Internetworking Solutions Guide
May 2000
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of
UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
Preface
Purpose
Audience
Scope
Acknowledgements
6.4.1 Isolating Incorrect TACACS+ Key in NAS or AAA Server (TACACS+ Dial-Based Server Authentication)
6.4.2 Isolating Invalid User Password (TACACS+ Dial-Based Server Authentication)
6.4.4 Isolating Missing PPP Service Definition (TACACS+ Dial-Based Server Authorization)
6.4.5 Isolating Defined AVPs not Being Assigned (TACACS+ Dial-Based Server Authorization)
6.4.6 Isolating Missing Shell Service Definition (TACACS+ Dial-Based Server Authorization)
6.4.7 Isolating Incorrect PPP Reply Attributes (RADIUS Dial-Based Server Authorization)
INDEX
Figure 6-2 Dial Access Authentication and Authorization Flow Diagram
Figure 6-3 RADIUS Dial Access Authentication and Authorization Process
Figure 6-4 TACACS+ Dial Access Authentication and Authorization Session (EXEC Enabled)
Figure 6-5 TACACS+ Dial Access Authentication and Authorization Session (EXEC Shell Disabled)
Table 6-1 Single User Failure; Individual Dial-in User Connection Fails
Table 6-2 Multiple User Failure; All Dial-in Users Unable to Connect to NAS
Table 6-3 Single User Failure; Individual User Unable to Make Connection (RADIUS and TACACS+)
Table 6-4 Multiple User Failure; All Dial-in Users Unable to Connect to NAS (RADIUS and TACACS+)
Table 6-9 Multiple Users Cannot Start PPP (RADIUS and TACACS+)
Table 6-11 User or Group Members Unable to Access Specific Host or Network Service (RADIUS and TACACS+)
Table 6-12 Multilink Fails (TACACS+)
Table 6-14 Session Fails to Disconnect After Expected Idle Timeout (TACACS+)
Table 6-15 Session Fails to Disconnect After Expected Idle Timeout (RADIUS)
Table 6-20 Single User Failure; Individual Dial-in User Connection Fails
Table 6-21 Multiple User Failure; All Dial-in Users Unable to Connect to Router
Table 6-22 Users Can Access Router by Using Console or VTY, but Not Both
Table 6-23 Single User Failure; Individual User Unable to Make a Connection
Table 6-24 Multiple User Failure; All Dial-In Users Unable to Connect to the Router
Table 6-25 Users Pass Authentication on Console or VTY, but Not Both
Table 6-29 Router User Receives Error Message Stating "This Line Not Allowed to Run PPP and is Disconnected"
Table 6-33 Router User Receives Error Message Stating "This Line Not Allowed to Run PPP and is Disconnected"
Table 6-34 Router User Unable to Initiate Shell Session with Router
Table A-1 Cisco IOS Commands Required to Set AAA for a Router
Table A-2 Cisco IOS Commands Used to Set AAA with PPP for NAS (RADIUS and TACACS+)
This case study describes various Cisco-based security and accounting capabilities for monitoring and
managing access within a large-scale dial environment.
Purpose
This Internetworking Solutions Guide (ISG) case study provides examples intended to be models for
building an effective, Cisco AAA-based security environment for dial-based and router environments.
In following the procedures and recommendations provided in this document, readers should be able to:
• Understand the working relationship among various Cisco AAA components, including NASs,
AAA servers, and the AAA database.
• Configure and verify operation for these AAA components.
• Troubleshoot typical problems found in AAA environments.
Audience
The audience for this document consists of network engineers supporting large-scale dial networks. The
audience is expected to have a basic understanding of Cisco IOS software, and a working knowledge of
both the UNIX operating system and CiscoSecure for UNIX user interface.
Scope
This case study provides:
• Complete network device configurations and specific fragments to support implementation task
descriptions.
• Example diagnostic output showing verification of correct configuration.
• Troubleshooting output for the problem scenarios, showing faulty configurations and other AAA
environment failures.
• A foundation from which effective AAA-based security solutions can be tailored to specific
network requirements.
The information provided here does not include advanced tuning tips—nor does it provide a primer for
the uninitiated novice. In addition, site planning and preparation are beyond the scope of this case study.
Document Conventions
italic    File names, paths to files, user names, and group names used in descriptions. Example: /var/log/csuslog
< >       Angle brackets show nonprinting characters, such as passwords.
!         An exclamation point at the beginning of a line indicates a comment line. (Exclamation points are also displayed by the Cisco IOS software for certain processes.)
[ ]       Square brackets show default responses to system prompts.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services
to customers and business partners of Cisco Systems. CCO services include product information,
product documentation, software updates, release notes, technical tips, the Bug Navigator,
configuration notes, brochures, descriptions of service offerings, and download access to public and
authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced
simultaneously: a character-based version and a multimedia version that resides on the World Wide
Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet
e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version
of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as
hyperlinks to related information.
You can access CCO in the following ways:
• http://www.cisco.com
• http://www-europe.cisco.com
• http://www-china.cisco.com
• Telnet: cco.cisco.com
• Modem: From North America, 408 526-8070; from Europe, 33 1 64 46 40 82. Use the following
terminal settings: VT100 emulation; databits: 8; parity: none; stop bits: 1; and connection rates up
to 28.8 kbps.
For a copy of the CCO Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional
information, contact cco-team@cisco.com.
Note If you are a network administrator and need personal technical assistance with a Cisco
product that is under warranty or covered by a maintenance contract, contact the Cisco
Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To
obtain general information about Cisco Systems, Cisco products, or upgrades, contact
800 553-6387, 408 526-7208, or cs-rep@cisco.com.
Documentation CD-ROM
Cisco documentation and additional literature are available in a CD-ROM package, which ships with
your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated
monthly; therefore, it might be more current than printed documentation. To order additional copies of
the Documentation CD-ROM, contact your local sales representative or call customer service. The
CD-ROM package is available as a single package or as an annual subscription. You can also access
Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com,
or http://www-europe.cisco.com.
• Mail in the Cisco Reader Comment Card located at the front of this book
• Send an e-mail to bug-doc@cisco.com
• Send a fax to 408 527-8089
We appreciate your comments.
Acknowledgements
This ISG case study was created as a collaborative effort. The following team members participated in
the creation of this document: Joellen Amato, Dave Anderson, Robert “Bob” Brown, Alan Dowling,
Dianne Dunlap, Paul Hafeman, Anthony Hall, Kim Lew, Robert Lewis, Dave Leyland, Brian Murphy,
Dang Nguyen, Nilesh Panicker, Anjali Puri, Robert Sargent, David Sims, Tim Stevenson, Kris
Thompson, Craig Tobias, and Syed Atif Ullah.
This chapter summarizes the technology behind AAA security solutions, outlines typical network
definitions and network assumptions adopted for this case study, and lists tasks associated with
implementing, verifying, and troubleshooting the AAA environment presented. Specific sections
provided here are:
• 1.1 AAA Technology Summary
• 1.2 TACACS+ Overview
• 1.3 RADIUS Overview
• 1.4 Comparison of TACACS+ and RADIUS
• 1.5 Differences in Implementing Local and Server AAA
• 1.6 Scenario Description
• 1.7 Planning Your Network
• 1.8 Network Service Definitions
• 1.9 Security Implementation Policy Considerations
• 1.10 Network Equipment Selection
• 1.11 Task Check List
(Figure: case study network overview, showing the Oracle database server and the Internet connection)
In the context of the Cisco-based AAA environment addressed here, the key operational elements are
network access servers (NASs), routers, and CiscoSecure Access Control Server for UNIX servers
(referred to in this document as AAA servers). Depending on the conventions and requirements of your
particular design, you can select a security environment which utilizes Terminal Access Controller
Access Control System Plus (TACACS+) or Remote Authentication Dial-in User Service (RADIUS).
This case study addresses implementation of both environments.
• TACACS+ permits the control of services, such as Point-to-Point Protocol (PPP), shell, standard
log in, enable, AppleTalk Remote Access (ARA) protocol, Novell Asynchronous Services Interface
(NASI), remote command (RCMD), and firewall proxy.
• TACACS+ permits the blocking of services to a specific port, such as a TTY or VTY interface on
a router.
The most common services supported by TACACS+ are PPP for IP and router EXEC shell access using
console or VTY ports. EXEC shell allows users to connect to router shells and select services, such as
PPP, Telnet, TN3270, or manage the router itself.
Many TACACS+ servers are available on the market today; however, the Cisco AAA server is designed
specifically to be scalable and compatible with Cisco's broad line of routers, access servers, and
switches. Hence, this case study uses the Cisco AAA server as the TACACS+ server of choice.
When configured correctly, the AAA server validates AAA and responds to requests from routers and
access servers with a pass or fail signal. The AAA server contains an internal database sized to 5000
users; therefore, an external Oracle database is used in our case study for user account attributes and
billing information.
The AAA server acts as a proxy server by using TACACS+ to authenticate, authorize, and account for
access to Cisco routers and network access servers.
RADIUS compared with TACACS+:
• Transport: RADIUS uses UDP. TACACS+ uses TCP.
• Encryption: RADIUS encrypts only the password in the access-request packet (less secure). TACACS+ encrypts the entire body of the packet (more secure).
• Architecture: RADIUS combines authentication and authorization. TACACS+ uses the AAA architecture, which separates authentication, authorization, and accounting.
• Standardization: RADIUS is an industry standard (created by Livingston). TACACS+ is Cisco proprietary.
• Protocol support: RADIUS does not support ARA access, NetBIOS Frame Protocol Control protocol, NASI, and X.25 PAD connections. TACACS+ offers multiprotocol support.
• Command authorization: RADIUS does not allow users to control which commands can be executed on a router. TACACS+ provides two ways to control the authorization of router commands: on a per-user or per-group basis.
TACACS+ encrypts the entire body of the packet but leaves the standard TACACS+ header in the clear.
A flag in that header indicates whether the body is encrypted. Sending the body in the clear is useful
for debugging, but normal operation always encrypts the body so that the exchange between NAS and
AAA server is protected.
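The two protection schemes contrasted above (RADIUS hiding only the User-Password attribute; TACACS+ obfuscating the whole body and announcing a clear-text body with a header flag) are easier to reason about in code. The following is an added example written for this page from the public specifications (RFC 2865 section 5.2 and RFC 8907 section 4.5); it is not Cisco code from the guide. The shared secrets, Request Authenticator, session id and sample body are constructed for the example.

```python
"""Added example (not from the Cisco guide): RADIUS User-Password hiding versus
TACACS+ whole-body obfuscation, from the public specifications.

RADIUS (RFC 2865, section 5.2) hides only the User-Password attribute: the
password is XORed with an MD5 stream derived from the shared secret and the
16-byte Request Authenticator. Every other attribute travels in the clear.
TACACS+ (RFC 8907, section 4.5) obfuscates the whole packet body with an MD5
pseudo-pad derived from the shared secret, session id, version and sequence
number; only the 12-byte header is in the clear, and bit 0x01 of the header
flags field announces an unobfuscated body.
Both are MD5 XOR streams, not authenticated encryption.
"""
import hashlib
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---------------- RADIUS User-Password (RFC 2865 section 5.2) ----------------

def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Wire form of User-Password: c1 = p1 ^ MD5(S+RA), cn = pn ^ MD5(S+c(n-1))."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16-byte blocks
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block  # chaining uses the ciphertext of the previous block
    return out


def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of radius_hide_password (what the RADIUS server does on receipt)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")  # strip the padding; passwords do not end in NUL


# ---------------- TACACS+ body obfuscation (RFC 8907 section 4.5) ----------------

TAC_PLUS_VERSION = (0xC << 4) | 0x0              # major 0xC, minor 0 -> 0xC0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01                 # header flag: body is in the clear
HEADER = struct.Struct("!BBBBII")                # version, type, seq_no, flags, session_id, length


def tacacs_pseudo_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(sid|key|ver|seq); pad_n = MD5(sid|key|ver|seq|pad_n-1); cut to length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_build_packet(key: bytes, session_id: int, seq_no: int, ptype: int,
                        body: bytes, in_clear: bool = False) -> bytes:
    """Header always in the clear; body XORed with the pseudo-pad unless in_clear."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if in_clear else 0
    wire = body if in_clear else _xor(
        body, tacacs_pseudo_pad(key, session_id, TAC_PLUS_VERSION, seq_no, len(body)))
    return HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body)) + wire


def tacacs_parse_packet(key: bytes, packet: bytes):
    """Return (header fields, body). With a mismatched key the body decodes to garbage,
    which is the on-the-wire symptom of an incorrect TACACS+ key on NAS or AAA server."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    wire = packet[HEADER.size:HEADER.size + length]
    if len(wire) != length:
        raise ValueError("truncated TACACS+ body")
    in_clear = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)
    body = wire if in_clear else _xor(
        wire, tacacs_pseudo_pad(key, session_id, version, seq_no, length))
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body_in_clear": in_clear}, body


if __name__ == "__main__":
    secret, ra = b"cisco123", bytes(range(16))   # constructed sample values
    print("RADIUS User-Password on the wire:",
          radius_hide_password(secret, ra, b"s3cret-pass").hex())
    pkt = tacacs_build_packet(b"tacacskey", 0x12345678, 1, TAC_PLUS_AUTHOR, b"service=shell\x00cmd*")
    print("TACACS+ header in clear, body obfuscated:", pkt.hex())
```

The practical consequences match the guide's troubleshooting scenarios: a wrong RADIUS secret corrupts only the password (the server sees a bad password), while a wrong TACACS+ key corrupts the whole decoded body, so the server cannot even parse the request.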
1.4.6 Interoperability
The RADIUS standard does not guarantee interoperability. Although several vendors implement
RADIUS clients, this does not ensure they are interoperable. There are approximately 45 standard
RADIUS attributes. Using standard attributes improves the likelihood of interoperability; using
proprietary (vendor-specific) extensions reduces it.
(Figure 1-2: Local-based AAA access: console access over IP, VTY access (Telnet) over IP, and dial access via PSTN and modem over IP)
In server-based AAA access, users and groups are permitted or denied access based on AAA
negotiations between a router or NAS and the AAA server. Server-based AAA access has the
following attributes:
• User or group profiles and accounting records stored in an internal or external database
• AVPs supported on both standard and EXEC shell-initiated PPP sessions
• Wide array of AVPs supported, including vendor-specific (non-Cisco) AVPs
Figure 1-3 illustrates the three server-based connectivity situations:
• Server-based console access
• Server-based VTY connections
• Server-based dial access
(Figure 1-3: Server-based AAA access: console access over IP to an AAA server, VTY access (Telnet) over IP to an AAA server, and dial access via PSTN and modem over IP to an AAA server)
Each connectivity scenario illustrated in Figure 1-2 and Figure 1-3 has its own requirements, and
therefore its own implementation and troubleshooting considerations. The chapters that follow
present, for each scenario, the implementation steps (configuring, verifying, and testing) together
with symptoms, problems, and suggested diagnostic processes, reflecting both what the scenarios
share and where they differ.
Tasks and topics covered in this case study:
Chapter 2, "Implementing the Local AAA Subsystem"
• 2.1 Implementing Local Dialup Authentication
• 2.2 Implementing Local Dialup Authorization
• 2.3 Implementing Local Router Authentication
• 2.4 Implementing Local Router Authorization
• 2.5 Implementing Local Router Accounting
Chapter 3, "Implementing Cisco AAA Servers"
• 3.1 Installing CiscoSecure for UNIX with Oracle
Chapter 4, "Implementing the Server-Based AAA Subsystem"
• 4.1 Implementing Server-Based TACACS+ Dialup Authentication
• 4.2 Implementing Server-Based TACACS+ Dialup Authorization
• 4.3 Implementing Server-Based RADIUS Dialup Authentication
• 4.4 Implementing Server-Based RADIUS Dialup Authorization
• 4.5 Implementing Server-Based TACACS+ Router Authentication
• 4.6 Implementing Server-Based TACACS+ Router Authorization
Chapter 5, "Implementing Server-Based AAA Accounting"
• 5.1 Implementing Server-Based RADIUS Dial Accounting
• 5.2 Implementing Server-Based TACACS+ Router Accounting
Chapter 6, "Diagnosing and Troubleshooting AAA Operations"
• 6.1 Overview of Authentication and Authorization Processes
• 6.2 Troubleshooting AAA Implementation
  • 6.2.1 Troubleshooting Methodology Overview
  • 6.2.2 Cisco IOS Debug Command Summary
• 6.3 AAA Troubleshooting Basics
• 6.4 Troubleshooting Scenarios
This chapter focuses on local AAA implementation and describes the following topics:
• 2.1 Implementing Local Dialup Authentication
• 2.2 Implementing Local Dialup Authorization
• 2.3 Implementing Local Router Authentication
• 2.4 Implementing Local Router Authorization
Note See “1.1 AAA Technology Summary,” in Chapter 1 for brief definitions of authentication,
authorization, and accounting as they relate to AAA security implementation.
Server-based authentication, authorization, and accounting issues are described in the following
chapters:
• Chapter 3, “Implementing Cisco AAA Servers”
• Chapter 4, “Implementing the Server-Based AAA Subsystem”
• Chapter 5, “Implementing Server-Based AAA Accounting”
• Chapter 6, “Diagnosing and Troubleshooting AAA Operations”
Caution The example configuration fragments used throughout this chapter include IP addresses,
passwords, authentication keys, and other variables that are specific to this case study. If
you use these fragments as foundations for your own configurations, be sure that your
values apply to your environment.
(Figure: local-based dial access via PSTN and modem over IP)
interface Group-Async1
ip unnumbered Loopback0
no ip directed-broadcast
encapsulation ppp
ip tcp header-compression passive
no logging event link-status
dialer in-band
dialer idle-timeout 900
async mode interactive
no snmp trap link-status
peer default ip address pool default
no fair-queue
no cdp enable
ppp max-bad-auth 3
ppp authentication pap chap
group-range 1 48
line 1 48
exec-timeout 48 0
autoselect during-login
autoselect ppp
absolute-timeout 240
script dialer cisco_default
modem InOut
modem autoconfigure type mica
transport preferred telnet
transport input all
transport output pad telnet rlogin udptn
Username:diallocal
Password: <password>
b. To determine that local dial access authentication is operating correctly, enter the debug aaa
authentication and debug ppp authentication commands.
The following debug output contains only pertinent information:
maui-nas-01#
The following shell-initiated PPP session example shows the AAA debug output that confirms
correct configuration for local authentication:
The following example of a non-shell-initiated PPP session shows AAA debug output that confirms
correct configuration for local authentication:
Note Attribute-value pairs (AVPs) only are supported with EXEC shell initiated PPP
sessions for local accounts. Configure dial access clients to “Bring Up a Terminal
Window After Dial”.
Step 1 Configure dial access configuration for local authorization on the NAS.
Include the following Cisco IOS configuration commands in your configuration to construct dial access
local authorization:
aaa new-model
aaa authentication login default local
aaa authentication ppp default if-needed local
aaa authorization exec default local if-authenticated
aaa authorization network default local if-authenticated
The following example of a shell-initiated session shows the AAA debug output that confirms correct
configuration for local authorization. Some points to note about this debug output:
• Method used is LOCAL.
• Autocommand used is PPP negotiate.
• Access list used is 110.
• Authorization is successful.
The following tests illustrate operations described in “2.4 Implementing Local Router Authorization”
and include relevant router output:
1. User diallocal is authorized EXEC Shell Service (Terminal Window After Dial enabled).
2. EXEC Authorization in action; access-list 110 and autocommand=ppp negotiate AVPs processed.
3. User diallocal is authorized PPP Network Service.
4. User diallocal is authorized LCP.
5. User diallocal is authorized IPCP.
The following diagnostic results are presented in the order in which they are generated during the
authorization process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.
Note The debug command output can vary depending on Cisco IOS versions.
1. User diallocal is authorized EXEC Shell Service (Terminal Window After Dial enabled).
NAS debug output:
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): Port='tty10' list='' service=EXEC
07:10:52: AAA/AUTHOR/EXEC: As10 (693880654) user='diallocal'
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): send AV service=shell
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): send AV cmd*
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): found list "default"
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): Method=LOCAL
07:10:52: As10 AAA/AUTHOR (693880654): Post authorization status = PASS_ADD
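The debug lines above are the evidence that local authorization succeeded: the method, the AV pairs sent, and the final status. When verifying many sessions it helps to parse them rather than read them. The following parser is an added example written for this page, not Cisco code; the seven PASS_ADD lines are the guide's own output, and the three lines for session 693880655 are constructed to show how a failure surfaces. Note that TACACS+ writes mandatory pairs as attr=value and optional pairs as attr*value, so "cmd*" is an optional cmd attribute with an empty value, not a wildcard.

```python
"""Added example (not from the Cisco guide): parse `debug aaa authorization`
output into one record per authorization request (port, user, service, AV
pairs, method, status) and list the requests that did not pass.
"""
import re
from collections import defaultdict

# The first seven lines are the NAS debug output shown on the page;
# the last three (session 693880655) are constructed for this example.
SAMPLE_LINES = [
    "07:10:52: As10 AAA/AUTHOR/EXEC (693880654): Port='tty10' list='' service=EXEC",
    "07:10:52: AAA/AUTHOR/EXEC: As10 (693880654) user='diallocal'",
    "07:10:52: As10 AAA/AUTHOR/EXEC (693880654): send AV service=shell",
    "07:10:52: As10 AAA/AUTHOR/EXEC (693880654): send AV cmd*",
    '07:10:52: As10 AAA/AUTHOR/EXEC (693880654): found list "default"',
    "07:10:52: As10 AAA/AUTHOR/EXEC (693880654): Method=LOCAL",
    "07:10:52: As10 AAA/AUTHOR (693880654): Post authorization status = PASS_ADD",
    "07:11:03: As11 AAA/AUTHOR/EXEC (693880655): Port='tty11' list='' service=EXEC",  # constructed
    "07:11:03: AAA/AUTHOR/EXEC: As11 (693880655) user='baduser'",                      # constructed
    "07:11:03: As11 AAA/AUTHOR (693880655): Post authorization status = FAIL",         # constructed
]

# Both line shapes seen in the output: "<port> AAA/AUTHOR/<svc> (<sid>): ..." and
# "AAA/AUTHOR/<svc>: <port> (<sid>) ...". The session id in parentheses is the key.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d): (?:(?P<port>\S+) )?AAA/AUTHOR(?:/(?P<svc>[A-Z]+))?:? "
    r"(?:(?P<port2>\S+) )?\((?P<sid>\d+)\):? (?P<msg>.*)$"
)
# TACACS+ AV pair syntax: '=' separator means mandatory, '*' means optional.
AV_RE = re.compile(r"^send AV (?P<attr>[^=*]+)(?P<sep>[=*])(?P<value>.*)$")


def parse_aaa_author_debug(lines):
    """Return {session_id: record}; record['avs'] is a list of (attr, value, mandatory)."""
    sessions = defaultdict(lambda: {"port": None, "user": None, "service": None,
                                    "avs": [], "method": None, "status": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an authorization line (e.g. AUTHEN or PPP debug)
        rec = sessions[m["sid"]]
        rec["port"] = rec["port"] or m["port"] or m["port2"]
        msg = m["msg"]
        if (u := re.search(r"user='([^']*)'", msg)):
            rec["user"] = u.group(1)
        if "send AV" not in msg and (svc := re.search(r"service=(\w+)", msg)):
            rec["service"] = svc.group(1)  # the requested service, not an AV pair
        if (av := AV_RE.match(msg)):
            rec["avs"].append((av["attr"], av["value"], av["sep"] == "="))
        if (meth := re.search(r"Method=(\w+)", msg)):
            rec["method"] = meth.group(1)
        if (st := re.search(r"Post authorization status = (\w+)", msg)):
            rec["status"] = st.group(1)
    return dict(sessions)


def failed_authorizations(sessions):
    """Session ids whose final status is not a pass (PASS_ADD or PASS_REPL)."""
    return sorted(sid for sid, rec in sessions.items()
                  if rec["status"] not in ("PASS_ADD", "PASS_REPL"))


if __name__ == "__main__":
    parsed = parse_aaa_author_debug(SAMPLE_LINES)
    for sid, rec in parsed.items():
        print(sid, rec["port"], rec["user"], rec["method"], rec["status"], rec["avs"])
    print("failed:", failed_authorizations(parsed))
```

Run it against `terminal monitor` output captured to a file to find sessions whose status is FAIL or still unset (a request with no status line usually means the NAS never got an answer, which in the server-based chapters points at key or reachability problems rather than at the user profile).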
Note Access lists can be defined as either input or output access lists. As configured and applied
in this environment, access list 110 is an output access list assigned with the acl=110 AVP.
In the show line listing, AccO refers to output access list 110. In this case, AccI is not set
(indicated by a dash).
Note The NO_AUTHENT list disables authentication on the console port. See “A.2
Router AAA Command Implementation Descriptions” in Appendix A, “AAA
Device Configuration Listings” for notes regarding Cisco IOS AAA commands.
Username: rtr_super
Password: <password>
maui-rtr-03#
b. To determine that local router authentication is operating correctly, enter the debug aaa
authentication command as follows:
maui-rtr-03#debug aaa authentication
AAA Authentication debugging is on
maui-rtr-03#show debug
General OS:
AAA Authentication debugging is on
maui-rtr-03#terminal monitor
Note Some versions of boot ROMs do not recognize all AAA commands. Be sure to
disable AAA authentication and authorization before changing to boot ROM
mode. For configuration notes regarding disabling AAA to access boot ROM
mode, see Appendix B, “AAA Impact on Maintenance Tasks.”
These processes are intended to help you to accomplish the following tasks:
1. Configure local router authorization at privilege level 15.
2. Verify local router authorization is set to privilege level 15.
Note You must first log out, and then log back into the router following the inclusion of
the aaa authorization commands 15 local if-authenticated command
(illustrated in the preceding configuration fragment). Doing this ensures that you
log in as the user rtr_super (in this case study example). The NO_AUTHENT list
disables authentication on the console port. The NO_AUTHOR list disables
EXEC and command authorization on the console port. See “A.2 Router AAA
Command Implementation Descriptions” in Appendix A, “AAA Device
Configuration Listings” for notes regarding key Cisco IOS AAA commands.
maui-rtr-03#login
Username: rtr_super
Password:
The following tests illustrate operations described in “2.4 Implementing Local Router Authorization”
and include relevant router output.
1. User rtr_super is authorized EXEC shell access.
2. User rtr_super is assigned the priv-lvl=15 AVP.
3. User rtr_super successfully performs privilege level 15 command.
The following diagnostic results are presented in the order in which they are generated during the
authorization process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.
Note The debug command output can vary depending on Cisco IOS versions.
aaa new-model
aaa authentication login default local enable
aaa authentication login NO_AUTHENT none
aaa authorization exec default local if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default local if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default start-stop group tacacs+
aaa accounting exec NO_ACCOUNT none
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting commands 15 NO_ACCOUNT none
line con 0
authorization commands 15 NO_AUTHOR
authorization exec NO_AUTHOR
accounting commands 1 NO_ACCOUNT
accounting commands 15 NO_ACCOUNT
accounting exec NO_ACCOUNT
login authentication NO_AUTHENT
Note In the preceding configuration fragment, the start-stop option is entered for
EXEC shell sessions and the stop-only option is entered for privilege-level 15
commands. The router sends a start packet in the beginning of a shell service and
a stop packet when the session terminates. A stop packet is only sent upon
completion of a privilege level 15 command in the router. Additionally, note the
use of the NO_ACCOUNT list to disable AAA accounting on the console port.
Step 2 Verify and troubleshoot local accounting from VTY (Telnet) based access to the router.
Enter the debug aaa accounting command to verify local router accounting is operating as expected.
The following EXEC sequence illustrates that the appropriate commands are enabled:
maui-rtr-03#show debug
General OS:
AAA Accounting debugging is on
The following tests illustrate operations described in “2.5 Implementing Local Router Accounting” and
include relevant router output.
1. User rtr_super is authorized EXEC shell access.
2. User rtr_super successfully performs configure terminal, a privilege level 15 command.
The following diagnostic results are presented in the order in which they are generated during a typical
authorization and command request process. Specific output fragments are separated out with brief
explanatory notes to help you identify relevant information.
Note The debug command output can vary depending on Cisco IOS versions.
This chapter describes the basic process of installing CiscoSecure for UNIX (CSU). See Chapter 1,
"Cisco AAA Case Study Overview," for this case study's network requirements and environment
details. Figure 3-1 illustrates the general networking environment in which this CSU is
implemented.
These sections focus on the following topics:
• 3.1 Installing CiscoSecure for UNIX with Oracle
• 3.1.4 Creating and Verifying Basic User Profile
(Figure 3-1: general networking environment for the CSU installation, showing the Oracle database server and the Internet connection)
Note Ensure that an experienced Oracle database administrator (DBA) tunes and configures the
database. The commands below grant the csecure account the DBA role with a password equal
to its user name; both are case-study placeholders. In production, give the CSU account a
unique password and only the privileges it needs.
SVRMGR>connect internal
Connected.
SVRMGR>create tablespace cstb datafile '/export/home/ORADATA/cs.dbf' size 200m;
Statement processed.
SVRMGR>create user csecure identified by csecure default tablespace cstb;
Statement processed.
SVRMGR>grant dba to csecure identified by csecure;
Statement processed.
SVRMGR>exit
Server Manager complete.
Step 1 To verify the directory in which Oracle is installed (the $ORACLE_HOME environment variable),
enter the following command on the CSU server:
<CSUserver>$env | grep ORACLE_HOME
ORACLE_HOME=/opt/oracle/product/7.3.4
Note This environment variable should have been configured during Oracle installation
by the DBA.
Step 2 On the Oracle server, verify that SMON (a mandatory Oracle background process) is running by
entering the following command:
<CSUserver>$ps -ef |grep smon
oracle 819 1 0 Feb 26 ? 0:00 ora_smon_ciscosj
The command returns the ora_smon_<SID> process if the server is running. Notice the database
instance specification of ciscosj. If the server is down, log in with the Oracle UNIX account (in this
case, with username of csecure and password of csecure) and start the database by using Server
Manager (svrmgrl) and Oracle listener (lsnrctl) as follows:
<CSUserver>$$ORACLE_HOME/bin/svrmgrl
SVRMGR>connect internal
SVRMGR>startup
ORACLE instance started.
Total System Global Area 4576056 bytes
Fixed Size 39816 bytes
Variable Size 4118448 bytes
Database Buffers 409600 bytes
Redo Buffers 8192 bytes
Database mounted.
Database opened.
<CSUserver>$$ORACLE_HOME/bin/lsnrctl start
LSNRCTL for Solaris:Version 2.3.4.0.0 - Production on 12-APR-00 09:40:46
Connecting to (ADDRESS=(PROTOCOL=IPC)(KEY=ciscosj))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Solaris:Version 2.3.4.0.0 - Production
Start Date 12-APR-00 09:40:50
Uptime 0 days 0 hr. 0 min. 0 sec
Trace Level off
Security OFF
SNMP OFF
Listener Parameter File /opt/oracle/product/7.3.4/network/admin/listener.ora
Listener Log File /opt/oracle/product/7.3.4/network/log/listener.log
Services Summary...
ciscoaus has 1 service handler(s)
The command completed successfully
Step 3 To verify that the Oracle database account information is created for CiscoSecure by the DBA, enter
Security Manager using the sqlplus process:
<CSUserver>$sqlplus csecure/csecure@ciscosj
Note Ensure that the assigned resource role/privilege for the username and password is
as shown.
The command returns a table with a column listing the privileges granted to the Oracle database
account. The default tablespace assigned to the Oracle database account must be at least 200MB. The
size is verified by the installation script.
Step 4 To confirm tnsnames service is operating correctly, invoke the tnsping utility as follows:
<CSUserver>$$ORACLE_HOME/bin/tnsping ciscosj
TNS Ping Utility for Solaris: Version 2.3.4.0.0 - Production on 29-FEB-00 09:25:28
Step 5 Ensure the number of Oracle RDBMS connections assigned to CiscoSecure is less than the
PROCESSES variable defined in the initciscosj.ora file. This parameter specifies the maximum number
of user processes that can simultaneously connect to an Oracle Server. If the value for PROCESSES is
set to 20, then only 13 or 14 concurrent connections can be assigned to CiscoSecure. For this case study,
at least four of the connections are reserved for mandatory background server processes. In addition,
the PROCESSES variable is set to 50 and the number of Oracle RDBMS connections is set to 50 during
the installation.
Step 1 Start the CSU installation process by invoking the pkgadd program.
The process that follows illustrates the general installation sequence. Extraneous output was omitted
where noted for brevity.
<CSUserver>$pkgadd -d CiscoSecure-2.3.3.solaris
Notice:
By using this product, you agree to be bound by the terms of
the license supplied with this product. If you do not agree
to these terms, promptly return the unused product, manuals,
related equipment, and hardware (with proof of purchase) to
the place of purchase for a full refund.
checking patches...
************************************************************************
* Notice: *
* This installation program saves your Database files from a previous *
* CiscoSecure install. If you have not installed CiscoSecure before, *
* you should answer YES to the next question. If you have performed *
* a 'package remove' and are installing a new version of CiscoSecure *
* and want to retain your previous Database files, you should answer *
* NO to the next question. *
************************************************************************
If the hostname of this server is not the same as its fully qualified domain
name (FQDN), enter the FQDN, e.g., www.cisco.com. Otherwise, press enter
to use the default (default: CSUserver) [?,q]
Choose Database
1 SQLAnywhere Sybase SQL Anywhere
2 ORACLE Oracle Enterprise
3 SYBASE Sybase Enterprise
Enter the TNS service name for the Oracle Server [?,q]ciscosj
Enter the number of Connections to use for ORACLE RDBMS (default: 4) [?,q]50
Enter the directory Path to use for the AAA server profile caching
(default: /, q to quit)?
DB Server Connections 50
Note Process output is omitted at this point because it is not relevant to the installation
task presented in this chapter.
Connected to jdbc:weblogic:oracle:ciscosj
Driver Weblogic, Inc. Java-OCI JDBC Driver (weblogicoci26)
Version 2.5.4
Note Process output is omitted at this point because it is not relevant to the installation
task presented in this chapter.
Successfully done.
Connected to jdbc:weblogic:oracle:ciscosj
Driver Weblogic, Inc. Java-OCI JDBC Driver (weblogicoci26)
Version 2.5.4
Successfully done.
Step 2 Configure CSU logging by editing /etc/syslog.conf to enable the AAA syslog function.
Add the following lines:
#added by rbrown@cisco.com on 02/28/00
local0.debug	/var/log/csuslog
Note Do not use spaces to separate the fields of the above statement in /etc/syslog.conf. Use
only tabs.
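The tab requirement in the Note above is easy to get wrong when the file is edited by hand, and syslogd gives no error for a line it silently ignores. The following checker is an added example, not part of the Cisco guide: the syslog.conf content it inspects is constructed, and the rule it enforces is the one the Note states (selector and action separated only by tabs). It also reports where local0.debug is actually routed.

```python
"""Validate /etc/syslog.conf entries for the CSU logging line.

Added example, not taken from the Cisco guide.  Solaris syslogd only
accepts entries whose selector and action are separated by tabs, which is
the pitfall the Note above warns about; this checker reports entries that
use spaces and confirms where local0.debug is routed.  The file content
below is constructed for illustration.
"""
import re

# Constructed sample: a comment, a correct tab-separated entry, a
# space-separated entry that syslogd would ignore, and an unrelated entry.
SAMPLE_SYSLOG_CONF = (
    "#added by rbrown@cisco.com on 02/28/00\n"
    "local0.debug\t/var/log/csuslog\n"
    "local1.debug /var/log/other\n"
    "*.err;kern.notice;auth.notice\t/dev/sysmsg\n"
)

# selector, separator, action; the separator is captured so it can be inspected.
ENTRY_RE = re.compile(r"^(?P<selector>\S+)(?P<sep>[ \t]+)(?P<action>\S+)\s*$")


def parse_syslog_conf(text):
    """Return (lineno, selector, action, tab_separated) for each non-comment line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            # Unparseable line: keep it visible rather than silently dropping it.
            entries.append((lineno, stripped, None, False))
            continue
        tab_separated = " " not in m.group("sep")
        entries.append((lineno, m.group("selector"), m.group("action"), tab_separated))
    return entries


def find_space_separated(text):
    """(lineno, selector) of entries syslogd will not load because spaces separate the fields."""
    return [(lineno, sel) for lineno, sel, _act, tab in parse_syslog_conf(text) if not tab]


def csu_log_target(text, facility="local0.debug"):
    """Destination file for the CSU facility, or None when no valid entry routes it."""
    for _lineno, sel, act, tab in parse_syslog_conf(text):
        if sel == facility and tab:
            return act
    return None
```

Run find_space_separated() over the real file after editing it; an empty list plus a non-None csu_log_target() means the csuslog entry will be loaded when syslogd is restarted.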
<CSUserver>$/etc/rc2.d/S80CiscoSecure
Note This CSU log fragment illustrates user csu_test being authenticated and permitted
privilege level 15 access.
<CSUserver>$tail -f /var/log/csuslog
Feb 29 16:52:28 CSUserver last message repeated 20 times
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - ACCOUNTING request (55d45ae8)
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - acct_token_cache_session_add_del: user: csu_test
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - acct_token_cache_session_add_del: user: csu_test
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - AUTHENTICATION START request (8f414e3e)
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG -
Feb 29 16:52:30 CSUserver User Access Verification
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - Username:
Feb 29 16:52:31 CSUserver CiscoSecure: WARNING - No swap files/partitions allocated
Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e)
Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - Password:
Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e)
Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - Authentication - LOGIN successful;[NAS = coe-ccie-35.cisco.com, Port = tty2, User = csu_test, Priv = 15]
Caution The example configuration fragments used throughout this chapter include IP addresses,
passwords, authentication keys, and other variables that are specific to this case study. If
you use these fragments as foundations for your own configurations, be sure that your
specifications apply to your environment.
Note See Chapter 2, “Implementing the Local AAA Subsystem,” for specifics of local AAA
implementation. See “1.1 AAA Technology Summary,” in Chapter 1 for brief definitions
of authentication, authorization, and accounting as they relate to AAA security
implementation.
Figure 4-1 provides the general scenario this case study is built around and illustrates the server-based
AAA components, including a AAA server and its associated AAA database.
[Figure 4-1 illustration; labels: Oracle dB server, Internet]
4.1 Implementing Server-Based TACACS+ Dialup
Authentication
The following section focuses on server-based dialup authentication configuration. In this context,
server-based refers to actions dependent upon an external AAA server. These actions are described in
a series of general steps along with related commands, server configurations, and diagnostic steps as
appropriate. Figure 4-2 illustrates a simplified TACACS+ server-based dial environment.
[Figure 4-2 illustration; labels: PSTN, Modem, IP, AAA server]
Caution When entering AddProfile to create users or groups, it is possible to successfully create
users or groups that have invalid database parameters that result in profile errors viewable
in /var/log/csuslog.
user = tac_dial{
profile_id = 23
profile_cycle = 1
password = pap "********"
service=ppp {
protocol=ip {
set addr-pool=default
set inacl=110
}
protocol=lcp {
}
}
Step 4 Verify and troubleshoot a shell-initiated PPP session authorization from the AAA server.
Enter the following UNIX server command to confirm that the authorization is operating correctly:
<CSUServer>$tail -f /var/log/csuslog
[Figure illustration: Server-based dial access; labels: PSTN, Modem, IP, AAA server]
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default if-needed group radius
!
interface Group-Async1
ip unnumbered Loopback0
no ip directed-broadcast
encapsulation ppp
ip tcp header-compression passive
no logging event link-status
dialer in-band
dialer idle-timeout 900
async mode interactive
no snmp trap link-status
peer default ip address pool default
no fair-queue
no cdp enable
ppp max-bad-auth 3
ppp authentication pap chap
group-range 1 48
!
line 1 48
exec-timeout 48 0
autoselect during-login
autoselect ppp
absolute-timeout 240
modem InOut
modem autoconfigure type mica
transport preferred telnet
transport input all
transport output lat pad telnet rlogin udptn v120 lapb-ta
b. Create a user in the AAA server by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rad_dial -pw pap,ciscorules
-a 'radius=Cisco{\n reply_attributes={\n 6=2 \n 7=1 \n}\n}\n'
Step 4 Enter the debug aaa authentication and debug ppp authorization commands to confirm
authentication from NAS perspective.
Step 5 Verify that access-list 110 is assigned to user rad_dial with the show caller user command.
[Figure illustration: Server-based VTY access (Telnet); labels: IP, AAA server]
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login NO_AUTHENT none
!
ip http server
ip http authentication aaa
ip tacacs source-interface Loopback0
!
tacacs-server host 172.22.53.201 key ciscorules
!
line con 0
login authentication NO_AUTHENT
Step 3 Create the member rtr_test and assign this user to group rtr_basic.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_test -pw des,ciscorules -pr
rtr_basic
Profile Successfully Added
Cisco IOS Command                                  Group: rtr_super  rtr_tech   rtr_low
debug all                                          Denied            Denied     Denied
debug *                                            Permitted         Permitted  Denied
clear *                                            Permitted         Permitted  Denied
reload                                             Permitted         Denied     Denied
show running-config (write terminal)               Permitted         Denied     Denied
copy running-config startup-config (write memory)  Permitted         Permitted  Denied
configure terminal                                 Permitted         Denied     Denied
Figure 4-5 provides a flowchart that depicts AAA server-based authentication and authorization
between a router and an AAA server. Troubleshooting and verifying is divided into three stages:
authentication, EXEC authorization and command authorization. Each stage is accompanied by
information particular to that stage:
• Cisco IOS Configuration Fragments (on left)
• Troubleshooting and verification methods for the router and AAA server (on right)
[Figure 4-5 flowchart; stages: EXEC Authorization (AAA authorization begins (EXEC)); Command Authorization (AAA authorization command begins (command))]
Note Some versions of boot ROMs do not recognize all AAA commands. Be sure to
disable AAA authentication and authorization before changing to boot ROM
mode. For configuration notes regarding disabling AAA to access boot ROM
mode, see Appendix B, “AAA Impact on Maintenance Tasks.”
Step 1 Configure TACACS+ server-based authorization from the console port on the router.
Include the following Cisco IOS configuration commands in your configuration to enforce router-based
security with TACACS+:
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login NO_AUTHENT none
aaa authorization commands 15 NO_AUTHOR none
aaa authorization exec default group tacacs+
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+
!
ip http server
ip http authentication aaa
ip tacacs source-interface Loopback0
!
tacacs-server host 172.22.53.201 key ciscorules
!
line con 0
authorization commands 15 NO_AUTHOR
authorization exec NO_AUTHOR
login authentication NO_AUTHENT
Step 2 Configure, verify, and test operation of the AAA server group rtr_low.
The following steps illustrate configuring, verifying, and testing group rtr_low for compliance with the
requirements specified in Table 4-1:
a. Create the group rtr_low.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_low -a
'service=shell{\ndefault cmd=deny\n}\n'
Profile Successfully Added
c. Create the member rtr_dweeb and assign this user to group rtr_low.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_dweeb -pr rtr_low -pw
des,ciscorules
Profile Successfully Added
e. Test the Cisco IOS commands for the user rtr_dweeb (see Table 4-1), with these actions:
– Simultaneously monitor the output of debug aaa authorization from a console shell session
and the AAA server csuslog file.
– Log in to the router by using a new terminal window with the rtr_dweeb account and enter the
commands shown in Table 4-1.
– From the AAA server, enter the following command to obtain the matching csuslog content:
<CSUserver>$tail -f /var/log/csuslog
Step 3 Configure, verify, and test operation of the AAA server group rtr_tech.
The following tasks illustrate configuring, verifying, and testing group rtr_tech for compliance with the
requirements specified in Table 4-1:
a. Create the group rtr_tech.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_tech -a 'service=shell
{\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\ncmd=reload{\ndeny
all\n}\ncmd=configure{\ndeny .*}\n}\n'
c. Create the member rtr_techie and assign this user to group rtr_tech.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_techie -pr rtr_tech -pw
des,ciscorules
Profile Successfully Added
e. Test the Cisco IOS commands for the user rtr_techie (see Table 4-1) with these actions:
– Simultaneously monitor the output of debug aaa authorization from a console shell session
and the AAA server csuslog file.
– Log in to the router by using a new terminal window with the rtr_techie account and enter the
commands shown in Table 4-1.
– From the AAA server, enter the following command to obtain the matching csuslog content:
<CSUserver>$tail -f /var/log/csuslog
Step 4 Configure, verify, and test operation of AAA server Group rtr_super.
The following tasks illustrate configuring, verifying, and testing group rtr_super for compliance with
the requirements specified in Table 4-1:
a. Create the group rtr_super.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_super -a 'service=shell
{\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\n}\n'
Profile Successfully Added
c. Create the member rtr_geek and assign this user to group rtr_super.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_geek -pr rtr_super -pw
des,ciscorules
Profile Successfully Added
e. Test the Cisco IOS commands for the user rtr_geek (see Table 4-1) with these commands:
– Simultaneously monitor the output of debug aaa authorization from a console shell session
and the AAA server csuslog file.
– Log in to the router by using a new terminal window with the rtr_geek account and enter the
commands shown in Table 4-1.
– From the AAA server, enter the following command to obtain the matching csuslog content:
<CSUserver>$tail -f /var/log/csuslog
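Before testing each group interactively against the router, it helps to check the three AddProfile strings against Table 4-1 offline. The following evaluator is an added example, not code from the Cisco guide. The profile strings are the ones passed with -a in Steps 2, 3 and 4 (written with real newlines instead of the \n escapes typed on the command line); "debug ip packet" and "clear line 1" are constructed concrete commands standing in for the table's "debug *" and "clear *" rows. The matching semantics are this example's assumption, since the guide does not spell them out: default cmd decides commands that have no cmd= block, the deny/permit patterns inside a cmd= block are egrep-style regular expressions tested in order against the command's argument string, and a listed command whose arguments match no pattern is denied. Under those semantics audit() reports exactly one cell the strings do not satisfy: the rtr_tech profile has no cmd=show block, so default cmd=permit lets show running-config through although Table 4-1 marks it Denied, which is worth confirming on the server before relying on the group.

```python
"""Model CiscoSecure shell command authorization and audit it against Table 4-1.

Added example, not code from the Cisco guide.  The three profile strings
are the ones given to AddProfile -a in Steps 2, 3 and 4, written with real
newlines instead of the \\n escapes typed on the command line.  The
matching semantics are this example's assumption: 'default cmd' decides
commands that have no cmd= block; inside a cmd= block the deny/permit
patterns are egrep-style regular expressions tested in order against the
argument string, and a listed command whose arguments match no pattern
is denied.
"""
import re

PROFILES = {
    "rtr_low": "service=shell{\ndefault cmd=deny\n}\n",
    "rtr_tech": (
        "service=shell\n{\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\n"
        "cmd=reload{\ndeny all\n}\ncmd=configure{\ndeny .*}\n}\n"
    ),
    "rtr_super": "service=shell\n{\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\n}\n",
}

# Table 4-1, with constructed concrete commands standing in for 'debug *' and 'clear *'.
TABLE_4_1 = {
    "debug all":                          {"rtr_super": False, "rtr_tech": False, "rtr_low": False},
    "debug ip packet":                    {"rtr_super": True,  "rtr_tech": True,  "rtr_low": False},
    "clear line 1":                       {"rtr_super": True,  "rtr_tech": True,  "rtr_low": False},
    "reload":                             {"rtr_super": True,  "rtr_tech": False, "rtr_low": False},
    "show running-config":                {"rtr_super": True,  "rtr_tech": False, "rtr_low": False},
    "copy running-config startup-config": {"rtr_super": True,  "rtr_tech": True,  "rtr_low": False},
    "configure terminal":                 {"rtr_super": True,  "rtr_tech": False, "rtr_low": False},
}


def parse_shell_profile(av_text):
    """Parse 'service=shell { ... }' into (default_permit, {cmd: [(action, pattern), ...]})."""
    # Give every brace its own token so 'cmd=debug {' and 'deny .*}' both parse.
    tokens = [t.strip() for t in re.sub(r"([{}])", r"\n\1\n", av_text).split("\n") if t.strip()]
    default_permit, rules, current, depth = False, {}, None, 0
    for tok in tokens:
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
            if depth <= 1:          # leaving a cmd= block (or the service block)
                current = None
        elif tok.startswith("default cmd="):
            default_permit = tok.split("=", 1)[1].strip() == "permit"
        elif tok.startswith("cmd="):
            current = tok.split("=", 1)[1].strip()
            rules[current] = []
        elif current is not None:
            action, _, pattern = tok.partition(" ")
            rules[current].append((action, pattern.strip()))
        # 'service=shell' and anything else outside a cmd= block is ignored.
    return default_permit, rules


def is_permitted(profile, command_line):
    """Apply the parsed profile to one IOS command line (assumed semantics, see above)."""
    default_permit, rules = profile
    cmd, _, args = command_line.strip().partition(" ")
    if cmd not in rules:
        return default_permit
    for action, pattern in rules[cmd]:
        if re.search(pattern, args):
            return action == "permit"
    return False


def _word(permitted):
    return "Permitted" if permitted else "Denied"


def audit(profiles=PROFILES, table=TABLE_4_1):
    """(group, command, expected, actual) for every table cell the profile does not satisfy."""
    parsed = {group: parse_shell_profile(text) for group, text in profiles.items()}
    mismatches = []
    for command, expectations in table.items():
        for group, expected in expectations.items():
            actual = is_permitted(parsed[group], command)
            if actual != expected:
                mismatches.append((group, command, _word(expected), _word(actual)))
    return mismatches
```

To extend a profile, add the cmd= block to the string and rerun audit(); an empty list means every row of the table is satisfied under the assumed semantics.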
Caution The example configuration fragments used throughout this chapter include IP addresses,
passwords, authentication keys, and other variables that are specific to this case study. If
you use these fragments as foundations for your own configurations, be sure that your
specifications apply to your environment.
Note See “1.1 AAA Technology Summary,” in Chapter 1 for brief definitions of authentication,
authorization, and accounting as they relate to AAA security implementation.
Step 1 Configure the server-based RADIUS dial accounting on the AAA server.
Include the following configuration line in /opt/ciscosecure/CLI/config/CSU.cfg to enable group
membership accounting:
config_acct_fn_enable = 1
Step 3 Verify and troubleshoot server-based accounting from the AAA server by using an SQL query against
the Oracle database instance.
The following examples illustrate the use of SQL query commands to monitor user rad_dial being
disconnected because of the idle time configured with the session-timeout line configuration command on
the NAS:
<CSUServer>$/export/home/oracle> sqlplus
Enter user-name:csecure/csecure@ciscoaus
Connected to:
Oracle7 Server Release 7.3.4.0.1 - Production
PL/SQL Release 2.3.4.0.0 - Production
Note The disc-cause and disc-cause-ext output both reflect idle timeouts from
Table 5-1 listed in “5.3 AAA Disconnect Cause Code Descriptions” in this
chapter.
Note User rad_dial dials into maui-nas-03. Note the session-timeout was applied.
User rad_dial is disconnected after 15 minutes of inactivity and an accounting packet is sent to the AAA
Server:
maui-nas-03#show debug
General OS:
AAA Accounting debugging is on
Note The disc-cause and disc-cause-ext both reflect idle timeouts from Table 5-1
listed in “5.3 AAA Disconnect Cause Code Descriptions” in this chapter.
Step 1 Configure the server-based TACACS+ router accounting on the AAA server.
config_acct_fn_enable = 1
For detailed accounting performance, go to:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23ug/acctg.htm#xtocid84517
Step 2 Configure server-based TACACS+ EXEC and command level accounting on the router.
Include the following Cisco IOS commands in your configuration file to enable router EXEC and
command AAA authentication, authorization, and accounting:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
line con 0
authorization commands 15 NO_AUTHOR
authorization exec NO_AUTHOR
login authentication NO_AUTHEN
Note Authentication and authorization is disabled on the console port with the use of
the NO_AUTHEN and NO_AUTHOR named lists.
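Because a line picks up the default list for every AAA function it does not name explicitly, the effective behaviour of a fragment like the one in Step 2 is not obvious from reading it top to bottom. The resolver below is an added example, not code from the Cisco guide: it parses the Step 2 fragment plus a constructed line vty 0 4 block that has no per-line overrides, and reports for each line block which methods handle login authentication and EXEC/command authorization, so the console's NO_AUTHEN/NO_AUTHOR lists resolving to none is visible next to the vty lines falling back to tacacs+.

```python
"""Resolve the AAA method lists that actually apply to each IOS line.

Added example, not code from the Cisco guide.  It parses a fragment like
the one in Step 2 and reports, per 'line' block, which methods handle
login authentication and EXEC/command authorization.  The sample is the
Step 2 fragment plus a constructed 'line vty 0 4' block with no per-line
overrides; accounting lists are out of scope here.
"""
import re

SAMPLE_IOS_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
line con 0
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 login authentication NO_AUTHEN
line vty 0 4
 transport input telnet
"""

# Global method-list definitions.
AAA_RE = re.compile(
    r"^aaa (?P<kind>authentication login|authorization exec|authorization commands \d+) "
    r"(?P<list>\S+) (?P<methods>.+)$"
)
LINE_RE = re.compile(r"^line (?P<name>.+)$")
# Per-line assignment of a named list to a function.
OVERRIDE_RE = re.compile(
    r"^(?P<kind>login authentication|authorization exec|authorization commands \d+) (?P<list>\S+)$"
)


def _kind_key(kind):
    """Normalize 'authentication login' / 'login authentication' etc. to one key."""
    if "login" in kind:
        return "login"
    if "exec" in kind:
        return "exec"
    return "commands " + kind.split()[-1]


def _split_methods(text):
    """'group tacacs+ local' -> ['group tacacs+', 'local']."""
    tokens, methods, i = text.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_config(config):
    """Return ({(kind, list_name): methods}, {line_name: {kind: list_name}})."""
    method_lists, overrides, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        m = AAA_RE.match(text)
        if m:
            method_lists[(_kind_key(m.group("kind")), m.group("list"))] = _split_methods(m.group("methods"))
            current = None
            continue
        m = LINE_RE.match(text)
        if m:
            current = m.group("name")
            overrides.setdefault(current, {})
            continue
        m = OVERRIDE_RE.match(text) if current else None
        if m:
            overrides[current][_kind_key(m.group("kind"))] = m.group("list")
    return method_lists, overrides


def effective_methods(config):
    """Per line block, the method sequence for every AAA function defined globally.

    A function with no per-line list uses 'default'; if no default list exists
    either, the function is reported as ['not configured'].
    """
    method_lists, overrides = parse_config(config)
    kinds = sorted({kind for kind, _ in method_lists})
    return {
        line_name: {
            kind: method_lists.get((kind, per_line.get(kind, "default")), ["not configured"])
            for kind in kinds
        }
        for line_name, per_line in overrides.items()
    }


def lines_without_authentication(config):
    """Line blocks whose effective login method list is only 'none'."""
    return sorted(name for name, per in effective_methods(config).items() if per.get("login") == ["none"])
```

lines_without_authentication() is the quick check: in this case study it should return only the console, and any vty line appearing in it would mean a named list with none had been applied where TACACS+ was intended.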
Step 3 Verify and troubleshoot server-based accounting from the AAA server by using an SQL query against
the Oracle database instance.
The following example illustrates the use of the SQL query select command to monitor user rtr_geek
entering the configure terminal privilege level 15 command:
SQL>select * from cs_accounting_log where blob_data like '%rtr_geek%';
Step 4 Verify and troubleshoot server-based accounting operation from the router.
Enter the configure terminal command to test AAA accounting behavior as follows (be sure the
debug aaa accounting command is enabled):
maui-nas-03#show debug
General OS:
AAA Accounting debugging is on
maui-nas-03#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
maui-nas-03(config)#^Z
This debug command output results from entering the configure terminal command:
*Apr 17 18:14:45.722 CST: AAA/ACCT/CMD: User rtr_geek, Port tty0, Priv 15:
"configure terminal <cr>"
*Apr 17 18:14:45.722 CST: AAA/ACCT/CMD: Found list "default"
*Apr 17 18:14:45.726 CST: AAA/ACCT: user rtr_geek, acct type 3 (1057208544):
Method=tacacs+ (tacacs+)
*Apr 17 18:14:45.930 CST: TAC+: (1057208544): received acct response status = SUCCESS
This chapter focuses on diagnosing and troubleshooting negotiations between AAA devices. This
section reviews the case study environment and outlines the protocol flows associated with AAA
negotiations in the context of this network environment. The subsequent sections focus on specific
troubleshooting techniques as follows:
• 6.1 Overview of Authentication and Authorization Processes
• 6.2 Troubleshooting AAA Implementation
• 6.3 AAA Troubleshooting Basics
• 6.4 Troubleshooting Scenarios
[Figure 6-1 illustration; labels: Oracle dB server, Internet]
The negotiation suggested in Figure 6-1 is expanded in Figure 6-2 which presents the logical flow of
the authentication and authorization processes and illustrates the relationship between the elements
within the TACACS+ based AAA negotiation. While the network access server (NAS) communicates
directly with the AAA server, the AAA server in turn exchanges information with the Oracle database
server.
[Figure 6-2 flowchart; labels: Network access server, TACACS+ query, CiscoSecure ACS, Valid user, Oracle database, Authorization, Pass/Fail results]
The RADIUS dial-access authentication and authorization illustrated in Figure 6-3 describes RADIUS
negotiation between the NAS and the AAA server. User rad_dial is permitted PPP access through
EXEC shell (character mode) or autoselect PPP (packet mode).
[Figure 6-3 RADIUS flow; labels: AAA Server, Access request, Send username/password, Authentication and Authorization; User Configuration: user=rad_dial{ password=PAP "****" }]
Note Unlike TACACS+, the authentication and authorization processes are not handled as
separate stages in RADIUS-based AAA access control.
Figure 6-4 and Figure 6-5 expand on the basic negotiation flow depicted in Figure 6-2 by illustrating
the specific TACACS+ negotiation process associated with particular users, as defined in their
respective CSU profiles.
Figure 6-4 TACACS+ Dial Access Authentication and Authorization Session (EXEC Enabled)
[Figure 6-4 flow; Authentication: Send start, Get user (Oracle DB), Send user, Get pass, Send password, Pass; Authorization: Send AV service = shell, AV cmd*, Pass; CSU User Configuration: user x = { password = PAP, service = shell { default_cmd = permit } }]
The difference in authorization behavior stems from the use of two commands in the AAA server user
configurations. The default_cmd=permit command included in the example in Figure 6-4 enables
default privilege level 15 commands for user x.
As configured in Figure 6-4, the session for user x depicts a process that involves either a shell initiated
or a standard PPP session. The same negotiations are used in initiating shell access to a router.
Both figures depict the stages of dial access authentication and authorization sessions between an access
server and an AAA server. The key difference is defined in the CSU user configuration (profiles)
included in each illustration. In Figure 6-4, EXEC shell access authorization is permitted while it is not
permitted in the illustration depicted in Figure 6-5.
Figure 6-5 TACACS+ Dial Access Authentication and Authorization Session (EXEC Shell Disabled)
[Figure 6-5 flow; Authentication: Send start, Get user (Oracle database), Send Abort, Autoselect PPP, user = x, Authenticate peer (user = y), Send password, Pass; Authorization: service = ppp, protocol = lcp, LCP CONFREQ request for options, Pass, Network; CSU User Configuration: user = y { password = PAP, service = shell { set autocmd = ppp negotiate }, service = ppp { protocol = ip { set addr pool = default }, protocol = lcp { } } }]
The example session illustrated in Figure 6-5 omits the default_cmd=permit AVP and instead includes
the autocmd=ppp negotiate AVP disabling EXEC shell access to IOS devices. User y fails any attempt
to access the router and receives the message PPP not allowed on this interface as a result of the
PPP configuration statement. This distinction provides an element of security, blocking access to
routers.
Enabling this debug command displays RADIUS interaction between the IOS client and the AAA
server.
In addition to debug command output gathered directly from devices running Cisco IOS, a Cisco AAA
server can be configured to collect important operational diagnostics.
Go to the following link for information regarding configuring and using CSU ACS logs:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23rg/troubles.htm
Note Some of the symptoms described in the following tables can be caused by a variety of
problems other than AAA issues. Because this case study focuses on AAA-based security
topics, the problems and diagnostics provided here focus on AAA issues.
Table 6-1 Single User Failure; Individual Dial-in User Connection Fails
Table 6-2 Multiple User Failure; All Dial-in Users Unable to Connect to NAS
or
Table 6-3 Single User Failure; Individual User Unable to Make Connection (RADIUS and TACACS+)
max-sessions
Maximum-Channels
Table 6-4 Multiple User Failure; All Dial-in Users Unable to Connect to NAS (RADIUS and TACACS+)
<CSUserver>$tail -f /var/log/csuslog
or
Table 6-9 Multiple Users Cannot Start PPP (RADIUS and TACACS+)
or
service=ppp
protocol=lcp
protocol=ip
Service-Type=Framed
Framed-Protocol=ppp
Possible Cause Group lacks shell service assigned (EXEC shell-initiated PPP session only).
Action 1. To view group profile, enter:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
service=shell
User-Service-Type (Shell-User)
or
Table 6-11 User or Group Members Unable to Access Specific Host or Network Service (RADIUS and TACACS+)
Possible Cause User or group profile restricted.
Action To verify group account not restricted with max-links AVP, enter:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
Table 6-14 Session Fails to Disconnect After Expected Idle Timeout (TACACS+)
Table 6-15 Session Fails to Disconnect After Expected Idle Timeout (RADIUS)
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
Maximum-Channels
Table 6-20 Single User Failure; Individual Dial-in User Connection Fails
Table 6-21 Multiple User Failure; All Dial-in Users Unable to Connect to Router
Table 6-22 Users Can Access Router by Using Console or VTY, but Not Both
line con 0
line vty 0 4
Table 6-23 Single User Failure; Individual User Unable to Make a Connection
Table 6-24 Multiple User Failure; All Dial-In Users Unable to Connect to the Router
Table 6-25 Users Pass Authentication on Console or VTY, but Not Both
line con 0
line vty 0 4
Example: If aaa authorization commands is used, ensure the method specified is local.
Possible Cause User profile lacks appropriate privilege level to perform command.
Action To review privilege configuration in router, enter:
<router>#show running-config
Example: Cisco IOS command aaa authorization commands 15 default local is used, but user does
not have a corresponding privilege level assigned.
Possible Cause User profile lacks appropriate enable level to perform command.
Action To review enable privilege level configuration in router, enter:
<router>#show running-config
enable 15 secret
enable 10 secret2
Table 6-29 Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected”
Example: If aaa authorization commands is used, ensure the method specified is tacacs+.
Possible Cause User profile lacks appropriate privilege level to perform command.
Action To view user profile for appropriate priv-lvl=x AVP, enter:
<CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username
Possible Cause User profile lacks appropriate enable privilege level to perform command.
Action To view user profile for appropriate enable privilege level, enter:
<CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username
For example:
privilege = des "********" 15
Table 6-33 Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected”
Table 6-34 Router User Unable to Initiate Shell Session with Router
Symptom Multiple user failure; all dial-in users unable to connect to NAS. See Table 6-4.
Possible Cause TACACS+ key incorrect in NAS or AAA server. See Table 6-4.
Action Complete troubleshooting steps to isolate and resolve this possible cause.
Step 1 Gather general debug command information from the NAS. The following output is from a debug aaa
authentication command executed on a NAS. The last line of this debug output shows the failure
expressed for user dial_tac.
088189: Jan 27 18:37:22.972 CST: AAA/MEMORY: create_user (0x61D7A2E0) user='' ruser='' port='tty51' rem_addr='172.22.2.3' authen_type=ASCII service=LOGIN priv=1
088190: Jan 27 18:37:22.976 CST: AAA/AUTHEN/START (953379418): port='tty51' list= =3035625154
088203: Jan 27 18:37:26.216 CST: TAC+: ver=192 id=3035625154 received AUTHEN status = GETPASS
088204: Jan 27 18:37:26.216 CST: AAA/AUTHEN (3035625154): status = GETPASS
088205: Jan 27 18:37:30.337 CST: AAA/AUTHEN/CONT (3035625154): continue_login (user='dial_tac')
088206: Jan 27 18:37:30.337 CST: AAA/AUTHEN (3035625154): status = GETPASS
088207: Jan 27 18:37:30.337 CST: AAA/AUTHEN (3035625154): Method=ADMIN (tacacs+)
088208: Jan 27 18:37:30.337 CST: TAC+: send AUTHEN/CONT packet id=3035625154
088209: Jan 27 18:37:30.637 CST: TAC+: ver=192 id=3035625154 received AUTHEN status = FAIL
Step 2 Enter the following command to assess warnings and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog
The AAA server log file reports the following warning when no key is specified (indicating that there
is no encryption key):
Jan 27 18:35:17 coachella CiscoSecure: WARNING - Insecure configuration: No encryption key for NAS <default>
Step 3 Review NAS configurations for shared secret configuration. To obtain the NAS configuration, enter:
<NAS>#show running-config
The following configuration fragment specifies the TACACS+ server and key. In this case, the key is
bobbit.
tacacs-server host 172.22.53.201 key bobbit
Review the AAA server configuration for the corresponding server shared secret configuration. View
the CSU.cfg file with vi (or a similar tool):
<CSUserver>$vi /opt/ciscosecure/config/CSU.cfg
Find the key configuration in the CSU.cfg AAA server configuration file and review it for the NAS
specification. In this example, this configuration is missing.
NAS config_nas_config =
{
{
"172.22.53.201",
"",
If the key is properly configured, it appears between the quotation marks following the IP address
specification. In this case, the key is missing. Because it is not specified in the AAA server
configuration file, users’ access is blocked.
Step 4 Update key specifications and restart the AAA server. Verify successful dialup operation.
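Reviewing config_nas_config by eye works for one NAS; with many entries it is easier to have the empty key fields listed. The audit below is an added example, not part of the Cisco guide. It reads a config_nas_config block in the layout shown in Step 3 and reports each NAS entry whose key (the quoted string after the IP address) is empty, which is the condition behind the warning in Step 2. Only the first two quoted fields of an entry are interpreted; the sample text, its second entry (with the key from the Step 3 fragment) and the assumption that any further fields can be ignored are this example's, not the guide's.

```python
"""Audit the NAS shared-secret table in CSU.cfg for empty TACACS+ keys.

Added example, not part of the Cisco guide.  It reads a config_nas_config
block in the layout shown in Step 3 and reports each NAS entry whose key
(the quoted string after the IP address) is empty.  Only the first two
quoted fields of an entry are interpreted; the sample text, its second
entry and the assumption that any further fields can be ignored are this
example's, not the guide's.
"""
import re

# Constructed fragment: the entry from the troubleshooting step (key missing)
# plus a second NAS whose key is set.
SAMPLE_CSU_CFG = """\
NAS config_nas_config =
{
    {
        "172.22.53.201",
        "",
    },
    {
        "172.22.63.1",
        "bobbit",
    },
};
"""

ENTRY_RE = re.compile(r"\{(?P<fields>[^{}]*)\}")   # innermost { ... } groups only
QUOTED_RE = re.compile(r'"([^"]*)"')


def parse_nas_config(text):
    """Return [(nas_address, key), ...] from the config_nas_config block."""
    start = text.find("config_nas_config")
    if start < 0:
        return []
    entries = []
    for entry in ENTRY_RE.finditer(text, start):
        fields = QUOTED_RE.findall(entry.group("fields"))
        if len(fields) >= 2:
            entries.append((fields[0], fields[1]))
    return entries


def nas_without_key(text):
    """NAS addresses configured with an empty shared secret."""
    return [nas for nas, key in parse_nas_config(text) if key == ""]


def key_for(text, nas_address):
    """Shared secret the server would use for nas_address, or None if unset or absent."""
    for nas, key in parse_nas_config(text):
        if nas == nas_address:
            return key or None
    return None
```

Run nas_without_key() on the CSU.cfg text after every key change and before restarting the server; a non-empty result means at least one NAS will still be served without encryption, and key_for() with the NAS address from the warning shows whether the NAS is listed at all or is falling through to <default>.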
Symptom Single user failure; individual dial-in user unable to connect to NAS. See Table 6-3.
Action Complete troubleshooting steps to isolate and resolve this possible cause.
Step 1 Gather general debug command information from the NAS. The following output is from a debug aaa
authentication command executed on a NAS. This command results in a stream of diagnostic output.
The last line in the following output shows the AAA authentication request sent to AAA server for user
dial_tac:
092852: Jan 27 22:19:06.713 CST: AAA/AUTHEN (543609479): status = GETPASS
092853: Jan 27 22:19:07.985 CST: AAA/AUTHEN/CONT (543609479): continue_login (user='dial_tac')
Step 2 Enter the tail command to assess warning and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog
In this case, the AAA server log reports an incorrect password for user dial_tac:
Jan 27 22:19:08 coachella CiscoSecure: NOTICE - Authentication - Incorrect password; [NAS = 172.22.63.1, Port = tty51, User = dial_tac, Service = 1, Priv = 1]
Jan 27 22:19:08 coachella CiscoSecure: INFO - Profile: user = dial_tac {
Jan 27 22:19:08 coachella set server current-failed-logins = 1
Note Following the failure, the current-failed-login counter increments. This counter
is described in Table 6-3.
Step 3 If the user does not exist in the database (but should), create a new user, or provide feedback if password
or login were entered incorrectly by the user.
Symptom Single user failure; individual dial-in user unable to connect to NAS. See Table 6-3.
Possible Cause User does not exist in the database. See Table 6-3.
Action Complete troubleshooting steps to isolate and resolve this possible cause.
Step 1 Gather general debug command information from the NAS. The following output is from a debug aaa
authentication command executed on a NAS.
The following output fragment shows the AAA process starting on NAS.
092794: Jan 27 22:15:39.132 CST: AAA/MEMORY: create_user (0x61D87A70) user='' ruser='' port='tty51' rem_addr='172.22.2.3' authen_type=ASCII service=LOGIN priv=1
092795: Jan 27 22:15:39.132 CST: AAA/AUTHEN/START (3576082779): port='tty51' list='INSIDE' action=LOGIN service=LOGIN
The NAS then receives the authentication FAIL message from the AAA server:
092813: Jan 27 22:15:43.340 CST: TAC+: send AUTHEN/CONT packet id=3285027777
092814: Jan 27 22:15:43.540 CST: TAC+: ver=192 id=3285027777 received AUTHEN status = FAIL
092815: Jan 27 22:15:43.540 CST: AAA/AUTHEN (3285027777): status = FAIL
Step 2 Enter the following command to assess warning and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog
The AAA server log file shows that the AAA server did not find user dial_test in its cache (profile
caching is enabled):
Jan 27 22:15:41 coachella CiscoSecure: DEBUG - Profile USER = dial_test not found in cache.
The AAA server log file also shows that the AAA server did not find the user in the database; next, the
AAA server searches for the unknown_user account:
Jan 27 22:15:41 coachella CiscoSecure: WARNING - User dial_test not found, using unknown_user
After exhausting its search, the AAA server again reports that the user was not found:
Jan 27 22:15:41 coachella CiscoSecure: DEBUG - Password:
Jan 27 22:15:43 coachella CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (c3cd8bc1)
Jan 27 22:15:43 coachella CiscoSecure: DEBUG - Authentication - User not found; [NAS = 172.22.63.1, Port = tty51, User = dial_test, Service = 1]
Step 3 Enter the following command to view a user profile in the database:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u dial_test
Error: Unable to find profile
RC = 3
Step 4 If the user does not exist in the database (but should), create a new user, or provide feedback if password
or login were entered incorrectly by the user.
Possible Cause Group does not have service=ppp AVP assigned. See Table 6-9.
Action Complete troubleshooting steps to isolate and resolve this possible cause.
Step 1 Gather general debug command information from the NAS. The following output is from a debug aaa
authentication command executed on a NAS. The following output fragment shows the PPP service
authorization request being initiated for user dial_tac; then, being denied by the AAA server:
111802: Feb 3 20:48:53.015 CST: As2 AAA/AUTHOR/LCP (153050196): send AV service=ppp
111803: Feb 3 20:48:53.015 CST: As2 AAA/AUTHOR/LCP (153050196): send AV protocol=lcp
111804: Feb 3 20:48:53.015 CST: As2 AAA/AUTHOR/LCP (153050196): found list "default"
111805: Feb 3 20:48:53.015 CST: As2 AAA/AUTHOR/LCP (153050196): Method=tacacs+(tacacs+)
111806: Feb 3 20:48:53.015 CST: AAA/AUTHOR/TAC+: (153050196): user=dial_tac
111807: Feb 3 20:48:53.015 CST: AAA/AUTHOR/TAC+: (153050196): send AV service=ppp
111808: Feb 3 20:48:53.015 CST: AAA/AUTHOR/TAC+: (153050196): send AV protocol=lcp
111809: Feb 3 20:48:53.219 CST: As2 AAA/AUTHOR (153050196): Post authorization status = FAIL
111810: Feb 3 20:48:53.219 CST: As2 AAA/AUTHOR/LCP: Denied
Step 2 Enter the following command to assess warning and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog
AAA server log file shows that the AAA server successfully authenticated the user, but that the PPP
service request was denied due to an authorization failure:
Feb 3 20:48:58 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS =
172.22.63.1, Port = Async2, User = dial_tac, Priv = 1]
Feb 3 20:48:58 coachella CiscoSecure: DEBUG - AUTHORIZATION request (468d69de)
Feb 3 20:48:58 coachella CiscoSecure: DEBUG - Authorization - Failed service; [
NAS = 172.22.63.1, user = dial_tac, port = Async2, input: service=ppp protocol=lcp
output: ]
6.4.5 Isolating Defined AVPs not Being Assigned (TACACS+ Dial-Based Server Authorization)
This scenario focuses on a server-authorization failure for a dial-based connection and provides a
statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics
include output from relevant debug commands and other troubleshooting tools. See Table 6-10 for
additional related problems.
Action Complete troubleshooting steps to isolate and resolve this possible cause.
Step 1 Review the group profile. In this case, the group profile shows inacl=110 is assigned to the
aaa_test_group profile:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g aaa_test_group
Group Profile Information
group = aaa_test_group{
profile_id = 64
profile_cycle = 7
service=ppp {
protocol=ip {
inacl=110
}
protocol=lcp {
}
}
}
Step 2 Gather general debug command information from the NAS. The following output is from a debug aaa
authentication command executed on a NAS. The following output fragment shows that no AAA
authorization for service=net is taking place.
112037: Feb 3 21:18:04.994 CST: AAA/MEMORY: create_user (0x61DF0AE8) user='dial_tac'
ruser='' port='Async5' rem_addr='async/81560' authen_type=PAP service=PPP priv=1
Step 3 Enter the following command to assess warnings and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog
The following log file fragment confirms that access is permitted with no AAA authentication.
Feb 3 21:18:05 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS =
172.22.63.1, Port = Async5, User = dial_tac, Priv = 1]
Feb 3 21:18:05 coachella CiscoSecure: INFO - Profile: user = dial_tac {
Feb 3 21:18:05 coachella set server current-failed-logins = 0
Feb 3 21:18:05 coachella profile_cycle = 12
Feb 3 21:18:05 coachella }
Step 4 Add the aaa authorization network default group tacacs+ global command to the NAS configuration.
Symptom No EXEC shell (terminal window after dial). See Table 6-16.
Possible Cause User or group does not have service=shell AVP assigned. See Table 6-16.
Action Complete troubleshooting steps to isolate and resolve this possible cause.
Step 1 Gather general debug command information from the NAS. The following output is from a debug aaa
authentication command executed on a NAS. The following output fragment shows the request sent to the
AAA server to start service=shell:
092730: Jan 27 21:57:41.355 CST: tty52 AAA/AUTHOR/EXEC (3818889333): Port=’tty52’
list=’INSIDE’ service=EXEC
092738: Jan 27 21:57:41.355 CST: tty52 AAA/AUTHOR/EXEC (3818889333): Method=ADMIN
(tacacs+)
092739: Jan 27 21:57:41.355 CST: AAA/AUTHOR/TAC+: (3818889333): user=dial_tac
092740: Jan 27 21:57:41.355 CST: AAA/AUTHOR/TAC+: (3818889333): send AV service=shell
The following output fragments illustrate notification of the failure from AAA server for service=shell:
092741: Jan 27 21:57:41.355 CST: AAA/AUTHOR/TAC+: (3818889333): send AV cmd*
092742: Jan 27 21:57:41.559 CST: AAA/AUTHOR (3818889333): Post authorization status =
FAIL
The following fragment illustrates the Authorization FAILED message being detected by the debug aaa
authorization process:
092743: Jan 27 21:57:41.559 CST: AAA/AUTHOR/EXEC: Authorization FAILED
092744: Jan 27 21:57:43.559 CST: AAA/MEMORY: free_user (0x61D87A70) user='dial_tac'
ruser='' port='tty52' rem_addr='172.22.2.3' authen_type=ASCII service=LOGIN priv=1
Step 2 Enter the following command to assess warnings and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog
In this case, the authentication succeeds for user dial_tac, as illustrated in the following csuslog file
fragment:
Jan 27 21:57:40 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS =
172.22.63.1, Port = tty52, User = dial_tac, Priv = 1]
However, the csuslog file also shows that the authorization failed service for user dial_tac because the
service=shell AVP is not assigned:
Jan 27 21:57:40 coachella CiscoSecure: DEBUG -
Jan 27 21:57:41 coachella CiscoSecure: DEBUG - AUTHORIZATION request (e39fa075)
Jan 27 21:57:41 coachella CiscoSecure: DEBUG - Authorization - Failed service; [NAS =
172.22.63.1, user = dial_tac, port = tty52, input: service=shell cmd* output: ]
Step 3 Enter the following command to review the user profile. This profile shows that the AVP service=shell
is not assigned to user dial_tac:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u dial_tac
User Profile Information
user = dial_tac{
profile_id = 63
profile_cycle = 4
member = aaa_test_group
password = des "********"
password = pap "********"
}
Step 4 Assign service=shell AVP.
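The two scenarios above (the service=ppp denial and the missing service=shell AVP) are diagnosed the same way: read the csuslog "Authorization - Failed service" line to learn which service the NAS asked for, then read the ViewProfile listings for the user and its group to see whether that service AVP is granted anywhere. The following Python script, an added example that is not part of this guide or of CiscoSecure, automates that comparison. The log lines and profile listings embedded in it are constructed to match the formats shown in this chapter; the function names are the example's own.

```python
import re

# Constructed csuslog lines in the format shown in this chapter (sample data, not real captures).
CSUSLOG_SAMPLE = """\
Jan 27 21:57:40 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.63.1, Port = tty52, User = dial_tac, Priv = 1]
Jan 27 21:57:41 coachella CiscoSecure: DEBUG - AUTHORIZATION request (e39fa075)
Jan 27 21:57:41 coachella CiscoSecure: DEBUG - Authorization - Failed service; [NAS = 172.22.63.1, user = dial_tac, port = tty52, input: service=shell cmd* output: ]
Feb 3 20:48:58 coachella CiscoSecure: DEBUG - Authorization - Failed service; [NAS = 172.22.63.1, user = dial_tac, port = Async2, input: service=ppp protocol=lcp output: ]
"""

# Constructed ViewProfile listings: the user profile and the group it is a member of.
USER_PROFILE = """\
user = dial_tac{
profile_id = 63
profile_cycle = 4
member = aaa_test_group
password = des "********"
password = pap "********"
}
"""
GROUP_PROFILE = """\
group = aaa_test_group{
profile_id = 64
profile_cycle = 7
service=ppp {
protocol=ip {
inacl=110
}
}
}
"""

FAILED_RE = re.compile(
    r"Authorization - Failed service; \[NAS = (?P<nas>[\d.]+), user = (?P<user>\S+), "
    r"port = (?P<port>\S+), input: (?P<input>.*?) output: (?P<output>.*?)\]")


def parse_failed_authorizations(log_text):
    """One dict per 'Failed service' line: nas, user, port and the input AVPs the
    NAS sent, as a dict. An optional AVP written 'cmd*' is stored as cmd -> '*'."""
    results = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        avps = {}
        for token in m.group("input").split():
            if "=" in token:
                key, val = token.split("=", 1)
            elif token.endswith("*"):
                key, val = token[:-1], "*"
            else:
                key, val = token, ""
            avps[key] = val
        results.append({"nas": m.group("nas"), "user": m.group("user"),
                        "port": m.group("port"), "input": avps})
    return results


def parse_profile(text):
    """Turn a brace-nested ViewProfile listing into nested dicts. A line ending in
    '{' opens a block keyed by its text (for example 'service=ppp'); 'k = v' lines
    are leaves stored as lists, because keys such as 'password' can repeat."""
    root, stack = {}, []
    current = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            current[line[:-1].strip()] = block
            stack.append(current)
            current = block
        elif line == "}":
            current = stack.pop()
        else:
            key, _, val = line.partition("=")
            current.setdefault(key.strip(), []).append(val.strip())
    return root


def services_assigned(profile_tree):
    """Names of every service=<name> block anywhere in the parsed profile."""
    found = set()

    def walk(node):
        for key, val in node.items():
            if isinstance(val, dict):
                if key.startswith("service="):
                    found.add(key.split("=", 1)[1].strip())
                walk(val)

    walk(profile_tree)
    return found


def explain_failures(log_text, profile_listings):
    """For every failed authorization return (user, port, service, assigned).
    assigned is False when no listing grants that service AVP (the 'AVP not
    assigned' cause above); True means the profile does grant it, so look elsewhere."""
    assigned = set()
    for listing in profile_listings:
        assigned |= services_assigned(parse_profile(listing))
    return [(f["user"], f["port"], f["input"].get("service"), f["input"].get("service") in assigned)
            for f in parse_failed_authorizations(log_text)]


if __name__ == "__main__":
    for row in explain_failures(CSUSLOG_SAMPLE, [USER_PROFILE, GROUP_PROFILE]):
        print(row)
```

With the sample data, the tty52 failure for service=shell is reported as not assigned (neither listing contains a service=shell block), while the Async2 failure for service=ppp is reported as assigned through the group, which is the signal to move on to the reply-attribute cause described next rather than to the profile itself.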
Possible Cause User or group does not have correct PPP reply attributes. See Table 6-9.
Action Complete troubleshooting steps to isolate and resolve this possible cause.
Step 1 Gather general debug command information from the NAS. The following output is from a debug aaa
authentication command executed on a NAS. The following fragment illustrates the Authorization
FAILED message being detected by the debug aaa authorization process:
*Apr 5 23:12:28.228: AAA/AUTHOR/EXEC: Authorization FAILED
*Apr 5 23:12:30.228: AAA/MEMORY: free_user (0x612311BC) user='rad_dial' ruser=''
port='tty4' rem_addr='408/3241933' authen_type=ASCII service=LOGIN priv=1
*Apr 5 23:12:30.936: %ISDN-6-DISCONNECT: Interface Serial0:0 disconnected from unknown
, call lasted 61 seconds
*Apr 5 23:12:30.980: %LINK-3-UPDOWN: Interface Serial0:0, changed state to down
Step 2 Enter the tail command to assess warnings and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog
In this case, the authorization fails for user rad_dial, as illustrated in the following csuslog file
fragment:
Apr 6 15:14:03 sleddog CiscoSecure: INFO - RADIUS: Servicing requests from NAS
(172.23.84.35), sending host <172.23.84.35>
Step 3 Enter the following command to view a user profile in the database:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rad_dial
Step 4 Add the following RADIUS AVP: Framed-Protocol=ppp (entered as 6=2 in AddProfile command input).
Current configuration:
!
! Last configuration change at 09:19:35 CST Thu Apr 13 2000 by brownr
! NVRAM config last updated at 09:14:55 CST Thu Apr 13 2000 by brownr
!
version 12.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname maui-rtr-03
!
no logging console
aaa new-model
aaa authentication login default local enable
aaa authentication login NO_AUTHEN none
aaa authorization exec default local
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default local
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
enable secret 5 xxxxxxxxxxxxxxxxx
!
username admin privilege 15 password 7 xxxxxxxxxxxx
!
!
!
clock timezone cst -6
clock summer-time CST recurring
ip subnet-zero
ip domain-name maui-onions.com
ip name-server x.x.x.x
ip name-server x.x.x.x
!
!
!
!
!
!
!
interface Loopback0
ip address 172.22.255.3 255.255.255.255
no ip directed-broadcast
!
interface ATM1/0
no ip address
no ip directed-broadcast
shutdown
no atm ilmi-keepalive
!
interface Serial2/0
ip address 10.10.10.1 255.255.255.0
no ip directed-broadcast
!
interface Serial2/1
no ip address
no ip directed-broadcast
shutdown
!
interface Serial2/2
no ip address
no ip directed-broadcast
shutdown
!
interface Serial2/3
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet3/0
ip address 172.22.241.3 255.255.255.0
no ip directed-broadcast
ip summary-address eigrp 69 172.22.80.0 255.255.240.0 5
!
interface Ethernet3/1
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet3/2
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet3/3
no ip address
no ip directed-broadcast
shutdown
!
interface FastEthernet4/0
ip address 172.22.80.1 255.255.255.0
no ip directed-broadcast
ip summary-address eigrp 69 172.22.240.0 255.255.240.0 5
half-duplex
!
router eigrp 69
network 172.22.0.0
!
ip default-gateway 172.22.53.1
ip classless
ip http server
ip http authentication aaa
ip tacacs source-interface Loopback0
!
snmp-server engineID local 00000009020000D0BB7F5054
snmp-server community cisco xx
snmp-server community rules xx
snmp-server trap-source Loopback0
snmp-server contact
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps config
snmp-server enable traps envmon
tacacs-server host 172.22.53.201 key biteme
tacacs-server key ciscorules
!
line con 0
authorization commands 15 NO_AUTHOR
Current configuration:
maui-nas-03#sh run
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname maui-nas-03
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default if-needed group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group tacacs+
!
username admin privilege 15 password 7 xxxxxxxxxxxxx
username diallocal access-class 110 password 7 xxxxxxxxxxx
username diallocal autocommand ppp
spe 1/0 1/7
firmware location system:/ucode/mica_port_firmware
spe 2/0 2/7
firmware location system:/ucode/mica_port_firmware
!
!
resource-pool disable
!
!
!
!
!
clock timezone CST -6
clock summer-time CST recurring
ip subnet-zero
no ip domain-lookup
ip domain-name maui-onions.com
ip name-server 172.22.53.210
!
isdn switch-type primary-ni
isdn voice-call-failure 0
partition flash 2 24 8
!
!
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
clock source line secondary 1
!
controller T1 2
clock source line secondary 2
!
controller T1 3
clock source line secondary 3
!
controller T1 4
clock source line secondary 4
!
controller T1 5
clock source line secondary 5
!
controller T1 6
clock source line secondary 6
!
controller T1 7
clock source line secondary 7
!
!
interface Loopback0
ip address 172.22.87.3 255.255.255.255
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Loopback1
ip address 172.22.83.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Ethernet0
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
!
interface Serial0
no ip address
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial1
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial2
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial3
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial0:23
description "PRI D channel"
ip unnumbered Dialer1
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no logging event link-status
timeout absolute 240 0
dialer rotary-group 1
dialer-group 5
no snmp trap link-status
isdn switch-type primary-5ess
isdn incoming-voice modem
no fair-queue
compress stac
no cdp enable
!
interface FastEthernet0
ip address 172.22.80.3 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
!
interface Group-Async1
ip unnumbered Loopback0
no ip directed-broadcast
encapsulation ppp
no ip route-cache
ip tcp header-compression passive
no ip mroute-cache
no logging event link-status
dialer in-band
dialer idle-timeout 900
async mode interactive
no snmp trap link-status
peer default ip address pool default
no fair-queue
no cdp enable
ppp max-bad-auth 3
ppp authentication pap chap
group-range 1 192
!
interface Dialer1
no ip address
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no ip mroute-cache
no logging event link-status
timeout absolute 240 0
dialer in-band
dialer idle-timeout 300 either
dialer-group 5
no snmp trap link-status
peer default ip address pool default
no fair-queue
compress stac
no cdp enable
ppp max-bad-auth 3
ppp multilink
!
router eigrp 69
network 172.22.0.0
!
ip local pool default 172.22.83.2 172.22.83.254
ip default-gateway 172.22.80.1
ip classless
ip tacacs source-interface Loopback0
ip http server
!
access-list 110 deny tcp any any eq telnet
access-list 110 permit tcp any any
tacacs-server host 172.22.53.204
tacacs-server key ciscorules
snmp-server engineID local 0000000902000050546B87BC
snmp-server community xxxxxxxxx RO
snmp-server community xxxxxxxxx RW
radius-server host 172.22.53.204 auth-port 1645 acct-port 1646 key ciscorules
banner login ^CC
Welcome to maui-nas-03
Maui-onions Lab
Learning Rack ISG
^C
!
line con 0
authorization commands 15 NO_AUTHOR
authorization exec NO_AUTHOR
login authentication NO_AUTHEN
transport input none
line 1 192
session-timeout 15
exec-timeout 48 0
autoselect during-login
autoselect ppp
absolute-timeout 240
script dialer cisco_default
refuse-message ^CCCCCCCC!!! All lines are busy, try again later ###^C
modem InOut
modem autoconfigure type mica
transport preferred telnet
transport input all
transport output pad telnet rlogin udptn
line aux 0
line vty 0 4
!
end
Current configuration:
maui-nas-03#sh run
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname maui-nas-03
!
aaa new-model
aaa authentication login default group radius local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default stop-only group radius
aaa accounting network default start-stop group radius
!
username admin privilege 15 password 7 xxxxxxxxxxxxx
username diallocal access-class 110 password 7 xxxxxxxxxxx
username diallocal autocommand ppp
spe 1/0 1/7
firmware location system:/ucode/mica_port_firmware
spe 2/0 2/7
firmware location system:/ucode/mica_port_firmware
!
!
resource-pool disable
!
!
!
!
!
clock timezone CST -6
clock summer-time CST recurring
ip subnet-zero
no ip domain-lookup
ip domain-name maui-onions.com
ip name-server 172.22.53.210
!
isdn switch-type primary-ni
isdn voice-call-failure 0
partition flash 2 24 8
!
!
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
clock source line secondary 1
!
controller T1 2
clock source line secondary 2
!
controller T1 3
clock source line secondary 3
!
controller T1 4
clock source line secondary 4
!
controller T1 5
clock source line secondary 5
!
controller T1 6
clock source line secondary 6
!
controller T1 7
clock source line secondary 7
!
!
interface Loopback0
ip address 172.22.87.3 255.255.255.255
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Loopback1
ip address 172.22.83.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Ethernet0
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
!
interface Serial0
no ip address
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial1
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial2
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial3
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial0:23
description "PRI D channel"
ip unnumbered Dialer1
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no logging event link-status
timeout absolute 240 0
dialer rotary-group 1
dialer-group 5
no snmp trap link-status
isdn switch-type primary-5ess
isdn incoming-voice modem
no fair-queue
compress stac
no cdp enable
!
interface FastEthernet0
ip address 172.22.80.3 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
!
interface Group-Async1
ip unnumbered Loopback0
no ip directed-broadcast
encapsulation ppp
no ip route-cache
ip tcp header-compression passive
no ip mroute-cache
no logging event link-status
dialer in-band
dialer idle-timeout 900
async mode interactive
no snmp trap link-status
peer default ip address pool default
no fair-queue
no cdp enable
ppp max-bad-auth 3
ppp authentication pap chap
group-range 1 192
!
interface Dialer1
no ip address
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no ip mroute-cache
no logging event link-status
timeout absolute 240 0
dialer in-band
dialer idle-timeout 300 either
dialer-group 5
no snmp trap link-status
peer default ip address pool default
no fair-queue
compress stac
no cdp enable
ppp max-bad-auth 3
ppp multilink
!
router eigrp 69
network 172.22.0.0
!
ip local pool default 172.22.83.2 172.22.83.254
ip default-gateway 172.22.80.1
ip classless
ip tacacs source-interface Loopback0
ip http server
!
access-list 110 deny tcp any any eq telnet
access-list 110 permit tcp any any
tacacs-server host 172.22.53.204
tacacs-server key ciscorules
snmp-server engineID local 0000000902000050546B87BC
snmp-server community xxxxxxxxx RO
snmp-server community xxxxxxxxx RW
radius-server host 172.22.53.204 auth-port 1645 acct-port 1646 key ciscorules
banner login ^CC
Welcome to maui-nas-03
Maui-onions Lab
Learning Rack ISG
^C
!
line con 0
authorization commands 15 NO_AUTHOR
authorization exec NO_AUTHOR
login authentication NO_AUTHEN
transport input none
line 1 192
session-timeout 15
exec-timeout 48 0
autoselect during-login
autoselect ppp
absolute-timeout 240
script dialer cisco_default
refuse-message ^CCCCCCCC!!! All lines are busy, try again later ###^C
modem InOut
modem autoconfigure type mica
transport preferred telnet
transport input all
transport output pad telnet rlogin udptn
line aux 0
line vty 0 4
!
end
Table A-1 Cisco IOS Commands Required to Set AAA for a Router
Note The following table lists Cisco IOS configuration commands required to support both
TACACS+ and RADIUS AAA implementations.
Table A-2 Cisco IOS Commands Used to Set AAA with PPP for NAS (RADIUS and TACACS+)
/* Callerid as Username */
/* default = 1 (enable) */
NUMBER config_callerid_enable = 1; /* 1 to enable, 0 to disable */
NAS config_nas_config = {
{
"", /* NAS name can go here */
"ciscorules", /* NAS/CiscoSecure secret key */
"", /* message_catalogue_filename */
1, /* username retries */
2, /* password retries */
1 /* trusted NAS for SENDPASS */
}
};
AUTHEN config_external_authen_symbols = {
{
"./libskey.so",
"skey"
}
,
{
"./libpap.so",
"pap"
}
,
{
"./libchap.so",
"chap"
}
,
{
"./libarap.so",
"arap"
}
};
AUTHOR config_external_author_symbols = {
{
"./libargs.so",
"process_input_arguments",
"process_input_arguments_ok",
"process_input_arguments_fail",
"process_output_arguments",
"process_output_arguments_ok",
"process_output_arguments_fail"
}
};
/*
* Sample of pre/post process configuration.
*
AUTHOR config_external_author_symbols = {
{
"./libcustomerprovided.so",
"customer_function"
}
};
*
* end sample
*/
ACCT config_external_acct_symbols = {
{
"./libacctmember.so",
"acct_member_fn"
}
};
ADMIN config_external_admin_symbols = {
"./libadmin.so"
};
DB config_external_database_symbols = {
{
"./libdb.so",
"",
""
}
};
PARSER config_external_parser_symbols = {
"./libt+.so"
};
EVENT config_external_event_symbols = {
{
"./libdb.so",
"",
""
}
};
DMS config_external_dms_symbols = {
"./libCiscoDMS.so"
};
#
#
;-------------------------------------------------------------------------------
[System Error]
SysErrorFileDir = /opt/ciscosecure/logfiles
; DBServer gets the default path for System error handler here
; if it was not specified at command line with option
; [-LOGPATH path] when starting the DBServer daemon.
; DBServer must have sufficient access privilege to create this
; path and the log file if it does not already exist.
;-------------------------------------------------------------------------------
[SessionMgr]
; Session Manager configurables, purge interval is in minutes
MaxSessions=1000
PurgeInterval=60
;-------------------------------------------------------------------------------
[AccountingMgr]
;If this parameter=enable then log acct packets into cs_accounting_log database table
LogRawAccountingPacketToDB = enable
;If we are logging accounting records then this parameter decides whether to buffer the records
; in memory and then save them to the database using a background process. Enabling this will
; increase burst authentication performance.
;If enabled the DBServer will create enough buffers to match the value of 2 less than
; the number of database connections available.
; NOTE: There is a risk of losing records that are in memory in the event of the DBServer going
; down ungracefully.
BufferAccountingPackets = enable
;This parameter decides the size of each accounting packet buffer. Legal values are from 5 to 1000
AccountingBufferSize = 500
; if parameter=enable then dbserver will process user max session info and save in memory,
; if disabled then ArchiveMaxSessionInfoToDB will also be disabled.
ProcessInMemoryMaxSessionInfo = enable
; If this parameter=enable then log user max session info into cs_user_accounting database table
; Note that if the BufferAccountingPackets parameter is enabled AND ProcessInMemoryMaxSessionInfo
; is enabled then max session info records will be buffered as well.
ArchiveMaxSessionInfoToDB = enable
; This is how often (in minutes) the system checks for accounting sessions to
; purge.
; NOTE: The purge interval is actually dependent upon a system background task
; that is not guaranteed to run more frequently than 60 minutes. This
; value is therefore not accurate to the minute and should not be set to
; less than 60.
AcctPurgeInterval=60
;-------------------------------------------------------------------------------
[DBServer]
DBServerName = CSdbServer
Protocol=TCP
MaxPacketSize = 4096
;-------------------------------------------------------------------------------
[ValidClients]
100 = sleddog
; Add list of trusted clients above ^^^^ in the format:
; ClientID = Client's Host Name
; CGI stub's clientID=100, and it's host name
; For example 100 = localhost or 100 = 192.92.182.2
; 101 = 192.92.190.5
;
;if ValidateClients=true, then we only allow the clients with ids listed
;above to connect to the dbserver
ValidateClients = false
;if FastAdminValidateClients = true, then we only allow the clients with ids
;listed below to connect to the FastAdmin
FastAdminValidateClients = false
;-------------------------------------------------------------------------------
[Protocol TCP]
HostName = sleddog
Port = 9900
; Name of host server
;-------------------------------------------------------------------------------
[Workers Pool]
; Maximum numbers of connection workers in pool, beyond which
; newly added workers will be ignored (or deleted).
MaxInPool=50
;-------------------------------------------------------------------------------
[Database]
DataSource = ORACLE
DriverType = JDBC-Weblogic-Oracle
; Specify the rdbms installed and the driver type
; (ODBC or JDBC) that interfaces with the rdbms.
; Driver=ODBC or Driver=JDBC, then go to the [ODBC]
; or [JDBC] section to fill in the URL info.
;-------------------------------------------------------------------------------
[SQLAnywhere]
;this is the bundle database
ConnectionLicense = 12
Username = DBA
Password = SQL
;-------------------------------------------------------------------------------
[OtherDB]
;number of open connections allowed to the data source(based on db license)
ConnectionLicense = 1
Username = csecure
Password = csecure
;-------------------------------------------------------------------------------
[ORACLE]
;number of open connections allowed to the data source(based on db license)
ConnectionLicense=4
Username = csecure
Password = csecure
;-------------------------------------------------------------------------------
[SYBASE]
;number of open connections allowed to the data source(based on db license)
ConnectionLicense = 8
Username = csecure
Password = csecure
;-------------------------------------------------------------------------------
[ODBC-SQLAnywhere]
;ODBC driver information
Manager = sun.jdbc.odbc.JdbcOdbcDriver
Driver = jdbc:odbc:SQLAnywhere;ENG=csecure;DBF=<database_file>;Start="dbeng50 -ud"
;Property below is required for internal use only: connection usage property
PrepareStatement = 0
;-------------------------------------------------------------------------------
[ODBC-Visigenic-Oracle]
;ODBC driver information
Manager = sun.jdbc.odbc.JdbcOdbcDriver
Driver = jdbc:odbc:Oracle
;Property below is required for internal use only: connection usage property
PrepareStatement = 1
;-------------------------------------------------------------------------------
[ODBC-Visigenic-Sybase]
;ODBC driver information
Manager = sun.jdbc.odbc.JdbcOdbcDriver
Driver = jdbc:odbc:SybaseDBLib
;Property below is required for internal use only: connection usage property
PrepareStatement = 1
;-------------------------------------------------------------------------------
[JDBC-Weblogic-Oracle]
;JDBC driver information
Manager=cisco.ciscosecure.dbserver.jdbc.WeblogicOciDriverManager
Driver=jdbc:weblogic:oracle:ciscosj
;Property below is required for internal use only: connection usage property
PrepareStatement = 1
;-------------------------------------------------------------------------------
[JDBC-Weblogic-Sybase]
;JDBC driver information
Manager=cisco.ciscosecure.dbserver.jdbc.WeblogicDBLibDriverManager
Driver=jdbc:weblogic:sybase
;Property below is required for internal use only: connection usage property
PrepareStatement = 1
;-------------------------------------------------------------------------------
[ProfileCaching]
EnableProfileCaching = OFF
;Polling period in minutes for cs_trans_log table
; Interval in seconds can be specified by fraction.
; For example, '5/60' denotes 5 seconds and '1 1/2' denotes 90 seconds.
; Setting to 0 disables polling.
DBPollInterval = 30
;-------------------------------------------------------------------------------
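Two settings in the listing above decide who may talk to the DBServer and with what credentials: the [ValidClients] ID list is only enforced when ValidateClients (and, for FastAdmin, FastAdminValidateClients) is true, and every data-source section carries a Username/Password pair whether or not that source is the one named in [Database]. The following Python script is an added example, not part of this guide or of CiscoSecure: it parses an excerpt in this file's layout and reports those points for review. The excerpt is constructed for the example (the SYBASE password is an invented placeholder), and the parser and function names are the example's own.

```python
# Constructed excerpt in the CSConfig.ini layout shown above; the values are sample data.
SAMPLE_INI = """\
;-------------------------------------------------------------------------------
[ValidClients]
100 = sleddog
; 101 = 192.92.190.5
ValidateClients = false
FastAdminValidateClients = false
;-------------------------------------------------------------------------------
[Database]
DataSource = ORACLE
DriverType = JDBC-Weblogic-Oracle
[SQLAnywhere]
ConnectionLicense = 12
Username = DBA
Password = SQL
[ORACLE]
ConnectionLicense=4
Username = csecure
Password = csecure
[SYBASE]
ConnectionLicense = 8
Username = csecure
Password = Str0ng-Example-Only
"""

# Password values exactly as they appear in the sample listing in this appendix.
SAMPLE_LISTING_PASSWORDS = {"sql", "csecure"}


def parse_ini(text):
    """Minimal parser for this file's dialect: '[Section]' headers, 'key = value' or
    'key=value' lines, and comment lines starting with ';' or '#'. Keys are stored
    in lower case so that lookups do not depend on the file's capitalisation."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#:":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, val = line.split("=", 1)
        sections[current][key.strip().lower()] = val.strip()
    return sections


def audit(sections):
    """Return (section, finding) tuples for settings a reviewer should question."""
    findings = []
    vc = sections.get("ValidClients", {})
    if vc.get("validateclients", "false").lower() != "true":
        findings.append(("ValidClients",
                         "ValidateClients is not 'true': the client ID list is not enforced for DBServer connections"))
    if vc.get("fastadminvalidateclients", "false").lower() != "true":
        findings.append(("ValidClients",
                         "FastAdminValidateClients is not 'true': the client ID list is not enforced for FastAdmin"))
    # Only the data source named in [Database] is in use, but every section's credentials are on disk.
    active = sections.get("Database", {}).get("datasource", "")
    for name, sec in sections.items():
        if "password" not in sec:
            continue
        pw, user = sec["password"], sec.get("username", "")
        tag = "active data source" if name == active else "unused data source"
        if pw.lower() == user.lower():
            findings.append((name, f"password equals username ({tag})"))
        elif pw.lower() in SAMPLE_LISTING_PASSWORDS:
            findings.append((name, f"password is the value from the sample listing ({tag})"))
    return findings


if __name__ == "__main__":
    for section, finding in audit(parse_ini(SAMPLE_INI)):
        print(f"[{section}] {finding}")
```

Run against the real file (`parse_ini(open("CSConfig.ini").read())`), the audit lists the unenforced client list first and then each data-source section whose password is the username or one of the values printed in this appendix, marking which of them is the source actually selected in [Database].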
Most BootFlash images do not recognize all Cisco IOS aaa commands. As a result, invoking a
BootFlash image can lead to a password recovery situation unless the Cisco IOS fragments listed in this
appendix are used to disable AAA. One example of a situation requiring the inclusion of this
configuration is a software image upgrade for a Cisco AS5200 access server.
Include the following Cisco IOS commands to disable AAA authentication and authorization on the
console and VTY ports of a NAS:
aaa authentication login NO_AUTHENT none
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 NO_AUTHOR none
line con 0
authorization exec NO_AUTHOR
login authentication NO_AUTHENT
authorization commands 15 NO_AUTHOR
line vty 0 4
authorization commands 15 NO_AUTHOR
authorization exec NO_AUTHOR
login authentication NO_AUTHENT
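The fragment above works by binding named method lists whose only method is none to the console and VTY lines; any line that is not given a named list keeps using the default list. Because that binding is spread across the global aaa commands and each line block, it is easy to lose track of which lines end up with no authentication once the fragment is merged into a running configuration. The following Python script is an added example, not part of this guide or of Cisco IOS: it resolves, for each line block, which list is in effect for login authentication, EXEC authorization and level-15 command authorization, and reports the lines where the result is none. The configuration it reads is constructed in the style of the listings in this appendix and assumes the indented sub-commands that show running-config prints; the function names are the example's own.

```python
# Constructed IOS fragment in the style of this appendix (sample data, not a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHENT none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 NO_AUTHOR none
!
line con 0
 authorization exec NO_AUTHOR
 login authentication NO_AUTHENT
 authorization commands 15 NO_AUTHOR
line aux 0
line vty 0 4
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 login authentication NO_AUTHENT
!
"""

KINDS = ("login", "exec", "commands15")


def parse_method_lists(config):
    """Map (kind, list name) -> method tokens, for example
    ('login', 'NO_AUTHENT') -> ['none'] and ('exec', 'default') -> ['group', 'tacacs+', 'if-authenticated']."""
    lists = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 5 and t[:3] == ["aaa", "authentication", "login"]:
            lists[("login", t[3])] = t[4:]
        elif len(t) >= 5 and t[:3] == ["aaa", "authorization", "exec"]:
            lists[("exec", t[3])] = t[4:]
        elif len(t) >= 6 and t[:3] == ["aaa", "authorization", "commands"]:
            lists[("commands" + t[3], t[4])] = t[5:]
    return lists


def parse_lines(config):
    """Map each top-level 'line ...' block to the list names it binds per kind.
    A kind with no explicit binding falls back to the 'default' list, which is
    what IOS applies to every line that is not given a named list."""
    blocks, current = {}, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "line" and not line.startswith(" "):
            current = " ".join(t)
            blocks[current] = {kind: "default" for kind in KINDS}
        elif current and line.startswith(" "):
            if t[:2] == ["login", "authentication"] and len(t) == 3:
                blocks[current]["login"] = t[2]
            elif t[:2] == ["authorization", "exec"] and len(t) == 3:
                blocks[current]["exec"] = t[2]
            elif t[:2] == ["authorization", "commands"] and len(t) == 4:
                blocks[current]["commands" + t[2]] = t[3]
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the line block
    return blocks


def resolve(config):
    """For each line block and kind return (list name, method tokens, bypassed),
    where bypassed is True when the list in effect consists of 'none' alone."""
    lists, blocks = parse_method_lists(config), parse_lines(config)
    out = {}
    for name, binds in blocks.items():
        out[name] = {}
        for kind, list_name in binds.items():
            methods = lists.get((kind, list_name), ["<undefined>"])
            out[name][kind] = (list_name, methods, methods == ["none"])
    return out


def bypassed_lines(config):
    """Names of the line blocks on which login authentication resolves to 'none'."""
    return [name for name, kinds in resolve(config).items() if kinds["login"][2]]


if __name__ == "__main__":
    for name, kinds in resolve(SAMPLE_CONFIG).items():
        for kind, (list_name, methods, bypassed) in kinds.items():
            flag = "  <-- no AAA" if bypassed else ""
            print(f"{name:12} {kind:10} {list_name:10} {' '.join(methods)}{flag}")
```

On the sample, line con 0 and line vty 0 4 come out with none for all three kinds, while line aux 0 (given no named lists) resolves to the default lists and so still authenticates through the server; a list name that is bound but never defined is shown as <undefined>, which is worth catching before a reload since the reference then has no methods behind it.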
Note Refer to “4.6 Implementing Server-Based TACACS+ Router Authorization” for related
implementation information.
Note Output fragments provided here are excerpted from the applicable debug command output
or AAA server csuslog file—unless otherwise noted. Diagnostic content is gathered from
the AAA server by using the tail -f /var/log/csuslog command. Pertinent portions of
output are included as fragments of complete listings.
The following diagnostic results are presented in the order in which they are generated during the
authentication process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.
Note The debug command output can vary depending on Cisco IOS versions.
The following diagnostic results are presented in the order in which they are generated during the
authorization process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.
Note The debug command output can vary depending on Cisco IOS versions.
2. User dialtest starts PPP from the shell and is assigned the addr-pool=default and inacl=110 AVPs.
AAA server csuslog output:
Apr 6 15:48:07 sleddog CiscoSecure: DEBUG - AUTHORIZATION request (74e5f744)
Apr 6 15:48:07 sleddog CiscoSecure: DEBUG - Authorization - Request authorized; [NAS
= 172.23.84.35, user = dialtest, port = tty8, input: service=ppp protocol=ip
addr-pool*default output: inacl=110]
Apr 6 15:48:13 sleddog CiscoSecure: DEBUG - AUTHORIZATION request (78655fcd)
Apr 6 15:48:13 sleddog CiscoSecure: DEBUG - Authorization - Request authorized; [NAS
= 172.23.84.35, user = dialtest, port = tty8, input: service=ppp protocol=lcp output:
]
Apr 6 15:48:13 sleddog CiscoSecure: DEBUG - AUTHORIZATION request (cae30c69)
Apr 6 15:48:13 sleddog CiscoSecure: DEBUG - Authorization - Request authorized; [NAS
= 172.23.84.35, user = dialtest, port = tty8, input: service=ppp protocol=ip output:
addr-pool=default inacl=110]
6. User dialtest starts PPP and is assigned the addr-pool=default and inacl=110 AVPs.
NAS debug output:
*Apr 6 00:33:05.860: As9 AAA/AUTHOR/IPCP: Says use pool default
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Pool returned 172.23.25.37
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV service=ppp
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV protocol=ip
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV addr-pool=default
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV inacl=110
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV addr*172.23.25.37
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Authorization succeeded
Note Use these debug commands: debug aaa authentication and debug ppp authentication.
The following diagnostic results are presented in the order in which they are generated during the
authentication process. Specific output fragments are differentiated with brief explanatory notes to help
identify relevant information.
Note The debug command output can vary depending on Cisco IOS versions.
Note Use these commands: debug aaa authorization and show caller user rad_dial detail.
The following diagnostic results are presented in the order in which they are generated during the
authorization process. Specific output fragments are differentiated with brief explanatory notes to help you
identify relevant information.
Note The debug command output can vary depending on Cisco IOS versions.
3. Input access-list is verified as 110 while the output access-list is shown as not set.
The following diagnostic results are presented in the order in which they are generated during the authentication process. Specific output fragments are differentiated with brief explanatory notes to help you identify relevant information.
Note The debug command output can vary depending on Cisco IOS versions.
1. Get user and password interaction between router and AAA server.
Note The debug command output can vary depending on Cisco IOS versions.
Note Be sure to save your running configuration by using the appropriate write or copy running-config command before using the reload command.
    case study overview (figure) 1-2
    verification, show line command (local-based) 2-8
    adding user profiles (TACACS+ authorization) 4-5
administrative control
    authorization policy 1-11
    creating, router example 4-13
    privilege level 15 1-11
attribute-value pair
    See AVPs
audience
    defined xi
authentication
    configuring NAS (RADIUS) 4-7
    configuring NAS (TACACS+) 4-3
    general process (flow diagram) 6-3
    RADIUS implementation 4-6
    RADIUS verification tests (server-based) C4
    RADIUS vs. TACACS+ 1-5
    server-based implementation 4-2, 4-6, 4-10
    TACACS+ dialup, verifying by using csuslog 4-4
    TACACS+ implementation (local-based) 2-2, 2-8
    TACACS+ implementation (server-based) 4-2, 4-10
    TACACS+ verification tests (local-based) 2-3, 2-9
    TACACS+ verification tests (server-based) C1, C7
    verifying PPP user authentication 4-4
authentication, authorization, and accounting
    See AAA
authorization
    configuring NAS (RADIUS) 4-9
    configuring NAS (TACACS+) 4-4
    configuring routers 4-13
    defined 1-1
    general process (flow diagram) 6-3
    RADIUS implementation 4-8
    RADIUS verification tests (server-based) C5
    RADIUS vs. TACACS+ 1-5
    server-based implementation 4-4, 4-8, 4-13
    TACACS+ dialup, verifying by using csuslog 4-5
    TACACS+ implementation (local-based) 2-5, 2-10
    TACACS+ implementation (server-based) 4-4, 4-13
    TACACS+ router, verifying by using csuslog 4-16, 4-18, 4-19
    TACACS+ verification tests (local-based) 2-6, 2-11
    TACACS+ verification tests (server-based) C2, C9
    verifying access list 4-10
    verifying PPP user authorization 4-5
    verifying RADIUS authorization 4-9
autocommand ppp negotiate command 1-11
AVPs
    adding group profiles (TACACS+ authentication) 4-11
    adding group profiles (TACACS+ authorization) 4-16, 4-17, 4-18
    defined 1-6
    dial access devices 1-11
    EXEC disabled implementation 6-6
    EXEC shell enabled (TACACS+) 6-5
    privilege level 15 enabled (TACACS+) 6-5
    RADIUS, user profile 4-7, 4-9
    RADIUS examples (table) 1-6
    TACACS+, user profile 4-3, 4-5
    TACACS+ authentication, group profile 4-11
    TACACS+ authorization, group profile 4-16, 4-17, 4-18
    TACACS+ examples (table) 1-6
B
BootFlash images
    AAA considerations B-1
C
case study
    hardware xii
    objectives xi
    overview 1-1
    purpose xi
    software xii
CCO
    accessing xiii
database
    verifying instance 3-3
G
Data Encryption Standard
    See DES
groups
debug command
defining administrative control 4-13
verifying TACACS+ user authentication 4-4
AAA configuration error 6-25, 6-27
user profile lacks appropriate enable privilege level to perform command 6-27
configuring authorization (server-based) 4-8
creating user profiles (authentication) 4-7
user profile lacks appropriate privilege level to perform command 6-25, 6-27
debug output, server-based authentication C4
debug output, server-based authorization C5
user profile restricted 6-14
encryption 1-4
profiles
example configuration (NAS) A-9
assigning user to group profile (TACACS+ authentication) 4-11
interoperability 1-6
S
scenario
    case study description 1-8
    case study overview (figure) 1-2
scenarios
    troubleshooting examples 6-29
security
    policy considerations 1-12
server-based access
    compared with local-based access 1-7
    defined 1-7
server-based configuration
    implementation overview (authentication and authorization) 4-1
    verification test results (RADIUS authentication) C4
    verification test results (RADIUS authorization) C5
    verification test results (TACACS+ authentication) C1, C7
    verification test results (TACACS+ authorization) C2, C9
    verifying user (RADIUS authentication) 4-8, 4-9
    verifying user (TACACS+ authentication) 4-3
    verifying user (TACACS+ authorization) 4-5
show caller user command
    access list verification output (server-based) 4-10, C6
    session timeout disconnect example 5-3
show line command
    verification output (local-based) 2-8
site preparation xi
SMON
    verifying operation on Oracle server 3-3
SQL*Plus
    Release 3.3.4.0.1 xii
sqlplus
    verifying account information 3-4
symptom list, troubleshooting AAA
    dial-based local authentication 6-9
    dial-based local authorization 6-13
    dial-based server authentication 6-10
    dial-based server authorization 6-15
    router-based local authentication 6-19
    router-based local authorization 6-24
    router-based server authentication 6-21
    router-based server authorization 6-26
syslog daemon
    restarting 3-10
T
tablespace
    installing (Oracle) 3-2
    size requirements 3-2
TAC
    contacting xiv
TACACS
    RFC link 1-2
TACACS+
    accounting tests (local-based) 2-13
    assigning user to group profile (authentication) 4-11
    assigning user to group profile (authorization) 4-16, 4-17, 4-18
    authentication and authorization (figure) 4-14