Configuring Security for the Cisco AccessPath System

The access service security paradigm presented in this chapter uses the authentication, authorization, and accounting (AAA) facility. Authentication requires dialin users to prove they are who they say they are. When you require authentication before users can access your network, you are preventing users from either accessing lines on the Access Server Shelves or connecting through the lines directly to network resources. You need to secure every access point.

Authorization prevents each user from gaining access to services and devices on the network that they do not need to or are not permitted to access. Accounting provides records of who is connected and how long they have been connected for billing and other recording purposes. This chapter does not describe how to configure accounting. For more information about configuring accounting, refer to the Security Configuration Guide in the Cisco IOS configuration guides and command references documentation.

This chapter describes how to configure security using a remote security database for TACACS+ and RADIUS.

This chapter does not provide an exhaustive security overview. For example, it does not describe how to configure TACACS, Extended TACACS, Kerberos, or access lists. It presents the most commonly used security mechanisms to prevent unauthenticated and unauthorized access to network resources through the Access Server Shelves. For a comprehensive overview of Cisco security mechanisms, refer to the Security Configuration Guide.

This chapter includes the following sections:

Security Database

In a traditional ISP environment, you need a centralized security database that provides username and password information to the AccessPath system or to the home gateway router. This centralized security database resides in a security server. (See the TACACS+ Server and RADIUS Server in Figure 7-1.)

An example of a remote security database server is the CiscoSecure product from Cisco Systems, Inc. CiscoSecure is a UNIX security daemon solution, with which the administrator creates a database that defines the network users and their privileges. CiscoSecure uses a central database that stores user and group profiles with authentication and authorization information.

The Access Server Shelf exchanges user authentication information with a TACACS+ or RADIUS database on the security server by transmitting encrypted TACACS+ or RADIUS packets across the network.

For specific information about the interaction between the security server and the Access Server Shelf, refer to the Security Configuration Guide.

Figure 7-1 Security Database

A centralized security database also helps establish consistent remote access policies throughout a corporation.

Configuring Authentication

Using the AAA facility, you can authenticate users with the security database. The basic process of configuring the Cisco IOS software for authentication requires the following tasks:

Securing Access to Privileged EXEC and Configuration Mode

The first thing you secure is access to privileged EXEC (enable) mode. Enable mode provides access to configuration mode, which enables any type of configuration change to the Access Server Shelf. To secure Privileged EXEC mode, use one of the commands listed in Table 7-1:

Table 7-1 Securing Access to the Privileged EXEC Mode

Command	Purpose
enable password password	Requires that network administrators enter a password to access privileged EXEC mode. Do not provide access to nonadministrators.
enable secret password	Specifies a secret password, which is encrypted so that it cannot be read when crossing a network. After you issue this command, the encryption cannot be reversed. The encrypted version of the password appears in output of the show running-config and show startup-config commands. The enable secret password has precedence over the enable password. Do not enter the same password as the enable password. If the two passwords are the same, the enable secret password is not a secret, because the enable password appears in output of show running-config and show startup-config commands.

Command

Purpose

enable password password

Requires that network administrators enter a password to access privileged EXEC mode. Do not provide access to nonadministrators.

enable secret password

Specifies a secret password, which is encrypted so that it cannot be read when crossing a network. After you issue this command, the encryption cannot be reversed. The encrypted version of the password appears in output of the show running-config and show startup-config commands. The enable secret password has precedence over the enable password. Do not enter the same password as the enable password. If the two passwords are the same, the enable secret password is not a secret, because the enable password appears in output of show running-config and show startup-config commands.

For more information about the enable password and enable secret commands and their complete syntax, refer to the Security Command Reference.

If you use the enable secret command and specify an encryption type, you must enter the encrypted version of a specific password. Do not enter the cleartext version of the password after specifying an encryption type. You must comply with the following procedure when you specify an encryption type or you will be locked irretrievably out of privileged EXEC (enable) mode. The only way to regain access to privileged EXEC mode will be to erase the contents of NVRAM, erase your entire configuration, and reconfigure the router again.

