
Table Of Contents

Authentication, Authorization, and Accounting

AAA Main Window

AAA Servers and Groups

AAA Servers Window

AAA Server Groups Window

Authentication and Authorization Policies


Authentication, Authorization, and Accounting


Cisco IOS Authentication, Authorization, and Accounting (AAA) is an architectural framework for configuring a set of three independent security functions in a consistent manner. AAA provides a modular way of performing authentication, authorization, and accounting services.

Cisco IOS AAA provides the following benefits:

Increased flexibility and control

Scalability

Standardized authentication methods. SDM enables you to configure the Remote Authentication Dial-In User Service (RADIUS) and the Terminal Access Controller Access Control System Plus (TACACS+) authentication methods.

AAA Main Window

This window provides a summary view of the AAA configuration on the router. To view more detailed information or to edit the AAA configuration, click the appropriate node on the AAA tree.

Enable/Disable AAA

AAA is enabled by default. If you click Disable, SDM displays a message telling you that it will make configuration changes to ensure that the router can be accessed. Disabling AAA will prevent you from configuring your router as an Easy VPN server, and will prevent you from associating user accounts with command line interface (CLI) views.

AAA Servers and Groups

This read-only field displays a count of the AAA servers and server groups. The router relays authentication, authorization, and accounting requests to AAA servers. AAA servers are organized into groups to provide the router with alternate servers to contact if the first server contacted is not available.

Authentication Policies

This read-only field lists configured authentication policies. Authentication policies define how users are identified. To edit authentication policies, click the Login sub-node under Authentication Policies in the AAA tree.

Authorization Policies

This read-only field lists configured authorization policies. Authorization policies define the methods that are used to permit or deny a user login. To edit authorization policies, click Authorization Policies in the AAA tree.

To edit authorization policies (Exec Authorization and Network Authorization), click the Exec and Network sub-nodes respectively under the Authorization Policies node in the AAA tree.

AAA Servers and Groups

This window provides a description of AAA servers and AAA server groups.

AAA Servers Window

This window lets you view a snapshot of the information about the AAA servers that the router is configured to use. The IP address, server type, and other parameters are displayed for each server.

Global Settings

Click this button to make global settings for TACACS+ and RADIUS servers. In the Edit Global Settings window, you can specify how long to attempt contact with an AAA server before going on to the next server, the key to use when contacting TACACS+ or RADIUS servers, and the interface on which TACACS+ or RADIUS packets will be received. These settings will apply to all servers for which server-specific settings have not been made.

Add...

Click this button to add a TACACS+ or a RADIUS server to the list.

Edit...

Click this button to edit the information for the selected AAA server.

Delete...

Click this button to delete the information for the selected AAA server.

Server IP

The IP address of the AAA server.

Type

The type of server, TACACS+ or RADIUS.

Parameters

This column lists the timeout, key, and other parameters for each server.

Add or Edit a TACACS+ Server

Add or edit information for a TACACS+ server in this window.

Server IP or Host

Enter the IP address or the host name of the server. If the router has not been configured to use a Domain Name Service (DNS) server, enter an IP address.

Single Connection to Server

Check this box if you want the router to maintain a single open connection to the TACACS+ server, rather than opening and closing a TCP connection each time it communicates with the server. A single open connection is more efficient because it allows the TACACS+ server to handle a higher number of TACACS+ operations.


Note This option is supported only if the TACACS+ server is running CiscoSecure version 1.0.1 or later.


Server-specific setup

Check this box if you want to override AAA server global settings, and specify a server-specific timeout value and encryption key.

Timeout (seconds)

Enter the number of seconds that the router should attempt to contact this server before going on to the next server in the group list. If you do not enter a value, the router will use the value configured in the AAA Servers Global Settings window.

Configure Key

Optional. Enter the key to use to encrypt traffic between the router and this server. If you do not enter a value, the router will use the value configured in the AAA Servers Global Settings window.

New Key/Confirm Key

Enter the key and reenter it for confirmation.

Add or Edit a RADIUS Server

Add or edit information for a RADIUS server in this window.

Server IP or Host

Enter the IP address or the host name of the server. If the router has not been configured to use a Domain Name Service (DNS) server, enter an IP address.

Authorization Port

Specify the server port to use for authorization requests. The default is 1645.

Accounting Port

Specify the server port to use for accounting requests. The default is 1646.

Timeout (seconds)

Optional. Enter the number of seconds that the router should attempt to contact this server before going on to the next server in the group list. If you do not enter a value, the router will use the value configured in the AAA Servers Global Settings window.

Configure Key

Optional. Enter the key to use to encrypt traffic between the router and this server. If you do not enter a value, the router will use the value configured in the AAA Servers Global Settings window.

New Key/Confirm Key

Enter the key and reenter it for confirmation.

Edit Global Settings

You can specify communication settings that will apply to all communications between the router and AAA servers in this window. Any communication settings made for a specific server will override the settings made in this window.

TACACS+ Server/ RADIUS Server

Click the appropriate button to specify the server type for which you are setting global parameters. If you select TACACS+ Server, the parameters will apply to all communication with TACACS+ servers that do not have server-specific parameters set. If you select RADIUS Server, the parameters will apply to all communication with RADIUS servers that do not have server-specific parameters set.

Timeout (seconds)

Enter the number of seconds to wait for a response from the RADIUS or TACACS+ server.

Key

Enter the encryption key for all communication between the router and the TACACS+ or RADIUS servers.

Select the source interface

Check this box if you want to specify a single interface on which the router is to receive TACACS+ or RADIUS packets.

Interface

Select the router interface on which the router is to receive TACACS+ or RADIUS packets. If the Select the source interface box is not checked, this field will be disabled.

AAA Server Groups Window

This window displays the AAA server groups configured on this router. If no AAA servers have been configured, this window is empty.

Group Name

The name of the server group. Server group names allow you to use a single name to reference multiple servers.

Type

The type of servers in the selected group, either TACACS+ or RADIUS.

Group Members

The IP addresses or host names of the AAA servers in this group.

Authentication and Authorization Policies

The Authentication Policies and the Authorization Policies windows summarize the authentication policy information on the router.

Authentication Type

The type of authentication policy.

Number of Policies

The number of policies of this type.

Usage

The usage description for these policies.

Authentication and Authorization Windows

The Login window displays the method lists used to authenticate logins and NAC requests; the Exec and Network authorization windows display the method lists used to authorize Exec command-level and network requests. You can review and manage these method lists from these windows.

Add, Edit, and Delete Buttons

Use these buttons to create, edit, and remove method lists.

List Name

The method list name. A method list is a sequential list describing the authentication methods to be queried in order to authenticate a user.

Method 1

The method that the router will attempt first. If one of the servers in this method authenticates the user (sends a PASS response), authentication is successful. If a server returns a FAIL response, authentication fails. If no servers in the first method respond, then the router uses the next method in the list. Methods can be ordered when you create or edit a method list.

Method 2, 3, and 4

The methods that the router will use if the servers referenced in method 1 do not respond. If there are fewer than four methods, the positions for which no list has been configured are kept empty.

Authentication NAC

The Authentication NAC window displays the EAPoUDP method lists configured on the router. If the NAC wizard has been used to create a NAC configuration on the router, this window contains the following entry:

default group SDM_NAC_Group

You can specify additional method lists in this window if you want the router to attempt the methods that you enter before resorting to the default method list.

Add, Edit, and Delete Buttons

Use these buttons to create, edit, and remove method lists.

List Name Column

The method list name. A method list is a sequential list describing the authentication methods to be queried in order to authenticate a user.

Method 1 Column

The method that the router will attempt first. If one of the servers in this method authenticates the user (sends a PASS response), authentication is successful. If a server returns a FAIL response, authentication fails. If no servers in the first method respond, then the router uses the next method in the list. Methods can be ordered when you create or edit a method list.

Method 2, 3, and 4 Columns

The methods that the router will use if the servers referenced in method 1 do not respond. If there are fewer than four methods, the positions for which no list has been configured are kept empty.

Add or Edit a Method List for Authentication or Authorization

A method list is a sequential list describing the authentication methods to be queried in order to authenticate a user. Method lists enable you to designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails.

Cisco IOS software uses the first listed method to authenticate users. If that method fails to respond, the Cisco IOS software selects the next authentication method listed in the method list. This process continues until there is successful communication with a listed authentication method, or all methods defined in the method list are exhausted.

It is important to note that the Cisco IOS software attempts authentication with the next listed authentication method only when there is no response from the previous method. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops and no other authentication methods are attempted.

Name/Specify

Select the name Default in the Name list, or select User Defined, and enter a method list name in the Specify field.

Methods

A method is a configured server group. Up to four methods can be specified and placed in the list in the order you want the router to use them. The router will attempt the first method in the list. If the authentication request receives a PASS or a FAIL response, the router does not query further. If the router does not receive a response by using the first method, it uses the next method in the list, and continues to the end of the list until it receives a PASS or a FAIL response.

Add

Click this button to add a method to the list. If there are no configured server groups to add, you can configure a server group in the window displayed.

Delete

Click this button to delete a method from the list.

Move Up/Down

The router attempts the methods in the order they are listed in this window. Click Move Up to move a method up the list. Click Move Down to move a method further down the list.

The method "none" will always be last in the list. No other method in the list can be moved below it. This is an IOS restriction. IOS will not accept any method name after the method name "none" has been added to a Method List.
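The method-list behaviour described in this window and in the Method 1 and Method 2, 3, and 4 columns above (the first PASS or FAIL reply ends the request, only silence moves the router to the next method, server-specific timeouts override the global value for that server type, at most four methods, and nothing after "none") as an added Python simulation. This is not SDM or Cisco IOS code: the class names, the server addresses, the group names and the reply values are constructed for the example, and treating a fully exhausted list as a denial is an assumption, since the text only says the list is exhausted.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PASS, FAIL, NO_RESPONSE = "PASS", "FAIL", "NO_RESPONSE"


@dataclass
class Server:
    host: str
    kind: str                      # "tacacs+" or "radius"
    timeout: Optional[int] = None  # server-specific setup; None = use global value


@dataclass
class GlobalSettings:
    timeout: Dict[str, int]        # per server type, as in Edit Global Settings


def effective_timeout(server: Server, glob: GlobalSettings) -> int:
    """A server-specific timeout overrides the global value for its server type."""
    return server.timeout if server.timeout is not None else glob.timeout[server.kind]


def build_method_list(name: str, methods: List[str]) -> Tuple[str, List[str]]:
    """Enforce the two constraints stated in the help text: at most four
    methods, and no method may follow 'none'."""
    if len(methods) > 4:
        raise ValueError("a method list holds at most four methods")
    if "none" in methods and methods.index("none") != len(methods) - 1:
        raise ValueError("IOS accepts no method name after 'none'")
    return name, list(methods)


def query_group(members: List[Server], replies: Dict[str, Optional[str]],
                glob: GlobalSettings, trace: List[str]) -> str:
    """Contact the group's servers in order. The first PASS or FAIL answers
    the request; a server that stays silent for its timeout is skipped."""
    for server in members:
        trace.append(f"{server.host} (timeout {effective_timeout(server, glob)}s)")
        reply = replies.get(server.host)      # None models "no response"
        if reply in (PASS, FAIL):
            return reply
    return NO_RESPONSE


def authenticate(method_list, groups, replies, glob, trace=None):
    """Walk the method list. Move to the next method only on NO_RESPONSE;
    a FAIL stops the process without trying further methods. Exhausting the
    list is treated as a denial here (assumption, see lead-in)."""
    trace = [] if trace is None else trace
    _, methods = method_list
    for method in methods:
        if method == "none":
            return PASS, method               # 'none' authenticates unconditionally
        reply = query_group(groups[method], replies, glob, trace)
        if reply != NO_RESPONSE:
            return reply, method
    return FAIL, None


# Constructed sample configuration: two server groups and global timeouts.
GLOBAL = GlobalSettings(timeout={"tacacs+": 5, "radius": 5})
GROUPS = {
    "TAC_GROUP": [Server("10.0.0.1", "tacacs+"),
                  Server("10.0.0.2", "tacacs+", timeout=2)],
    "RAD_GROUP": [Server("10.0.0.3", "radius")],
}


def run_scenarios():
    """Four constructed request outcomes; returns (result, trace) per scenario."""
    ml = build_method_list("default", ["TAC_GROUP", "RAD_GROUP"])
    fallback = build_method_list("console", ["RAD_GROUP", "none"])
    out = {}
    # 1: first TACACS+ server silent, second replies PASS -> success on method 1.
    t = []; out["pass_on_second_server"] = (authenticate(ml, GROUPS, {"10.0.0.2": PASS}, GLOBAL, t), t)
    # 2: second TACACS+ server replies FAIL -> stop; RAD_GROUP is never contacted.
    t = []; out["fail_stops_list"] = (authenticate(ml, GROUPS, {"10.0.0.2": FAIL, "10.0.0.3": PASS}, GLOBAL, t), t)
    # 3: every TACACS+ server silent -> the request falls through to RADIUS.
    t = []; out["fallthrough_to_radius"] = (authenticate(ml, GROUPS, {"10.0.0.3": PASS}, GLOBAL, t), t)
    # 4: all servers silent and 'none' is last -> unconditional PASS.
    t = []; out["none_last"] = (authenticate(fallback, GROUPS, {}, GLOBAL, t), t)
    return out


if __name__ == "__main__":
    for name, (result, trace) in run_scenarios().items():
        print(f"{name}: {result} via {trace}")
```

Scenario 2 is the one worth noticing operationally: a FAIL from the first reachable server is final, so a second server group can never "rescue" a denied login, while a silent group is transparently skipped. Logging which server actually answered (the trace here) is what lets you tell a genuine denial from an outage-induced fall-through.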



Posted: Fri Oct 7 13:22:48 PDT 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.