AAA_Top1

LET ME START BY SAYING THIS TOPIC IN ITS ENTIRETY IS IMPORTANT FOR EXAM DAY, SO COVER THESE CONCEPTS / CONFIGS UNTIL YOU MEMORIZE THEM!

That goes for the entire series of Blog Posts regarding AAA Authentication!

That being said, ahem.

The illustration above shows the “logical” Topology as I do not have two spare servers waiting around to be configured, and as you will find in your SWITCH exam, a majority of AAA commands will be configured on the switch!

Fundamentals of AAA Protocols, Terminology, and the generally not fun stuff

AAA stands for Authentication, Authorization, and Accounting.

I was using whats called “Self-Contained” Authentication when I setup a username / password Database on SW1 for SSH sessions, however more commonly used deployments are either TACACS+ and RADIUS.

TACACS+ is TCP Based over port 49, and is Cisco Proprietary

RADIUS is UDP Based over ports 1812 and 1813, and is Open Standard

A real life / job interview note here, TACACS+ is used in heavy duty Cisco shops (like their entire Infrastructure is Cisco), so unless you work for Cisco they probably use RADIUS.

RADIUS is run as a Windows Server role Network Policy Server (NPS), which Windows Servers are in 99% of networks because they do LDAP / DHCP / DNS, so be more prepared in real life to work with or be asked about RADIUS servers on their LAN.

Unless you work at Cisco, or are taking a Cisco exam, you will probably never see TACACS+ configured on a network in your life.

Keep that in mind when brushing up for job interviews as telling a hiring manager how familiar you are with TACACS+ probably isn’t going to score you any hire points unless your applying at Cisco!

For the exam TACACS+ all the way, and in a good secure network sure, but RADIUS is what I see run 99%+ of the time on networks because they work off Windows Servers.

TACACS+ vs RADIUS – The slight differences you will want to know for exam day

  • TACACS+ encrypts entire packets between servers (overhead?), while RADIUS only encrypts the Password of the initial Client-Server Packet sent
  • TACACS+ runs a separate instance of Authentication, allowing for other separate processes to run for Authorization / Accounting, whereas RADIUS combines Authentication / Authorization processes – The only down side is you can’t run one A without running the other A in the AAA model
  • TACACS+ can control “Authorization” level of users, while RADIUS cannot, because remember that RADIUS combines Authentication and Authorization

A real world note, Windows Server LDAP Group Policies take care of Authorization, so this material is NOT representative of the real world – Only Cisco land for exam day!

Configuring a Radius-Server and TACACS+ Server Host on SW1 (and review options)

You can configure a Router / MLS to point to various RADIUS and TACACS+ Hosts, so I will go through the “old” way of configuring them (being depreciated), and the new way.

Starting with “radius-server …” as our beginning command, lets look at options:

SW1(config)# radius-server ?
accounting Accounting information configuration
attribute Customize selected radius attributes
authorization Authorization processing information
backoff Retry backoff pattern(Default is retransmits with
constant delay)
cache AAA auth cache default server group
challenge-noecho Data echoing to screen is disabled during
Access-Challenge
configure-nas Attempt to upload static routes and IP pools at startup
dead-criteria Set the criteria used to decide when a radius server is
marked dead
deadtime Time to stop using a server that doesn’t respond
directed-request Allow user to specify radius server to use with `@server’
domain-stripping Strip the domain from the username
host Specify a RADIUS server
key encryption key shared with the radius servers
load-balance Radius load-balancing options.
optional-passwords The first RADIUS request can be made without requesting a
password
retransmit Specify the number of retries to active server
retry Specify how the next packet is sent after timeout.
source-ports source ports used for sending out RADIUS requests
throttle Throttle requests to radius server
timeout Time to wait for a RADIUS server to reply
transaction Specify per-transaction parameters
unique-ident Higher order bits of Acct-Session-Id
vsa Vendor specific attribute configuration

Notice there is a “key” you can set for all RADIUS servers to use, but it more secure to assign them per host, while I continue to configure a RADIUS Host:

SW1(config)# radius-server host ?
Hostname or A.B.C.D IP address of RADIUS server

