• Authentication, Authorization, and Accounting
    • Old-Model
      • Local Authentication
      • Local authorization based on line/username settings.
    • New-Model
      • Supports AAA lists that define a sequence of methods.
      • List can be bound to access technologies.
        • i.e. Login or PPP
      • Default lists vs. explicitly assigned lists.
  • TACACS+ & RADIUS
    • Terminal Access Controller Access-Control System (TACACS)
      • Primarily for device authentication management.
        • i.e. IOS admins
      • Supports per-command authorization and accounting
    • Remote Authentication Dial In User Service (RADIUS)
      • Primarily for end-user authentication management.
        • e.g. RAVPN (remote-access VPN) users
      • Does not support per-command authorization and accounting.
    • Regardless of which method is used, local fallback should be configured.
  • Local Authentication
    • Default authentication method
    • Passwords are in clear-text by default.
      • service password-encryption
        • Encrypts passwords in the running config (reversible type 7 obfuscation only)
      • username secret
        • Stores a hash instead of the password
The link connecting them is 192.168.1.0/24.

The image above shows two routers with default configuration except for the subnet between them. R1 will have basic local user authentication set up with the commands below:

The above specifies a local username/password and tells the box to accept local login for SSH and telnet. If we telnet from R3, we’ll see that the privilege level this gives us is privilege 1.

We would need an enable password to get into privilege 15.

Another way of getting in would be using ‘no login’ under the line vty settings. That disables the login prompt and drops us directly into the router.

  • Local Command Authorization
    • Privilege levels used to control access to exec commands
    • Default privilege levels
      • 0 – none
      • 1 – user mode
      • 15 – root
    • User Defined Privilege levels
      • Levels 2-14
  • Move command privilege down:
    • Allow privilege 1 to do specific tasks
      • examples
        • run extended pings
        • show running config
          • only see what you can configure.
  • Moving command privilege up
    • Revoke privilege 1 from
      • running show commands
      • using the enable command
  • Local command authorization change:
    • Modified with privilege command
      • exec | configure | interface | router | etc.
    • The configuration mode a command lives in determines which mode option of the privilege command to use:
      • e.g.
        • Exec command
          • router#
        • Configure command
          • router(config)#
        • Interface command
          • router(config-if)#
    • The overhead of these commands is high. The better way is RBAC.
  • RBAC
    • Role-based access control
    • Replacement for privilege-levels
      • More flexible in terms of command allocation.
    • Role is a group of commands.
      • Known as parser view
    • Roles can be manually switched to with ‘enable view’
    • Roles could be assigned to users.
    • Roles should be configured from root view ‘enable view’
    • RBAC requires AAA enabled in router.
  • RBAC Configuration:
    • ‘aaa new-model’ must be entered first for this to work.
      • including ‘aaa authentication login default local’
    • Config for a parser view below:

I did not have to enter include commands; they were put in automatically after I entered the exclude commands.

Now, to enable the view, the command ‘enable view first’ must be entered, followed by the password we entered in the original configuration.

Now the commands shown as excluded in the output above will not work when logged into the router under that view.
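A complete parser-view configuration covering the steps above (AAA prerequisites, the view, and binding it to a user), added here as a constructed example that is not the post’s own config; the view name netops, the user noc1 and all passwords are assumptions:

```text
! Constructed example (not from the post). Assumed names: view netops, user noc1.
! RBAC requires AAA; the default login list must exist before views can be created.
aaa new-model
aaa authentication login default local
! Exec authorization is what applies the user's view at login time.
aaa authorization exec default local
!
! Views can only be defined from the root view, which needs an enable secret:
!   Router# enable view
!   Password: <enable secret>
enable secret EnableSecret123
!
! The role: a named group of commands, each tied to its parser mode.
parser view netops
 secret ViewPass123
 commands exec include show running-config
 commands exec include show ip interface brief
 commands exec include ping
 commands exec include configure terminal
 commands configure include interface
 commands interface include ip address
 commands interface exclude shutdown
!
! Assign the role to a user so the view is entered automatically at login.
username noc1 view netops secret Noc1Pass123
!
! Manual switch into the role from user EXEC (alternative to the binding above):
!   Router> enable view netops
!   Password: ViewPass123
```

Once in the view, ‘show parser view’ confirms the active role, and any command not included (for example ‘shutdown’ under an interface) is rejected as an invalid input.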

  • Config Change Notification and Logging
    • Local command accounting
      • tracks users and commands issued through CLI and HTTP
    • Configured as ‘archive’ and ‘log config’.

Now when we do a ‘show archive log config all’, we’ll see my changes:

I logged into the router with the user account cisco, created loopback interface 1 and assigned it the IP address 10.30.1.1/24.

  • Login Enhancements
    • Used to protect against brute force login attacks.
      • After X number of failed attempts, delay login.
    • ‘login block-for’

This blocks logins for 10 seconds if there are 3 failed attempts within 60 seconds. It’s a way to slow down brute-force login and dictionary attacks. Note that during the quiet period the router refuses all logins on those lines, so it is normally paired with a quiet-mode access-class that exempts trusted management hosts.
