This will be a brief look at Authorization and Accounting, with minimal labbing.
I won't have a huge post for this one (most of it is CLI output to review), but I did want to show some CLI output and explain the concepts, as a taste of Authorization and Accounting.
AAA Authorization fundamentals and CLI output from the lab
Where Authentication is about getting access to the device, Authorization is what you can do once you make it past Authentication: it limits the commands that user can run.
You must configure "aaa new-model" before any "aaa authorization …" command is accepted.
Let's take a look at some AAA Authorization commands:
SW1(config)#aaa new-model
SW1(config)#aaa authorization ?
auth-proxy For Authentication Proxy Services
cache For AAA cache configuration
commands For exec (shell) commands.
config-commands For configuration mode commands.
configuration For downloading configurations from AAA server
console For enabling console authorization
credential-download For downloading EAP credential from Local/RADIUS/LDAP
exec For starting an exec (shell).
multicast For downloading Multicast configurations from an AAA server
network For network services. (PPP, SLIP, ARAP)
onep For ONEP authorization service
policy-if For diameter policy interface application.
prepaid For diameter prepaid services.
radius-proxy For proxying radius packets
reverse-access For reverse access connections
subscriber-service For iEdge subscriber services (VPDN etc)
template Enable template authorization
Two options are worth pointing out here: config-commands will Authorize the user to configure things (Global Config access), whereas exec keeps the user in User Exec mode, where they can mainly just run show commands / read only.
I also want to highlight the network option, as that deals with PPP, a Layer 2 protocol which will rear its ugly head on exam day, so it's good to know it's there!
I'll keep going with the "exec" option here:
SW1(config)#aaa authorization exec ?
WORD Named authorization list (max 31 characters, longer will be rejected).
default The default authorization list.
SW1(config)#aaa authorization exec default ?
cache Use Cached-group
group Use server-group.
if-authenticated Succeed if user has authenticated.
krb5-instance Use Kerberos instance privilege maps.
local Use local database.
none No authorization (always succeeds).
SW1(config)#aaa authorization exec default if-authenticated ?
<cr>
This one is special: it means that if the user has already been Authenticated by AAA, they are considered Authorized as well, and no other methods can be configured after it for this type of Authorization – Good note for Exam Day!!!
SW1(config)#aaa authorization exec default group ?
WORD Server-group name
ldap Use list of all LDAP hosts.
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.
SW1(config)#aaa authorization exec default group tacacs+ local
SW1(config)#
Just throw TACACS+ and local on there; now let's apply this to our VTY lines:
SW1(config)#line vty 0 15
SW1(config-line)#authorization ?
arap For Appletalk Remote Access Protocol
commands For exec (shell) commands
exec For starting an exec (shell)
reverse-access For reverse telnet connections
SW1(config-line)#authorization commands ?
<0-15> Enable level
I wanted to show this because we've already configured the AAA Authorization method list for Exec level privileges, so we don't need to touch this field!
SW1(config-line)#authorization exec ?
WORD Use an authorization list with this name
default Use the default authorization list
SW1(config-line)#authorization exec default ?
<cr>
SW1(config-line)#authorization exec default
SW1(config-line)#
That is it: users can be Authorized via either the TACACS+ server or the local database for Exec level privileges on my device, and THAT IS IT!
AAA Accounting Fundamentals and some CLI output for demonstration
Accounting has the sole purpose of tracking what users do on the network. For security purposes that could be tracking malicious activity, or tracking network utilization to see if someone is abusing the precious bandwidth!
AAA must be enabled (aaa new-model) to configure Accounting, of course!
A look at the CLI for AAA Accounting:
SW1(config)#aaa accounting ?
auth-proxy For authentication proxy events.
commands For exec (shell) commands.
connection For outbound connections. (telnet, rlogin)
delay-start Delay PPP Network start record until peer IP address is known.
dot1x For dot1x sessions.
exec For starting an exec (shell).
gigawords 64 bit interface counters to support Radius attributes 52 & 53.
identity For identity sessions.
include Include attributes in accounting records unconditionally
jitter Set jitter parameters for periodic interval
multicast For multicast accounting.
nested When starting PPP from EXEC, generate NETWORK records before EXEC-STOP record.
network For network services. (PPP, SLIP, ARAP)
redundancy AAA platform redundancy accounting behavior
send Send records to accounting server.
session-duration Set the preference for calculating session durations
suppress Do not generate accounting records for a specific type of user.
system For system events.
update Enable accounting update records.
vrrs For VRRS accounting.
Tons of options here, but I'll go with "commands" for Exec users:
SW1(config)#aaa accounting commands ?
<0-15> Enable level
visible-keys Send complete command to aaa server without masking off sensitive parameters
SW1(config)#aaa accounting commands 1 ?
WORD Named Accounting list (max 31 characters, longer will be rejected).
default The default accounting list.
SW1(config)#aaa accounting commands 1 default ?
none No accounting.
start-stop Record start and stop without waiting
stop-only Record stop when service terminates.
<cr>
SW1(config)#aaa accounting commands 1 default start-stop ?
broadcast Use Broadcast for Accounting
group Use Server-group
SW1(config)#aaa accounting commands 1 default start-stop group ?
WORD Server-group name
tacacs+ Use list of all Tacacs+ hosts.
SW1(config)#aaa accounting commands 1 default start-stop group tacacs+ ?
group Use Server-group
<cr>
SW1(config)#aaa accounting commands 1 default start-stop group tacacs+
SW1(config)#
Going through some of the wtf's of this command output: the enable level is similar to the "privilege" level you assign to users in the local database; either 1 or 15 are common.
The start-stop keyword will Account for everything done from the time a user Successfully Authenticates / Authorizes (start) or fails those (stop).
So ultimately this command is saying that anyone on the TACACS+ Server is being Accounted by AAA somewhere (I'm not sure where the Accounting info goes at the moment).
The six different formats that you can Account in with AAA Accounting:
- Commands – Tracks exec level commands issued by user
- Exec – Info about Exec terminal sessions to device
- Connection – Info regarding all outbound connections made from a network Server
- Network – Info regarding PPP, ARAP, SLIP sessions and much more!
- Resource – Info regarding start and stop records, basically when a user passes Authentication / Authorization (starts) and when they fail (stops)
- System – System level events
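As an added example (not from the original post), here is a small Python audit of an IOS running-config fragment assembled from the commands walked through above: it checks that aaa new-model is present, that the exec authorization list does not fall back to none or if-authenticated, that privilege-15 commands are actually accounted, and that the VTY lines reference the authorization list. The config text and finding messages are constructed here, not device output.

```python
import re
# Constructed sample running-config (not from a real device), built from the
# commands walked through above, plus one weak line: level-15 command
# accounting set to "none", so configuration changes would go unrecorded.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default none
line vty 0 15
 authorization exec default
"""

def parse_vty_lines(config):
    """Return {stanza header: [indented commands]} for each 'line vty' block."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas

def audit_aaa(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lines = [l.rstrip() for l in config.splitlines()]
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: aaa authorization/accounting cannot apply")
    exec_auth = [l for l in lines if l.startswith("aaa authorization exec default")]
    if not exec_auth:
        findings.append("no 'aaa authorization exec default' method list")
    elif re.search(r"\b(none|if-authenticated)\b", exec_auth[0]):
        # 'none' always succeeds; 'if-authenticated' skips the server/local lookup
        findings.append("exec authorization does not consult a server or local database")
    acct = {}  # privilege level -> accounting method (none / start-stop / stop-only)
    for l in lines:
        m = re.match(r"aaa accounting commands (\d+) default (\S+)", l)
        if m:
            acct[m.group(1)] = m.group(2)
    if acct.get("15") in (None, "none"):
        findings.append("privilege 15 commands are not accounted")
    for vty, cmds in parse_vty_lines(config).items():
        if not any(c.startswith("authorization exec") for c in cmds):
            findings.append(f"{vty}: authorization exec not applied")
    return findings
```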
That is it for getting through all the SWITCH material once over; now to review!
That was my once-over of all the material for SWITCH. I will be updating posts to verify their information is correct, and then labbing like a bat out of hell on topics I expect to see in Simulator format on exam day.