To enter an encryption type with the enable secret command, follow this procedure:

Step 1 From within global configuration mode, enter the enable secret command, followed by the cleartext password that you will use to gain access to privileged EXEC mode. Do not specify an encryption type.

Step 2 Exit from global configuration mode and enter the command show running-config to view the encrypted version of the password. The following example illustrates these first two steps:

 
nas01(config)# enable secret mypassword 

 
nas01(config)# exit

 
nas01# show running-config

 
Building configuration...

 
Current configuration:

!

 
version 11.1

 
! some of the configuration skipped 

 
enable secret 5 $1$h7dd$VTNs4.BAfQMUU0Lrvw6570

 
! the rest of the configuration skipped 

Step 3 At this point, select and copy the encrypted password following enable secret 5 in the configuration output ($1$h7dd$VTNs4.BAfQMUU0Lrvw6570).

Step 4 Enter global configuration mode and enter the enable secret command, followed by the encryption type (5 is the only valid encryption type for enable secret), then paste in the encrypted version of the password, as shown in the following example:

 
nas01(config)# enable secret 5 $1$h7dd$VTNs4.BAfQMUU0Lrvw6570

Step 5 Exit from global configuration mode and copy the running configuration to NVRAM.

 
nas01(config)# exit

 
nas01# copy running-config startup-config 

You can also specify additional protection for privileged EXEC mode, including the following:

Privilege levels for Cisco IOS commands
Privileged EXEC passwords for different privilege levels
Privilege levels for specific lines on the Access Server Shelf
Encrypt passwords using service password-encryption

For more information about these security tools, refer to the Security Configuration Guide in the Cisco IOS configuration guides and command references documentation.

Enabling Communication Between the AccessPath System and the Security Server

This section describes the Cisco IOS software commands that enable the AccessPath system to communicate with a security server. This process is similar for communicating with TACACS+ and RADIUS servers, and the following sections describe the process.

You must configure the security server before performing the tasks described in this chapter. The section "Security Examples" at the end of this chapter shows some typical TACACS+ and RADIUS server entries corresponding to the Access Server Shelf security configurations.

Communicating with a TACACS+ Server

To enable communication between the TACACS+ security (database) server and the Access Server Shelf, issue the commands listed in Table 7-2 in global configuration mode.

Table 7-2 TACACS+ Server Commands

Command	Purpose
tacacs-server host {hostname \| ip-address}	Specifies the IP address or the host name of the remote TACACS+ server host. This host is typically a UNIX system running TACACS+ software.
tacacs-server key shared-secret-text-string	Specifies a shared secret text string used between the Access Server Shelf and the TACACS+ server. The Access Server Shelf and TACACS+ server use this text string to encrypt their exchanges.

For example, to enable the remote TACACS+ server to communicate with the Access Server Shelf, enter the commands as follows:

 
nas01# configure terminal

 
nas01(config)# tacacs-server host test

 
nas01(config)# tacacs-server key abra2cad

The host name of the TACACS+ server in the previous example is test. The key (abra2cad) in the previous example is the encryption key shared between the TACACS+ server and the Access Server Shelf.

For more information about TACACS+ commands, refer to the Security Command Reference, which is part of the Cisco IOS configuration guides and command references documentation.

Communicating with a RADIUS Server

To enable communication between the RADIUS security (database) server and the Access Server Shelf, issue the commands listed in Table 7-3 in global configuration mode.

Table 7-3 RADIUS Server Commands

Command	Purpose
radius-server host {hostname \| ip-address}	Specifies the IP address or the host name of the remote RADIUS server host. This host is normally a UNIX system running RADIUS software.
radius-server key shared-secret-text-string	Specifies a shared secret text string used between the router and the RADIUS server. The router and RADIUS server use this text string to encrypt passwords and exchange responses.

For example, to enable the remote RADIUS server to communicate with the Access Server Shelf, enter the commands as follows:

 
nas01# configure terminal

 
nas01(config)# radius-server host test 

 
nas01(config)# radius-server key abra2cad

The host name of the RADIUS server in the previous example is test. The key (abra2cad) in the previous example is the encryption key shared between the RADIUS server and the Access Server Shelf.

