assigned to CiscoSecure is less than the PROCESSES variable defined in the initciscosj.ora file. This parameter specifies the maximum number of user processes that can simultaneously connect to an Oracle Server. If the value for PROCESSES is set to 20, then only 13 or 14 concurrent connections can be assigned to CiscoSecure. For this case study, at least four of the connections are reserved for mandatory background server processes. In addition, the PROCESSES variable is set to 50 and the number of Oracle RDBMS connections is set to 50 during the installation.

3.1.3 Installing CiscoSecure for UNIX

The general steps and output that follow apply to the installation dialog for CiscoSecure for UNIX (CSU) on a Sun Solaris workstation. Installation consists of the following steps:

1. Start the CSU installation process by invoking the pkgadd program.

2. Configure CSU logging by editing /etc/syslog.conf to enable the AAA syslog function.

3. Create /var/log/csuslog file.

4. Configure the AAA server for maximum level debugging.

5. Restart the AAA server.

6. Restart the syslog daemon.


Step 1 Start the CSU installation process by invoking the pkgadd program.

The process that follows illustrates the general installation sequence. Extraneous output was omitted where noted for brevity.

Note The following installation process requires approximately 20 minutes.

<CSUserver>$pkgadd -d CiscoSecure-2.3.3.solaris

The following packages are available:
  1  CSCEacs     CiscoSecure Access Control Software
                 (sun4) 2.3(3)

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: 1

Processing package instance <CSCEacs> from </opt/install/ciscosecure/CiscoSecure-2.3.3.solaris>

CiscoSecure Access Control Software
(sun4) 2.3(3)
Copyright(c) 1996-1999 Cisco Systems, Inc.
CiscoSecure Access Control Server
Version 2.3(3)
All Rights Reserved.

Copyright (c) 1994-1999 Netscape Communications Corporation
Copyright (c) 1988-1999 Sybase, Inc.
Trade Mark WebLogic, Inc.

Notice:
By using this product, you agree to be bound by the terms of
the license supplied with this product. If you do not agree
to these terms, promptly return the unused product, manuals,
related equipment, and hardware (with proof of purchase) to
the place of purchase for a full refund.

To install this product, you must agree to accept the terms
of the enclosed license [accept=y,exit=n,exit=q]: y

checking patches...

*************************************************************************
* Notice:                                                               *
* This installation program saves your Database files from a previous   *
* CiscoSecure install. If you have not installed CiscoSecure before,    *
* you should answer YES to the next question. If you have performed     *
* a 'package remove' and are installing a new version of CiscoSecure    *
* and want to retain your previous Database files, you should answer    *
* NO to the next question.                                              *
*************************************************************************

Is this a new install (y/n/q) (default: yes, q to quit)? y

Enter the directory name in which to install CiscoSecure [?,q] /opt/ciscosecure


IP Address to use for CiscoSecure (default: 172.23.25.41) [?,q]

If the hostname of this server is not the same as its fully qualified domain
name (FQDN), enter the FQDN, e.g., www.cisco.com. Otherwise, press enter
to use the default (default: CSUserver) [?,q]

Enter the AAA Server License key (default: <none>) [?,q]

Enter the TACACS+ NAS name to use (default: <none>) [?,q]

Enter the TACACS+ NAS Secret key (default: SECRET12345) [?,q] ciscorules

Select any or all Token Cards to use
  1  CryptoCard
  2  Secure-Computing SafeWord
  3  SDI SDI Token Card
Enter selection (default: none) [?,??,q]:

Choose Database
  1  SQLAnywhere   Sybase SQL Anywhere
  2  ORACLE        Oracle Enterprise
  3  SYBASE        Sybase Enterprise
Enter selection (default: SQLAnywhere) [?,??,q]: 2

Enter the username for the ORACLE DB account [?,q] csecure
Enter the password for the ORACLE DB account [?,q] csecure
Enter the TNS service name for the Oracle Server [?,q] ciscosj
Enter the ORACLE_HOME directory [?,q] /opt/oracle/product/7.3.4
Enter an available TCP/IP Port to be reserved for the CiscoSecure DB Server
process (default: 9900) [0-65535,?,q]
Enter a unique name for the CiscoSecure DB Server Process (default: CSdbServer) [?,q]
Enter the number of Connections to use for ORACLE RDBMS (default: 4) [?,q] 50
Enter the directory Path to use for the AAA server profile caching
(default: /, q to quit)?

Modify any selections below?

  New CiscoSecure Install             YES
  CiscoSecure Directory               /opt/ciscosecure
  CiscoSecure IP Address              172.23.25.41
  CiscoSecure Web Server Name         CSUserver
  Profile Cache Directory             /
  AAA License Key                     <none>
  TACACS+ NAS Name                    <none>
  TACACS+ NAS Secret Key              SECRET12345
  Token Cards selected                none
  Data Base                           ORACLE
  DB User Account Name                csecure
  DB User Account Passwd              csecure
  Oracle TNS Name                     ciscosj
  Oracle Home                         /opt/oracle/product/7.3.4
  CiscoSecure DB Server IP Address    172.23.25.41
  CiscoSecure DB Server Port          9900
  CiscoSecure DB Server Proc Name     CSdbServer


  DB Server Connections               50

Modify any values [y,n,q]: n

cs_install.log being written to /tmp directory
Using </opt/ciscosecure> as the package base directory.
## Processing package information.
## Processing system information.
   6 package pathnames are already properly installed.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <CSCEacs> [y,n,?] y

Installing CiscoSecure Access Control Software as <CSCEacs>

## Executing preinstall script.
## Installing part 1 of 1.

Note Process output is omitted at this point because it is not relevant to the installation task presented in this chapter.

[ verifying class <TSERVER> ]
## Executing postinstall script.

Creating the initial database tables and views........
Loading properties from /opt/ciscosecure/config/CSConfig.ini
Finished loading properties.
Data Source = ORACLE
Driver Type = JDBC-Weblogic-Oracle
URL = jdbc:weblogic:oracle:ciscosj
username = csecure
password = ********
Connected to jdbc:weblogic:oracle:ciscosj
Driver Weblogic, Inc. Java-OCI JDBC Driver (weblogicoci26)
Version 2.5.4
sql = select tablespace_name, floor(sum(bytes)/(1024*1024)) from sys.dba_free_space where tablespace_name = (select default_tablespace from sys.dba_users where username = USER) group by tablespace_name
Total free space in CSTB tablespace is 199 MB.
Creating /opt/ciscosecure/utils/sql.scripts/ora_init.sql
%Executing SQL statements..


Note Process output is omitted at this point because it is not relevant to the installation task presented in this chapter.

Successfully done.

Initializing RADIUS data in the database........
Loading properties from /opt/ciscosecure/config/CSConfig.ini
Finished loading properties.
Data Source = ORACLE
Driver Type = JDBC-Weblogic-Oracle
URL = jdbc:weblogic:oracle:ciscosj
username = csecure
password = ********
Connected to jdbc:weblogic:oracle:ciscosj
Driver Weblogic, Inc. Java-OCI JDBC Driver (weblogicoci26)
Version 2.5.4
Radius data version: 23
Adding SERVER_LIST
Adding DICTIONARY_LIST
Adding SERVER.172.23.25.41
Adding DICTIONARY.IETF
Adding DICTIONARY.Cisco
Adding DICTIONARY.Ascend
Adding DICTIONARY.Cisco11.1
Adding DICTIONARY.Cisco11.2
Adding DICTIONARY.Cisco11.3
Adding DICTIONARY.Ascend5
No update to dictionary list
Update radius version: INSERT INTO cs_id (id, type) VALUES (?, ?)

Successfully done.

Installation is complete. However, further configuration may be necessary.
For more information on the steps necessary to finish configuration, read
the /opt/ciscosecure/DOCS/README.txt file.

Results of this install are saved in the /tmp/cs_install.log file and in
/opt/ciscosecure/logfiles/cs_install.log.

NOTE: For AAA Server tuning, refer to http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23rg/app_b.htm#xtocid192003

Installation of <CSCEacs> was successful.

Step 2 Configure CSU logging by editing /etc/syslog.conf to enable the AAA syslog function:

Enter the following command:

#added by [email protected] on 02/28/00
local0.debug	/var/log/csuslog

Note Do not use whitespace to separate the above statements in /etc/syslog.conf. Use only tabs.

Step 3 Create /var/log/csuslog file.


Enter the touch command to create the csuslog file:

<CSUserver>$touch /var/log/csuslog; chmod 777 /var/log/csuslog

Step 4 Configure the AAA server for maximum level debugging.

Modify /opt/ciscosecure/config/CSU.cfg as follows:

NUMBER config_logging_configuration = 0x7ffffffff

Step 5 Restart the AAA server.

Enter the following command to restart the AAA server:

<CSUserver>$/etc/rc0.d/K80CiscoSecure

Stopping CiscoSecure Processes:

CiscoSecure AutoRestart Stopped
Fast Track Server Stopped
Fast Track Admin Program Stopped
Acme Server Stopped
AAA Server Stopped
DBServer Stopped

<CSUserver>$/etc/rc2.d/S80CiscoSecure

Starting CiscoSecure Processes:

Fast Track Admin Started
FastTrack Server (Delayed Start)
DBServer Started
AAA Server starts in 15 Seconds: 123456789012345
AAA Server Started
Acme Server Started
Cisco AutoRestart started

Step 6 Restart the syslog daemon.

Enter the following commands to restart the syslog daemon:

<CSUserver>$ps -ef | grep syslog
    root   150     1  0   Feb 26 ?        0:00 /usr/sbin/syslogd
<CSUserver>$kill -HUP 150

3.1.4 Creating and Verifying Basic User Profile

These processes help you to accomplish basic user profile creation and verification:

1. Create user csu_test.

2. Verify user csu_test.

3. Configure the router for basic authentication.

4. Log in to the router and verify user access.

5. Review the AAA server log.


Step 1 Create user csu_test.

Enter the following commands to add the user csu_test:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u csu_test -pw des,ciscorocks
Profile Successfully Added

Step 2 Verify user csu_test.

Enter the following commands to verify settings for user csu_test:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u csu_test
User Profile Information
user = csu_test{
profile_id = 18
profile_cycle = 1
password = des "********"
}

Step 3 Configure the router for basic authentication.

Log in to the router and include the following commands:

aaa new-model
aaa authentication login default group tacacs+ local

tacacs-server host 172.22.53.201 key ciscorules

Step 4 Log in to the router and verify user access.

Enter the user name and password:

Username: csu_test
Password: <password>

Step 5 Review the AAA server log.

Enter the tail command to assess the csuslog file:

Note This CSU log fragment illustrates user csu_test being authenticated and permitted privilege level 15 access.

<CSUserver>$tail -f /var/log/csuslog
Feb 29 16:52:28 CSUserver last message repeated 20 times
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - ACCOUNTING request (55d45ae8)
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - acct_token_cache_session_add_del: user: csu_test
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - acct_token_cache_session_add_del: user: csu_test
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - AUTHENTICATION START request (8f414e3e)
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG -
Feb 29 16:52:30 CSUserver User Access Verification
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - Username:
Feb 29 16:52:31 CSUserver CiscoSecure: WARNING - No swap files/partitions allocated
Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e)
Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - Password:
Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e)
Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - Authentication - LOGIN successful;[NAS = coe-ccie-35.cisco.com, Port = tty2, User = csu_test, Priv = 15]
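A reviewer reading csuslog usually wants only the facts buried in the fragment above: which request ids completed the START/CONTINUE exchange, who logged in from which NAS and port, and at what privilege level. The following parser is an added example and is not part of the Cisco document or the CiscoSecure software; it runs on a constructed sample modelled on the fragment above, and the "LOGIN failed" line in that sample is constructed to mirror the layout of the successful one rather than copied from a real CiscoSecure log.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input, modelled on the csuslog fragment in Step 5.
# The "LOGIN failed" line is constructed to mirror the success line's layout.
SAMPLE_LOG = """\
Feb 29 16:52:28 CSUserver last message repeated 20 times
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - ACCOUNTING request (55d45ae8)
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - AUTHENTICATION START request (8f414e3e)
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG -
Feb 29 16:52:30 CSUserver User Access Verification
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - Username:
Feb 29 16:52:31 CSUserver CiscoSecure: WARNING - No swap files/partitions allocated
Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e)
Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - Password:
Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e)
Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - Authentication - LOGIN successful;[NAS = coe-ccie-35.cisco.com, Port = tty2, User = csu_test, Priv = 15]
Feb 29 16:53:02 CSUserver CiscoSecure: DEBUG - AUTHENTICATION START request (1a2b3c4d)
Feb 29 16:53:09 CSUserver CiscoSecure: DEBUG - Authentication - LOGIN failed;[NAS = coe-ccie-35.cisco.com, Port = tty3, User = csu_test, Priv = 1]
"""

# One syslog line written by the CiscoSecure daemon: timestamp, host, level, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"CiscoSecure: (?P<level>[A-Z]+) -\s*(?P<msg>.*)$"
)
REQUEST_RE = re.compile(r"AUTHENTICATION (?P<phase>START|CONTINUE) request \((?P<req>[0-9a-f]+)\)")
LOGIN_RE = re.compile(r"Authentication - LOGIN (?P<outcome>\w+);\[(?P<fields>[^\]]*)\]")
FIELD_RE = re.compile(r"(\w+) = ([^,]+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one CiscoSecure syslog line into fields; None for other syslog noise."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def request_phases(text: str) -> Dict[str, List[str]]:
    """Group START/CONTINUE messages by request id. A complete login shows START,
    then one CONTINUE per prompt answered (username, then password)."""
    phases: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        rec = parse_line(raw)
        m = REQUEST_RE.search(rec["msg"]) if rec else None
        if m:
            phases.setdefault(m.group("req"), []).append(m.group("phase"))
    return phases


def login_events(text: str) -> List[Dict[str, str]]:
    """Extract the LOGIN result lines with their NAS, Port, User and Priv fields."""
    events: List[Dict[str, str]] = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        m = LOGIN_RE.search(rec["msg"]) if rec else None
        if not m:
            continue
        fields = {k.lower(): v.strip() for k, v in FIELD_RE.findall(m.group("fields"))}
        events.append({"ts": rec["ts"], "outcome": m.group("outcome").lower(), **fields})
    return events


def privileged_logins(events: List[Dict[str, str]], min_priv: int = 15) -> List[Dict[str, str]]:
    """Successful logins granted at or above min_priv (15 is the highest IOS level)."""
    return [e for e in events
            if e["outcome"] == "successful" and int(e.get("priv", "0")) >= min_priv]


def failures_by_user(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count non-successful LOGIN results per user, a simple guessing indicator."""
    counts: Dict[str, int] = {}
    for e in events:
        if e["outcome"] != "successful":
            user = e.get("user", "?")
            counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    evs = login_events(SAMPLE_LOG)
    for e in evs:
        print(f"{e['ts']} {e['user']}@{e['nas']}:{e['port']} -> {e['outcome']} (priv {e['priv']})")
    print("privileged:", [e["user"] for e in privileged_logins(evs)])
    print("failures:", failures_by_user(evs))
    print("phases:", request_phases(SAMPLE_LOG))
```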


CHAPTER 4

Implementing the Server-Based AAA Subsystem

This chapter focuses on the following server-based AAA implementation topics:

• 4.1 Implementing Server-Based TACACS+ Dialup Authentication

• 4.2 Implementing Server-Based TACACS+ Dialup Authorization

• 4.3 Implementing Server-Based RADIUS Dialup Authentication

• 4.4 Implementing Server-Based RADIUS Dialup Authorization

• 4.5 Implementing Server-Based TACACS+ Router Authentication

• 4.6 Implementing Server-Based TACACS+ Router Authorization

Caution The example configuration fragments used throughout this chapter include IP addresses, passwords, authentication keys, and other variables that are specific to this case study. If you use these fragments as foundations for your own configurations, be sure that your specifications apply to your environment.

Note See Chapter 2, “Implementing the Local AAA Subsystem,” for specifics of local AAA implementation. See “1.1 AAA Technology Summary,” in Chapter 1 for brief definitions of authentication, authorization, and accounting as they relate to AAA security implementation.


Figure 4-1 provides the general scenario this case study is built around and illustrates the server-based AAA components, including a AAA server and its associated AAA database.

Figure 4-1 Basic AAA Case Study Environment

4.1 Implementing Server-Based TACACS+ Dialup Authentication

The following section focuses on server-based dialup authentication configuration. In this context, server-based refers to actions dependent upon an external AAA server. These actions are described in a series of general steps along with related commands, server configurations, and diagnostic steps as appropriate. Figure 4-2 illustrates a simplified TACACS+ server-based dial environment.

Figure 4-2 Server-Based Dial Environment (TACACS+)

[Figure 4-2 elements: Clients, Modems, PSTN (PRI lines, analog lines), Cisco AS5x00 with integrated modems, Default gateway, Internet firewall, Internet, IP intranet, AAA server, Oracle DB server, DNS server, Network element management server (NTP, Syslog, SNMP); server-based dial access over PSTN modem to the AAA server.]


These steps help you to accomplish the following tasks:

1. Configure TACACS+ server-based authentication on NAS.

2. Configure a user profile in the database.

3. Verify the AAA server-based user configuration.

4. Verify and troubleshoot authentication from the AAA server.

5. Verify and troubleshoot PPP authentication from the NAS.

Step 1 Configure TACACS+ server-based authentication on NAS.

Include the following Cisco IOS configuration commands in your configuration to enforce server-based dial access authentication control with TACACS+:

aaa new-model
aaa authentication login default group tacacs+
aaa authentication ppp default if-needed group tacacs+
!
tacacs-server host 172.22.53.101 key ciscorules

Note See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A, “AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA commands.

Step 2 Configure a user profile in the database.

Create a user in the AAA server by entering the following AddProfile command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u tac_dial -pw pap,ciscorules -a 'service=ppp{\n protocol=ip{\n set addr-pool=default \n set inacl=110 \n}\n protocol=lcp {\n }\n }\n'

Caution When entering AddProfile to create users or groups, it is possible to successfully create users or groups that have invalid database parameters that result in profile errors viewable in /var/log/csuslog.

Step 3 Verify the AAA server-based user configuration.

Enter this server command to view the AAA server-based user configuration:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u tac_dial

user = tac_dial{
profile_id = 23
profile_cycle = 1
password = pap "********"
service=ppp {
protocol=ip {
set addr-pool=default
set inacl=110
}
protocol=lcp {
}
}
}


Step 4 Verify and troubleshoot authentication from the AAA server.

Enter the tail command:

<CSUserver>$tail -f /var/log/csuslog

Note See “C.1 Server-Based TACACS+ Dialup Authentication Diagnostics” for a description of relevant diagnostic output.

Step 5 Verify and troubleshoot PPP authentication from the NAS.

Enter the debug aaa authentication and debug ppp authentication commands to confirm authentication from the NAS perspective.

Note See “C.1 Server-Based TACACS+ Dialup Authentication Diagnostics” for relevant diagnostic output.

4.2 Implementing Server-Based TACACS+ Dialup Authorization

This section focuses on implementing server-based dialup authorization and presents applicable configuration segments, server commands and file listings, and diagnostic steps.

These steps help you to accomplish the following tasks:

1. Configure TACACS+ server-based authorization on the NAS.

2. Configure a user profile in the database.

3. Verify the AAA server-based user configuration.

4. Verify and troubleshoot a shell-initiated PPP session authorization from the AAA server.

5. Verify and troubleshoot shell-initiated PPP authorization on the NAS.

Step 1 Configure TACACS+ server-based authorization on the NAS.

Include the following Cisco IOS configuration commands in your configuration to enforce server-based dial access authorization with TACACS+:

aaa new-model
aaa authentication login default group tacacs+
aaa authentication ppp default if-needed group tacacs+
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
!
tacacs-server host x.x.x.x key ciscorules

Note See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A, “AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA commands.


Step 2 Configure a user profile in the database.

Create a user in the AAA server by entering the following AddProfile command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u dialtest -pw des,ciscorules -pw pap,ciscorules -a 'service=shell{\ndefault cmd=permit\n}\nservice=ppp{\n protocol=ip{\n set addr-pool=default \n set inacl=110 \n}\n protocol=lcp {\n }\n }\n'

Step 3 Verify the AAA server-based user configuration.

Enter this UNIX server command to view the AAA server-based user configuration:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u dialtest

An example of a ViewProfile output of the user profile looks like this:

User Profile Information
user = dialtest{
profile_id = 25
profile_cycle = 1
password = pap "********"
service=shell {
default_cmd=permit
}
service=ppp {
protocol=ip {
set addr-pool=default
set inacl=110
}
protocol=lcp {
}
}
}
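The Caution in 4.1 points out that AddProfile accepts attribute strings whose problems only surface later as profile errors in /var/log/csuslog. The checker below is an added example and is not part of the Cisco document or the CiscoSecure CLI: it validates an -a string before it is submitted, using only the line shapes that appear in this chapter's AddProfile and ViewProfile listings (block openers, "}" closers, "set" statements, "default cmd", and key=value assignments), and renders the same nested structure back into the literal-\n form AddProfile takes. The accepted grammar is inferred from those listings and is an assumption; CSU's own parser may accept more.

```python
import re
from typing import Dict, List, Union

# Line shapes taken from the AddProfile and ViewProfile listings in this chapter.
# Assumed to be the whole grammar only for the purpose of this check.
BLOCK_OPEN = re.compile(r'^(?P<key>[\w,-]+)=(?P<val>"[^"]*"|[\w.-]*)\s*\{$')
SET_LINE = re.compile(r"^set [\w-]+=\S+$")
DEFAULT_CMD = re.compile(r"^default[ _]cmd=(?P<action>\w+)$")
ASSIGN = re.compile(r'^[\w,.-]+=("[^"]*"|\S+)$')


def split_profile(text: str) -> List[str]:
    """Normalise an -a string (literal backslash-n separators, as typed to AddProfile)
    or ViewProfile output (real newlines) into trimmed lines; 'key {' becomes 'key{'."""
    lines = text.replace("\\n", "\n").splitlines()
    return [re.sub(r"\s+\{$", "{", ln.strip()) for ln in lines if ln.strip()]


def validate_profile(text: str) -> List[str]:
    """Return a list of problems; an empty list means the text is structurally sound."""
    errors: List[str] = []
    stack: List[str] = []          # keys of the blocks currently open
    for n, ln in enumerate(split_profile(text), 1):
        m = BLOCK_OPEN.match(ln)
        if m:
            stack.append(m.group("key"))
            continue
        if ln == "}":
            if stack:
                stack.pop()
            else:
                errors.append(f"line {n}: '}}' without an open block")
            continue
        m = DEFAULT_CMD.match(ln)
        if m:
            if m.group("action") not in ("permit", "deny"):
                errors.append(f"line {n}: default cmd must be permit or deny, got {m.group('action')!r}")
            if "service" not in stack:      # in this chapter it always sits under service=shell
                errors.append(f"line {n}: default cmd outside a service block")
            continue
        if SET_LINE.match(ln):
            if "protocol" not in stack:     # set addr-pool / set inacl appear under protocol=ip
                errors.append(f"line {n}: 'set' outside a protocol block")
            continue
        if ASSIGN.match(ln):
            continue
        errors.append(f"line {n}: unrecognised line {ln!r}")
    if stack:
        errors.append("unclosed block(s): " + ", ".join(stack))
    return errors


# A profile tree: every key is a block; its body is a list of statements or nested blocks.
Profile = Dict[str, Union["Profile", List[str]]]


def render_lines(tree: Profile, indent: int = 0) -> List[str]:
    pad = " " * indent
    lines: List[str] = []
    for key, body in tree.items():
        lines.append(f"{pad}{key}{{")
        if isinstance(body, dict):
            lines.extend(render_lines(body, indent + 1))
        else:
            lines.extend(f"{pad} {item}" for item in body)
        lines.append(f"{pad}}}")
    return lines


def render_profile(tree: Profile) -> str:
    """Produce the literal-backslash-n form that AddProfile -a expects."""
    return "\\n".join(render_lines(tree)) + "\\n"


# The -a strings from Step 2 of 4.1 and 4.2, as typed to AddProfile.
TAC_DIAL = ('service=ppp{\\n protocol=ip{\\n set addr-pool=default \\n set inacl=110 \\n}\\n'
            ' protocol=lcp {\\n }\\n }\\n')
DIALTEST = 'service=shell{\\ndefault cmd=permit\\n}\\n' + TAC_DIAL

if __name__ == "__main__":
    for name, text in (("tac_dial", TAC_DIAL), ("dialtest", DIALTEST)):
        print(name, validate_profile(text) or "ok")
    tree: Profile = {"service=ppp": {"protocol=ip": ["set addr-pool=default", "set inacl=110"],
                                     "protocol=lcp": {}}}
    print(render_profile(tree))
```

Run against the NAS profile string in 4.3 Step 2a, validate_profile reports a '}' with no open block; compare the braces ViewProfile prints for that profile in 4.3 Step 3a.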

Step 4 Verify and troubleshoot a shell-initiated PPP session authorization from the AAA server.

Enter the following UNIX server command to confirm that the authorization is operating correctly:

<CSUServer>$tail -f /var/log/csuslog

Note See “C.2 Server-Based TACACS+ Dialup Authorization Diagnostics.”

Step 5 Verify and troubleshoot shell-initiated PPP authorization on the NAS.

Enter the debug aaa authorization command to verify server-based authorization is operating correctly for dial access.

Note See “C.2 Server-Based TACACS+ Dialup Authorization Diagnostics.”


4.3 Implementing Server-Based RADIUS Dialup Authentication

This section focuses on the configuration of server-based RADIUS dialup authentication. In this context, server-based refers to actions that depend on an external AAA server. Figure 4-3 illustrates a simplified server-based dial environment.

These steps help you to accomplish the following tasks:

1. Configure RADIUS server-based authentication on access server.

2. Configure a user profile in the database.

3. Verify the AAA server-based user configuration.

4. Enter the debug aaa authentication and debug ppp authorization commands to confirm authentication from NAS perspective.

Figure 4-3 Server-Based Dial Environment (RADIUS)

[Figure 4-3 elements: PSTN modem, server-based dial access, IP network, AAA server.]


Step 1 Configure RADIUS server-based authentication on access server.

Include the following Cisco IOS configuration commands in your configuration to enforce server-based dial access authentication control with RADIUS:

aaa new-model
aaa authentication login default group radius
aaa authentication ppp default if-needed group radius
!
interface Group-Async1
 ip unnumbered Loopback0
 no ip directed-broadcast
 encapsulation ppp
 ip tcp header-compression passive
 no logging event link-status
 dialer in-band
 dialer idle-timeout 900
 async mode interactive
 no snmp trap link-status
 peer default ip address pool default
 no fair-queue
 no cdp enable
 ppp max-bad-auth 3
 ppp authentication pap chap
 group-range 1 48
!
line 1 48
 exec-timeout 48 0
 autoselect during-login
 autoselect ppp
 absolute-timeout 240
 modem InOut
 modem autoconfigure type mica
 transport preferred telnet
 transport input all
 transport output lat pad telnet rlogin udptn v120 lapb-ta

radius-server host 172.22.53.201 auth-port 1645 acct-port 1646 key ciscorules

Note See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A, “AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA commands.

Step 2 Configure a user profile in the database.

a. Create a RADIUS NAS configuration by entering the following AddProfile command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u NAS.172.22.53.105 -a 'NASName="172.22.53.105"\nSharedSecret="ciscorules"\nRadiusVendor="Cisco"\nDictionary="DICTIONARY.Cisco"\n }\n'

b. Create a user in the AAA server by entering the following AddProfile command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rad_dial -pw pap,ciscorules -a 'radius=Cisco{\n reply_attributes={\n 6=2 \n 7=1 \n}\n}\n'

Description of attributes specified in AddProfile configuration:

– 6=2 (meaning Framed-Protocol=ppp)

– 7=1 [meaning User-Service-Type (Framed-User)]


Step 3 Verify the AAA server-based user configuration.

a. Enter this server command to view the AAA server-based NAS configuration:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u NAS.172.22.53.105
User Profile Information
user = NAS.172.22.53.105{
profile_id = 76
profile_cycle = 1
NASName="172.22.53.105" {
SharedSecret="ciscorules"
RadiusVendor="Cisco"
Dictionary="DICTIONARY.Cisco"
}
}

b. Enter this command to verify the AAA server user configuration:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rad_dial
User Profile Information
user = rad_dial{
profile_id = 62
profile_cycle = 1
password = pap "********"
radius=Cisco {
reply_attributes= {
6=2
7=1
}
}
}

Step 4 Enter the debug aaa authentication and debug ppp authorization commands to confirm authentication from NAS perspective.

Note See “C.3 Server-Based RADIUS Dialup Authentication Diagnostics.”

4.4 Implementing Server-Based RADIUS Dialup Authorization

These steps help you to accomplish the following tasks:

1. Configure RADIUS server-based authorization on the NAS.

2. Configure a user profile in the database.

3. Verify the AAA server-based user configuration.

4. Verify and troubleshoot RADIUS network authorization on the NAS.

5. Verify that access-list 110 is assigned to user rad_dial with the show caller user command.


Step 1 Configure RADIUS server-based authorization on the NAS.

Include the following Cisco IOS configuration commands in your configuration to enforce RADIUS authorization assigning access-list 110 to the user, rad_dial:

aaa new-model
aaa authentication login default group radius
aaa authentication ppp default if-needed group radius
aaa authorization exec default group radius
aaa authorization network default group radius if-authenticated
!
radius-server host 172.22.53.201 auth-port 1645 acct-port 1646 key ciscorules
!
access-list 110 permit tcp any any eq telnet
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq ftp-data
access-list 110 deny tcp any any

Note See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A, “AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA commands.

Step 2 Configure a user profile in the database.

Create a user in the AAA server by entering the following AddProfile command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rad_dial -pw pap,ciscorules -a 'radius=Cisco{\n reply_attributes={\n 6=2 \n 7=1 \n 9,1="ip:inacl=110"}\n}\n'

Step 3 Verify the AAA server-based user configuration.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rad_dial
User Profile Information
user = rad_dial{
profile_id = 62
profile_cycle = 1
password = pap "********"
radius=Cisco {
reply_attributes= {
6=2
7=1
9,1="ip:inacl=110"
}
}
}

Note The Cisco AVP inacl=110 is included to enable an input access-list.
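The reply_attributes entries in 4.3 and 4.4 are CSU shorthand for what the server puts in the RADIUS Access-Accept: a bare number is an IETF attribute type with a 32-bit integer value, and "9,1" is vendor 9 (Cisco), vendor-type 1 (cisco-avpair), carried inside a Vendor-Specific attribute (type 26). The encoder/decoder below is an added example and is not from the Cisco document or CiscoSecure; it produces the RFC 2865 wire bytes for the three entries used here so they can be compared with a packet capture. The decoder names attributes as RFC 2865 numbers them, 6 = Service-Type (2 = Framed) and 7 = Framed-Protocol (1 = PPP); it assumes one inner TLV per Vendor-Specific attribute, which is all these profiles use.

```python
import struct
from typing import List, Tuple

# RFC 2865 attribute numbers used by the profiles in this chapter.
SERVICE_TYPE = 6        # value 2 = Framed
FRAMED_PROTOCOL = 7     # value 1 = PPP
VENDOR_SPECIFIC = 26    # carries the "9,1=..." entry as a Cisco VSA
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1        # vendor-type 1, the cisco-avpair string

ATTR_NAMES = {SERVICE_TYPE: "Service-Type", FRAMED_PROTOCOL: "Framed-Protocol"}
ENUM_NAMES = {(SERVICE_TYPE, 2): "Framed", (FRAMED_PROTOCOL, 1): "PPP"}


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Standard RADIUS TLV: Type (1 octet), Length (1 octet, header included), Value."""
    length = 2 + len(value)
    if not 0 < attr_type < 256 or length > 255:
        raise ValueError("attribute type or length out of range")
    return struct.pack("!BB", attr_type, length) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): Vendor-Id (4 octets) followed by one inner TLV."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def encode_csu_reply_attribute(spec: str) -> bytes:
    """Translate one CSU reply_attributes entry into wire bytes.
    '6=2' and '7=1' are integer attributes; '9,1="ip:inacl=110"' is vendor 9
    (Cisco), vendor-type 1, with a string value."""
    key, _, raw = spec.partition("=")
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        value = raw[1:-1].encode("ascii")
    else:
        value = struct.pack("!I", int(raw))     # RADIUS integers are 32-bit big-endian
    if "," in key:
        vendor_id, vendor_type = (int(x) for x in key.split(","))
        return encode_vsa(vendor_id, vendor_type, value)
    return encode_attribute(int(key), value)


def decode_attributes(blob: bytes) -> List[Tuple]:
    """Walk a sequence of attributes; VSAs come back as (26, vendor_id, vendor_type, value).
    Assumes a single inner TLV per Vendor-Specific attribute."""
    out: List[Tuple] = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad length {length} at offset {i}")
        value = blob[i + 2:i + length]
        if t == VENDOR_SPECIFIC:
            if len(value) < 6 or value[5] != len(value) - 4:
                raise ValueError("malformed Vendor-Specific payload")
            vendor_id = struct.unpack("!I", value[:4])[0]
            out.append((t, vendor_id, value[4], value[6:]))
        else:
            out.append((t, value))
        i += length
    return out


def describe(decoded: List[Tuple]) -> List[str]:
    """Human-readable view of decoded attributes."""
    lines = []
    for item in decoded:
        if item[0] == VENDOR_SPECIFIC:
            _, vendor_id, vendor_type, value = item
            vendor = "Cisco" if vendor_id == CISCO_VENDOR_ID else str(vendor_id)
            lines.append(f"Vendor-Specific {vendor}/{vendor_type} = {value.decode('ascii')}")
        else:
            t, value = item
            num = struct.unpack("!I", value)[0] if len(value) == 4 else None
            name = ATTR_NAMES.get(t, f"Attribute-{t}")
            lines.append(f"{name} = {ENUM_NAMES.get((t, num), num)} ({num})")
    return lines


if __name__ == "__main__":
    specs = ['6=2', '7=1', '9,1="ip:inacl=110"']
    blob = b"".join(encode_csu_reply_attribute(s) for s in specs)
    print(blob.hex())
    for line in describe(decode_attributes(blob)):
        print(line)
```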

Step 4 Verify and troubleshoot RADIUS network authorization on the NAS.

Enter the debug aaa authorization command to verify dial access server-based authorization is operating correctly for dial access.

Note See “C.4 Server-Based RADIUS Dialup Authorization Diagnostics.”


Step 5 Verify that access-list 110 is assigned to user rad_dial with the show caller user command.

Note See “C.4 Server-Based RADIUS Dialup Authorization Diagnostics.”

4.5 Implementing Server-Based TACACS+ Router Authentication

This section focuses on how to configure and verify TACACS+ Cisco IOS authentication by using a router and a AAA server. Figure 4-4 illustrates a simplified server-based VTY-access environment for a router.

These steps help you to accomplish the following tasks:

1. Configure TACACS+ server-based authentication on the router.

2. Configure and verify the group rtr_basic.

3. Create the member rtr_test and assign this user to group rtr_basic.

4. Verify user rtr_test.

5. Log in to the router and verify proper authentication.

Figure 4-4 Server-Based VTY Access (Telnet)

[Figure 4-4 elements: IP network, AAA server, server-based VTY access (Telnet).]


Step 1 Configure TACACS+ server-based authentication on the router.

Include the following Cisco IOS configuration commands in your configuration to enforce AAA server-based command authorization on a router (excluding the console port):

aaa new-model
aaa authentication login default group tacacs+
aaa authentication login NO_AUTHENT none
!
ip http server
ip http authentication aaa
ip tacacs source-interface Loopback0
!
tacacs-server host 172.22.53.201 key ciscorules
!
line con 0
 login authentication NO_AUTHENT

Note See “A.2 Router AAA Command Implementation Descriptions” in Appendix A, “AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA commands.

Step 2 Configure and verify the group rtr_basic:

a. Create the group rtr_basic by entering the following AddProfile command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_basic -a 'service=shell{\ndefault cmd=deny\n}\n'
Profile Successfully Added

b. Verify the group rtr_basic by entering the ViewProfile command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_basic
Group Profile Information
group = rtr_low{
profile_id = 66
profile_cycle = 1
service=shell {
default cmd=deny
}
}

Step 3 Create the member rtr_test and assign this user to group rtr_basic.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_test -pw des,ciscorules -pr rtr_basic
Profile Successfully Added


Step 4 Verify user rtr_test.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_test
User Profile Information
user = rtr_test{
profile_id = 66
profile_cycle = 1
member = rtr_basic
password = des "********"
}

Step 5 Log in to the router and verify proper authentication.

Enter the login command to access the router command interface and monitor the output of debug aaa authentication from a separate shell session. Monitor the output of the AAA server by consulting the csuslog file using the tail command.

Note See “C.5 Server-Based TACACS+ Router Authentication Diagnostics.”


4.6 Implementing Server-Based TACACS+ Router Authorization

The following examples, including authorization-related IOS command listings and AAA server profiles, illustrate how to define administrative control over Cisco routers. Three administrative groups are created with low (rtr_low), medium (rtr_tech), and high (rtr_super) access. The default_cmd AVP (defined in the AAA server profile) is used to control access to privilege level 15 commands. In this case, privilege level 15 is the highest level of command access privilege allowed and is reserved for super users or network managers. Table 4-1 compares the Cisco IOS command permissions associated with each of the administrative groups defined in this section.

Figure 4-5 provides a flowchart that depicts AAA server-based authentication and authorization between a router and an AAA server. Troubleshooting and verification are divided into three stages: authentication, EXEC authorization, and command authorization. Each stage is accompanied by information particular to that stage:

• Cisco IOS Configuration Fragments (on left)

• Troubleshooting and verification methods for the router and AAA server (on right)

Table 4-1 Group Profile Command Summary

                                                     Group
Cisco IOS Command                                  | rtr_super | rtr_tech  | rtr_low
---------------------------------------------------|-----------|-----------|--------
debug all                                          | Denied    | Denied    | Denied
debug *                                            | Permitted | Permitted | Denied
clear *                                            | Permitted | Permitted | Denied
reload                                             | Permitted | Denied    | Denied
show running-config / write terminal               | Permitted | Denied    | Denied
copy running-config startup-config / write memory  | Permitted | Permitted | Denied
configure terminal                                 | Permitted | Denied    | Denied


Figure 4-5 TACACS+ Authentication and Authorization Verification Methodology

[Figure 4-5 is a flowchart with three columns: Cisco IOS Client, Decision Flow, and Troubleshoot/Verify. It begins with a router user requesting login to the TACACS+ server and passes through three stages; the text carried by the figure is reproduced below.]

Authentication
Cisco IOS client:
aaa new-model
aaa authentication login default group tacacs+
tacacs-server host ip-address key secret-key
Decision: Did authentication succeed? Yes: AAA authorization begins (EXEC).
Troubleshoot/Verify: from the Cisco IOS client, debug aaa authentication; from the AAA server, tail -f /var/log/csuslog and verify the user (user=rtr_geek, password=des).

EXEC Authorization
Cisco IOS client:
aaa authorization exec default group tacacs+ if-authenticated
Decision: Did authorization succeed? Yes: AAA authorization command begins (command).
Troubleshoot/Verify: from the Cisco IOS client, debug aaa authorization; from the AAA server, tail -f /var/log/csuslog and verify the user or group service=shell.

Command Authorization
Cisco IOS client:
aaa authorization commands 15 default tacacs+ if-authenticated
Decision: Did authorization succeed? Yes: AAA accounting begins.
Troubleshoot/Verify: from the Cisco IOS client, debug aaa authorization; from the AAA server, tail -f /var/log/csuslog and verify the user or group default_cmd=permit, or priv_lvl=15, or cmd=permit.

These steps help you to accomplish the following tasks:

1. Configure TACACS+ server-based authorization from the console port on the router.

2. Configure, verify, and test operation of the AAA server group rtr_low.

3. Configure, verify, and test operation of the AAA server group rtr_tech.

4. Configure, verify, and test operation of the AAA server group rtr_super.


Note Some versions of boot ROMs do not recognize all AAA commands. Be sure to disable AAA authentication and authorization before changing to boot ROM mode. For configuration notes regarding disabling AAA to access boot ROM mode, see Appendix B, “AAA Impact on Maintenance Tasks.”

Step 1 Configure TACACS+ server-based authorization from the console port on the router.

Include the following Cisco IOS configuration commands in your configuration to enforce router-based security with TACACS+:

aaa new-model
aaa authentication login default group tacacs+
aaa authentication login NO_AUTHENT none
aaa authorization commands 15 NO_AUTHOR none
aaa authorization exec default group tacacs+
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+
!
ip http server
ip http authentication aaa
ip tacacs source-interface Loopback0
!
tacacs-server host 172.22.53.201 key ciscorules
!
line con 0
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 login authentication NO_AUTHENT

Note See “A.2 Router AAA Command Implementation Descriptions” in Appendix A, “AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA commands.


Step 2 Configure, verify, and test operation of the AAA server group rtr_low.

The following steps illustrate configuring, verifying, and testing group rtr_low for compliance with the requirements specified in Table 4-1:

a. Create the group rtr_low.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_low -a 'service=shell{\ndefault cmd=deny\n}\n'
Profile Successfully Added

b. Verify the group rtr_low.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_low
Group Profile Information
group = rtr_low{
profile_id = 66
profile_cycle = 1
service=shell {
default cmd=deny
}
}

c. Create the member rtr_dweeb and assign this user to group rtr_low.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_dweeb -pr rtr_low -pw des,ciscorules
Profile Successfully Added

d. Verify the user rtr_dweeb.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_dweeb
User Profile Information
user = rtr_dweeb{
profile_id = 66
profile_cycle = 1
member = rtr_low
password = des "********"
}

e. Test the Cisco IOS commands for the user rtr_dweeb (see Table 4-1), with these actions:

– Simultaneously monitor the output of debug aaa authorization from a console shell session and the AAA server csuslog file.

– Log in to the router by using a new terminal window with the rtr_dweeb account and enter the commands shown in Table 4-1.

– From the AAA server, enter the following command to obtain the matching csuslog content:

<CSUserver>$tail -f /var/log/csuslog

Note See “C.6 Server-Based TACACS+ Router Authorization Diagnostics.”


Step 3 Configure, verify, and test operation of the AAA server group rtr_tech.

The following tasks illustrate configuring, verifying, and testing group rtr_tech for compliance with the requirements specified in Table 4-1:

a. Create the group rtr_tech.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_tech -a 'service=shell {\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\ncmd=reload{\ndeny all\n}\ncmd=configure{\ndeny .*}\n}\n'

b. Verify the group rtr_tech.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_tech
Group Profile Information
group = rtr_tech{
profile_id = 47
profile_cycle = 1
service=shell {
default cmd=permit
cmd=debug {
deny all
permit .*
}
cmd=reload {
deny all
}
cmd=configure {
deny .*
}
}
}

c. Create the member rtr_techie and assign this user to group rtr_tech.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_techie -pr rtr_tech -pw des,ciscorules
Profile Successfully Added

d. Verify the user rtr_techie.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_techie
User Profile Information
user = rtr_techie{
profile_id = 39
profile_cycle = 1
member = rtr_tech
password = des "********"
}

e. Test the Cisco IOS commands for the user rtr_techie (see Table 4-1) with these actions:

– Simultaneously monitor the output of debug aaa authorization from a console shell session and the AAA server csuslog file.

– Log in to the router by using a new terminal window with the rtr_techie account and enter the commands shown in Table 4-1.


– From the AAA server, enter the following command to obtain the matching csuslog content:

<CSUserver>$tail -f /var/log/csuslog

Note See “C.6 Server-Based TACACS+ Router Authorization Diagnostics.”

Step 4 Configure, verify, and test operation of AAA server Group rtr_super.

The following tasks illustrate configuring, verifying, and testing group rtr_super for compliance with the requirements specified in Table 4-1:

a. Create the group rtr_super.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_super -a 'service=shell {\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\n}\n'
Profile Successfully Added

b. Verify the group rtr_super.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_super
Group Profile Information
group = rtr_super{
profile_id = 40
profile_cycle = 1
service=shell {
default cmd=permit
cmd=debug {
deny all
permit .*
}
}
}

c. Create the member rtr_geek and assign this user to group rtr_super.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_geek -pr rtr_super -pw des,ciscorules
Profile Successfully

d. Verify the user rtr_geek.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_geek
User Profile Information
user = rtr_geek{
profile_id = 45
profile_cycle = 1
member = rtr_super
password = des "********"
}

e. Test the Cisco IOS commands for the user rtr_geek (see Table 4-1) with these commands:

– Simultaneously monitor the output of debug aaa authorization from a console shell session and the AAA server csuslog file.


– Log in to the router by using a new terminal window with the rtr_geek account and enter the commands shown in Table 4-1.

– From the AAA server, enter the following command to obtain the matching csuslog content:

<CSUserver>$tail -f /var/log/csuslog

Note See “C.6 Server-Based TACACS+ Router Authorization Diagnostics.”
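As an added check that is not part of the case study and not CiscoSecure or Cisco IOS code, the following Python script parses the three service=shell group profiles exactly as they were passed to AddProfile in Steps 2 through 4 and evaluates the Table 4-1 commands against them, before anyone has to log in with a test account. The matching semantics are an assumption modelled on tac_plus: default cmd applies only to commands that have no cmd= block, inside a block the first pattern that matches the argument string wins, and an argument string that matches no pattern is denied.

```python
"""Evaluate CiscoSecure UNIX service=shell group profiles offline, the way the
command-authorization stage of Figure 4-5 would.

Added illustration; not CiscoSecure or Cisco IOS code.  Matching semantics are an
assumption modelled on tac_plus: `default cmd=` covers only commands that have no
cmd= block, inside a block the first matching argument pattern wins, and an
argument string that matches no pattern is denied.
"""
import re
from dataclasses import dataclass, field

# The -a arguments from the AddProfile commands in Steps 2 through 4, verbatim
# (raw strings keep the literal \n sequences exactly as typed in the shell).
GROUP_PROFILES = {
    "rtr_low": r'service=shell{\ndefault cmd=deny\n}\n',
    "rtr_tech": r'service=shell {\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\n'
                r'cmd=reload{\ndeny all\n}\ncmd=configure{\ndeny .*}\n}\n',
    "rtr_super": r'service=shell {\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\n}\n',
}


@dataclass
class ShellPolicy:
    default: str = "deny"                     # value of "default cmd=" (permit|deny)
    cmds: dict = field(default_factory=dict)  # command -> [(action, argument regex), ...]


def parse_shell_profile(text: str) -> ShellPolicy:
    """Parse the service=shell { ... } block of a CSU group or user profile."""
    text = text.replace("\\n", "\n")                  # CLI-style literal \n -> newline
    text = re.sub(r"\s*([{}])\s*", r"\n\1\n", text)   # one brace per line ("cmd=reload{", "deny .*}")
    policy = ShellPolicy()
    current = None                                    # name of the cmd= block being filled
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "{":
            depth += 1
        elif line == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced '}' in profile")
            if depth == 1:
                current = None                        # left a cmd= block
        elif line.startswith("service="):
            if line != "service=shell":
                raise ValueError(f"not a shell service block: {line}")
        elif line.startswith("default cmd="):
            policy.default = line.split("=", 1)[1].strip()
        elif line.startswith("cmd="):
            current = line.split("=", 1)[1].strip()
            policy.cmds.setdefault(current, [])
        else:
            action, _, pattern = line.partition(" ")
            if action not in ("permit", "deny") or current is None:
                raise ValueError(f"unexpected profile line: {line}")
            policy.cmds[current].append((action, pattern.strip()))
    if depth != 0:
        raise ValueError("unbalanced '{' in profile")
    return policy


def authorize(policy: ShellPolicy, command_line: str) -> bool:
    """True if the policy permits this IOS command line (first word = command)."""
    parts = command_line.split()
    if not parts:
        return False
    cmd, args = parts[0], " ".join(parts[1:])
    rules = policy.cmds.get(cmd)
    if rules is None:                                 # no cmd= block: "default cmd" decides
        return policy.default == "permit"
    for action, pattern in rules:                     # first match wins; patterns are
        if re.search(pattern, args):                  # unanchored regexes over the arguments
            return action == "permit"
    return False                                      # nothing matched: implicit deny


def authorization_matrix(commands):
    """{command: {group: permitted?}} in the shape of Table 4-1."""
    policies = {g: parse_shell_profile(p) for g, p in GROUP_PROFILES.items()}
    return {cmd: {g: authorize(pol, cmd) for g, pol in policies.items()} for cmd in commands}


if __name__ == "__main__":
    matrix = authorization_matrix([
        "debug all", "debug ip packet", "clear line 1", "reload",
        "show running-config", "copy running-config startup-config", "configure terminal",
    ])
    for cmd, row in matrix.items():
        cells = "  ".join(f"{g}={'Permitted' if ok else 'Denied'}" for g, ok in row.items())
        print(f"{cmd:36} {cells}")
```

Two things the script makes visible under these semantics. As listed, the rtr_tech profile has no cmd=show or cmd=write block, so with default cmd=permit the matcher permits show running-config and write terminal for rtr_tech, whereas Table 4-1 marks them Denied; compare the profile text against the table when reproducing this setup. And because the patterns are unanchored regular expressions, deny all inside cmd=debug also matches any argument string that merely contains the letters all (debug callback, for instance); anchoring the pattern as ^all$ restricts it to the literal debug all.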


CHAPTER 5

Implementing Server-Based AAA Accounting

This chapter focuses on the following two topics:

• 5.1 Implementing Server-Based RADIUS Dial Accounting

• 5.2 Implementing Server-Based TACACS+ Router Accounting

Caution The example configuration fragments used throughout this chapter include IP addresses, passwords, authentication keys, and other variables that are specific to this case study. If you use these fragments as foundations for your own configurations, be sure that your specifications apply to your environment.

Note See “1.1 AAA Technology Summary,” in Chapter 1 for brief definitions of authentication, authorization, and accounting as they relate to AAA security implementation.

5.1 Implementing Server-Based RADIUS Dial Accounting

The information compiled by the Cisco IOS client focuses on the performance of intermediate systems in terms of AAA accounting packet output, disconnect cause codes, elapsed time, packets in/out, and other useful information. This section addresses configuring server-based RADIUS dial accounting on the AAA server and the Cisco IOS client or network access server (NAS).

These steps help you to accomplish the following tasks:

1. Configure the server-based RADIUS dial accounting on the AAA server.

2. Configure server-based RADIUS dial accounting on the NAS.

3. Verify and troubleshoot server-based accounting from the AAA server by using an SQL query to the Oracle dB instance.

4. Verify AAA accounting from the NAS.

Step 1 Configure the server-based RADIUS dial accounting on the AAA server.

Include the following configuration line in /opt/ciscosecure/CLI/config/CSU.cfg to enable group membership accounting:

config_acct_fn_enable = 1


For detailed accounting performance, go to:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23ug/acctg.htm#xtocid84517

Step 2 Configure server-based RADIUS dial accounting on the NAS.

Include the following Cisco IOS commands in your configuration file to support dialup authentication, authorization, and accounting.

aaa new-model
aaa authentication login default group radius local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default stop-only group radius
aaa accounting network default stop-only group radius

Step 3 Verify and troubleshoot server-based accounting from the AAA server by using an SQL query to the Oracle dB instance.

The following examples illustrate the use of SQL query commands to monitor user rad_dial being disconnected due to idletime configured with the line configuration session-timeout command in the NAS:

<CSUServer>$/export/home/oracle> sqlplus

SQL*Plus: Release 3.3.4.0.1 - Production on Mon Apr 17 17:41:52 2000

Copyright (c) Oracle Corporation 1979, 1996. All rights reserved.

Enter user-name: csecure/csecure@ciscoaus
Connected to:
Oracle7 Server Release 7.3.4.0.1 - Production
PL/SQL Release 2.3.4.0.0 - Production

SQL> select * from cs_accounting_log where blob_data like '%rad_dial%';

LOG_ID BLOB_ORDINAL BLOB_DATA
--------------------------------------------------------------------------------
172.22.87.3 rad_dial Async20 65004 stop server=danvers time=17:36:33 date=04/17/2000 task_id=40 timezone=CST service=ppp protocol=ip addr=172.22.83.12 disc-cause=4 disc-cause-ext=1021 pre-bytes-in=132 pre-bytes-out=139 pre-paks-in=5 pre-paks-out=7 bytes_i

Note The disc-cause and disc-cause-ext output both reflect idle timeouts from Table 5-1 listed in “5.3 AAA Disconnect Cause Code Descriptions” in this chapter.

Step 4 Verify AAA accounting from the NAS.

Review and verify the disconnection of the rad_dial user session from the NAS by using the Cisco IOS show caller user and debug aaa accounting commands.

The following example illustrates local accounting diagnostic output in which user rad_dial is disconnected because of a line configuration session-timeout command configured in the NAS:


Note User rad_dial dials into maui-nas-03. Note the session-timeout was applied.

maui-nas-03#show caller user rad_dial detail

User: rad_dial, line tty 20, service Async
  Active time 00:00:47, Idle time 00:00:00
  Timeouts:  Absolute  Idle  Idle  Session  Exec
    Limits:  04:00:00  00:15:00  00:48:00
    Disconnect in:  03:59:12  00:14:59  -
  TTY: Line 20, running PPP on As20
  Location: PPP: 172.22.83.12
  DS0: (slot/unit/channel)=0/0/2
  Line: Baud rate (TX/RX) is 115200/115200, no parity, 1 stopbits, 8 databits
  Status: Ready, Active, No Exit Banner, Async Interface Active
    HW PPP Support Active, Modem Detected
  Capabilities: Hardware Flowcontrol In, Hardware Flowcontrol Out
    Modem Callout, Modem RI is CD, Line usable as async interface, Modem Autoconfigure
    Integrated Modem
  Modem State: Ready, Modem Configured

User: rad_dial, line As20, service PPP
  Active time 00:00:44, Idle time 00:00:08
  Timeouts:  Absolute  Idle
    Limits:  -  00:15:00
    Disconnect in:  -  00:14:50

User rad_dial is disconnected after 15 minutes of inactivity and an accounting packet is sent to the AAA Server:

maui-nas-03#show debug
General OS:
  AAA Accounting debugging is on

*Apr 17 17:36:35.262 CST: AAA/ACCT/ACCT_DISC: Found list "default"
*Apr 17 17:36:35.262 CST: Async20 AAA/DISC: 4/"Idle Timeout"
*Apr 17 17:36:35.262 CST: AAA/ACCT/ACCT_DISC: Found list "default"
*Apr 17 17:36:35.262 CST: Async20 AAA/DISC/EXT: 1021/"Idle Timeout"
*Apr 17 17:36:35.262 CST: Async20 AAA/DISC: 4/"Idle Timeout"
*Apr 17 17:36:35.262 CST: Async20 AAA/DISC/EXT: 1021/"Idle Timeout"

Note The disc-cause and disc-cause-ext both reflect idle timeouts from Table 5-1 listed in “5.3 AAA Disconnect Cause Code Descriptions” in this chapter.


5.2 Implementing Server-Based TACACS+ Router Accounting

These steps help you to accomplish the following tasks:

1. Configure the server-based TACACS+ router accounting on the AAA server.

2. Configure server-based TACACS+ EXEC and command level accounting on the router.

3. Verify and troubleshoot server-based accounting from the AAA server with an SQL query to the Oracle dB instance.

4. Verify and troubleshoot server-based accounting operation from the router.

Step 1 Configure the server-based TACACS+ router accounting on the AAA server.

Include the following configuration line in /opt/ciscosecure/CLI/config/CSU.cfg to enable accounting:

config_acct_fn_enable = 1

For detailed accounting performance, go to:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23ug/acctg.htm#xtocid84517

Step 2 Configure server-based TACACS+ EXEC and command level accounting on the router.

Include the following Cisco IOS commands in your configuration file to enable router EXEC and command AAA authentication, authorization, and accounting:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+

line con 0
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 login authentication NO_AUTHEN

Note Authentication and authorization are disabled on the console port through the NO_AUTHEN and NO_AUTHOR named lists.
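The console exemption in this step and in 4.6 Step 1 depends on the named lists being defined and spelled consistently (4.6 uses NO_AUTHENT where this step uses NO_AUTHEN). The following Python audit is an added example, not Cisco code: it parses IOS configuration text in the form shown above and checks that every list the console line references is defined, that the console lists are none, and that the default login, EXEC and command lists go through tacacs+. The first config string is the fragment from this step; the second is a constructed variant carrying the NO_AUTHENT/NO_AUTHEN mismatch. The finding text's claim that IOS falls back to the default list for an undefined name is this example's assumption and should be confirmed on the release in use.

```python
"""Audit the AAA method-list wiring of a Cisco IOS configuration fragment.

Added illustration, not Cisco code.  Encodes the design of 4.6 Step 1 and
5.2 Step 2: the console line must reference defined lists, those lists must be
"none" (so an unreachable TACACS+ server cannot lock the console, see the boot
ROM note in 4.6), and the default lists must use tacacs+.
"""
import re

# Fragment from 5.2 Step 2 (console uses NO_AUTHEN / NO_AUTHOR).
CONFIG_OK = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
line con 0
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 login authentication NO_AUTHEN
"""

# Constructed variant: the console refers to NO_AUTHENT (the 4.6 spelling) while
# only NO_AUTHEN is defined.
CONFIG_TYPO = CONFIG_OK.replace("login authentication NO_AUTHEN\n",
                                "login authentication NO_AUTHENT\n")


def parse_method_lists(config: str) -> dict:
    """{(kind, list_name): [methods]} for aaa authentication login / aaa authorization lines."""
    lists = {}
    for line in config.splitlines():
        s = line.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", s)
        if m:
            lists[("login", m.group(1))] = m.group(2).split()
            continue
        m = re.match(r"aaa authorization (exec|commands 15) (\S+) (.+)", s)
        if m:
            lists[(m.group(1), m.group(2))] = m.group(3).split()
    return lists


def parse_console_lists(config: str) -> dict:
    """{kind: list_name} applied under 'line con 0'; anything not set uses 'default'."""
    refs = {"login": "default", "exec": "default", "commands 15": "default"}
    in_con = False
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("line con 0"):
            in_con = True
            continue
        if in_con and line and not line[0].isspace():
            in_con = False                      # next unindented command ends the line block
        if not in_con:
            continue
        m = re.match(r"login authentication (\S+)", s)
        if m:
            refs["login"] = m.group(1)
        m = re.match(r"authorization (exec|commands 15) (\S+)", s)
        if m:
            refs[m.group(1)] = m.group(2)
    return refs


def audit_aaa(config: str) -> list:
    """Return findings as strings; an empty list means the wiring matches the design."""
    findings = []
    lists = parse_method_lists(config)
    if "aaa new-model" not in [l.strip() for l in config.splitlines()]:
        findings.append("aaa new-model missing: named method lists have no effect")
    for kind, name in parse_console_lists(config).items():
        methods = lists.get((kind, name))
        if methods is None:
            # Assumption: IOS accepts the reference and the console then uses the default list.
            findings.append(f"console {kind} references undefined list {name!r}; "
                            f"the console would fall back to the default list")
        elif methods != ["none"]:
            findings.append(f"console {kind} list {name!r} is {methods}, not 'none': "
                            f"a TACACS+ outage can lock the console")
    for kind in ("login", "exec", "commands 15"):
        methods = lists.get((kind, "default"), [])
        if "tacacs+" not in methods:
            findings.append(f"default {kind} list does not use tacacs+: {methods}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("5.2 fragment", CONFIG_OK), ("constructed mismatch", CONFIG_TYPO)):
        print(label, "->", audit_aaa(cfg) or "no findings")
```

The audit enforces the case study's choice of a fully exempted console; whether a console should be none or local is a deployment decision that rests on physical access control to the router, so adjust the expected methods rather than treating none as universally correct.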


Step 3 Verify and troubleshoot server-based accounting from the AAA server with an SQL query to the Oracle dB instance.

The following example illustrates the use of the SQL query select command to monitor user rtr_geek entering the configure terminal privilege level 15 command:

SQL> select * from cs_accounting_log where blob_data like '%rtr_geek%';

LOG_ID BLOB_ORDINAL BLOB_DATA
--------------------------------------------------------------------------------
Mon Apr 17 14:06:27 2000 Client-Id = 172.22.80.3 Client-Port-Id = 0 NAS-Port-Type = Async User-Name = "rtr_geek" Acct-Status-Type = Stop

LOG_ID BLOB_ORDINAL BLOB_DATA
--------------------------------------------------------------------------------
172.22.87.3 rtr_geek tty0 async stop server=danvers time=18:10:02 date=04/17/2000 task_id=52 timezone=CST service=shell priv-lvl=15 cmd=configure terminal <cr>

Step 4 Verify and troubleshoot server-based accounting operation from the router.

Enter the configure terminal command to test AAA accounting behavior as follows (be sure the debug aaa accounting command is enabled):

maui-nas-03#show debug
General OS:
  AAA Accounting debugging is on
maui-nas-03#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
maui-nas-03(config)#^Z

This debug command output results from entering the configure terminal command:

*Apr 17 18:14:45.722 CST: AAA/ACCT/CMD: User rtr_geek, Port tty0, Priv 15: "configure terminal <cr>"
*Apr 17 18:14:45.722 CST: AAA/ACCT/CMD: Found list "default"
*Apr 17 18:14:45.726 CST: AAA/ACCT: user rtr_geek, acct type 3 (1057208544): Method=tacacs+ (tacacs+)
*Apr 17 18:14:45.930 CST: TAC+: (1057208544): received acct response status = SUCCESS


5.3 AAA Disconnect Cause Code Descriptions

Table 5-1 lists the disconnect codes reported by Cisco AAA accounting records. The disconnect cause codes are referred to in “5.1 Implementing Server-Based RADIUS Dial Accounting.”

Table 5-1 AAA Disconnect Cause Code Listings

Disconnect Cause Code Description

1 User Request

2 Lost Carrier

3 Lost Service

4 Idle Timeout

5 Session Timeout

6 Admin Reset

7 Admin Reboot

8 Port Error

9 NAS Error

10 NAS Request

11 NAS Reboot

12 Port Unneeded

13 Port Preempted

14 Port Suspended

15 Service Unavailable

16 Callback

17 User Error

18 Host Request

1002 Unknown

1004 CLID Auth Fail

1010 No Carrier

1011 AAA_VAL_DISC_LOST_CARR

1012 No Modem result codes

1020 AAA_VAL_DISC_USER_REQ

1021 AAA_VAL_DISC_IDL_TIMOUT

1022 Exited Telnet

1023 Peer has No IPADDR

1024 AAA_VAL_DISC_LOST_SERV

1025 Password failure

1026 TCP Disabled

1027 Control-C Detected

1028 AAA_VAL_DISC_HOST_REQ

5-6Cisco AAA Implementation Case Study

Page 85: Cisco AAA Implementation Case Study - · PDF fileCisco AAA Implementation Case Study OL-0397-01 1.8.2 Authorization ... A.3 NAS AAA Command ... Authentication and Authorization Session

Chapter 5 Implementing Server-Based AAA Accounting5.3 AAA Disconnect Cause Code Descriptions

1040 LCP Neg Timeout

1041 LCP Neg Failed

1042 PAP Auth Failed

1043 CHAP Auth Failed

1044 Remote Auth Failed

1045 Received Terminate

1046 Upper Layer Req Close

1100 AAA_VAL_DISC_SES_TIMOUT

1101 Fail Security

1102 AAA_VAL_DISC_CALLBACK

1120 AAA_VAL_DISC_SERV_UNAVAIL
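To make the cs_accounting_log rows of 5.1 Step 3 and 5.2 Step 3 and the codes of Table 5-1 usable outside SQL*Plus, here is an added Python example (not CiscoSecure or Oracle code) that parses a BLOB_DATA accounting record into its leading positional fields and its key=value attributes, decodes disc-cause and disc-cause-ext through Table 5-1, and extracts the privilege-level-15 command records that command accounting produces, which is the audit trail an operator reviews after granting the rtr_super group configure terminal. The positional field names (nas, user, port, rem_addr, status) are this example's own labels; the two sample records are the rows shown above, the first reproduced only up to pre-paks-out=7 because it is cut off in the document.

```python
"""Decode AAA accounting records in the form stored in cs_accounting_log.

Added illustration; not CiscoSecure, Cisco IOS or Oracle code.  The positional
field names are this example's own labels for the five leading columns.
"""
from dataclasses import dataclass

# Table 5-1, AAA disconnect cause codes.
DISC_CAUSE = {
    1: "User Request", 2: "Lost Carrier", 3: "Lost Service", 4: "Idle Timeout",
    5: "Session Timeout", 6: "Admin Reset", 7: "Admin Reboot", 8: "Port Error",
    9: "NAS Error", 10: "NAS Request", 11: "NAS Reboot", 12: "Port Unneeded",
    13: "Port Preempted", 14: "Port Suspended", 15: "Service Unavailable",
    16: "Callback", 17: "User Error", 18: "Host Request",
    1002: "Unknown", 1004: "CLID Auth Fail", 1010: "No Carrier",
    1011: "AAA_VAL_DISC_LOST_CARR", 1012: "No Modem result codes",
    1020: "AAA_VAL_DISC_USER_REQ", 1021: "AAA_VAL_DISC_IDL_TIMOUT", 1022: "Exited Telnet",
    1023: "Peer has No IPADDR", 1024: "AAA_VAL_DISC_LOST_SERV", 1025: "Password failure",
    1026: "TCP Disabled", 1027: "Control-C Detected", 1028: "AAA_VAL_DISC_HOST_REQ",
    1040: "LCP Neg Timeout", 1041: "LCP Neg Failed", 1042: "PAP Auth Failed",
    1043: "CHAP Auth Failed", 1044: "Remote Auth Failed", 1045: "Received Terminate",
    1046: "Upper Layer Req Close", 1100: "AAA_VAL_DISC_SES_TIMOUT", 1101: "Fail Security",
    1102: "AAA_VAL_DISC_CALLBACK", 1120: "AAA_VAL_DISC_SERV_UNAVAIL",
}

# The BLOB_DATA rows from 5.1 Step 3 (truncated in the document after pre-paks-out=7)
# and 5.2 Step 3.
SAMPLE_RECORDS = [
    "172.22.87.3 rad_dial Async20 65004 stop server=danvers time=17:36:33 "
    "date=04/17/2000 task_id=40 timezone=CST service=ppp protocol=ip "
    "addr=172.22.83.12 disc-cause=4 disc-cause-ext=1021 pre-bytes-in=132 "
    "pre-bytes-out=139 pre-paks-in=5 pre-paks-out=7",
    "172.22.87.3 rtr_geek tty0 async stop server=danvers time=18:10:02 "
    "date=04/17/2000 task_id=52 timezone=CST service=shell priv-lvl=15 "
    "cmd=configure terminal <cr>",
]


@dataclass
class AcctRecord:
    nas: str        # these five names are this example's labels for the leading columns
    user: str
    port: str
    rem_addr: str
    status: str     # start / stop
    attrs: dict     # key=value attributes; values may contain spaces (cmd=configure terminal <cr>)


def parse_acct_record(line: str) -> AcctRecord:
    """Split a record into five positional fields and a dict of key=value attributes."""
    tokens = line.split()
    head = []
    while tokens and "=" not in tokens[0]:
        head.append(tokens.pop(0))
    if len(head) != 5:
        raise ValueError(f"expected 5 leading fields, got {head}")
    attrs, key = {}, None
    for tok in tokens:
        if "=" in tok:                       # a new attribute starts
            key, value = tok.split("=", 1)
            attrs[key] = value
        elif key is not None:                # continuation of a multi-word value
            attrs[key] += " " + tok
    return AcctRecord(*head, attrs)


def describe_disconnect(rec: AcctRecord):
    """(code, description, ext_code, ext_description) via Table 5-1, or None if no disc-cause."""
    if "disc-cause" not in rec.attrs:
        return None
    code = int(rec.attrs["disc-cause"])
    ext = rec.attrs.get("disc-cause-ext")
    ext = int(ext) if ext is not None else None
    ext_desc = DISC_CAUSE.get(ext, "unlisted") if ext is not None else None
    return code, DISC_CAUSE.get(code, "unlisted"), ext, ext_desc


def privileged_commands(records):
    """(user, command) for every level-15 shell command stop record."""
    return [(r.user, r.attrs["cmd"]) for r in records
            if r.status == "stop" and r.attrs.get("service") == "shell"
            and r.attrs.get("priv-lvl") == "15" and "cmd" in r.attrs]


if __name__ == "__main__":
    recs = [parse_acct_record(r) for r in SAMPLE_RECORDS]
    for r in recs:
        print(r.user, r.port, r.status, describe_disconnect(r))
    print("privilege 15 commands:", privileged_commands(recs))
```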


CHAPTER 6

Diagnosing and Troubleshooting AAA Operations

This chapter focuses on diagnosing and troubleshooting negotiations between AAA devices. This section reviews the case study environment and outlines the protocol flows associated with AAA negotiations in the context of this network environment. The subsequent sections focus on specific troubleshooting techniques as follows:

• 6.1 Overview of Authentication and Authorization Processes

• 6.2 Troubleshooting AAA Implementation

• 6.3 AAA Troubleshooting Basics

• 6.4 Troubleshooting Scenarios


6.1 Overview of Authentication and Authorization Processes

Before jumping immediately into troubleshooting AAA problems, it is useful to review authentication and authorization processes. Figure 6-1 provides the general scenario this case study is built around. The primary elements of this environment are the AAA server, the AAA database, and the NAS.

Figure 6-1 Basic AAA Case Study Environment

[Figure 6-1 shows the case study network: clients with modems reach a Cisco AS5x00 with integrated modems over the PSTN (PRI lines and analog lines); the access server sits on an IP intranet behind a default gateway and an Internet firewall to the Internet; also on the intranet are the AAA server, the Oracle dB server, the DNS server, and a network element management server (NTP, Syslog, SNMP).]


The negotiation suggested in Figure 6-1 is expanded in Figure 6-2 which presents the logical flow of the authentication and authorization processes and illustrates the relationship between the elements within the TACACS+ based AAA negotiation. While the network access server (NAS) communicates directly with the AAA server, the AAA server in turn exchanges information with the Oracle database server.

Figure 6-2 Dial Access Authentication and Authorization Flow Diagram

[Figure 6-2 shows the network access server sending a TACACS+ query to CiscoSecure ACS. The AAA server checks "Valid user?" and "Password = ?", confirming the password in the Oracle database through SQL; each check yields Pass or Fail. On Pass, authorization follows and the result is returned to the NAS.]


The RADIUS dial-access authentication and authorization illustrated in Figure 6-3 describes RADIUS negotiation between the NAS and the AAA server. User rad_dial is permitted PPP access through EXEC shell (character mode) or autoselect PPP (packet mode).

Figure 6-3 RADIUS Dial Access Authentication and Authorization Process

Note Unlike TACACS+, the authentication and authorization processes are not handled as separate stages in RADIUS-based AAA access control.

[Figure 6-3 shows the exchange between the NAS and the AAA server along network time: an Access request carrying the username and password, then an Access accept with User-Service-Type (Shell-User) or User-Service-Type (Framed-User) and Framed-Protocol = PPP. The AAA server user configuration shown in the figure is:]

user=rad_dial{
password=PAP "****"
radius=Cisco{
reply_attributes={6=66=27=1}}


Figure 6-4 and Figure 6-5 expand on the basic negotiation flow depicted in Figure 6-2 by illustrating the specific TACACS+ negotiation process associated with particular users, as defined in their respective CSU profiles.

Figure 6-4 TACACS+ Dial Access Authentication and Authorization Session (EXEC Enabled)

The difference in authorization behavior stems from the use of two commands in the AAA server user configurations. The default_cmd=permit command included in the example in Figure 6-4 enables default privilege level 15 commands for user x.

As configured in Figure 6-4, the session for user x depicts a process that involves either a shell initiated or a standard PPP session. The same negotiations are used in initiating shell access to a router.

[Figure 6-4 shows the session between the access server, the AAA server, and the Oracle DB along network time, in three stages. Authentication: Send start, Get user, Send user, Get pass, Send password, Pass (User = x). Authorization: Send AV service = shell, AV cmd*; Pass, user = x. Authorization: Send AV service = ppp, protocol = IP, addr-pool = default; Pass, user = x; Send AV service = ppp, protocol = lcp; Pass, user = x; Send AV service = ppp, protocol = ip; Pass. The CSU user configuration shown in the figure is:]

user x =
password = PAP
service = shell {default_cmd = permit}
service = shell {protocol = ip {set addr-pool = default}
protocol = lcp {}


Both figures depict the stages of dial access authentication and authorization sessions between an access server and an AAA server. The key difference is defined in the CSU user configuration (profiles) included in each illustration. In Figure 6-4, EXEC shell access authorization is permitted while it is not permitted in the illustration depicted in Figure 6-5.

Figure 6-5 TACACS+ Dial Access Authentication and Authorization Session (EXEC Shell Disabled)

The example session illustrated in Figure 6-5 omits the default_cmd=permit AVP and instead includes the autocmd=ppp negotiate AVP disabling EXEC shell access to IOS devices. User y fails any attempt to access the router and receives the message PPP not allowed on this interface as a result of the PPP configuration statement. This distinction provides an element of security, blocking access to routers.

[Figure 6-5 shows the session between the access server, the AAA server, and the Oracle database along network time. Authentication: Send start, Get user, Send Abort (Autoselect PPP), user = x Authenticate peer, Send password, Pass. Network Authorization: LCP request; user = y, service = ppp, protocol = lcp; Pass; CONFREQ for options; Pass. The CSU user configuration shown in the figure is:]

user = y
password = PAP
service = shell {set autocmd = ppp negotiate}
service = ppp {protocol = ip{set addr pool = default}
protocol = lcp {}


6.2 Troubleshooting AAA Implementation

These sections help you to accomplish the following tasks:

• 6.2.1 Troubleshooting Methodology Overview

• 6.2.2 Cisco IOS Debug Command Summary

6.2.1 Troubleshooting Methodology Overview

The troubleshooting methodology adopted in this chapter follows these general steps:

1. Isolating the problem.

– Gathering detailed information about trouble.

– Determining the starting point and fault isolation procedures.

2. Correcting the problem.

– Making appropriate hardware, software, or configuration changes to correct the problem.

3. Verifying that the trouble is corrected.

– Performing operational tests to verify that trouble is corrected.

The troubleshooting tables presented in “6.3 AAA Troubleshooting Basics” and the example scenarios presented in “6.4 Troubleshooting Scenarios” generally follow this methodology: they list typical symptoms and provide the associated problems and diagnostic measures.

6.2.2 Cisco IOS Debug Command Summary

Output from Cisco IOS debug commands provides a valuable source of information and feedback concerning state transitions and functions within the AAA subsystem environment.

Use the debug commands that follow for capturing AAA-related transitions and functions:

• debug condition user username

Enabling this debug command sets conditional debugging for a specific user and generates only the debug output related to that user. This command is helpful for troubleshooting in an enterprise environment, where unconditional debugging would produce output for every session.

• debug aaa authentication

Enabling this debug command displays authentication information with TACACS+ and RADIUS client/server interaction.

• debug aaa authorization

Enabling this debug command displays authorization information with TACACS+ and RADIUS client/server interaction.

• debug aaa accounting

Enabling this debug command displays accounting information with TACACS+ and RADIUS client/server interaction.

• debug tacacs

Enabling this debug command displays TACACS+ interaction between the IOS client and the AAA server.

• debug radius


Enabling this debug command displays RADIUS interaction between the IOS client and the AAA server.

In addition to debug command output gathered directly from devices running Cisco IOS, a Cisco AAA server can be configured to collect important operational diagnostics.

Go to the following link for information regarding configuring and using CSU ACS logs:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23rg/troubles.htm

6.3 AAA Troubleshooting Basics

AAA operational diagnostic activity for access environments is divided into the following basic areas:

• Dial-based versus router-based access

• Local versus server access

• Authentication and authorization processes

These three areas can be associated with eight underlying diagnostic situations, which are addressed in the following subsections:

• 6.3.1 Troubleshooting Dial-Based Local Authentication

• 6.3.2 Troubleshooting Dial-Based Server Authentication

• 6.3.3 Troubleshooting Dial-Based Local Authorization

• 6.3.4 Troubleshooting Dial-Based Server Authorization

• 6.3.5 Troubleshooting Router-Based Local Authentication

• 6.3.6 Troubleshooting Router-Based Server Authentication

• 6.3.7 Troubleshooting Router-Based Local Authorization

• 6.3.8 Troubleshooting Router-Based Server Authorization

The following sections address each of the diagnostic topics separately. Detailed scenarios are provided in “6.4 Troubleshooting Scenarios.”

The diagnostics summaries address the troubleshooting process using three basic stages:

1. Identifying symptoms

2. Isolating problems

3. Resolving problems

Each diagnostic table includes suggestions for identifying and isolating problems. Diagnostic information is provided in “6.4 Troubleshooting Scenarios.” Specific diagnostic output is included to illustrate how network entities react to failures and how to discern specific failures.

Note: Some of the symptoms described in the following tables can be caused by a variety of problems other than AAA issues. Because this case study focuses on AAA-based security topics, the problems and diagnostics provided here focus on AAA issues.


6.3.1 Troubleshooting Dial-Based Local Authentication

The following symptoms are addressed in separate tables in this section:

• Single User Failure; Individual Dial-in User Connection Fails

• Multiple User Failure; All Dial-in Users Unable to Connect to NAS

Table 6-1 Single User Failure; Individual Dial-in User Connection Fails

Problem: User entered invalid username or password.
Suggested Diagnostic Steps:
1. To verify local account, enter:
   <NAS>#debug aaa authentication
   Test login with username/password.
   Look for “user not found” or “password validation” failure.
2. If user is not found, add the user. If password validation failure, reenter login with username and password combination.

Table 6-2 Multiple User Failure; All Dial-in Users Unable to Connect to NAS

Problem: AAA behavior configured incorrectly in NAS.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in NAS:
   <NAS>#debug aaa authentication
2. To verify local authentication is configured correctly, enter:
   <NAS>#show running-config
3. Verify inclusion of one of these commands:
   aaa authentication login default local
   or
   aaa authentication ppp default local

Problem: Shell initiated PPP session passes, but is torn down.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in NAS:
   <NAS>#debug aaa authentication
2. To verify AAA is configured correctly in NAS, enter:
   <NAS>#show running-config
3. Verify inclusion of this command:
   aaa authentication ppp default if-needed local


6.3.2 Troubleshooting Dial-Based Server Authentication

The following symptoms are addressed in separate tables in this section:

• Single User Failure; Individual User Unable to Make Connection (RADIUS and TACACS+)

• Multiple User Failure; All Dial-in Users Unable to Connect to NAS (RADIUS and TACACS+)

Table 6-3 Single User Failure; Individual User Unable to Make Connection (RADIUS and TACACS+)

Problem: User name not in server database.
Suggested Diagnostic Steps:
1. To verify user is in database, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username

Problem: User entered password incorrectly.
Suggested Diagnostic Steps:
1. Verify password case-sensitivity.
2. Monitor user activity in AAA server:
   <CSUserver>$tail -f /var/log/csuslog | grep username
3. Review csuslog file for errors (for example, if user is configured for OTP, verify PASSCODE is accepted from OTP server).
4. Reset user password or synchronize PASSCODE if needed.

Problem: User profile configured incorrectly. The error message “bad method for user” is reported in csuslog file.
Suggested Diagnostic Steps:
1. To verify user profile is programmed with correct password type, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
2. Verify user profile privilege is sufficient to perform task.
3. Verify profile is configured for correct password type. For example, PAP for OTP.

Problem: User account disabled due to too many failed logins.
Suggested Diagnostic Steps:
1. To view user profile, enter:
   <CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username
2. Verify that the profile is not disabled. If it is disabled, compare set server current-failed-login counters to max failed login setting in CSU.cfg file.
3. If these attributes are the same, reset user profile status to enabled and reset the set server current-failed-login counter by using the web-based administration utility.

Problem: User account password or profile expired.
Suggested Diagnostic Steps:
1. To view profile, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
2. For TACACS+: Look for expiration in profile, such as:
   expires = "24 Jan 2000"
3. For RADIUS: Look for expiration in profile, such as:
   Password-Expiration = "24 Jan 2000"

Problem: User workstation configured incorrectly.
Suggested Diagnostic Steps:
1. Review user dialup networking setup.
2. To review user profile, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
3. Check for setup for parameter such as “Requires encrypted password.”

Problem: User exceeded the maximum number of concurrent sessions.
Suggested Diagnostic Steps:
To review user profile, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
For TACACS+, look for this AVP:
   max-sessions
For RADIUS, look for this AVP:
   Maximum-Channels


Table 6-4 Multiple User Failure; All Dial-in Users Unable to Connect to NAS (RADIUS and TACACS+)

Problem: Connection between NAS and AAA server is down.
Suggested Diagnostic Steps:
Verify network connectivity between NAS and AAA server. Enter these diagnostic commands in NAS:
   <NAS>#show tacacs
   <NAS>#debug tacacs
   <NAS>#debug radius
   <NAS>#ping CSU-server-name

Problem: TACACS+ or RADIUS key incorrect in NAS or AAA server.
Suggested Diagnostic Steps:
Review NAS and CSU configurations for shared secret.
In NAS, enter:
   <NAS>#show running-config
In AAA server, enter:
   <CSUserver>$grep NAS-IP-Address /opt/ciscosecure/config/CSU.cfg
   <CSUserver>$tail -f /var/log/csuslog

Problem: Maximum number of users exceeded.
Suggested Diagnostic Steps:
1. Verify license key is entered correctly in AAA server. Enter the following command at the CSUserver:
   <CSUserver>$grep license-key /opt/ciscosecure/config/CSU.cfg
2. To review expiration date of license key, enter:
   <CSUserver>$grep license-key /var/log/csuslog

Problem: Group profile password type does not match type specified in NAS group-async or dialer interface configuration (for example, PPP authentication PAP).
Suggested Diagnostic Steps:
1. To review NAS configuration, enter:
   <NAS>#show running-config
2. Verify group-async or dialer interface is configured with correct password type. For example, for OTP, PAP must be specified.
3. Verify group profile matches group-async or dialer interface configuration in NAS.

Problem: Shell initiated PPP session passes, but is torn down.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in NAS:
   <NAS>#debug aaa authentication
2. To verify correct AAA configuration is configured in NAS, enter:
   <NAS>#show running-config
3. Verify one of these commands is included in the NAS configuration:
   aaa authentication ppp default if-needed tacacs+
   or
   aaa authentication ppp default if-needed radius

6.3.3 Troubleshooting Dial-Based Local Authorization

The following symptoms are addressed in separate tables in this section:

• User Cannot Start PPP

• Network Authorization Fails

• Unable to Access Specific Host or Network Service

• Multilink Fails

Table 6-5 User Cannot Start PPP

Problem: User client configuration error.
Suggested Diagnostic Steps:
Refer to MS troubleshooting chapter:
   http://support.microsoft.com/support/kb/articles/Q130/0/79.asp?LNG=ENG&SA=ALLKB


Table 6-6 Network Authorization Fails

Problem: Attribute-value pairs (AVPs) not assigned. (Note: AAA authorization is only supported on shell sessions with local accounts.)
Suggested Diagnostic Steps:
1. Enter this diagnostic command in NAS:
   <NAS>#debug aaa authorization
2. To verify AAA is configured correctly in NAS, enter:
   <NAS>#show running-config
3. Verify inclusion of this command:
   aaa authorization exec default local

Table 6-7 Unable to Access Specific Host or Network Service

Problem: Access list assigned to user.
Suggested Diagnostic Steps:
1. Verify local account not restricted with access-class AVP:
   <NAS>#show running-config
2. Enter these NAS commands to determine whether access list is assigned to user:
   <NAS>#show caller user userid detail
   <NAS>#show line
3. To review the access list, enter this NAS command:
   <NAS>#show access-list ACL-number

Table 6-8 Multilink Fails

Problem: User profile restricted.
Suggested Diagnostic Steps:
To verify user account is not restricted by inclusion of max-links AVP, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username


6.3.4 Troubleshooting Dial-Based Server Authorization

The following symptoms are addressed in separate tables in this section:

• Multiple Users Cannot Start PPP (RADIUS and TACACS+)

• Network Authorization Fails (RADIUS and TACACS+)

• User or Group Members Unable to Access Specific Host or Network Service (RADIUS and TACACS+)

• Multilink Fails (TACACS+)

• Multilink Fails (RADIUS)

• Session Fails to Disconnect After Expected Idle Timeout (TACACS+)

• Session Fails to Disconnect After Expected Idle Timeout (RADIUS)

• No EXEC Shell for TACACS+

• No EXEC Shell for RADIUS

• Cannot Start Concurrent Sessions (TACACS+)

• Cannot Start Concurrent Sessions (RADIUS)


Table 6-9 Multiple Users Cannot Start PPP (RADIUS and TACACS+)

Problem: AAA authorization configured incorrectly in NAS.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in NAS:
   <NAS>#debug aaa authorization
2. To verify AAA is configured correctly in NAS, enter:
   <NAS>#show running-config
3. Verify inclusion of one of these commands:
   aaa authorization network default group tacacs+
   or
   aaa authorization network default group radius

Problem: Group does not have PPP service assigned.
Suggested Diagnostic Steps:
1. To view group profile, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
2. For TACACS+, verify the following AVPs are assigned to group:
   service=ppp
   protocol=lcp
   protocol=ip
3. For RADIUS, verify the following AVPs are assigned to group:
   Service-Type=Framed
   Framed-Protocol=ppp

Problem: Group lacks shell service assigned (EXEC shell-initiated PPP session only).
Suggested Diagnostic Steps:
1. To view group profile, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
2. For TACACS+, verify the following AVP is assigned to group:
   service=shell
3. For RADIUS, verify the following AVP is assigned to group:
   User-Service-Type (Shell-User)


Table 6-10 Network Authorization Fails (RADIUS and TACACS+)

Problem: AVPs not assigned.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in NAS:
   <NAS>#debug aaa authorization
2. To verify AAA is configured correctly in NAS, enter:
   <NAS>#show running-config
3. Verify inclusion of one of these commands:
   aaa authorization network default group tacacs+
   or
   aaa authorization network default group radius

Table 6-11 User or Group Members Unable to Access Specific Host or Network Service (RADIUS and TACACS+)

Problem: Access list assigned to user.
Suggested Diagnostic Steps:
1. To view group profile, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
   Verify group account not restricted with inacl AVP.
2. Enter these NAS commands to determine whether access list is assigned to user:
   <NAS>#show caller user userid detail
   <NAS>#show line
3. Review access list with this NAS command:
   <NAS>#show access-list ACL-number


Table 6-12 Multilink Fails (TACACS+)

Problem: User or group profile lacks proper AVP.
Suggested Diagnostic Steps:
1. To verify group account includes protocol=multilink AVP assigned, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
2. Review profile for load-threshold AVP and whether it is configured properly.

Problem: User or group profile restricted.
Suggested Diagnostic Steps:
To verify group account not restricted with max-links AVP, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname

Table 6-13 Multilink Fails (RADIUS)

Problem: User or group profile lacks proper AVP.
Suggested Diagnostic Steps:
To verify group account includes framed-protocol=multilink AVP assigned, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname

Problem: User or group profile restricted.
Suggested Diagnostic Steps:
To verify group account not restricted with max-links AVP, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname

Table 6-14 Session Fails to Disconnect After Expected Idle Timeout (TACACS+)

Problem: The idletime AVP not configured on group profile.
Suggested Diagnostic Steps:
To verify group account includes idletime AVP assigned, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname

Table 6-15 Session Fails to Disconnect After Expected Idle Timeout (RADIUS)

Problem: The Idle-Timeout AVP not configured on group profile.
Suggested Diagnostic Steps:
To verify group account includes Idle-Timeout AVP assigned, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
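The TACACS+ profile checks in Tables 6-3, 6-9, 6-12 through 6-14 and 6-16 through 6-19 (and the service=shell, autocmd and priv-lvl checks in Tables 6-30, 6-33 and 6-34) all come down to reading AVPs out of a ViewProfile listing. The Python checker below is an added example, not part of the case study or of CiscoSecure: it parses the brace-structured profile syntax the study shows and flags each condition a table tells you to look for. The two profiles are constructed, the placement of max-sessions at user level is an assumption (the study only names the AVP), and the study's date, May 2000, is assumed as "today".

```python
"""Checker for the CSU TACACS+ profile conditions the Chapter 6 tables look for
(expiry, max-sessions, idletime, service=shell, autocmd, priv-lvl). Added example,
not CiscoSecure code; the profiles are constructed in the study's brace syntax."""
from datetime import date, datetime

STUDY_DATE = date(2000, 5, 1)   # assumed "today": the case study is dated May 2000

# Constructed user profile: expired, session-limited, and forced into PPP by autocmd.
# Where max-sessions sits in a real profile is assumed; the study only names the AVP.
SAMPLE_USER_Y = """
user = y {
    expires = "24 Jan 2000"
    max-sessions = 2
    service = shell {
        set autocmd = "ppp negotiate"
        set priv-lvl = 15
        idletime = 10
    }
    service = ppp {
        protocol = ip {
            set addr-pool = default
        }
        protocol = lcp {
        }
    }
}
"""

# Constructed group profile that grants PPP only: no shell service, no idle timeout.
SAMPLE_GROUP_PPP = """
group = dialin {
    service = ppp {
        protocol = lcp {
        }
    }
}
"""


def parse_profile(text):
    """Parse the brace-structured profile into nested blocks of the form
    {"name": "key=value", "attrs": {...}, "children": [...]}."""
    root = {"name": "root", "attrs": {}, "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) > 1:              # tolerate a stray closing brace
                stack.pop()
            continue
        if line.endswith("{"):
            key, _, val = line[:-1].partition("=")
            node = {"name": f"{key.strip()}={val.strip()}", "attrs": {}, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
            continue
        if line.startswith("set "):        # 'set' prefix carries no meaning for the checks
            line = line[4:]
        key, _, val = line.partition("=")
        stack[-1]["attrs"][key.strip()] = val.strip().strip('"')
    return root


def find_service(block, name):
    """Return the 'service = <name>' child of a user or group block, or None."""
    for child in block["children"]:
        if child["name"] == f"service={name}":
            return child
    return None


def check_profile(text, today=STUDY_DATE, required_priv=15):
    """Return (table, finding) pairs, one per table condition present in the profile."""
    profile = parse_profile(text)["children"][0]     # the single user/group block
    attrs = profile["attrs"]
    findings = []
    expires = attrs.get("expires")
    if expires and datetime.strptime(expires, "%d %b %Y").date() < today:
        findings.append(("6-3", f"profile expired on {expires}"))
    if "max-sessions" in attrs:
        findings.append(("6-18", f"max-sessions = {attrs['max-sessions']} caps concurrent sessions"))
    if find_service(profile, "ppp") is None:
        findings.append(("6-9", "no service=ppp: PPP sessions fail network authorization"))
    shell = find_service(profile, "shell")
    if shell is None:
        findings.append(("6-34", "no service=shell: EXEC login gets 'Authorization failed service'"))
    else:
        if shell["attrs"].get("autocmd", "").startswith("ppp negotiate"):
            findings.append(("6-33", "autocmd 'ppp negotiate' forces PPP; no EXEC shell on this line"))
        priv = int(shell["attrs"].get("priv-lvl", 1))   # IOS default privilege level is 1
        if priv < required_priv:
            findings.append(("6-30", f"priv-lvl {priv} is below the {required_priv} the command needs"))
    if "idletime" not in attrs and (shell is None or "idletime" not in shell["attrs"]):
        findings.append(("6-14", "no idletime AVP: idle sessions are never disconnected"))
    return findings
```

check_profile(SAMPLE_USER_Y) reports Tables 6-3, 6-18 and 6-33 for user y; the PPP-only group reports Tables 6-34 and 6-14.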


Table 6-16 No EXEC Shell for TACACS+

Problem: User or group lacks service=shell AVP assigned.
Suggested Diagnostic Steps:
To verify service=shell is assigned to user or group, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username

Table 6-17 No EXEC Shell for RADIUS

Problem: User or group does not have User-Service-Type AVP assigned.
Suggested Diagnostic Steps:
To verify User-Service-Type (Shell-User) is assigned to user or group, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username

Table 6-18 Cannot Start Concurrent Sessions (TACACS+)

Problem: User exceeds the maximum number of concurrent sessions.
Suggested Diagnostic Steps:
1. To review the user profile, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
2. Look for the following AVP:
   server max sessions

Table 6-19 Cannot Start Concurrent Sessions (RADIUS)

Problem: User exceeds the maximum number of concurrent sessions.
Suggested Diagnostic Steps:
1. To review the user profile, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
2. Look for the following AVP:
   Maximum-Channels

6.3.5 Troubleshooting Router-Based Local Authentication

The following symptoms are addressed in separate tables in this section:

• Single User Failure; Individual Dial-in User Connection Fails

• Multiple User Failure; All Dial-in Users Unable to Connect to Router

• Users Can Access Router by Using Console or VTY, but Not Both

Table 6-20 Single User Failure; Individual Dial-in User Connection Fails

Problem: User entered invalid username or password.
Suggested Diagnostic Steps:
1. To verify local account, enter:
   <router>#debug aaa authentication
2. Test login with username/password.
3. Look for “user not found” or “password validation” failure.

Table 6-21 Multiple User Failure; All Dial-in Users Unable to Connect to Router

Problem: AAA behavior configured incorrectly in router.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in router:
   <router>#debug aaa authentication
2. To verify local authentication is configured correctly, enter:
   <router>#show running-config
3. Verify inclusion of the appropriate command (login or PPP):
   aaa authentication login default local
   or
   aaa authentication ppp default local


Table 6-22 Users Can Access Router by Using Console or VTY, but Not Both

Problem: Incorrect AAA configuration in router.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in router:
   <router>#debug aaa authentication
2. To verify AAA is configured correctly in router, enter:
   <router>#show running-config
3. Verify method used for console authentication matches VTY method. For example:
   • AAA configuration:
     aaa authentication login listname group tacacs+
   • Console line configuration:
     line con 0
      login authentication listname
   • VTY line configuration:
     line vty 0 4
      login authentication listname

6.3.6 Troubleshooting Router-Based Server Authentication

The following symptoms are addressed in separate tables in this section:

• Single User Failure; Individual User Unable to Make a Connection

• Multiple User Failure; All Dial-In Users Unable to Connect to the Router

• Users Pass Authentication on Console or VTY, but Not Both


Table 6-23 Single User Failure; Individual User Unable to Make a Connection

Problem: User name not in server database.
Suggested Diagnostic Steps:
1. To verify user is in database, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username

Problem: User entered password incorrectly.
Suggested Diagnostic Steps:
1. Verify password case sensitivity.
2. To monitor user activity in AAA server, enter:
   <CSUserver>$tail -f /var/log/csuslog | grep username
3. Review csuslog file for errors.

Problem: User profile configured incorrectly. The error message “bad method for user” is reported in csuslog file.
Suggested Diagnostic Steps:
1. To verify user profile is programmed with correct password type, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
2. Verify user profile privilege is sufficient to perform task.
3. Verify profile is configured for correct password type. For example, DES or clear text.

Problem: User account disabled due to too many failed logins.
Suggested Diagnostic Steps:
1. To view user profile, enter:
   <CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username
2. Verify that the profile is not disabled. If it is disabled, compare set server current-failed-login counters to max failed login setting in CSU.cfg file.
3. If these attributes are the same, reset user profile status to enabled and reset the set server current-failed-login counter by using the web-based administration utility.

Problem: User account password or profile expired.
Suggested Diagnostic Steps:
1. To view profile, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
2. Look for expiration in profile, such as:
   expires = "24 Jan 2000"

Problem: User exceeds the maximum number of concurrent sessions.
Suggested Diagnostic Steps:
1. To review the user profile, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
2. Look for the following AVP:
   server max sessions


Table 6-24 Multiple User Failure; All Dial-In Users Unable to Connect to the Router

Problem: Connection between router and AAA server down.
Suggested Diagnostic Steps:
Verify network connectivity between router and AAA server. Enter these diagnostic commands in router:
   <router>#show tacacs
   <router>#debug tacacs
   <router>#debug radius
   <router>#ping CSU-IP-address

Problem: TACACS+ key incorrect in router or AAA server.
Suggested Diagnostic Steps:
Review router and CSU configurations for shared secret.
In the router, enter:
   <router>#show running-config
In the AAA server, enter:
   <CSUserver>$grep router-IP-address /opt/ciscosecure/config/CSU.cfg

Problem: Maximum number of users exceeded.
Suggested Diagnostic Steps:
1. Verify license key is entered correctly in AAA server. Enter the following command at the CSUserver:
   <CSUserver>$grep license-key /opt/ciscosecure/config/CSU.cfg
2. To review the expiration date of the license key, enter:
   <CSUserver>$grep license-key /var/log/csuslog


Table 6-25 Users Pass Authentication on Console or VTY, but Not Both

Problem: Incorrect AAA configuration in router.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in router:
   <router>#debug aaa authentication
2. To verify AAA is configured correctly in router, enter:
   <router>#show running-config
3. Verify method used for console authentication matches VTY method. For example:
   • AAA configuration:
     aaa authentication login listname group tacacs+
   • Console line configuration:
     line con 0
      login authentication listname
   • VTY line configuration:
     line vty 0 4
      login authentication listname

6.3.7 Troubleshooting Router-Based Local Authorization

The following symptoms are addressed in separate tables in this section:

• User Fails Router Command

• User Disconnected After Entering a Password

• Users Access Incorrect Privilege Level Commands

• Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected”


Table 6-26 User Fails Router Command

Problem: AAA configuration error.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in router to determine method of authorization and failure:
   <router>#debug aaa authorization
2. To verify AAA is configured correctly in router, enter:
   <router>#show running-config
   Example: If aaa authorization commands is used, ensure method specified is local.

Problem: User profile lacks appropriate privilege level to perform command.
Suggested Diagnostic Steps:
To review privilege configuration in router, enter:
   <router>#show running-config
Example: Cisco IOS command aaa authorization commands 15 default local is used, but user does not have a corresponding privilege level assigned.

Problem: User profile lacks appropriate enable level to perform command.
Suggested Diagnostic Steps:
To review enable privilege level configuration in router, enter:
   <router>#show running-config
Example of relevant Cisco IOS commands:
   aaa authentication enable default local
   enable 15 secret
   enable 10 secret2
In this example, users at enable level 10 cannot perform privilege level 15 commands.

Table 6-27 User Disconnected After Entering a Password

Problem: Authorization failed service. Looks like an authentication problem, but is an authorization failure.
Suggested Diagnostic Steps:
To review AAA configuration, enter:
   <router>#show running-config
If aaa authorization exec command specifies method other than local, user fails shell access.
For example, aaa authorization exec default tacacs+ results in local user failing authorization.
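Tables 6-2, 6-22, 6-25, 6-27 and 6-31 all reduce to a consistency check on the running configuration: the login list a line names must be defined, console and VTY must resolve to the same authentication method, and the exec authorization method must accept the users the login method authenticated. The Python linter below is an added example, not Cisco code; it reads a running-config excerpt and reports each mismatch with the table that describes it. Both configuration excerpts are constructed.

```python
"""Linter for the AAA consistency checks in Tables 6-2, 6-22, 6-25, 6-27 and 6-31:
each line's login list must exist, console and VTY must resolve to the same
method, and exec authorization must accept the users that login authenticated.
Added example, not Cisco code; both running-config excerpts are constructed."""

# Constructed excerpt with both mistakes: console and VTY authenticate through
# different lists, and local users then hit a tacacs+-only exec authorization.
BROKEN_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login listname group tacacs+
aaa authorization exec default group tacacs+
aaa authorization commands 15 default local
line con 0
 login authentication listname
line vty 0 4
 login authentication default
"""

# Constructed corrected excerpt: both line types use listname, and exec
# authorization names the same server group with local as the fallback.
FIXED_CONFIG = """\
aaa new-model
aaa authentication login listname group tacacs+ local
aaa authorization exec default group tacacs+ local
line con 0
 login authentication listname
line vty 0 4
 login authentication listname
"""

USER_DATABASES = {"local", "tacacs+", "radius"}   # methods that say where the user record lives


def _methods(tokens):
    """Normalize a method list: drop the 'group' keyword so 'group tacacs+' becomes 'tacacs+'."""
    return [t for t in tokens if t != "group"]


def parse_config(text):
    """Collect login lists, exec authorization lists and the login list each line uses."""
    cfg = {"login_lists": {}, "exec_lists": {}, "line_login": {}}
    current = None                      # name of the line block being read, if any
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if raw.startswith("aaa authentication login "):
            cfg["login_lists"][tokens[3]] = _methods(tokens[4:])
        elif raw.startswith("aaa authorization exec "):
            cfg["exec_lists"][tokens[3]] = _methods(tokens[4:])
        elif raw.startswith("line "):
            current = " ".join(tokens[1:])          # "con 0", "vty 0 4", ...
            cfg["line_login"][current] = "default"  # no explicit list means 'default'
        elif raw.startswith(" "):
            if current and tokens[:2] == ["login", "authentication"]:
                cfg["line_login"][current] = tokens[2]
        else:
            current = None                  # any other top-level command ends the line block
    return cfg


def check_config(text):
    """Return (table, finding) pairs for the mismatches the tables describe."""
    cfg = parse_config(text)
    findings = []
    resolved = {}                           # line -> methods actually used to log in
    for line, list_name in cfg["line_login"].items():
        if list_name not in cfg["login_lists"]:
            findings.append(("6-2", f"line {line}: login list '{list_name}' is not defined by"
                             " any aaa authentication login command"))
        else:
            resolved[line] = cfg["login_lists"][list_name]
    con = [m for line, m in resolved.items() if line.startswith("con")]
    vty = [m for line, m in resolved.items() if line.startswith("vty")]
    if con and vty and con[0] != vty[0]:
        findings.append(("6-22", f"console authenticates with {con[0]} but VTY with {vty[0]}"))
    exec_methods = cfg["exec_lists"].get("default", [])
    if exec_methods and "if-authenticated" not in exec_methods:
        for line, login_methods in resolved.items():
            unreachable = [m for m in login_methods if m in USER_DATABASES and m not in exec_methods]
            if unreachable:
                findings.append(("6-27", f"line {line}: users authenticated by {unreachable} fail"
                                 f" aaa authorization exec {exec_methods} and are disconnected"))
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_config(text))
```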


Table 6-28 Users Access Incorrect Privilege Level Commands

Problem: AAA behavior incorrectly configured.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in router to determine level of command authorization:
   <router>#debug aaa authorization
2. To review AAA configuration in router, enter:
   <router>#show running-config
3. Verify AAA configured properly in router. For example:
   aaa authorization commands 15 default local

Table 6-29 Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected”

Problem: The autocommand ppp negotiate command assigned to user.
Suggested Diagnostic Steps:
1. To verify correct configuration is configured in router, enter:
   <router>#show running-config
   Look for autocommand ppp negotiate command assigned to user.
2. Delete autocommand ppp negotiate if appropriate.

6.3.8 Troubleshooting Router-Based Server Authorization

The following symptoms are addressed in separate tables in this section:

• User Fails Router Command

• User Disconnected After Entering Password

• Users Access Incorrect Privilege Level Commands

• Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected”

• Router User Unable to Initiate Shell Session with Router

• AVPs Not Working on Console Port


Table 6-30 User Fails Router Command

Problem: AAA configuration error.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in router to determine method of authorization and failure:
   <router>#debug aaa authorization
2. To review AAA configuration in router, enter:
   <router>#show running-config
   Example: If aaa authorization commands is used, ensure method specified is tacacs+.

Problem: User profile lacks appropriate privilege level to perform command.
Suggested Diagnostic Steps:
To view user profile for appropriate priv-lvl=x AVP, enter:
   <CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username

Problem: User profile lacks appropriate enable privilege level to perform command.
Suggested Diagnostic Steps:
To view user profile for appropriate enable privilege level, enter:
   <CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username
For example:
   privilege = des "********" 15

Table 6-31 User Disconnected After Entering Password

Problem: Authorization failed service.
Suggested Diagnostic Steps:
To review AAA configuration, enter:
   <router>#show running-config
If aaa authorization exec command specifies method other than TACACS+, user fails shell access.
For example, aaa authorization exec default local results in TACACS+ user failing authorization.


Table 6-32 Users Access Incorrect Privilege Level Commands

Problem: AAA behavior incorrectly configured.

Suggested Diagnostic Steps:

1. Enter this diagnostic command on the router to determine the level of command authorization:

<router>#debug aaa authorization

2. To verify that AAA is configured correctly on the router, enter:

<router>#show running-config

Example of the relevant Cisco IOS command:

aaa authorization commands 15 default group tacacs+

Problem: User profile configured incorrectly.

Suggested Diagnostic Steps: To view the user profile for the appropriate priv-lvl=x AVP, enter:

<CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username

Table 6-33 Router User Receives Error Message Stating "This Line Not Allowed to Run PPP and is Disconnected"

Problem: The autocommand ppp negotiate AVP is assigned to the user.

Suggested Diagnostic Steps:

1. To view the user profile for inclusion of the autocommand ppp negotiate AVP, enter:

<CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username

2. Delete autocommand ppp negotiate if appropriate.

Table 6-34 Router User Unable to Initiate Shell Session with Router

Problem: Lack of the service=shell AVP; the user sees the "Authorization failed service" error message.

Suggested Diagnostic Steps: To view the user profile for inclusion of the service=shell AVP, enter:

<CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username

Table 6-35 AVPs Not Working on Console Port

Problem: The feature is not supported on console ports.

Suggested Diagnostic Steps: None. Per-user AVPs returned by the AAA server are not applied to console sessions; control console behavior with the line's own method lists instead (the line con 0 configuration in Appendix A.1.1 applies the NO_AUTHEN and NO_AUTHOR lists there).


6.4 Troubleshooting Scenarios

The following example troubleshooting scenarios elaborate the process of diagnosing, correcting, and testing several problems addressed in "6.3 AAA Troubleshooting Basics":

• 6.4.1 Isolating Incorrect TACACS+ Key in NAS or AAA Server (TACACS+ Dial-Based Server Authentication)

• 6.4.2 Isolating Invalid User Password (TACACS+ Dial-Based Server Authentication)

• 6.4.3 Isolating Non-Existent User (TACACS+ Dial-Based Server Authentication)

• 6.4.4 Isolating Missing PPP Service Definition (TACACS+ Dial-Based Server Authorization)

• 6.4.5 Isolating Defined AVPs not Being Assigned (TACACS+ Dial-Based Server Authorization)

• 6.4.6 Isolating Missing Shell Service Definition (TACACS+ Dial-Based Server Authorization)

• 6.4.7 Isolating Incorrect PPP Reply Attributes (RADIUS Dial-Based Server Authorization)

6.4.1 Isolating Incorrect TACACS+ Key in NAS or AAA Server (TACACS+ Dial-Based Server Authentication)

This scenario focuses on a server-authentication failure for a dial-based connection and provides a statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics include output from relevant debug commands and other troubleshooting tools. See Table 6-4 for additional related problems.

Symptom Multiple user failure; all dial-in users unable to connect to NAS. See Table 6-4.

Possible Cause TACACS+ key incorrect in NAS or AAA server. See Table 6-4.

Action Complete troubleshooting steps to isolate and resolve this possible cause.

Step 1 Gather general debug command information from the NAS. The following output is from a debug aaa authentication command executed on the NAS. The last line of this debug output shows the failure (AUTHEN status = FAIL) returned for user dial_tac.

088189: Jan 27 18:37:22.972 CST: AAA/MEMORY: create_user (0x61D7A2E0) user='' ruser='' port='tty51' rem_addr='172.22.2.3' authen_type=ASCII service=LOGIN priv=1
088190: Jan 27 18:37:22.976 CST: AAA/AUTHEN/START (953379418): port='tty51' list=
... id=3035625154
088203: Jan 27 18:37:26.216 CST: TAC+: ver=192 id=3035625154 received AUTHEN status = GETPASS
088204: Jan 27 18:37:26.216 CST: AAA/AUTHEN (3035625154): status = GETPASS
088205: Jan 27 18:37:30.337 CST: AAA/AUTHEN/CONT (3035625154): continue_login (user='dial_tac')
088206: Jan 27 18:37:30.337 CST: AAA/AUTHEN (3035625154): status = GETPASS
088207: Jan 27 18:37:30.337 CST: AAA/AUTHEN (3035625154): Method=ADMIN (tacacs+)
088208: Jan 27 18:37:30.337 CST: TAC+: send AUTHEN/CONT packet id=3035625154
088209: Jan 27 18:37:30.637 CST: TAC+: ver=192 id=3035625154 received AUTHEN status = FAIL

Step 2 Enter the following command to assess warnings and errors reported in the AAA server log file:

<CSUserver>$tail -f /var/log/csuslog

6-29Cisco AAA Implementation Case Study

Page 116: Cisco AAA Implementation Case Study - · PDF fileCisco AAA Implementation Case Study OL-0397-01 1.8.2 Authorization ... A.3 NAS AAA Command ... Authentication and Authorization Session

Chapter 6 Diagnosing and Troubleshooting AAA Operations6.4 Troubleshooting Scenarios

The AAA server log file reports the following warning when no key is specified (indicating that there is no encryption key):

Jan 27 18:35:17 coachella CiscoSecure: WARNING - Insecure configuration: No encryption key for NAS <default>

Step 3 Review NAS configurations for shared secret configuration. To obtain the NAS configuration, enter:

<NAS>#show running-config

The following configuration fragment specifies the TACACS+ server and key. In this case, the key is bobbit.

tacacs-server host 172.22.53.201 key bobbit

Review the AAA server configuration for the corresponding server shared secret configuration. View the CSU.cfg file with vi (or a similar tool):

<CSUserver>$vi /opt/ciscosecure/config/CSU.cfg

Find the key configuration in the CSU.cfg AAA server configuration file and review it for the NAS specification. In this example, the key is missing:

NAS config_nas_config = { { "172.22.53.201", "",

If the key is properly configured, it appears between the quotation marks following the IP address specification. Here the quotation marks are empty. The NAS and the AAA server must share the same secret, because TACACS+ packet bodies are obfuscated with it; with no key on the server side, every request from this NAS fails, which is why all users are affected rather than a single account.

Step 4 Update the key specification so that the NAS and the AAA server share the same key, restart the AAA server, and verify successful dialup operation.
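The configuration checks in Tables 6-30 through 6-32 and in this scenario are mechanical, so here is an added Python example (not part of the original guide or of CiscoSecure) that performs them over text captured from show running-config and from CSU.cfg. The regular expressions, the field layout of the CSU.cfg NAS entry beyond the address and key, and the sample fragments are assumptions and constructed input, not data from a real device.

```python
"""Audit the AAA authorization method lists in an IOS running-config and
compare the NAS TACACS+ key with the NAS table in the CiscoSecure CSU.cfg."""
import re

# 'aaa authorization exec default group tacacs+ if-authenticated'
AUTHZ_RE = re.compile(
    r"^aaa authorization (exec|network|commands \d+) (\S+) (.+?)\s*$", re.M)
# 'tacacs-server host 172.22.53.201 key bobbit' (key optional on the host line)
TACACS_HOST_RE = re.compile(r"^tacacs-server host (\S+)(?:.*?\bkey (\S+))?", re.M)
TACACS_GLOBAL_KEY_RE = re.compile(r"^tacacs-server key (\S+)", re.M)
# CSU.cfg NAS table entry: { "172.22.53.201", "key", ... } (layout after the key assumed)
CSU_NAS_RE = re.compile(r'\{\s*"([\d.]+)"\s*,\s*"([^"]*)"')


def _methods(method_text):
    """Turn 'group tacacs+ local' into ['tacacs+', 'local']."""
    out, tokens = [], iter(method_text.split())
    for tok in tokens:
        out.append(next(tokens, "") if tok == "group" else tok)
    return out


def parse_aaa_authorization(config):
    """Map (authorization type, list name) -> ordered method names."""
    return {(kind, name): _methods(methods)
            for kind, name, methods in AUTHZ_RE.findall(config)}


def parse_nas_tacacs_keys(config):
    """Map TACACS+ server address -> key the NAS uses for it."""
    fallback = TACACS_GLOBAL_KEY_RE.search(config)
    fallback = fallback.group(1) if fallback else ""
    return {host: key or fallback for host, key in TACACS_HOST_RE.findall(config)}


def parse_csu_nas_keys(csu_cfg):
    """Map NAS address -> key from the CSU.cfg NAS table."""
    return dict(CSU_NAS_RE.findall(csu_cfg))


def audit(config, csu_cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    authz = parse_aaa_authorization(config)
    exec_methods = authz.get(("exec", "default"), [])
    if exec_methods and "tacacs+" not in exec_methods:
        findings.append("exec default uses %s: TACACS+-authenticated users with no "
                        "local username fail EXEC authorization (Table 6-31)" % exec_methods)
    cmd_methods = authz.get(("commands 15", "default"), [])
    if cmd_methods and "tacacs+" not in cmd_methods:
        findings.append("commands 15 default uses %s, not the TACACS+ server "
                        "(Table 6-30)" % cmd_methods)
    if ("network", "default") not in authz:
        findings.append("no 'aaa authorization network default': AVPs in server "
                        "profiles are never requested for PPP sessions (6.4.5)")
    server_keys = parse_csu_nas_keys(csu_cfg)
    for host, nas_key in parse_nas_tacacs_keys(config).items():
        server_key = server_keys.get(host)
        if server_key is None:
            findings.append("%s has no NAS entry in CSU.cfg" % host)
        elif not nas_key or not server_key:
            findings.append("empty TACACS+ key for %s (NAS=%r, server=%r): all users "
                            "fail (6.4.1)" % (host, nas_key, server_key))
        elif nas_key != server_key:
            findings.append("TACACS+ key mismatch for %s: all users fail (6.4.1)" % host)
    return findings


# Constructed fragments (not from a real device or server) reproducing the
# misconfigurations described in the tables and in section 6.4.1.
BROKEN_RUNNING_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default local
aaa authorization commands 15 default local
tacacs-server host 172.22.53.201 key bobbit
"""
BROKEN_CSU_CFG = """\
NAS config_nas_config = {
  { "172.22.53.201", "", "", 0 },
};
"""
FIXED_RUNNING_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+
aaa authorization network default group tacacs+
tacacs-server host 172.22.53.201 key bobbit
"""
FIXED_CSU_CFG = """\
NAS config_nas_config = {
  { "172.22.53.201", "bobbit", "", 0 },
};
"""

if __name__ == "__main__":
    for label, cfg, csu in (("broken", BROKEN_RUNNING_CONFIG, BROKEN_CSU_CFG),
                            ("fixed", FIXED_RUNNING_CONFIG, FIXED_CSU_CFG)):
        print(label, audit(cfg, csu) or "OK")
```

Run it against real captures by reading the two files and passing their text to audit(); a non-empty list is the set of things to fix before re-testing dialup. The key check only confirms that both sides hold the same string; it cannot say which side is wrong, and the CSU.cfg entry format beyond the address and key is assumed here.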

6.4.2 Isolating Invalid User Password (TACACS+ Dial-Based Server Authentication)

This scenario focuses on a server-authentication failure for a dial-based connection and provides a statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics include output from relevant debug commands and other troubleshooting tools. See Table 6-3 for additional related problems.

Symptom Single user failure; individual dial-in user unable to connect to NAS. See Table 6-3.

Possible Cause User enters invalid password. See Table 6-3.

Action Complete troubleshooting steps to isolate and resolve this possible cause.

Step 1 Gather general debug command information from the NAS. The following output is from a debug aaa authentication command executed on a NAS. This command results in a stream of diagnostic output.


The last line in the following output shows the login continuing for user dial_tac after the password prompt (GETPASS):

092852: Jan 27 22:19:06.713 CST: AAA/AUTHEN (543609479): status = GETPASS
092853: Jan 27 22:19:07.985 CST: AAA/AUTHEN/CONT (543609479): continue_login (user='dial_tac')

The NAS receives FAIL from the AAA server for the user:

092854: Jan 27 22:19:07.985 CST: AAA/AUTHEN (543609479): status = GETPASS
092855: Jan 27 22:19:07.985 CST: AAA/AUTHEN (543609479): Method=ADMIN (tacacs+)
092856: Jan 27 22:19:07.985 CST: TAC+: send AUTHEN/CONT packet id=543609479
092857: Jan 27 22:19:08.185 CST: TAC+: ver=192 id=543609479 received AUTHEN status = FAIL
092858: Jan 27 22:19:08.185 CST: AAA/AUTHEN (543609479): status = FAIL

The user session is torn down and the AAA process is freed:

092859: Jan 27 22:19:10.185 CST: AAA/MEMORY: free_user (0x61D87A70) user='dial_tac' ruser='' port='tty51' rem_addr='172.22.2.3' authen_type=ASCII service=LOGIN priv=1

Step 2 Enter the tail command to assess warning and errors reported in the AAA server log file:

<CSUserver>$tail -f /var/log/csuslog

In this case, the AAA server log reports an incorrect password for user dial_tac:

Jan 27 22:19:08 coachella CiscoSecure: NOTICE - Authentication - Incorrect password; [NAS = 172.22.63.1, Port = tty51, User = dial_tac, Service = 1, Priv = 1]
Jan 27 22:19:08 coachella CiscoSecure: INFO - Profile: user = dial_tac {
Jan 27 22:19:08 coachella set server current-failed-logins = 1

Note Following the failure, the current-failed-logins counter for the user increments. This counter is described in Table 6-3.

Step 3 If the user entered the login or password incorrectly, provide feedback (or reset the password in the database); if the user does not exist in the database but should, create a new user.

6.4.3 Isolating Non-Existent User (TACACS+ Dial-Based Server Authentication)

This scenario focuses on a server-authentication failure for a dial-based connection and provides a statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics include output from relevant debug commands and other troubleshooting tools. See Table 6-3 for additional related problems.

Symptom Single user failure; individual dial-in user unable to connect to NAS. See Table 6-3.

Possible Cause User does not exist in the database. See Table 6-3.

Action Complete troubleshooting steps to isolate and resolve this possible cause.

Step 1 Gather general debug command information from the NAS. The following output is from a debug aaa authentication command executed on a NAS.


The following output fragment shows the AAA process starting on the NAS:

092794: Jan 27 22:15:39.132 CST: AAA/MEMORY: create_user (0x61D87A70) user='' ruser='' port='tty51' rem_addr='172.22.2.3' authen_type=ASCII service=LOGIN priv=1
092795: Jan 27 22:15:39.132 CST: AAA/AUTHEN/START (3576082779): port='tty51' list='INSIDE' action=LOGIN service=LOGIN

The AAA server replies GETPASS (prompt for a password) and the NAS continues the login for user dial_test:

092806: Jan 27 22:15:41.132 CST: AAA/AUTHEN/START (3285027777): Method=ADMIN (tacacs+)
092807: Jan 27 22:15:41.132 CST: TAC+: send AUTHEN/START packet ver=192 id=3285027777
092808: Jan 27 22:15:41.936 CST: TAC+: ver=192 id=3285027777 received AUTHEN status = GETPASS
092809: Jan 27 22:15:41.936 CST: AAA/AUTHEN (3285027777): status = GETPASS
092810: Jan 27 22:15:43.340 CST: AAA/AUTHEN/CONT (3285027777): continue_login (user='dial_test')
092811: Jan 27 22:15:43.340 CST: AAA/AUTHEN (3285027777): status = GETPASS
092812: Jan 27 22:15:43.340 CST: AAA/AUTHEN (3285027777): Method=ADMIN (tacacs+)

The NAS then receives the authentication FAIL message from the AAA server:

092813: Jan 27 22:15:43.340 CST: TAC+: send AUTHEN/CONT packet id=3285027777
092814: Jan 27 22:15:43.540 CST: TAC+: ver=192 id=3285027777 received AUTHEN status = FAIL
092815: Jan 27 22:15:43.540 CST: AAA/AUTHEN (3285027777): status = FAIL

The session is torn down and the AAA process is freed:

092816: Jan 27 22:15:45.540 CST: AAA/MEMORY: free_user (0x61D87A70) user='dial_test' ruser='' port='tty51' rem_addr='172.22.2.3' authen_type=ASCII service=LOGIN priv=1
092817: Jan 27 22:15:45.540 CST: AAA: parse name=tty51 idb type=-1 tty=-1
092818: Jan 27 22:15:45.540 CST: AAA: name=tty51 flags=0x11 type=5 shelf=0 slot

Step 2 Enter the following command to assess warning and errors reported in the AAA server log file:

<CSUserver>$tail -f /var/log/csuslog

The AAA server log file shows that the server did not find user dial_test in its cache (profile caching is enabled):

Jan 27 22:15:41 coachella CiscoSecure: DEBUG - Profile USER = dial_test not found in cache.

The log also shows that the server did not find the user in the database and fell back to the unknown_user profile:

Jan 27 22:15:41 coachella CiscoSecure: WARNING - User dial_test not found, using unknown_user

After exhausting its search, the server again reports the user not found when the AUTHENTICATION CONTINUE request (carrying the password) arrives:

Jan 27 22:15:41 coachella CiscoSecure: DEBUG - Password:
Jan 27 22:15:43 coachella CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (c3cd8bc1)
Jan 27 22:15:43 coachella CiscoSecure: DEBUG - Authentication - User not found; [NAS = 172.22.63.1, Port = tty51, User = dial_test, Service = 1]

Step 3 Enter the following command to view the user profile in the database; here it confirms that no profile exists for dial_test:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u dial_test
Error: Unable to find profile
RC = 3


Step 4 If the user does not exist in the database (but should), create a new user, or provide feedback if password or login were entered incorrectly by the user.
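The three authentication scenarios above are told apart by the csuslog line the server writes, and by whether one user or every user fails. The following added Python example (not from the original guide or from CiscoSecure) parses a csuslog stream, tags each failure with its cause and the section of this chapter that covers it, and groups failing users by NAS so that a multi-user failure stands out from a single bad password. The log lines are constructed from the fragments quoted in 6.4.1 through 6.4.4 plus one invented user, dial_sam, added so the grouping has three users to show; the threshold of three distinct users is an arbitrary heuristic, not a CiscoSecure rule.

```python
"""Triage CiscoSecure csuslog output: map each failure line to its cause and
flag NAS devices where several distinct users fail, the multi-user symptom
that points at the shared secret rather than at an account (Table 6-4)."""
import re
from collections import defaultdict

# 'Jan 27 22:19:08 coachella CiscoSecure: NOTICE - Authentication - Incorrect password; [...]'
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) CiscoSecure: "
    r"(?P<level>[A-Z]+) - (?P<msg>.*)$")
FIELDS_RE = re.compile(r"(\w+) = ([^,\]]+)")   # 'User = dial_tac', 'NAS = 172.22.63.1'
AVS_RE = re.compile(r"input: (.*?) output:")   # AVs the NAS asked for in an authorization

# (message prefix, cause, section of this chapter that walks through it)
CAUSES = [
    ("Insecure configuration: No encryption key", "no TACACS+ key for NAS in CSU.cfg", "6.4.1"),
    ("Authentication - Incorrect password", "invalid password", "6.4.2"),
    ("Authentication - User not found", "user not in database", "6.4.3"),
    ("Authorization - Failed service", "service AVP not assigned", "6.4.4 / 6.4.6"),
]


def parse_line(line):
    """Split one csuslog line into its parts; None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = {k.lower(): v.strip() for k, v in FIELDS_RE.findall(rec["msg"])}
    avs = AVS_RE.search(rec["msg"])
    rec["requested_avs"] = avs.group(1).split() if avs else []
    return rec


def classify(rec):
    """Return (cause, section) for a recognised failure message, else None."""
    for prefix, cause, section in CAUSES:
        if rec["msg"].startswith(prefix):
            return cause, section
    return None


def triage(log_text):
    """One event per recognised failure line, in log order."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        hit = classify(rec) if rec else None
        if hit:
            events.append({"ts": rec["ts"], "user": rec["fields"].get("user"),
                           "nas": rec["fields"].get("nas"), "cause": hit[0],
                           "section": hit[1], "requested_avs": rec["requested_avs"]})
    return events


def multi_user_failures(events, threshold=3):
    """NAS -> distinct users whose authentication failed, for NAS devices at or
    above the threshold. Heuristic: Table 6-4 treats 'all users fail' as the
    key-mismatch symptom and a single failing user as an account problem."""
    by_nas = defaultdict(set)
    for ev in events:
        if ev["section"] in ("6.4.2", "6.4.3") and ev["nas"] and ev["user"]:
            by_nas[ev["nas"]].add(ev["user"])
    return {nas: users for nas, users in by_nas.items() if len(users) >= threshold}


# Constructed sample: lines quoted in 6.4.1 through 6.4.4 plus the invented
# user dial_sam, so that one NAS shows three distinct failing users.
SAMPLE_CSUSLOG = """\
Jan 27 18:35:17 coachella CiscoSecure: WARNING - Insecure configuration: No encryption key for NAS <default>
Jan 27 22:15:41 coachella CiscoSecure: WARNING - User dial_test not found, using unknown_user
Jan 27 22:15:43 coachella CiscoSecure: DEBUG - Authentication - User not found;[NAS = 172.22.63.1, Port = tty51, User = dial_test, Service = 1]
Jan 27 22:19:08 coachella CiscoSecure: NOTICE - Authentication - Incorrect password; [NAS = 172.22.63.1, Port = tty51, User = dial_tac, Service = 1, Priv = 1]
Jan 27 22:21:30 coachella CiscoSecure: NOTICE - Authentication - Incorrect password; [NAS = 172.22.63.1, Port = tty52, User = dial_sam, Service = 1, Priv = 1]
Feb  3 20:48:58 coachella CiscoSecure: DEBUG - Authorization - Failed service; [NAS = 172.22.63.1, user = dial_tac, port = Async2, input: service=ppp protocol=lcp output: ]
"""

if __name__ == "__main__":
    evs = triage(SAMPLE_CSUSLOG)
    for ev in evs:
        print("%s %-10s %-34s see %s" % (ev["ts"], ev["user"] or "-", ev["cause"], ev["section"]))
    for nas, users in multi_user_failures(evs).items():
        print("several users failing on %s (%s): check the shared key first"
              % (nas, ", ".join(sorted(users))))
```

Feed it the output of tail -f /var/log/csuslog (or a saved copy) instead of the sample. The "no encryption key" warning is reported on its own, since it carries no user or NAS fields; when it appears together with several distinct users failing on one NAS, start with the key rather than with the accounts.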

6.4.4 Isolating Missing PPP Service Definition (TACACS+ Dial-Based Server Authorization)

This scenario focuses on a server-authorization failure for a dial-based connection and provides a statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics include output from relevant debug commands and other troubleshooting tools. See Table 6-9 for additional related problems.

Symptom Multiple users cannot start PPP. See Table 6-9.

Possible Cause Group does not have service=ppp AVP assigned. See Table 6-9.

Action Complete troubleshooting steps to isolate and resolve this possible cause.

Step 1 Gather general debug command information from the NAS. The following output is from a debug aaa authorization command executed on the NAS (the AAA/AUTHOR lines come from authorization debugging, not authentication debugging). The fragment shows the PPP service authorization request being initiated for user dial_tac and then denied by the AAA server:

111802: Feb 3 20:48:53.015 CST: As2 AAA/AUTHOR/LCP (153050196): send AV service=ppp
111803: Feb 3 20:48:53.015 CST: As2 AAA/AUTHOR/LCP (153050196): send AV protocol=lcp
111804: Feb 3 20:48:53.015 CST: As2 AAA/AUTHOR/LCP (153050196): found list "default"
111805: Feb 3 20:48:53.015 CST: As2 AAA/AUTHOR/LCP (153050196): Method=tacacs+ (tacacs+)
111806: Feb 3 20:48:53.015 CST: AAA/AUTHOR/TAC+: (153050196): user=dial_tac
111807: Feb 3 20:48:53.015 CST: AAA/AUTHOR/TAC+: (153050196): send AV service=ppp
111808: Feb 3 20:48:53.015 CST: AAA/AUTHOR/TAC+: (153050196): send AV protocol=lcp
111809: Feb 3 20:48:53.219 CST: As2 AAA/AUTHOR (153050196): Post authorization status = FAIL
111810: Feb 3 20:48:53.219 CST: As2 AAA/AUTHOR/LCP: Denied

Step 2 Enter the following command to assess warnings and errors reported in the AAA server log file:

<CSUserver>$tail -f /var/log/csuslog

The AAA server log file shows that the server successfully authenticated the user, but that the PPP service request was denied due to an authorization failure. Note the empty output: list in the last line; the server found no service AVP in the profile to match the request.

Feb 3 20:48:58 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.63.1, Port = Async2, User = dial_tac, Priv = 1]
Feb 3 20:48:58 coachella CiscoSecure: DEBUG - AUTHORIZATION request (468d69de)
Feb 3 20:48:58 coachella CiscoSecure: DEBUG - Authorization - Failed service; [NAS = 172.22.63.1, user = dial_tac, port = Async2, input: service=ppp protocol=lcp output: ]

Step 3 Add the service=ppp AVP to the group (or user) profile, together with its protocol=lcp and protocol=ip sub-blocks: the NAS requests protocol=lcp first, as shown above, and protocol=ip when IPCP is negotiated.


6.4.5 Isolating Defined AVPs not Being Assigned (TACACS+ Dial-Based Server Authorization)

This scenario focuses on a server-authorization failure for a dial-based connection and provides a statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics include output from relevant debug commands and other troubleshooting tools. See Table 6-10 for additional related problems.

Symptom Network authorization fails. See Table 6-10.

Possible Cause AVPs not assigned. See Table 6-10.

Action Complete troubleshooting steps to isolate and resolve this possible cause.

Step 1 Review the group profile. In this case, the group profile shows inacl=110 assigned under service=ppp, protocol=ip in the aaa_test_group profile:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g aaa_test_group
Group Profile Information
group = aaa_test_group{
profile_id = 64
profile_cycle = 7
service=ppp {
protocol=ip {
inacl=110
}
protocol=lcp {
}
}
}

Step 2 Gather general debug command information from the NAS. The following output is from a debug aaa authentication command executed on the NAS. The fragment shows the PPP user being created and authenticated; because the NAS has no aaa authorization network method list, it never sends an authorization request for service=ppp, so the inacl AVP in the group profile is never requested:

112037: Feb 3 21:18:04.994 CST: AAA/MEMORY: create_user (0x61DF0AE8) user='dial_tac' ruser='' port='Async5' rem_addr='async/81560' authen_type=PAP service=PPP priv=1

Step 3 Enter the following command to assess warnings and errors reported in the AAA server log file:

<CSUserver>$tail -f /var/log/csuslog

The following log file fragment confirms that access is permitted after a successful PAP authentication with no authorization request at all (compare the AUTHORIZATION request lines in 6.4.4):

Feb 3 21:18:05 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.63.1, Port = Async5, User = dial_tac, Priv = 1]
Feb 3 21:18:05 coachella CiscoSecure: INFO - Profile: user = dial_tac {
Feb 3 21:18:05 coachella set server current-failed-logins = 0
Feb 3 21:18:05 coachella profile_cycle = 12
Feb 3 21:18:05 coachella }

Step 4 Add the aaa authorization network default group tacacs+ global configuration command to the NAS so that it requests network authorization for PPP sessions and the AVPs defined in the group profile are returned and applied.


6.4.6 Isolating Missing Shell Service Definition (TACACS+ Dial-Based Server Authorization)

This scenario focuses on a server-authorization failure for a dial-based connection and provides a statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics include output from relevant debug commands and other troubleshooting tools. See Table 6-16 for additional related problems.

Symptom No EXEC shell (terminal window after dial). See Table 6-16.

Possible Cause User or group does not have service=shell AVP assigned. See Table 6-16.

Action Complete troubleshooting steps to isolate and resolve this possible cause.

Step 1 Gather general debug command information from the NAS. The following output is from a debug aaa authorization command executed on the NAS. The fragment shows the request sent to the AAA server to start service=shell:

092730: Jan 27 21:57:41.355 CST: tty52 AAA/AUTHOR/EXEC (3818889333): Port='tty52' list='INSIDE' service=EXEC
092738: Jan 27 21:57:41.355 CST: tty52 AAA/AUTHOR/EXEC (3818889333): Method=ADMIN (tacacs+)
092739: Jan 27 21:57:41.355 CST: AAA/AUTHOR/TAC+: (3818889333): user=dial_tac
092740: Jan 27 21:57:41.355 CST: AAA/AUTHOR/TAC+: (3818889333): send AV service=shell

The following lines show the failure notification from the AAA server for service=shell:

092741: Jan 27 21:57:41.355 CST: AAA/AUTHOR/TAC+: (3818889333): send AV cmd*
092742: Jan 27 21:57:41.559 CST: AAA/AUTHOR (3818889333): Post authorization status = FAIL

The EXEC authorization fails and the user is freed:

092743: Jan 27 21:57:41.559 CST: AAA/AUTHOR/EXEC: Authorization FAILED
092744: Jan 27 21:57:43.559 CST: AAA/MEMORY: free_user (0x61D87A70) user='dial_tac' ruser='' port='tty52' rem_addr='172.22.2.3' authen_type=ASCII service=LOGIN priv=1

Step 2 Enter the following command to assess warning and errors reported in the AAA server log file:

<CSUserver>$tail -f /var/log/csuslog

In this case, the authentication succeeds for user dial_tac, as illustrated in the following csuslog file fragment:

Jan 27 21:57:40 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.63.1, Port = tty52, User = dial_tac, Priv = 1]

However, the csuslog file also shows that the authorization failed service for user dial_tac because the service=shell AVP is not assigned:

Jan 27 21:57:40 coachella CiscoSecure: DEBUG -
Jan 27 21:57:41 coachella CiscoSecure: DEBUG - AUTHORIZATION request (e39fa075)
Jan 27 21:57:41 coachella CiscoSecure: DEBUG - Authorization - Failed service; [NAS = 172.22.63.1, user = dial_tac, port = tty52, input: service=shell cmd* output: ]


Step 3 Enter the following command to review the user profile. The profile shows that the service=shell AVP is not assigned to user dial_tac (and the group it belongs to, aaa_test_group, carries only service=ppp, as shown in Step 1 of 6.4.5):

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u dial_tac
User Profile Information
user = dial_tac{
profile_id = 63
profile_cycle = 4
member = aaa_test_group
password = des "********"
password = pap "********"
}

Step 4 Assign the service=shell AVP to user dial_tac or to group aaa_test_group.

6.4.7 Isolating Incorrect PPP Reply Attributes (RADIUS Dial-Based Server Authorization)

This scenario focuses on a server-authorization failure for a dial-based connection using the RADIUS protocol and provides a statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics include output from relevant debug commands and other troubleshooting tools. See Table 6-9 for additional related problems.

Symptom PPP session is not established. See Table 6-9.

Possible Cause User or group does not have correct PPP reply attributes. See Table 6-9.

Action Complete troubleshooting steps to isolate and resolve this possible cause.

Step 1 Gather general debug command information from the NAS. The following output is from a debug aaa authorization command executed on the NAS. The fragment shows the Authorization FAILED message for an EXEC session, after which the user is freed and the ISDN call is disconnected:

*Apr 5 23:12:28.228: AAA/AUTHOR/EXEC: Authorization FAILED
*Apr 5 23:12:30.228: AAA/MEMORY: free_user (0x612311BC) user='rad_dial' ruser='' port='tty4' rem_addr='408/3241933' authen_type=ASCII service=LOGIN priv=1
*Apr 5 23:12:30.936: %ISDN-6-DISCONNECT: Interface Serial0:0 disconnected from unknown , call lasted 61 seconds
*Apr 5 23:12:30.980: %LINK-3-UPDOWN: Interface Serial0:0, changed state to down

Step 2 Enter the tail command to assess warning and errors reported in the AAA server log file:

<CSUserver>$tail -f /var/log/csuslog

In this case, the csuslog file only shows the RADIUS request from NAS 172.23.84.35 being serviced; the cause of the failure for user rad_dial is found in the profile returned to the NAS (Step 3):

Apr 6 15:14:03 sleddog CiscoSecure: INFO - RADIUS: Servicing requests from NAS (172.23.84.35), sending host <172.23.84.35>



Step 3 Enter the following command to view a user profile in the database:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rad_dial
User Profile Information
user = rad_dial{
profile_id = 23
set server current-failed-logins = 0
profile_cycle = 4
password = pap "********"
radius=Cisco {
reply_attributes= {
7=1
9,1="ip:inacl=110"
}
}
}

Note In this profile the reply attributes are written as number=value pairs using the RFC 2865 attribute numbers: 7=1 is Framed-Protocol = PPP, and 9,1="ip:inacl=110" is the Cisco vendor-specific attribute (vendor 9, type 1, cisco-avpair) that applies access list 110 inbound. The missing reply attribute is 6=2, Service-Type = Framed. Without it the NAS does not treat the call as a framed PPP session; it starts an EXEC login instead (service=LOGIN in the free_user line above), and EXEC authorization fails.

Step 4 Add the RADIUS attribute Service-Type = Framed (entered as 6=2 in AddProfile command input). Framed-Protocol = PPP (attribute 7, value 1) is already present in the profile and is not the missing item.
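The last three scenarios all come down to an AVP missing from a ViewProfile listing. The following added Python example (not CiscoSecure code and not part of the original guide) parses the brace-delimited ViewProfile output and reports the missing items: service=shell (6.4.6, Table 6-34), service=ppp with protocol=ip and protocol=lcp (6.4.4), and the Service-Type and Framed-Protocol reply attributes for RADIUS (6.4.7). Group membership via member = is followed, so AVPs inherited from a group count. The sample profiles are reconstructed from the listings in this section with passwords masked and bookkeeping lines dropped; the parser assumes the listing's one-item-per-line layout shown in those listings.

```python
"""Check CiscoSecure ViewProfile output for the AVPs that the scenarios in
this section show missing (service=shell, service=ppp with its protocol
sub-blocks, and the RADIUS reply attributes a framed PPP session needs)."""


def parse_profile(text):
    """Brace-delimited listing -> nested dicts; leaf lines live under '_attrs'."""
    root = {"_attrs": []}
    stack = [root]
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            block = {"_attrs": []}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        else:
            stack[-1]["_attrs"].append(line)
    return root


def find_block(node, name):
    """Depth-first search for a block such as 'service=shell' (spaces ignored)."""
    for key, child in node.items():
        if key == "_attrs":
            continue
        if key.replace(" ", "") == name:
            return child
        found = find_block(child, name)
        if found is not None:
            return found
    return None


def attr_values(node, key):
    """Values of 'key = value' leaf lines anywhere below node."""
    out = []
    for line in node["_attrs"]:
        k, sep, v = line.partition("=")
        if sep and k.strip() == key:
            out.append(v.strip())
    for k, child in node.items():
        out += attr_values(child, key) if k != "_attrs" else []
    return out


def audit_tacacs(user_text, group_texts):
    """Findings for a TACACS+ user; AVPs inherited from member groups count."""
    user = parse_profile(user_text)
    scopes = [user] + [parse_profile(group_texts[g])
                       for g in attr_values(user, "member") if g in group_texts]

    def blocks(name):
        return [b for b in (find_block(s, name) for s in scopes) if b is not None]

    findings = []
    if not blocks("service=shell"):
        findings.append("no service=shell AVP on user or group: EXEC authorization "
                        "fails with 'Authorization failed service' (6.4.6, Table 6-34)")
    ppps = blocks("service=ppp")
    if not ppps:
        findings.append("no service=ppp AVP on user or group: PPP denied (6.4.4)")
    for proto in ("protocol=ip", "protocol=lcp"):
        if ppps and not any(find_block(b, proto) is not None for b in ppps):
            findings.append("service=ppp lacks %s (6.4.4)" % proto)
    return findings


RADIUS_REQUIRED = {"6=2": "Service-Type = Framed", "7=1": "Framed-Protocol = PPP"}  # RFC 2865


def audit_radius(user_text):
    """Findings for a RADIUS user profile (6.4.7)."""
    reply = find_block(parse_profile(user_text), "reply_attributes=")
    if reply is None:
        return ["no reply_attributes block under radius=Cisco (6.4.7)"]
    present = {line.replace(" ", "") for line in reply["_attrs"]}
    return ["missing reply attribute %s (%s) (6.4.7)" % (code, name)
            for code, name in RADIUS_REQUIRED.items() if code not in present]


# Constructed from the ViewProfile listings in 6.4.5 through 6.4.7 (passwords masked).
DIAL_TAC_PROFILE = """\
user = dial_tac{
member = aaa_test_group
password = des "********"
password = pap "********"
}
"""
AAA_TEST_GROUP_PROFILE = """\
group = aaa_test_group{
service=ppp {
protocol=ip {
inacl=110
}
protocol=lcp {
}
}
}
"""
RAD_DIAL_PROFILE = """\
user = rad_dial{
password = pap "********"
radius=Cisco {
reply_attributes= {
7=1
9,1="ip:inacl=110"
}
}
}
"""
```

Paste the output of ViewProfile -u for the user and ViewProfile -g for each group it names into the two arguments of audit_tacacs(); audit_radius() takes the RADIUS user's listing. With the profiles above it reports exactly the two defects the scenarios fix: dial_tac has no service=shell anywhere in its user or group profile, and rad_dial lacks 6=2.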


A P P E N D I X A

AAA Device Configuration Listings

This appendix provides the following configuration listings:

• A.1.1 Example Local-Based Router AAA Configuration

• A.1.2 Example Server-Based TACACS+ NAS Configuration

• A.1.3 Example Server-Based RADIUS NAS Configuration

• A.4.1 CSU.cfg Listing

• A.4.2 CSConfig.ini Listing

• A.4.3 Oracle User Environment Variable

• A.4.4 listener.ora Listing

A.1 Sample Cisco IOS Configuration Listings

The following listings represent the complete running configurations for the router and NAS used to illustrate AAA implementation in this solution guide. Listings are included for TACACS+ and RADIUS configurations.


A.1.1 Example Local-Based Router AAA Configuration

The following example of a local-based router configuration includes both dial-in and EXEC shell access configurations.

maui-rtr-03#show running-config
Building configuration...

Current configuration:
!
! Last configuration change at 09:19:35 CST Thu Apr 13 2000 by brownr
! NVRAM config last updated at 09:14:55 CST Thu Apr 13 2000 by brownr
!
version 12.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname maui-rtr-03
!
no logging console
aaa new-model
aaa authentication login default local enable
aaa authentication login NO_AUTHEN none
aaa authorization exec default local
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default local
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
enable secret 5 xxxxxxxxxxxxxxxxx
!
username admin privilege 15 password 7 xxxxxxxxxxxx
!
!
!
clock timezone cst -6
clock summer-time CST recurring
ip subnet-zero
ip domain-name maui-onions.com
ip name-server x.x.x.x
ip name-server x.x.x.x
!
!
!
!
!
!
!
interface Loopback0
 ip address 172.22.255.3 255.255.255.255
 no ip directed-broadcast
!
interface ATM1/0
 no ip address
 no ip directed-broadcast
 shutdown
 no atm ilmi-keepalive
!
interface Serial2/0
 ip address 10.10.10.1 255.255.255.0
 no ip directed-broadcast
!


interface Serial2/1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial2/2
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial2/3
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Ethernet3/0
 ip address 172.22.241.3 255.255.255.0
 no ip directed-broadcast
 ip summary-address eigrp 69 172.22.80.0 255.255.240.0 5
!
interface Ethernet3/1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Ethernet3/2
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Ethernet3/3
 no ip address
 no ip directed-broadcast
 shutdown
!
interface FastEthernet4/0
 ip address 172.22.80.1 255.255.255.0
 no ip directed-broadcast
 ip summary-address eigrp 69 172.22.240.0 255.255.240.0 5
 half-duplex
!
router eigrp 69
 network 172.22.0.0
!
ip default-gateway 172.22.53.1
ip classless
ip http server
ip http authentication aaa
ip tacacs source-interface Loopback0
!
snmp-server engineID local 00000009020000D0BB7F5054
snmp-server community cisco xx
snmp-server community rules xx
snmp-server trap-source Loopback0
snmp-server contact
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps config
snmp-server enable traps envmon
tacacs-server host 172.22.53.201 key biteme
tacacs-server key ciscorules
!
line con 0
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 accounting commands 15 NO_ACCOUNT
 login authentication NO_AUTHEN
 transport input none
line aux 0
line vty 0 4
!
ntp clock-period 17179912
ntp source Loopback0
ntp update-calendar
ntp server 172.22.255.1
end


A.1.2 Example Server-Based TACACS+ NAS Configuration

The following example of a server-based NAS configuration includes both dial-in and EXEC shell access configurations for TACACS+ implementations:

maui-nas-03#show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname maui-nas-03
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default if-needed group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group tacacs+
!
username admin privilege 15 password 7 xxxxxxxxxxxxx
username diallocal access-class 110 password 7 xxxxxxxxxxx
username diallocal autocommand ppp
spe 1/0 1/7 firmware location system:/ucode/mica_port_firmware
spe 2/0 2/7 firmware location system:/ucode/mica_port_firmware
!
!
resource-pool disable
!
!
!
!
!
clock timezone CST -6
clock summer-time CST recurring
ip subnet-zero
no ip domain-lookup
ip domain-name maui-onions.com
ip name-server 172.22.53.210
!
isdn switch-type primary-ni
isdn voice-call-failure 0
partition flash 2 24 8
!
!
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 clock source line secondary 1
!
controller T1 2
 clock source line secondary 2
!
controller T1 3
 clock source line secondary 3
!
controller T1 4
 clock source line secondary 4
!
controller T1 5
 clock source line secondary 5
!
controller T1 6
 clock source line secondary 6
!
controller T1 7
 clock source line secondary 7
!
!
interface Loopback0
 ip address 172.22.87.3 255.255.255.255
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
!
interface Loopback1
 ip address 172.22.83.1 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
!
interface Ethernet0
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface Serial0
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
 clockrate 2015232
!
interface Serial1
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
 clockrate 2015232

A-6Cisco AAA Implementation Case Study

Page 131: Cisco AAA Implementation Case Study - · PDF fileCisco AAA Implementation Case Study OL-0397-01 1.8.2 Authorization ... A.3 NAS AAA Command ... Authentication and Authorization Session

Appendix A AAA Device Configuration ListingsA.1 Sample Cisco IOS Configuration Listings

!interface Serial2 no ip address no ip directed-broadcast no ip route-cache no ip mroute-cache shutdown no fair-queue clockrate 2015232!interface Serial3 no ip address no ip directed-broadcast no ip route-cache no ip mroute-cache shutdown no fair-queue clockrate 2015232!interface Serial0:23 description "PRI D channel" ip unnumbered Dialer1 no ip directed-broadcast encapsulation ppp no ip route-cache no logging event link-status timeout absolute 240 0 dialer rotary-group 1 dialer-group 5 no snmp trap link-status isdn switch-type primary-5ess isdn incoming-voice modem no fair-queue compress stac no cdp enable!interface FastEthernet0 ip address 172.22.80.3 255.255.255.0 no ip directed-broadcast no ip route-cache no ip mroute-cache duplex auto speed auto!interface Group-Async1 ip unnumbered Loopback0 no ip directed-broadcast encapsulation ppp no ip route-cache ip tcp header-compression passive no ip mroute-cache no logging event link-status dialer in-band dialer idle-timeout 900 async mode interactive no snmp trap link-status peer default ip address pool default no fair-queue no cdp enable ppp max-bad-auth 3 ppp authentication pap chap group-range 1 192!interface Dialer1

A-7Cisco AAA Implementation Case Study

Page 132: Cisco AAA Implementation Case Study - · PDF fileCisco AAA Implementation Case Study OL-0397-01 1.8.2 Authorization ... A.3 NAS AAA Command ... Authentication and Authorization Session

Appendix A AAA Device Configuration ListingsA.1 Sample Cisco IOS Configuration Listings

no ip address no ip directed-broadcast encapsulation ppp no ip route-cache no ip mroute-cache no logging event link-statustimeout absolute 240 0 dialer in-band dialer idle-timeout 300 either dialer-group 5 no snmp trap link-status peer default ip address pool default no fair-queue compress stac no cdp enable ppp max-bad-auth 3 ppp multilink!router eigrp 69 network 172.22.0.0!ip local pool default 172.22.83.2 172.22.83.254ip default-gateway 172.22.80.1ip classlessip tacacs source-interface Loopback0ip http server!access-list 110 deny tcp any any eq telnetaccess-list 110 permit tcp any anytacacs-server host 172.22.53.204tacacs-server key ciscorulessnmp-server engineID local 0000000902000050546B87BCsnmp-server community xxxxxxxxx ROsnmp-server community xxxxxxxxx RWradius-server host 172.22.53.204 auth-port 1645 acct-port 1646 key ciscorulesbanner login ^CCWelcome to maui-nas-03Maui-onions Lab Learning Rack ISG^C!line con 0 authorization commands 15 NO_AUTHOR authorization exec NO_AUTHOR login authentication NO_AUTHEN transport input noneline 1 192 session-timeout 15 exec-timeout 48 0 autoselect during-login autoselect ppp absolute-timeout 240 script dialer cisco_default refuse-message ^CCCCCCCC!!! All lines are busy, try again later ###^C modem InOut modem autoconfigure type mica transport preferred telnet transport input all transport output pad telnet rlogin udptnline aux 0line vty 0 4!end


A.1.3 Example Server-Based RADIUS NAS Configuration

The following example of a server-based NAS configuration includes both dial-in and EXEC shell access configurations for RADIUS implementations:

maui-nas-03#show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname maui-nas-03
!
aaa new-model
aaa authentication login default group radius local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default stop-only group radius
aaa accounting network default start-stop group radius
!
username admin privilege 15 password 7 xxxxxxxxxxxxx
username diallocal access-class 110 password 7 xxxxxxxxxxx
username diallocal autocommand ppp
spe 1/0 1/7
 firmware location system:/ucode/mica_port_firmware
spe 2/0 2/7
 firmware location system:/ucode/mica_port_firmware
!
!
resource-pool disable
!
!
!
!
!
clock timezone CST -6
clock summer-time CST recurring
ip subnet-zero
no ip domain-lookup
ip domain-name maui-onions.com
ip name-server 172.22.53.210
!
isdn switch-type primary-ni
isdn voice-call-failure 0
partition flash 2 24 8
!
!
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 clock source line secondary 1
!
controller T1 2
 clock source line secondary 2
!
controller T1 3
 clock source line secondary 3
!
controller T1 4
 clock source line secondary 4
!
controller T1 5
 clock source line secondary 5
!
controller T1 6
 clock source line secondary 6
!
controller T1 7
 clock source line secondary 7
!
!
interface Loopback0
 ip address 172.22.87.3 255.255.255.255
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
!
interface Loopback1
 ip address 172.22.83.1 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
!
interface Ethernet0
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface Serial0
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
 clockrate 2015232
!
interface Serial1
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
 clockrate 2015232
!
interface Serial2
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
 clockrate 2015232
!
interface Serial3
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
 clockrate 2015232
!
interface Serial0:23
 description "PRI D channel"
 ip unnumbered Dialer1
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 no logging event link-status
 timeout absolute 240 0
 dialer rotary-group 1
 dialer-group 5
 no snmp trap link-status
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 no fair-queue
 compress stac
 no cdp enable
!
interface FastEthernet0
 ip address 172.22.80.3 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Group-Async1
 ip unnumbered Loopback0
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 ip tcp header-compression passive
 no ip mroute-cache
 no logging event link-status
 dialer in-band
 dialer idle-timeout 900
 async mode interactive
 no snmp trap link-status
 peer default ip address pool default
 no fair-queue
 no cdp enable
 ppp max-bad-auth 3
 ppp authentication pap chap
 group-range 1 192
!
interface Dialer1
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 no logging event link-status
 timeout absolute 240 0
 dialer in-band
 dialer idle-timeout 300 either
 dialer-group 5
 no snmp trap link-status
 peer default ip address pool default
 no fair-queue
 compress stac
 no cdp enable
 ppp max-bad-auth 3
 ppp multilink
!
router eigrp 69
 network 172.22.0.0
!
ip local pool default 172.22.83.2 172.22.83.254
ip default-gateway 172.22.80.1
ip classless
ip tacacs source-interface Loopback0
ip http server
!
access-list 110 deny   tcp any any eq telnet
access-list 110 permit tcp any any
tacacs-server host 172.22.53.204
tacacs-server key ciscorules
snmp-server engineID local 0000000902000050546B87BC
snmp-server community xxxxxxxxx RO
snmp-server community xxxxxxxxx RW
radius-server host 172.22.53.204 auth-port 1645 acct-port 1646 key ciscorules
banner login ^C
Welcome to maui-nas-03
Maui-onions Lab Learning Rack ISG
^C
!
line con 0
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 login authentication NO_AUTHEN
 transport input none
line 1 192
 session-timeout 15
 exec-timeout 48 0
 autoselect during-login
 autoselect ppp
 absolute-timeout 240
 script dialer cisco_default
 refuse-message ^C!!! All lines are busy, try again later ###^C
 modem InOut
 modem autoconfigure type mica
 transport preferred telnet
 transport input all
 transport output pad telnet rlogin udptn
line aux 0
line vty 0 4
!
end
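Both listings above hand EXEC and PPP authentication to the server, but what a given line actually gets is easy to misread by hand: line con 0 is bound to the NO_AUTHEN and NO_AUTHOR lists (no authentication, no authorization), line vty 0 4 carries no line-level commands and so falls back to every default list, neither listing defines an aaa authorization network list, and ip http server is enabled without ip http authentication aaa (in Cisco IOS 12.0 the HTTP server then authenticates with the enable password, not through AAA). The following Python script is an added example for this case study, not Cisco code and not part of the original document. It parses the AAA method lists and line stanzas of a running-config, resolves the list each line really uses, and reports lists that resolve to none, default lists that Tables A-1 and A-2 call for but that are not defined, command-authorization lists pointed at RADIUS (RADIUS does not do per-command authorization), the HTTP setting above, and server shared secrets stored in clear text. The embedded configs are constructed excerpts of the two listings; the set of "required default lists" and the finding wording are the example's own choices.

```python
"""Audit a Cisco IOS running-config against the AAA lists in Tables A-1 and A-2 (added example, not Cisco code)."""
import re

# Constructed excerpts of the A.1.2 (TACACS+) and A.1.3 (RADIUS) listings above, trimmed to AAA lines; not live captures.
TACACS_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default if-needed group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 NO_AUTHOR none
aaa accounting network default start-stop group tacacs+
ip http server
tacacs-server host 172.22.53.204
tacacs-server key ciscorules
line con 0
 authorization commands 15 NO_AUTHOR
 login authentication NO_AUTHEN
line vty 0 4
"""
RADIUS_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting network default start-stop group radius
ip http server
ip http authentication aaa
radius-server host 172.22.53.204 auth-port 1645 acct-port 1646 key ciscorules
line con 0
 login authentication NO_AUTHEN
line vty 0 4
"""
AAA_RE = re.compile(r"^aaa (authentication|authorization|accounting) (\S+)(?: (\d+))? (\S+) (.+)$")
SECRET_RE = re.compile(r"^(tacacs-server|radius-server host \S+).* key (\S+)")
# line sub-command -> method-list family it selects; a line without it uses that family's 'default' list
LINE_BINDINGS = (("login authentication", "authentication login"), ("authorization exec", "authorization exec"),
                 ("authorization commands 15", "authorization commands 15"))
# default lists Tables A-1 and A-2 call for (the example's own reading of the tables)
REQUIRED_DEFAULT_LISTS = ("authentication login default", "authentication ppp default", "authorization exec default",
                          "authorization network default", "authorization commands 15 default", "accounting network default")


def parse(config: str):
    """Split a config into AAA method lists, 'line' stanzas and other global commands."""
    lists, stanzas, global_cmds, current = {}, {}, [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                  # indented line belongs to the open stanza
            if current is not None:
                stanzas[current].append(raw.strip())
            continue
        current, m = None, AAA_RE.match(raw)
        if m:
            kind, service, level, name, rest = m.groups()
            toks, methods = rest.split(), []
            while toks:                           # 'group tacacs+' is a single method
                tok = toks.pop(0)
                methods.append(tok + " " + toks.pop(0) if tok == "group" and toks else tok)
            lists[" ".join(p for p in (kind, service, level, name) if p)] = methods
        elif raw.startswith("line "):
            current, stanzas[raw] = raw, []
        else:
            global_cmds.append(raw)
    return lists, stanzas, global_cmds


def audit(config: str) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    lists, stanzas, global_cmds = parse(config)
    if "aaa new-model" not in global_cmds:
        return ["aaa new-model is missing: no AAA method lists are in effect"]
    findings = [f"missing default list: aaa {k}" for k in REQUIRED_DEFAULT_LISTS if k not in lists]
    for key, methods in lists.items():
        if key.startswith("authorization commands") and "group radius" in methods:
            findings.append(f"aaa {key}: RADIUS does not provide per-command authorization")
    for stanza, cmds in stanzas.items():          # resolve the list each line really uses
        for sub, family in LINE_BINDINGS:
            bound = [c for c in cmds if c.startswith(sub + " ")]
            name = bound[-1].split()[-1] if bound else "default"
            key = f"{family} {name}"
            if key not in lists:
                if name != "default":
                    findings.append(f"{stanza}: references undefined list aaa {key}")
            elif lists[key][0] == "none":
                findings.append(f"{stanza}: aaa {key} resolves to 'none' ({sub} is off)")
    if "ip http server" in global_cmds and "ip http authentication aaa" not in global_cmds:
        findings.append("ip http server without ip http authentication aaa: HTTP logins use the enable password, not the AAA server")
    for cmd in global_cmds:
        m = SECRET_RE.match(cmd)
        if m and m.group(2) != "7":               # 'key 7 <hex>' is the obfuscated form
            findings.append(f"{m.group(1)}: shared secret is stored in clear text")
    return findings


if __name__ == "__main__":
    print(*(f"{lab}: {f}" for lab, cfg in (("TACACS+", TACACS_CONFIG), ("RADIUS", RADIUS_CONFIG)) for f in audit(cfg)), sep="\n")
```

Run against the TACACS+ excerpt the script reports the console's two none lists, the missing network authorization list, the HTTP setting and the clear-text key; against the RADIUS excerpt it additionally reports that no privilege-15 command authorization list exists, which is the expected limitation of RADIUS rather than an omission. Feed it the output of show running-config on a real NAS and compare.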


A.2 Router AAA Command Implementation Descriptions

Configurations addressed in this section focus on router administration configurations. Router administration configurations cause functions to run within the router shell. Examples include commands executed from the router console, commands executed over a VTY connection, and a shell-initiated session established using a modem. Each is an example of an EXEC function. Table A-1 provides commands relevant for a router in a Cisco IOS AAA environment.

Table A-1 Cisco IOS Commands Required to Set AAA for a Router

Cisco IOS Command
    Description/Application Comment

aaa new-model
    Enables AAA. Forces an implicit login authentication default against all lines/console interfaces and an implicit ppp authentication pap default against all PPP interfaces.

aaa authentication login default group tacacs+
    Causes the router to forward all login requests to the AAA server.

aaa authorization exec default group tacacs+ if-authenticated
    Uses the default list for authorization to verify that the service=shell attribute is assigned to the user and downloads the shell attributes assigned in the AAA server.

aaa authorization commands 15 default group tacacs+ if-authenticated
    Uses command authorization for privilege level 15 commands; the commands must be assigned to router users in the AAA server for those commands to succeed.

aaa accounting exec default start-stop group tacacs+
    Logs EXEC shell information for the user profile in start-stop TACACS+ format.

aaa accounting commands 15 default stop-only group tacacs+
    Sends a TACACS+ accounting stop record at the end of each privilege level 15 command.

aaa accounting system default stop-only group tacacs+
    Performs accounting for all system-level events not associated with users, such as reloads, in stop-only TACACS+ format.

ip tacacs source-interface FastEthernet0/0/0
    Uses this interface's IP address as the source address of TACACS+ packets; this is the address under which the router must be defined in the AAA server.

ip http server
    Enables HTTP server access.

ip http authentication aaa
    Forces AAA authentication and authorization for HTTP access at privilege level 15.

tacacs-server host IP-address
    Specifies the AAA server.

tacacs-server key secret-key
    Specifies the encryption key; it must be the same key configured in the AAA server.

A.3 NAS AAA Command Implementation Descriptions

Configurations addressed in this section focus on AAA with PPP. These configurations differ from router administration configurations: PPP is a network-level function and is separate from router shell functions. You can configure PPP to start automatically, or you can initiate PPP from a terminal window after dialing in to a NAS. Table A-2 lists commands relevant for a NAS providing PPP access in a Cisco IOS AAA environment.

Note: The following table lists Cisco IOS configuration commands required to support both TACACS+ and RADIUS AAA implementations.


Table A-2 Cisco IOS Commands Used to Set AAA with PPP for NAS (RADIUS and TACACS+)

IOS Command
    Description/Application Comment

aaa new-model
    Enables authentication, authorization, and accounting. Forces an implicit login authentication default against all lines/console interfaces and an implicit ppp authentication pap default against all PPP interfaces.

aaa authentication login default group tacacs+
    Causes the router to forward all login requests to a TACACS+ server.

aaa authentication login default group radius
    Causes the router to forward all login requests to a RADIUS server.

aaa authentication ppp default if-needed group radius
    Uses the default list for PPP authentication; the if-needed keyword lets clients using the "Terminal Window after Dial" option authenticate to the RADIUS server in the terminal window and then negotiate PPP without being authenticated a second time with the Windows dialup networking username and password.

aaa authentication ppp default if-needed group tacacs+
    Uses the default list for PPP authentication; the if-needed keyword lets clients using the "Terminal Window after Dial" option authenticate to the TACACS+ server in the terminal window and then negotiate PPP without being authenticated a second time with the Windows dialup networking username and password.

aaa authorization exec default group radius if-authenticated
    Uses the default list to verify authorization.

aaa authorization exec default group tacacs+ if-authenticated
    Uses the default list for authorization to verify that the service=shell attribute is assigned to the user and downloads the shell attributes assigned in the AAA server.

aaa authorization network default group tacacs+ if-authenticated
    Uses the default list for authorization to verify that the service=ppp attribute is assigned to the user or group and downloads the PPP attributes assigned in the AAA server. Authorization is permitted only if the user or group has been properly authenticated through TACACS+.

aaa authorization network default group radius if-authenticated
    Uses the default list for authorization to verify that the Service-Type=Framed attribute is assigned to the user or group and downloads the PPP attributes assigned in the AAA server. Authorization is permitted only if the user or group has been properly authenticated through RADIUS.

aaa accounting exec default start-stop group tacacs+
    Logs EXEC shell information for the user profile in start-stop TACACS+ format.

aaa accounting network default start-stop group tacacs+
    Logs all network-related service requests, such as PPP, in start-stop TACACS+ format.

aaa accounting exec default start-stop group radius
    Logs EXEC shell information for the user profile in start-stop RADIUS format.

aaa accounting network default start-stop group radius
    Logs all network-related service requests, such as PPP, in start-stop RADIUS format.

tacacs-server host IP-address key secret-key
    Specifies the AAA server and the encryption key; the key must be the same key configured in the AAA server.

radius-server host IP-address auth-port 1645 acct-port 1646 key secret-key
    Specifies the RADIUS AAA server IP address, using UDP port 1645 for authentication and authorization and UDP port 1646 for accounting, the defaults of this Cisco IOS release. The IANA-assigned RADIUS ports are 1812 and 1813; configure whichever pair the server listens on.

A.4 CiscoSecure for UNIX Configuration Listings

This section provides the following listings:

• A.4.1 CSU.cfg Listing

• A.4.2 CSConfig.ini Listing

• A.4.3 Oracle User Environment Variable

• A.4.4 listener.ora Listing

For a complete description of AAA server files, go to:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx


A.4.1 CSU.cfg Listing

# cd /opt/ciscosecure/config
# ls
CSConfig.ini  CSU.cfg  CSU.cfg.sav
# cat CSU.cfg
LIST config_license_key = {"a73dc113d300a5ba3459"};
STRING config_update_log_filename = "/opt/ciscosecure/logfiles/passwd_chg.log";
/* store accounting records here when database fails */
/* default = /var/log/CSAccountingLog */
STRING config_acct_filename = "/var/log/CSAccountingLog";

/* AAA Server Metrics */
/* default = 0 (disable) */
NUMBER config_metrics_enable = 0; /* 1 to enable, 0 to disable */
/* default = 8 seconds */
NUMBER config_metrics_log_interval = 8; /* in seconds */

/* Callerid as Username */
/* default = 1 (enable) */
NUMBER config_callerid_enable = 1; /* 1 to enable, 0 to disable */

/* Use default user profile when user/callerid can't be found */
/* default = 1 (enable) */
NUMBER config_defaultuser_enable = 1; /* 1 to enable, 0 to disable */

/* AAA Server MaxSessions Configuration */
/* default = 0 (disable) */
NUMBER config_maxsessions_enable = 0; /* 1 to enable, 0 to disable */
/* default = 24 hours */
NUMBER config_maxsessions_session_timeout = 1440; /* in minutes */
/* default = 60 minutes */
NUMBER config_maxsessions_purge_interval = 60; /* in minutes */

/* AAA Server Distributed MaxSessions Configuration */
/* default = 0 (disable) */
NUMBER config_distmaxsessions_enable = 0; /* 1 to enable, 0 to disable */
/* default = 0 (disabled) */
NUMBER config_dms_periodic_stats_interval = 0; /* 0 to disable, otherwise interval in seconds */

/* Cryptocard challenge lookahead */
/* default = 0, which is same as 1, do only 1 challenge, don't look ahead */
/* the maximum number of challenge look ahead is 20 */
NUMBER config_cryptocard_challenge_lookahead = 0;

/* Group Profile Cache Timeout; 0 == no timeout */
/* default = 5 seconds */
NUMBER config_cache_group_timeout = 5; /* in seconds */

/* Per-user accounting function */
/* default = 1 (enable) */
NUMBER config_acct_fn_enable = 1; /* 1 to enable, 0 to disable */

/* Extended Radius support */
NUMBER config_hex_string_support_enable = 0; /* 1 to enable, 0 to disable */

STRING config_server_ip_address = "172.23.25.41";
NUMBER config_token_cache_absolute_timeout = 86400;
NUMBER config_system_logging_level = 0x80;
NUMBER config_logging_configuration = 0xffffffff;
NUMBER config_warning_period = 20;
NUMBER config_expiry_period = 60;
NUMBER config_local_timezone = -8; /* set this for your timezone */
NUMBER config_use_host_timezone = 0; /* set value to 1 to always use system time */
NUMBER config_record_write_frequency = 5; /* update frequency in seconds */
NUMBER config_max_failed_authentication = 10; /* nmbr of authen fails accepted */
                                              /* before account is disabled. */

NAS config_nas_config = {
  {
    "",            /* NAS name can go here */
    "ciscorules",  /* NAS/CiscoSecure secret key */
    "",            /* message_catalogue_filename */
    1,             /* username retries */
    2,             /* password retries */
    1              /* trusted NAS for SENDPASS */
  }
};

AUTHEN config_external_authen_symbols = {
  { "./libskey.so", "skey" },
  { "./libpap.so", "pap" },
  { "./libchap.so", "chap" },
  { "./libarap.so", "arap" }
};

AUTHOR config_external_author_symbols = {
  { "./libargs.so",
    "process_input_arguments",
    "process_input_arguments_ok",
    "process_input_arguments_fail",
    "process_output_arguments",
    "process_output_arguments_ok",
    "process_output_arguments_fail" }
};

/*
 * Sample of pre/post process configuration.
 *AUTHOR config_external_author_symbols = {
 *  { "./libcustomerprovided.so", "customer_function" }
 *};
 * end sample */

ACCT config_external_acct_symbols = {
  { "./libacctmember.so", "acct_member_fn" }
};

ADMIN config_external_admin_symbols = {
  "./libadmin.so"
};

DB config_external_database_symbols = {
  { "./libdb.so", "", "" }
};

PARSER config_external_parser_symbols = {
  "./libt+.so"
};

EVENT config_external_event_symbols = {
  { "./libdb.so", "", "" }
};

DMS config_external_dms_symbols = {
  "./libCiscoDMS.so"
};
#


A.4.2 CSConfig.ini Listing##cat CSConfig.ini############################################################## $Archive: $## (C) Copyright 1996 Cisco Systems. All rights reserved.## This is CiscoSecure DBServer main initialization file.## $Log: $## $NoKeyWords: $#############################################################;<--------------------- Ruler Line -------------------------------------------->; 1 2 3 4 5 6 7 8;2345678901234567890123456789012345678901234567890123456789012345678901234567890;;-------------------------------------------------------------------------------[System]; Location where the system is installedRootDir=/opt/ciscosecure ; Location of the default profile (default= $RootDir/config/DefaultProfile)DefaultProfile=/opt/ciscosecure/config/DefaultProfile ;-------------------------------------------------------------------------------[System Error]SysErrorFileDir = /opt/ciscosecure/logfiles; DBServer gets the default path for System error handler here; if it was not specified at command line with option; [-LOGPATH path] when starting the DBServer deamon.; DBServer must have sufficient access privilege to create this: path and the log file if it does not already exist. ; log levels are 1 thru 10 where Minor=1, Moderate=5, Severe=8, Catastrophic=10; (note: Catastrophic errors will shutdown the daemon)MinLogLevel = 8 ;-------------------------------------------------------------------------------[SessionMgr]; Session Manager configurables, purge interval is in minutesMaxSessions=1000PurgeInterval=60 ;-------------------------------------------------------------------------------[AccountingMgr] ;If this parameter=enable then log acct packets into cs_accounting_log databasetableLogRawAccountingPacketToDB = enable ;If we are logging accounting records then this parameter decides whether to buffer the records; in memory and then save them to the database using a background process. 
Enabling this will; increase burst authentication performance.;If enabled the DBServer will create enough buffers to match the value of 2 less than; the number of database connections available.

A-19Cisco AAA Implementation Case Study

Page 144: Cisco AAA Implementation Case Study - · PDF fileCisco AAA Implementation Case Study OL-0397-01 1.8.2 Authorization ... A.3 NAS AAA Command ... Authentication and Authorization Session

Appendix A AAA Device Configuration ListingsA.4 CiscoSecure for UNIX Configuration Listings

; NOTE: There is a risk of losing records that are in memory in the event of the DBServer going; down ungracefully.BufferAccountingPackets = enable ;This parameter decides the size of each accounting packet buffer. Legal valuesare from 5 to 1000AccountingBufferSize = 500 ; if parameter=enable then dbserver will process user max session info and savein memory,; if disabled then ArchiveMaxSessionInfoToDB will also be disabled.ProcessInMemoryMaxSessionInfo = enable ; If this parameter=enable then log user max session info into cs_user_accounting database table; Note that if the BufferAccountingPackets parameter is enabled AND ProcessInMemoryMaxSessionInfo; is enabled then max session info records will be buffered as well.ArchiveMaxSessionInfoToDB = enable ; This is how often (in minutes) the system checks for accounting sessions to; purge.; NOTE: The purge interval is actually dependant upon a system background task; that is not guaranteed to run more frequently than 60 minutes. This; value is therefore not accurate to the minute and should not be set to; less than 60.AcctPurgeInterval=60 ; This is how long (in minutes) a session can be considered; active before it is purged.; NOTE: This value is dependent on the AcctPurgeInterval setting and is not; accurate to the minute. It is not intended to be set to less than 60.AcctPurgeTimeOut=1440 ;-------------------------------------------------------------------------------[DBServer]DBServerName = CSdbServerProtocol=TCPMaxPacketSize = 4096 ; Each DBServer process should have it's own unique name.; Do not put the hostname here in case more than one instance; of the DBServer is running on the same machine ;The following is for internal use only by the DBServer;Date format expected from the client application such as the GUI,;to be used for parsing date/time string. The dbserver will reject;inputs that contains other date/time format. 
This format will also;be used to return date/time strings.;Examples, "d MMM yyyy" => "12 Feb 1997", "EEE MMM d hh:mm:ss z yyyy" => "Tue Apr 1 09:26:55 PST 1997"DateFormat = "d MMM yyyy"DateTimeFormat = "EEE MMM d hh:mm:ss z yyyy" ;-------------------------------------------------------------------------------[ValidClients]100 = sleddog; Add list of trusted clients above ^^^^ in the format:; ClientID = Client's Host Name; CGI stub's clientID=100, and it's host name; For example 100 = localhost or 100 = 192.92.182.2; 101 = 192.92.190.5;

A-20Cisco AAA Implementation Case Study

Page 145: Cisco AAA Implementation Case Study - · PDF fileCisco AAA Implementation Case Study OL-0397-01 1.8.2 Authorization ... A.3 NAS AAA Command ... Authentication and Authorization Session

Appendix A AAA Device Configuration ListingsA.4 CiscoSecure for UNIX Configuration Listings

;if ValidateClients=true, then we only allow the clients with ids listed;above to connect to the dbserverValidateClients = false;if FastAdminValidateClients = true, then we only allow the clients with ids;listed below to connect to the FastAdminFastAdminValidateClients = false ;-------------------------------------------------------------------------------[Protocol TCP]HostName = sleddogPort = 9900; Name of host server ; Daemon port number;Port=5001 ;-------------------------------------------------------------------------------[Workers Pool]; Maximum numbers of connection workers in pool, beyond which; newly added workers will be ignored (or deleted).MaxInPool=50 ;-------------------------------------------------------------------------------[Database]DataSource = ORACLEDriverType = JDBC-Weblogic-Oracle; Specify the rdbms installed and the driver type; (ODBC or JDBC) that interfaces with the rdbms.; Driver=ODBC or Driver=JDBC, then go to the [ODBC]; or [JDBC] section to fill in the URL info. # Oracle with ODBC;DataSource = ORACLE;DriverType = ODBC-Visigenic-Oracle # Oracle with JDBC;DataSource = ORACLE;DriverType = JDBC-Weblogic-Oracle # SQLAnywhere with ODBC;DataSource = SQLAnywhere;DriverType = ODBC-SQLAnywhere # Sybase with ODBC;DataSource = SYBASE;DriverType = ODBC-Visigenic-Sybase # Sybase with JDBC;DataSource = SYBASE;DriverType = JDBC-Weblogic-Sybase # Test with some other DB that we did not qualify;DataSource = OtherDB;DriverType = ODBC-Visigenic # names of data dictionaryProfileAttr = cs_profile_attr_dictProfileCol = cs_profile_col_dictUserAcct = cs_user_account_attr_dict ;-------------------------------------------------------------------------------[SQLAnywhere];this is the bundle databaseConnectionLicense = 12

A-21Cisco AAA Implementation Case Study

Page 146: Cisco AAA Implementation Case Study - · PDF fileCisco AAA Implementation Case Study OL-0397-01 1.8.2 Authorization ... A.3 NAS AAA Command ... Authentication and Authorization Session

Appendix A AAA Device Configuration ListingsA.4 CiscoSecure for UNIX Configuration Listings

Username = DBA
Password = SQL

;-------------------------------------------------------------------------------
[OtherDB]
;number of open connections allowed to the data source(based on db license)
ConnectionLicense = 1
Username = csecure
Password = csecure

;-------------------------------------------------------------------------------
[ORACLE]
;number of open connections allowed to the data source(based on db license)
ConnectionLicense=4
Username = csecure
Password = csecure

;-------------------------------------------------------------------------------
[SYBASE]
;number of open connections allowed to the data source(based on db license)
ConnectionLicense = 8
Username = csecure
Password = csecure

;-------------------------------------------------------------------------------
[ODBC-SQLAnywhere]
;ODBC driver information
Manager = sun.jdbc.odbc.JdbcOdbcDriver
Driver = jdbc:odbc:SQLAnywhere;ENG=csecure;DBF=<database_file>;Start="dbeng50 -ud"
;Property below is required for internal use only: connection usage property
PrepareStatement = 0

;-------------------------------------------------------------------------------
[ODBC-Visigenic-Oracle]
;ODBC driver information
Manager = sun.jdbc.odbc.JdbcOdbcDriver
Driver = jdbc:odbc:Oracle
;Property below is required for internal use only: connection usage property
PrepareStatement = 1

;-------------------------------------------------------------------------------
[ODBC-Visigenic-Sybase]
;ODBC driver information
Manager = sun.jdbc.odbc.JdbcOdbcDriver
Driver = jdbc:odbc:SybaseDBLib
;Property below is required for internal use only: connection usage property
PrepareStatement = 1

;-------------------------------------------------------------------------------
[JDBC-Weblogic-Oracle]
;JDBC driver information
Manager=cisco.ciscosecure.dbserver.jdbc.WeblogicOciDriverManager
Driver=jdbc:weblogic:oracle:ciscosj
;Property below is required for internal use only: connection usage property
PrepareStatement = 1

;-------------------------------------------------------------------------------
[JDBC-Weblogic-Sybase]
;JDBC driver information
Manager=cisco.ciscosecure.dbserver.jdbc.WeblogicDBLibDriverManager
Driver=jdbc:weblogic:sybase
;Property below is required for internal use only: connection usage property
PrepareStatement = 1


;-------------------------------------------------------------------------------
[ProfileCaching]
EnableProfileCaching = OFF
;Polling period in minutes for cs_trans_log table
; Interval in seconds can be specified by fraction.
; For example, '5/60' denotes 5 seconds and '1 1/2' denotes 90 seconds.
; Setting to 0 disables polling.
DBPollInterval = 30
;-------------------------------------------------------------------------------

Note The data source sections of this file carry the database user names and passwords in cleartext. Restrict read access on the file to the account that runs CiscoSecure.

A.4.3 Oracle User Environment Variables

#su - oracle
Sun Microsystems Inc. SunOS 5.5.1 Generic May 1996
$env
HOME=/export/home/oracle
HZ=100
LD_LIBRARY_PATH=/opt/oracle/product/7.3.4/lib:/usr/openwin/lib:/usr/dt/lib:/usr/lib
LOGNAME=oracle
ORACLE_DOC=/doc
ORACLE_HOME=/opt/oracle/product/7.3.4
ORACLE_SID=ciscosj
ORACLE_TERM=xsun5
ORAENV_ASK=NO
PATH=/usr/bin::/opt/oracle/product/7.3.4:/opt/oracle/product/7.3.4/bin:/usr/ccs/bin:
SHELL=/bin/sh
TERM=ansi
TMPDIR=/var/tmp
TNS_ADMIN=/opt/oracle/product/7.3.4/network/admin
TZ=GMT-8

Note The PATH value above contains an empty entry (the double colon after /usr/bin) and ends with a colon. The Bourne shell searches an empty PATH entry as the current working directory, so a program dropped into whatever directory the oracle user is in can be run in place of a system command. Remove the empty entries before using this environment in production.


A.4.4 listener.ora Listing

$cd $ORACLE_HOME/
$ls
bin       jdbc      nlsrtl3   orainst   precomp   sqlplus
book22    lib       ocommon   otrace    rdbms     svrmgr
dbs       network   oracore3  plsql     slax
$cd network/admin
$ls
csmgen.tcl    listener.ora  tcl7.4        tnsnames.ora
csmman.man    sqlnet.fdf    tk4.0
$cat listener.ora
#
# Installation Generated Net V2 Configuration
# Version Date: Sep-16-97
# Filename: Listener.ora
#
LISTENER =
  (ADDRESS_LIST =
        (ADDRESS= (PROTOCOL= IPC)(KEY= ciscosj))
        (ADDRESS= (PROTOCOL= IPC)(KEY= PNPKEY))
        (ADDRESS= (PROTOCOL= TCP)(Host= sleddog)(Port= 1521))
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME= sleddog.)
      (ORACLE_HOME= /opt/oracle/product/7.3.4)
      (SID_NAME = ciscosj)
    )
  )
STARTUP_WAIT_TIME_LISTENER = 0
CONNECT_TIMEOUT_LISTENER = 10
TRACE_LEVEL_LISTENER = OFF
$ls
csmgen.tcl    listener.ora  tcl7.4        tnsnames.ora
csmman.man    sqlnet.fdf    tk4.0
$cat tnsnames.ora
#
# Installation Generated NetV2 Configuration
# Version Date: Sep-30-97
# Filename: Tnsnames.ora
#
ciscosj =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL= TCP)(Host= sleddog)(Port= 1521))
    (CONNECT_DATA = (SID = ciscosj))
  )


A.5 CiscoSecure Log Files

$CSUBASE/logfiles/cs_install.log
$CSUBASE/logfiles/cs_shutdown.log
$CSUBASE/logfiles/cs_startup.log
$CSUBASE/logfiles/csdblog_<date>
$CSUBASE/logfiles/passwd_chg.log
$CSUBASE/ns-home/CSUServer/logs/access
$CSUBASE/ns-home/CSUServer/logs/errors
$CSUBASE/ns-home/admserver/errors
$CSUBASE/ns-home/admserver/access
$CSUBASE/ns-home-httpd-csuserver/logs


Appendix B

AAA Impact on Maintenance Tasks

Most BootFlash images do not recognize all Cisco IOS aaa commands. As a result, invoking a BootFlash image can lead to a password recovery situation unless the Cisco IOS fragments listed in this appendix are used to disable AAA. One example of a situation requiring the inclusion of this configuration is a software image upgrade for a Cisco AS5200 access server.

Include the following Cisco IOS commands to disable AAA authentication and authorization on the console and VTY ports of a NAS. Because each of these method lists uses the none method, the lines leave the console and VTY ports open without any authentication or command authorization; apply them only for the maintenance window and remove them as soon as the upgrade is complete.

aaa authentication login NO_AUTHENT none
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 NO_AUTHOR none
line con 0
 authorization exec NO_AUTHOR
 login authentication NO_AUTHENT
 authorization commands 15 NO_AUTHOR

line vty 0 4
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 login authentication NO_AUTHENT

Note Refer to “4.6 Implementing Server-Based TACACS+ Router Authorization” for related implementation information.
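After the upgrade the maintenance lists must come out again, because a line whose login authentication list resolves to the none method accepts any connection without a password. The following Python script is an added example, not part of this guide or of Cisco IOS; it reads a running configuration (the sample is constructed from the fragment above plus ordinary TACACS+ default lists) and reports every console or VTY block whose authentication or authorization list, whether named explicitly or inherited from the implicit default list, contains none.

```python
"""Post-maintenance check: which IOS line blocks still resolve to method 'none'?

Added example for this case study, not Cisco code. The configuration is
constructed: the Appendix B maintenance fragment added to a NAS that
otherwise authenticates and authorizes against TACACS+.
"""
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHENT none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 NO_AUTHOR none
line con 0
 authorization exec NO_AUTHOR
 login authentication NO_AUTHENT
 authorization commands 15 NO_AUTHOR
line vty 0 4
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 login authentication NO_AUTHENT
line vty 5 15
 login authentication default
"""

AAA_LIST_RE = re.compile(
    r"^aaa (?P<kind>authentication login|authorization (?:exec|commands \d+)) "
    r"(?P<name>\S+) (?P<methods>.+)$")
LINE_RE = re.compile(r"^line (?P<name>.+)$")
LINE_REF_RE = re.compile(
    r"^\s+(?P<kind>login authentication|authorization (?:exec|commands \d+)) "
    r"(?P<name>\S+)$")
# The 'line' sub-commands that select an AAA method list.
LINE_KINDS = ("login authentication", "authorization exec", "authorization commands 15")


def parse_aaa_lists(config):
    """Map (line sub-command, list name) to the list's method sequence."""
    lists = {}
    for line in config.splitlines():
        m = AAA_LIST_RE.match(line)
        if m:
            # 'aaa authentication login X' is referenced as 'login authentication X'.
            kind = "login authentication" if m["kind"] == "authentication login" else m["kind"]
            lists[(kind, m["name"])] = m["methods"].split()
    return lists


def parse_line_blocks(config):
    """Map each 'line ...' block to the method lists its sub-commands reference."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw and not raw[0].isspace():
            # Top-level command: a new 'line' block starts, or the block ends.
            m = LINE_RE.match(raw)
            current = m["name"] if m else None
            if current is not None:
                blocks.setdefault(current, {})
            continue
        m = LINE_REF_RE.match(raw) if current is not None else None
        if m:
            blocks[current][m["kind"]] = m["name"]
    return blocks


def open_lines(config):
    """(line block, sub-command, list) triples whose effective list contains 'none'.

    A line block that does not name a list uses the 'default' list, so a
    'default' list containing 'none' is reported on every block as well.
    """
    lists = parse_aaa_lists(config)
    findings = []
    for block, refs in parse_line_blocks(config).items():
        for kind in LINE_KINDS:
            name = refs.get(kind, "default")
            if "none" in lists.get((kind, name), []):
                findings.append((block, kind, name))
    return sorted(findings)


if __name__ == "__main__":
    for block, kind, name in open_lines(SAMPLE_CONFIG):
        print(f"line {block}: {kind} {name} resolves to method 'none'")
```

Run it against the output of show running-config after the BootFlash image has been replaced; an empty result means the maintenance lists are gone and every console and VTY block is back on a list that actually authenticates.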


Appendix C

Server-Based AAA Verification Diagnostic Output

This appendix is organized into the following sections:

• C.1 Server-Based TACACS+ Dialup Authentication Diagnostics

• C.2 Server-Based TACACS+ Dialup Authorization Diagnostics

• C.3 Server-Based RADIUS Dialup Authentication Diagnostics

• C.4 Server-Based RADIUS Dialup Authorization Diagnostics

• C.5 Server-Based TACACS+ Router Authentication Diagnostics

• C.6 Server-Based TACACS+ Router Authorization Diagnostics

Diagnostic examples present captured output from debug command (router) and tail command (AAA server) listings.

Note Output fragments provided here are excerpted from the applicable debug command output or AAA server csuslog file—unless otherwise noted. Diagnostic content is gathered from the AAA server by using the tail -f /var/log/csuslog command. Pertinent portions of output are included as fragments of complete listings.

C.1 Server-Based TACACS+ Dialup Authentication Diagnostics

The following test results for “4.1 Implementing Server-Based TACACS+ Dialup Authentication” provide relevant NAS and AAA server log output:

1. Authentication login is successful for user tac_dial.

2. PAP authentication request for user tac_dial.

3. Creation of user tac_dial, service=ppp.

4. Authentication PASS received from AAA server.

Note Use these debug commands: debug aaa authentication and debug ppp authentication.


The following diagnostic results are presented in the order in which they are generated during the authentication process. Specific output fragments are differentiated with brief explanatory notes to help you identify relevant information.

Note The debug command output can vary depending on Cisco IOS versions.

1. Authentication login is successful for user tac_dial.

AAA server csuslog output:

Feb 4 10:40:13 coachella CiscoSecure: DEBUG - AUTHENTICATION START request (8d2d325f)
Feb 4 10:40:13 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.63.1, Port = Async3, User = tac_dial, Priv = 1]

2. PAP authentication request for user tac_dial.

NAS debug output:

113288: Feb 4 10:40:13.696 CST: As3 PAP: I AUTH-REQ id 1 len 23 from "tac_dial"
113289: Feb 4 10:40:13.696 CST: As3 PAP: Authenticating peer tac_dial

3. Creation of user tac_dial, service=ppp.

NAS debug output:

113290: Feb 4 10:40:13.696 CST: AAA: parse name=Async3 idb type=10 tty=3
113291: Feb 4 10:40:13.696 CST: AAA: name=Async3 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=3 channel=0
113292: Feb 4 10:40:13.696 CST: AAA: parse name=Serial0:4 idb type=12 tty=-1
113293: Feb 4 10:40:13.696 CST: AAA: name=Serial0:4 flags=0x51 type=1 shelf=0 slot=0 adapter=0 port=0 channel=4
113294: Feb 4 10:40:13.696 CST: AAA/MEMORY: create_user (0x61E09254) user='tac_dial' ruser='' port='Async3' rem_addr='async/81560' authen_type=PAP service=PPP priv=1
113295: Feb 4 10:40:13.696 CST: AAA/AUTHEN/START (2368549471): port='Async3' list='' action=LOGIN service=PPP

4. Authentication PASS received from AAA server.

NAS debug output:

113296: Feb 4 10:40:13.696 CST: AAA/AUTHEN/START (2368549471): using "default" list
113297: Feb 4 10:40:13.696 CST: AAA/AUTHEN (2368549471): status = UNKNOWN
113298: Feb 4 10:40:13.696 CST: AAA/AUTHEN/START (2368549471): Method=tacacs+ (tacacs+)
113299: Feb 4 10:40:13.696 CST: TAC+: send AUTHEN/START packet ver=193 id=2368549471
113300: Feb 4 10:40:13.900 CST: TAC+: ver=193 id=2368549471 received AUTHEN status = PASS

C.2 Server-Based TACACS+ Dialup Authorization Diagnostics

The following test results for “4.2 Implementing Server-Based TACACS+ Dialup Authorization” provide relevant NAS and AAA server log output:

1. User dialtest is authorized EXEC shell access to the NAS.

2. User dialtest starts PPP from the shell and is assigned the addr-pool=default and inacl=110 AVPs.

3. User dialtest is authorized EXEC shell access to NAS.

4. User dialtest is assigned the addr-pool=default AVP through network authorization.


5. User dialtest is assigned the inacl=110 AVP through network authorization.

6. User dialtest starts PPP and is assigned the addr-pool=default and inacl=110 AVPs.

Note Use this debug command: debug aaa authorization.

The following diagnostic results are presented in the order in which they are generated during the authorization process. Specific output fragments are differentiated with brief explanatory notes to help you identify relevant information.

Note The debug command output can vary depending on Cisco IOS versions.

1. User dialtest is authorized EXEC shell access to the NAS.

AAA server csuslog output:

Apr 6 15:48:06 sleddog CiscoSecure: DEBUG - AUTHORIZATION request (365f23d3)
Apr 6 15:48:06 sleddog CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.23.84.35, user = dialtest, port = tty8, input: service=shell cmd* output: ]

2. User dialtest starts PPP from the shell and is assigned the addr-pool=default and inacl=110 AVPs.

AAA server csuslog output:

Apr 6 15:48:07 sleddog CiscoSecure: DEBUG - AUTHORIZATION request (74e5f744)
Apr 6 15:48:07 sleddog CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.23.84.35, user = dialtest, port = tty8, input: service=ppp protocol=ip addr-pool*default output: inacl=110]
Apr 6 15:48:13 sleddog CiscoSecure: DEBUG - AUTHORIZATION request (78655fcd)
Apr 6 15:48:13 sleddog CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.23.84.35, user = dialtest, port = tty8, input: service=ppp protocol=lcp output: ]
Apr 6 15:48:13 sleddog CiscoSecure: DEBUG - AUTHORIZATION request (cae30c69)
Apr 6 15:48:13 sleddog CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.23.84.35, user = dialtest, port = tty8, input: service=ppp protocol=ip output: addr-pool=default inacl=110]

3. User dialtest is authorized EXEC shell access to NAS.

NAS debug output:

*Apr 6 00:12:29.932: As8 AAA/AUTHOR/EXEC (912204755): Port='tty8' list='' service=EXEC
*Apr 6 00:12:29.932: AAA/AUTHOR/EXEC: As8 (912204755) user='dialtest'
*Apr 6 00:12:29.932: As8 AAA/AUTHOR/EXEC (912204755): send AV service=shell
*Apr 6 00:12:29.932: As8 AAA/AUTHOR/EXEC (912204755): send AV cmd*
*Apr 6 00:12:29.932: As8 AAA/AUTHOR/EXEC (912204755): found list "default"
*Apr 6 00:12:29.932: As8 AAA/AUTHOR/EXEC (912204755): Method=tacacs+ (tacacs+)
*Apr 6 00:12:29.932: AAA/AUTHOR/TAC+: (912204755): user=dialtest
*Apr 6 00:12:29.932: AAA/AUTHOR/TAC+: (912204755): send AV service=shell
*Apr 6 00:12:29.932: AAA/AUTHOR/TAC+: (912204755): send AV cmd*
*Apr 6 00:12:30.136: As8 AAA/AUTHOR (912204755): Post authorization status = PASS_ADD


4. User dialtest is assigned the addr-pool=default AVP through network authorization.

NAS debug output:

*Apr 6 00:12:31.480: AAA/AUTHOR/PPP: As8 (1961228100) user='dialtest'
*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): send AV service=ppp
*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): send AV protocol=ip
*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): send AV addr-pool*default
*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): found list "default"
*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): Method=tacacs+ (tacacs+)
*Apr 6 00:12:31.480: AAA/AUTHOR/TAC+: (1961228100): user=dialtest
*Apr 6 00:12:31.480: AAA/AUTHOR/TAC+: (1961228100): send AV service=ppp
*Apr 6 00:12:31.480: AAA/AUTHOR/TAC+: (1961228100): send AV protocol=ip
*Apr 6 00:12:31.480: AAA/AUTHOR/TAC+: (1961228100): send AV addr-pool*default
*Apr 6 00:12:31.684: As8 AAA/AUTHOR (1961228100): Post authorization status = PASS_ADD

5. User dialtest is assigned the inacl=110 AVP through network authorization.

NAS debug output:

*Apr 6 00:12:31.684: AAA/AUTHOR/Async8: PPP: Processing AV service=ppp
*Apr 6 00:12:31.684: AAA/AUTHOR/Async8: PPP: Processing AV protocol=ip
*Apr 6 00:12:31.684: AAA/AUTHOR/Async8: PPP: Processing AV addr-pool*default
*Apr 6 00:12:31.684: AAA/AUTHOR/Async8: PPP: Processing AV inacl=110

6. User dialtest starts PPP and is assigned the addr-pool=default and inacl=110 AVPs.

NAS debug output:

*Apr 6 00:33:05.860: As9 AAA/AUTHOR/IPCP: Says use pool default
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Pool returned 172.23.25.37
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV service=ppp
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV protocol=ip
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV addr-pool=default
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV inacl=110
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV addr*172.23.25.37
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Authorization succeeded
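The AV pairs in the listings above follow the TACACS+ authorization rules: an attribute joined to its value with = is mandatory, one joined with * is optional (the NAS only hints addr-pool*default), and the server's PASS_ADD status means its reply pairs are used in addition to the request pairs, while PASS_REPL means they replace them (RFC 8907, sections 6.1 and 6.2). The following Python code is an added example, not Cisco code, that parses AV pairs and applies those rules to the request and reply pairs from steps 2, 5 and 6; the set of attributes it treats as supported and the rule that a reply pair overrides a request pair carrying the same attribute are assumptions of the example.

```python
"""TACACS+ authorization AV-pair handling on the NAS side (added example, not Cisco code)."""
from dataclasses import dataclass


class AuthorizationError(Exception):
    """The NAS must treat the server's reply as a failed authorization."""


# Attributes this example NAS knows how to act on. Cisco IOS supports many
# more; the set is an assumption of the example.
SUPPORTED_ATTRS = {"service", "protocol", "cmd", "cmd-arg", "addr",
                   "addr-pool", "inacl", "outacl", "priv-lvl"}


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool

    @classmethod
    def parse(cls, text):
        """Split on the first '=' (mandatory) or '*' (optional), whichever comes first."""
        seps = [i for i in (text.find("="), text.find("*")) if i >= 0]
        if not seps:
            raise ValueError(f"not an AV pair: {text!r}")
        i = min(seps)
        return cls(text[:i], text[i + 1:], text[i] == "=")

    def __str__(self):
        return f"{self.attr}{'=' if self.mandatory else '*'}{self.value}"


def authorize(request_avs, status, reply_avs, supported=SUPPORTED_ATTRS):
    """Return the AV pairs the NAS applies after the server's reply, or None on FAIL.

    Reply pairs with an attribute the NAS does not support are ignored when
    optional and fatal when mandatory (RFC 8907, section 6.1).
    """
    request = [AVPair.parse(s) for s in request_avs]
    reply = []
    for s in reply_avs:
        av = AVPair.parse(s)
        if av.attr not in supported:
            if av.mandatory:
                raise AuthorizationError(f"unsupported mandatory attribute {av}")
            continue
        reply.append(av)
    if status == "FAIL":
        return None
    if status == "PASS_REPL":
        return reply
    if status == "PASS_ADD":
        merged = list(request)
        for av in reply:
            # A reply pair for an attribute the request already carried (the
            # request's optional value being only a hint) takes its place;
            # new pairs are appended. The override rule is this example's
            # assumption; repeated attributes such as cmd-arg are not
            # expected in replies.
            for i, existing in enumerate(merged):
                if existing.attr == av.attr:
                    merged[i] = av
                    break
            else:
                merged.append(av)
        return merged
    raise ValueError(f"unknown authorization status {status!r}")


if __name__ == "__main__":
    # Request 74e5f744 from step 2: PASS_ADD with only inacl=110 returned,
    # which is the list the NAS processes in step 5.
    for av in authorize(["service=ppp", "protocol=ip", "addr-pool*default"],
                        "PASS_ADD", ["inacl=110"]):
        print("Processing AV", av)
    # Request cae30c69: the server adds addr-pool=default and inacl=110.
    print([str(av) for av in authorize(["service=ppp", "protocol=ip"],
                                       "PASS_ADD", ["addr-pool=default", "inacl=110"])])
```

The mandatory-versus-optional distinction is what makes the server's answer enforceable: the NAS can be refused an attribute it asked for with *, but it must fail the whole authorization rather than silently drop a mandatory attribute it does not understand.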

C.3 Server-Based RADIUS Dialup Authentication Diagnostics

The following test results for “4.3 Implementing Server-Based RADIUS Dialup Authentication” provide relevant NAS and AAA server output:

1. User rad_dial successfully passes authentication on port Async5.

2. User rad_dial successfully passes authentication.

Note Use these debug commands: debug aaa authentication and debug ppp authentication.

The following diagnostic results are presented in the order in which they are generated during the authentication process. Specific output fragments are differentiated with brief explanatory notes to help identify relevant information.


Note The debug command output can vary depending on Cisco IOS versions.

1. User rad_dial successfully passes authentication on port Async5.

NAS debug output:

00:38:42: AAA/MEMORY: create_user (0x61619F48) user='rad_dial' ruser='' port='Async5' rem_addr='65004/65301' authen_type=PAP service=PPP priv=1
00:38:42: AAA/AUTHEN/START (3896270890): port='Async5' list='' action=LOGIN service=PPP
00:38:42: AAA/AUTHEN/START (3896270890): using "default" list
00:38:42: AAA/AUTHEN (3896270890): status = UNKNOWN
00:38:42: AAA/AUTHEN/START (3896270890): Method=radius (radius)
00:38:42: AAA/AUTHEN (3896270890): status = PASS

2. User rad_dial successfully passes authentication.

AAA server csuslog output:

Apr 6 16:18:19 danvers CiscoSecure: INFO - Profile: user = rad_dial {
Apr 6 16:18:19 danvers set server current-failed-logins = 0
Apr 6 16:18:19 danvers profile_cycle = 9

C.4 Server-Based RADIUS Dialup Authorization Diagnostics

The following test results for “4.4 Implementing Server-Based RADIUS Dialup Authorization” provide relevant NAS output:

1. User rad_dial is authorized for protocol=lcp.

2. User rad_dial is authorized for IPCP.

3. Input access-list is verified as 110 while the output access-list is shown as not set.

Note Use these commands: debug aaa authorization and show caller user rad_dial detail.

The following diagnostic results are presented in the order in which they are generated during the authorization process. Specific output fragments are differentiated with brief explanatory notes to help you identify relevant information.


Note The debug command output can vary depending on Cisco IOS versions.

1. User rad_dial is authorized for protocol=lcp.

NAS debug output:

01:02:17: AAA/MEMORY: create_user (0x61504AC4) user='rad_dial' ruser='' port='Async6' rem_addr='65004/65301' authen_type=PAP service=PPP priv=1
01:02:17: As6 AAA/AUTHOR/LCP: Authorize LCP
01:02:17: As6 AAA/AUTHOR/LCP (3341570658): Port='Async6' list='' service=NET
01:02:17: AAA/AUTHOR/LCP: As6 (3341570658) user='rad_dial'
01:02:17: As6 AAA/AUTHOR/LCP (3341570658): send AV service=ppp
01:02:17: As6 AAA/AUTHOR/LCP (3341570658): send AV protocol=lcp
01:02:17: As6 AAA/AUTHOR/LCP (3341570658): found list "default"
01:02:17: As6 AAA/AUTHOR/LCP (3341570658): Method=radius (radius)
01:02:17: As6 AAA/AUTHOR (3341570658): Post authorization status = PASS_REPL

2. User rad_dial is authorized for IPCP.

NAS debug output:

01:02:17: As6 AAA/AUTHOR/LCP: Processing AV service=ppp
01:02:17: As6 AAA/AUTHOR/FSM: (0): Can we start IPCP?
01:02:17: As6 AAA/AUTHOR/FSM (2347737596): Port='Async6' list='' service=NET
01:02:17: AAA/AUTHOR/FSM: As6 (2347737596) user='rad_dial'
01:02:17: As6 AAA/AUTHOR/FSM (2347737596): send AV service=ppp
01:02:17: As6 AAA/AUTHOR/FSM (2347737596): send AV protocol=ip
01:02:17: As6 AAA/AUTHOR/FSM (2347737596): found list "default"
01:02:17: As6 AAA/AUTHOR/FSM (2347737596): Method=radius (radius)
01:02:17: As6 AAA/AUTHOR (2347737596): Post authorization status = PASS_REPL
01:02:17: As6 AAA/AUTHOR/FSM: We can start IPCP
01:02:17: As6 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 172.22.83.5
01:02:17: As6 AAA/AUTHOR/IPCP: Processing AV service=ppp
01:02:17: As6 AAA/AUTHOR/IPCP: Processing AV inacl=110
01:02:17: As6 AAA/AUTHOR/IPCP: Authorization succeeded
01:02:17: As6 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 172.22.83.5
01:02:18: As6 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 172.22.83.5
01:02:18: As6 AAA/AUTHOR/IPCP: Processing AV service=ppp
01:02:18: As6 AAA/AUTHOR/IPCP: Processing AV inacl=110
01:02:18: As6 AAA/AUTHOR/IPCP: Authorization succeeded
01:02:18: As6 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 172.22.83.5
01:02:18: As6 AAA/AUTHOR/IPCP: Start. Her address 172.22.83.5, we want 172.22.83.5

3. Input access-list is verified as 110 while the output access-list is shown as not set.


Output from show caller user rad_dial detail from NAS:

User: rad_dial, line tty 116, service Async
      Active time 00:01:29, Idle time 00:00:40
  Timeouts:            Absolute  Idle      Idle      Session   Exec
      Limits:          04:00:00  -         00:48:00
      Disconnect in:   03:58:30  -         -
  TTY: Line 116, running PPP on As116
  Location: PPP: 172.22.83.37
  DS0: (slot/unit/channel)=0/0/20
  Line: Baud rate (TX/RX) is 115200/115200, no parity, 1 stopbits, 8 databits
  Status: Ready, Active, No Exit Banner, Async Interface Active
          HW PPP Support Active, Modem Detected
  Capabilities: Hardware Flowcontrol In, Hardware Flowcontrol Out
                Modem Callout, Modem RI is CD,
                Line usable as async interface, Modem Autoconfigure
                Integrated Modem
  Modem State: Ready, Modem Configured

User: rad_dial, line As116, service PPP
      Active time 00:01:23, Idle time 00:00:35
  Timeouts:            Absolute  Idle
      Limits:          -         -
      Disconnect in:   -         -
  PPP: LCP Open, PAP (<- AAA), IPCP, CDPCP
  LCP: -> peer, ACCM, AuthProto, MagicNumber, PCompression, ACCompression
       <- peer, ACCM, MagicNumber, PCompression, ACCompression
  NCP: Open IPCP, CDPCP
  IPCP: <- peer, Address
        -> peer, Address
  IP: Local 172.22.83.1, remote 172.22.83.37
  Access list (I/O) is 110/not set, default (I/O) not set/not set
  Counts: 14 packets input, 1399 bytes, 0 no buffer
          1 input errors, 1 CRC, 0 frame, 0 overrun
          15 packets output, 1448 bytes, 0 underruns
          0 output errors, 0 collisions, 0 interface resets

C.5 Server-Based TACACS+ Router Authentication Diagnostics

The following test results for “4.5 Implementing Server-Based TACACS+ Router Authentication” provide relevant router output:

1. Get user and password interaction between router and AAA server.

2. User rtr_test successfully logs in.

Note Use this debug command: debug aaa authentication.

The following diagnostic results are presented in the order in which they are generated during the authentication process. Specific output fragments are differentiated with brief explanatory notes to help you identify relevant information.

Note The debug command output can vary depending on Cisco IOS versions.

1. Get user and password interaction between router and AAA server.


Router debug output:

Feb 24 11:10:27.101 CST: AAA/MEMORY: create_user (0x61F74900) user='' ruser='' port='tty2' rem_addr='172.22.53.201' authen_type=ASCII service=LOGIN priv=1
Feb 24 11:10:27.101 CST: AAA/AUTHEN/START (2925282821): port='tty2' list='' action=LOGIN service=LOGIN
Feb 24 11:10:27.101 CST: AAA/AUTHEN/START (2925282821): using "default" list
Feb 24 11:10:27.101 CST: AAA/AUTHEN/START (2925282821): Method=tacacs+ (tacacs+)
Feb 24 11:10:27.105 CST: TAC+: send AUTHEN/START packet ver=192 id=2925282821
Feb 24 11:10:27.305 CST: TAC+: ver=192 id=2925282821 received AUTHEN status = GETUSER
Feb 24 11:10:27.305 CST: AAA/AUTHEN (2925282821): status = GETUSER
Feb 24 11:10:30.549 CST: AAA/AUTHEN/CONT (2925282821): continue_login (user='(undef)')
Feb 24 11:10:30.549 CST: AAA/AUTHEN (2925282821): status = GETUSER
Feb 24 11:10:30.549 CST: AAA/AUTHEN (2925282821): Method=tacacs+ (tacacs+)
Feb 24 11:10:30.549 CST: TAC+: send AUTHEN/CONT packet id=2925282821
Feb 24 11:10:30.749 CST: TAC+: ver=192 id=2925282821 received AUTHEN status = GETPASS
Feb 24 11:10:30.749 CST: AAA/AUTHEN (2925282821): status = GETPASS
Feb 24 11:10:33.981 CST: AAA/AUTHEN/CONT (2925282821): continue_login (user='rtr_test')
Feb 24 11:10:33.981 CST: AAA/AUTHEN (2925282821): status = GETPASS
Feb 24 11:10:33.981 CST: AAA/AUTHEN (2925282821): Method=tacacs+ (tacacs+)
Feb 24 11:10:33.981 CST: TAC+: send AUTHEN/CONT packet id=2925282821
Feb 24 11:10:34.181 CST: TAC+: ver=192 id=2925282821 received AUTHEN status = PASS
Feb 24 11:10:34.181 CST: AAA/AUTHEN (2925282821): status = PASS
Feb 24 11:10:34.381 CST: TAC+: (2248458861): received author response status = PASS_ADD

2. User rtr_test successfully logs in.

AAA server csuslog output:

Feb 24 11:10:34 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.255.3, Port = tty2, User = rtr_test, Priv = 1]
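The ver= and id= fields in the router debug output are the TACACS+ header's version byte and session id: ver=192 (0xc0) is major version 12 with minor version 0, used for the ASCII login shown here, and ver=193 (0xc1) is minor version 1, used for the PAP exchange in C.1. Together with the packet sequence number and the shared key they derive the MD5 pad that obfuscates every packet body (RFC 8907, section 4.5). The following Python code is an added example, not Cisco code; it builds and parses the authentication START packet of this exchange, with a shared key that is an assumption of the example. RFC 8907 itself describes the mechanism as obfuscation rather than encryption: it carries no integrity protection and the key is the only secret, which is why the deprecated unencrypted flag is refused below and why the path between NAS and server belongs on a dedicated management network.

```python
"""TACACS+ header and body obfuscation (RFC 8907, sections 4.1 and 4.5).

Added example for this appendix, not Cisco code. SHARED_KEY is an assumption;
a real deployment uses the key configured with 'tacacs-server key' on the
NAS and in the NAS entry on the CiscoSecure server.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
# version, type, seq_no, flags, session_id, length; all network byte order
HEADER = struct.Struct("!BBBBII")
SHARED_KEY = b"example-shared-key"  # assumption of the example


def version_byte(minor):
    """ver=192 (0xc0) is minor version 0, ver=193 (0xc1) is minor version 1."""
    return (TAC_PLUS_MAJOR_VER << 4) | (minor & 0x0F)


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, data=b""):
    """Authentication START body (RFC 8907, section 5.1): LOGIN action, user
    privilege level, ASCII authentication type, LOGIN service, four lengths,
    then the variable-length fields."""
    login, priv_lvl_user, type_ascii, svc_login = 1, 1, 1, 1
    return (struct.pack("!BBBBBBBB", login, priv_lvl_user, type_ascii, svc_login,
                        len(user), len(port), len(rem_addr), len(data))
            + user + port + rem_addr + data)


def build_packet(pkt_type, seq_no, session_id, body, key=SHARED_KEY, minor=0):
    version = version_byte(minor)
    header = HEADER.pack(version, pkt_type, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(data, key=SHARED_KEY):
    """Return (header fields, cleartext body); refuses the deprecated unencrypted mode."""
    version, pkt_type, seq_no, flags, session_id, length = HEADER.unpack(data[:HEADER.size])
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError(f"unsupported major version {version >> 4:#x}")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("unencrypted flag set; RFC 8907 forbids it in production")
    body = data[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    fields = {"version": version, "type": pkt_type, "seq_no": seq_no, "session_id": session_id}
    return fields, obfuscate(body, session_id, key, version, seq_no)


if __name__ == "__main__":
    # The START packet of the C.5 exchange: empty user (the server answers
    # GETUSER), port tty2, remote address 172.22.53.201, session id from the debug.
    body = authen_start_body(b"", b"tty2", b"172.22.53.201")
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, 2925282821, body)
    print("on the wire:", pkt.hex())
    print("parsed back:", parse_packet(pkt))
    print("wrong key  :", parse_packet(pkt, key=b"not-the-key")[1])
```

A wrong key does not produce an error, only garbage: nothing in the packet lets the receiver tell a bad key from a corrupted body, so key mismatches show up as parse failures or server FAIL replies rather than as an explicit authentication error.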


C.6 Server-Based TACACS+ Router Authorization Diagnostics

The following test results illustrate three separate user types as described in “4.6 Implementing Server-Based TACACS+ Router Authorization”, belonging to three separate user groups: rtr_low, rtr_tech, and rtr_super. The example output is provided in the following sections:

• C.6.1 Test Results for rtr_low Group

• C.6.2 Test Results for rtr_tech Group

• C.6.3 Test Results for rtr_super Group

Note Use this debug command: debug aaa authorization.

C.6.1 Test Results for rtr_low Group

Test results follow for each Cisco IOS command summarized in Table 4-1, including relevant router output and AAA server log output:

1. User rtr_dweeb is authorized EXEC shell access.

2. User rtr_dweeb enters enable mode.

3. User rtr_dweeb fails debug all command.

4. User rtr_dweeb fails debug ip packet command.

5. User rtr_dweeb fails clear ip cache command.

6. User rtr_dweeb fails reload command.

7. User rtr_dweeb fails show running-config command.

8. User rtr_dweeb fails write terminal command.

9. User rtr_dweeb fails copy running-config startup-config command.

10. User rtr_dweeb fails write memory command.

11. User rtr_dweeb fails configure terminal command.

The following diagnostic results are presented in the order in which they are generated during the authorization process. Specific output fragments are differentiated with brief explanatory notes to help you identify relevant information.


Note The debug command output can vary depending on Cisco IOS versions.

1. User rtr_dweeb is authorized EXEC shell access.

Router debug output:

Feb 18 11:44:36.115 CST: AAA/MEMORY: create_user (0x61F883B4) user='' ruser='' port='tty3' rem_addr='172.22.53.201' authen_type=ASCII service=LOGIN priv=1
Feb 18 11:44:42.135 CST: tty3 AAA/AUTHOR/EXEC (1279405337): Port='tty3' list='' service=EXEC
Feb 18 11:44:42.135 CST: AAA/AUTHOR/EXEC: tty3 (1279405337) user='rtr_dweeb'
Feb 18 11:44:42.135 CST: tty3 AAA/AUTHOR/EXEC (1279405337): send AV service=shell
Feb 18 11:44:42.135 CST: tty3 AAA/AUTHOR/EXEC (1279405337): send AV cmd*
Feb 18 11:44:42.135 CST: tty3 AAA/AUTHOR/EXEC (1279405337): found list "default"
Feb 18 11:44:42.135 CST: tty3 AAA/AUTHOR/EXEC (1279405337): Method=tacacs+ (tacacs+)
Feb 18 11:44:42.135 CST: AAA/AUTHOR/TAC+: (1279405337): user=rtr_dweeb
Feb 18 11:44:42.135 CST: AAA/AUTHOR/TAC+: (1279405337): send AV service=shell
Feb 18 11:44:42.135 CST: AAA/AUTHOR/TAC+: (1279405337): send AV cmd*
Feb 18 11:44:42.335 CST: AAA/AUTHOR (1279405337): Post authorization status = PASS_ADD
Feb 18 11:44:42.335 CST: AAA/AUTHOR/EXEC: Authorization successful

AAA server csuslog output:

Feb 18 11:44:41 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.255.3, Port = tty3, User = rtr_dweeb, Priv = 1]
Feb 18 11:44:41 coachella CiscoSecure: DEBUG -
Feb 18 11:44:42 coachella CiscoSecure: DEBUG - AUTHORIZATION request (4c422d19)
Feb 18 11:44:42 coachella CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd* output: ]

2. User rtr_dweeb enters enable mode.

Router debug output:

Feb 18 11:44:45.651 CST: AAA/MEMORY: free_user (0x61CC44D4) user='' ruser='' port='tty3' rem_addr='172.22.53.201' authen_type=ASCII service=ENABLE priv=15

3. User rtr_dweeb fails debug all command.

Router debug output:

Feb 18 11:44:49.875 CST: tty3 AAA/AUTHOR/CMD (2800178490): Port='tty3' list='' service=CMD
Feb 18 11:44:49.875 CST: AAA/AUTHOR/CMD: tty3 (2800178490) user='rtr_dweeb'
Feb 18 11:44:49.875 CST: tty3 AAA/AUTHOR/CMD (2800178490): send AV service=shell
Feb 18 11:44:49.879 CST: tty3 AAA/AUTHOR/CMD (2800178490): send AV cmd=debug
Feb 18 11:44:49.879 CST: tty3 AAA/AUTHOR/CMD (2800178490): send AV cmd-arg=all
Feb 18 11:44:49.879 CST: tty3 AAA/AUTHOR/CMD (2800178490): send AV cmd-arg=<cr>
Feb 18 11:44:49.879 CST: tty3 AAA/AUTHOR/CMD (2800178490): found list "default"
Feb 18 11:44:49.879 CST: tty3 AAA/AUTHOR/CMD (2800178490): Method=tacacs+ (tacacs+)
Feb 18 11:44:49.879 CST: AAA/AUTHOR/TAC+: (2800178490): user=rtr_dweeb
Feb 18 11:44:49.879 CST: AAA/AUTHOR/TAC+: (2800178490): send AV service=shell
Feb 18 11:44:49.879 CST: AAA/AUTHOR/TAC+: (2800178490): send AV cmd=debug
Feb 18 11:44:49.879 CST: AAA/AUTHOR/TAC+: (2800178490): send AV cmd-arg=all
Feb 18 11:44:49.879 CST: AAA/AUTHOR/TAC+: (2800178490): send AV cmd-arg=<cr>
Feb 18 11:44:50.079 CST: AAA/AUTHOR (2800178490): Post authorization status = FAIL


AAA server csuslog output:

Feb 18 11:44:49 coachella CiscoSecure: DEBUG - AUTHORIZATION request (a6e7553a)
Feb 18 11:44:49 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS = 172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=debug cmd-arg=all cmd-arg=<cr> output: ]

4. User rtr_dweeb fails debug ip packet command.

Router debug output:

Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): Port='tty3' list='' service=CMD
Feb 18 11:44:55.447 CST: AAA/AUTHOR/CMD: tty3 (4087104408) user='rtr_dweeb'
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): send AV service=shell
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): send AV cmd=debug
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): send AV cmd-arg=ip
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): send AV cmd-arg=packet
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): send AV cmd-arg=<cr>
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): found list "default"
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): Method=tacacs+ (tacacs+)
Feb 18 11:44:55.447 CST: AAA/AUTHOR/TAC+: (4087104408): user=rtr_dweeb
Feb 18 11:44:55.447 CST: AAA/AUTHOR/TAC+: (4087104408): send AV service=shell
Feb 18 11:44:55.447 CST: AAA/AUTHOR/TAC+: (4087104408): send AV cmd=debug
Feb 18 11:44:55.447 CST: AAA/AUTHOR/TAC+: (4087104408): send AV cmd-arg=ip
Feb 18 11:44:55.447 CST: AAA/AUTHOR/TAC+: (4087104408): send AV cmd-arg=packet
Feb 18 11:44:55.447 CST: AAA/AUTHOR/TAC+: (4087104408): send AV cmd-arg=<cr>
Feb 18 11:44:55.647 CST: AAA/AUTHOR (4087104408): Post authorization status = FAIL

AAA server csuslog output:

Feb 18 11:44:55 coachella CiscoSecure: DEBUG - AUTHORIZATION request (f39c4398)
Feb 18 11:44:55 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS = 172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=debug cmd-arg=ip cmd-arg=packet cmd-arg=<cr> output: ]

5. User rtr_dweeb fails clear ip cache command.

Router debug output:

Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): Port='tty3' list='' service=CMD
Feb 18 11:45:00.483 CST: AAA/AUTHOR/CMD: tty3 (3223867754) user='rtr_dweeb'
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): send AV service=shell
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): send AV cmd=clear
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): send AV cmd-arg=ip
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): send AV cmd-arg=cache
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): send AV cmd-arg=<cr>
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): found list "default"
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): Method=tacacs+ (tacacs+)
Feb 18 11:45:00.483 CST: AAA/AUTHOR/TAC+: (3223867754): user=rtr_dweeb
Feb 18 11:45:00.483 CST: AAA/AUTHOR/TAC+: (3223867754): send AV service=shell
Feb 18 11:45:00.483 CST: AAA/AUTHOR/TAC+: (3223867754): send AV cmd=clear
Feb 18 11:45:00.483 CST: AAA/AUTHOR/TAC+: (3223867754): send AV cmd-arg=ip
Feb 18 11:45:00.483 CST: AAA/AUTHOR/TAC+: (3223867754): send AV cmd-arg=cache
Feb 18 11:45:00.483 CST: AAA/AUTHOR/TAC+: (3223867754): send AV cmd-arg=<cr>
Feb 18 11:45:00.687 CST: AAA/AUTHOR (3223867754): Post authorization status = FAIL

AAA server csuslog output:

Feb 18 11:45:00 coachella CiscoSecure: DEBUG - AUTHORIZATION request (c028516a)
Feb 18 11:45:00 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS = 172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=clear cmd-arg=ip cmd-arg=cache cmd-arg=<cr> output: ]


6. User rtr_dweeb fails reload command.

Router debug output:

Feb 18 11:45:03.911 CST: tty3 AAA/AUTHOR/CMD (410330894): Port='tty3' list='' service=CMD
Feb 18 11:45:03.911 CST: AAA/AUTHOR/CMD: tty3 (410330894) user='rtr_dweeb'
Feb 18 11:45:03.911 CST: tty3 AAA/AUTHOR/CMD (410330894): send AV service=shell
Feb 18 11:45:03.911 CST: tty3 AAA/AUTHOR/CMD (410330894): send AV cmd=reload
Feb 18 11:45:03.911 CST: tty3 AAA/AUTHOR/CMD (410330894): send AV cmd-arg=<cr>
Feb 18 11:45:03.911 CST: tty3 AAA/AUTHOR/CMD (410330894): found list "default"
Feb 18 11:45:03.911 CST: tty3 AAA/AUTHOR/CMD (410330894): Method=tacacs+ (tacacs+)
Feb 18 11:45:03.911 CST: AAA/AUTHOR/TAC+: (410330894): user=rtr_dweeb
Feb 18 11:45:03.911 CST: AAA/AUTHOR/TAC+: (410330894): send AV service=shell
Feb 18 11:45:03.911 CST: AAA/AUTHOR/TAC+: (410330894): send AV cmd=reload
Feb 18 11:45:03.911 CST: AAA/AUTHOR/TAC+: (410330894): send AV cmd-arg=<cr>
Feb 18 11:45:04.115 CST: AAA/AUTHOR (410330894): Post authorization status = FAIL

AAA server csuslog output:

Feb 18 11:45:03 coachella CiscoSecure: DEBUG - AUTHORIZATION request (1875270e)
Feb 18 11:45:03 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS = 172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=reload cmd-arg=<cr> output: ]

7. User rtr_dweeb fails show running-config command.

Router debug output:

Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): Port='tty3' list='' service=CMD
Feb 18 11:45:08.891 CST: AAA/AUTHOR/CMD: tty3 (2227741892) user='rtr_dweeb'
Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): send AV service=shell
Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): send AV cmd=show
Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): send AV cmd-arg=running-config
Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): send AV cmd-arg=<cr>
Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): found list "default"
Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): Method=tacacs+ (tacacs+)
Feb 18 11:45:08.891 CST: AAA/AUTHOR/TAC+: (2227741892): user=rtr_dweeb
Feb 18 11:45:08.891 CST: AAA/AUTHOR/TAC+: (2227741892): send AV service=shell
Feb 18 11:45:08.891 CST: AAA/AUTHOR/TAC+: (2227741892): send AV cmd=show
Feb 18 11:45:08.891 CST: AAA/AUTHOR/TAC+: (2227741892): send AV cmd-arg=running-config
Feb 18 11:45:08.891 CST: AAA/AUTHOR/TAC+: (2227741892): send AV cmd-arg=<cr>
Feb 18 11:45:09.095 CST: AAA/AUTHOR (2227741892): Post authorization status = FAIL

AAA server csuslog output:

Feb 18 11:45:08 coachella CiscoSecure: DEBUG - AUTHORIZATION request (84c8a4c4)
Feb 18 11:45:08 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS = 172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=show cmd-arg=running-config cmd-arg=<cr> output: ]


8. User rtr_dweeb fails write terminal command.

Router debug output:

Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): Port='tty3' list='' service=CMD
Feb 18 11:45:12.079 CST: AAA/AUTHOR/CMD: tty3 (2744233862) user='rtr_dweeb'
Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): send AV service=shell
Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): send AV cmd=write
Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): send AV cmd-arg=terminal
Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): send AV cmd-arg=<cr>
Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): found list "default"
Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): Method=tacacs+ (tacacs+)
Feb 18 11:45:12.079 CST: AAA/AUTHOR/TAC+: (2744233862): user=rtr_dweeb
Feb 18 11:45:12.079 CST: AAA/AUTHOR/TAC+: (2744233862): send AV service=shell
Feb 18 11:45:12.079 CST: AAA/AUTHOR/TAC+: (2744233862): send AV cmd=write
Feb 18 11:45:12.079 CST: AAA/AUTHOR/TAC+: (2744233862): send AV cmd-arg=terminal
Feb 18 11:45:12.079 CST: AAA/AUTHOR/TAC+: (2744233862): send AV cmd-arg=<cr>
Feb 18 11:45:12.279 CST: AAA/AUTHOR (2744233862): Post authorization status = FAIL

AAA server csuslog output:

Feb 18 11:45:11 coachella CiscoSecure: DEBUG - AUTHORIZATION request (a391af86)
Feb 18 11:45:11 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS = 172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=write cmd-arg=terminal cmd-arg=<cr> output: ]

9. User rtr_dweeb fails copy running-config startup-config command.

Router debug output:

Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): Port='tty3' list='' service=CMD
Feb 18 11:45:17.631 CST: AAA/AUTHOR/CMD: tty3 (1138992853) user='rtr_dweeb'
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): send AV service=shell
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): send AV cmd=copy
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): send AV cmd-arg=running-config
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): send AV cmd-arg=startup-config
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): send AV cmd-arg=<cr>
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): found list "default"
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): Method=tacacs+ (tacacs+)
Feb 18 11:45:17.631 CST: AAA/AUTHOR/TAC+: (1138992853): user=rtr_dweeb
Feb 18 11:45:17.631 CST: AAA/AUTHOR/TAC+: (1138992853): send AV service=shell
Feb 18 11:45:17.631 CST: AAA/AUTHOR/TAC+: (1138992853): send AV cmd=copy
Feb 18 11:45:17.631 CST: AAA/AUTHOR/TAC+: (1138992853): send AV cmd-arg=running-config
Feb 18 11:45:17.631 CST: AAA/AUTHOR/TAC+: (1138992853): send AV cmd-arg=startup-config
Feb 18 11:45:17.631 CST: AAA/AUTHOR/TAC+: (1138992853): send AV cmd-arg=<cr>
Feb 18 11:45:17.835 CST: AAA/AUTHOR (1138992853): Post authorization status = FAIL

AAA server csuslog output:

Feb 18 11:45:17 coachella CiscoSecure: DEBUG - AUTHORIZATION request (43e3a6d5)
Feb 18 11:45:17 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS = 172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=copy cmd-arg=running-config cmd-arg=startup-config cmd-arg=<cr> output: ]


10. User rtr_dweeb fails write memory command.

Router debug output:

Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): Port='tty3' list='' service=CMD
Feb 18 11:45:20.915 CST: AAA/AUTHOR/CMD: tty3 (1068431717) user='rtr_dweeb'
Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): send AV service=shell
Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): send AV cmd=write
Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): send AV cmd-arg=memory
Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): send AV cmd-arg=<cr>
Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): found list "default"
Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): Method=tacacs+ (tacacs+)
Feb 18 11:45:20.915 CST: AAA/AUTHOR/TAC+: (1068431717): user=rtr_dweeb
Feb 18 11:45:20.915 CST: AAA/AUTHOR/TAC+: (1068431717): send AV service=shell
Feb 18 11:45:20.915 CST: AAA/AUTHOR/TAC+: (1068431717): send AV cmd=write
Feb 18 11:45:20.915 CST: AAA/AUTHOR/TAC+: (1068431717): send AV cmd-arg=memory
Feb 18 11:45:20.915 CST: AAA/AUTHOR/TAC+: (1068431717): send AV cmd-arg=<cr>
Feb 18 11:45:21.119 CST: AAA/AUTHOR (1068431717): Post authorization status = FAIL

AAA server csuslog output:

Feb 18 11:45:20 coachella CiscoSecure: DEBUG - AUTHORIZATION request (3faef965)
Feb 18 11:45:20 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS = 172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=write cmd-arg=memory cmd-arg=<cr> output: ]

11. User rtr_dweeb fails configure terminal command.

Router debug output:

Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): Port='tty3' list='' service=CMD
Feb 18 11:45:32.399 CST: AAA/AUTHOR/CMD: tty3 (530570549) user='rtr_dweeb'
Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): send AV service=shell
Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): send AV cmd=configure
Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): send AV cmd-arg=terminal
Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): send AV cmd-arg=<cr>
Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): found list "default"
Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): Method=tacacs+ (tacacs+)
Feb 18 11:45:32.399 CST: AAA/AUTHOR/TAC+: (530570549): user=rtr_dweeb
Feb 18 11:45:32.399 CST: AAA/AUTHOR/TAC+: (530570549): send AV service=shell
Feb 18 11:45:32.399 CST: AAA/AUTHOR/TAC+: (530570549): send AV cmd=configure
Feb 18 11:45:32.399 CST: AAA/AUTHOR/TAC+: (530570549): send AV cmd-arg=terminal
Feb 18 11:45:32.399 CST: AAA/AUTHOR/TAC+: (530570549): send AV cmd-arg=<cr>
Feb 18 11:45:32.603 CST: AAA/AUTHOR (530570549): Post authorization status = FAIL

AAA server csuslog output:

Feb 18 11:45:32 coachella CiscoSecure: DEBUG - AUTHORIZATION request (1f9fdd35)
Feb 18 11:45:32 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS = 172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=configure cmd-arg=terminal cmd-arg=<cr> output: ]

C.6.2 Test Results for rtr_tech Group

Test results follow for each of the Cisco IOS commands summarized in Table 4-1, including relevant router output and AAA server log output:

1. User rtr_techie is authorized EXEC shell access.

2. User rtr_techie enters enable mode.

3. User rtr_techie is denied the debug all command.


4. User rtr_techie is permitted debug ip packet command.

5. User rtr_techie is permitted clear ip cache command.

6. User rtr_techie is denied reload command.

7. User rtr_techie is permitted show running-config command.

8. User rtr_techie is permitted write terminal command.

9. User rtr_techie is permitted copy running-config startup-config command.

10. User rtr_techie is permitted write memory command.

11. User rtr_techie is denied configure terminal command.

The following diagnostic results are presented in the order in which they are generated during the authorization process. Specific output fragments are differentiated with brief explanatory notes to help you identify relevant information.

Note: The debug command output can vary depending on the Cisco IOS version.

1. User rtr_techie is authorized EXEC shell access.

Router debug output:

Feb 18 14:27:32.388 CST: AAA/MEMORY: create_user (0x61CC44D8) user='' ruser='' port='tty3' rem_addr='172.22.53.201' authen_type=ASCII service=LOGIN priv=1
Feb 18 14:27:36.984 CST: tty3 AAA/AUTHOR/EXEC (3820424789): Port='tty3' list='' service=EXEC
Feb 18 14:27:36.984 CST: AAA/AUTHOR/EXEC: tty3 (3820424789) user='rtr_techie'
Feb 18 14:27:36.984 CST: tty3 AAA/AUTHOR/EXEC (3820424789): send AV service=shell
Feb 18 14:27:36.984 CST: tty3 AAA/AUTHOR/EXEC (3820424789): send AV cmd*
Feb 18 14:27:36.984 CST: tty3 AAA/AUTHOR/EXEC (3820424789): found list "default"
Feb 18 14:27:36.984 CST: tty3 AAA/AUTHOR/EXEC (3820424789): Method=tacacs+ (tacacs+)
Feb 18 14:27:36.984 CST: AAA/AUTHOR/TAC+: (3820424789): user=rtr_techie
Feb 18 14:27:36.984 CST: AAA/AUTHOR/TAC+: (3820424789): send AV service=shell
Feb 18 14:27:36.984 CST: AAA/AUTHOR/TAC+: (3820424789): send AV cmd*
Feb 18 14:27:37.184 CST: AAA/AUTHOR (3820424789): Post authorization status = PASS_ADD
Feb 18 14:27:37.184 CST: AAA/AUTHOR/EXEC: Authorization successful

AAA server csuslog output:

Feb 18 14:27:36 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.255.3, Port = tty3, User = rtr_techie, Priv = 1]
Feb 18 14:27:36 coachella CiscoSecure: DEBUG -
Feb 18 14:27:36 coachella CiscoSecure: DEBUG - AUTHORIZATION request (e3b70e55)
Feb 18 14:27:36 coachella CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd* output: ]

2. User rtr_techie enters enable mode.

Router debug output:

Feb 18 14:27:39.776 CST: AAA/MEMORY: free_user (0x61F5DEC0) user='' ruser='' port='tty3' rem_addr='172.22.53.201' authen_type=ASCII service=ENABLE priv=15

3. User rtr_techie is denied the debug all command.

Router debug output:

Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): Port='tty3' list='' service=CMD
Feb 18 14:27:43.976 CST: AAA/AUTHOR/CMD: tty3 (438698848) user='rtr_techie'
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): send AV service=shell
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): send AV cmd=debug
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): send AV cmd-arg=all
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): send AV cmd-arg=<cr>
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): found list "default"
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): Method=tacacs+ (tacacs+)
Feb 18 14:27:43.976 CST: AAA/AUTHOR/TAC+: (438698848): user=rtr_techie
Feb 18 14:27:43.980 CST: AAA/AUTHOR/TAC+: (438698848): send AV service=shell
Feb 18 14:27:43.980 CST: AAA/AUTHOR/TAC+: (438698848): send AV cmd=debug
Feb 18 14:27:43.980 CST: AAA/AUTHOR/TAC+: (438698848): send AV cmd-arg=all
Feb 18 14:27:43.980 CST: AAA/AUTHOR/TAC+: (438698848): send AV cmd-arg=<cr>
Feb 18 14:27:44.180 CST: AAA/AUTHOR (438698848): Post authorization status = FAIL

AAA server csuslog output:

Feb 18 14:27:43 coachella CiscoSecure: DEBUG - AUTHORIZATION request (1a260360)
Feb 18 14:27:43 coachella CiscoSecure: DEBUG - Authorization - Failed command line; [NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=debug cmd-arg=all cmd-arg=<cr> output: ]

4. User rtr_techie is permitted debug ip packet command.

Router debug output:

Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): Port='tty3' list='' service=CMD
Feb 18 14:27:47.668 CST: AAA/AUTHOR/CMD: tty3 (3962222355) user='rtr_techie'
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV service=shell
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV cmd=debug
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV cmd-arg=ip
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV cmd-arg=packet
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV cmd-arg=<cr>
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): found list "default"
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): Method=tacacs+ (tacacs+)
Feb 18 14:27:47.668 CST: AAA/AUTHOR/TAC+: (3962222355): user=rtr_techie
Feb 18 14:27:47.668 CST: AAA/AUTHOR/TAC+: (3962222355): send AV service=shell
Feb 18 14:27:47.668 CST: AAA/AUTHOR/TAC+: (3962222355): send AV cmd=debug
Feb 18 14:27:47.668 CST: AAA/AUTHOR/TAC+: (3962222355): send AV cmd-arg=ip
Feb 18 14:27:47.668 CST: AAA/AUTHOR/TAC+: (3962222355): send AV cmd-arg=packet
Feb 18 14:27:47.668 CST: AAA/AUTHOR/TAC+: (3962222355): send AV cmd-arg=<cr>
Feb 18 14:27:47.872 CST: AAA/AUTHOR (3962222355): Post authorization status = PASS_ADD

AAA server csuslog output:

Feb 18 14:27:47 coachella CiscoSecure: DEBUG - AUTHORIZATION request (ec2ab713)
Feb 18 14:27:47 coachella CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=debug cmd-arg=ip cmd-arg=packet cmd-arg=<cr> output: ]


5. User rtr_techie is permitted clear ip cache command.

Router debug output:

Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): Port='tty3' list='' service=CMD
Feb 18 14:27:51.760 CST: AAA/AUTHOR/CMD: tty3 (1013999614) user='rtr_techie'
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): send AV service=shell
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): send AV cmd=clear
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): send AV cmd-arg=ip
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): send AV cmd-arg=cache
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): send AV cmd-arg=<cr>
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): found list "default"
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): Method=tacacs+ (tacacs+)
Feb 18 14:27:51.760 CST: AAA/AUTHOR/TAC+: (1013999614): user=rtr_techie
Feb 18 14:27:51.760 CST: AAA/AUTHOR/TAC+: (1013999614): send AV service=shell
Feb 18 14:27:51.760 CST: AAA/AUTHOR/TAC+: (1013999614): send AV cmd=clear
Feb 18 14:27:51.760 CST: AAA/AUTHOR/TAC+: (1013999614): send AV cmd-arg=ip
Feb 18 14:27:51.760 CST: AAA/AUTHOR/TAC+: (1013999614): send AV cmd-arg=cache
Feb 18 14:27:51.760 CST: AAA/AUTHOR/TAC+: (1013999614): send AV cmd-arg=<cr>
Feb 18 14:27:51.964 CST: AAA/AUTHOR (1013999614): Post authorization status = PASS_ADD

AAA server csuslog output:

Feb 18 14:27:51 coachella CiscoSecure: DEBUG - AUTHORIZATION request (3c7067fe)
Feb 18 14:27:51 coachella CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=clear cmd-arg=ip cmd-arg=cache cmd-arg=<cr> output: ]

6. User rtr_techie is denied reload command.

Router debug output:

Feb 18 14:27:54.548 CST: tty3 AAA/AUTHOR/CMD (2672654626): Port='tty3' list='' service=CMD
Feb 18 14:27:54.548 CST: AAA/AUTHOR/CMD: tty3 (2672654626) user='rtr_techie'
Feb 18 14:27:54.548 CST: tty3 AAA/AUTHOR/CMD (2672654626): send AV service=shell
Feb 18 14:27:54.548 CST: tty3 AAA/AUTHOR/CMD (2672654626): send AV cmd=reload
Feb 18 14:27:54.548 CST: tty3 AAA/AUTHOR/CMD (2672654626): send AV cmd-arg=<cr>
Feb 18 14:27:54.548 CST: tty3 AAA/AUTHOR/CMD (2672654626): found list "default"
Feb 18 14:27:54.548 CST: tty3 AAA/AUTHOR/CMD (2672654626): Method=tacacs+ (tacacs+)
Feb 18 14:27:54.548 CST: AAA/AUTHOR/TAC+: (2672654626): user=rtr_techie
Feb 18 14:27:54.548 CST: AAA/AUTHOR/TAC+: (2672654626): send AV service=shell
Feb 18 14:27:54.548 CST: AAA/AUTHOR/TAC+: (2672654626): send AV cmd=reload
Feb 18 14:27:54.548 CST: AAA/AUTHOR/TAC+: (2672654626): send AV cmd-arg=<cr>
Feb 18 14:27:54.752 CST: AAA/AUTHOR (2672654626): Post authorization status = FAIL

AAA server csuslog output:

Feb 18 14:27:54 coachella CiscoSecure: DEBUG - AUTHORIZATION request (9f4d7922)
Feb 18 14:27:54 coachella CiscoSecure: DEBUG - Authorization - Failed command line; [NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=reload cmd-arg=<cr> output: ]


7. User rtr_techie is permitted show running-config command.

Router debug output:

Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): Port='tty3' list='' service=CMD
Feb 18 14:27:57.576 CST: AAA/AUTHOR/CMD: tty3 (3919120170) user='rtr_techie'
Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): send AV service=shell
Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): send AV cmd=show
Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): send AV cmd-arg=running-config
Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): send AV cmd-arg=<cr>
Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): found list "default"
Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): Method=tacacs+ (tacacs+)
Feb 18 14:27:57.576 CST: AAA/AUTHOR/TAC+: (3919120170): user=rtr_techie
Feb 18 14:27:57.576 CST: AAA/AUTHOR/TAC+: (3919120170): send AV service=shell
Feb 18 14:27:57.576 CST: AAA/AUTHOR/TAC+: (3919120170): send AV cmd=show
Feb 18 14:27:57.576 CST: AAA/AUTHOR/TAC+: (3919120170): send AV cmd-arg=running-config
Feb 18 14:27:57.576 CST: AAA/AUTHOR/TAC+: (3919120170): send AV cmd-arg=<cr>
Feb 18 14:27:57.780 CST: AAA/AUTHOR (3919120170): Post authorization status = PASS_ADD

AAA server csuslog output:

Feb 18 14:27:57 coachella CiscoSecure: DEBUG - AUTHORIZATION request (e999072a)
Feb 18 14:27:57 coachella CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=show cmd-arg=running-config cmd-arg=<cr> output: ]

8. User rtr_techie is permitted write terminal command.

Router debug output:

Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): Port='tty3' list='' service=CMD
Feb 18 14:28:00.825 CST: AAA/AUTHOR/CMD: tty3 (1409504713) user='rtr_techie'
Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): send AV service=shell
Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): send AV cmd=write
Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): send AV cmd-arg=terminal
Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): send AV cmd-arg=<cr>
Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): found list "default"
Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): Method=tacacs+ (tacacs+)
Feb 18 14:28:00.825 CST: AAA/AUTHOR/TAC+: (1409504713): user=rtr_techie
Feb 18 14:28:00.825 CST: AAA/AUTHOR/TAC+: (1409504713): send AV service=shell
Feb 18 14:28:00.825 CST: AAA/AUTHOR/TAC+: (1409504713): send AV cmd=write
Feb 18 14:28:00.825 CST: AAA/AUTHOR/TAC+: (1409504713): send AV cmd-arg=terminal
Feb 18 14:28:00.825 CST: AAA/AUTHOR/TAC+: (1409504713): send AV cmd-arg=<cr>
Feb 18 14:28:01.025 CST: AAA/AUTHOR (1409504713): Post authorization status = PASS_ADD

AAA server csuslog output:

Feb 18 14:28:00 coachella CiscoSecure: DEBUG - AUTHORIZATION request (540355c9)
Feb 18 14:28:00 coachella CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=write cmd-arg=terminal cmd-arg=<cr> output: ]


9. User rtr_techie is permitted copy running-config startup-config command.

Router debug output:

Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): Port='tty3' list='' service=CMD
Feb 18 14:28:05.269 CST: AAA/AUTHOR/CMD: tty3 (4281070087) user='rtr_techie'
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): send AV service=shell
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): send AV cmd=copy
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): send AV cmd-arg=running-config
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): send AV cmd-arg=startup-config
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): send AV cmd-arg=<cr>
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): found list "default"
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): Method=tacacs+ (tacacs+)
Feb 18 14:28:05.269 CST: AAA/AUTHOR/TAC+: (4281070087): user=rtr_techie
Feb 18 14:28:05.269 CST: AAA/AUTHOR/TAC+: (4281070087): send AV service=shell
Feb 18 14:28:05.269 CST: AAA/AUTHOR/TAC+: (4281070087): send AV cmd=copy
Feb 18 14:28:05.269 CST: AAA/AUTHOR/TAC+: (4281070087): send AV cmd-arg=running-config
Feb 18 14:28:05.269 CST: AAA/AUTHOR/TAC+: (4281070087): send AV cmd-arg=startup-config
Feb 18 14:28:05.269 CST: AAA/AUTHOR/TAC+: (4281070087): send AV cmd-arg=<cr>
Feb 18 14:28:05.473 CST: AAA/AUTHOR (4281070087): Post authorization status = PASS_ADD

AAA server csuslog output:

Feb 18 14:28:05 coachella CiscoSecure: DEBUG - AUTHORIZATION request (ff2bf207)
Feb 18 14:28:05 coachella CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=copy cmd-arg=running-config cmd-arg=startup-config cmd-arg=<cr> output: ]

10. User rtr_techie is permitted write memory command.

Router debug output:

Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): Port='tty3' list='' service=CMD
Feb 18 14:28:08.121 CST: AAA/AUTHOR/CMD: tty3 (192752980) user='rtr_techie'
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): send AV service=shell
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): send AV cmd=write
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): send AV cmd-arg=memory
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): send AV cmd-arg=<cr>
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): found list "default"
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): Method=tacacs+ (tacacs+)
Feb 18 14:28:08.121 CST: AAA/AUTHOR/TAC+: (192752980): user=rtr_techie
Feb 18 14:28:08.121 CST: AAA/AUTHOR/TAC+: (192752980): send AV service=shell
Feb 18 14:28:08.121 CST: AAA/AUTHOR/TAC+: (192752980): send AV cmd=write
Feb 18 14:28:08.121 CST: AAA/AUTHOR/TAC+: (192752980): send AV cmd-arg=memory
Feb 18 14:28:08.121 CST: AAA/AUTHOR/TAC+: (192752980): send AV cmd-arg=<cr>
Feb 18 14:28:08.325 CST: AAA/AUTHOR (192752980): Post authorization status = PASS_ADD

AAA server csuslog output:

Feb 18 14:28:08 coachella CiscoSecure: DEBUG - AUTHORIZATION request (b7d2d54)
Feb 18 14:28:08 coachella CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=write cmd-arg=memory cmd-arg=<cr> output: ]


11. User rtr_techie is denied configure terminal command.

Router debug output:

Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): Port='tty3' list='' service=CMD
Feb 18 14:28:11.621 CST: AAA/AUTHOR/CMD: tty3 (3042655042) user='rtr_techie'
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): send AV service=shell
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): send AV cmd=configure
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): send AV cmd-arg=terminal
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): send AV cmd-arg=<cr>
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): found list "default"
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): Method=tacacs+ (tacacs+)
Feb 18 14:28:11.621 CST: AAA/AUTHOR/TAC+: (3042655042): user=rtr_techie
Feb 18 14:28:11.621 CST: AAA/AUTHOR/TAC+: (3042655042): send AV service=shell
Feb 18 14:28:11.621 CST: AAA/AUTHOR/TAC+: (3042655042): send AV cmd=configure
Feb 18 14:28:11.621 CST: AAA/AUTHOR/TAC+: (3042655042): send AV cmd-arg=terminal
Feb 18 14:28:11.621 CST: AAA/AUTHOR/TAC+: (3042655042): send AV cmd-arg=<cr>
Feb 18 14:28:11.825 CST: AAA/AUTHOR (3042655042): Post authorization status = FAIL

AAA server csuslog output:

Feb 18 14:28:11 coachella CiscoSecure: DEBUG - AUTHORIZATION request (b55b3b42)
Feb 18 14:28:11 coachella CiscoSecure: DEBUG - Authorization - Failed command line; [NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=configure cmd-arg=terminal cmd-arg=<cr> output: ]

C.6.3 Test Results for rtr_super Group

Test results follow for each of the Cisco IOS commands summarized in Table 4-1, including relevant router output and AAA server log output:

1. User rtr_geek is authorized EXEC shell access.

2. User rtr_geek enters enable mode.

3. User rtr_geek is denied debug all command.

4. User rtr_geek is permitted debug ip packet command.

5. User rtr_geek is permitted reload command.

6. User rtr_geek is permitted show running-config command.

7. User rtr_geek is permitted write terminal command.

8. User rtr_geek is permitted copy running-config startup-config command.

9. User rtr_geek is permitted write memory command.

10. User rtr_geek is permitted configure terminal command.

The following diagnostic results are presented in the order in which they are generated during the authorization process. Specific output fragments are differentiated with brief explanatory notes to help you identify relevant information.
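The test lists for the rtr_tech group (C.6.2) and the rtr_super group (C.6.3) above, together with the traces that follow them, amount to a verification matrix: for every command the NAS sends service=shell, cmd and cmd-arg AV pairs, and its Post authorization status must agree both with the server's "Request authorized" or "Failed command" line and with the policy in Table 4-1. The following Python script is an added example, not part of the Cisco case study: it reconstructs each command from the router's AAA/AUTHOR/CMD lines, parses the csuslog entries, and reports any disagreement between router, server and the expected per-group decision. The sample log lines are constructed from the appendix output; the EXPECTED table is transcribed from the test lists (rtr_geek's list does not mention clear ip cache, so that command is omitted for that user); and joining the two logs on (user, command) is an assumption of this example, since the router's request id does not appear in the server log.

```python
"""Reconcile the TACACS+ command-authorization decisions the router logs
(debug aaa authorization) with the CiscoSecure csuslog entries and with the
per-group policy the case study expects. Added example, not Cisco's code."""
import re

# Constructed sample (modelled on the appendix): two rtr_techie requests as the
# NAS logs them. AAA/AUTHOR/TAC+ lines repeat the AV pairs and are ignored.
NAS_DEBUG = """\
Feb 18 14:27:43.976 CST: AAA/AUTHOR/CMD: tty3 (438698848) user='rtr_techie'
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): send AV cmd=debug
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): send AV cmd-arg=all
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): send AV cmd-arg=<cr>
Feb 18 14:27:43.980 CST: AAA/AUTHOR/TAC+: (438698848): send AV cmd=debug
Feb 18 14:27:44.180 CST: AAA/AUTHOR (438698848): Post authorization status = FAIL
Feb 18 14:27:47.668 CST: AAA/AUTHOR/CMD: tty3 (3962222355) user='rtr_techie'
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV cmd=debug
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV cmd-arg=ip
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV cmd-arg=packet
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV cmd-arg=<cr>
Feb 18 14:27:47.872 CST: AAA/AUTHOR (3962222355): Post authorization status = PASS_ADD
"""
# Constructed sample: the matching server-side csuslog entries.
CSUSLOG = """\
Feb 18 14:27:43 coachella CiscoSecure: DEBUG - Authorization - Failed command line; [NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=debug cmd-arg=all cmd-arg=<cr> output: ]
Feb 18 14:27:47 coachella CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=debug cmd-arg=ip cmd-arg=packet cmd-arg=<cr> output: ]
"""
# Decisions the C.6 test lists expect per user (rtr_geek's list has no clear ip cache).
CMDS = ("debug all", "debug ip packet", "clear ip cache", "reload", "show running-config",
        "write terminal", "copy running-config startup-config", "write memory", "configure terminal")

def _policy(cmds, denied):
    return {c: "denied" if c in denied else "permitted" for c in cmds}

EXPECTED = {
    "rtr_dweeb": _policy(CMDS, set(CMDS)),
    "rtr_techie": _policy(CMDS, {"debug all", "reload", "configure terminal"}),
    "rtr_geek": _policy([c for c in CMDS if c != "clear ip cache"], {"debug all"}),
}

_NAS_USER = re.compile(r"AAA/AUTHOR/CMD: \S+ \((\d+)\) user='([^']*)'")
_NAS_AV = re.compile(r"AAA/AUTHOR/CMD \((\d+)\): send AV cmd(?:-arg)?=(\S+)")
_NAS_STATUS = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\S+)")
_SRV = re.compile(r"Authorization - (Request authorized|Failed command(?: line)?); "
                  r"\[NAS = ([^,]+), user = ([^,]+), port = ([^,]+), input: (.*?) output:")

def _join(av):
    # av holds the cmd value followed by each cmd-arg value; <cr> only marks end of line
    return " ".join(a for a in av if a != "<cr>")

def parse_nas_debug(text):
    """Group the router's AAA/AUTHOR/CMD lines by request id into one event each."""
    reqs = {}  # request id -> partial event, kept in first-seen order
    for line in text.splitlines():
        if m := _NAS_USER.search(line):
            reqs.setdefault(m[1], {"req_id": m[1], "av": []})["user"] = m[2]
        elif m := _NAS_AV.search(line):  # cmd is sent first, then each cmd-arg
            reqs.setdefault(m[1], {"req_id": m[1], "av": []})["av"].append(m[2])
        elif m := _NAS_STATUS.search(line):
            reqs.setdefault(m[1], {"req_id": m[1], "av": []})["status"] = m[2]
    return [{"req_id": r["req_id"], "user": r.get("user"), "status": r.get("status"),
             "command": _join(r["av"])} for r in reqs.values() if r["av"]]

def parse_csuslog(text):
    """Extract user, command and decision from CiscoSecure authorization lines."""
    events = []
    for line in text.splitlines():
        if not (m := _SRV.search(line)):
            continue
        pairs = [tok.partition("=") for tok in m[5].split()]
        av = [v for k, _, v in pairs if k in ("cmd", "cmd-arg")]
        if av:  # 'cmd*' (EXEC shell start) carries no command line and is skipped
            events.append({"nas": m[2], "user": m[3], "port": m[4], "command": _join(av),
                           "decision": "permitted" if m[1] == "Request authorized" else "denied"})
    return events

def reconcile(nas_events, server_events, expected):
    """Return discrepancies between NAS log, server log and expected policy ([] = all agree)."""
    findings = []
    pending = {}  # (user, command) -> unmatched server decisions, in log order
    for e in server_events:
        pending.setdefault((e["user"], e["command"]), []).append(e["decision"])
    for ev in nas_events:
        key = (ev["user"], ev["command"])
        seen = "permitted" if (ev["status"] or "").startswith("PASS") else "denied"
        queue = pending.get(key)
        if not queue:
            findings.append(f"{key}: no server record for NAS request {ev['req_id']}")
        elif queue.pop(0) != seen:
            findings.append(f"{key}: NAS logged {seen} but the server log disagrees")
        want = expected.get(ev["user"], {}).get(ev["command"])
        if want is None:
            findings.append(f"{key}: not in the expected policy table")
        elif want != seen:
            findings.append(f"{key}: policy expects {want}, observed {seen}")
    return findings

def run_check():
    return reconcile(parse_nas_debug(NAS_DEBUG), parse_csuslog(CSUSLOG), EXPECTED)

if __name__ == "__main__":
    print("\n".join(run_check() or ["NAS debug, csuslog and expected policy agree"]))
```

Run as a script it checks the embedded samples; fed a complete debug aaa authorization capture and the corresponding csuslog file it turns the page-by-page comparison in this appendix into a single pass. A "no server record" finding points at a request the router decided without the server (for example a fallback method in the list), and a "policy expects ... observed ..." finding is the regression to look for after a group profile is edited.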

C-20Cisco AAA Implementation Case Study

Page 173: Cisco AAA Implementation Case Study - · PDF fileCisco AAA Implementation Case Study OL-0397-01 1.8.2 Authorization ... A.3 NAS AAA Command ... Authentication and Authorization Session

Appendix C Server-Based AAA Verification Diagnostic Output, C.6 Server-Based TACACS+ Router Authorization Diagnostics

Note The debug command output can vary depending on Cisco IOS versions.

1. User rtr_geek is authorized EXEC shell access.

Router debug output:

Feb 22 15:26:16.322 CST: AAA/AUTHOR/TAC+: (424410682): user=rtr_geek
Feb 22 15:26:16.322 CST: AAA/AUTHOR/TAC+: (424410682): send AV service=shell
Feb 22 15:26:16.322 CST: AAA/AUTHOR/TAC+: (424410682): send AV cmd*
Feb 22 15:26:16.822 CST: AAA/AUTHOR (424410682): Post authorization status = PASS_ADD
Feb 22 15:26:16.822 CST: AAA/AUTHOR/EXEC: Authorization successful
Feb 22 15:26:16.822 CST: AAA/ACCT/EXEC/START User rtr_geek, port tty3
Feb 22 15:26:16.822 CST: AAA/ACCT/EXEC: Found list "default"
Feb 22 15:26:16.822 CST: AAA/ACCT/EXEC/START User rtr_geek, Port tty3, task_id=310 start_time=951254776 timezone=CST service=shell
Feb 22 15:26:16.822 CST: AAA/ACCT: user rtr_geek, acct type 0 (2751112696): Method=tacacs+ (tacacs+)
Feb 22 15:26:17.022 CST: TAC+: (2751112696): received acct response status = SUCCESS

AAA server csuslog output:

Feb 22 15:26:16 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.255.3, Port = tty3, User = rtr_geek, Priv = 1]
Feb 22 15:26:16 coachella CiscoSecure: DEBUG -
Feb 22 15:26:16 coachella CiscoSecure: INFO - Profile: user = rtr_geek {
Feb 22 15:26:16 coachella set server current-failed-logins = 0
Feb 22 15:26:16 coachella profile_cycle = 2
Feb 22 15:26:16 coachella }
Feb 22 15:26:16 coachella CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd* output: ]

2. User rtr_geek enters enable mode.

Router debug output:

Feb 22 15:26:22.562 CST: AAA/MEMORY: free_user (0x61F55834) user='' ruser='' port='tty3' rem_addr='172.22.53.201' authen_type=ASCII service=ENABLE priv=15
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): Port='tty3' list='' service=CMD

3. User rtr_geek is denied debug all command.

Router debug output:

Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): Port='tty3' list='' service=CMD
Feb 22 15:26:46.502 CST: AAA/AUTHOR/CMD: tty3 (32101230) user='rtr_geek'
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): send AV service=shell
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): send AV cmd=debug
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): send AV cmd-arg=all
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): send AV cmd-arg=<cr>
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): found list "default"
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): Method=tacacs+ (tacacs+)
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): user=rtr_geek
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): send AV service=shell
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): send AV cmd=debug
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): send AV cmd-arg=all
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): send AV cmd-arg=<cr>
Feb 22 15:26:46.702 CST: AAA/AUTHOR (32101230): Post authorization status = FAIL
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): Port='tty3' list='' service=CMD


AAA server csuslog output:

Feb 22 15:26:46 coachella CiscoSecure: DEBUG - AUTHORIZATION request (1e9d36e)
Feb 22 15:26:46 coachella CiscoSecure: DEBUG - Authorization - Failed command line; [NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=debug cmd-arg=all cmd-arg=<cr> output: ]

4. User rtr_geek is permitted debug ip packet command.

Router debug output:

Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): Port='tty3' list='' service=CMD
Feb 22 15:26:53.378 CST: AAA/AUTHOR/CMD: tty3 (1642620731) user='rtr_geek'
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): send AV service=shell
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): send AV cmd=debug
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): send AV cmd-arg=ip
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): send AV cmd-arg=packet
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): send AV cmd-arg=<cr>
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): found list "default"
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): Method=tacacs+ (tacacs+)
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): user=rtr_geek
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): send AV service=shell
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): send AV cmd=debug
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): send AV cmd-arg=ip
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): send AV cmd-arg=packet
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): send AV cmd-arg=<cr>
Feb 22 15:26:53.578 CST: AAA/AUTHOR (1642620731): Post authorization status = PASS_ADD

AAA server csuslog output:

Feb 22 15:26:53 coachella CiscoSecure: DEBUG - AUTHORIZATION request (61e8673b)
Feb 22 15:26:53 coachella CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=debug cmd-arg=ip cmd-arg=packet cmd-arg=<cr> output: ]

5. User rtr_geek is permitted reload command.

Note Be sure to save your running configuration by using the appropriate write or copy running-config command before using the reload command.

Router debug output:

Feb 22 15:27:16.667 CST: tty3 AAA/AUTHOR/CMD (3461622395): Port='tty3' list='' service=CMD
Feb 22 15:27:16.667 CST: AAA/AUTHOR/CMD: tty3 (3461622395) user='rtr_geek'
Feb 22 15:27:16.667 CST: tty3 AAA/AUTHOR/CMD (3461622395): send AV service=shell
Feb 22 15:27:16.667 CST: tty3 AAA/AUTHOR/CMD (3461622395): send AV cmd=reload
Feb 22 15:27:16.667 CST: tty3 AAA/AUTHOR/CMD (3461622395): send AV cmd-arg=<cr>
Feb 22 15:27:16.667 CST: tty3 AAA/AUTHOR/CMD (3461622395): found list "default"
Feb 22 15:27:16.667 CST: tty3 AAA/AUTHOR/CMD (3461622395): Method=tacacs+ (tacacs+)
Feb 22 15:27:16.667 CST: AAA/AUTHOR/TAC+: (3461622395): user=rtr_geek
Feb 22 15:27:16.667 CST: AAA/AUTHOR/TAC+: (3461622395): send AV service=shell
Feb 22 15:27:16.667 CST: AAA/AUTHOR/TAC+: (3461622395): send AV cmd=reload
Feb 22 15:27:16.667 CST: AAA/AUTHOR/TAC+: (3461622395): send AV cmd-arg=<cr>
Feb 22 15:27:16.867 CST: AAA/AUTHOR (3461622395): Post authorization status = PASS_ADD


AAA server csuslog output:

Feb 22 15:27:16 coachella CiscoSecure: DEBUG - AUTHORIZATION request (ce542a7b)
Feb 22 15:27:16 coachella CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=reload cmd-arg=<cr> output: ]

6. User rtr_geek is permitted show running-config command.

Router debug output:

Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): Port='tty3' list='' service=CMD
Feb 22 15:27:34.455 CST: AAA/AUTHOR/CMD: tty3 (150984379) user='rtr_geek'
Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): send AV service=shell
Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): send AV cmd=show
Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): send AV cmd-arg=running-config
Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): send AV cmd-arg=<cr>
Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): found list "default"
Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): Method=tacacs+ (tacacs+)
Feb 22 15:27:34.455 CST: AAA/AUTHOR/TAC+: (150984379): user=rtr_geek
Feb 22 15:27:34.455 CST: AAA/AUTHOR/TAC+: (150984379): send AV service=shell
Feb 22 15:27:34.455 CST: AAA/AUTHOR/TAC+: (150984379): send AV cmd=show
Feb 22 15:27:34.455 CST: AAA/AUTHOR/TAC+: (150984379): send AV cmd-arg=running-config
Feb 22 15:27:34.455 CST: AAA/AUTHOR/TAC+: (150984379): send AV cmd-arg=<cr>
Feb 22 15:27:34.655 CST: AAA/AUTHOR (150984379): Post authorization status = PASS_ADD

AAA server csuslog output:

Feb 22 15:27:34 coachella CiscoSecure: DEBUG - AUTHORIZATION request (8ffd6bb)
Feb 22 15:27:34 coachella CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=show cmd-arg=running-config cmd-arg=<cr> output: ]

7. User rtr_geek is permitted write terminal command.

Router debug output:

Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): Port='tty3' list='' service=CMD
Feb 22 15:27:39.871 CST: AAA/AUTHOR/CMD: tty3 (3013136481) user='rtr_geek'
Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): send AV service=shell
Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): send AV cmd=write
Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): send AV cmd-arg=terminal
Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): send AV cmd-arg=<cr>
Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): found list "default"
Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): Method=tacacs+ (tacacs+)
Feb 22 15:27:39.871 CST: AAA/AUTHOR/TAC+: (3013136481): user=rtr_geek
Feb 22 15:27:39.871 CST: AAA/AUTHOR/TAC+: (3013136481): send AV service=shell
Feb 22 15:27:39.871 CST: AAA/AUTHOR/TAC+: (3013136481): send AV cmd=write
Feb 22 15:27:39.871 CST: AAA/AUTHOR/TAC+: (3013136481): send AV cmd-arg=terminal
Feb 22 15:27:39.871 CST: AAA/AUTHOR/TAC+: (3013136481): send AV cmd-arg=<cr>
Feb 22 15:27:40.075 CST: AAA/AUTHOR (3013136481): Post authorization status = PASS_ADD

AAA server csuslog output:

Feb 22 15:27:39 coachella CiscoSecure: DEBUG - AUTHORIZATION request (b398d061)
Feb 22 15:27:39 coachella CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=write cmd-arg=terminal cmd-arg=<cr> output: ]


8. User rtr_geek is permitted copy running-config startup-config command.

Router debug output:

Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): Port='tty3' list='' service=CMD
Feb 22 15:27:44.755 CST: AAA/AUTHOR/CMD: tty3 (2463024765) user='rtr_geek'
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): send AV service=shell
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): send AV cmd=copy
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): send AV cmd-arg=running-config
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): send AV cmd-arg=startup-config
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): send AV cmd-arg=<cr>
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): found list "default"
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): Method=tacacs+ (tacacs+)
Feb 22 15:27:44.755 CST: AAA/AUTHOR/TAC+: (2463024765): user=rtr_geek
Feb 22 15:27:44.755 CST: AAA/AUTHOR/TAC+: (2463024765): send AV service=shell
Feb 22 15:27:44.755 CST: AAA/AUTHOR/TAC+: (2463024765): send AV cmd=copy
Feb 22 15:27:44.755 CST: AAA/AUTHOR/TAC+: (2463024765): send AV cmd-arg=running-config
Feb 22 15:27:44.755 CST: AAA/AUTHOR/TAC+: (2463024765): send AV cmd-arg=startup-config
Feb 22 15:27:44.755 CST: AAA/AUTHOR/TAC+: (2463024765): send AV cmd-arg=<cr>
Feb 22 15:27:44.959 CST: AAA/AUTHOR (2463024765): Post authorization status = PASS_ADD

AAA server csuslog output:

Feb 22 15:27:44 coachella CiscoSecure: DEBUG - AUTHORIZATION request (92cec67d)
Feb 22 15:27:44 coachella CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=copy cmd-arg=running-config cmd-arg=startup-config cmd-arg=<cr> output: ]

9. User rtr_geek is permitted write memory command.

Router debug output:

Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): Port='tty3' list='' service=CMD
Feb 22 15:27:52.351 CST: AAA/AUTHOR/CMD: tty3 (3171189379) user='rtr_geek'
Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): send AV service=shell
Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): send AV cmd=write
Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): send AV cmd-arg=memory
Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): send AV cmd-arg=<cr>
Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): found list "default"
Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): Method=tacacs+ (tacacs+)
Feb 22 15:27:52.351 CST: AAA/AUTHOR/TAC+: (3171189379): user=rtr_geek
Feb 22 15:27:52.351 CST: AAA/AUTHOR/TAC+: (3171189379): send AV service=shell
Feb 22 15:27:52.351 CST: AAA/AUTHOR/TAC+: (3171189379): send AV cmd=write
Feb 22 15:27:52.351 CST: AAA/AUTHOR/TAC+: (3171189379): send AV cmd-arg=memory
Feb 22 15:27:52.351 CST: AAA/AUTHOR/TAC+: (3171189379): send AV cmd-arg=<cr>
Feb 22 15:27:52.555 CST: AAA/AUTHOR (3171189379): Post authorization status = PASS_ADD

AAA server csuslog output:

Feb 22 15:27:52 coachella CiscoSecure: DEBUG - AUTHORIZATION request (bd048283)
Feb 22 15:27:52 coachella CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=write cmd-arg=memory cmd-arg=<cr> output: ]


10. User rtr_geek is permitted configure terminal command.

Router debug output:

Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): Port='tty3' list='' service=CMD
Feb 22 15:27:56.039 CST: AAA/AUTHOR/CMD: tty3 (4076778320) user='rtr_geek'
Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): send AV service=shell
Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): send AV cmd=configure
Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): send AV cmd-arg=terminal
Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): send AV cmd-arg=<cr>
Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): found list "default"
Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): Method=tacacs+ (tacacs+)
Feb 22 15:27:56.039 CST: AAA/AUTHOR/TAC+: (4076778320): user=rtr_geek
Feb 22 15:27:56.039 CST: AAA/AUTHOR/TAC+: (4076778320): send AV service=shell
Feb 22 15:27:56.039 CST: AAA/AUTHOR/TAC+: (4076778320): send AV cmd=configure
Feb 22 15:27:56.039 CST: AAA/AUTHOR/TAC+: (4076778320): send AV cmd-arg=terminal
Feb 22 15:27:56.039 CST: AAA/AUTHOR/TAC+: (4076778320): send AV cmd-arg=<cr>
Feb 22 15:27:56.239 CST: AAA/AUTHOR (4076778320): Post authorization status = PASS_ADD

AAA server csuslog output:

Feb 22 15:27:56 coachella CiscoSecure: DEBUG - AUTHORIZATION request (f2feb350)
Feb 22 15:27:56 coachella CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=configure cmd-arg=terminal cmd-arg=<cr> output: ]
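Every test above follows the same shape: the router groups a request's lines under one numeric id, sends the typed command to the server as cmd= and cmd-arg= attribute-value pairs, and records the verdict in a "Post authorization status" line, while csuslog records the same request as "Request authorized" or "Failed command line". The following Python script is an added example and is not code from the Cisco case study; it turns both outputs into per-request records, lists the denied commands per user, and checks that each router decision has a matching server record. Its sample lines are constructed after the ones in this appendix (request ids and timestamps are illustrative), and it assumes the line formats shown here, which vary by Cisco IOS version.

```python
"""Added example (not from the Cisco case study): parse the router 'debug aaa
authorization' lines and the CiscoSecure csuslog lines into per-request records,
list denied commands per user, and cross-check router decisions against the server log."""
import re

REQ_ID = re.compile(r"\((\d+)\)")                  # id the router uses to tie a request's lines together
RTR_USER = re.compile(r"user='?([^'\s]+)'?\s*$")
RTR_AV = re.compile(r"send AV (\S+?)=(.+)$")       # one attribute-value pair per line
RTR_STATUS = re.compile(r"Post authorization status = (\S+)")
# csuslog: "Authorization - <result>; [NAS = .., user = .., port = .., input: <AVs> output: <AVs>]"
CSU_RESULT = re.compile(
    r"Authorization - (?P<result>[^;]+); \[NAS = (?P<nas>[^,]+), user = (?P<user>[^,]+), "
    r"port = (?P<port>[^,]+), input: (?P<input>.*?) output: (?P<output>.*?)\]\s*$")

# Constructed sample input modelled on the appendix output (ids and times are illustrative).
ROUTER_DEBUG = """\
Feb 22 15:26:16.322 CST: AAA/AUTHOR/TAC+: (424410682): user=rtr_geek
Feb 22 15:26:16.322 CST: AAA/AUTHOR/TAC+: (424410682): send AV cmd*
Feb 22 15:26:16.822 CST: AAA/AUTHOR (424410682): Post authorization status = PASS_ADD
Feb 22 15:26:46.502 CST: AAA/AUTHOR/CMD: tty3 (32101230) user='rtr_geek'
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): send AV service=shell
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): send AV cmd=debug
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): send AV cmd-arg=all
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): send AV cmd-arg=<cr>
Feb 22 15:26:46.702 CST: AAA/AUTHOR (32101230): Post authorization status = FAIL
Feb 22 15:27:16.667 CST: AAA/AUTHOR/TAC+: (3461622395): user=rtr_geek
Feb 22 15:27:16.667 CST: AAA/AUTHOR/TAC+: (3461622395): send AV service=shell
Feb 22 15:27:16.667 CST: AAA/AUTHOR/TAC+: (3461622395): send AV cmd=reload
Feb 22 15:27:16.667 CST: AAA/AUTHOR/TAC+: (3461622395): send AV cmd-arg=<cr>
Feb 22 15:27:16.867 CST: AAA/AUTHOR (3461622395): Post authorization status = PASS_ADD
"""
CSUSLOG = """\
Feb 22 15:26:46 coachella CiscoSecure: DEBUG - AUTHORIZATION request (1e9d36e)
Feb 22 15:26:46 coachella CiscoSecure: DEBUG - Authorization - Failed command line; [NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=debug cmd-arg=all cmd-arg=<cr> output: ]
Feb 18 14:28:11 coachella CiscoSecure: DEBUG - Authorization - Failed command line; [NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=configure cmd-arg=terminal cmd-arg=<cr> output: ]
"""

def command_from_avs(avs):
    """Rebuild the typed command from the cmd= and cmd-arg= pairs; '<cr>' only marks end of line."""
    cmd = [v for k, v in avs if k == "cmd"]
    if not cmd:
        return None                      # EXEC shell authorization (cmd*), not a command
    return " ".join(cmd[:1] + [v for k, v in avs if k == "cmd-arg" and v != "<cr>"])

def parse_router_debug(text):
    """Group router debug lines by request id into {user, avs, status}."""
    reqs = {}
    for line in text.splitlines():
        rid = REQ_ID.search(line)
        if "AAA/AUTHOR" not in line or not rid:
            continue
        rec = reqs.setdefault(rid.group(1), {"user": None, "avs": [], "status": None})
        m = RTR_USER.search(line)
        if m:
            rec["user"] = m.group(1)
        m = RTR_AV.search(line)
        if m and "AAA/AUTHOR/TAC+" in line:  # the TAC+ copy is what actually goes to the server
            rec["avs"].append((m.group(1), m.group(2)))
        m = RTR_STATUS.search(line)
        if m:
            rec["status"] = m.group(1)
    return reqs

def parse_csuslog(text):
    """One record per 'Authorization - ...' line in the CiscoSecure log."""
    out = []
    for line in text.splitlines():
        m = CSU_RESULT.search(line)
        if m:
            avs = [tuple(t.split("=", 1)) for t in m.group("input").split() if "=" in t]
            out.append({"nas": m.group("nas"), "user": m.group("user"), "port": m.group("port"),
                        "command": command_from_avs(avs),
                        "permitted": m.group("result").strip() == "Request authorized"})
    return out

def router_decisions(text):
    """(user, command, permitted) for every command authorization the router completed.
    PASS_ADD/PASS_REPL count as permits; FAIL and ERROR both count as denials here."""
    out = []
    for rec in parse_router_debug(text).values():
        cmd = command_from_avs(rec["avs"])
        if cmd is not None and rec["status"] is not None:
            out.append((rec["user"], cmd, rec["status"].startswith("PASS")))
    return out

def denied_commands(router_text, csu_text):
    """Denied (user, command) pairs seen in either source, sorted; the first thing to review."""
    denied = {(u, c) for u, c, ok in router_decisions(router_text) if not ok}
    denied |= {(r["user"], r["command"]) for r in parse_csuslog(csu_text)
               if r["command"] is not None and not r["permitted"]}
    return sorted(denied)

def cross_check(router_text, csu_text):
    """Router decisions the server log does not corroborate (no record, or the opposite verdict)."""
    server = {(r["user"], r["command"]): r["permitted"] for r in parse_csuslog(csu_text)}
    return [(u, c, ok) for u, c, ok in router_decisions(router_text) if server.get((u, c)) != ok]

if __name__ == "__main__":
    print("denied:", denied_commands(ROUTER_DEBUG, CSUSLOG))
    print("uncorroborated:", cross_check(ROUTER_DEBUG, CSUSLOG))
```

The two sources use unrelated request ids (the router's decimal id and the server's hexadecimal one), so the script correlates them by user and reconstructed command rather than by id. In the constructed sample the reload permit has no server record at all, and cross_check reports it; on a real deployment a router permit that the AAA server never logged is the case to chase first, since it points at a fallback authorization method or a gap in server logging rather than at the policy itself.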


INDEX

A

AAA

BootFlash considerations B-1

case study overview (figure) 1-2

Cisco IOS 12.0(7)T command descriptions A-13

defined 1-1

disabling B-1

example configuration (NAS) A-5, A-9

example configuration (router) A-2

overview 1-1

security checklist (table) 1-12

task checklist (table) 1-14

aaa accounting command A-13, A-14

aaa authentication command A-13, A-14

aaa authorization command A-13, A-14

aaa new-model key command A-13, A-14

AAA server

creating a user profile (RADIUS authentication) 4-7

creating a user profile (RADIUS authorization) 4-9

creating a user profile (TACACS+ authentication) 4-3

creating a user profile (TACACS+ authorization) 4-5

negotiation process (flow diagram) 6-3

restarting 3-10

software version used in case study xii

verifying user configuration (RADIUS authentication) 4-8, 4-9

verifying user configuration (TACACS+ authentication) 4-3

verifying user configuration (TACACS+ authorization) 4-5

AAA servers

in network context 1-2

access list

dialup PPP filtering 1-11

troubleshooting problems 6-14, 6-17

verification, show caller user command (server-based) 4-10, C6

verification, show line command (local-based) 2-8

accounting

configuring EXEC and command level (TACACS+) 5-4

configuring NAS (TACACS+) 5-2

configuring router (TACACS+) 5-4

defined 1-1

dial-based accounting (server) 5-4

monitored dialup PPP events 1-11

monitored router administration events 1-11

records policies 1-11

server-based dial implementation 5-1

server-based router implementation 5-4

session timeout output example 5-2

SQL query 5-2, 5-5

TACACS+ dial implementation 5-1

TACACS+ implementation (local-based) 2-12

TACACS+ router implementation 5-4

TACACS+ verification tests (local-based) 2-13

TACACS+ verification tests (server-based) 5-2

verifying from AAA server 5-2, 5-5

acknowledgements xv

AddProfile command

adding basic user profile 3-11

adding group profiles (TACACS+ authentication) 4-11

adding group profiles (TACACS+ authorization) 4-17, 4-18

adding user profiles (RADIUS authentication) 4-7

adding user profiles (RADIUS authorization) 4-9

adding user profiles (TACACS+ authentication) 4-3


adding user profiles (TACACS+ authorization) 4-5

administrative control

authorization policy 1-11

creating, router example 4-13

privilege level 15 1-11

attribute-value pair

See AVPs

audience

defined xi

authentication

configuring NAS (RADIUS) 4-7

configuring NAS (TACACS+) 4-3

general process (flow diagram) 6-3

RADIUS implementation 4-6

RADIUS verification tests (server-based) C4

RADIUS vs. TACACS+ 1-5

server-based implementation 4-2, 4-6, 4-10

TACACS+ dialup, verifying by using csuslog 4-4

TACACS+ implementation (local-based) 2-2, 2-8

TACACS+ implementation (server-based) 4-2, 4-10

TACACS+ verification tests (local-based) 2-3, 2-9

TACACS+ verification tests (server-based) C1, C7

verifying PPP user authentication 4-4

authentication, authorization, and accounting

See AAA

authorization

configuring NAS (RADIUS) 4-9

configuring NAS (TACACS+) 4-4

configuring routers 4-13

defined 1-1

general process (flow diagram) 6-3

RADIUS implementation 4-8

RADIUS verification tests (server-based) C5

RADIUS vs. TACACS+ 1-5

server-based implementation 4-4, 4-8, 4-13

TACACS+ dialup, verifying by using csuslog 4-5

TACACS+ implementation (local-based) 2-5, 2-10

TACACS+ implementation (server-based) 4-4, 4-13

TACACS+ router, verifying by using csuslog 4-16, 4-18, 4-19

TACACS+ verification tests (local-based) 2-6, 2-11

TACACS+ verification tests (server-based) C2, C9

verifying access list 4-10

verifying PPP user authorization 4-5

verifying RADIUS authorization 4-9

autocommand ppp negotiate command 1-11

AVPs

adding group profiles (TACACS+ authentication) 4-11

adding group profiles (TACACS+ authorization) 4-16, 4-17, 4-18

defined 1-6

dial access devices 1-11

EXEC disabled implementation 6-6

EXEC shell enabled (TACACS+) 6-5

privilege level 15 enabled (TACACS+) 6-5

RADIUS, user profile 4-7, 4-9

RADIUS examples (table) 1-6

TACACS+, user profile 4-3, 4-5

TACACS+ authentication, group profile 4-11

TACACS+ authorization, group profile 4-16, 4-17, 4-18

TACACS+ examples (table) 1-6

B

BootFlash images

AAA considerations B-1

C

case study

hardware xii

objectives xi

overview 1-1

purpose xi

software xii

CCO

accessing xiii


definition xiii

CD-ROM

documentation xiv

Challenge Handshake Authentication Protocol

See CHAP

CHAP

ISDN authentication 1-10

checklists

AAA implementation tasks (table) 1-14

AAA security (table) 1-12

AAA service definition (table) 1-10

general service definition (table) 1-9

network services 1-9

Cisco 7206 VXR xii

Cisco AS5300 xii

Cisco AS5800 xii

Cisco Connection Online

See CCO

Cisco IOS 12.0(7)T xii

aaa accounting command A-13, A-14

aaa authentication command A-13, A-14

aaa authorization command A-13, A-14

AAA command descriptions (NAS) A-13

AAA command descriptions (router) A-13

aaa new-model command A-13, A-14

autocommand ppp negotiate command 1-11

disabling AAA B-1

example configurations A-1

ip http command A-13

ip tacacs command A-13

local-based router example A-2

radius-server host command A-15

server-based NAS example A-5, A-9

tacacs-server host command A-13, A-15

tacacs-server key command A-13

version used in case study xii

CiscoSecure for UNIX

See CSU

commands

Cisco IOS 12.0(7)T (AAA) A-13

configurations

Cisco IOS 12.0(7)T, NAS example A-5, A-9

Cisco IOS 12.0(7)T, router example A-2

CSU example A-15

example CSConfig.ini listing A-19

example CSU.cfg listing A-16

examples, Cisco IOS 12.0(7)T A-1

local router A-2

RADIUS A-9

TACACS+ A-5

conventions

command syntax xiii

document xiii

CSConfig.ini

example file listing A-19

CSU

configuring CSU logging 3-9

configuring debugging level 3-10

creating csuslog file 3-9

example configuration listings A-15

example CSConfig.ini listing A-19

example CSU.cfg listing A-16

installation process 3-2

installing 3-5

log files listed A-25

minimum system specifications xii

pkgadd command 3-6

restarting AAA server 3-10

restarting syslog daemon 3-10

software version used in case study xii

verifying Oracle account information 3-4

version 2.3(3) xii

CSU.cfg

example file listing A-16

csuslog

configuring logging 3-9

creating file 3-9

TACACS+ dialup authentication 4-4


TACACS+ dialup authorization 4-5

TACACS+ router authorization 4-16, 4-18, 4-19

using tail command (TACACS+ dialup authentication) 4-4

using tail command (TACACS+ PPP authorization) 4-5

using tail command (TACACS+ router authorization) 4-16, 4-18, 4-19

using the tail command C1

D

database

verifying instance 3-3

Data Encryption Standard

See DES

debug command

summary of relevant commands 6-7

using to troubleshoot AAA problems 6-7

debug output

accounting (server-based) 5-3, 5-5

accounting, TACACS+ (local-based) 2-13

authentication, RADIUS (server-based) C4

authentication, TACACS+ (local-based) 2-3, 2-10

authentication, TACACS+ (server-based) C1, C7

authorization, RADIUS (server-based) C5

authorization, TACACS+ (local-based) 2-6, 2-11

authorization, TACACS+ (server-based) C3, C9

DES

password support policy 1-13

router policy 1-10

diagnostics

using debug command output C1

directory environment variable

verifying 3-3

disconnect cause codes

idle timeouts 5-2, 5-3

listed (table) 5-6

E

encryption

RADIUS 1-4

TACACS+ 1-5

F

flow diagram

general authentication and authorization 6-3

TACACS+, authentication and authorization 4-14

G

groups

defining administrative control 4-13

H

hardware

case study xii

Cisco 7206 VXR xii

Cisco AS5300 xii

Cisco AS5800 xii

Sun UltraSPARC xii

I

implementation

AAA task checklist (table) 1-14

interoperability

RADIUS attribute support 1-6

IP addresses

static address policy 1-13

ip http command A-13

ip tacacs command A-13

ISDN

CHAP authentication 1-10


L

listener.ora

configuration listing A-24

local-based access

compared with server-based access 1-6

defined 1-6

local-based configuration

implementation overview 2-1

TACACS+, accounting 2-12

TACACS+, authentication 2-2, 2-8

TACACS+, authorization 2-5, 2-10

verification test results (TACACS+ accounting) 2-13

verification test results (TACACS+ authentication) 2-3, 2-9

verification test results (TACACS+ authorization) 2-6, 2-11

M

management policy

TACACS+ vs. RADIUS comparison 1-5

MD5

RFC link 1-2

multiprotocol support

TACACS+ vs. RADIUS comparison 1-5

N

NAS

versions used in case study xii

NAS profile

RADIUS 4-7

network environment

equipment summary 1-13

network services

AAA checklist (table) 1-10

accounting policy 1-11

authentication policy 1-10

authorization policy 1-11

checklist 1-9

definitions and policies 1-10

dialup/shell AAA policy 1-10

general checklist (table) 1-9

O

objectives

case study xi

online documentation

See CCO

Oracle

accounting records policy 1-11

confirming tnsnames service 3-4

creating tablespace 3-2

DB Client 7.3(4) xii

DB Server 7.3(4) xii

installation reference 3-2

listener (lsnrctl) 3-3

listener.ora listing A-24

Server Manager (svrmgrl) 3-3

software version used in case study xii

user environment variable A-23

verifying account information 3-4

verifying database instance 3-3

verifying SMON operation 3-3

verifying software directory environment variable 3-3

OS Solaris 2.5(1) xii

overview

AAA case study 1-1

P

PAP

PPP authentication 1-10

Password Authentication Protocol

See PAP


passwords

authentication policies 1-13

authentication policy 1-10

authorization policies 1-13

local access policy 1-10

planning

pre-deployment summary 1-9

site preparation xi

Point-to-Point Protocol

See PPP

policies

accounting 1-11

accounting, PPP 1-11

accounting, router administration 1-11

authentication 1-10

authorization 1-11

dialup/shell AAA 1-10

privilege level 15 authorization 1-13

router, administrative control 1-11

router management 1-5

security considerations 1-12

PPP

PAP authentication 1-10

verifying TACACS+ authorization 4-5

verifying TACACS+ user authentication 4-4

privilege level

TACACS+ support 1-2

privilege level 15

accounting 1-11, 1-12

command authorization policy 1-13

local administration 1-12

router authorization policy 1-11

router command authorization A-13

privilege level 15 commands 4-13

configuring accounting 5-4

problems

authentication

AAA behavior configured incorrectly in NAS 6-9

AAA behavior configured incorrectly in router 6-20

connection between NAS and AAA server down 6-12

connection between router and AAA server down 6-23

group profile password type does not match type in NAS 6-13

incorrect AAA configuration in router 6-21, 6-24

maximum number of users exceeded 6-12, 6-23

shell initiated PPP session fails 6-9, 6-13

TACACS+ key incorrect in router or AAA server 6-23

TACACS+ or RADIUS key incorrect in NAS or AAA server 6-12

user account disabled due to too many failed logins 6-10, 6-22

user account password or profile expired 6-11, 6-22

user enters invalid username or password 6-9, 6-20

user enters password incorrectly 6-10, 6-22

user exceeds the maximum number of concurrent sessions 6-11, 6-22

user name not in server database 6-10, 6-22

user profile configured incorrectly 6-10, 6-22

user workstation configured incorrectly 6-11

authorization

AAA authorization configured incorrectly in NAS 6-16

AAA behavior incorrectly configured 6-26, 6-28

AAA configuration error 6-25, 6-27

access list assigned to user 6-14, 6-17

authorization failed service 6-25, 6-27

autocommand ppp negotiate assigned to user 6-26, 6-28

AVPs not assigned 6-14, 6-17

does not have PPP service assigned 6-16

feature is not supported on console ports 6-28

group lacks shell service assigned 6-16

Idle-Timeout RADIUS AVP not configured on group profile 6-18

idletime TACACS+ AVP not configured on group profile 6-18

Lack of service=shell AVP 6-28

user client configuration error 6-13


user exceeds the maximum number of concurrent sessions 6-19

user or group does not have User-Service-Type AVP assigned 6-19

user or group profile lacks proper AVP 6-18

user or group profile restricted 6-18

user or lacks service=shell AVP assigned 6-19

user profile configured incorrectly 6-28

user profile lacks appropriate enable level to perform command 6-25

user profile lacks appropriate enable privilege level to perform command 6-27

user profile lacks appropriate privilege level to perform command 6-25, 6-27

user profile restricted 6-14

profiles

assigning user to group profile (TACACS+ authentication) 4-11

assigning user to group profile (TACACS+ authorization) 4-16, 4-17, 4-18

creating basic user 3-11

group, configuring router access 4-13

group, verifying (TACACS+ authentication) 4-11

group, verifying (TACACS+ authorization) 4-16, 4-17, 4-18

group configuration, TACACS+ 4-14

group permissions (table) 4-13

user, defining access privileges 6-5

user, RADIUS 4-7, 4-9

user, TACACS+ 4-3, 4-5

user, verifying (TACACS+ authentication) 4-12

user, verifying (TACACS+ authorization) 4-16, 4-17, 4-18

user, verifying basic 3-11

user configuration (RADIUS authentication) 4-7

user configuration (RADIUS authorization) 4-9

user configuration (TACACS+ authentication) 4-3

user configuration (TACACS+ authorization) 4-5

purpose

case study xi

R

RADIUS

authentication tests (server-based) C4

authorization tests (server-based) C5

AVP examples (table) 1-6

compared with TACACS+ 1-4

compared with TACACS+ (table) 1-4

configuring authentication (server-based) 4-6

configuring authorization (server-based) 4-8

creating user profiles (authentication) 4-7

debug output, server-based authentication C4

debug output, server-based authorization C5

encryption 1-4

example configuration (NAS) A-9

interoperability 1-6

NAS profile, creating 4-7

negotiation process (flow diagram) 6-4

RFC link 1-2

See also AVPs

See also troubleshooting

technology overview 1-3

troubleshooting scenario, authorization 6-36

troubleshooting symptom list, authentication 6-10

troubleshooting symptom list, authorization 6-15

verifying access list assignment 4-10

radius-server host command A-15

Remote Authentication Dial-in User Service

See RADIUS

Requests for Comments

See RFCs

RFCs

reference links 1-2

router

administration, command and control policy 1-11

administrative control, creating 4-13

authorization, controlling 4-13

management, RADIUS vs. TACACS+ 1-5


S

scenario

case study description 1-8

case study overview (figure) 1-2

scenarios

troubleshooting examples 6-29

security

policy considerations 1-12

server-based access

compared with local-based access 1-7

defined 1-7

server-based configuration

implementation overview (authentication and authorization) 4-1

verification test results (RADIUS authentication) C4

verification test results (RADIUS authorization) C5

verification test results (TACACS+ authentication) C1, C7

verification test results (TACACS+ authorization) C2, C9

verifying user (RADIUS authentication) 4-8, 4-9

verifying user (TACACS+ authentication) 4-3

verifying user (TACACS+ authorization) 4-5

show caller user command

access list verification output (server-based) 4-10, C6

session timeout disconnect example 5-3

show line command

verification output (local-based) 2-8

site preparation xi

SMON

verifying operation on Oracle server 3-3

software

case study listing xii

software components

Cisco IOS 12.0(7)T xii

Oracle DB Client 7.3(4) xii

Oracle DB Server 7.3(4) xii

OS Solaris 2.5(1) xii

SQL*Plus Release 3.3.4.0.1 xii

SQL*Plus

Release 3.3.4.0.1 xii

sqlplus

verifying account information 3-4

symptom list, troubleshooting AAA

dial-based local authentication 6-9

dial-based local authorization 6-13

dial-based server authentication 6-10

dial-based server authorization 6-15

router-based local authentication 6-19

router-based local authorization 6-24

router-based server authentication 6-21

router-based server authorization 6-26

syslog daemon

restarting 3-10

T

tablespace

installing (Oracle) 3-2

size requirements 3-2

TAC

contacting xiv

TACACS

RFC link 1-2

TACACS+

accounting tests (local-based) 2-13

assigning user to group profile (authentication) 4-11

assigning user to group profile (authorization) 4-16, 4-17, 4-18

authentication and authorization (figure) 4-14

authentication tests (local-based) 2-3, 2-9

authentication tests (server-based) C1, C7

authorization tests (local-based) 2-6, 2-11

authorization tests (server-based) C2, C9

AVP examples (table) 1-6

compared with RADIUS 1-4

compared with RADIUS (table) 1-4

configuring accounting (local-based) 2-12


configuring authentication (local-based) 2-2, 2-8

configuring authentication (server-based) 4-2, 4-10

configuring authorization (local-based) 2-5, 2-10

configuring authorization (server-based) 4-4, 4-13

configuring dial accounting (server-based) 5-1, 5-2

configuring router accounting (server-based) 5-4

creating user profiles (authentication) 4-3

debug output, server-based authentication C1, C7

debug output, server-based authorization C3, C9

encryption 1-5

example configuration (NAS) A-5

multiprotocol support 1-5

negotiation process, EXEC disabled (flow diagram) 6-6

negotiation process, EXEC enabled (flow diagram) 6-5

privilege level support 1-2

RFC link 1-2

router management 1-5

See also AVPs

See also troubleshooting

service control 1-3

technology overview 1-2

troubleshooting scenario, authentication 6-29, 6-30, 6-31

troubleshooting scenario, authorization 6-33, 6-34, 6-35

troubleshooting symptom list, authentication 6-10, 6-21

troubleshooting symptom list, authorization 6-15, 6-24, 6-26

tacacs-server host command A-13, A-15

tacacs-server key command A-13

tail command

reading the csuslog file C1

verifying dialup authentication with csuslog (TACACS+) 4-4

verifying PPP authorization with csuslog (TACACS+) 4-5

verifying router authorization with csuslog (TACACS+) 4-16, 4-18, 4-19

Technical Assistance Center

See TAC

technology

AAA overview 1-1

Terminal Access Controller Access Control System Plus

See TACACS+

tnsnames service

verifying with tnsping utility 3-4

tnsping

using to verify tnsnames service 3-4

troubleshooting

diagnostic overview 6-1

example scenarios 6-29

methodology overview 6-7

RADIUS authorization scenario 6-36

See also problems

See also RADIUS

See also symptom list, troubleshooting AAA

See also TACACS+

TACACS+ authentication scenario 6-29, 6-30, 6-31

TACACS+ authorization scenario 6-33, 6-34, 6-35

U

UNIX

version used in case study xii

user

creating profiles (RADIUS authentication) 4-7

creating profiles (RADIUS authorization) 4-9

creating profiles (TACACS+ authentication) 4-3

creating profiles (TACACS+ authorization) 4-5

user environment variable

Oracle, listed A-23

V

verification

accounting, TACACS+ (local-based) 2-13

accounting, TACACS+ (server-based) 5-2

authentication, RADIUS (server-based) C4

authentication, TACACS+ (local-based) 2-3, 2-9


authentication, TACACS+ (server-based) C1, C7

authorization, RADIUS (server-based) C5

authorization, TACACS+ (local-based) 2-6, 2-11

authorization, TACACS+ (server-based) C2, C9

verification tests

debug output, RADIUS authentication (server-based) C4

debug output, RADIUS authorization (server-based) C5

debug output, TACACS+ (local-based) 2-6, 2-11, 2-13

debug output, TACACS+ (server-based accounting) 5-3, 5-5

debug output, TACACS+ authentication (server-based) C1, C7

debug output, TACACS+ authorization (server-based) C3, C9

SQL query (accounting) 5-2, 5-5

ViewProfile command

verifying basic user configuration 3-11

verifying user configuration (RADIUS authentication) 4-8, 4-9

verifying user configuration (TACACS+ authentication) 4-3

verifying user configuration (TACACS+ authorization) 4-5
