AAA – Configuring login Auth for TACACS+ / RADIUS, local fallback explained, and tons of important labbing notes for exam day!

Posted on by Loopy

AAA_TAC_Auth2

A quick note before hitting the lab to configure Authentication

I did revert my TACACS+ and RADIUS configs back to the “depreciated” commands that have the hyphen in them, as I believe that is how this will be tested on exam day:

!
!
tacacs-server host 10.0.0.200 key CCNP2
radius-server host 10.0.0.100 key CCNP1
!

With that being said, lets get to it!

That being said, lets take a look at AAA Authentication Configuration!

Configuration of AAA Authentication on SW1:

SW1(config)#aaa authentication ?
arap Set authentication lists for arap.
attempts Set the maximum number of authentication attempts
banner Message to use when starting login/authentication.
dot1x Set authentication lists for IEEE 802.1x.
enable Set authentication list for enable.
eou Set authentication lists for EAPoUDP
fail-message Message to use for failed login/authentication.
login Set authentication lists for logins.
onep Set authentication lists for ONEP
password-prompt Text to use when prompting for a password
ppp Set authentication lists for ppp.
sgbp Set authentication lists for sgbp.
suppress Do not send access request for a specific type of user.
username-prompt Text to use when prompting for a username

SW1(config)#aaa authentication login ?
WORD Named authentication list (max 31 characters, longer will be
rejected).
default The default authentication list.

SW1(config)#aaa authentication login default ?
cache Use Cached-group
enable Use enable password for authentication.
group Use Server-group
krb5 Use Kerberos 5 authentication.
krb5-telnet Allow logins only if already authenticated via Kerberos V
Telnet.
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
passwd-expiry enable the login list to provide password aging support

SW1(config)#aaa authentication login default

I wanted to pause here to highlight in green some of the more basic AAA Authentication methods we see like “Line” which means telnet line password, “Enable” meaning the enable password, “Local” which means configuring the username / PW Database.

AND THEN THERE WAS NONE (as an option), which is an oddity explained by the thinking of not depending solely on External Servers for Authentication.

So “none” is just a choice to require no Auth at all to log into the Switch, though there are better options available like ANY other than “none” (line password, enable password, local un/pw database) – But that is why none is shown as an option.

Just to point those out along the way, but we need to use “group” to proceed:

SW1(config)#aaa authentication login default group ?
WORD Server-group name
ldap Use list of all LDAP hosts.
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.

SW1(config)#aaa authentication login default group tacacs+ ?
cache Use Cached-group
enable Use enable password for authentication.
group Use Server-group
krb5 Use Kerberos 5 authentication.
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
<cr>

Again this is where I need to pause to demonstrate a behavior for TACACS+ Authentication, as it will actually let you enter up to 4 of the values listed here, and try them in order as they are entered – But only 4 can be used:

SW1(config)#$ication login default group tacacs+ enable local line ?
<cr>

Be advised that “tacacs+” does count among the 4 methods of Authentication, then it will fall back to Authentication in the order left to right, to Authenticate login to the switch!

One behavior to know about when configuring “none” first as your option:

SW1(config)#aaa authentication login default none ?
<cr>

So if you use “login default none” that is the end of your Authentication configuration! 🙂

I am going to enable all 4 of those methods and keep rolling:

SW1(config)#aaa authentication login default group tacacs+ enable local line
SW1(config)#username loopy password loopedback
SW1(config)#

I added that username / PW in there to have a Local Database as a fallback!

A visual representation of how TACACS+ Authentication / Fallback works!

First the PC user “Bob” sends an Authentication request to the Switch, which uses its first Auth method in line, the TACACS+ Server:

AAA_TAC_Auth1

If TACACS+ doesn’t respond or doesn’t know Bob, it will continue left to right with the Auth methods, until Bob can Authenticate or not – TACACS+ doesn’t stop Auth HERE.

However, in this example TACACS+ WILL stop Authentication from falling back:

AAA_TAC_Auth2

I’ll spare the illustration, but this works the same if it were trying to Authenticate to a RADIUS Server, it will either not know / respond and fall back or deny the Auth!

Real world advice / Advice for choosing your Authentication and Fallback

When changing Authentication configs, ALWAYS stay logged in and test from a separate PC to ensure they are working, and ALWAYS leave yourself a backdoor to log in!

Also when choosing your fall back methods, you really want to use the most secure options first, like I should have probably used a Local Database that requires a UN/PW combo to log in for security purposes.

That Security tip is really more for Exam Day (as they will be pounding security), so I would configure my fall backs to be the most secure options in order!