You can use any of the following optional commands to interact with the RADIUS server host:

radius-server retransmit number

This command specifies the number of times that the router transmits each RADIUS request to the server before the router gives up.

radius-server timeout seconds

This command specifies the number of seconds that an Access Server Shelf waits for a reply to a RADIUS request before the Access Server Shelf retransmits the request. The default is 5 seconds. If the RADIUS server's response is slow (because of support for a large number of users or large network latency), increase the timeout value.

For more information about these commands, refer to the Security Command Reference, which is part of the Cisco IOS configuration guides and command references documentation.

Configuring Authentication on a TACACS+ Server

On most TACACS+ security servers, there are three ways to authenticate a user for login:

Include a cleartext (DES) password for a user or for a group the user is a member of (each user can belong to only one group). Note that CHAP and global user authentication must be specified in cleartext.

The following is the configuration for global authentication:

 
user = myname {

 
               global = cleartext "myname global password"

}

To assign different passwords for CHAP, and a normal login, you must enter a string for each user that specifies the security protocols, whether the password is cleartext, and if it authentication is performed via a DES card. The following example shows a user carol, who has authentication configured for ARAP, CHAP, and login. Her ARAP and CHAP passwords, "arap password" and "chap password," are shown in clear text. Her login password has been encrypted.

 
user = carol {

 
       arap  = cleartext "arap password"

 
       chap  = cleartext "chap password"

 
       login = des XQj4892fjk

}

Use the /etc/passwd files instead of entering the password into the configuration file directly.

The default authentication is to deny authentication. You can change this at the top level of the configuration file to have the default use the /etc/passwd file, by issuing the following command:

 
default authentication = /etc/passwd

Authenticate using an s/key. If you have built and linked in an s/key library and compiled TACACS+ to use the s/key, you can specify that a user be authenticated via the s/key, as shown in the following example:

 
     user= fred {

 
     login = key 

}

On the Access Server Shelf, you configure authentication on all lines including the VTY and Console lines by entering the following commands, beginning in privileged EXEC mode:

 
nas01# configure terminal 

 
nas01(config)# aaa new-model 

 
nas01(config)# aaa authentication login default tacacs+ enable 

When you issue the aaa authentication login default tacacs+ enable command, you are specifying that if your TACACS+ server fails to respond (because it is set up incorrectly), you can log in to the Access Server Shelf by using your enable password. If you do not have an enable password set on the router, you will not be able to log in to it until you have a functioning TACACS+ daemon configured with usernames and passwords. The enable password in this case is a last-resort authentication method. You also can specify none as the last-resort method, which means that no authentication is required if all other methods failed.

Enabling AAA Globally on the AccessPath System

To use the AAA security facility in the Cisco IOS software, you must issue the aaa new-model command from global configuration mode.

When you issue the aaa new-model command, all lines on the Access Server Shelf receive the implicit login authentication default method list, and all interfaces with PPP enabled have an implicit ppp authentication pap default method list applied. In addition, the aaa new-model command applies implicit aaa authentication ppp default local and aaa authentication login default local commands.

If you intend to authenticate users via a security server, make sure you do not inadvertently lock yourself out of the Access Server Shelf ports after you issue the aaa new-model command. Enter line configuration mode and issue the aaa authentication login default tacacs+ enable global configuration command. This command specifies that if your TACACS+ (or RADIUS) server is not functioning properly, you can enter your enable password to log in to the Access Server Shelf. In general, make sure you have a last-resort access method before you are certain that your security server is set up and functioning properly. For more information about the aaa authentication command, refer to the "Defining Authentication Method Lists" section.

You should test login security from the enabled prompt (#) using the login command. This way, if security should fail, and you cannot log in, you will be at the enabled prompt where you can correct the problem.

Note Cisco recommends that you use CHAP authentication with PPP, rather than PAP. CHAP passwords are encrypted when they cross the network, whereas PAP passwords are cleartext when they cross the network. The Cisco IOS software selects PAP as the default, so you must manually select CHAP. The process for specifying CHAP is described in the "Applying Authentication Method Lists" section.

