Configuring AAAConfiguring AAA

Kamyar Miremadi Kamyar Miremadi Laila Sherif Laila Sherif

Summer 2005Summer 2005

AAAAAA

AuthenticationAuthenticationAuthorization Authorization AccountingAccounting

AAA ComponentsAAA Components AAA serverAAA server

Authenticates users accessing a device or networkAuthenticates users accessing a device or network Authorizes user to perform specific activitiesAuthorizes user to perform specific activities Performs accounting of device or user activitiesPerforms accounting of device or user activities We used clearbox tacacs+ server running on windows XP. We used clearbox tacacs+ server running on windows XP.

Network Access Server (NAS) or Access DeviceNetwork Access Server (NAS) or Access Device A router, switch, or other network device that can perform AAA functions A router, switch, or other network device that can perform AAA functions

on users or devices connecting to it.on users or devices connecting to it. We used both router Cisco 2500 and switch 2900 Catalyst as Network We used both router Cisco 2500 and switch 2900 Catalyst as Network

Access Server.Access Server. RADIUS( Remote Authentication Dial-In User Service) RADIUS( Remote Authentication Dial-In User Service) TACACS+ (TACACS+ ( Terminal Access Controller Access Control Terminal Access Controller Access Control

System Plus)System Plus) Protocols that can be used by an access device to communicate with Protocols that can be used by an access device to communicate with

the AAAthe AAA We used TACACS+We used TACACS+

TACACS+TACACS+

TACACS+ is a security application that TACACS+ is a security application that provides centralized validation of users provides centralized validation of users attempting to gain access to a router or attempting to gain access to a router or network access server.network access server.

How it worksHow it works

Configuration stepsConfiguration steps

Configuring Clearbox Tacacs+ serverConfiguring Clearbox Tacacs+ server

Authentication Setting in ClearBoxAuthentication Setting in ClearBox

Authorization Setting in ClearBoxAuthorization Setting in ClearBox

Accounting Setting in ClearBoxAccounting Setting in ClearBox

Configuring the Router/SwitchConfiguring the Router/Switch

Configuring the Tacacs-server hostConfiguring the Tacacs-server host tacacs-server hosttacacs-server host 130.182.159.102 130.182.159.102 tacacs-server keytacacs-server key keykey tacacs-server retransmit tacacs-server retransmit retriesretries tacacs-server timeout tacacs-server timeout secondsseconds tacacs-server attemptstacacs-server attempts count countexitexitShow tacacsShow tacacs

Configuring the router/switchConfiguring the router/switch

AuthenticationAuthenticationaaa new-modelaaa new-modelaaa authentication loginaaa authentication login default tacacs+ default tacacs+

enableenable line con 0line con 0 login authentication default login authentication default exitexit

Configuring the switch/routerConfiguring the switch/router

AuthorizationAuthorization

aaa authorization commands 0 tacacs+aaa authorization commands 0 tacacs+exitexit

Configuring the switch/routerConfiguring the switch/router

AccountingAccountingaaa accounting exec start-stop tacacsaaa accounting exec start-stop tacacs++aaa accounting network start-stop tacacsaaa accounting network start-stop tacacs++exitexit

Running configuration of switchRunning configuration of switch

Running configuration of switch Running configuration of switch (Cont.)(Cont.)

Authentication Authentication

AuthenticationAuthentication

Accounting Accounting

AuthorizationAuthorization

Ethereal Ethereal