SW1(config)# radius-server host 10.0.0.100 ?
acct-port UDP port for RADIUS accounting server (default is 1646)
alias 1-8 aliases for this server (max. 8)
auth-port UDP port for RADIUS authentication server (default is 1645)
backoff Retry backoff pattern (Default is retransmits with constant
delay)
key per-server encryption key (overrides default)
key-wrap per-server keywrap configuration
non-standard Parse attributes that violate the RADIUS standard
pac Generate per-server Protected Access Credential key
retransmit Specify the number of retries to active server (overrides
default)
test Configure server automated testing.
timeout Time to wait for this RADIUS server to reply (overrides
default)
<cr>

SW1(config)# radius-server host 10.0.0.100 key ?
0 Specifies an UNENCRYPTED key will follow
7 Specifies HIDDEN key will follow
WORD The UNENCRYPTED (cleartext) server key

SW1(config)# radius-server host 10.0.0.100 key CCNP1 ?
<cr>

SW1(config)# radius-server host 10.0.0.100 key CCNP1
Warning: The CLI will be deprecated soon
‘radius-server host 10.0.0.100’
Please move to ‘radius server <name>’ CLI.

SW1(config)#

The first time I saw that, I kind of blinked a few times, and asked myself what is going TO BE ON THE FREEGIN EXAM THEN?

I am using this as me official answer: Cisco saying it is “radius-server …” in their documentation!

I’ll run through the giant output of TACACS+ as well to review all options for it:

SW1(config)#tacacs-server ?
administration Start tacacs+ deamon handling administrative messages
attribute Customize selected tacacs attributes
cache AAA auth cache default server group
directed-request Allow user to specify tacacs server to use with `@server’
dns-alias-lookup Enable IP Domain Name System Alias lookup for TACACS
servers
domain-stripping Strip the domain from the username
host Specify a TACACS server
key Set TACACS+ encryption key.
packet Modify TACACS+ packet options
timeout Time to wait for a TACACS server to reply

Also has a global key configurable for all TACACS+ Servers but we’ll go by Host:

SW1(config)#tacacs-server host ?
Hostname or A.B.C.D IP address of TACACS server

SW1(config)#tacacs-server host 10.0.0.200 ?
key per-server encryption key (overrides default)
nat To send client’s post NAT address to tacacs+ server
port TCP port for TACACS+ server (default is 49)
single-connection Multiplex all packets over a single tcp connection to
server (for CiscoSecure)
timeout Time to wait for this TACACS server to reply (overrides
default)
<cr>

SW1(config)#tacacs-server host 10.0.0.200 key ?
0 Specifies an UNENCRYPTED key will follow
7 Specifies HIDDEN key will follow
LINE The UNENCRYPTED (cleartext) shared key

SW1(config)#tacacs-server host 10.0.0.200 key CCNP2 ?
LINE <cr>

SW1(config)#tacacs-server host 10.0.0.200 key CCNP2
Warning: The cli will be deprecated soon
‘tacacs-server host 10.0.0.200 key CCNP2 ‘
Please move to ‘tacacs server <name>’ CLI
SW1(config)#

Same deal with the Hyphen, its an upcoming thing, but for exam day “tacacs-server …”
is just fine to use.

The output was quite noticeably less for TACACS+ which is nice, but kind of a sign of how Cisco centralized it is, or how much more Robust RADIUS is with all the Protocols on a LAN segment. Either way just a real world note, on exam day, TACACS+ all the way!

I did an “aaa new-model” to walk through how to use the non-depreciated config!

For Radius:

SW1(config)#aaa new-model
SW1(config)#radius server ?
WORD Name for the radius server configuration

SW1(config)#radius server RADIUS ?
<cr>

SW1(config)#radius server RADIUS

This puts your into the config mode for the Radius Server named “RADIUS”:

SW1(config-radius-server)#?
RADIUS server sub-mode commands:
address Specify the radius server address
automate-tester Configure server automated testing.
backoff Retry backoff pattern(Default is retransmits with constant
delay)
exit Exit from RADIUS server configuration mode
key Per-server encryption key
no Negate a command or set its defaults
non-standard Attributes to be parsed that violate RADIUS standard
pac Protected Access Credential key
retransmit Number of retries to active server (overrides default)
timeout Time to wait (in seconds) for this radius server to reply
(overrides default)

SW1(config-radius-server)#address ?
ipv4 IPv4 Address
ipv6 IPv6 Address

SW1(config-radius-server)#address ipv4 ?
Hostname or A.B.C.D IPv4 Address of radius server