For example, enter the following commands to enable AAA in the Cisco IOS software:

 
nas01# configure terminal 

 
nas01(config)# aaa new-model 

Defining Authentication Method Lists

After you enable AAA globally on the Access Server Shelf, you need to define authentication method lists, which you then apply to lines and interfaces. These authentication method lists are security profiles that indicate the protocol (ARAP or PPP) or login and authentication method (TACACS+, RADIUS, or local authentication).

To define an authentication method list, perform the following steps, which are described in this section:

1. Issue the aaa authentication command.

2. Specify protocol (ARAP or PPP) or login authentication.

3. Identify a list name or default. A list name is any alphanumeric string you choose. You assign different authentication methods to different named lists.

4. Specify the authentication method. You can specify multiple methods, such as tacacs+, followed by local in case a TACACS+ server is not available on the network.

5. Populate the local username database if you specified local as the authentication method (or one of the authentication methods). To use a local username database, you must issue the username global configuration command. Refer to the section "Populate the Local Username Database if Necessary."

After you define these authentication method lists, you apply them to one of the following:

Lines—VTY lines or the console port for login and asynchronous lines (in most cases) for ARA
Interfaces—Asynchronous or ISDN interfaces configured for PPP

The section "Applying Authentication Method Lists" describes how to apply these lists.

Start AAA Authentication Configuration

To define an authentication method list, start by issuing the aaa authentication global configuration command, as shown in the following example:

 
nas01# configure terminal 

 
nas01(config)# aaa authentication 

Specify Protocol or Login Authentication

After you issue aaa authentication, you must specify one of the following dialin protocols as applicable for your network:

If you are enabling dialin PPP access, specify ppp
If you are enabling users to connect to the EXEC facility, specify login

You can specify only one dialin protocol per authentication method list. However, you can create multiple authentication method lists with each of these options. You must give each list a different name, as described in the next section "Identify a List Name."

If you specify the ppp option, the default authentication protocol for PPP is PAP. For greater security, specify CHAP. The full interface command is ppp authentication chap.

Identify a List Name

A list name identifies each authentication list. You can choose either to use the keyword default, or choose any other name that describes the authentication list. For example, you might call it isdn-radius if you intend to apply it to interfaces configured for ISDN and RADIUS authentication. The list name can be any alphanumeric string. We recommend that you use default as the list name for all lines and interfaces internal to the AccessPath system, and different names for all lines and interfaces where dialin users will be authenticated.

You can create different authentication method lists and apply them to lines and interfaces selectively. You can even create a named authentication method list that you do not apply to a line or interface, but which you intend to apply at some later point, such as when you deploy a new login method for users.

After you define a list name, you must identify additional security attributes (such as local authentication versus TACACS+ or RADIUS).

In the following example, the default authentication method list for PPP dialin clients uses the local security database.

 
nas01# configure terminal 

 
nas01(config)# aaa authentication ppp default 

In the following example, the PPP authentication method list name is radius.

 
nas01# configure terminal 

 
nas01(config)# aaa authentication ppp radius

In the following example, the login authentication method list name is local.

 
nas01# configure terminal 

 
nas01(config)# aaa authentication login local

Specify the Authentication Method

After you identify a list name, you must specify an authentication method. An authentication method identifies how users are authenticated. For example, will users be authenticated by a local security database resident on the Access Server Shelf (local method)? Will they be authenticated by a remote security database, such as by a TACACS+ or RADIUS daemon? Will guest access to an AppleTalk network be permitted?

Authentication methods are defined with optional keywords in the aaa authentication command. The available authentication methods for PPP are described in Table 7-4.

Table 7-4 PPP Authentication Methods

Authentication Methods for PPP	Purpose
if-needed	Authenticates only if not already authenticated. No duplicate authentication.
krb5	Specifies Kerberos 5 authentication.
local	Uses the local username database in the Access Server Shelf. This is defined with the username global configuration command.
none	No authentication is required. Do not prompt for a username or password.
radius	Use RADIUS authentication as defined on a RADIUS security server.
tacacs+	Use TACACS+ authentication as defined on a TACACS+ security server.

