
Table Of Contents

Configuring the NAS for TACACS+

Global Configuration

Adding a CiscoSecure ACS

NAS Password Requirements for TACACS+

Authentication on the NAS

Excluding Ports

Authorization on the NAS

Accounting on the NAS

Modifying the NAS TACACS+ Timeout Setting for Token Card Support

Adding NASes for TACACS+

Sample NAS Configuration

protocol = multilink Attribute Value

Other Commands


Configuring the NAS for TACACS+


Configuring the CiscoSecure Access Control Server (ACS) is the first part of a two-part process to develop an operational system. The second part is configuring the network access server (NAS) so that it functions properly with the CiscoSecure ACS.

This chapter describes:

Global Configuration

Authentication on the NAS

Authorization on the NAS

Accounting on the NAS

Modifying the NAS TACACS+ Timeout Setting for Token Card Support

Adding NASes for TACACS+

Sample NAS Configuration

Other Commands

For complete information about a specific Cisco IOS release or more detailed configurations, see the Router Products Configuration Guide or the Configuration Fundamentals Configuration Guide. (See "References and Recommended Reading" for details.)


Note For a sample configuration, refer to the "Sample NAS Configuration" section. For more ready-to-use configurations, see the CiscoSecure ACS 2.3 for UNIX Reference Guide for sample configurations that you can apply directly to your own NAS or modify according to your needs.


Global Configuration

The first steps in configuring the NAS are:

1. Enable TACACS+.

2. Specify the list of CiscoSecure ACSes that will provide AAA services for the NAS.

3. Configure the encryption key that is used to encrypt the data transfer between the NAS and the CiscoSecure ACS.

To begin global configuration, enter the following commands, using the correct IP address of the CiscoSecure ACSes and your own encryption key:

Router(config)# aaa new-model
Router(config)# tacacs-server host 144.1.12.100
Router(config)# tacacs-server host 144.1.200.250
Router(config)# tacacs-server key arachnid

The word "arachnid" is the encryption key shared between the NAS and the CiscoSecure ACS. The encryption key should be kept secret to protect the privacy of passwords sent between the CiscoSecure ACS and the NAS during the authentication process.

For a TACACS+-enabled NAS to use a CiscoSecure ACS, it must be added to the list of available TACACS+-enabled NASes in the AAA NAS page of that ACS's CiscoSecure ACS Administrator web site.

Adding a CiscoSecure ACS

To specify multiple CiscoSecure ACSes for backup purposes, repeat the tacacs-server host command for each additional server.

NAS Password Requirements for TACACS+

With TACACS+, NAS login passwords must contain:

Between 6 and 13 characters

At least 1 alphabetic character

At least 1 number


Note The NAS password requirements stated in this section do not apply to a CiscoSecure system or group administrator. For administrators, one-digit passwords are allowed. DES passwords are checked only to 8 characters.


Authentication on the NAS

The authentication configuration builds a set of authentication lists, each of which can be used for different purposes within the NAS. The syntax of the command is as follows:

aaa authentication login list_name method1 [method2] [method3] [method4]
aaa authentication ppp list_name method1 [method2] [method3] [method4]

Note that the NAS needs an authentication list for PPP in addition to the login list; the login list alone does not cover PPP sessions, so both must be defined before the NAS works properly.

Each of these command lines supports several arguments. A list name and one authentication method are required. Additional authentication methods are optional.

Each of the possible authentication methods is listed in Table 10-1.

Table 10-1 Network Access Server Authentication Methods

Method     Meaning
enable     Use the enable password.
line       Use the line password.
local      Use the NAS internal username database.
none       Use no authentication.
tacacs+    Use TACACS+ authentication.


In the following example, system administrators are authenticated with TACACS+ and fall back to the NAS's local user database only if no CiscoSecure ACS is available; all other users can use only TACACS+:

aaa authentication login default tacacs+
aaa authentication login admin tacacs+ local

When the local method is reached (because no CiscoSecure ACS could be contacted), the system administrator is authenticated against the NAS's local user database instead of TACACS+.

To configure TACACS+ authentication at login on all lines on a 16-port NAS, enter the following commands:

line console 0
login authentication admin
line aux 0
login authentication admin
line vty 0 4
login authentication default
line 1 16
login authentication default

Caution If you do not include the local method for system administrator logins, you will no longer be able to log in to your NAS unless you have a functioning CiscoSecure ACS appropriately configured with usernames and passwords. The addition of the local method ensures that you will still be able to log in to the router if the router cannot contact a CiscoSecure ACS. The NAS will test the local method only if it cannot contact a CiscoSecure ACS.

Excluding Ports

NAS ports can be excluded from using the CiscoSecure ACS by creating a separate authentication method list that does not include TACACS+ as an authentication method. Depending on your needs, you can apply such a list to fixed ports that do not need AAA services, or to all the vty ports.

In the following example, only the first two vty ports and the console are enabled for AAA services in the NAS configuration:

aaa new-model
aaa authentication login admin tacacs+ local
aaa authentication login no_tacacs line
tacacs-server host 144.251.1.1
tacacs-server key arachnid
! The console and VTY lines 0 & 1 use TACACS+
line console 0
login authentication admin
line vty 0 1
login authentication admin
! VTY Lines 2 - 4 do not use TACACS+
line vty 2 4
login authentication no_tacacs

Authorization on the NAS

The NAS can use a CiscoSecure ACS to authorize specific commands by individual users. To authorize specific commands, you must use the following command syntax to specify which commands and actions will require authorization checks:

aaa authorization {network | connection | exec | commands level} methods

The four items that can be checked for authorization are listed in Table 10-2.

Table 10-2 Checkable Authorization Items on the NAS

Keyword          Authorization Check
network          Check authorization for all network activities, including SLIP, PPP, PPP network control protocols, and ARAP.
connection       Check authorization for outbound Telnet and rlogin.
exec             Determine whether the user is allowed to run an EXEC shell when logging in to the NAS. This keyword might cause the CiscoSecure ACS to return user profile information such as autocommand information.
commands level   Check authorization for all commands at the specified privilege level. Valid levels are 1 through 15. Level 1 is the normal user EXEC level; level 15 is the normal privileged level.


The methods you can specify are listed in Table 10-3.

Table 10-3 Authorization Methods on the NAS

Method             Meaning
tacacs+            Requests authorization information from the CiscoSecure ACS.
if-authenticated   Allows the user to access the requested function if the user is authenticated. Because a user is either authenticated or not, this should be the last method in the list.
none               No authorization is performed.
local              Uses the local database for authorization.


Using the command syntax specified above, you can configure the NAS to restrict the set of commands that an individual user can execute. To require that all commands entered by users at privilege level 1 be checked for ACS authorization, enter the following command:

aaa authorization commands 1 tacacs+

Caution When you enter this command in your NAS, you will be permitted to execute only NAS commands that are allowed by your CiscoSecure ACS. Therefore, make sure you have configured an authenticated user who is authorized to run commands on the CiscoSecure ACS.

To require that the system administrator be authorized at level 15, enter the following command:

aaa authorization commands 15 tacacs+ if-authenticated

This command uses TACACS+ authorization at level 15; if problems arise, you can switch off the CiscoSecure ACS, and authorization will then be granted to anyone who is authenticated.


Note The NAS will test the if-authenticated method only if it cannot contact a CiscoSecure ACS.
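The Caution in "Authentication on the NAS" and the Note above describe the same rule: the NAS moves to the next method in a list only when the current method returns an error (no CiscoSecure ACS could be contacted), never when the ACS gives a definite reject. The following model of that walk is an added example, not Cisco code; the method names and the PASS/FAIL/ERROR outcomes are assumptions used to illustrate the rule for both a login list and an authorization list.

```python
"""Model of how a NAS walks an AAA method list (added illustration).

The NAS consults the methods in order and moves on to the next one only
when the current method returns ERROR (no CiscoSecure ACS could be
contacted).  A PASS or FAIL answer ends the walk.  Hence "tacacs+ local"
reaches the local database only when the ACS is unreachable, not when the
ACS rejects the user, and "if-authenticated" is consulted only after every
earlier method has errored.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"      # method could not answer (server unreachable)


def walk_method_list(methods, answers):
    """Walk `methods` in order using `answers` (method name -> Result).

    Returns (final Result, list of methods actually consulted).  If every
    method returns ERROR the NAS denies the request.
    """
    consulted = []
    for method in methods:
        consulted.append(method)
        result = answers.get(method, Result.ERROR)
        if result is not Result.ERROR:
            return result, consulted
    return Result.FAIL, consulted


def login_answers(acs_reachable, acs_accepts, local_accepts):
    """Answers each login method would give in one modelled scenario."""
    if not acs_reachable:
        tacacs = Result.ERROR
    else:
        tacacs = Result.PASS if acs_accepts else Result.FAIL
    return {
        "tacacs+": tacacs,
        "local": Result.PASS if local_accepts else Result.FAIL,
        "none": Result.PASS,
    }


def authorization_answers(acs_reachable, acs_permits, user_authenticated):
    """Answers each authorization method would give in one modelled scenario."""
    if not acs_reachable:
        tacacs = Result.ERROR
    else:
        tacacs = Result.PASS if acs_permits else Result.FAIL
    return {
        "tacacs+": tacacs,
        "if-authenticated": Result.PASS if user_authenticated else Result.FAIL,
        "none": Result.PASS,
    }


if __name__ == "__main__":
    # aaa authentication login admin tacacs+ local
    admin = ["tacacs+", "local"]
    # ACS reachable and rejects the password: local is never consulted
    print(walk_method_list(admin, login_answers(True, False, True)))
    # ACS unreachable: local answers, so the administrator can still log in
    print(walk_method_list(admin, login_answers(False, False, True)))
    # aaa authentication login default tacacs+ with the ACS down: lockout
    print(walk_method_list(["tacacs+"], login_answers(False, True, True)))
    # aaa authorization commands 15 tacacs+ if-authenticated, ACS down
    print(walk_method_list(["tacacs+", "if-authenticated"],
                           authorization_answers(False, False, True)))
```

The third scenario is the lockout the Caution warns about: a list consisting of tacacs+ alone has no method left to answer once the ACS is unreachable, so the request is denied. The fourth shows why if-authenticated belongs last: it always answers, so any method placed after it would never be consulted.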


Accounting on the NAS

The NAS must be specifically configured to send accounting records to the CiscoSecure ACS. Several types of accounting records are available. Use the following command syntax to configure accounting on the NAS:

aaa accounting {system | network | connection | exec | commands level} {start-stop | wait-start | stop-only} tacacs+

The first set of keywords allows you to specify accounting of the events listed in Table 10-4.

Table 10-4 Accounting Events on the NAS

Event Type       Meaning
system           Enables accounting for all system-level events not associated with users, such as reloads.
network          Enables accounting for all network-related requests, including SLIP, PPP, PPP network control protocols, and ARAP.
connection       Enables accounting for outbound Telnet and rlogin.
exec             Enables accounting for EXEC processes (user shells).
commands level   Enables accounting for all commands at the specified privilege level.


You can specify when accounting records are to be sent by using the second set of keywords, which are listed in Table 10-5.

Table 10-5 Accounting Record Keywords on the NAS

Keyword      Meaning
stop-only    The NAS sends a stop accounting record at the end of the specified activity or event (command, EXEC shell, and so on).
start-stop   The NAS sends a start accounting record at the beginning of a process and a stop record at the end of the process. The start record is sent in the background; the requested user process begins regardless of whether the accounting server acknowledged the start record.
wait-start   The NAS sends both a start and a stop accounting record, but the requested user service does not begin until the accounting server acknowledges the start record.


Use the following commands to record accounting information on NAS system events, network connections, outbound connections, EXEC operations, and commands at level 1 and level 15:

aaa accounting system start-stop tacacs+
aaa accounting network start-stop tacacs+
aaa accounting connection start-stop tacacs+
aaa accounting exec stop-only tacacs+
aaa accounting commands 1 stop-only tacacs+
aaa accounting commands 15 wait-start tacacs+

Note Stop records contain elapsed time for connections and EXEC sessions.



Note The aaa accounting commands 0 start-stop command is not implemented in Cisco IOS Release 11.0. Check the release notes for your Cisco IOS release to determine whether it has been implemented.
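The three record keywords in Table 10-5 differ mainly in what happens when the accounting server cannot be reached. The following model is an added example, not Cisco code; the AccountingServer class and the record tuples are constructed stand-ins for the CiscoSecure ACS accounting service and the TACACS+ accounting packets.

```python
"""Model of the stop-only, start-stop and wait-start record modes of the
aaa accounting command, including the case where the accounting server
(the CiscoSecure ACS) cannot be reached.  Added illustration, not Cisco code.
"""


class AccountingServer:
    """Stand-in for the ACS accounting service (constructed for this example)."""

    def __init__(self, reachable=True):
        self.reachable = reachable
        self.records = []          # records the server actually received

    def send(self, record):
        """Deliver one record; return True if the server acknowledged it."""
        if not self.reachable:
            return False
        self.records.append(record)
        return True


def run_accounted_activity(mode, server, activity="exec", elapsed_seconds=42):
    """Run one accounted activity (an EXEC shell, a command, ...) under `mode`.

    Returns a dict with:
      started -- whether the user's requested service actually began
      sent    -- list of (record type, acknowledged) in the order attempted
    """
    sent = []
    if mode == "stop-only":
        started = True                       # nothing is sent up front
    elif mode == "start-stop":
        acked = server.send(("start", activity))
        sent.append(("start", acked))
        started = True                       # start record is best-effort
    elif mode == "wait-start":
        acked = server.send(("start", activity))
        sent.append(("start", acked))
        started = acked                      # service waits for the ack
    else:
        raise ValueError(f"unknown accounting mode {mode!r}")

    if started:
        # Stop records carry the elapsed time of the activity
        acked = server.send(("stop", activity, elapsed_seconds))
        sent.append(("stop", acked))
    return {"started": started, "sent": sent}


if __name__ == "__main__":
    down = AccountingServer(reachable=False)
    for mode in ("stop-only", "start-stop", "wait-start"):
        print(mode, run_accounted_activity(mode, down, activity="commands 15"))
```

With the server down, stop-only and start-stop let the activity proceed and simply lose the records, whereas wait-start refuses to start it. That is the trade-off behind the example configuration above, which uses wait-start for level 15 commands: no privileged command runs unless the ACS has recorded that it began, at the cost of those commands being unavailable while the ACS is unreachable.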


Modifying the NAS TACACS+ Timeout Setting for Token Card Support

CiscoSecure ACS support for token card-generated one-time password (OTP) logins requires that the NAS be configured with a TACACS+ timeout of at least 10 seconds:

tacacs-server timeout 10

The default setting of one second will cause OTP logins to fail a large percentage of the time.

Adding NASes for TACACS+

To add NASes to the network, use the CiscoSecure ACS AAA NAS web page. The appropriate AAA commands will be automatically issued to the client NASes. (See "Managing Profiles for TACACS+-Enabled NASes" in "ACS and NAS Management.")

Sample NAS Configuration

You can use the following sample configuration to quickly set up or modify the NAS to meet special needs:

version 11.2
service udp-small-servers
service tcp-small-servers
!
hostname akron
!
aaa new-model
aaa authentication login default tacacs+ local
aaa authentication ppp default tacacs+
enable password cisco
!
chat-script cisco-default ABORT ERROR "" "AT Z" OK "ATDT \T" TIMEOUT 30 \c CONNECT \c
!
interface Ethernet0
ip address 200.200.200.102 255.255.255.0
no mop enabled
!
interface Async1
ip unnumbered Ethernet0
encapsulation ppp
async dynamic address
async dynamic routing
async mode interactive
peer default ip address pool tokencard
ppp authentication chap pap
no cdp enable
!
router rip
network 200.200.200.0
network 100.0.0.0
!
ip local pool tokencard 200.200.200.125 200.200.200.129
no ip classless
!
tacacs-server host 200.200.200.100
tacacs-server key fortknox123
!
line con 0
autoselect ppp
line 1
exec-timeout 0 30
autoselect during-login
autoselect ppp
script dialer usr*
modem InOut
modem autoconfigure type usr_sportster
transport input all
telnet transparent
stopbits 1
rxspeed 115200
txspeed 115200
flowcontrol hardware
line 2 16
autoselect arap
arap enable
script dialer cisco-default
modem InOut
rxspeed 28800
txspeed 28800
flowcontrol hardware
line aux 0
line vty 0 4
!
end
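The checks this chapter makes (aaa new-model, a server list and key, a login list with an offline fallback on the console, a PPP list, and a 10-second timeout for token cards) can be run mechanically against a configuration before it is applied. The following linter is an added example and not Cisco software; it embeds a reduced copy of the sample configuration above plus a constructed variant that lacks the fallback, and it assumes that the sub-commands of a line block run until the next line, ! or end statement, that a console line without its own login authentication statement uses the default login list, and that the TACACS+ timeout takes the default this chapter gives (one second) when it is not configured.

```python
"""Checks an IOS NAS configuration against the TACACS+ points made in this
chapter.  Added example, not Cisco software; it parses plain running-config
text and reports findings as strings prefixed with a short code.
"""
import re

CONSOLE_LINES = ("con 0", "console 0")
# Methods that can still answer when no CiscoSecure ACS can be contacted
OFFLINE_METHODS = ("local", "line", "enable", "none")

# The chapter's sample NAS configuration, reduced to the lines that matter here
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+ local
aaa authentication ppp default tacacs+
tacacs-server host 200.200.200.100
tacacs-server key fortknox123
line con 0
autoselect ppp
line vty 0 4
end
"""

# Constructed variant: TACACS+-only console list, no shared key, no timeout
LOCKOUT_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+
aaa authentication ppp default tacacs+
tacacs-server host 144.1.12.100
line console 0
login authentication default
"""


def config_lines(text):
    """Strip blanks and '!' comment lines from a running-config."""
    return [s.strip() for s in text.splitlines()
            if s.strip() and not s.strip().startswith("!")]


def console_login_list(lines):
    """Name of the login list applied to the console ('default' if none)."""
    name, in_console = "default", False
    for s in lines:
        if s.startswith("line "):
            in_console = s[5:].strip() in CONSOLE_LINES
        elif s == "end":
            in_console = False
        elif in_console and s.startswith("login authentication "):
            name = s.split()[-1]
    return name


def lint_tacacs_config(text, otp_min_timeout=10):
    """Return a list of findings; an empty list means every check passed."""
    lines = config_lines(text)
    findings = []
    if "aaa new-model" not in lines:
        findings.append("AAA-NEW-MODEL: 'aaa new-model' is missing, so no "
                        "AAA method list takes effect")
    if not any(s.startswith("tacacs-server host ") for s in lines):
        findings.append("TACACS-HOST: no 'tacacs-server host' configured")
    if not any(s.startswith("tacacs-server key ") for s in lines):
        findings.append("TACACS-KEY: no 'tacacs-server key'; the NAS and ACS "
                        "share no secret to protect the exchange")
    login_lists, ppp_lists = {}, {}
    for s in lines:
        m = re.match(r"aaa authentication (login|ppp) (\S+) (.+)$", s)
        if m:
            target = login_lists if m.group(1) == "login" else ppp_lists
            target[m.group(2)] = m.group(3).split()
    if not ppp_lists:
        findings.append("PPP-LIST: no 'aaa authentication ppp' list, so PPP "
                        "sessions cannot be authenticated")
    name = console_login_list(lines)
    methods = login_lists.get(name)
    if methods is None:
        findings.append(f"CONSOLE-LIST: console uses login list '{name}', "
                        "which is not defined")
    elif "tacacs+" in methods and not any(x in OFFLINE_METHODS for x in methods):
        findings.append(f"CONSOLE-LOCKOUT: console login list '{name}' "
                        f"({' '.join(methods)}) has no method that can answer "
                        "when no CiscoSecure ACS can be contacted")
    timeout = None
    for s in lines:
        m = re.match(r"tacacs-server timeout (\d+)$", s)
        if m:
            timeout = int(m.group(1))
    if timeout is None or timeout < otp_min_timeout:
        shown = "unset (default)" if timeout is None else f"{timeout} s"
        findings.append(f"TACACS-TIMEOUT: tacacs-server timeout is {shown}; "
                        f"token-card OTP logins need at least {otp_min_timeout} s")
    return findings


def finding_codes(text):
    """Just the codes, convenient for comparing two configurations."""
    return [f.split(":")[0] for f in lint_tacacs_config(text)]


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("lockout", LOCKOUT_CONFIG)):
        print(label, *lint_tacacs_config(cfg), sep="\n  ")
```

Only the console list is checked for an offline fallback, because the chapter deliberately leaves ordinary vty and async users on TACACS+ alone; the sample configuration passes every check except the timeout, which it does not set.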


protocol = multilink Attribute Value

If your Terminal Access Controller Access Control System Plus (TACACS+) NASes are running Cisco IOS Release 11.3 or later, and you want to support CiscoSecure authorization of users who are dialing in over multiple Integrated Services Digital Network (ISDN) channels, use the Java-based CiscoSecure Administrator advanced configuration program to add the protocol = multilink attribute value to the profiles of the affected groups or users.

Other Commands

You can use other commands to tailor the operation of the NAS with the TACACS+ protocol. See the Router Products Command Reference or the Configuration Fundamentals Command Reference for a detailed list of commands. (See "References and Recommended Reading" for more information.)



Posted: Wed Feb 16 10:10:11 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.