SW1(config-radius-server)#address ipv4 10.0.0.100 ?
acct-port UDP port for RADIUS accounting server (default is 1646)
alias 1-8 aliases for this server (max. 8)
auth-port UDP port for RADIUS authentication server (default is 1645)
<cr>

SW1(config-radius-server)#address ipv4 10.0.0.100
SW1(config-radius-server)#key ?
0 Specifies an UNENCRYPTED key will follow
7 Specifies HIDDEN key will follow
LINE The UNCRYPTED (cleartext) shared key

SW1(config-radius-server)#key CCNP1 ?
LINE <cr>

SW1(config-radius-server)#key CCNP1

Keep those defaults in mind!

I actually really like the newer way of configuration, no global / shared keys for all RADIUS Servers, it forced them to be named so we (hopefully) intuitively name them!

I actually like that new config style a lot, so I checked it out for TACACS+ :

SW1(config)#tacacs server ?
WORD Name for the tacacs server configuration

SW1(config)#tacacs server TACACS

BOOM! Once again dropped into config mode for that Named Server:

SW1(config-server-tacacs)#?
TACACS server sub-mode commands:
address Specify ip address for tacacs server
exit Exit from TACACS server configuration mode
key per-server encryption key (overrides default)
no Negate a command or set its defaults
port TCP port for TACACS+ server (default is 49)
send-nat-address To send client’s post NAT address to tacacs+ server
single-connection Multiplex all packets over a single tcp connection to
server (for CiscoSecure)
timeout Time to wait for this TACACS server to reply (overrides
default)

SW1(config-server-tacacs)#address ?
ipv4 Configure ipv4 address for tacacs server
ipv6 Configure ipv6 address for tacacs server

SW1(config-server-tacacs)#address ipv4 ?
Hostname or A.B.C.D IP address of tacacs server

SW1(config-server-tacacs)#address ipv4 10.0.0.200 ?
<cr>

SW1(config-server-tacacs)#address ipv4 10.0.0.200
SW1(config-server-tacacs)#key ?
0 Specifies an UNENCRYPTED key will follow
7 Specifies HIDDEN key will follow
LINE The UNENCRYPTED (cleartext) shared key

SW1(config-server-tacacs)#key CCNP2 ?
LINE <cr>

SW1(config-server-tacacs)#key CCNP2

NEVER MIND, I NOW LOVE THESE NEW COMMANDS WITHOUT THE HYPHENS, LOOK AT HOW UNIFORM THEY ARE WITH EACH OTHER!

Oddly enough both for real life and exam day, RADIUS and TACACS+ configuration do not show up under aaa new-model in show run as I thought it would, in fact nothing does:

SW1#sh run | b aaa new-model
aaa new-model
!
!
!
!

Nothing does! To see either the “radius-server” or “radius server” configuration, I had to look at the bottom of the show run, and to demonstrate how far down take a look!

Bottom of “show run” with hyphen in command:

!
!
!
tacacs-server host 10.0.0.200 key CCNP2
radius-server host 10.0.0.100 key CCNP1
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 1 4
exec-timeout 0 0
password CCNP
!
ntp master
end

SW1#

ALL THE WAY AT THE BOTTOM BY THE LINE CONFIGURATIONS !!!!

Also just to demonstrate without the hyphens:

!
!
!
tacacs server TACACS
address ipv4 10.0.0.200
key CCNP2
!
radius server RADIUS
address ipv4 10.0.0.100 auth-port 1645 acct-port 1646
key CCNP1
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 1 4
exec-timeout 0 0
password CCNP
line vty 5 15
exec-timeout 0 0
password CCNP
!
ntp master
end

SW1#

THE TAKE AWAY FROM THIS, WHEN LOOKING FOR TACACS+ / RADIUS SERVER INFORMATION ON EXAM DAY, IT IS FURTHER DOWN THE SHOW RUN AND DO NOT PANIC WHEN YOU SEE NOTHING UNDERNEATH “AAA NEW-MODEL”!!!!!!!!!!!

Cannot stress that odd positioning enough, that seems like some sort of trickery Cisco would use to send a candidate into panic mode, BUT YOU WON’T BE ANYMORE! 😀

I will end the topic here for now, and pick up on Authentication in the next post!

Being that its Sunday night and all, figure I should probably relax for at least a few hours before the week is over, can’t GRIND all the time (or can you?) 🙂