Note If you are not sure whether you should use TACACS+ or RADIUS, here are some comparisons: TACACS+ encrypts the entire payload of packets passed across the network, whereas RADIUS only encrypts the password when it crosses the network. TACACS+ can query the security server multiple times, whereas a RADIUS server gives one response only and is therefore not as flexible regarding per-user authentication and authorization attempts.

You can specify multiple authentication methods for each authentication list. The following example authentication method list for PPP first queries a TACACS+ server, then a RADIUS server, then the local security database. Multiple authentication methods can be useful if a single security server type does not respond:

 
nas01(config)# aaa authentication ppp testbed tacacs+ radius local

If you specify more than one authentication method and the first method (TACACS+ in the previous example) is not available, the Cisco IOS software attempts to authenticate using the next method (such as RADIUS). If in the previous example the RADIUS server has no information about the user, or if no RADIUS server can be found, the user is authenticated using the local username database that was populated with the username command.

However, if authentication fails using the first method listed, the Cisco IOS software does not permit access. It does not attempt to authenticate using the subsequent security methods if the user entered the incorrect password.

Populate the Local Username Database if Necessary

If you specify local as the security method, you must specify username profiles for each user who might log in. An example of specifying local authentication is as follows:

 
nas01(config)# aaa authentication login your_name local

This command specifies that any time a user attempts to log in to a line on an Access Server Shelf, the Cisco IOS software checks the username database. To create a local username database, define username profiles using the username global configuration command.

The following example shows how to use the username command for a user myname with password mypassword:

 
nas01(config)# username myname password mypassword 

The show running-config command shows the encrypted version of the password, as follows:

 
nas01# show running-config

 
Building configuration...

 
Current configuration:

!

 
version 11.1

 
! most of config omitted

 
username myname password 7 0215055500070C294D

Note The Cisco IOS software adds the encryption type of 7 automatically for passwords. If you were to manually enter the number 7 to represent an encryption type, you must follow the 7 with the encrypted version of the password. If you specify the number 7, then enter a cleartext password, the user will not have access to the line, interface, or the network they are trying to access, and you must reconfigure the user's authentication profile.

Authentication Method List Examples

This section shows some examples of authentication lists.

Authentication Method List Examples for Users Logging in to the Access Server Shelf

The following example creates a local authentication list for users logging in to any line on the Access Server Shelf. It is identical to the implicit method list when the command aaa new-model is used.

 
nas01(config)# aaa authentication login default local 

The following example specifies login authentication using RADIUS (the RADIUS daemon is polled for authentication profiles):

 
nas01(config)# aaa authentication login default radius

The following example specifies login authentication using TACACS+ (the TACACS+ daemon is polled for authentication profiles):

 
nas01(config)# aaa authentication login default tacacs+

Authentication Method List Examples for Users Dialing In Using PPP

The following example creates a TACACS+ authentication list for users connecting to interfaces (such as ISDN BRI or asynchronous interfaces) configured for dialin using PPP. The name of the list is marketing. This example specifies that a remote TACACS+ daemon be used as the security database. If this security database is not available, the Cisco IOS software then polls the RADIUS daemon. Users are not authenticated if they are already authenticated on a TTY line.

 
nas01(config)# aaa authentication ppp marketing if-needed tacacs+ radius

In this example, default can be substituted for marketing if the administrator wants this list to be the default list.

Applying Authentication Method Lists

As described in the "Defining Authentication Method Lists" section, the aaa authentication global configuration command creates authentication method lists or profiles. You apply these authentication method lists to lines or interfaces by issuing the login authentication, or ppp authentication command, as described in Table 7-5.