Configuring RADIUS for AAA Authentication for both TACACS+ and RADIUS!

SW1(config)#aaa authentication login default ?
cache Use Cached-group
enable Use enable password for authentication.
group Use Server-group
krb5 Use Kerberos 5 authentication.
krb5-telnet Allow logins only if already authenticated via Kerberos V
Telnet.
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
passwd-expiry enable the login list to provide password aging support

SW1(config)#aaa authentication login default group ?
WORD Server-group name
ldap Use list of all LDAP hosts.
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.

SW1(config)#aaa authentication login default group tacacs+ ?
cache Use Cached-group
enable Use enable password for authentication.
group Use Server-group
krb5 Use Kerberos 5 authentication.
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
<cr>

SW1(config)#aaa authentication login default group tacacs+ group ?
WORD Server-group name
ldap Use list of all LDAP hosts.
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.

SW1(config)#aaa authentication login default group tacacs+ group radius ?
cache Use Cached-group
enable Use enable password for authentication.
group Use Server-group
krb5 Use Kerberos 5 authentication.
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
<cr>

SW1(config)#$ication login default group tacacs+ group radius local ?
cache Use Cached-group
enable Use enable password for authentication.
group Use Server-group
krb5 Use Kerberos 5 authentication.
line Use line password for authentication.
none NO authentication.
<cr>

SW1(config)#aaa authentication login default group tacacs+ group radius local

You will need to use “group” to get LDAP / TACACS+ / RADIUS to appear as options, however they can all be used as fall backs, and play nice together!

How to Apply these login options, and configuring a login “list”

First to make the list of methods of Authentication:

SW1(config)#aaa authentication login ?
WORD Named authentication list (max 31 characters, longer will be
rejected).
default The default authentication list.

SW1(config)#aaa authentication login AUTH ?
cache Use Cached-group
enable Use enable password for authentication.
group Use Server-group
krb5 Use Kerberos 5 authentication.
krb5-telnet Allow logins only if already authenticated via Kerberos V
Telnet.
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
passwd-expiry enable the login list to provide password aging support

SW1(config)#aaa authentication login AUTH enable line local

Now to apply it to the VTY lines, note that “login” is no longer a stand alone command:

SW1(config)#line vty 0 15
SW1(config-line)#login ?
authentication Authentication parameters.

SW1(config-line)#login authentication ?
WORD Use an authentication list with this name.
default Use the default authentication list.

SW1(config-line)#login authentication AUTH ?
<cr>

SW1(config-line)#login authentication AUTH
SW1(config-line)#

I ran a “sh run” to see what my lines would look like, and their login now is tied to the AUTH list, but still has a password above the login so things could get interesting:

!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0
login authentication AUTH
line vty 1 4
exec-timeout 0 0
password CCNP
login authentication AUTH
line vty 5 15
exec-timeout 0 0
password CCNP
login authentication AUTH
!
ntp master
end

SW1#

Hmmmmmm…

Now to attempt a Telnet login from SW3:

SW3#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/3/8 ms

SW3#

SW3#telnet 10.0.0.1
Trying 10.0.0.1 … Open
User Access Verification

Username: loopy
Password:

SW1>en
% Error in authentication.

SW1>

Whaaaaaaaat???!?

So I found the issue immediately, but I had no “enable secret” set on SW1, and the Telnet line password didn’t hit because their “login” is configured for Authentication, so it went all the way to the fall back of Local Database (which fortunately I configured).

Unfortunately, I didn’t have an enable password, so lets try that one again:

SW3#telnet 10.0.0.1
Trying 10.0.0.1 … Open

User Access Verification

Password:

SW1>en
Password:
SW1#

Much better, but now its peeked my interest why it skipped telnet as a fall back option and went from Enable to Local, so I’ll write up a quick aaa auth login here:

SW1(config)#aaa authentication login AUTH line local enable
SW1(config)#

Now to test from SW3 again:

SW3#telnet 10.0.0.1
Trying 10.0.0.1 … Open

User Access Verification

Username: loopy
Password:

SW1>en
Password:
SW1#

I am not sure what is causing this behavior, as I would think line also refers to console lines for physical access, but I cannot explain the Telnet behavior beyond the fact that once aaa new-model is applied to a Switch it strips “login” off VTY lines until Authentication is applied.

Good to know for exam day^ I’ll try to dig into that deeper when I have time.

That is it for this AAA Authentication post, I am done for the night, maybe!

My last video training course will be AAA Authorization and Accounting, and then I have a LOT of labbing with AAA and Dot1X, Port-Channel L2 and L3 so stay tuned for some hardcore exam prep labbing in the near future!

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s