Table 7-5 Line and Interface Authentication Method Lists

Interface and Line Command	Action	Port to which List is Applied	Corresponding Global Configuration Command
login authentication	Logs directly in to the Access Server Shelf.	Console Port or VTY lines	aaa authentication login
ppp authentication ¹	Uses PPP to access IP or IPX network resources	Interface (asynchronous, ISDN, or other WAN)	aaa authentication ppp

1If you issued the ppp authentication command, you must specify either CHAP or PAP authentication. PAP is enabled by default, but Cisco recommends that you use CHAP because CHAP is more secure. For more information, refer to the Security Configuration Guide.

You can create more than one authentication list or profile for login and protocol authentication and apply them to different lines or interfaces. The following examples show the line or interface authentication commands that correspond to the aaa authentication global configuration command.

Login Authentication Examples

The following example shows the default login authentication list applied to the console port and the default virtual terminal (VTY) lines on the Access Server Shelf:

 
nas01(config)# aaa authentication login default local 

 
nas01(config)# line console 0

 
nas01(config-line)# login authentication default 

 
nas01(config-line)# line vty 0 4

 
nas01(config-line)# login authentication default 

In the following example, the login authentication list named other-office, which uses RADIUS authentication, is created. It is applied to all 55 lines on an Access Server Shelf, including the console (CTY) port, the 48 physical asynchronous (TTY) lines, the auxiliary (AUX) port, and 5 virtual terminal (VTY) lines:

 
nas02(config)# aaa authentication login other-office radius 

 
nas02(config)# line 0 54

 
nas02(config-line)# login authentication other-office

The following sample output shows lines and their status on the Access Server Shelf:

 
nas02#sho line

 
 Tty Typ     Tx/Rx     A Modem  Roty AccO AccI  Uses    Noise   Overruns

 
*  0 CTY               -    -      -    -    -     0        0        0/0

 
*  1 TTY  57600/57600  - inout     -    -    -     0        0        0/0

...

 
I  8 TTY 115200/115200 - inout     -    -    -     0        0        0/0

 
   9 AUX  38400/38400  -    -      -    -    -     0        0        0/0

 
  10 VTY               -    -      -    -    -     0        0        0/0

...

 
  39 VTY               -    -      -    -    -     0        0        0/0

PPP Authentication Examples

The following example creates the PPP authentication list marketing, which uses TACACS+, then RADIUS authentication. The list marketing requires authentication only if the user has not already been authenticated on another line. It is then applied to asynchronous lines 1 through 48 on a Access Server Shelf and uses CHAP authentication, instead of the default of PAP:

 
AS5200(config)# aaa authentication ppp marketing if-needed tacacs+ radius 

 
AS5200(config)# line 1 48

 
AS5200(config-line)# ppp authentication chap marketing 

Configuring Authorization

You can configure the Access Server Shelves to restrict user access to the network so that users can only perform certain functions after successful authentication. As with authentication, authorization can be used with either a local or remote security database. This guide describes only remote security server authorization.

A typical configuration most likely uses the EXEC facility and network authorization. EXEC authorization restricts access to the EXEC, and network authorization restricts access to network services, including PPP and ARA.

Authorization must be configured on both the Access Server Shelves and the security daemon. The default authorization is different on the Access Server Shelves and the security server:

By default, the Access Server Shelves permits access for every user until you configure the Access Server Shelves to make authorization requests to the daemon.
By default, the daemon denies authorization of anything that is not explicitly permitted. Therefore, you have to explicitly allow all per-user attributes on the security server.

Note If authentication has not been set up for a user, per-user authorization attributes are not enabled for that user. That is, if you want a user to authorize himself before he has access to network resources, you must first require that the user authenticate himself. For example, if you want to specify the aaa authorization network tacacs+ (or radius) command, you must first specify the aaa authentication {ppp} default if-needed tacacs+ (or radius) command.

Configuring Authorization on the Security Server

You typically have three methods for configuring default authorization on the security server:

To override the default denial of authorization from a non-existent user, specify authorization at the top level of the configuration file:

 
default authorization = permit

At the user level, inside the braces of the user declaration, the default for a user who does not have a service or command explicitly authorized is to deny that service or command. To permit it:

 
default service = permit

At the service authorization level, arguments are processed according to the following algorithm: For each AV pair sent from the Access Server Shelf, the following process occurs:

(a). If the AV pair from the Access Server Shelf is mandatory, look for an exact match in the daemon's mandatory list. If found, add the AV pair to the output.

(b). If an exact match does not exist. look in the daemon's optional list for the first attribute match. If found, add the Access Server Shelf AV pair to the output.

(c). If no attribute match exists, deny the command if the default is to deny, or if the default is permit, add the Access Server Shelf AV pair to the output.

(d). If the AV pair from the Access Server Shelf is optional, look for an exact attribute, value match in the mandatory list. If found, add the daemon's AV pair to output.

(e). If not found, look for the first attribute match in the mandatory list. If found, add daemon's AV pair to output.

(f). If no mandatory match exists, look for an exact attribute, value pair match among the daemon's optional AV pairs. If found, add the daemon's matching AV pair to the output.

(g). If no exact match exists, locate the first attribute match among the daemon's optional AV pairs. If found add the daemon's matching AV pair to the output.

(h). If no match is found, delete the AV pair if default is deny, or if the default is permit, add the Access Server Shelf AV pair to the output.

(i). If there is no attribute match already in the output list after all AV pairs have been processed for each mandatory daemon AV pair, add the AV pair (add only one AV pair for each mandatory attribute).

Configuring Authorization (Network or EXEC)

To specify network authorization, which means that you are preventing unauthorized users from accessing network resources, issue the aaa authorization network command.

To restrict users from logging into the EXEC facility, issue the aaa authorization exec command. See the following example:

 
nas01(config)# aaa authorization network 

 
nas01(config)# aaa authorization exec

Note You can also require authorization before a user can issue specific commands by using the aaa authorization command. For more information, refer to the Security Configuration Guide, which is part of the Cisco IOS configuration guides and command references documentation.

Specifying the Authorization Method

Authorization methods are defined as optional keywords in the aaa authorization command. You can specify any of the authorization methods listed in Table 7-6 for both network and EXEC authorization.

Table 7-6 Authorization Methods

Authorization Methods	Purpose
if-authenticated	User is authorized if already authenticated.
local	Uses the local database for authorization. The local database is created using the username privilege command to assign users to a privilege level from 0 to 15 and the privilege level command to assign commands to these different levels.
none	Authorization always succeeds.
radius	Uses RADIUS authorization as defined on a RADIUS server.
tacacs+	Uses TACACS+ authorization as defined on a TACACS+ server.

Specifying Authorization Parameters on a TACACS+ Server

When you configure authorization, you must ensure that the parameters established on the Access Server Shelf correspond with those set on the TACACS+ server.

Authorization Examples

The following example uses a TACACS+ server to authorize the use of network services, including PPP and ARA. If the TACACS+ server is not available or has no information about a user, no authorization is performed, and the user can use all network services:

 
nas01(config)# aaa authorization network tacacs+ none

The following example permits the user to run the EXEC process if the user is already authenticated. If the user is not already authenticated, the Cisco IOS software defers to a RADIUS server for authorization information.

 
nas01(config)# aaa authorization exec if-authenticated radius 

The following example configures network authorization. If the TACACS+ server does not respond or has no information about the username being authorized, the RADIUS server is polled for authorization information for the user. If the RADIUS server does not respond, the user still can access all network resources without authorization requirements.

 
nas01(config)# aaa authorization network tacacs+ radius none 

RADIUS Accounting

You use the aaa accounting command with the radius keyword to turn on RADIUS accounting for each Cisco IOS privilege level, and network services.

To use RADIUS accounting to send a start record accounting notice at the beginning of an EXEC process and a stop record at the end, perform the following task in global configuration mode:

 
 Task 

 
                                             Command 

 
 Turn on RADIUS accounting for the EXEC session. 

 
                                             aaa accounting exec start-stop radius 

 
The RADIUS accounting records contain information about EXEC usage time per user. 

 
To use RADIUS to account for all network-related service requests, including SLIP, PPP, and PPP NCPs, perform the following task in

 
global configuration mode: 

 
 Task 

 
                                                    Command 

 
 Use RADIUS accounting for network-related service requests. 

 
                                                    aaa accounting network start-stop radius1 

 
1 This command is documented in the "Accounting and Billing Commands" chapter of the Security Command Reference.

 
This command provides packet and byte counts for connections. 

 
Note No RADIUS-specific show commands exist. You can use the show accounting command to display accounting information. 

Security Examples

This series of examples shows complete security configuration components of a configuration file on an Access Server Shelf. Each of these examples shows authentication and authorization.

Simple Local Security Example

This sample configuration uses AAA to configure default authentication using a local security database on the Access Server Shelf. All lines and interfaces have the default authentication lists applied. Users myname1, myname2, and myname3 have been assigned privilege level 7, which prevents them from issuing the ppp and slip commands, because these commands have been assigned to privilege level 8.

 
aaa new-model

 
aaa authentication login default local 

 
aaa authentication ppp default local 

 
aaa authorization exec local

 
aaa authorization network local

 
aaa authorization 

!

 
username myname1 privilege exec level 7 privilege network level 8 password 7 095E470B1110

 
username myname2 privilege network level 7 password 7 0215055500070C294D

 
username myname3 privilege network level 7 password 7 095E4F10140A1916

!

 
privilege exec level 8 ppp

 
privilege exec level 8 arap

 
privilege exec level 8 slip

 
line console 0

 
 login authentication default

!

 
line 1 16

!

 
interface Group-Async1

 
 ppp authentication chap default

 
 group-range 1 16

With this configuration, the sign-on dialog from a remote PC appears as follows:

 
atdt5551234        

 
CONNECT 14400/ARQ/V32/LAPM/V42BIS 

 
User Access Verification

 
Username: myname1

 
Password:

 
Router> enable

 
Password: 

 
Router# 

TACACS+ Security Example for Login, PPP, and ARA

The following example shows how to create and apply the following authentication lists:

A TACACS+ server named host1 is polled for authentication information (so you do not need to define a local username database). The shared key between the Access Server Shelf and the TACACS+ security server is key1.
A login authentication list named other-office is created, then applied to the console port.
The PPP authentication list USERS&TUNNELS is applied to Group-Async1, which includes asynchronous interfaces 1 to 48.
An ARA list named remote-office is created and applied to lines 1 to 48.

 
hostname nas01

!

 
tacacs-server host host1

 
tacacs-server key key1 

!

 
aaa new-model

 
aaa authentication login CONSOLE tacacs+

 
aaa authentication ppp USERS&TUNNELS if-needed tacacs+ 

 
aaa authentication arap default tacacs+

!

 
line console0

 
 login authentication CONSOLE 

!

 
interface Group-Async1 

 
 ppp authentication chap callin USERS&TUNNELS

 
 ppp chap hostname NameCustomerSees

 
 group-range 1 48

!!

RADIUS Example for Login and PPP

The following example shows how to create the following authentication lists:

A RADIUS server named host1 is polled for authentication information (so you do not need to define a local username database). The shared key between the Access Server Shelf and the RADIUS security server is BaBe218.
The PPP authentication list USERS&TUNNELS is applied to Group-Async1, which includes asynchronous interfaces 1 to 48. CHAP authentication is used, because it is more secure than PAP.
A login authentication list named USERS is created, then applied to all lines where users can log in, except the console port. In this example, the console port is physically secure and does not need password protection.

 
radius-server host host1 

 
radius-server key BaBe218 

!

 
privilege exec level 14 configure 

 
privilege exec level 14 reload

 
privilege exec level 8 ppp

!

 
aaa new-model 

 
aaa authentication login CONSOLE none 

 
aaa authentication login ADMIN radius local

 
aaa authentication login USERS radius local

 
aaa authentication ppp USERS&TUNNELS if-needed radius 

 
aaa authorization network radius if-authenticated

!

 
interface Group-Async1 

 
 description "Async Incoming Call"

 
 ppp authentication chap callin USERS&TUNNELS

 
 group-range 1 48

!

 
line 1 48

 
 login authentication USERS 

!

Table of Contents

Configuring Security for the Cisco AccessPath Integrated Access System