
Cisco AAA Implementation Case Study
Internetworking Solutions Guide
May 2000

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

Text Part Number: OL-0397-01


THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE
PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR
APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of
UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED
“AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED,
INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Access Registrar, AccessPath, Any to Any, AtmDirector, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, the Cisco logo,
Cisco Certified Internetwork Expert logo, CiscoLink, the Cisco Management Connection logo, the Cisco NetWorks logo, the Cisco Powered Network logo,
Cisco Systems Capital, the Cisco Systems Capital logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, the Cisco
Technologies logo, ConnectWay, Fast Step, FireRunner, Follow Me Browsing, FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet
Quotient, IP/VC, Kernel Proxy, MGX, Natural Network Viewer, NetSonar, Network Registrar, the Networkers logo, Packet, PIX, Point and Click
Internetworking, Policy Builder, Precept, RateMUX, ScriptShare, Secure Script, ServiceWay, Shop with Me, SlideCast, SMARTnet, SVX, The Cell,
TrafficDirector, TransPath, ViewRunner, Virtual Loop Carrier System, Virtual Voice Line, VlanDirector, Voice LAN, Wavelength Router, Workgroup
Director, and Workgroup Stack are trademarks; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, The Internet
Economy, and The New Internet Economy are service marks; and Aironet, ASIST, BPX, Catalyst, Cisco, Cisco IOS, the Cisco IOS logo, Cisco Systems,
the Cisco Systems logo, the Cisco Systems Cisco Press logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, FastSwitch,
GeoTel, IOS, IP/TV, IPX, LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, TeleRouter, and
VCO are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this
document are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any of its
resellers. (0004R)

Cisco AAA Implementation Case Study


Copyright © 2000, Cisco Systems, Inc.
All rights reserved.
CONTENTS

Preface xi

Purpose xi

Audience xi

Scope xi

Related Documentation and Sites xii

Software Used in This Case Study xii

Hardware Used in This Case Study xii

Document Conventions xiii

Command Syntax Conventions xiii

Cisco Connection Online xiii

Documentation CD-ROM xiv

Providing Documentation Feedback xiv

Acknowledgements xv

CHAPTER 1 Cisco AAA Case Study Overview 1-1

1.1 AAA Technology Summary 1-1

1.1.1 AAA RFC References 1-2

1.2 TACACS+ Overview 1-2

1.3 RADIUS Overview 1-3

1.4 Comparison of TACACS+ and RADIUS 1-4

1.4.1 UDP and TCP 1-4


1.4.2 Packet Encryption 1-4

1.4.3 Authentication and Authorization 1-5

1.4.4 Multiprotocol Support 1-5

1.4.5 Router Management 1-5

1.4.6 Interoperability 1-6

1.4.7 Attribute-Value Pairs (AVPs) 1-6

1.5 Differences in Implementing Local and Server AAA 1-6

1.6 Scenario Description 1-8

1.7 Planning Your Network 1-9

1.8 Network Service Definitions 1-10

1.8.1 Authentication Policy 1-10


1.8.2 Authorization Policy 1-11

1.8.3 Accounting Policy 1-11

1.9 Security Implementation Policy Considerations 1-12

1.10 Network Equipment Selection 1-13

1.11 Task Check List 1-14

CHAPTER 2 Implementing the Local AAA Subsystem 2-1

2.1 Implementing Local Dialup Authentication 2-2

2.2 Implementing Local Dialup Authorization 2-5

2.3 Implementing Local Router Authentication 2-8

2.4 Implementing Local Router Authorization 2-10

2.5 Implementing Local Router Accounting 2-12

CHAPTER 3 Implementing Cisco AAA Servers 3-1

3.1 Installing CiscoSecure for UNIX with Oracle 3-2

3.1.1 Creating Oracle Tablespace 3-2

3.1.2 Verifying the Oracle Database Instance 3-3

3.1.3 Installing CiscoSecure for UNIX 3-5

3.1.4 Creating and Verifying Basic User Profile 3-10

CHAPTER 4 Implementing the Server-Based AAA Subsystem 4-1

4.1 Implementing Server-Based TACACS+ Dialup Authentication 4-2

4.2 Implementing Server-Based TACACS+ Dialup Authorization 4-4

4.3 Implementing Server-Based RADIUS Dialup Authentication 4-6

4.4 Implementing Server-Based RADIUS Dialup Authorization 4-8


4.5 Implementing Server-Based TACACS+ Router Authentication 4-10

4.6 Implementing Server-Based TACACS+ Router Authorization 4-13

CHAPTER 5 Implementing Server-Based AAA Accounting 5-1

5.1 Implementing Server-Based RADIUS Dial Accounting 5-1

5.2 Implementing Server-Based TACACS+ Router Accounting 5-4

5.3 AAA Disconnect Cause Code Descriptions 5-6

CHAPTER 6 Diagnosing and Troubleshooting AAA Operations 6-1

6.1 Overview of Authentication and Authorization Processes 6-2

6.2 Troubleshooting AAA Implementation 6-7


6.2.1 Troubleshooting Methodology Overview 6-7

6.2.2 Cisco IOS Debug Command Summary 6-7

6.3 AAA Troubleshooting Basics 6-8

6.3.1 Troubleshooting Dial-Based Local Authentication 6-9

6.3.2 Troubleshooting Dial-Based Server Authentication 6-10

6.3.3 Troubleshooting Dial-Based Local Authorization 6-13

6.3.4 Troubleshooting Dial-Based Server Authorization 6-15

6.3.5 Troubleshooting Router-Based Local Authentication 6-19

6.3.6 Troubleshooting Router-Based Server Authentication 6-21

6.3.7 Troubleshooting Router-Based Local Authorization 6-24

6.3.8 Troubleshooting Router-Based Server Authorization 6-26

6.4 Troubleshooting Scenarios 6-29

6.4.1 Isolating Incorrect TACACS+ Key in NAS or AAA Server (TACACS+ Dial-Based Server Authentication) 6-29
6.4.2 Isolating Invalid User Password (TACACS+ Dial-Based Server Authentication) 6-30

6.4.3 Isolating Non-Existent User (TACACS+ Dial-Based Server Authentication) 6-31

6.4.4 Isolating Missing PPP Service Definition (TACACS+ Dial-Based Server Authorization) 6-33

6.4.5 Isolating Defined AVPs not Being Assigned (TACACS+ Dial-Based Server Authorization) 6-34

6.4.6 Isolating Missing Shell Service Definition (TACACS+ Dial-Based Server Authorization) 6-35

6.4.7 Isolating Incorrect PPP Reply Attributes (RADIUS Dial-Based Server Authorization) 6-36

APPENDIX A AAA Device Configuration Listings A-1

A.1 Sample Cisco IOS Configuration Listings A-1

A.1.1 Example Local-Based Router AAA Configuration A-2

A.1.2 Example Server-Based TACACS+ NAS Configuration A-5

A.1.3 Example Server-Based RADIUS NAS Configuration A-9

A.2 Router AAA Command Implementation Descriptions A-13

A.3 NAS AAA Command Implementation Descriptions A-13

A.4 CiscoSecure for UNIX Configuration Listings A-15

A.4.1 CSU.cfg Listing A-16

A.4.2 CSConfig.ini Listing A-19

A.4.3 Oracle User Environment Variable A-23

A.4.4 listener.ora Listing A-24

A.5 CiscoSecure Log Files A-25


APPENDIX B AAA Impact on Maintenance Tasks B-1

APPENDIX C Server-Based AAA Verification Diagnostic Output C1

C.1 Server-Based TACACS+ Dialup Authentication Diagnostics C1

C.2 Server-Based TACACS+ Dialup Authorization Diagnostics C2

C.3 Server-Based RADIUS Dialup Authentication Diagnostics C4

C.4 Server-Based RADIUS Dialup Authorization Diagnostics C5

C.5 Server-Based TACACS+ Router Authentication Diagnostics C7

C.6 Server-Based TACACS+ Router Authorization Diagnostics C9

C.6.1 Test Results for rtr_low Group C9

C.6.2 Test Results for rtr_tech Group C14


C.6.3 Test Results for rtr_super Group C20

INDEX

FIGURES

Figure 1-1 AAA-Based, Secure Network Access Scenario 1-2

Figure 1-2 Local-Based Access Options 1-7

Figure 1-3 Server-Based Access Options 1-8

Figure 2-1 Local-Based Dial Access Environment 2-2

Figure 2-2 Local-Based Router Environment 2-8

Figure 3-1 AAA-Based, Secure Network Access Scenario 3-1

Figure 4-1 Basic AAA Case Study Environment 4-2

Figure 4-2 Server-Based Dial Environment (TACACS+) 4-2

Figure 4-3 Server-Based Dial Environment (RADIUS) 4-6

Figure 4-4 Server-Based VTY Access (Telnet) 4-10

Figure 4-5 TACACS+ Authentication and Authorization Verification Methodology 4-14

Figure 6-1 Basic AAA Case Study Environment 6-2

Figure 6-2 Dial Access Authentication and Authorization Flow Diagram 6-3

Figure 6-3 RADIUS Dial Access Authentication and Authorization Process 6-4

Figure 6-4 TACACS+ Dial Access Authentication and Authorization Session (EXEC Enabled) 6-5

Figure 6-5 TACACS+ Dial Access Authentication and Authorization Session (EXEC Shell Disabled) 6-6

TABLES

Table 1-1 Comparison of RADIUS and TACACS+ 1-4

Table 1-2 Examples of RADIUS AVPs 1-6

Table 1-3 Examples of TACACS+ AVPs 1-6

Table 1-4 General Service Definition Checklist 1-9

Table 1-5 AAA Service Definition Checklist 1-10

Table 1-6 AAA Security Checklist 1-12

Table 1-7 AAA Task Checklist 1-14

Table 4-1 Group Profile Command Summary 4-13

Table 5-1 AAA Disconnect Cause Code Listings 5-6

Table 6-1 Single User Failure; Individual Dial-in User Connection Fails 6-9

Table 6-2 Multiple User Failure; All Dial-in Users Unable to Connect to NAS 6-9

Table 6-3 Single User Failure; Individual User Unable to Make Connection (RADIUS and TACACS+) 6-10

Table 6-4 Multiple User Failure; All Dial-in Users Unable to Connect to NAS (RADIUS and TACACS+) 6-12

Table 6-5 User Cannot Start PPP 6-13

Table 6-6 Network Authorization Fails 6-14

Table 6-7 Unable to Access Specific Host or Network Service 6-14

Table 6-8 Multilink Fails 6-14

Table 6-9 Multiple Users Cannot Start PPP (RADIUS and TACACS+) 6-16

Table 6-10 Network Authorization Fails (RADIUS and TACACS+) 6-17

Table 6-11 User or Group Members Unable to Access Specific Host or Network Service (RADIUS and TACACS+) 6-17
Table 6-12 Multilink Fails (TACACS+) 6-18

Table 6-13 Multilink Fails (RADIUS) 6-18

Table 6-14 Session Fails to Disconnect After Expected Idle Timeout (TACACS+) 6-18

Table 6-15 Session Fails to Disconnect After Expected Idle Timeout (RADIUS) 6-18

Table 6-16 No EXEC Shell for TACACS+ 6-19

Table 6-17 No EXEC Shell for RADIUS 6-19

Table 6-18 Cannot Start Concurrent Sessions (TACACS+) 6-19

Table 6-19 Cannot Start Concurrent Sessions (RADIUS) 6-19

Table 6-20 Single User Failure; Individual Dial-in User Connection Fails 6-20

Table 6-21 Multiple User Failure; All Dial-in Users Unable to Connect to Router 6-20

Table 6-22 Users Can Access Router by Using Console or VTY, but Not Both 6-21


Table 6-23 Single User Failure; Individual User Unable to Make a Connection 6-22

Table 6-24 Multiple User Failure; All Dial-In Users Unable to Connect to the Router 6-23

Table 6-25 Users Pass Authentication on Console or VTY, but Not Both 6-24

Table 6-26 User Fails Router Command 6-25

Table 6-27 User Disconnected After Entering a Password 6-25

Table 6-28 Users Access Incorrect Privilege Level Commands 6-26

Table 6-29 Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected” 6-26

Table 6-30 User Fails Router Command 6-27

Table 6-31 User Disconnected After Entering Password 6-27

Table 6-32 Users Access Incorrect Privilege Level Commands 6-28

Table 6-33 Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected” 6-28

Table 6-34 Router User Unable to Initiate Shell Session with Router 6-28

Table 6-35 AVPs Not Working on Console Port 6-28

Table A-1 Cisco IOS Commands Required to Set AAA for a Router A-13

Table A-2 Cisco IOS Commands Used to Set AAA with PPP for NAS (RADIUS and TACACS+) A-14

Preface

This case study describes various Cisco-based security and accounting capabilities for monitoring and
managing access within a large-scale dial environment.

Purpose
This Internetworking Solutions Guide (ISG) case study provides examples intended to be models for
building an effective, Cisco AAA-based security environment for dial-based and router environments.
In following the procedures and recommendations provided in this document, readers should be able to:
• Understand the working relationship among various Cisco AAA components, including NASs,
AAA servers, and the AAA database.
• Configure and verify operation for these AAA components.
• Troubleshoot typical problems found in AAA environments.

Audience
The audience for this document consists of network engineers supporting large-scale dial networks. The
audience is expected to have a basic understanding of Cisco IOS software, and a working knowledge of
both the UNIX operating system and CiscoSecure for UNIX user interface.

Scope
This case study provides:
• Complete network device configurations and specific fragments to support implementation task
descriptions.
• Example diagnostic output showing verification of correct configuration.
• Troubleshooting output for problem scenarios, showing misconfigurations and other AAA
environment failures.
• A foundation from which effective AAA-based security solutions can be tailored to specific
network requirements.
The information provided here does not include advanced tuning tips—nor does it provide a primer for
the uninitiated novice. In addition, site planning and preparation are beyond the scope of this case study.

Related Documentation and Sites


The following URLs provide the essentials for preparing to install Cisco Secure for UNIX and NT:
• CiscoSecure ACS for UNIX
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx

• CiscoSecure ACS for NT


http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt23

• Oracle database implementation


http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csinstl.htm

Software Used in This Case Study


The features and capabilities described in this case study require these software versions:
• Cisco IOS 12.0(7)T
• OS Solaris 2.5(1)
• CiscoSecure for UNIX 2.3(3)
• Oracle DB Server 7.3(4)
• Oracle DB Client 7.3(4)
• SQL*Plus: Release 3.3.4.0.1
To identify other software versions that might apply, please contact your Cisco customer service
representative.

Hardware Used in This Case Study


This case is built on a production environment consisting of a single authentication, authorization, and
accounting (AAA) server, an Oracle-based AAA database, a Cisco network access server (NAS), and a
router. The diagnostic captures and system configurations provided in this case study were derived from
the following systems:
• Cisco AS5300 or Cisco AS5800 network access server (NAS)
• Cisco 7206 VXR router
• Sun Microsystems server (UltraSPARC Enterprise 2 Model)
– Two 200 MHz processors
– One GB RAM
– One internal 4.2 GB disk drive
– CD-ROM drive
The system used as a platform for CiscoSecure ACS for UNIX 2.3 must meet the minimum system
specifications described in the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/instl23.htm

Document Conventions
Convention   Description
italic       File names, paths to files, user names, and group names used in descriptions. Example: /var/log/csuslog
< >          Angle brackets show nonprinting characters, such as passwords.
!            An exclamation point at the beginning of a line indicates a comment line. (Exclamation points are also displayed by the Cisco IOS software for certain processes.)
[ ]          Square brackets show default responses to system prompts.

Command Syntax Conventions


Convention   Description
bold         Command or keyword that you must enter. This format is used for commands, paths to files, and file names when used within an example illustrating required input.
italic       Argument for which you supply a value.
[x]          Optional keyword or argument that you enter.
{x | y | z}  Required keyword or argument that you must enter.
[x {y | z}]  Optional keyword or argument that you enter with a required keyword or argument.
string       Set of characters that you enter. Do not use quotation marks around the character string, or the string will include the quotation marks.
screen       Information that appears on the screen.
             Important line of text in an example.
^ or Ctrl    Control key; for example, ^D means press the Control and the D keys simultaneously.
< >          Nonprinting characters, such as passwords.
!            Comment line at the beginning of a line of code.

Cisco Connection Online


Cisco Connection Online (CCO) is the primary, real-time support channel for Cisco Systems.
Maintenance customers and partners can self-register on CCO to obtain additional information and
services.

Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services
to customers and business partners of Cisco Systems. CCO services include product information,
product documentation, software updates, release notes, technical tips, the Bug Navigator,
configuration notes, brochures, descriptions of service offerings, and download access to public and
authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced
simultaneously: a character-based version and a multimedia version that resides on the World Wide
Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet
e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version
of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as
hyperlinks to related information.
You can access CCO in the following ways:
• http://www.cisco.com
• http://www-europe.cisco.com
• http://www-china.cisco.com
• Telnet: cco.cisco.com
• Modem: From North America, 408 526-8070; from Europe, 33 1 64 46 40 82. Use the following
terminal settings: VT100 emulation; databits: 8; parity: none; stop bits: 1; and connection rates up
to 28.8 kbps.
For a copy of the CCO Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional
information, contact cco-team@cisco.com.

Note If you are a network administrator and need personal technical assistance with a Cisco
product that is under warranty or covered by a maintenance contract, contact the Cisco
Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To
obtain general information about Cisco Systems, Cisco products, or upgrades, contact
800 553-6387, 408 526-7208, or cs-rep@cisco.com.

Documentation CD-ROM
Cisco documentation and additional literature are available in a CD-ROM package, which ships with
your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated
monthly; therefore, it might be more current than printed documentation. To order additional copies of
the Documentation CD-ROM, contact your local sales representative or call customer service. The
CD-ROM package is available as a single package or as an annual subscription. You can also access
Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com,
or http://www-europe.cisco.com.

Providing Documentation Feedback


If you are reading Cisco product documentation on the World Wide Web, you can submit comments
electronically. Click Feedback in the toolbar and select Documentation. After you complete the form,
click Submit to send it to Cisco.
You can also submit feedback on Cisco documentation as follows:

• Mail in the Cisco Reader Comment Card located at the front of this book
• Send an e-mail to bug-doc@cisco.com
• Send a fax to 408 527-8089
We appreciate your comments.

Acknowledgements
This ISG case study was created as a collaborative effort. The following team members participated in
the creation of this document: Joellen Amato, Dave Anderson, Robert “Bob” Brown, Alan Dowling,
Dianne Dunlap, Paul Hafeman, Anthony Hall, Kim Lew, Robert Lewis, Dave Leyland, Brian Murphy,
Dang Nguyen, Nilesh Panicker, Anjali Puri, Robert Sargent, David Sims, Tim Stevenson, Kris
Thompson, Craig Tobias, and Syed Atif Ullah.

CHAPTER 1
Cisco AAA Case Study Overview

This chapter summarizes the technology behind AAA security solutions, outlines typical network
definitions and network assumptions adopted for this case study, and lists tasks associated with
implementing, verifying, and troubleshooting the AAA environment presented. Specific sections
provided here are:
• 1.1 AAA Technology Summary
• 1.2 TACACS+ Overview
• 1.3 RADIUS Overview
• 1.4 Comparison of TACACS+ and RADIUS
• 1.5 Differences in Implementing Local and Server AAA
• 1.6 Scenario Description
• 1.7 Planning Your Network
• 1.8 Network Service Definitions
• 1.9 Security Implementation Policy Considerations
• 1.10 Network Equipment Selection
• 1.11 Task Check List

1.1 AAA Technology Summary


Dial access presents a challenge to network managers entrusted with network security. This case study
illustrates essential steps in planning and implementing authentication, authorization, and accounting
(AAA) technologies based on Cisco product capabilities.
For the purposes of this case study, the following generic definitions apply:
• Authentication: The process of validating the claimed identity of an end user or a device, such as a
host, server, switch, router, and so on.
• Authorization: The act of granting access rights to a user, groups of users, system, or a process.
• Accounting: The methods to establish who, or what, performed a certain action, such as tracking
user connection and logging system users.
Figure 1-1 illustrates a generalized view of a Cisco-based AAA environment, featuring a network
access server (NAS) and AAA server. This basic arrangement forms the foundation for this case study.

Figure 1-1 AAA-Based, Secure Network Access Scenario

[Figure not reproduced. Elements shown: clients, modems, analog lines, PRI lines, PSTN, Cisco AS5x00 server with integrated modems, AAA server, Oracle dB server, DNS, network element management server (NTP, Syslog, SNMP), IP intranet, default gateway, Internet firewall, Internet.]
In the context of the Cisco-based AAA environment addressed here, the key operational elements are
network access servers (NASs), routers, and CiscoSecure Access Control Server for UNIX servers
(referred to in this document as AAA servers). Depending on the conventions and requirements of your
particular design, you can select a security environment which utilizes Terminal Access Controller
Access Control System Plus (TACACS+) or Remote Authentication Dial-in User Service (RADIUS).
This case study addresses implementation of both environments.

1.1.1 AAA RFC References


Requests for Comments (RFCs) play a crucial role in defining the behavior of devices in complex
networking environments. The following RFCs are useful references for TACACS+ and RADIUS:
• TACACS+: http://www.cisco.com/warp/public/459/tac-rfc.1.76.txt
• TACACS: http://www.ietf.org/rfc/rfc1492.txt
• MD5: http://www.ietf.org/rfc/rfc1321.txt
• RADIUS: http://www.ietf.org/rfc/rfc2138.txt

1.2 TACACS+ Overview


Key TACACS+ features:
• TACACS+ separates AAA into three distinct functions (Authentication, Authorization and
Accounting).
• TACACS+ supports router command authorization integration with advanced authentication
mechanisms, such as Data Encryption Standard (DES) and One-Time Password (OTP) key.
• TACACS+ supports 16 different privilege levels (0-15).

• TACACS+ permits the control of services, such as Point-to-Point Protocol (PPP), shell, standard
login, enable, AppleTalk Remote Access (ARA) protocol, Novell Asynchronous Services Interface
(NASI), remote command (RCMD), and firewall proxy.
• TACACS+ permits the blocking of services to a specific port, such as a TTY or VTY interface on
a router.
The most common services supported by TACACS+ are PPP for IP and router EXEC shell access using
console or VTY ports. EXEC shell allows users to connect to router shells and select services, such as
PPP, Telnet, TN3270, or manage the router itself.
Many TACACS+ servers are available on the market today; however, the AAA server is designed
specifically to be scalable and compatible with Cisco's broad line of routers, access servers, and
switches. Hence, this case utilizes the Cisco AAA server as the TACACS+ server of choice.
When configured correctly, the AAA server validates AAA and responds to requests from routers and
access servers with a pass or fail signal. The AAA server contains an internal database sized to 5000
users; therefore, an external Oracle database is used in our case study for user account attributes and
billing information.
The AAA server acts as a proxy server by using TACACS+ to authenticate, authorize, and account for
access to Cisco routers and network access servers.

1.3 RADIUS Overview


The RADIUS protocol was developed by Livingston Enterprises, Inc., as an access server authentication
and accounting protocol. The RADIUS specification (RFC 2138) is a proposed standard protocol, and the
RADIUS accounting specification (RFC 2139) is informational.
Although TACACS+ is considered to be more versatile, RADIUS is the AAA protocol of choice for
enterprise ISPs because it uses fewer CPU cycles and is less memory intensive.
Communication between a network access server (NAS) and a RADIUS server is based on the User
Datagram Protocol (UDP). Generally, the RADIUS protocol is considered a connectionless service.
Issues related to server availability, retransmission, and timeouts are handled by the RADIUS-enabled
devices rather than the transmission protocol.
RADIUS is a client/server protocol. The RADIUS client is typically a NAS and the RADIUS server is
usually a daemon process running on a UNIX or Windows NT machine. The client passes user
information to designated RADIUS servers and acts on the response that is returned. RADIUS servers
receive user connection requests, authenticate the user, and then return the configuration information
necessary for the client to deliver services to the user. A RADIUS server can act as a proxy client to
other RADIUS servers or other kinds of authentication servers.

1.4 Comparison of TACACS+ and RADIUS


Table 1-1 summarizes the differences between RADIUS and TACACS+.

Table 1-1 Comparison of RADIUS and TACACS+

RADIUS:  RADIUS uses UDP.
TACACS+: TACACS+ uses TCP.

RADIUS:  RADIUS encrypts only the password in the access-request packet; less secure.
TACACS+: TACACS+ encrypts the entire body of the packet; more secure.

RADIUS:  RADIUS combines authentication and authorization.
TACACS+: TACACS+ uses the AAA architecture, which separates authentication, authorization, and accounting.

RADIUS:  Industry standard (created by Livingston).
TACACS+: Cisco proprietary.

RADIUS:  RADIUS does not support ARA access, NetBIOS Frame Protocol Control protocol, NASI, and X.25 PAD connections.
TACACS+: TACACS+ offers multiprotocol support.

RADIUS:  RADIUS does not allow users to control which commands can be executed on a router.
TACACS+: TACACS+ provides two ways to control the authorization of router commands: on a per-user or per-group basis.

1.4.1 UDP and TCP


RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a
connection-oriented transport, while UDP offers best effort delivery. RADIUS requires additional
programmable variables, such as retransmit attempts and time-outs to compensate for best-effort
transport, and it lacks the level of built-in support that reliable transport offers:
• Using TCP provides a separate acknowledgment (the TCP ACK) that a request has been received,
within approximately one network round-trip time (RTT), regardless of bandwidth.
• TCP provides immediate indication of a crashed (or not running) server through RST packets. If you
use long-lived TCP connections, you can determine when a server has crashed and when it has come
back up. UDP cannot distinguish a server that is out of service from one that is slow or nonexistent.
• By using TCP keepalives, you can detect server crashes out-of-band from actual requests.
Connections to multiple servers can be maintained simultaneously, and you only need to send
messages to the servers that are known to be up and running.
• TCP is more scalable than UDP.

1.4.2 Packet Encryption


RADIUS encrypts only the password in the access-request packet from the client to the server. The
remainder of the packet is in the clear. Other information, such as username, authorized services, and
accounting, can be captured by a third party.
RADIUS can use encrypted passwords by using the UNIX /etc/password file; however, this process is
slow because it involves a linear search of the file.

TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the
header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful
to have the body of the packets in the clear. However, normal operation fully encrypts the body of the
packet for more secure communications.
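The difference described in this section can be seen by building both packets. The following Python is an added example, not code from the case study or from CiscoSecure: it hides a RADIUS User-Password the way RFC 2138 section 5.2 specifies and XORs a TACACS+ body with the MD5 pseudo-pad described in the TACACS+ draft linked in section 1.1.1, then shows what stays readable on the wire in each case. The shared secret, Request Authenticator and session id are constructed sample values.

```python
"""Added example: RADIUS hides only the password; TACACS+ hides the whole body."""
import hashlib
import struct

# Constructed sample secret; a real deployment uses a long random shared secret.
SHARED_SECRET = b"constructed-shared-secret"


# ---------------------------------------------------------------- RADIUS ----
def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2138 5.2: pad with NULs to a multiple of 16 octets, then XOR each block
    with MD5(secret + previous cipher block). Block 0 uses the 16-octet Request
    Authenticator in place of a previous cipher block."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key_stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_stream))
        hidden += block
        prev = block  # chaining: the next block is keyed on this cipher block
    return bytes(hidden)


def radius_reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same scheme; strips the NUL padding afterwards."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    clear, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key_stream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, key_stream))
        prev = block
    return bytes(clear).rstrip(b"\x00")


def radius_access_request(ident: int, request_auth: bytes, username: bytes,
                          password: bytes, secret: bytes) -> bytes:
    """Code 1 (Access-Request) carrying User-Name (type 1) and User-Password (type 2).
    Only the User-Password value is hidden; User-Name travels in the clear."""
    def avp(attr_type: int, value: bytes) -> bytes:
        return struct.pack("!BB", attr_type, len(value) + 2) + value
    attrs = avp(1, username) + avp(2, radius_hide_password(password, secret, request_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs


def radius_attributes(packet: bytes) -> dict:
    """Parse the attribute list back out: this is what a passive observer can read."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


# --------------------------------------------------------------- TACACS+ ----
TAC_PLUS_VERSION = 0xC0            # major version 0xc, minor version 0
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in the clear (debugging)
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5{session_id, key, version, seq_no}; MD5_n = MD5{..., MD5_n-1}."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1,
                  encrypted: bool = True, packet_type: int = TAC_PLUS_AUTHEN) -> bytes:
    """12-octet header (version, type, seq_no, flags, session_id, length) plus body.
    The header is always in the clear; the body is XORed with the pad unless the
    unencrypted flag is set."""
    flags = 0 if encrypted else TAC_PLUS_UNENCRYPTED_FLAG
    if encrypted:
        pad = tacacs_pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
        body = bytes(b ^ p for b, p in zip(body, pad))
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, packet_type, seq_no, flags,
                         session_id, len(body))
    return header + body


def tacacs_body(packet: bytes, key: bytes) -> bytes:
    """Receiver side: XOR is its own inverse, so regenerating the pad recovers the body."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ p for b, p in zip(body, pad))


if __name__ == "__main__":
    auth = bytes(range(16))  # constructed; a NAS uses 16 random octets per request
    req = radius_access_request(7, auth, b"alice", b"pa55word", SHARED_SECRET)
    print("RADIUS User-Name readable on the wire:", b"alice" in req)
    print("RADIUS password readable on the wire:", b"pa55word" in req)
    tac = tacacs_packet(b"user=alice service=ppp", 0x1234ABCD, SHARED_SECRET)
    print("TACACS+ username readable on the wire:", b"alice" in tac)
```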

1.4.3 Authentication and Authorization


RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS
server to the client contain authorization information, making it difficult to decouple authentication and
authorization.
TACACS+ uses the AAA architecture, which separates authentication, authorization, and accounting.
This architecture allows separate authentication solutions that can still use TACACS+ for authorization
and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and
TACACS+ authorization and accounting. After a NAS passes authentication on a Kerberos server, it
requests authorization information from a TACACS+ server without having to re-authenticate the NAS
by using the TACACS+ authentication mechanism. The NAS informs the TACACS+ server that it has
successfully passed authentication on a Kerberos server, and the server then provides authorization
information.
During a session, if additional authorization checking is needed, the access server checks with a
TACACS+ server to determine if the user is granted permission to use a particular command. This
provides greater control, compared to RADIUS, over the commands that can be executed on the access
server while decoupling the authorization process from the authentication mechanism.

1.4.4 Multiprotocol Support


RADIUS does not support the following protocols (which are supported by TACACS+):
• AppleTalk Remote Access (ARA) protocol
• Net BIOS Frame Protocol Control protocol
• Novell Asynchronous Services Interface (NASI)
• X.25 PAD connection

1.4.5 Router Management


RADIUS does not allow users to control which commands can be executed on a router and which
cannot; therefore, when compared with TACACS+, RADIUS is not as useful for router management and
is not as flexible for terminal services.
TACACS+ provides two ways to control the authorization of router commands on a per-user or
per-group basis. The first way is to assign privilege levels to commands and have the router verify with
the TACACS+ server whether or not the user is authorized at the specified privilege level. The second
way is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands
that are allowed.


1.4.6 Interoperability
The RADIUS standard does not guarantee interoperability. Although several vendors implement
RADIUS clients, this does not ensure they are interoperable. There are approximately 45 standard
RADIUS attributes. Using standard attributes improves the likelihood of interoperability; using
proprietary extensions reduces it.

1.4.7 Attribute-Value Pairs (AVPs)


Throughout this case study, implementation tasks and diagnostic procedures refer to attribute-value
pairs (AVPs). Each AVP consists of a type identifier associated with one or more assignable values.
AVPs specified in user and group profiles define the authentication and authorization characteristics for
their respective users and groups. TACACS+ and RADIUS implement an array of AVPs, each with
separate type definitions and characteristics. Table 1-2 and Table 1-3 illustrate several typical AVPs.

Table 1-2 Examples of RADIUS AVPs

Attribute        Type of Value
User-Name        String
Password         String
CHAP-Password    String
Client-Id        IP address
Login-Host       IP address
Login-Service    Integer
Login-TCP-Port   Integer

Table 1-3 Examples of TACACS+ AVPs

Attribute    Type of Value
Inacl        Integer
Addr-pool    String
Addr         IP address
Idletime     Integer
protocol     Keyword
timeout      Integer
Outacl       Integer

1.5 Differences in Implementing Local and Server AAA


AAA requirements differ between local-based and server-based environments. Throughout this case
study, procedures and examples refer to scenarios based on this important distinction.
In local-based AAA access, users are permitted or denied access based on local AAA IOS account
configuration. For the purposes of this case study, local-based AAA access features these attributes:


• User accounts are stored in router or NAS configurations.


• AVPs are supported only from EXEC shell terminal access.
• A limited set of AVPs is supported.
• AAA negotiation is performed internally by the Cisco IOS and is not protocol specific.
Figure 1-2 illustrates three local-based connectivity situations to consider:
• Local-based console access
• Local-based virtual terminal type (VTY) connections
• Local-based dial access

Figure 1-2 Local-Based Access Options

[Figure: three local-based access paths into a router or NAS: local-based console access; local-based VTY access (Telnet) over IP; local-based dial access over the PSTN through a modem.]

In server-based AAA access, users and groups are permitted or denied access based on AAA
negotiations between a router or NAS and the AAA server. Server-based AAA access has the following
attributes:
• User or group profiles and accounting records stored in an internal or external database
• AVPs supported on both standard and EXEC shell-initiated PPP sessions
• Wide array of AVPs supported, including vendor-specific (non-Cisco) AVPs
Figure 1-3 illustrates the three server-based connectivity situations:
• Server-based console access
• Server-based VTY connections
• Server-based dial access


Figure 1-3 Server-Based Access Options

[Figure: the same three access paths, each with an AAA server reached over IP: server-based console access; server-based VTY access (Telnet); server-based dial access over the PSTN through a modem.]
Each connectivity scenario illustrated in Figure 1-2 and Figure 1-3 involves situation-specific
requirements. As a result, each scenario also contains situation-specific implementation and
troubleshooting considerations. The diagnostic chapters that follow present a series of implementation
steps (configuring, verifying, and testing), symptoms, problems, and suggested diagnostic processes that
reflect both the differences and the similarities among these scenarios.

1.6 Scenario Description


The baseline network environment for a hypothetical access network scenario is used as a foundation
for assessing the application of various security and management features available from Cisco.
Figure 1-1 (presented in “1.1 AAA Technology Summary”) illustrates the underlying network
environment and relationship between AAA components. The high-level AAA objectives are:
• Enable secure dialup service to access an intranet and the Internet by using the public switched
telephone network (PSTN).
• Build a manageable, redundant, and secure access strategy that supports large dialup access
implementations.
• Provide versatile means of controlling administrative access to routers.


• Account for configuration changes in routers.

1.7 Planning Your Network


A network design engineer meets with each company to complete the following tasks:
• Complete a needs assessment dial questionnaire.
• Create a user-network service definition.
• Recommend a network implementation and operation strategy.
The following tables present two checklists that were completed for this case study. Table 1-4 focuses
on general networking issues. Table 1-5 focuses on AAA implementation issues. Both checklists apply
to a hypothetical network referred to in this case as Access Network.

Table 1-4 General Service Definition Checklist

Question: What media do you want to use to provide dialup service?
Policy:   Plain old telephone service (POTS) analog modems
          ISDN

Question: How many dial-in users does the new equipment need to support over the next 3 months, 1 year, and 5 years?
Policy:   3 months: 2000 users
          1 year: 5,000 users
          5 years: 10,000 users

Question: What kind of remote nodes do you want to support?
Policy:   Modems, terminal adapters, ISDN modems

Question: When users connect to modems, what will they be allowed to do?
Policy:   Support EXEC shell sessions (async terminal service)
          Support PPP sessions

Question: Will you allow users to change their own passwords? If yes, how?
Policy:   Yes
          EXEC shell (character-mode session)

Question: What kind of dialup operating systems do you want to support?
Policy:   Windows, UNIX, Macintosh

Question: Do you want to support remote routers?
Policy:   Async DDR or multiple B-channel access

Question: Do you want to use an external authentication database such as Windows NT or Novell NDS?
Policy:   Yes, Oracle

Question: Do you want to support per-user protocol and attribute definitions?
Policy:   Yes

Question: Do you want to support dial out?
Policy:   No

Question: Do you want to support PPP timeouts?
Policy:   No

Question: Do you want to work with an existing accounting system?
Policy:   Yes

Question: Do you have an existing network element server?
Policy:   Yes


Table 1-5 AAA Service Definition Checklist

Question: What AAA protocols do you plan to deploy?
Policy:   RADIUS and TACACS+

Question: Where do you want the users’ passwords to be stored?
Policy:   External Oracle database

Question: Do you plan to support one-time passwords? If so, what tool do you plan to use to support this requirement?
Policy:   No

Question: Do you intend to implement database replication?
Policy:   No

Question: Do you require support for token caching?
Policy:   No

Question: What type of accounts currently exist?
Policy:   UNIX, NT

Question: Do you plan to implement an AAA server? If so, on which product?
Policy:   Yes, CiscoSecure for UNIX

Question: What database do you plan to use?
Policy:   External, Oracle

1.8 Network Service Definitions


Based on the checklist information provided in Table 1-4 and Table 1-5, the following service
definitions (stated as policies) can be asserted for this environment.
Dialup and router shell access AAA requirements are characterized in the following sections:
• 1.8.1 Authentication Policy
• 1.8.2 Authorization Policy
• 1.8.3 Accounting Policy

1.8.1 Authentication Policy


Separate the authentication policy into two distinct sections: router administration and dialup PPP.
Policies relating to router administration involve creating support for the following two authentication
elements:
• DES passwords stored in external database
• Local user if connection to AAA server is down
Policies relating to dialup PPP involve creating support for the following two authentication elements:
• Password Authentication Protocol (PAP) for dialup PPP authentication
• Challenge Handshake Authentication Protocol (CHAP) for remote ISDN devices


1.8.2 Authorization Policy


Separate the authorization policy into two distinct sections: router administration and dialup PPP.
Policies relating to router administration involve creating support for the following authorization
elements:
• Privilege level 15 command authorization
• Three levels of router administration command control (low, medium, and high)
• Privilege level 15 assigned to local users, which is valid only if an AAA server is down
Policies relating to dialup PPP involve creating support for the following authorization elements:
• Apply autocommand ppp negotiate to all groups other than router administrators
• Access control list filtering as required
• AVP support for all dial access devices
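A worked example of the second TACACS+ command-control method from "1.4.5 Router Management" (explicit per-group command lists), added here and not CiscoSecure's own policy syntax or code: it evaluates the cmd and cmd-arg AVPs a Cisco IOS NAS sends in a command-authorization request against ordered permit/deny rules for the three administration levels (low, medium, high) named in the authorization policy above, with an implicit deny at the end of every list. The group names, rule contents and sample requests are assumptions.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str        # "permit" or "deny"
    cmd: str           # regex matched against the whole command keyword
    args: str = ".*"   # regex matched against the joined cmd-arg values


@dataclass
class Group:
    name: str
    rules: list = field(default_factory=list)   # evaluated top to bottom

    def authorize(self, cmd, cmd_args=()):
        """First matching rule wins; a command matching no rule is denied."""
        argstr = " ".join(cmd_args)
        for rule in self.rules:
            if re.fullmatch(rule.cmd, cmd) and re.fullmatch(rule.args, argstr):
                return rule.action == "permit"
        return False


def parse_author_avs(avs):
    """Extract cmd and cmd-arg values from the AV pairs of a command-authorization request.

    Cisco IOS sends 'service=shell cmd=<keyword>' followed by one 'cmd-arg'
    pair per argument and a closing 'cmd-arg=<cr>'.
    """
    cmd, args = None, []
    for av in avs:
        key, _, value = av.partition("=")
        if key == "cmd":
            cmd = value
        elif key == "cmd-arg" and value != "<cr>":
            args.append(value)
    if not cmd:
        raise ValueError("authorization request carries no cmd AVP")
    return cmd, args


# Assumed policy for the three administration levels named in the case study.
POLICY = {
    "low": Group("low", [
        Rule("deny", "show", r"(running|startup)-config.*"),   # no configuration views
        Rule("permit", "show"),
        Rule("permit", "ping|traceroute"),
    ]),
    "medium": Group("medium", [
        Rule("permit", "show"),
        Rule("permit", "ping|traceroute"),
        Rule("permit", "clear", r"line .*"),
        Rule("permit", "configure", "terminal"),
        Rule("permit", "interface"),
        Rule("deny", "no", r"(aaa|username|tacacs-server|radius-server) .*"),  # keep AAA intact
        Rule("permit", "no", "shutdown"),
        Rule("permit", "shutdown"),
    ]),
    "high": Group("high", [Rule("permit", ".*")]),   # full control
}


def decide(group_name, avs):
    """Answer a NAS command-authorization request with (permitted, explanation)."""
    group = POLICY.get(group_name)
    if group is None:
        return False, "unknown group %r: deny" % group_name   # fail closed
    cmd, args = parse_author_avs(avs)
    verdict = group.authorize(cmd, args)
    return verdict, "%s: %s %s -> %s" % (group_name, cmd, " ".join(args),
                                        "permit" if verdict else "deny")


if __name__ == "__main__":
    requests = [
        ("low", ["service=shell", "cmd=show", "cmd-arg=running-config", "cmd-arg=<cr>"]),
        ("medium", ["service=shell", "cmd=no", "cmd-arg=aaa", "cmd-arg=new-model", "cmd-arg=<cr>"]),
        ("high", ["service=shell", "cmd=configure", "cmd-arg=terminal", "cmd-arg=<cr>"]),
    ]
    for group_name, avs in requests:
        print(decide(group_name, avs)[1])
```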

1.8.3 Accounting Policy


Accounting records are exported from an Oracle database using SQL queries. Separate the accounting
policy into two distinct sections: router administration and dialup PPP.
Policies relating to router administration involve creating support for the following accounting
elements:
• Failed login attempts
• Privilege level 15 commands
• Failed command authorization
• Start, stop, and elapsed times of sessions
• Source IP address of routers
Policies relating to dialup PPP involve creating support for the following accounting elements:
• Failed login attempts
• Start, stop, and elapsed time of sessions
• Disconnect cause codes
• Caller ID if applicable


1.9 Security Implementation Policy Considerations


Table 1-6 presents a checklist summarizing the key security policy elements of this case.

Table 1-6 AAA Security Checklist

Question: What is the current security policy for passwords?
Policy:   PAP for dial-in PPP users
          CHAP passwords for dialup routers
          DES passwords for router administrators

Question: What services will be denied?
Policy:   Concurrent sessions for dial-in users
          EXEC shell access for dial-in PPP users
          Access to specific hosts within the corporate intranetwork
          Access to specific network services, such as Telnet, FTP, and rlogin

Question: What type of mechanism will exist if the AAA server is down?
Policy:   Local privilege level 15 account
          Authentication and authorization disabled on console port

Question: Are local accounts allowed in routers and NASs?
Policy:   Yes

Question: What accounting information is required?
Policy:   Username
          Privilege level of clients
          Session start and stop times
          Elapsed time
          Privilege level 15 command usage
          Configuration changes
          Failed login attempts
          Failed command authorizations

Question: What type of accounting mechanism will be used?
Policy:   Customer-written SQL query to Oracle database

Question: Who is responsible for reviewing daily logs?
Policy:   Network managers

Question: Will users be allowed concurrent sessions?
Policy:   Dialup PPP = No
          Dialup router = Yes
          Router administrator = Yes

Question: What type of administrative access will be assigned to router administrators?
Policy:   Full control assigned to senior router administrators
          Basic control assigned to junior router administrators
          Customized command control for mid-level router administrators

Question: Support for Multilink?
Policy:   Yes


In addition to these considerations, security-related attributes addressed in this case include:


• Per-User Static IP Address Policy—Static IP addresses are assigned to required personnel to access
specific areas within the internetwork.
• Password Authentication and Command Authorization Policy—DES password support is
segregated into two elements: privilege level and command authorization. Within that context, three
levels of privilege are supported in this case: low, medium, and high, with high having full control
assigned. Command authorization at privilege level 15 is enforced. A local user with privilege level
15 is used in the event that the connection to the AAA server is down.

1.10 Network Equipment Selection


Figure 1-1 (presented in “1.1 AAA Technology Summary”) shows the specific devices used in the
dialup access environment. Based on the requirements detailed in Table 1-4, Table 1-5, and Table 1-6,
the following network entities were selected for this case study:
• Remote clients using modems to access the IP intranet and IP Internet through the public switched
telephone network (PSTN).
• An AAA server.
• A password authentication server.
• An external Oracle database server acts as the repository for all user profile information.
• An element management server performs basic dial access system management by using the
network time protocol (NTP), system logs (syslog), and simple network management protocol
(SNMP).
• A remote AAA server performs basic user authentication.
• A default gateway forwards packets to the IP intranet and IP Internet.


1.11 Task Check List


Table 1-7 summarizes AAA management implementation and operation activities for the hypothetical
network in this case study. This case focuses on illustrating implementation of specific AAA-related
security and management options over an Access Path implementation. Refer to Cisco AS5x00 Case
Study for Basic IP Modem Service for specifics regarding commissioning Cisco access servers to
support modem services at the following URL:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/as5xipmo/index.htm

Table 1-7 AAA Task Checklist

Task: Chapter 2, “Implementing the Local AAA Subsystem”
Topics:
    2.1 Implementing Local Dialup Authentication
    2.2 Implementing Local Dialup Authorization
    2.3 Implementing Local Router Authentication
    2.4 Implementing Local Router Authorization
    2.5 Implementing Local Router Accounting

Task: Chapter 3, “Implementing Cisco AAA Servers”
Topics:
    3.1 Installing CiscoSecure for UNIX with Oracle

Task: Chapter 4, “Implementing the Server-Based AAA Subsystem”
Topics:
    4.1 Implementing Server-Based TACACS+ Dialup Authentication
    4.2 Implementing Server-Based TACACS+ Dialup Authorization
    4.3 Implementing Server-Based RADIUS Dialup Authentication
    4.4 Implementing Server-Based RADIUS Dialup Authorization
    4.5 Implementing Server-Based TACACS+ Router Authentication
    4.6 Implementing Server-Based TACACS+ Router Authorization

Task: Chapter 5, “Implementing Server-Based AAA Accounting”
Topics:
    5.1 Implementing Server-Based RADIUS Dial Accounting
    5.2 Implementing Server-Based TACACS+ Router Accounting

Task: Chapter 6, “Diagnosing and Troubleshooting AAA Operations”
Topics:
    6.1 Overview of Authentication and Authorization Processes
    6.2 Troubleshooting AAA Implementation
        • 6.2.1 Troubleshooting Methodology Overview
        • 6.2.2 Cisco IOS Debug Command Summary
    6.3 AAA Troubleshooting Basics
    6.4 Troubleshooting Scenarios

Chapter 2
Implementing the Local AAA Subsystem

This chapter focuses on local AAA implementation and describes the following topics:
• 2.1 Implementing Local Dialup Authentication
• 2.2 Implementing Local Dialup Authorization
• 2.3 Implementing Local Router Authentication
• 2.4 Implementing Local Router Authorization

Note See “1.1 AAA Technology Summary,” in Chapter 1 for brief definitions of authentication,
authorization, and accounting as they relate to AAA security implementation.

Server-based authentication, authorization, and accounting issues are described in the following
chapters:
• Chapter 3, “Implementing Cisco AAA Servers”
• Chapter 4, “Implementing the Server-Based AAA Subsystem”
• Chapter 5, “Implementing Server-Based AAA Accounting”
• Chapter 6, “Diagnosing and Troubleshooting AAA Operations”

Caution The example configuration fragments used throughout this chapter include IP addresses,
passwords, authentication keys, and other variables that are specific to this case study. If
you use these fragments as foundations for your own configurations, be sure that your
specifications apply to your environment.


2.1 Implementing Local Dialup Authentication


These steps help you to establish local-based dial authentication as illustrated in Figure 2-1:
1. Configure basic dial access.
2. Verify basic dial access.

Figure 2-1 Local-Based Dial Access Environment

[Figure: local-based dial access: PSTN, modem, IP network.]

Step 1 Configure basic dial access.


Include the following Cisco IOS configuration commands in your configuration to construct dial access
local authentication control:
aaa new-model
aaa authentication login default local
aaa authentication ppp default if-needed local
username diallocal password xxxxxx

interface Group-Async1
ip unnumbered Loopback0
no ip directed-broadcast
encapsulation ppp
ip tcp header-compression passive
no logging event link-status
dialer in-band
dialer idle-timeout 900
async mode interactive
no snmp trap link-status
peer default ip address pool default
no fair-queue
no cdp enable
ppp max-bad-auth 3
ppp authentication pap chap
group-range 1 48

line 1 48
exec-timeout 48 0
autoselect during-login
autoselect ppp
absolute-timeout 240
script dialer cisco_default
modem InOut
modem autoconfigure type mica
transport preferred telnet
transport input all
transport output pad telnet rlogin udptn


Note See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A,
“AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA
commands.

Step 2 Verify basic dial access.


a. To verify user access, initiate a login process as follows:
maui-nas-01#login

User Access Verification

Username:diallocal
Password: <password>

b. To determine that local dial access authentication is operating correctly, enter the debug aaa
authentication and debug ppp authentication commands.
The following debug output contains only pertinent information. Enable the debugs on the NAS, then
initiate the dialup connection:
maui-nas-01#debug aaa authentication
AAA Authentication debugging is on
maui-nas-01#debug ppp authentication
PPP authentication debugging is on
maui-nas-01#show debug
General OS:
AAA Authentication debugging is on
PPP:
PPP authentication debugging is on


The following shell-initiated PPP session example shows the AAA debug output that confirms
correct configuration for local authentication:

Note The method used is LOCAL.

113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user=''
ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list=''
action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
113136: Feb 4 10:11:32.582 CST: As1 PPP: Treating connection as a callin
113137: Feb 4 10:11:32.582 CST: AAA/MEMORY: dup_user (0x61DF306C) user='dialuser'
ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=PPP priv=1
source='AAA dup lcp_reset'
113138: Feb 4 10:11:32.582 CST: As1 AAA/AUTHEN: Method=IF-NEEDED: no authentication
needed. user='diallocal' port='tty1' rem_addr='async/81560'
113139: Feb 4 10:11:32.582 CST: AAA/MEMORY: free_user (0x619C4940) user='dialuser'
ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113140: Feb 4 10:11:33.158 CST: AAA/MEMORY: dup_user (0x6193A788) user='dialuser'
ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=PPP priv=1
source='AAA dup lcp_reset'
113141: Feb 4 10:11:33.158 CST: AAA/MEMORY: free_user (0x61DF306C) user='dialuser'
ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=PPP priv=1
113142: Feb 4 10:11:33.158 CST: As1 AAA/AUTHEN: Method=IF-NEEDED: no authentication
needed. user='diallocal' port='tty1' rem_addr='async/81560'


The following example of a non-shell-initiated PPP session shows AAA debug output that confirms
correct configuration for local authentication:

Note The method used is LOCAL.

113151: Feb 4 10:13:27.670 CST: AAA/MEMORY: create_user (0x61DFE188) user=''
ruser='' port='tty2' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113152: Feb 4 10:13:27.670 CST: AAA/AUTHEN/START (776784700): port='tty2' list=''
action=LOGIN service=LOGIN
113153: Feb 4 10:13:27.670 CST: AAA/AUTHEN/START (776784700): using "default" list
113154: Feb 4 10:13:27.670 CST: AAA/AUTHEN/START (776784700): Method=LOCAL
113155: Feb 4 10:13:27.670 CST: AAA/AUTHEN (776784700): status = GETUSER
113156: Feb 4 10:13:27.710 CST: AAA/AUTHEN/ABORT: (776784700) because Autoselected.
113157: Feb 4 10:13:27.710 CST: AAA/MEMORY: free_user (0x61DFE188) user='' ruser=''
port='tty2' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113158: Feb 4 10:13:29.842 CST: As2 PPP: Treating connection as a callin
113159: Feb 4 10:13:34.834 CST: As2 PAP: I AUTH-REQ id 1 len 18 from "diallocal"
113160: Feb 4 10:13:34.834 CST: As2 PAP: Authenticating peer diallocal
113161: Feb 4 10:13:34.838 CST: AAA: parse name=Async2 idb type=10 tty=2
113162: Feb 4 10:13:34.838 CST: AAA: name=Async2 flags=0x11 type=4 shelf=0 slot=0
adapter=0 port=2 channel=0
113163: Feb 4 10:13:34.838 CST: AAA: parse name=Serial0:3 idb type=12 tty=-1
113164: Feb 4 10:13:34.838 CST: AAA: name=Serial0:3 flags=0x51 type=1 shelf=0 slot=0
adapter=0 port=0 channel=3
113165: Feb 4 10:13:34.838 CST: AAA/MEMORY: create_user (0x61ABBCE4) user='dialuser'
ruser='' port='Async2' rem_addr='async/81560' authen_type=PAP service=PPP priv=1
113166: Feb 4 10:13:34.838 CST: AAA/AUTHEN/START (1001880850): port='Async2' list=''
action=LOGIN service=PPP
113167: Feb 4 10:13:34.838 CST: AAA/AUTHEN/START (1001880850): using "default" list
113168: Feb 4 10:13:34.838 CST: AAA/AUTHEN (1001880850): status = UNKNOWN
113169: Feb 4 10:13:34.838 CST: AAA/AUTHEN/START (1001880850): Method=LOCAL
113170: Feb 4 10:13:34.838 CST: AAA/AUTHEN (1001880850): status = PASS
113171: Feb 4 10:13:34.838 CST: As2 PAP: O AUTH-ACK id 1 len 5

2.2 Implementing Local Dialup Authorization


These processes help you to accomplish the following tasks:
1. Configure dial access for local authorization on the NAS.
2. Verify and troubleshoot local authorization from the NAS.
3. Verify that access list 110 is assigned.

Note For local accounts, attribute-value pairs (AVPs) are supported only with EXEC
shell-initiated PPP sessions. Configure dial access clients to “Bring Up a Terminal
Window After Dial”.


Step 1 Configure dial access for local authorization on the NAS.
Include the following Cisco IOS configuration commands in your configuration to construct dial access
local authorization:
aaa new-model
aaa authentication login default local
aaa authentication ppp default if-needed local
aaa authorization exec default local if-authenticated
aaa authorization network default local if-authenticated

username dialclient access-class 110 password ciscorocks
username dialclient autocommand ppp negotiate

access-list 110 deny tcp any any eq telnet
access-list 110 permit tcp any any

Note See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A,
“AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA
commands.

Step 2 Verify and troubleshoot local authorization from the NAS.


To verify that local dial access authorization is operating correctly, enter the debug aaa authorization
command.
The following EXEC sequence shows that the appropriate debugging is enabled:
5800-NAS#show debug
General OS:
AAA Authorization debugging is on

The following example of a shell-initiated session shows the AAA debug output that confirms correct
configuration for local authorization. Some points to note about this debug output:
• Method used is LOCAL.
• Autocommand used is PPP negotiate.
• Access list used is 110.
• Authorization is successful.
The following tests illustrate operations described in “2.4 Implementing Local Router Authorization”
and include relevant router output:
1. User diallocal is authorized EXEC Shell Service (Terminal Window After Dial enabled).
2. EXEC Authorization in action; access-list 110 and autocommand=ppp negotiate AVPs processed.
3. User diallocal is authorized PPP Network Service.
4. User diallocal is authorized LCP.
5. User diallocal is authorized IPCP.
The following diagnostic results are presented in the order in which they are generated during the
authorization process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.


Note The debug command output can vary depending on Cisco IOS versions.

1. User diallocal is authorized EXEC Shell Service (Terminal Window After Dial enabled).
NAS debug output:
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): Port='tty10' list='' service=EXEC
07:10:52: AAA/AUTHOR/EXEC: As10 (693880654) user='diallocal'
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): send AV service=shell
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): send AV cmd*
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): found list "default"
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): Method=LOCAL
07:10:52: As10 AAA/AUTHOR (693880654): Post authorization status = PASS_ADD

2. EXEC Authorization in action; access-list 110 and autocommand=ppp negotiate AVPs processed.
NAS debug output:
07:10:52: AAA/AUTHOR/EXEC: Processing AV service=shell
07:10:52: AAA/AUTHOR/EXEC: Processing AV cmd*
07:10:52: AAA/AUTHOR/EXEC: Processing AV autocmd=ppp
07:10:52: AAA/AUTHOR/EXEC: Processing AV acl=110
07:10:52: AAA/AUTHOR/EXEC: Authorization successful

3. User diallocal is authorized PPP Network Service.
NAS debug output:
07:10:52: As10 AAA/AUTHOR/PPP (2856468577): Port='tty10' list='' service=NET
07:10:52: AAA/AUTHOR/PPP: As10 (2856468577) user='diallocal'
07:10:52: As10 AAA/AUTHOR/PPP (2856468577): send AV service=ppp
07:10:52: As10 AAA/AUTHOR/PPP (2856468577): send AV protocol=ip
07:10:52: As10 AAA/AUTHOR/PPP (2856468577): send AV addr-pool*default
07:10:52: As10 AAA/AUTHOR/PPP (2856468577): found list "default"
07:10:52: As10 AAA/AUTHOR/PPP (2856468577): Method=LOCAL
07:10:52: As10 AAA/AUTHOR (2856468577): Post authorization status = PASS_REPL

4. User diallocal is authorized LCP.
NAS debug output:
07:10:52: AAA/AUTHOR/Async10: PPP: Processing AV service=ppp
07:10:52: AAA/AUTHOR/Async10: PPP: Processing AV protocol=ip
07:10:52: AAA/AUTHOR/Async10: PPP: Processing AV addr-pool*default
07:10:54: AAA/MEMORY: free_user (0x61851148) user='diallocal' ruser='' port='tty
10' rem_addr='65004/65301' authen_type=ASCII service=LOGIN priv=1
07:10:56: AAA/MEMORY: free_user (0x61532710) user='diallocal' ruser='' port='tty
10' rem_addr='65004/65301' authen_type=ASCII service=PPP priv=1
07:10:56: As10 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
07:10:58: As10 AAA/AUTHOR/LCP: Authorize LCP
07:10:58: As10 AAA/AUTHOR/LCP (3185006257): Port='tty10' list='' service=NET
07:10:58: AAA/AUTHOR/LCP: As10 (3185006257) user='diallocal'
07:10:58: As10 AAA/AUTHOR/LCP (3185006257): send AV service=ppp
07:10:58: As10 AAA/AUTHOR/LCP (3185006257): send AV protocol=lcp
07:10:58: As10 AAA/AUTHOR/LCP (3185006257): found list "default"
07:10:58: As10 AAA/AUTHOR/LCP (3185006257): Method=LOCAL
07:10:58: As10 AAA/AUTHOR (3185006257): Post authorization status = PASS_REPL


5. User diallocal is authorized IPCP.
NAS debug output:
07:10:58: As10 AAA/AUTHOR/LCP: Processing AV service=ppp
07:10:58: As10 AAA/AUTHOR/LCP: Processing AV protocol=lcp
07:10:58: As10 AAA/AUTHOR/FSM: (0): Can we start IPCP?
07:10:58: As10 AAA/AUTHOR/FSM (321297806): Port='tty10' list='' service=NET
07:10:58: AAA/AUTHOR/FSM: As10 (321297806) user='diallocal'
07:10:58: As10 AAA/AUTHOR/FSM (321297806): send AV service=ppp
07:10:58: As10 AAA/AUTHOR/FSM (321297806): send AV protocol=ip
07:10:58: As10 AAA/AUTHOR/FSM (321297806): found list "default"
07:10:58: As10 AAA/AUTHOR/FSM (321297806): Method=LOCAL
07:10:58: As10 AAA/AUTHOR (321297806): Post authorization status = PASS_REPL
07:10:58: As10 AAA/AUTHOR/FSM: We can start IPCP
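The debug output shown in "2.1 Implementing Local Dialup Authentication" and in this section, reduced to a per-session check, as an added example that is not part of this case study or Cisco tooling: the parser groups debug aaa authentication and debug aaa authorization lines by the session id in parentheses, records the method, final status and AVPs, and flags any session that did not use the local method, did not pass, or lacks an expected AVP such as acl=110. The sample lines are constructed in the chapter's format.

```python
import re
from collections import OrderedDict

SESSION_RE = re.compile(r"AAA/(AUTHEN|AUTHOR)\S*\s+\((\d+)\)")
METHOD_RE = re.compile(r"Method=([A-Z_-]+)")
STATUS_RE = re.compile(r"status = ([A-Z_]+)")
AV_RE = re.compile(r"(?:send|Processing) AV (\S+)")
PASSING = {"PASS", "PASS_ADD", "PASS_REPL"}
LOCAL_METHODS = {"LOCAL", "IF-NEEDED"}   # IF-NEEDED: user already authenticated at login


def split_av(av):
    """'acl=110' -> ('acl', '110'); 'addr-pool*default' -> ('addr-pool', 'default').

    TACACS+ AVPs use '=' for mandatory and '*' for optional attributes;
    a bare 'cmd*' has an empty value.
    """
    m = re.match(r"([^=*]+)[=*](.*)", av)
    return (m.group(1), m.group(2)) if m else (av, "")


def parse_debug(lines):
    """Reduce debug output to one record per AAA session id, in order of appearance."""
    sessions = OrderedDict()
    current = None
    for line in lines:
        m = SESSION_RE.search(line)
        if m:
            current = m.group(2)
            sessions.setdefault(current, {"kind": m.group(1), "method": None,
                                          "status": None, "avs": {}})
        rec = sessions.get(current)
        if rec is None:
            continue
        # 'Processing AV' lines carry no session id; IOS prints them directly after
        # the session they belong to, so they are attached to the last id seen.
        mm = METHOD_RE.search(line)
        if mm:
            rec["method"] = mm.group(1)
        ms = STATUS_RE.search(line)
        if ms:
            rec["status"] = ms.group(1)   # last one wins: GETUSER -> GETPASS -> PASS
        for av in AV_RE.findall(line):
            key, value = split_av(av)
            rec["avs"][key] = value
    return sessions


def check_local_aaa(sessions, required_avs=None):
    """List sessions that used a non-local method, did not pass, or lack a required AVP."""
    required_avs = required_avs or {}
    problems = []
    for sid, rec in sessions.items():
        if rec["method"] not in LOCAL_METHODS:
            problems.append("%s: method %s is not local" % (sid, rec["method"]))
        if rec["status"] not in PASSING:
            problems.append("%s: final status %s" % (sid, rec["status"]))
        if rec["kind"] == "AUTHOR":
            for key, value in required_avs.items():
                seen = rec["avs"].get(key)
                if seen != value:
                    problems.append("%s: expected %s=%s, saw %s" % (sid, key, value, seen))
    return problems


# Constructed sample in the chapter's format: one login, then one EXEC authorization.
SAMPLE = """\
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): Port='tty10' list='' service=EXEC
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): send AV service=shell
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): send AV cmd*
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): Method=LOCAL
07:10:52: As10 AAA/AUTHOR (693880654): Post authorization status = PASS_ADD
07:10:52: AAA/AUTHOR/EXEC: Processing AV autocmd=ppp
07:10:52: AAA/AUTHOR/EXEC: Processing AV acl=110
""".splitlines()

if __name__ == "__main__":
    found = parse_debug(SAMPLE)
    for sid, rec in found.items():
        print(sid, rec)
    print(check_local_aaa(found, {"acl": "110", "autocmd": "ppp"}))
```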

Step 3 Verify that access list 110 is assigned.


To verify that access list 110 is being used to control access, enter the show line command as follows:
maui-nas-03#show line 10
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
A 10 TTY - inout - 110 - 1 0 0/0 -

Note Access lists can be defined as either input or output access lists. As configured and applied
in this environment, access list 110 is an output access list assigned with the acl=110 AVP.
In the show line listing, AccO refers to output access list 110. In this case, AccI is not set
(indicated by a dash).

2.3 Implementing Local Router Authentication


These processes help you to establish local-based router authentication as illustrated in Figure 2-2:
1. Configure basic router access.
2. Verify local authentication operation.

Figure 2-2 Local-Based Router Environment (figure not reproduced; it shows local-based VTY access (Telnet) to the router over IP)


Step 1 Configure basic router access.


Include the following Cisco IOS configuration commands in your configuration to enforce local authentication on
all interfaces except the console port:
username rtr_super privilege 15 password ciscorules
!
aaa new-model
aaa authentication login default local
aaa authentication login NO_AUTHENT none
!
line con 0
login authentication NO_AUTHENT

Note The NO_AUTHENT list disables authentication on the console port. See “A.2
Router AAA Command Implementation Descriptions” in Appendix A, “AAA
Device Configuration Listings” for notes regarding Cisco IOS AAA commands.

Step 2 Verify local authentication operation.


a. To verify user access, initiate a login process as follows:
maui-rtr-03#login

User Access Verification

Username: rtr_super
Password: <password>

maui-rtr-03#


b. To determine that local dial access authentication is operating correctly, enter the debug aaa
authentication command as follows:
maui-rtr-03#debug aaa authentication
AAA Authentication debugging is on
maui-rtr-03#show debug
General OS:
AAA Authentication debugging is on

maui-rtr-03#terminal monitor

Feb 17 15:34:47.147: AAA: parse name=tty3 idb type=-1 tty=-1
Feb 17 15:34:47.147: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
Feb 17 15:34:47.147: AAA/MEMORY: create_user (0x61F88D2C) user='' ruser=''
port='tty3' rem_addr='172.22.61.17' authen_type=ASCII service=LOGIN priv=1
Feb 17 15:34:47.147: AAA/AUTHEN/START (3701879404): port='tty3' list='' action=LOGIN
service=LOGIN
Feb 17 15:34:47.147: AAA/AUTHEN/START (3701879404): using "default" list
Feb 17 15:34:47.147: AAA/AUTHEN/START (3701879404): Method=LOCAL
Feb 17 15:34:47.147: AAA/AUTHEN (3701879404): status = GETUSER
Feb 17 15:34:49.679: AAA/AUTHEN/CONT (3701879404): continue_login (user='(undef)')
Feb 17 15:34:49.679: AAA/AUTHEN (3701879404): status = GETUSER
Feb 17 15:34:49.679: AAA/AUTHEN/CONT (3701879404): Method=LOCAL
Feb 17 15:34:49.679: AAA/AUTHEN (3701879404): status = GETPASS
Feb 17 15:34:51.467: AAA/AUTHEN/CONT (3701879404): continue_login (user='rtr_super')
Feb 17 15:34:51.467: AAA/AUTHEN (3701879404): status = GETPASS
Feb 17 15:34:51.467: AAA/AUTHEN/CONT (3701879404): Method=LOCAL
Feb 17 15:34:51.467: AAA/AUTHEN (3701879404): status = PASS

2.4 Implementing Local Router Authorization


Local router authorization is implemented through router command authorization configuration. The
following example:
• Shows how to create two privilege levels (1 and 15) with local access and how to control the access
to global configuration mode.
• Provides a method to gain access by using the enable password if the local login fails.
Follow a methodical approach when dealing with TACACS+ in routers to prevent the need to perform
password recovery.

Note Some versions of boot ROMs do not recognize all AAA commands. Be sure to
disable AAA authentication and authorization before changing to boot ROM
mode. For configuration notes regarding disabling AAA to access boot ROM
mode, see Appendix B, “AAA Impact on Maintenance Tasks.”

These processes are intended to help you to accomplish the following tasks:
1. Configure local router authorization at privilege level 15.
2. Verify local router authorization is set to privilege level 15.


Step 1 Configure local router authorization at privilege level 15.


Include the following Cisco IOS configuration commands in your configuration to enforce local
authorization at privilege level 15 on all interfaces except the console port:
!
username rtr_super privilege 15 password ciscorules
!
aaa new-model
aaa authentication login default local enable
aaa authentication login NO_AUTHENT none
aaa authorization exec default local if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 NO_AUTHOR none
aaa authorization commands 15 local if-authenticated
!
line con 0
authorization commands 15 NO_AUTHOR
authorization exec NO_AUTHOR
login authentication NO_AUTHENT

Note You must first log out, and then log back into the router following the inclusion of
the aaa authorization commands 15 local if-authenticated command
(illustrated in the preceding configuration fragment). Doing this ensures that you
log in as the user rtr_super (in this case study example). The NO_AUTHENT list
disables authentication on the console port. The NO_AUTHOR list disables
EXEC and command authorization on the console port. See “A.2 Router AAA
Command Implementation Descriptions” in Appendix A, “AAA Device
Configuration Listings” for notes regarding key Cisco IOS AAA commands.

Step 2 Verify local router authorization is set to privilege level 15.


Enter the following commands to verify correct authorization:
maui-rtr-03#debug aaa authorization
AAA Authorization debugging is on
maui-rtr-03#show debug
General OS:
AAA Authorization debugging is on

maui-rtr-03#login

User Access Verification

Username: rtr_super
Password:

The following tests illustrate operations described in “2.4 Implementing Local Router Authorization”
and include relevant router output.
1. User rtr_super is authorized EXEC shell access.
2. User rtr_super is assigned the priv-lvl=15 AVP.
3. User rtr_super successfully performs privilege level 15 command.


The following diagnostic results are presented in the order in which they are generated during the
authorization process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.

Note The debug command output can vary depending on Cisco IOS versions.

1. User rtr_super is authorized EXEC shell access.


Router debug output:
Mar 13 14:08:54.871 CST: AAA/MEMORY: create_user (0x6188BD2C) user='' ruser=''
port='tty2' rem_addr='172.22.53.201' authen_type=ASCII service=LOGIN priv=15
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): Port='tty2' list=''
service=EXEC
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: tty2 (294199586) user='rtr_super'
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): send AV service=shell
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): send AV cmd*
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): found list "default"
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): Method=LOCAL
Mar 13 14:09:00.511 CST: AAA/AUTHOR (294199586): Post authorization status = PASS_ADD

2. User rtr_super is assigned the priv-lvl=15 AVP.


Router debug output:
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Processing AV service=shell
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Processing AV cmd*
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Authorization successful
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): Port='tty2' list=''
service=CMD

3. User rtr_super successfully performs privilege level 15 command.


Router debug output:
Mar 13 14:09:01.648 CST: AAA/AUTHOR/CMD: tty2 (2192867088) user='rtr_super'
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV service=shell
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV cmd=configure
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV cmd-arg=terminal
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV cmd-arg=<cr>
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): found list "default"
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): Method=LOCAL
Mar 13 14:09:01.648 CST: AAA/AUTHOR (2192867088): Post authorization status = PASS_ADD
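The verification steps in 2.3 and 2.4 read the debug output by eye. The following script is an added example, not part of the Cisco document: it groups debug aaa authentication and debug aaa authorization lines by transaction id and reports the user, method list, method, requested service or command, returned priv-lvl and final status. The sample input is constructed from the listings above; attaching the id-less "Processing AV" reply lines to the transaction printed just before them is an assumption about IOS output ordering.

```python
"""Parse Cisco IOS 'debug aaa authentication' / 'debug aaa authorization' output
into per-transaction records and report what each transaction granted. Added
example for this case study, not Cisco code; the sample is constructed from the
section 2.3 and 2.4 listings."""
import re

TXN_RE = re.compile(r"\((\d{6,})\)")            # decimal AAA transaction id
SEND_AV_RE = re.compile(r"send AV (\S+)")        # AV pair sent to the method
PROC_AV_RE = re.compile(r"Processing AV (\S+)")  # AV pair in the method's reply
STATUS_RE = re.compile(r"status = (\S+)")
USER_RE = re.compile(r"user='([^']+)'")
FIELD_RES = {"method": re.compile(r"Method=(\S+)"), "service": re.compile(r"service=(\S+)"),
             "list": re.compile(r'(?:using|found list) "([^"]+)"')}
PASS_STATUSES = {"PASS", "PASS_ADD", "PASS_REPL"}

SAMPLE = """\
Mar 13 14:08:54.871 CST: AAA/AUTHEN/START (3701879404): port='tty2' list='' action=LOGIN service=LOGIN
Mar 13 14:08:54.871 CST: AAA/AUTHEN/START (3701879404): using "default" list
Mar 13 14:08:54.871 CST: AAA/AUTHEN/START (3701879404): Method=LOCAL
Mar 13 14:08:58.203 CST: AAA/AUTHEN/CONT (3701879404): continue_login (user='rtr_super')
Mar 13 14:08:58.203 CST: AAA/AUTHEN (3701879404): status = PASS
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): Port='tty2' list='' service=EXEC
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: tty2 (294199586) user='rtr_super'
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): found list "default"
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): Method=LOCAL
Mar 13 14:09:00.511 CST: AAA/AUTHOR (294199586): Post authorization status = PASS_ADD
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): Port='tty2' list='' service=CMD
Mar 13 14:09:01.648 CST: AAA/AUTHOR/CMD: tty2 (2192867088) user='rtr_super'
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV cmd=configure
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV cmd-arg=terminal
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV cmd-arg=<cr>
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): found list "default"
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): Method=LOCAL
Mar 13 14:09:01.648 CST: AAA/AUTHOR (2192867088): Post authorization status = PASS_ADD
"""


def parse_transactions(text):
    """Group lines by transaction id. 'Processing AV' reply lines carry no id; IOS
    prints them right after the owning transaction's status line (assumption)."""
    txns, last = {}, None
    for line in text.splitlines():
        m = TXN_RE.search(line)
        if not m:
            mm = PROC_AV_RE.search(line)
            if mm and last is not None:
                txns[last]["reply"].append(mm.group(1))
            continue
        last = m.group(1)
        t = txns.setdefault(last, {"kind": None, "user": None, "method": None, "list": None,
                                   "service": None, "sent": [], "reply": [], "statuses": []})
        t["kind"] = "AUTHEN" if "AAA/AUTHEN" in line else "AUTHOR"
        for key, rx in FIELD_RES.items():
            mm = rx.search(line)
            if mm and t[key] is None:      # first sighting wins: the Port line precedes send AVs
                t[key] = mm.group(1)
        mm = USER_RE.search(line)
        if mm and mm.group(1) != "(undef)":
            t["user"] = mm.group(1)
        mm = SEND_AV_RE.search(line)
        if mm:
            t["sent"].append(mm.group(1))
        mm = STATUS_RE.search(line)
        if mm:
            t["statuses"].append(mm.group(1))
    return txns


def av_value(avs, name):
    """Value of the first 'name=value' AV in avs, else None ('cmd*' has no value)."""
    for av in avs:
        key, sep, val = av.partition("=")
        if sep and key == name:
            return val
    return None


def summarize(txns):
    """One row per transaction: who asked for what, through which method, with what result."""
    rows = []
    for tid, t in txns.items():
        if t["kind"] == "AUTHOR" and t["service"] == "CMD":
            args = [av_value([av], "cmd-arg") for av in t["sent"]]
            words = [av_value(t["sent"], "cmd")] + [a for a in args if a and a != "<cr>"]
            request = "command " + " ".join(w for w in words if w)
        elif t["kind"] == "AUTHOR":
            priv = av_value(t["reply"], "priv-lvl")
            request = f"service={t['service']}" + (f" priv-lvl={priv}" if priv else "")
        else:
            request = f"login service={t['service']}"
        final = t["statuses"][-1] if t["statuses"] else None
        rows.append({"id": tid, "user": t["user"], "method": t["method"], "list": t["list"],
                     "request": request, "final": final, "passed": final in PASS_STATUSES})
    return rows


if __name__ == "__main__":
    print(*summarize(parse_transactions(SAMPLE)), sep="\n")
```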

2.5 Implementing Local Router Accounting


These processes help you to accomplish the following tasks:
1. Configure basic local accounting for router access.
2. Verify and troubleshoot local accounting from VTY (Telnet) based access to the router.


Step 1 Configure basic local accounting for router access.


Include the following Cisco IOS configuration commands in your configuration to construct local based
router accounting for EXEC and command authorization for privilege level 15 commands:
username rtr_super privilege 15 password ciscorules

aaa new-model
aaa authentication login default local enable
aaa authentication login NO_AUTHENT none
aaa authorization exec default local if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default local if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default start-stop group tacacs+
aaa accounting exec NO_ACCOUNT none
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting commands 15 NO_ACCOUNT none

line con 0
authorization commands 15 NO_AUTHOR
authorization exec NO_AUTHOR
accounting commands 1 NO_ACCOUNT
accounting commands 15 NO_ACCOUNT
accounting exec NO_ACCOUNT
login authentication NO_AUTHENT

Note In the preceding configuration fragment, the start-stop option is entered for
EXEC shell sessions and the stop-only option is entered for privilege-level 15
commands. The router sends a start packet in the beginning of a shell service and
a stop packet when the session terminates. A stop packet is only sent upon
completion of a privilege level 15 command in the router. Additionally, note the
use of the NO_ACCOUNT list to disable AAA accounting on the console port.

Step 2 Verify and troubleshoot local accounting from VTY (Telnet) based access to the router.
Enter the debug aaa accounting command to verify local router accounting is operating as expected.
The following EXEC sequence illustrates that the appropriate commands are enabled:

maui-rtr-03#show debug
General OS:
AAA Accounting debugging is on

The following tests illustrate operations described in “2.5 Implementing Local Router Accounting” and
include relevant router output.
1. User rtr_super is authorized EXEC shell access.
2. User rtr_super successfully performs configure terminal, a privilege level 15 command.
The following diagnostic results are presented in the order in which they are generated during a typical
authorization and command request process. Specific output fragments are separated out with brief
explanatory notes to help you identify relevant information.


Note The debug command output can vary depending on Cisco IOS versions.

1. User rtr_super is authorized EXEC shell access.


Router debug output:
Apr 11 16:48:32.483: AAA/ACCT/EXEC/START User rtr_super, port tty3
Apr 11 16:48:32.483: AAA/ACCT/EXEC: Found list "default"
Apr 11 16:48:32.483: AAA/ACCT/EXEC/START User rtr_super, Port tty3, task_id=362
start_time=955471712 timezone=CST service=shell
Apr 11 16:48:32.483: AAA/ACCT: user rtr_super, acct type 0 (1526108857):
Method=tacacs+ (tacacs+)
Apr 11 16:48:33.487: TAC+: (1526108857): received acct response status = SUCCESS

2. User rtr_super successfully performs configure terminal, a privilege level 15 command.


Router debug output:
Apr 11 16:51:52.741: AAA/ACCT/CMD: User rtr_super, Port tty3, Priv 15: "configure
terminal <cr>"
Apr 11 16:51:52.741: AAA/ACCT/CMD: Found list "default"
Apr 11 16:51:52.741: AAA/ACCT: user rtr_super, acct type 3 (2701117300):
Method=tacacs+ (tacacs+)
Apr 11 16:51:53.545: TAC+: (2701117300): received acct response status = SUCCESS
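Each record above is followed by a TAC+ line confirming that the server accepted it; a record without that confirmation is a gap in the audit trail. The following script is an added example, not Cisco code: it correlates each AAA/ACCT record with the server's response by transaction id and reports the acknowledgement delay. The sample is constructed from the section 2.5 listings plus one extra command record (constructed id 2701117301) that never gets a response.

```python
"""Correlate Cisco IOS 'debug aaa accounting' records with the TACACS+ server's
accounting responses, so that records the server never acknowledged stand out.
Added example for this case study, not Cisco code; line formats follow the
section 2.5 listings. The sample is constructed from them plus one extra command
record (constructed id 2701117301) that receives no response."""
import re
from datetime import datetime

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+)")
# AAA/ACCT: user rtr_super, acct type 3 (2701117300): Method=tacacs+ (tacacs+)
REC_RE = re.compile(r"AAA/ACCT: user (\S+), acct type (\d+) \((\d+)\): Method=(\S+)")
# AAA/ACCT/CMD: User rtr_super, Port tty3, Priv 15: "configure terminal <cr>"
CMD_RE = re.compile(r'AAA/ACCT/CMD: User (\S+), Port (\S+), Priv (\d+): "([^"]*)"')
# AAA/ACCT/EXEC/START User rtr_super, Port tty3, task_id=362 start_time=... service=shell
EXEC_RE = re.compile(r"AAA/ACCT/EXEC/(START|STOP) User (\S+), Port (\S+), task_id=(\d+)")
# TAC+: (2701117300): received acct response status = SUCCESS
RESP_RE = re.compile(r"TAC\+: \((\d+)\): received acct response status = (\S+)")

SAMPLE = """\
Apr 11 16:48:32.483: AAA/ACCT/EXEC/START User rtr_super, port tty3
Apr 11 16:48:32.483: AAA/ACCT/EXEC: Found list "default"
Apr 11 16:48:32.483: AAA/ACCT/EXEC/START User rtr_super, Port tty3, task_id=362 start_time=955471712 timezone=CST service=shell
Apr 11 16:48:32.483: AAA/ACCT: user rtr_super, acct type 0 (1526108857): Method=tacacs+ (tacacs+)
Apr 11 16:48:33.487: TAC+: (1526108857): received acct response status = SUCCESS
Apr 11 16:51:52.741: AAA/ACCT/CMD: User rtr_super, Port tty3, Priv 15: "configure terminal <cr>"
Apr 11 16:51:52.741: AAA/ACCT/CMD: Found list "default"
Apr 11 16:51:52.741: AAA/ACCT: user rtr_super, acct type 3 (2701117300): Method=tacacs+ (tacacs+)
Apr 11 16:51:53.545: TAC+: (2701117300): received acct response status = SUCCESS
Apr 11 16:52:10.102: AAA/ACCT/CMD: User rtr_super, Port tty3, Priv 15: "show running-config <cr>"
Apr 11 16:52:10.102: AAA/ACCT/CMD: Found list "default"
Apr 11 16:52:10.102: AAA/ACCT: user rtr_super, acct type 3 (2701117301): Method=tacacs+ (tacacs+)
"""


def _ts(line):
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f") if m else None


def correlate(text):
    """Return one dict per accounting record (in send order) with the event it
    describes, the server's response status, and the acknowledgement delay."""
    records, by_id, context = [], {}, {}
    for line in text.splitlines():
        m = CMD_RE.search(line)
        if m:   # command accounting: remember who ran what at which privilege level
            context = {"user": m.group(1), "port": m.group(2), "priv": int(m.group(3)),
                       "event": "cmd " + m.group(4)}
            continue
        m = EXEC_RE.search(line)
        if m:   # EXEC shell accounting: start/stop with the session task id
            context = {"user": m.group(2), "port": m.group(3), "priv": None,
                       "event": f"exec {m.group(1).lower()} task_id={m.group(4)}"}
            continue
        m = REC_RE.search(line)
        if m:   # the record itself ties the remembered context to a transaction id
            rec = {"port": None, "priv": None, "event": "unknown", **context,
                   "id": m.group(3), "user": context.get("user", m.group(1)),
                   "acct_type": int(m.group(2)), "method": m.group(4),
                   "sent_at": _ts(line), "response": None, "latency_ms": None}
            records.append(rec)
            by_id[rec["id"]] = rec
            context = {}
            continue
        m = RESP_RE.search(line)
        if m and m.group(1) in by_id:   # server acknowledgement for a known id
            rec = by_id[m.group(1)]
            rec["response"] = m.group(2)
            if rec["sent_at"] and _ts(line):
                rec["latency_ms"] = round((_ts(line) - rec["sent_at"]).total_seconds() * 1000)
    return records


def unacknowledged(records):
    """Records with no SUCCESS from the server: a gap in the audit trail."""
    return [r for r in records if r["response"] != "SUCCESS"]


if __name__ == "__main__":
    recs = correlate(SAMPLE)
    for r in recs:
        print(r["id"], r["user"], r["event"], r["response"], r["latency_ms"])
    print("unacknowledged:", [r["id"] for r in unacknowledged(recs)])
```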

Chapter 3 Implementing Cisco AAA Servers

This chapter describes the basic process of installing CiscoSecure for UNIX (CSU). See Chapter 1,
“Cisco AAA Case Study Overview,” for this case study’s network requirements and environment details.
Figure 3-1 illustrates the general networking environment in which this CSU is implemented.
These sections focus on the following topics:
• 3.1 Installing CiscoSecure for UNIX with Oracle
• 3.1.4 Creating and Verifying Basic User Profile

Figure 3-1 AAA-Based, Secure Network Access Scenario (figure not reproduced; labelled elements: network element management server (NTP, Syslog, SNMP), Oracle dB server, AAA server, DNS server, clients, modems, analog lines, PRI lines, PSTN, Cisco AS5x00 server with integrated modems, IP intranet, default gateway, Internet firewall, Internet)


3.1 Installing CiscoSecure for UNIX with Oracle


These processes help you install CiscoSecure for UNIX:
• 3.1.1 Creating Oracle Tablespace
• 3.1.2 Verifying the Oracle Database Instance
• 3.1.3 Installing CiscoSecure for UNIX
• 3.1.4 Creating and Verifying Basic User Profile

3.1.1 Creating Oracle Tablespace


You must create an Oracle tablespace with a minimum size of 200 MB. The notes listed in this section
are for reference.

Note Ensure that an experienced Oracle database administrator (DBA) tunes and configures the
database.

For detailed Oracle installation notes, go to the following location:


http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csbsdoc.htm

Example of creating an Oracle tablespace:
<CSUserver>$su - oracle
Sun Microsystems Inc. SunOS 5.5.1 Generic May 1996
<CSUserver>$$ORACLE_HOME/bin/svrmgrl

Oracle Server Manager Release 2.3.4.0.0 - Production

Copyright (c) Oracle Corporation 1994, 1995. All rights reserved.

Oracle7 Server Release 7.3.4.0.1 - Production
With the distributed option
PL/SQL Release 2.3.4.0.0 - Production

SVRMGR>connect internal
Connected.
SVRMGR>create tablespace cstb datafile '/export/home/ORADATA/cs.dbf' size 200m;
Statement processed.
SVRMGR>create user csecure identified by csecure default tablespace cstb;
Statement processed.
SVRMGR>grant dba to csecure identified by csecure;
Statement processed.
SVRMGR>exit
Server Manager complete.


3.1.2 Verifying the Oracle Database Instance


Before you install CiscoSecure for UNIX, make sure the Oracle server is running and you have the
following five pieces of information:
• The Oracle user account for CiscoSecure (csecure)
• The password for the Oracle account (csecure)
• TNS service name for the Oracle server (ciscosj)
• The location of $ORACLE_HOME (/opt/oracle/product/7.3.4)
• The number of Connections to use for ORACLE RDBMS (50)

Step 1 To verify the environment variable ($ORACLE_HOME) that points to the directory where Oracle is
installed, enter the following command:
<CSUserver>$env | grep ORACLE_HOME
ORACLE_HOME=/opt/oracle/product/7.3.4

Note This environment variable should have been configured during Oracle installation
by the DBA.

Step 2 On the Oracle server, verify that SMON (a mandatory Oracle background process) is running by
entering the following command:
<CSUserver>$ps -ef |grep smon
oracle 819 1 0 Feb 26 ? 0:00 ora_smon_ciscosj

The command returns the ora_smon_<SID> process if the server is running; note the database instance
(SID) ciscosj. If the server is down, log in with the Oracle UNIX account (in this case, username
csecure and password csecure) and start the database by using Server Manager (svrmgrl) and the Oracle
listener (lsnrctl) as follows:
<CSUserver>$$ORACLE_HOME/bin/svrmgrl
SVRMGR>connect internal
SVRMGR>startup
ORACLE instance started.
Total System Global Area 4576056 bytes
Fixed Size 39816 bytes
Variable Size 4118448 bytes
Database Buffers 409600 bytes
Redo Buffers 8192 bytes
Database mounted.
Database opened.


<CSUserver>$$ORACLE_HOME/bin/lsnrctl start
LSNRCTL for Solaris:Version 2.3.4.0.0 - Production on 12-APR-00 09:40:46

Copyright (c) Oracle Corporation 1994. All rights reserved.

Starting /opt/oracle/product/7.3.4/bin/tnslsnr:please wait...

TNSLSNR for Solaris:Version 2.3.4.0.0 - Production
System parameter file is /opt/oracle/product/7.3.4/network/admin/listener.ora
Log messages written to /opt/oracle/product/7.3.4/network/log/listener.log
Listening on:(ADDRESS=(PROTOCOL=ipc)(DEV=10)(KEY=ciscoaus))
Listening on:(ADDRESS=(PROTOCOL=ipc)(DEV=13)(KEY=PNPKEY))
Listening on:(ADDRESS=(PROTOCOL=tcp)(DEV=15)(HOST=172.22.53.204)(PORT=1521))

Connecting to (ADDRESS=(PROTOCOL=IPC)(KEY=ciscosj))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Solaris:Version 2.3.4.0.0 - Production
Start Date 12-APR-00 09:40:50
Uptime 0 days 0 hr. 0 min. 0 sec
Trace Level off
Security OFF
SNMP OFF
Listener Parameter File /opt/oracle/product/7.3.4/network/admin/listener.ora
Listener Log File /opt/oracle/product/7.3.4/network/log/listener.log
Services Summary...
ciscoaus has 1 service handler(s)
The command completed successfully

Step 3 To verify that the DBA created the Oracle database account for CiscoSecure, connect with SQL*Plus
as that account and list its system privileges:
<CSUserver>$sqlplus csecure/csecure@ciscosj

SQL>select * from user_sys_privs;

USERNAME PRIVILEGE ADM
------------------------------ ---------------------------------------- ---
CSECURE UNLIMITED TABLESPACE NO

Note Ensure that the assigned resource role/privilege for the username and password is
as shown.

The command returns a table with a column listing the privileges granted to the Oracle database
account. The default tablespace assigned to the Oracle database account must be at least 200MB. The
size is verified by the installation script.
Step 4 To confirm tnsnames service is operating correctly, invoke the tnsping utility as follows:
<CSUserver>$$ORACLE_HOME/bin/tnsping ciscosj

TNS Ping Utility for Solaris: Version 2.3.4.0.0 - Production on 29-FEB-00 09:25:28

Copyright (c) Oracle Corporation 1995. All rights reserved.

Attempting to contact (ADDRESS=(PROTOCOL=TCP)(Host=CSUserver)(Port=1521))
OK (80 msec)


Step 5 Ensure the number of Oracle RDBMS connections assigned to CiscoSecure is less than the
PROCESSES variable defined in the initciscosj.ora file. This parameter specifies the maximum number
of user processes that can simultaneously connect to an Oracle Server. If the value for PROCESSES is
set to 20, then only 13 or 14 concurrent connections can be assigned to CiscoSecure. For this case study,
at least four of the connections are reserved for mandatory background server processes. In addition,
the PROCESSES variable is set to 50 and the number of Oracle RDBMS connections is set to 50 during
the installation.

3.1.3 Installing CiscoSecure for UNIX


The general steps and output that follow apply to the installation dialog for CiscoSecure for UNIX
(CSU) on a Sun Solaris workstation. Installation consists of the following steps:
1. Start the CSU installation process by invoking the pkgadd program.
2. Configure CSU logging by editing /etc/syslog.conf to enable the AAA syslog function.
3. Create /var/log/csuslog file.
4. Configure the AAA server for maximum level debugging.
5. Restart the AAA server.
6. Restart the syslog daemon.


Step 1 Start the CSU installation process by invoking the pkgadd program.
The process that follows illustrates the general installation sequence. Extraneous output was omitted
where noted for brevity.

Note The following installation process requires approximately 20 minutes.

<CSUserver>$pkgadd -d CiscoSecure-2.3.3.solaris

The following packages are available:

1 CSCEacs CiscoSecure Access Control Software
(sun4) 2.3(3)

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:1

Processing package instance <CSCEacs> from </opt/install/ciscosecure/CiscoSecure-2.3.3.solaris>

CiscoSecure Access Control Software
(sun4) 2.3(3)

Copyright(c) 1996-1999 Cisco Systems, Inc.
CiscoSecure Access Control Server
Version 2.3(3)
All Rights Reserved.

Copyright (c) 1994-1999 Netscape Communications Corporation
Copyright (c) 1988-1999 Sybase, Inc.
Trade Mark WebLogic, Inc.

Notice:
By using this product, you agree to be bound by the terms of
the license supplied with this product. If you do not agree
to these terms, promptly return the unused product, manuals,
related equipment, and hardware (with proof of purchase) to
the place of purchase for a full refund.

To install this product, you must agree to accept the terms
of the enclosed license [accept=y,exit=n,exit=q]: y

checking patches...

************************************************************************
* Notice: *
* This installation program saves your Database files from a previous *
* CiscoSecure install. If you have not installed CiscoSecure before, *
* you should answer YES to the next question. If you have performed *
* a 'package remove' and are installing a new version of CiscoSecure *
* and want to retain your previous Database files, you should answer *
* NO to the next question. *
************************************************************************

Is this a new install (y/n/q) (default: yes, q to quit)?y

Enter the directory name in which to install CiscoSecure [?,q]/opt/ciscosecure


IP Address to use for CiscoSecure (default: 172.23.25.41) [?,q]

If the hostname of this server is not the same as its fully qualified domain
name (FQDN), enter the FQDN, e.g., www.cisco.com. Otherwise, press enter
to use the default (default: CSUserver) [?,q]

Enter the AAA Server License key (default: <none>) [?,q]

Enter the TACACS+ NAS name to use (default: <none>) [?,q]

Enter the TACACS+ NAS Secret key (default: SECRET12345) [?,q]ciscorules

Select any or all Token Cards to use
1 CryptoCard
2 Secure-Computing SafeWord
3 SDI SDI Token Card

Enter selection (default: none) [?,??,q]:

Choose Database
1 SQLAnywhere Sybase SQL Anywhere
2 ORACLE Oracle Enterprise
3 SYBASE Sybase Enterprise

Enter selection (default: SQLAnywhere) [?,??,q]:2

Enter the username for the ORACLE DB account [?,q]csecure

Enter the password for the ORACLE DB account [?,q]csecure

Enter the TNS service name for the Oracle Server [?,q]ciscosj

Enter the ORACLE_HOME directory [?,q]/opt/oracle/product/7.3.4

Enter an available TCP/IP Port to be reserved for the CiscoSecure DB Server
process (default: 9900) [0-65535,?,q]

Enter a unique name for the CiscoSecure DB Server Process (default:
CSdbServer) [?,q]

Enter the number of Connections to use for ORACLE RDBMS (default: 4) [?,q]50

Enter the directory Path to use for the AAA server profile caching
(default: /, q to quit)?

Modify any selections below?

New CiscoSecure Install YES
CiscoSecure Directory /opt/ciscosecure
CiscoSecure IP Address 172.23.25.41
CiscoSecure Web Server Name CSUserver
Profile Cache Directory /
AAA License Key <none>
TACACS+ NAS Name <none>
TACACS+ NAS Secret Key SECRET12345
Token Cards selected none
Data Base ORACLE
DB User Account Name csecure
DB User Account Passwd csecure
Oracle TNS Name ciscosj
Oracle Home /opt/oracle/product/7.3.4
CiscoSecure DB Server IP Address 172.23.25.41
CiscoSecure DB Server Port 9900
CiscoSecure DB Server Proc Name CSdbServer


DB Server Connections 50

Modify any values [y,n,q]: n

cs_install.log being written to /tmp directory

Using </opt/ciscosecure> as the package base directory.
## Processing package information.
## Processing system information.
6 package pathnames are already properly installed.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <CSCEacs> [y,n,?]y

Installing CiscoSecure Access Control Software as <CSCEacs>

## Executing preinstall script.
## Installing part 1 of 1.

Note Process output is omitted at this point because it is not relevant to the installation
task presented in this chapter.

[ verifying class <TSERVER> ]
## Executing postinstall script.

Creating the initial database tables and views........

Loading properties from /opt/ciscosecure/config/CSConfig.ini
Finished loading properties.
Data Source = ORACLE
Driver Type = JDBC-Weblogic-Oracle URL = jdbc:weblogic:oracle:ciscosj username =
csecure password = ********

Connected to jdbc:weblogic:oracle:ciscosj
Driver Weblogic, Inc. Java-OCI JDBC Driver (weblogicoci26)
Version 2.5.4

sql = select tablespace_name, floor(sum(bytes)/(1024*1024)) from sys.dba_free_space where tablespace_name = (select default_tablespace from sys.dba_users where username = USER) group by tablespace_name

Total free space in CSTB tablespace is 199 MB.
Creating /opt/ciscosecure/utils/sql.scripts/ora_init.sql%
Executing SQL statements..


Note Process output is omitted at this point because it is not relevant to the installation
task presented in this chapter.

Successfully done.

Initializing RADIUS data in the database........

Loading properties from /opt/ciscosecure/config/CSConfig.ini
Finished loading properties.
Data Source = ORACLE
Driver Type = JDBC-Weblogic-Oracle URL = jdbc:weblogic:oracle:ciscosj username =
csecure password = ********

Connected to jdbc:weblogic:oracle:ciscosj
Driver Weblogic, Inc. Java-OCI JDBC Driver (weblogicoci26)
Version 2.5.4

Radius data version: 23
Adding SERVER_LIST
Adding DICTIONARY_LIST
Adding SERVER.172.23.25.41
Adding DICTIONARY.IETF
Adding DICTIONARY.Cisco
Adding DICTIONARY.Ascend
Adding DICTIONARY.Cisco11.1
Adding DICTIONARY.Cisco11.2
Adding DICTIONARY.Cisco11.3
Adding DICTIONARY.Ascend5
No update to dictionary list
Update radius version: INSERT INTO cs_id (id, type) VALUES (?, ?)

Successfully done.

Installation is complete. However, further configuration may be necessary.
For more information on the steps necessary to finish configuration, read
the /opt/ciscosecure/DOCS/README.txt file.

Results of this install are saved in the /tmp/cs_install.log file and in
/opt/ciscosecure/logfiles/cs_install.log.

NOTE: For AAA Server tuning, refer to
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23rg/app_b.htm#xtocid192003

Installation of <CSCEacs> was successful.

Step 2 Configure CSU logging by editing /etc/syslog.conf to enable the AAA syslog function.
Add the following lines to /etc/syslog.conf:
#added by rbrown@cisco.com on 02/28/00
local0.debug /var/log/csuslog

Note Do not use whitespace to separate the above statements in /etc/syslog.conf. Use
only tabs.

Step 3 Create /var/log/csuslog file.


Enter the touch command to create the csuslog file, then set its permissions:
<CSUserver>$touch /var/log/csuslog;chmod 777 /var/log/csuslog

Step 4 Configure the AAA server for maximum level debugging.


Modify /opt/ciscosecure/config/CSU.cfg as follows:
NUMBER config_logging_configuration = 0x7ffffffff

Step 5 Restart the AAA server.


Enter the following commands to stop and then start the AAA server:
<CSUserver>$/etc/rc0.d/K80CiscoSecure

Stopping CiscoSecure Processes:
CiscoSecure AutoRestart Stopped
Fast Track Server Stopped
Fast Track Admin Program Stopped
Acme Server Stopped
AAA Server Stopped
DBServer Stopped

<CSUserver>$/etc/rc2.d/S80CiscoSecure

Starting CiscoSecure Processes:
Fast Track Admin Started
FastTrack Server (Delayed Start)
DBServer Started
AAA Server starts in 15 Seconds: 123456789012345
AAA Server Started
Acme Server Started
Cisco AutoRestart started

Step 6 Restart the syslog daemon.


Enter the following commands to find the process ID of the syslog daemon and send it a HUP signal so that it rereads /etc/syslog.conf:
<CSUserver>$ps -ef |grep syslog
root 150 1 0 Feb 26 ? 0:00 /usr/sbin/syslogd
<CSUserver>$kill -HUP 150

3.1.4 Creating and Verifying Basic User Profile


These processes help you to accomplish basic user profile creation and verification:
1. Create user csu_test.
2. Verify user csu_test.
3. Configure the router for basic authentication.
4. Log in to the router and verify user access.
5. Review the AAA server log.


Step 1 Create user csu_test.


Enter the following command to add the user csu_test:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u csu_test -pw des,ciscorocks
Profile Successfully Added

Step 2 Verify user csu_test.


Enter the following command to verify the settings for user csu_test:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u csu_test
User Profile Information
user = csu_test{
profile_id = 18
profile_cycle = 1
password = des "********"
}

Step 3 Configure the router for basic authentication.


Log in to the router and include the following commands:
aaa new-model
aaa authentication login default group tacacs+ local

tacacs-server host 172.22.53.201 key ciscorules

Step 4 Log in to the router and verify user access.


Enter the user name and password:
Username:csu_test
Password:<password>

Step 5 Review the AAA server log.


Enter the tail command to assess the csuslog file:

Note This CSU log fragment illustrates user csu_test being authenticated and permitted
privilege level 15 access.

<CSUserver>$tail -f /var/log/csuslog
Feb 29 16:52:28 CSUserver last message repeated 20 times
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - ACCOUNTING request (55d45ae8)
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - acct_token_cache_session_add_del: user:
csu_test
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - acct_token_cache_session_add_del: user:
csu_test
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - AUTHENTICATION START request (8f414e3e)
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG -
Feb 29 16:52:30 CSUserver User Access Verification
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - Username:
Feb 29 16:52:31 CSUserver CiscoSecure: WARNING - No swap files/partitions allocated
Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e)
Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - Password:
Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e)
Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - Authentication - LOGIN successful;[NAS =
coe-ccie-35.cisco.com, Port = tty2, User = csu_test, Priv = 15]

Chapter 4 Implementing the Server-Based AAA Subsystem

This chapter focuses on the following server-based AAA implementation topics:


• 4.1 Implementing Server-Based TACACS+ Dialup Authentication
• 4.2 Implementing Server-Based TACACS+ Dialup Authorization
• 4.3 Implementing Server-Based RADIUS Dialup Authentication
• 4.4 Implementing Server-Based RADIUS Dialup Authorization
• 4.5 Implementing Server-Based TACACS+ Router Authentication
• 4.6 Implementing Server-Based TACACS+ Router Authorization

Caution The example configuration fragments used throughout this chapter include IP addresses,
passwords, authentication keys, and other variables that are specific to this case study. If
you use these fragments as foundations for your own configurations, be sure that your
specifications apply to your environment.

Note See Chapter 2, “Implementing the Local AAA Subsystem,” for specifics of local AAA
implementation. See “1.1 AAA Technology Summary,” in Chapter 1 for brief definitions
of authentication, authorization, and accounting as they relate to AAA security
implementation.


Figure 4-1 provides the general scenario this case study is built around and illustrates the server-based
AAA components, including a AAA server and its associated AAA database.

Figure 4-1 Basic AAA Case Study Environment
(Figure: clients dial through modems into the PSTN and reach a Cisco AS5x00 server with
integrated modems over analog lines and PRI lines; the IP intranet behind it hosts the AAA
server, the Oracle dB server, DNS, and a network element management server (NTP, Syslog,
SNMP); a default gateway and Internet firewall connect the intranet to the Internet.)
4.1 Implementing Server-Based TACACS+ Dialup Authentication
The following section focuses on server-based dialup authentication configuration. In this context,
server-based refers to actions dependent upon an external AAA server. These actions are described in
a series of general steps along with related commands, server configurations, and diagnostic steps as
appropriate. Figure 4-2 illustrates a simplified TACACS+ server-based dial environment.

Figure 4-2 Server-Based Dial Environment (TACACS+)
(Figure: server-based dial access; a client connects through the PSTN and a modem, and the
access server reaches the AAA server over IP.)


These steps help you to accomplish the following tasks:


1. Configure TACACS+ server-based authentication on NAS.
2. Configure a user profile in the database.
3. Verify the AAA server-based user configuration.
4. Verify and troubleshoot authentication from the AAA server.
5. Verify and troubleshoot PPP authentication from the NAS.

Step 1 Configure TACACS+ server-based authentication on NAS.


Include the following Cisco IOS configuration commands in your configuration to enforce server-based
dial access authentication control with TACACS+:
aaa new-model
aaa authentication login default group tacacs+
aaa authentication ppp default if-needed group tacacs+
!
tacacs-server host 172.22.53.101 key ciscorules

Note See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A,
“AAA Device Configuration Listings,” for notes regarding key Cisco IOS AAA commands.

Step 2 Configure a user profile in the database.


Create a user in the AAA server by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u tac_dial -pw pap,ciscorules -a
'service=ppp{\n protocol=ip{\n set addr-pool=default \n set inacl=110 \n}\n protocol=lcp
{\n }\n }\n'

Caution When entering AddProfile to create users or groups, it is possible to successfully create
users or groups that have invalid database parameters that result in profile errors viewable
in /var/log/csuslog.

Step 3 Verify the AAA server-based user configuration.


Enter this server command to view the AAA server-based user configuration:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u tac_dial

user = tac_dial{
profile_id = 23
profile_cycle = 1
password = pap "********"
service=ppp {
protocol=ip {
set addr-pool=default
set inacl=110
}
protocol=lcp {
}
}


Step 4 Verify and troubleshoot authentication from the AAA server.


Enter the tail command:
<CSUserver>$tail -f /var/log/csuslog

Note See “C.1 Server-Based TACACS+ Dialup Authentication Diagnostics” for a
description of relevant diagnostic output.

Step 5 Verify and troubleshoot PPP authentication from the NAS.


Enter the debug aaa authentication and debug ppp authentication commands to confirm
authentication from the NAS perspective.

Note See “C.1 Server-Based TACACS+ Dialup Authentication Diagnostics” for
relevant diagnostic output.

4.2 Implementing Server-Based TACACS+ Dialup Authorization


This section focuses on implementing server-based dialup authorization and presents applicable
configuration segments, server commands and file listings, and diagnostic steps.
These steps help you to accomplish the following tasks:
1. Configure TACACS+ server-based authorization on the NAS.
2. Configure a user profile in the database.
3. Verify the AAA server-based user configuration.
4. Verify and troubleshoot a shell-initiated PPP session authorization from the AAA server.
5. Verify and troubleshoot shell-initiated PPP authorization on the NAS.

Step 1 Configure TACACS+ server-based authorization on the NAS.


Include the following Cisco IOS configuration commands in your configuration to enforce server-based
dial access authorization with TACACS+:
aaa new-model
aaa authentication login default group tacacs+
aaa authentication ppp default if-needed group tacacs+
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
!
tacacs-server host x.x.x.x key ciscorules

Note See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A,
“AAA Device Configuration Listings,” for notes regarding key Cisco IOS AAA commands.


Step 2 Configure a user profile in the database.


Create a user in the AAA server by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u dialtest -pw des,ciscorules -pw
pap,ciscorules -a 'service=shell{\ndefault cmd=permit\n}\nservice=ppp{\n protocol=ip{\n
set addr-pool=default \n set inacl=110 \n}\n protocol=lcp {\n }\n }\n'

Step 3 Verify the AAA server-based user configuration.


Enter this UNIX server command to view the AAA server-based user configuration:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u dialtest

An example of ViewProfile output for the user profile looks like this:

User Profile Information
user = dialtest{
profile_id = 25
profile_cycle = 1
password = pap "********"
service=shell {
default_cmd=permit
}
service=ppp {
protocol=ip {
set addr-pool=default
set inacl=110
}
protocol=lcp {
}
}

Step 4 Verify and troubleshoot a shell-initiated PPP session authorization from the AAA server.
Enter the following UNIX server command to confirm that the authorization is operating correctly:
<CSUServer>$tail -f /var/log/csuslog

Note See “C.2 Server-Based TACACS+ Dialup Authorization Diagnostics.”

Step 5 Verify and troubleshoot shell-initiated PPP authorization on the NAS.


Enter the debug aaa authorization command to verify server-based authorization is operating correctly
for dial access.

Note See “C.2 Server-Based TACACS+ Dialup Authorization Diagnostics.”


4.3 Implementing Server-Based RADIUS Dialup Authentication


This section focuses on the configuration of server-based RADIUS dialup authentication.
In this context, server-based refers to actions that depend on an external AAA server. Figure 4-3
illustrates a simplified server-based dial environment.
These steps help you to accomplish the following tasks:
1. Configure RADIUS server-based authentication on access server.
2. Configure a user profile in the database.
3. Verify the AAA server-based user configuration.
4. Enter the debug aaa authentication and debug ppp authorization commands to confirm
authentication from NAS perspective.

Figure 4-3 Server-Based Dial Environment (RADIUS)
(Figure: server-based dial access; a client connects through the PSTN and a modem, and the
access server reaches the AAA server over IP.)


Step 1 Configure RADIUS server-based authentication on access server.


Include the following Cisco IOS configuration commands in your configuration to enforce server-based
dial access authentication control with RADIUS:

aaa new-model
aaa authentication login default group radius
aaa authentication ppp default if-needed group radius
!
interface Group-Async1
ip unnumbered Loopback0
no ip directed-broadcast
encapsulation ppp
ip tcp header-compression passive
no logging event link-status
dialer in-band
dialer idle-timeout 900
async mode interactive
no snmp trap link-status
peer default ip address pool default
no fair-queue
no cdp enable
ppp max-bad-auth 3
ppp authentication pap chap
group-range 1 48
!
line 1 48
exec-timeout 48 0
autoselect during-login
autoselect ppp
absolute-timeout 240
modem InOut
modem autoconfigure type mica
transport preferred telnet
transport input all
transport output lat pad telnet rlogin udptn v120 lapb-ta

radius-server host 172.22.53.201 auth-port 1645 acct-port 1646 key ciscorules

Note See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A,
“AAA Device Configuration Listings,” for notes regarding key Cisco IOS AAA commands.

Step 2 Configure a user profile in the database.


a. Create a RADIUS NAS configuration by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u NAS.172.22.53.105 -a
'NASName="172.22.53.105"\nSharedSecret="ciscorules"\nRadiusVendor="Cisco"\nDictionary
="DICTIONARY.Cisco"\n }\n'

b. Create a user in the AAA server by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rad_dial -pw pap,ciscorules
-a 'radius=Cisco{\n reply_attributes={\n 6=2 \n 7=1 \n}\n}\n'

Description of attributes specified in AddProfile configuration:


– 6=2 (meaning Framed-Protocol=ppp)
– 7=1 [meaning User-Service-Type (Framed-User)]


Step 3 Verify the AAA server-based user configuration.


a. Enter this server command to view the AAA server-based NAS configuration:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u NAS.172.22.53.105
User Profile Information
user = NAS.172.22.53.105{
profile_id = 76
profile_cycle = 1
NASName="172.22.53.105" {
SharedSecret="ciscorules"
RadiusVendor="Cisco"
Dictionary="DICTIONARY.Cisco"
}

b. Enter this command to verify the AAA server user configuration:


<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rad_dial
User Profile Information
user = rad_dial{
profile_id = 62
profile_cycle = 1
password = pap "********"
radius=Cisco {
reply_attributes= {
6=2
7=1
}
}

Step 4 Enter the debug aaa authentication and debug ppp authorization commands to confirm
authentication from NAS perspective.

Note See “C.3 Server-Based RADIUS Dialup Authentication Diagnostics.”

4.4 Implementing Server-Based RADIUS Dialup Authorization


These steps help you to accomplish the following tasks:
1. Configure RADIUS server-based authorization on the NAS.
2. Configure a user profile in the database.
3. Verify the AAA server-based user configuration.
4. Verify and troubleshoot RADIUS network authorization on the NAS.
5. Verify that access-list 110 is assigned to user rad_dial with the show caller user command.


Step 1 Configure RADIUS server-based authorization on the NAS.


Include the following Cisco IOS configuration commands in your configuration to enforce RADIUS
authorization assigning access-list 110 to the user, rad_dial:
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default if-needed group radius
aaa authorization exec default group radius
aaa authorization network default group radius if-authenticated
!
radius-server host 172.22.53.201 auth-port 1645 acct-port 1646 key ciscorules
!
access-list 110 permit tcp any any eq telnet
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq ftp-data
access-list 110 deny tcp any any

Note See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A,
“AAA Device Configuration Listings,” for notes regarding key Cisco IOS AAA commands.

Step 2 Configure a user profile in the database.


Create a user in the AAA server by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rad_dial -pw pap,ciscorules -a
'radius=Cisco{\n reply_attributes={\n 6=2 \n 7=1 \n 9,1="ip:inacl=110"}\n}\n'

Step 3 Verify the AAA server-based user configuration.


Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rad_dial
User Profile Information
user = rad_dial{
profile_id = 62
profile_cycle = 1
password = pap "********"
radius=Cisco {
reply_attributes= {
6=2
7=1
9,1="ip:inacl=110"
}
}

Note The Cisco AVP inacl=110 is included to enable an input access-list.
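As an added example (not part of the Cisco case study), the following Python builds the RADIUS Access-Accept that carries the rad_dial reply attributes configured in the two AddProfile commands above (6=2, 7=1 and 9,1="ip:inacl=110") and decodes it the way a NAS does, verifying the Response Authenticator with the shared secret before honouring the inacl value. Attribute numbers and values follow RFC 2865 (6 is Service-Type with value 2 = Framed, 7 is Framed-Protocol with value 1 = PPP, 26 is Vendor-Specific, and vendor 9 sub-type 1 is the Cisco AV pair); the packet identifier and Request Authenticator are constructed values.

```python
# Added example, not CiscoSecure or Cisco IOS code: encode and decode the
# Access-Accept for user rad_dial, including the Cisco AV pair ip:inacl=110.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
SERVICE_TYPE, FRAMED_PROTOCOL, VENDOR_SPECIFIC = 6, 7, 26   # RFC 2865 types
SERVICE_TYPE_FRAMED, FRAMED_PROTOCOL_PPP = 2, 1            # RFC 2865 values
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1                       # "9,1" in the profile


def avp(attr_type, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific (26) attribute carrying Cisco (vendor 9) sub-type 1."""
    data = text.encode()
    vendor_attr = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vendor_attr)


def build_access_accept(ident, request_auth, secret, inacl):
    """Access-Accept with reply attributes 6=2, 7=1 and 9,1="ip:inacl=<inacl>"."""
    attrs = (avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
             + avp(FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP))
             + cisco_avpair(f"ip:inacl={inacl}"))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_access_accept(pkt, request_auth, secret):
    """Verify the authenticator with the shared secret, then decode attributes."""
    if len(pkt) < 20:
        raise ValueError("packet too short")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT or length != len(pkt):
        raise ValueError("not a well-formed Access-Accept")
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        # This is the failure you get when the radius-server key on the NAS and
        # SharedSecret in the NAS profile disagree: the reply must be dropped.
        raise ValueError("bad Response Authenticator (shared secret mismatch?)")
    decoded = {"avpairs": []}
    pos = 20
    while pos < len(pkt):
        if pos + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > len(pkt):
            raise ValueError("malformed attribute length")
        value = pkt[pos + 2:pos + attr_len]
        if attr_type == SERVICE_TYPE:
            decoded["service_type"] = struct.unpack("!I", value)[0]
        elif attr_type == FRAMED_PROTOCOL:
            decoded["framed_protocol"] = struct.unpack("!I", value)[0]
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            sub_type, sub_len = value[4], value[5]
            if (vendor_id == CISCO_VENDOR_ID and sub_type == CISCO_AVPAIR
                    and sub_len == len(value) - 4):
                decoded["avpairs"].append(value[6:].decode())
        pos += attr_len
    return decoded


def inacl_from_accept(pkt, request_auth, secret):
    """Input access-list number the NAS must apply, or None if none was sent."""
    for pair in parse_access_accept(pkt, request_auth, secret)["avpairs"]:
        if pair.startswith("ip:inacl="):
            return int(pair[len("ip:inacl="):])
    return None


if __name__ == "__main__":
    req_auth = bytes(range(16))                 # constructed Request Authenticator
    pkt = build_access_accept(7, req_auth, b"ciscorules", 110)
    print(parse_access_accept(pkt, req_auth, b"ciscorules"))
    print("inacl:", inacl_from_accept(pkt, req_auth, b"ciscorules"))
```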

Step 4 Verify and troubleshoot RADIUS network authorization on the NAS.


Enter the debug aaa authorization command to verify that server-based authorization is
operating correctly for dial access.

Note See “C.4 Server-Based RADIUS Dialup Authorization Diagnostics.”


Step 5 Verify that access-list 110 is assigned to user rad_dial with the show caller user command.

Note See “C.4 Server-Based RADIUS Dialup Authorization Diagnostics.”

4.5 Implementing Server-Based TACACS+ Router Authentication

This section focuses on how to configure and verify TACACS+ Cisco IOS authentication by using a
router and a AAA server. Figure 4-4 illustrates a simplified server-based VTY-access environment for
a router.
These steps help you to accomplish the following tasks:
1. Configure TACACS+ server-based authentication on the router.
2. Configure and verify the group rtr_basic.
3. Create the member rtr_test and assign this user to group rtr_basic.
4. Verify user rtr_test.
5. Log in to the router and verify proper authentication.

Figure 4-4 Server-Based VTY Access (Telnet)
(Figure: server-based VTY access (Telnet) to a router over IP, with the router consulting the
AAA server.)


Step 1 Configure TACACS+ server-based authentication on the router.


Include the following Cisco IOS configuration commands in your configuration to enforce AAA
server-based login authentication on a router (excluding the console port):

aaa new-model
aaa authentication login default group tacacs+
aaa authentication login NO_AUTHENT none

!
ip http server
ip http authentication aaa
ip tacacs source-interface Loopback0
!
tacacs-server host 172.22.53.201 key ciscorules
!
line con 0
login authentication NO_AUTHENT

Note See “A.2 Router AAA Command Implementation Descriptions” in Appendix A,
“AAA Device Configuration Listings,” for notes regarding key Cisco IOS AAA commands.

Step 2 Configure and verify the group rtr_basic.


a. Create the group rtr_basic by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_basic -a
'service=shell{\ndefault cmd=deny\n}\n'
Profile Successfully Added

b. Verify the group rtr_basic by entering the ViewProfile command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_basic
Group Profile Information
group = rtr_low{
profile_id = 66
profile_cycle = 1
service=shell {
default cmd=deny
}
}

Step 3 Create the member rtr_test and assign this user to group rtr_basic.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_test -pw des,ciscorules -pr
rtr_basic
Profile Successfully Added


Step 4 Verify user rtr_test.


Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_test
User Profile Information
user = rtr_test{
profile_id = 66
profile_cycle = 1
member = rtr_basic
password = des "********"
}

Step 5 Log in to the router and verify proper authentication.


Enter the login command to access the router command interface and monitor the output of debug aaa
authentication from a separate shell session. Monitor the output of the AAA server by consulting the
csuslog file using the tail command.

Note See “C.5 Server-Based TACACS+ Router Authentication Diagnostics.”


4.6 Implementing Server-Based TACACS+ Router Authorization


The following examples, including authorization-related IOS command listings and AAA server
profiles, illustrate how to define administrative control over Cisco routers. Three administrative groups
are created with low (rtr_low), medium (rtr_tech), and high (rtr_super) access. The default_cmd AVP
(defined in the AAA server profile) is used to control access to privilege level 15 commands. In this
case, privilege level 15 is the highest level of command access privilege allowed and is reserved for
super users or network managers. Table 4-1 compares the Cisco IOS command permissions associated
with each of the administrative groups defined in this section.

Table 4-1 Group Profile Command Summary

Cisco IOS Command                                    rtr_super   rtr_tech    rtr_low
debug all                                            Denied      Denied      Denied
debug *                                              Permitted   Permitted   Denied
clear *                                              Permitted   Permitted   Denied
reload                                               Permitted   Denied      Denied
show running-config / write terminal                 Permitted   Denied      Denied
copy running-config startup-config / write memory    Permitted   Permitted   Denied
configure terminal                                   Permitted   Denied      Denied

Figure 4-5 provides a flowchart that depicts AAA server-based authentication and authorization
between a router and an AAA server. Troubleshooting and verifying is divided into three stages:
authentication, EXEC authorization and command authorization. Each stage is accompanied by
information particular to that stage:
• Cisco IOS Configuration Fragments (on left)
• Troubleshooting and verification methods for the router and AAA server (on right)


Figure 4-5 TACACS+ Authentication and Authorization Verification Methodology
(Flowchart, summarized; columns are Cisco IOS Client, Decision Flow, and Troubleshoot/Verify.)

Authentication: the router user requests login to the TACACS+ server.
Cisco IOS client: aaa new-model; aaa authentication login default group tacacs+;
tacacs-server host ip-address key secret-key.
Did authentication succeed? If no, troubleshoot from the Cisco IOS client with
debug aaa authentication and from the AAA server with tail -f /var/log/csuslog, and verify the
user (user=rtr_geek, password=des). If yes, EXEC authorization begins.

EXEC Authorization: AAA authorization begins (EXEC).
Cisco IOS client: aaa authorization exec default group tacacs+ if-authenticated.
Did authorization succeed? If no, troubleshoot from the Cisco IOS client with
debug aaa authorization and from the AAA server with tail -f /var/log/csuslog, and verify the
user or group (service=shell). If yes, command authorization begins.

Command Authorization: AAA authorization begins (command).
Cisco IOS client: aaa authorization commands 15 default tacacs+ if-authenticated.
Did authorization succeed? If no, troubleshoot from the Cisco IOS client with
debug aaa authorization and from the AAA server with tail -f /var/log/csuslog, and verify the
user or group (default_cmd=permit, or priv_lvl=15, or cmd=permit). If yes, AAA accounting
begins.

These steps help you to accomplish the following tasks:


1. Configure TACACS+ server-based authorization from the console port on the router.
2. Configure, verify, and test operation of the AAA server group rtr_low.
3. Configure, verify, and test operation of the AAA server group rtr_tech.
4. Configure, verify, and test operation of AAA server Group rtr_super.


Note Some versions of boot ROMs do not recognize all AAA commands. Be sure to
disable AAA authentication and authorization before changing to boot ROM
mode. For configuration notes regarding disabling AAA to access boot ROM
mode, see Appendix B, “AAA Impact on Maintenance Tasks.”

Step 1 Configure TACACS+ server-based authorization from the console port on the router.
Include the following Cisco IOS configuration commands in your configuration to enforce router-based
security with TACACS+:
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login NO_AUTHENT none
aaa authorization commands 15 NO_AUTHOR none
aaa authorization exec default group tacacs+
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+
!
ip http server
ip http authentication aaa
ip tacacs source-interface Loopback0
!
tacacs-server host 172.22.53.201 key ciscorules
!
line con 0
authorization commands 15 NO_AUTHOR
authorization exec NO_AUTHOR
login authentication NO_AUTHENT

Note See “A.2 Router AAA Command Implementation Descriptions” in Appendix A,
“AAA Device Configuration Listings,” for notes regarding key Cisco IOS AAA commands.


Step 2 Configure, verify, and test operation of the AAA server group rtr_low.
The following steps illustrate configuring, verifying, and testing group rtr_low for compliance with the
requirements specified in Table 4-1:
a. Create the group rtr_low.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_low -a
'service=shell{\ndefault cmd=deny\n}\n'
Profile Successfully Added

b. Verify the group rtr_low.


Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_low
Group Profile Information
group = rtr_low{
profile_id = 66
profile_cycle = 1
service=shell {
default cmd=deny
}

c. Create the member rtr_dweeb and assign this user to group rtr_low.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_dweeb -pr rtr_low -pw
des,ciscorules
Profile Successfully Added

d. Verify the user rtr_dweeb.


Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_dweeb
User Profile Information
user = rtr_dweeb{
profile_id = 66
profile_cycle = 1
member = rtr_low
password = des "********"
}

e. Test the Cisco IOS commands for the user rtr_dweeb (see Table 4-1), with these actions:
– Simultaneously monitor the output of debug aaa authorization from a console shell session
and the AAA server csuslog file.
– Log in to the router by using a new terminal window with the rtr_dweeb account and enter the
commands shown in Table 4-1.
– From the AAA server, enter the following command to obtain the matching csuslog content:
<CSUserver>$tail -f /var/log/csuslog

Note See “C.6 Server-Based TACACS+ Router Authorization Diagnostics.”


Step 3 Configure, verify, and test operation of the AAA server group rtr_tech.
The following tasks illustrate configuring, verifying, and testing group rtr_tech for compliance with the
requirements specified in Table 4-1:
a. Create the group rtr_tech.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_tech -a 'service=shell
{\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\ncmd=reload{\ndeny
all\n}\ncmd=configure{\ndeny .*}\n}\n'

b. Verify the group rtr_tech.


Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_tech
Group Profile Information
group = rtr_tech{
profile_id = 47
profile_cycle = 1
service=shell {
default cmd=permit
cmd=debug {
deny all
permit .*
}
cmd=reload {
deny all
}
cmd=configure {
deny .*
}
}

c. Create the member rtr_techie and assign this user to group rtr_tech.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_techie -pr rtr_tech -pw
des,ciscorules
Profile Successfully Added

d. Verify the user rtr_techie.


Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_techie
User Profile Information
user = rtr_techie{
profile_id = 39
profile_cycle = 1
member = rtr_tech
password = des "********"
}

e. Test the Cisco IOS commands for the user rtr_techie (see Table 4-1) with these actions:
– Simultaneously monitor the output of debug aaa authorization from a console shell session
and the AAA server csuslog file.
– Log in to the router by using a new terminal window with the rtr_techie account and enter the
commands shown in Table 4-1.

– From the AAA server, enter the following command to obtain the matching csuslog content:
<CSUserver>$tail -f /var/log/csuslog

Note See “C.6 Server-Based TACACS+ Router Authorization Diagnostics.”

Step 4 Configure, verify, and test operation of AAA server Group rtr_super.
The following tasks illustrate configuring, verifying, and testing group rtr_super for compliance with
the requirements specified in Table 4-1:
a. Create the group rtr_super.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_super -a 'service=shell
{\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\n}\n'
Profile Successfully Added

b. Verify the group rtr_super.


Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_super
Group Profile Information
group = rtr_super{
profile_id = 40
profile_cycle = 1
service=shell {
default cmd=permit
cmd=debug {
deny all
permit .*
}
}

c. Create the member rtr_geek and assign this user to group rtr_super.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_geek -pr rtr_super -pw
des,ciscorules
Profile Successfully

d. Verify the user rtr_geek.


Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_geek
User Profile Information
user = rtr_geek{
profile_id = 45
profile_cycle = 1
member = rtr_super
password = des "********"
}

e. Test the Cisco IOS commands for the user rtr_geek (see Table 4-1) with these commands:
– Simultaneously monitor the output of debug aaa authorization from a console shell session
and the AAA server csuslog file.

– Log in to the router by using a new terminal window with the rtr_geek account and enter the
commands shown in Table 4-1.
– From the AAA server, enter the following command to obtain the matching csuslog content:
<CSUserver>$tail -f /var/log/csuslog

Note See “C.6 Server-Based TACACS+ Router Authorization Diagnostics.”
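As an added example (not part of the Cisco case study), the following Python parses the rtr_low, rtr_tech and rtr_super shell profiles exactly as passed to AddProfile in steps 2 to 4 and evaluates command authorization for the commands of Table 4-1, the check that step e performs by hand against the csuslog. It assumes the usual TACACS+ daemon matching semantics: inside a cmd block the first permit/deny rule whose regular expression matches the command arguments decides, a block with no matching rule denies, and a command with no block falls through to default cmd; the concrete commands standing in for the debug * and clear * rows are constructed, and braces are assumed not to appear inside rule patterns.

```python
# Added example, not CiscoSecure code: evaluate the section 4.6 group
# profiles against Table 4-1 with a small TACACS+-style command authorizer.
import re

# Profile strings as passed to AddProfile -a in section 4.6 (the \n escapes
# there become real newlines on the server).
PROFILES = {
    "rtr_low": "service=shell{\ndefault cmd=deny\n}\n",
    "rtr_tech": ("service=shell {\ndefault cmd=permit\ncmd=debug {\ndeny all\n"
                 "permit .*\n}\ncmd=reload{\ndeny all\n}\ncmd=configure{\n"
                 "deny .*}\n}\n"),
    "rtr_super": ("service=shell {\ndefault cmd=permit\ncmd=debug {\ndeny all\n"
                  "permit .*\n}\n}\n"),
}

# Table 4-1 as (IOS command, expected result for rtr_super, rtr_tech, rtr_low).
# "debug *" and "clear *" are represented by one constructed command each.
TABLE_4_1 = [
    ("debug all", "deny", "deny", "deny"),
    ("debug ip packet", "permit", "permit", "deny"),
    ("clear line 1", "permit", "permit", "deny"),
    ("reload", "permit", "deny", "deny"),
    ("show running-config", "permit", "deny", "deny"),
    ("copy running-config startup-config", "permit", "permit", "deny"),
    ("configure terminal", "permit", "deny", "deny"),
]
GROUPS = ("rtr_super", "rtr_tech", "rtr_low")


def parse_shell_profile(text):
    """Return (default action, {command: [(action, arg_regex), ...]})."""
    # Braces are structural tokens; rule patterns are assumed not to use them.
    tokens = re.sub(r"([{}])", r"\n\1\n", text).split("\n")
    default, cmds, current = "deny", {}, None
    for tok in (t.strip() for t in tokens):
        if tok in ("", "{", "service=shell"):
            continue
        if tok == "}":
            current = None          # end of a cmd block (or of the service)
            continue
        m = re.fullmatch(r"default[ _]cmd=(permit|deny)", tok)
        if m:
            default = m.group(1)
            continue
        m = re.fullmatch(r"cmd=(\S+)", tok)
        if m:
            current = m.group(1)
            cmds[current] = []
            continue
        m = re.fullmatch(r"(permit|deny)\s+(\S.*)", tok)
        if m and current is not None:
            cmds[current].append((m.group(1), m.group(2)))
            continue
        raise ValueError(f"unexpected profile token: {tok!r}")
    return default, cmds


def authorize(profile, command_line):
    """Decide 'permit' or 'deny' for one IOS command line under a parsed profile."""
    default, cmds = profile
    first, _, args = command_line.strip().partition(" ")
    rules = cmds.get(first)
    if rules is None:               # no cmd block: default cmd applies
        return default
    for action, pattern in rules:   # first matching rule wins
        if re.match(pattern, args):
            return action
    return "deny"                   # a cmd block with no matching rule denies


def table_mismatches():
    """Rows of Table 4-1 where the listed profiles give a different answer."""
    parsed = {g: parse_shell_profile(PROFILES[g]) for g in GROUPS}
    bad = []
    for command, *expected in TABLE_4_1:
        for group, want in zip(GROUPS, expected):
            got = authorize(parsed[group], command)
            if got != want:
                bad.append((command, group, want, got))
    return bad


if __name__ == "__main__":
    for row in table_mismatches():
        print("mismatch (command, group, Table 4-1, profile):", row)
```

Run as is, the only row that disagrees with Table 4-1 is show running-config for rtr_tech: the rtr_tech profile as listed has no cmd=show block, so default cmd=permit applies, and a cmd=show block that denies running-config would be needed for the profile to meet the table.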

Chapter 5 Implementing Server-Based AAA Accounting

This chapter focuses on the following two topics:


• 5.1 Implementing Server-Based RADIUS Dial Accounting
• 5.2 Implementing Server-Based TACACS+ Router Accounting

Caution The example configuration fragments used throughout this chapter include IP addresses,
passwords, authentication keys, and other variables that are specific to this case study. If
you use these fragments as foundations for your own configurations, be sure that your
specifications apply to your environment.

Note See “1.1 AAA Technology Summary,” in Chapter 1 for brief definitions of authentication,
authorization, and accounting as they relate to AAA security implementation.

5.1 Implementing Server-Based RADIUS Dial Accounting


The information compiled by the Cisco IOS client focuses on the performance of intermediate systems
in terms of AAA accounting packet output, disconnect cause codes, elapsed time, packets in/out, and
other useful information. This section addresses configuring server-based RADIUS dial accounting on
the AAA server and the Cisco IOS client or network access server (NAS).
These steps help you to accomplish the following tasks:
1. Configure the server-based RADIUS dial accounting on the AAA server.
2. Configure server-based RADIUS dial accounting on the NAS.
3. Verify and troubleshoot server-based accounting from the AAA server by using an SQL query to
the Oracle dB instance.
4. Verify AAA accounting from the NAS.

Step 1 Configure the server-based RADIUS dial accounting on the AAA server.
Include the following configuration line in /opt/ciscosecure/CLI/config/CSU.cfg to enable group
membership accounting:
config_acct_fn_enable = 1


For detailed accounting performance, go to:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23ug/acctg.htm#xtocid84517

Step 2 Configure server-based RADIUS dial accounting on the NAS.


Include the following Cisco IOS commands in your configuration file to support dialup authentication,
authorization, and accounting.
aaa new-model
aaa authentication login default group radius local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default stop-only group radius
aaa accounting network default stop-only group radius

Step 3 Verify and troubleshoot server-based accounting from the AAA server by using an SQL query to
the Oracle dB instance.
The following examples illustrate the use of SQL query commands to monitor user rad_dial being
disconnected due to idletime configured with the line configuration session-timeout command in the
NAS:
<CSUServer>$/export/home/oracle> sqlplus

SQL*Plus: Release 3.3.4.0.1 - Production on Mon Apr 17 17:41:52 2000

Copyright (c) Oracle Corporation 1979, 1996. All rights reserved.

Enter user-name:csecure/csecure@ciscoaus
Connected to:
Oracle7 Server Release 7.3.4.0.1 - Production
PL/SQL Release 2.3.4.0.0 - Production

SQL> select * from cs_accounting_log where blob_data like '%rad_dial%';

LOG_ID BLOB_ORDINAL BLOB_DATA
--------------------------------------------------------------------------------
172.22.87.3 rad_dial Async20 65004 stop server=danvers time=17:36:33
date=04/17/2000 task_id=40 timezone=CST service=ppp protocol=ip
addr=172.22.83.12 disc-cause=4 disc-cause-ext=1021 pre-bytes-in=132
pre-bytes-out=139 pre-paks-in=5 pre-paks-out=7 bytes_i

Note The disc-cause and disc-cause-ext output both reflect idle timeouts from
Table 5-1 listed in “5.3 AAA Disconnect Cause Code Descriptions” in this
chapter.

Step 4 Verify AAA accounting from the NAS.


Review and verify the disconnection of user rad_dial's session from the NAS by using the Cisco IOS
show caller user and debug aaa accounting commands.
The following example shows local accounting diagnostic output in which user rad_dial is
disconnected by the line configuration session-timeout command configured on the NAS:

Note User rad_dial dials into maui-nas-03. Note the session-timeout was applied.

maui-nas-03#show caller user rad_dial detail

User: rad_dial, line tty 20, service Async
Active time 00:00:47, Idle time 00:00:00
Timeouts:       Absolute   Idle       Idle
                           Session    Exec
Limits:         04:00:00   00:15:00   00:48:00
Disconnect in:  03:59:12   00:14:59   -
TTY: Line 20, running PPP on As20
Location: PPP: 172.22.83.12
DS0: (slot/unit/channel)=0/0/2
Line: Baud rate (TX/RX) is 115200/115200, no parity, 1 stopbits, 8 databits
Status: Ready, Active, No Exit Banner, Async Interface Active
HW PPP Support Active, Modem Detected
Capabilities: Hardware Flowcontrol In, Hardware Flowcontrol Out
Modem Callout, Modem RI is CD,
Line usable as async interface, Modem Autoconfigure
Integrated Modem
Modem State: Ready, Modem Configured

User: rad_dial, line As20, service PPP
Active time 00:00:44, Idle time 00:00:08
Timeouts:       Absolute   Idle
Limits:         -          00:15:00
Disconnect in:  -          00:14:50

User rad_dial is disconnected after 15 minutes of inactivity and an accounting packet is sent to the AAA
Server:
maui-nas-03#show debug
General OS:
AAA Accounting debugging is on

*Apr 17 17:36:35.262 CST: AAA/ACCT/ACCT_DISC: Found list "default"
*Apr 17 17:36:35.262 CST: Async20 AAA/DISC: 4/"Idle Timeout"
*Apr 17 17:36:35.262 CST: AAA/ACCT/ACCT_DISC: Found list "default"
*Apr 17 17:36:35.262 CST: Async20 AAA/DISC/EXT: 1021/"Idle Timeout"
*Apr 17 17:36:35.262 CST: Async20 AAA/DISC: 4/"Idle Timeout"
*Apr 17 17:36:35.262 CST: Async20 AAA/DISC/EXT: 1021/"Idle Timeout"

Note The disc-cause and disc-cause-ext both reflect idle timeouts from Table 5-1
listed in “5.3 AAA Disconnect Cause Code Descriptions” in this chapter.

5.2 Implementing Server-Based TACACS+ Router Accounting


These steps help you to accomplish the following tasks:
1. Configure the server-based TACACS+ router accounting on the AAA server.
2. Configure server-based TACACS+ EXEC and command level accounting on the router.
3. Verify and troubleshoot server-based accounting from the AAA server by running an SQL query
against the Oracle DB instance.
4. Verify and troubleshoot server-based accounting operation from the router.

Step 1 Configure the server-based TACACS+ router accounting on the AAA server.
Include the following configuration line in /opt/ciscosecure/CLI/config/CSU.cfg, as in Step 1 of
"5.1 Implementing Server-Based RADIUS Dial Accounting":
config_acct_fn_enable = 1
For detailed accounting information, go to:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23ug/acctg.htm#xtocid84517

Step 2 Configure server-based TACACS+ EXEC and command level accounting on the router.
Include the following Cisco IOS commands in your configuration file to enable router EXEC and
command AAA authentication, authorization, and accounting:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+

line con 0
authorization commands 15 NO_AUTHOR
authorization exec NO_AUTHOR
login authentication NO_AUTHEN

Note Authentication and authorization are disabled on the console port by applying the NO_AUTHEN
and NO_AUTHOR named lists to line con 0. This keeps the console usable as a recovery path if the
TACACS+ server is unreachable, but it also means that anyone with physical access to the console
reaches the EXEC prompt without a password and that privilege level 15 commands entered there are
not authorized against the server, so the configuration depends on physical security of the console
and on the enable secret.

Step 3 Verify and troubleshoot server-based accounting from the AAA server by running an SQL query
against the Oracle DB instance.
The following SQL query returns the command accounting records for user rtr_geek, who entered the
privilege level 15 command configure terminal:
SQL>select * from cs_accounting_log where blob_data like '%rtr_geek%';

LOG_ID BLOB_ORDINAL BLOB_DATA
--------------------------------------------------------------------------------
Mon Apr 17 14:06:27 2000
Client-Id = 172.22.80.3
Client-Port-Id = 0
NAS-Port-Type = Async
User-Name = "rtr_geek"
Acct-Status-Type = Stop

LOG_ID BLOB_ORDINAL BLOB_DATA
--------------------------------------------------------------------------------
172.22.87.3 rtr_geek tty0 async stop server=danvers time=18:10:02
date=04/17/2000 task_id=52 timezone=CST service=shell priv-lvl=15
cmd=configure terminal <cr>

Step 4 Verify and troubleshoot server-based accounting operation from the router.
Enter the configure terminal command to test AAA accounting behavior as follows (be sure the
debug aaa accounting command is enabled):
maui-nas-03#show debug
General OS:
AAA Accounting debugging is on
maui-nas-03#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
maui-nas-03(config)#^Z

This debug command output results from entering the configure terminal command:
*Apr 17 18:14:45.722 CST: AAA/ACCT/CMD: User rtr_geek, Port tty0, Priv 15:
"configure terminal <cr>"
*Apr 17 18:14:45.722 CST: AAA/ACCT/CMD: Found list "default"
*Apr 17 18:14:45.726 CST: AAA/ACCT: user rtr_geek, acct type 3 (1057208544):
Method=tacacs+ (tacacs+)
*Apr 17 18:14:45.930 CST: TAC+: (1057208544): received acct response status = SUCCESS
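The accounting records returned by the two SQL queries above (the dial stop record in Step 3 of 5.1 and the command record in Step 3 of 5.2) are one-line, space-separated key=value strings. The following Python script is an added example, not part of the Cisco case study and not CiscoSecure code: it parses that record format, looks up disc-cause and disc-cause-ext against a subset of the Table 5-1 codes, flags records whose two codes disagree, and flags privilege level 15 commands that match a watch list. The sample records are constructed to match the output above; the watch list and the mapping of each AAA_VAL_DISC_* extended code to its base code are the example's own assumptions.

```python
"""Parse CiscoSecure one-line accounting records and check them.

Added example, not CiscoSecure code. Record format and code values are
taken from the chapter; the sample records at the bottom are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Subset of Table 5-1 (AAA disconnect cause codes).
DISC_CAUSE = {
    1: "User Request", 2: "Lost Carrier", 3: "Lost Service", 4: "Idle Timeout",
    5: "Session Timeout", 6: "Admin Reset", 7: "Admin Reboot", 8: "Port Error",
    9: "NAS Error", 10: "NAS Request", 11: "NAS Reboot", 15: "Service Unavailable",
    16: "Callback", 17: "User Error", 18: "Host Request",
}
DISC_CAUSE_EXT = {
    1011: "AAA_VAL_DISC_LOST_CARR", 1020: "AAA_VAL_DISC_USER_REQ",
    1021: "AAA_VAL_DISC_IDL_TIMOUT", 1024: "AAA_VAL_DISC_LOST_SERV",
    1025: "Password failure", 1028: "AAA_VAL_DISC_HOST_REQ",
    1042: "PAP Auth Failed", 1043: "CHAP Auth Failed",
    1100: "AAA_VAL_DISC_SES_TIMOUT", 1102: "AAA_VAL_DISC_CALLBACK",
    1120: "AAA_VAL_DISC_SERV_UNAVAIL",
}
# ASSUMPTION (inferred from the code names, not stated in the chapter): the base
# disc-cause each AAA_VAL_DISC_* extended code is expected to accompany.
EXT_TO_BASE = {1011: 2, 1020: 1, 1021: 4, 1024: 3, 1028: 18,
               1100: 5, 1102: 16, 1120: 15}
# ASSUMPTION: a hypothetical watch list of privilege-15 command prefixes.
WATCHED_CMDS = ("configure terminal", "reload", "copy", "username",
                "aaa ", "tacacs-server", "radius-server", "enable secret")

# key=value pairs; a value runs until the next " key=" token or end of line.
_KV = re.compile(r"(\S+?)=(.*?)(?=\s\S+?=|$)")


@dataclass
class AcctRecord:
    nas: str
    user: str
    port: str
    status: str
    attrs: Dict[str, str]


def parse_record(text: str) -> AcctRecord:
    """Parse '<nas-ip> <user> <port> <nas-port> <start|stop> key=value ...'.

    Values may contain spaces (cmd=configure terminal <cr>); a value that itself
    contains ' word=' would be split early, a known limit of the format.
    """
    parts = " ".join(text.split()).split(" ", 5)
    if len(parts) < 6:
        raise ValueError("not an accounting record: %r" % text)
    nas, user, port, _nas_port, status, rest = parts
    return AcctRecord(nas, user, port, status, dict(_KV.findall(rest)))


def disconnect_reason(rec: AcctRecord) -> Tuple[str, str, bool]:
    """Return (base description, extended description, consistent) for a stop
    record. consistent is False when disc-cause-ext belongs to a different base
    cause than disc-cause, which points at a truncated or mis-read record."""
    base = int(rec.attrs.get("disc-cause", 0))
    ext = int(rec.attrs.get("disc-cause-ext", 0))
    consistent = EXT_TO_BASE.get(ext) in (None, base)
    return (DISC_CAUSE.get(base, "unknown %d" % base),
            DISC_CAUSE_EXT.get(ext, "unknown %d" % ext), consistent)


def watched_command(rec: AcctRecord) -> Optional[str]:
    """For command accounting (service=shell), return the command text when it
    ran at privilege level 15 and starts with a watched prefix, else None."""
    if rec.attrs.get("service") != "shell":
        return None
    cmd = rec.attrs.get("cmd", "").replace("<cr>", "").strip()
    if rec.attrs.get("priv-lvl") == "15" and cmd.startswith(WATCHED_CMDS):
        return cmd
    return None


def summarize(lines: List[str]) -> List[str]:
    """Run every record through both checks and return readable findings."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.status == "stop" and "disc-cause" in rec.attrs:
            base, ext, ok = disconnect_reason(rec)
            findings.append("%s %s: %s / %s%s" % (
                rec.user, rec.port, base, ext, "" if ok else " [INCONSISTENT]"))
        cmd = watched_command(rec)
        if cmd:
            findings.append("%s %s: privilege-15 command '%s'" % (rec.user, rec.port, cmd))
    return findings


# Constructed samples in the format of the SQL output in 5.1 and 5.2.
SAMPLE_DIAL = ("172.22.87.3 rad_dial Async20 65004 stop server=danvers time=17:36:33 "
               "date=04/17/2000 task_id=40 timezone=CST service=ppp protocol=ip "
               "addr=172.22.83.12 disc-cause=4 disc-cause-ext=1021 pre-bytes-in=132 "
               "pre-bytes-out=139 pre-paks-in=5 pre-paks-out=7")
SAMPLE_CMD = ("172.22.87.3 rtr_geek tty0 async stop server=danvers time=18:10:02 "
              "date=04/17/2000 task_id=52 timezone=CST service=shell priv-lvl=15 "
              "cmd=configure terminal <cr>")
# Constructed inconsistent record: Admin Reset (6) paired with the idle-timeout ext code.
SAMPLE_BAD = ("172.22.87.3 rad_dial Async21 65005 stop server=danvers service=ppp "
              "disc-cause=6 disc-cause-ext=1021")

if __name__ == "__main__":
    for finding in summarize([SAMPLE_DIAL, SAMPLE_CMD, SAMPLE_BAD]):
        print(finding)
```

Feed it the BLOB_DATA column of cs_accounting_log (one record per line) to turn the raw stop records into readable disconnect reasons and a short list of privileged commands worth reviewing.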

5.3 AAA Disconnect Cause Code Descriptions


Table 5-1 lists the disconnect codes reported by Cisco AAA accounting records. The disconnect cause
codes are referred to in “5.1 Implementing Server-Based RADIUS Dial Accounting.”

Table 5-1 AAA Disconnect Cause Code Listings

Disconnect Cause Code   Description
1                       User Request
2                       Lost Carrier
3                       Lost Service
4                       Idle Timeout
5                       Session Timeout
6                       Admin Reset
7                       Admin Reboot
8                       Port Error
9                       NAS Error
10                      NAS Request
11                      NAS Reboot
12                      Port Unneeded
13                      Port Preempted
14                      Port Suspended
15                      Service Unavailable
16                      Callback
17                      User Error
18                      Host Request
1002                    Unknown
1004                    CLID Auth Fail
1010                    No Carrier
1011                    AAA_VAL_DISC_LOST_CARR
1012                    No Modem result codes
1020                    AAA_VAL_DISC_USER_REQ
1021                    AAA_VAL_DISC_IDL_TIMOUT
1022                    Exited Telnet
1023                    Peer has No IPADDR
1024                    AAA_VAL_DISC_LOST_SERV
1025                    Password failure
1026                    TCP Disabled
1027                    Control-C Detected
1028                    AAA_VAL_DISC_HOST_REQ
1040                    LCP Neg Timeout
1041                    LCP Neg Failed
1042                    PAP Auth Failed
1043                    CHAP Auth Failed
1044                    Remote Auth Failed
1045                    Received Terminate
1046                    Upper Layer Req Close
1100                    AAA_VAL_DISC_SES_TIMOUT
1101                    Fail Security
1102                    AAA_VAL_DISC_CALLBACK
1120                    AAA_VAL_DISC_SERV_UNAVAIL

Chapter 6 Diagnosing and Troubleshooting AAA Operations

This chapter focuses on diagnosing and troubleshooting negotiations between AAA devices. This
section reviews the case study environment and outlines the protocol flows associated with AAA
negotiations in the context of this network environment. The subsequent sections focus on specific
troubleshooting techniques as follows:
• 6.1 Overview of Authentication and Authorization Processes
• 6.2 Troubleshooting AAA Implementation
• 6.3 AAA Troubleshooting Basics
• 6.4 Troubleshooting Scenarios

6.1 Overview of Authentication and Authorization Processes


Before jumping immediately into troubleshooting AAA problems, it is useful to review authentication
and authorization processes. Figure 6-1 provides the general scenario this case study is built around.
The primary elements of this environment are the AAA server, the AAA database, and the NAS.

Figure 6-1 Basic AAA Case Study Environment

[Figure: clients with modems dial across the PSTN over analog lines and PRI lines into a Cisco AS5x00
access server with integrated modems. On the IP intranet behind the NAS sit the AAA server, the
Oracle DB server, a DNS server, a network element management server (NTP, Syslog, SNMP) and the
default gateway, which leads through the Internet firewall to the Internet.]

The negotiation suggested in Figure 6-1 is expanded in Figure 6-2 which presents the logical flow of
the authentication and authorization processes and illustrates the relationship between the elements
within the TACACS+ based AAA negotiation. While the network access server (NAS) communicates
directly with the AAA server, the AAA server in turn exchanges information with the Oracle database
server.

Figure 6-2 Dial Access Authentication and Authorization Flow Diagram

[Figure: the network access server sends a TACACS+ query to CiscoSecure ACS, which checks the
Oracle database by SQL in three stages, each of which either fails or passes: valid user?, password = ?,
and authorization. The result is returned to the network access server.]

Figure 6-3 illustrates the RADIUS dial-access authentication and authorization negotiation between
the NAS and the AAA server. User rad_dial is permitted PPP access either through the EXEC shell
(character mode) or by autoselect PPP (packet mode).

Figure 6-3 RADIUS Dial Access Authentication and Authorization Process

[Figure: over time, the NAS sends an Access-Request carrying the username and password to the AAA
server, which performs authentication and authorization in one step and returns an Access-Accept
carrying the reply attributes User-Service-Type (Shell-User), User-Service-Type (Framed-User) and
Framed-Protocol = PPP. The AAA server user configuration shown is:]

user=rad_dial{
  password=PAP "****"
  radius=Cisco{
    reply_attributes={
      6=6
      6=2
      7=1
    }
  }
}

Note Unlike TACACS+, the authentication and authorization processes are not handled as
separate stages in RADIUS-based AAA access control.

Figure 6-4 and Figure 6-5 expand on the basic negotiation flow depicted in Figure 6-2 by illustrating
the specific TACACS+ negotiation process associated with particular users, as defined in their
respective CSU profiles.

Figure 6-4 TACACS+ Dial Access Authentication and Authorization Session (EXEC Enabled)

[Figure: over time, between the network access server and the AAA server (which consults the Oracle
DB). Authentication: Send start, Get user, Send user, Get pass, Send password, Pass. Authorization:
Send AV user = x service = shell cmd*, Pass; Send AV user = x service = ppp protocol = ip
addr-pool = default, Pass; Send AV user = x service = ppp protocol = lcp, Pass; Send AV user = x
service = ppp protocol = ip, Pass. The CSU user configuration shown is:]

user = x
  password = PAP
  service = shell {
    default_cmd = permit
  }
  service = ppp {
    protocol = ip {
      set addr-pool = default
    }
    protocol = lcp {
    }
  }

The difference in authorization behavior between the two sessions stems from two attributes in the
AAA server user configurations. The default_cmd = permit attribute under service = shell in Figure 6-4
permits, by default, privilege level 15 commands for user x: each command the NAS sends for
authorization is answered with Pass unless the profile explicitly denies it.
As configured in Figure 6-4, user x can therefore start either an EXEC shell session or a standard PPP
session. The same negotiation is used when initiating shell access to a router.

Both figures depict the stages of dial access authentication and authorization sessions between an access
server and an AAA server. The key difference is defined in the CSU user configuration (profiles)
included in each illustration. In Figure 6-4, EXEC shell access authorization is permitted while it is not
permitted in the illustration depicted in Figure 6-5.

Figure 6-5 TACACS+ Dial Access Authentication and Authorization Session (EXEC Shell Disabled)

[Figure: over time, between the network access server and the AAA server (which consults the Oracle
database). Authentication: Send start, Get user, Send Abort (the NAS autoselects PPP and
authenticates peer user = y by PAP), Send password, Pass. LCP request. Network authorization:
Send AV user = y service = ppp protocol = lcp, Pass; CONFREQ for options, Pass. The CSU user
configuration shown is:]

user = y
  password = PAP
  service = shell {
    set autocmd = ppp negotiate
  }
  service = ppp {
    protocol = ip {
      set addr-pool = default
    }
    protocol = lcp {
    }
  }

The session in Figure 6-5 omits the default_cmd = permit AVP and instead includes the
autocmd = ppp negotiate AVP, which disables EXEC shell access to IOS devices: as soon as the EXEC
session is authorized, the NAS runs ppp negotiate instead of presenting a shell. On a router line, user y
fails any attempt to log in and receives the message PPP not allowed on this interface as a result of
that autocommand. This distinction provides an element of security, blocking shell access to routers
for a dial-in user while still allowing the PPP session on the access server.
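To make the difference between the two profiles concrete, the following Python script is an added example (not CiscoSecure code) that evaluates the CSU profiles of user x (Figure 6-4) and user y (Figure 6-5) against the authorization requests a NAS sends: service=shell cmd* when an EXEC session starts, service=shell cmd=... for each command, and service=ppp protocol=lcp / protocol=ip for a PPP session. It models the TACACS+ reply as PASS_ADD with reply AVs, or FAIL. The profile contents are transcribed from the figures; the evaluation rules, the line_supports_ppp flag that stands in for a router line on which ppp negotiate cannot run, and the absence of per-command entries are simplifications made for the example.

```python
"""Toy TACACS+ authorization evaluator for the profiles in Figures 6-4 and 6-5.

Added example, not CiscoSecure code. Profile contents are transcribed from the
figures; the evaluation rules are a simplification of TACACS+ authorization
(the NAS sends AV pairs, the server answers PASS_ADD with reply AVs, or FAIL).
"""
from typing import Dict, List, Tuple

# CSU user configurations from the two figures.
PROFILES = {
    "x": {"shell": {"default_cmd": "permit"},                 # Figure 6-4: EXEC permitted
          "ppp": {"ip": {"addr-pool": "default"}, "lcp": {}}},
    "y": {"shell": {"autocmd": "ppp negotiate"},              # Figure 6-5: EXEC disabled
          "ppp": {"ip": {"addr-pool": "default"}, "lcp": {}}},
}


def parse_avs(avs: List[str]) -> Dict[str, str]:
    """'attr=value' is a mandatory AV, 'attr*value' an optional one; 'cmd*' (an empty
    command) is what the NAS sends when an EXEC session starts."""
    out = {}
    for av in avs:
        sep = "=" if "=" in av else "*"
        key, _, value = av.partition(sep)
        out[key] = value
    return out


def authorize(user: str, avs: List[str]) -> Tuple[str, List[str]]:
    """Server side: evaluate one authorization request against the user's profile."""
    profile = PROFILES.get(user)
    req = parse_avs(avs)
    if profile is None or "service" not in req:
        return "FAIL", []
    if req["service"] == "shell":
        shell = profile.get("shell")
        if shell is None:
            return "FAIL", []
        if req.get("cmd", "") == "":
            # EXEC start: hand session attributes (autocmd, priv-lvl, ...) back to the NAS
            return "PASS_ADD", ["%s=%s" % (k, v) for k, v in shell.items() if k != "default_cmd"]
        # Command authorization. ASSUMPTION: only default_cmd is modelled (no per-command
        # permit/deny entries), so a profile without it denies every command.
        return ("PASS_ADD", []) if shell.get("default_cmd") == "permit" else ("FAIL", [])
    if req["service"] == "ppp":
        entry = profile.get("ppp", {}).get(req.get("protocol"))
        if entry is None:
            return "FAIL", []
        return "PASS_ADD", ["%s=%s" % (k, v) for k, v in entry.items()]
    return "FAIL", []


def exec_login(user: str, line_supports_ppp: bool = True) -> Tuple[str, List[Tuple[str, str, List[str]]]]:
    """NAS side of a character-mode login after authentication has succeeded.

    Returns the outcome ('shell', 'ppp', 'denied', or the message shown to the user) and a
    trace of (request, status, reply AVs). line_supports_ppp is an ASSUMPTION used to model
    a router line on which the 'ppp negotiate' autocommand cannot run.
    """
    trace = []
    status, reply = authorize(user, ["service=shell", "cmd*"])
    trace.append(("service=shell cmd*", status, reply))
    if status != "PASS_ADD":
        return "denied", trace
    autocmd = parse_avs(reply).get("autocmd")
    if autocmd is None:
        return "shell", trace                                 # user x: EXEC prompt
    if autocmd != "ppp negotiate":
        return "autocmd:" + autocmd, trace
    if not line_supports_ppp:
        return "PPP not allowed on this interface", trace     # user y on a router line
    for proto in ("lcp", "ip"):                               # user y on a dial line: PPP
        status, reply = authorize(user, ["service=ppp", "protocol=" + proto])
        trace.append(("service=ppp protocol=" + proto, status, reply))
        if status != "PASS_ADD":
            return "denied", trace
    return "ppp", trace


if __name__ == "__main__":
    for u in ("x", "y"):
        print(u, exec_login(u)[0], exec_login(u, line_supports_ppp=False)[0],
              authorize(u, ["service=shell", "cmd=configure", "cmd-arg=terminal"])[0])
```

Running it shows user x landing in a shell on either kind of line and getting PASS_ADD for configure terminal, while user y is pushed straight into PPP on the access server, is refused with "PPP not allowed on this interface" on a router line, and gets FAIL for every command because the profile carries no default_cmd = permit.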

6.2 Troubleshooting AAA Implementation


This section is divided into the following subsections:
• 6.2.1 Troubleshooting Methodology Overview
• 6.2.2 Cisco IOS Debug Command Summary

6.2.1 Troubleshooting Methodology Overview


The troubleshooting methodology adopted in this chapter follows these general steps:
1. Isolating the problem.
– Gathering detailed information about trouble.
– Determining the starting point and fault isolation procedures.
2. Correcting the problem.
– Making appropriate hardware, software, or configuration changes to correct the problem.
3. Verifying that the trouble is corrected.
– Performing operational tests to verify that trouble is corrected.
The troubleshooting tables presented in “6.3 AAA Troubleshooting Basics” and the example scenarios
presented in “6.4 Troubleshooting Scenarios” generally follow this methodology in listing typical
symptoms, and provide associated problems and diagnostics measures.

6.2.2 Cisco IOS Debug Command Summary


Output from Cisco IOS debug commands provides a valuable source of information and feedback
concerning state transitions and functions within the AAA subsystem.
Use the following debug commands to capture AAA-related transitions and functions:
• debug condition user username
Enabling this command restricts the output of the other debugs to sessions belonging to the named
user. On a busy production NAS this keeps the volume of debug output manageable, so enable it before
the AAA debugs below when troubleshooting a single user's problem.
• debug aaa authentication
Enabling this debug command displays authentication information with TACACS+ and RADIUS
client/server interaction.
• debug aaa authorization
Enabling this debug command displays authorization information with TACACS+ and RADIUS
client/server interaction.
• debug aaa accounting
Enabling this debug command displays accounting information with TACACS+ and RADIUS
client/server interaction.
• debug tacacs
Enabling this debug command displays TACACS+ interaction between IOS client and AAA Server.
• debug radius
Enabling this debug command displays RADIUS interaction between the IOS client and the AAA
server.
In addition to debug command output gathered directly from devices running Cisco IOS, a Cisco AAA
server can be configured to collect important operational diagnostics.
Go to the following link for information regarding configuring and using CSU ACS logs:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23rg/troubles.htm

6.3 AAA Troubleshooting Basics


AAA operational diagnostic activity for access environments is divided into the following basic areas:
• Dial-based versus router-based access
• Local versus server-based AAA
• Authentication versus authorization processes
These three areas can be associated with eight underlying diagnostic situations which are addressed in
the following subsections:
• 6.3.1 Troubleshooting Dial-Based Local Authentication
• 6.3.2 Troubleshooting Dial-Based Server Authentication
• 6.3.3 Troubleshooting Dial-Based Local Authorization
• 6.3.4 Troubleshooting Dial-Based Server Authorization
• 6.3.5 Troubleshooting Router-Based Local Authentication
• 6.3.6 Troubleshooting Router-Based Server Authentication
• 6.3.7 Troubleshooting Router-Based Local Authorization
• 6.3.8 Troubleshooting Router-Based Server Authorization
The following sections address each of the diagnostic topics separately. Detailed scenarios are provided
in “6.4 Troubleshooting Scenarios.”
The diagnostics summaries address the troubleshooting process using three basic stages:
1. Identifying symptoms
2. Isolating problems
3. Resolving problems
Each diagnostic table includes suggestions for identifying and isolating problems. Diagnostic
information is provided in “6.4 Troubleshooting Scenarios.” Specific diagnostic output is included to
illustrate how network entities react to failures and how to discern specific failures.

Note Some of the symptoms described in the following tables can be caused by a variety of
problems other than AAA issues. Because this case study focuses on AAA-based security
topics, the problems and diagnostics provided here focus on AAA issues.

6.3.1 Troubleshooting Dial-Based Local Authentication


The following symptoms are addressed in separate tables in this section:
• Single User Failure; Individual Dial-in User Connection Fails
• Multiple User Failure; All Dial-in Users Unable to Connect to NAS

Table 6-1 Single User Failure; Individual Dial-in User Connection Fails

Problem: User entered an invalid username or password.
Suggested diagnostic steps:
1. To verify the local account, enter:
   <NAS>#debug aaa authentication
   Test the login with the username and password and look for a "user not found" or "password
   validation" failure.
2. If the user is not found, add the user. If password validation failed, reenter the login with the
   correct username and password combination.

Table 6-2 Multiple User Failure; All Dial-in Users Unable to Connect to NAS

Problem: AAA behavior configured incorrectly in the NAS.
Suggested diagnostic steps:
1. Enter this diagnostic command in the NAS:
   <NAS>#debug aaa authentication
2. To verify that local authentication is configured correctly, enter:
   <NAS>#show running-config
3. Verify the inclusion of one of these commands:
   aaa authentication login default local
   or
   aaa authentication ppp default local

Problem: Shell-initiated PPP session passes, but is torn down.
Suggested diagnostic steps:
1. Enter this diagnostic command in the NAS:
   <NAS>#debug aaa authentication
2. To verify that AAA is configured correctly in the NAS, enter:
   <NAS>#show running-config
3. Verify the inclusion of this command:
   aaa authentication ppp default if-needed local

6.3.2 Troubleshooting Dial-Based Server Authentication


The following symptoms are addressed in separate tables in this section:
• Single User Failure; Individual User Unable to Make Connection (RADIUS and TACACS+)
• Multiple User Failure; All Dial-in Users Unable to Connect to NAS (RADIUS and TACACS+)

Table 6-3 Single User Failure; Individual User Unable to Make Connection (RADIUS and TACACS+)

Problem: User name not in the server database.
Suggested diagnostic step:
1. To verify that the user is in the database, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username

Problem: User entered the password incorrectly.
Suggested diagnostic steps:
1. Verify password case sensitivity.
2. Monitor the user's activity on the AAA server:
   <CSUserver>$tail -f /var/log/csuslog | grep username
3. Review the csuslog file for errors (for example, if the user is configured for OTP, verify that the
   PASSCODE is accepted from the OTP server).
4. Reset the user password or resynchronize the PASSCODE if needed.

Problem: User profile configured incorrectly. The error message "bad method for user" is reported in
the csuslog file.
Suggested diagnostic steps:
1. To verify that the user profile is programmed with the correct password type, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
2. Verify that the user profile privilege is sufficient to perform the task.
3. Verify that the profile is configured for the correct password type (for example, PAP for OTP).

Problem: User account disabled because of too many failed logins.
Suggested diagnostic steps:
1. To view the user profile, enter:
   <CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username
2. Verify that the profile is not disabled. If it is disabled, compare the set server
   current-failed-login counter to the maximum failed login setting in the CSU.cfg file.
3. If these values are the same, reset the user profile status to enabled and reset the set server
   current-failed-login counter by using the web-based administration utility.

Problem: User account password or profile expired.
Suggested diagnostic steps:
1. To view the profile, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
2. For TACACS+, look for an expiration in the profile, such as:
   expires = "24 Jan 2000"
3. For RADIUS, look for an expiration in the profile, such as:
   Password-Expiration = "24 Jan 2000"

Problem: User workstation configured incorrectly.
Suggested diagnostic steps:
1. Review the user's dialup networking setup.
2. To review the user profile, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
3. Check for a setting such as "Requires encrypted password."

Problem: User exceeded the maximum number of concurrent sessions.
Suggested diagnostic steps:
1. To review the user profile, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
2. For TACACS+, look for this AVP:
   max-sessions
   For RADIUS, look for this AVP:
   Maximum-Channels

Table 6-4 Multiple User Failure; All Dial-in Users Unable to Connect to NAS (RADIUS and TACACS+)

Problem: Connection between the NAS and the AAA server is down.
Suggested diagnostic steps:
Verify network connectivity between the NAS and the AAA server. Enter these diagnostic commands in
the NAS:
   <NAS>#show tacacs
   <NAS>#debug tacacs
   <NAS>#debug radius
   <NAS>#ping CSU-server-name

Problem: TACACS+ or RADIUS key incorrect in the NAS or the AAA server.
Suggested diagnostic steps:
Review the NAS and CSU configurations for the shared secret.
In the NAS, enter:
   <NAS>#show running-config
In the AAA server, enter:
   <CSUserver>$grep NAS-IP-Address /opt/ciscosecure/config/CSU.cfg
   <CSUserver>$tail -f /var/log/csuslog

Problem: Maximum number of users exceeded.
Suggested diagnostic steps:
1. Verify that the license key is entered correctly in the AAA server. Enter the following command at
   the CSUserver:
   <CSUserver>$grep license-key /opt/ciscosecure/config/CSU.cfg
2. To review the expiration date of the license key, enter:
   <CSUserver>$grep license-key /var/log/csuslog

Problem: Group profile password type does not match the type specified in the NAS group-async or
dialer interface configuration (for example, ppp authentication pap).
Suggested diagnostic steps:
1. To review the NAS configuration, enter:
   <NAS>#show running-config
2. Verify that the group-async or dialer interface is configured with the correct password type. For
   example, for OTP, PAP must be specified.
3. Verify that the group profile matches the group-async or dialer interface configuration in the NAS.

Problem: Shell-initiated PPP session passes, but is torn down.
Suggested diagnostic steps:
1. Enter this diagnostic command in the NAS:
   <NAS>#debug aaa authentication
2. To verify that AAA is configured correctly in the NAS, enter:
   <NAS>#show running-config
3. Verify that one of these commands is included in the NAS configuration:
   aaa authentication ppp default if-needed group tacacs+
   or
   aaa authentication ppp default if-needed group radius

6.3.3 Troubleshooting Dial-Based Local Authorization


The following symptoms are addressed in separate tables in this section:
• User Cannot Start PPP
• Network Authorization Fails
• Unable to Access Specific Host or Network Service
• Multilink Fails

Table 6-5 User Cannot Start PPP

Problem: User client configuration error.
Suggested diagnostic step:
Refer to the Microsoft troubleshooting article:
   http://support.microsoft.com/support/kb/articles/Q130/0/79.asp?LNG=ENG&SA=ALLKB

Table 6-6 Network Authorization Fails

Problem: Attribute-value pairs (AVPs) not assigned.¹
Suggested diagnostic steps:
1. Enter this diagnostic command in the NAS:
   <NAS>#debug aaa authorization
2. To verify that AAA is configured correctly in the NAS, enter:
   <NAS>#show running-config
3. Verify the inclusion of this command:
   aaa authorization exec default local

1. AAA authorization is only supported on shell sessions with local accounts.

Table 6-7 Unable to Access Specific Host or Network Service

Problem: Access list assigned to the user.
Suggested diagnostic steps:
1. Verify that the local account is not restricted with the access-class AVP:
   <NAS>#show running-config
2. Enter these NAS commands to determine whether an access list is assigned to the user:
   <NAS>#show caller user userid detail
   <NAS>#show line
3. To review the access list, enter this NAS command:
   <NAS>#show access-list ACL-number

Table 6-8 Multilink Fails

Problem: User profile restricted.
Suggested diagnostic step:
To verify that the user account is not restricted by inclusion of the max-links AVP, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username

6.3.4 Troubleshooting Dial-Based Server Authorization


The following symptoms are addressed in separate tables in this section:
• Multiple Users Cannot Start PPP (RADIUS and TACACS+)
• Network Authorization Fails (RADIUS and TACACS+)
• User or Group Members Unable to Access Specific Host or Network Service (RADIUS and
TACACS+)
• Multilink Fails (TACACS+)
• Multilink Fails (RADIUS)
• Session Fails to Disconnect After Expected Idle Timeout (TACACS+)
• Session Fails to Disconnect After Expected Idle Timeout (RADIUS)
• No EXEC Shell for TACACS+
• No EXEC Shell for RADIUS
• Cannot Start Concurrent Sessions (TACACS+)
• Cannot Start Concurrent Sessions (RADIUS)

Table 6-9 Multiple Users Cannot Start PPP (RADIUS and TACACS+)

Problem: AAA authorization configured incorrectly in the NAS.
Suggested diagnostic steps:
1. Enter this diagnostic command in the NAS:
   <NAS>#debug aaa authorization
2. To verify that AAA is configured correctly in the NAS, enter:
   <NAS>#show running-config
3. Verify the inclusion of one of these commands:
   aaa authorization network default group tacacs+
   or
   aaa authorization network default group radius

Problem: Group does not have PPP service assigned.
Suggested diagnostic steps:
1. To view the group profile, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
2. For TACACS+, verify that the following AVPs are assigned to the group:
   service=ppp
   protocol=lcp
   protocol=ip
3. For RADIUS, verify that the following AVPs are assigned to the group:
   Service-Type=Framed
   Framed-Protocol=ppp

Problem: Group lacks shell service assigned (EXEC shell-initiated PPP session only).
Suggested diagnostic steps:
1. To view the group profile, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
2. For TACACS+, verify that the following AVP is assigned to the group:
   service=shell
3. For RADIUS, verify that the following AVP is assigned to the group:
   User-Service-Type (Shell-User)

Table 6-10 Network Authorization Fails (RADIUS and TACACS+)

Problem: AVPs not assigned.
Suggested diagnostic steps:
1. Enter this diagnostic command in the NAS:
   <NAS>#debug aaa authorization
2. To verify that AAA is configured correctly in the NAS, enter:
   <NAS>#show running-config
3. Verify the inclusion of one of these commands:
   aaa authorization network default group tacacs+
   or
   aaa authorization network default group radius

Table 6-11 User or Group Members Unable to Access Specific Host or Network Service (RADIUS and TACACS+)

Problem: Access list assigned to the user or group.
Suggested diagnostic steps:
1. To view the group profile, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
   Verify that the group account is not restricted with the inacl AVP.
2. Enter these NAS commands to determine whether an access list is assigned to the user:
   <NAS>#show caller user userid detail
   <NAS>#show line
3. Review the access list with this NAS command:
   <NAS>#show access-list ACL-number

Table 6-12 Multilink Fails (TACACS+)

Problem: User or group profile lacks the proper AVP.
Suggested diagnostic steps:
1. To verify that the group account has the protocol=multilink AVP assigned, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
2. Review the profile for the load-threshold AVP and whether it is configured properly.

Problem: User or group profile restricted.
Suggested diagnostic step:
To verify that the group account is not restricted with the max-links AVP, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname

Table 6-13 Multilink Fails (RADIUS)

Problem: User or group profile lacks the proper AVP.
Suggested diagnostic step:
To verify that the group account has the framed-protocol=multilink AVP assigned, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname

Problem: User or group profile restricted.
Suggested diagnostic step:
To verify that the group account is not restricted with the max-links AVP, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname

Table 6-14 Session Fails to Disconnect After Expected Idle Timeout (TACACS+)

Problem: The idletime AVP is not configured on the group profile.
Suggested diagnostic step:
To verify that the group account has the idletime AVP assigned, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname

Table 6-15 Session Fails to Disconnect After Expected Idle Timeout (RADIUS)

Problem: The Idle-Timeout AVP is not configured on the group profile.
Suggested diagnostic step:
To verify that the group account has the Idle-Timeout AVP assigned, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname

Table 6-16 No EXEC Shell for TACACS+

Problem: User or group lacks service=shell AVP assigned.
Suggested Diagnostic Steps:
To verify service=shell is assigned to user or group, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username

Table 6-17 No EXEC Shell for RADIUS

Problem: User or group does not have User-Service-Type AVP assigned.
Suggested Diagnostic Steps:
To verify User-Service-Type (Shell-User) is assigned to user or group, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username

Table 6-18 Cannot Start Concurrent Sessions (TACACS+)

Problem: User exceeds the maximum number of concurrent sessions.
Suggested Diagnostic Steps:
1. To review the user profile, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
2. Look for the following AVP:
   server max sessions

Table 6-19 Cannot Start Concurrent Sessions (RADIUS)

Problem: User exceeds the maximum number of concurrent sessions.
Suggested Diagnostic Steps:
1. To review the user profile, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
2. Look for the following AVP:
   Maximum-Channels

6.3.5 Troubleshooting Router-Based Local Authentication


The following symptoms are addressed in separate tables in this section:


• Single User Failure; Individual Dial-in User Connection Fails
• Multiple User Failure; All Dial-in Users Unable to Connect to Router
• Users Can Access Router by Using Console or VTY, but Not Both

Table 6-20 Single User Failure; Individual Dial-in User Connection Fails

Problem: User entered invalid username or password.
Suggested Diagnostic Steps:
1. To verify local account, enter:
   <router>#debug aaa authentication
2. Test login with username/password.
3. Look for user not found or password validation failure.

Table 6-21 Multiple User Failure; All Dial-in Users Unable to Connect to Router

Problem: AAA behavior configured incorrectly in router.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in router:
   <router>#debug aaa authentication
2. To verify local authentication is configured correctly, enter:
   <router>#show running-config
3. Verify inclusion of this command:
   aaa authentication login/ppp default local


Table 6-22 Users Can Access Router by Using Console or VTY, but Not Both

Problem: Incorrect AAA configuration in router.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in router:
   <router>#debug aaa authentication
2. To verify AAA is configured correctly in router, enter:
   <router>#show running-config
3. Verify method used for console authentication matches VTY method. For example:
   • AAA configuration:
     aaa authentication login listname group tacacs+
   • Console line configuration:
     line con 0
      login authentication listname
   • VTY line configuration:
     line vty 0 4
      login authentication listname

6.3.6 Troubleshooting Router-Based Server Authentication


The following symptoms are addressed in separate tables in this section:
• Single User Failure; Individual User Unable to Make a Connection
• Multiple User Failure; All Dial-In Users Unable to Connect to the Router
• Users Pass Authentication on Console or VTY, but Not Both


Table 6-23 Single User Failure; Individual User Unable to Make a Connection

Problem: User name not in server database.
Suggested Diagnostic Steps:
1. To verify user is in database, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username

Problem: User entered password incorrectly.
Suggested Diagnostic Steps:
1. Verify password case sensitivity.
2. To monitor user activity in AAA server, enter:
   <CSUserver>$tail -f /var/log/csuslog|grep username
3. Review csuslog file for errors.

Problem: User profile configured incorrectly. The error message “bad method for user” reported in csuslog file.
Suggested Diagnostic Steps:
1. To verify user profile is programmed with correct password type, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
2. Verify user profile privilege is sufficient to perform task.
3. Verify profile is configured for correct password type, for example, DES or clear text.

Problem: User account disabled due to too many failed logins.
Suggested Diagnostic Steps:
1. To view user profile, enter:
   <CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username
2. Verify that the profile is not disabled. If it is disabled, compare the set server current-failed-login counter to the max failed login setting in the CSU.cfg file.
3. If these attributes are the same, reset user profile status to enabled and reset the set server current-failed-login counter by using the web-based administration utility.

Problem: User account password or profile expired.
Suggested Diagnostic Steps:
1. To view profile, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
2. Look for expiration in profile, such as:
   expires = "24 Jan 2000"

Problem: User exceeds the maximum number of concurrent sessions.
Suggested Diagnostic Steps:
1. To review the user profile, enter:
   <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
2. Look for the following AVP:
   server max sessions


Table 6-24 Multiple User Failure; All Dial-In Users Unable to Connect to the Router

Problem: Connection between router and AAA server down.
Suggested Diagnostic Steps:
Verify network connectivity between router and AAA server. Enter these diagnostic commands in router:
   <router>#show tacacs
   <router>#debug tacacs
   <router>#debug radius
   <router>#ping CSU-IP-address

Problem: TACACS+ key incorrect in router or AAA server.
Suggested Diagnostic Steps:
Review router and CSU configurations for shared secret.
In the router, enter:
   <router>#show running-config
In the AAA server, enter:
   <CSUserver>$grep router-IP-address /opt/ciscosecure/config/CSU.cfg

Problem: Maximum number of users exceeded.
Suggested Diagnostic Steps:
1. Verify license key is entered correctly in AAA server. Enter the following commands at the CSUserver:
   <CSUserver>$grep license-key /opt/ciscosecure/config/CSU.cfg
2. To review the expiration date of the license key, enter:
   <CSUserver>$grep license-key /var/log/csuslog


Table 6-25 Users Pass Authentication on Console or VTY, but Not Both

Problem: Incorrect AAA configuration in router.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in router:
   <router>#debug aaa authentication
2. To verify AAA is configured correctly in router, enter:
   <router>#show running-config
3. Verify method used for console authentication matches VTY method. For example:
   • AAA configuration:
     aaa authentication login listname group tacacs+
   • Console line configuration:
     line con 0
      login authentication listname
   • VTY line configuration:
     line vty 0 4
      login authentication listname
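As an added illustration of the console/VTY check in Table 6-22 and Table 6-25 (example code, not from the case study), the following Python script parses a show running-config capture and reports when the console and VTY lines resolve to different authentication method lists, or reference a list that is not defined. The configuration fragments are constructed, not captured from the case study routers.

```python
import re
from typing import Dict, List

# Constructed running-config fragments (not captured from the case study routers).
# In the first, the console uses the default list (local) while the VTYs use
# 'listname' (group tacacs+): the mismatch described in Tables 6-22 and 6-25.
CONFIG_MISMATCHED = """\
aaa new-model
aaa authentication login default local
aaa authentication login listname group tacacs+
!
line con 0
 login authentication default
line vty 0 4
 login authentication listname
"""

# Corrected form: both line types reference the same list.
CONFIG_CONSISTENT = """\
aaa new-model
aaa authentication login listname group tacacs+
!
line con 0
 login authentication listname
line vty 0 4
 login authentication listname
"""


def parse_login_lists(config: str) -> Dict[str, str]:
    """Map each 'aaa authentication login <name> <methods>' line to its method string."""
    lists: Dict[str, str] = {}
    for line in config.splitlines():
        m = re.match(r"\s*aaa authentication login (\S+) (.+?)\s*$", line)
        if m:
            lists[m.group(1)] = m.group(2)
    return lists


def parse_line_auth(config: str) -> Dict[str, str]:
    """Map each 'line con/vty/aux/tty ...' block to the login list it references.

    A block with no 'login authentication' command is recorded as using the
    'default' list; if no default list is defined the checker reports that
    rather than guessing what IOS does implicitly.
    """
    lines: Dict[str, str] = {}
    current = None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"line (con|vty|aux|tty) (.+)$", text)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            lines[current] = "default"
            continue
        m = re.match(r"login authentication (\S+)$", text)
        if m and current is not None:
            lines[current] = m.group(1)
    return lines


def check_console_vty(config: str) -> List[str]:
    """Return findings; an empty list means console and VTY use the same method.

    Two kinds of finding: a line that references an undefined list, and a
    console/VTY pair whose lists resolve to different authentication methods.
    """
    findings: List[str] = []
    lists = parse_login_lists(config)
    lines = parse_line_auth(config)
    for line_id, list_name in lines.items():
        if list_name not in lists:
            findings.append(f"{line_id}: login list '{list_name}' is not defined")
    consoles = {k: v for k, v in lines.items() if k.startswith("con ")}
    vtys = {k: v for k, v in lines.items() if k.startswith("vty ")}
    for con_id, con_list in consoles.items():
        for vty_id, vty_list in vtys.items():
            if lists.get(con_list) != lists.get(vty_list):
                findings.append(
                    f"{con_id} authenticates with '{con_list}' ({lists.get(con_list)}) "
                    f"but {vty_id} uses '{vty_list}' ({lists.get(vty_list)})"
                )
    return findings


if __name__ == "__main__":
    for name, cfg in (("mismatched", CONFIG_MISMATCHED), ("consistent", CONFIG_CONSISTENT)):
        print(name, check_console_vty(cfg) or ["OK"])
```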

6.3.7 Troubleshooting Router-Based Local Authorization


The following symptoms are addressed in separate tables in this section:
• User Fails Router Command
• User Disconnected After Entering a Password
• Users Access Incorrect Privilege Level Commands
• Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected”


Table 6-26 User Fails Router Command

Problem: AAA configuration error.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in router to determine method of authorization and failure:
   <router>#debug aaa authorization
2. To verify AAA is configured correctly in router, enter:
   <router>#show running-config
   Example: If aaa authorization commands is used, ensure method specified is local.

Problem: User profile lacks appropriate privilege level to perform command.
Suggested Diagnostic Steps:
To review privilege configuration in router, enter:
   <router>#show running-config
Example: Cisco IOS command aaa authorization commands 15 default local is used, but user does not have a corresponding privilege level assigned.

Problem: User profile lacks appropriate enable level to perform command.
Suggested Diagnostic Steps:
To review enable privilege level configuration in router, enter:
   <router>#show running-config
Example of relevant Cisco IOS commands:
   aaa authentication enable default local
   enable 15 secret
   enable 10 secret2
In this example, users at enable level 10 cannot perform privilege level 15 commands.

Table 6-27 User Disconnected After Entering a Password

Problem: Authorization failed service. Looks like an authentication problem, but is an authorization failure.
Suggested Diagnostic Steps:
To review AAA configuration, enter:
   <router>#show running-config
If aaa authorization exec command specifies method other than local, user fails shell access. For example, aaa authorization exec default tacacs+ results in local user failing authorization.


Table 6-28 Users Access Incorrect Privilege Level Commands

Problem: AAA behavior incorrectly configured.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in router to determine level of command authorization:
   <router>#debug aaa authorization
2. To review AAA configuration in router, enter:
   <router>#show running-config
3. Verify AAA configured properly in router. For example:
   aaa authorization commands 15 default local

Table 6-29 Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected”

Problem: The autocommand ppp negotiate command assigned to user.
Suggested Diagnostic Steps:
1. To verify the configuration in the router, enter:
   <router>#show running-config
   Look for autocommand ppp negotiate command assigned to user.
2. Delete autocommand ppp negotiate if appropriate.

6.3.8 Troubleshooting Router-Based Server Authorization


The following symptoms are addressed in separate tables in this section:
• User Fails Router Command
• User Disconnected After Entering Password
• Users Access Incorrect Privilege Level Commands
• Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected”
• Router User Unable to Initiate Shell Session with Router
• AVPs Not Working on Console Port


Table 6-30 User Fails Router Command

Problem: AAA configuration error.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in router to determine method of authorization and failure:
   <router>#debug aaa authorization
2. To review AAA configuration in router, enter:
   <router>#show running-config
   Example: If aaa authorization commands is used, ensure method specified is tacacs+.

Problem: User profile lacks appropriate privilege level to perform command.
Suggested Diagnostic Steps:
To view user profile for appropriate priv-lvl=x AVP, enter:
   <CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username

Problem: User profile lacks appropriate enable privilege level to perform command.
Suggested Diagnostic Steps:
To view user profile for appropriate enable privilege level, enter:
   <CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username
For example:
   privilege = des "********" 15

Table 6-31 User Disconnected After Entering Password

Problem: Authorization failed service.
Suggested Diagnostic Steps:
To review AAA configuration, enter:
   <router>#show running-config
If aaa authorization exec command specifies method other than TACACS+, user fails shell access. For example, aaa authorization exec default local results in TACACS+ user failing authorization.


Table 6-32 Users Access Incorrect Privilege Level Commands

Problem: AAA behavior incorrectly configured.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in router to determine level of command authorization:
   <router>#debug aaa authorization
2. To verify AAA is configured correctly in router, enter:
   <router>#show running-config
   Example of relevant Cisco IOS command:
   aaa authorization commands 15 default group tacacs+

Problem: User profile configured incorrectly.
Suggested Diagnostic Steps:
To view user profile for appropriate priv-lvl=x AVP, enter:
   <CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username

Table 6-33 Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected”

Problem: The autocommand ppp negotiate AVP assigned to user.
Suggested Diagnostic Steps:
1. To view user profile for inclusion of autocommand ppp negotiate AVP assigned to user, enter:
   <CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username
2. Delete autocommand ppp negotiate if appropriate.

Table 6-34 Router User Unable to Initiate Shell Session with Router

Problem: Lack of service=shell AVP; user sees “Authorization failed service” error message.
Suggested Diagnostic Steps:
To view user profile for inclusion of service=shell AVP, enter:
   <CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username

Table 6-35 AVPs Not Working on Console Port

Problem: Feature is not supported on console ports.
Suggested Diagnostic Steps: None. Feature not supported.


6.4 Troubleshooting Scenarios


The following example troubleshooting scenarios elaborate the process of diagnosing, correcting, and
testing several problems addressed in “6.3 AAA Troubleshooting Basics”:
• 6.4.1 Isolating Incorrect TACACS+ Key in NAS or AAA Server (TACACS+ Dial-Based Server Authentication)
• 6.4.2 Isolating Invalid User Password (TACACS+ Dial-Based Server Authentication)
• 6.4.3 Isolating Non-Existent User (TACACS+ Dial-Based Server Authentication)
• 6.4.4 Isolating Missing PPP Service Definition (TACACS+ Dial-Based Server Authorization)
• 6.4.5 Isolating Defined AVPs not Being Assigned (TACACS+ Dial-Based Server Authorization)
• 6.4.6 Isolating Missing Shell Service Definition (TACACS+ Dial-Based Server Authorization)
• 6.4.7 Isolating Incorrect PPP Reply Attributes (RADIUS Dial-Based Server Authorization)

6.4.1 Isolating Incorrect TACACS+ Key in NAS or AAA Server (TACACS+ Dial-Based Server Authentication)
This scenario focuses on a server-authentication failure for a dial-based connection and provides a
statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics
include output from relevant debug commands and other troubleshooting tools. See Table 6-4 for
additional related problems.

Symptom Multiple user failure; all dial-in users unable to connect to NAS. See Table 6-4.

Possible Cause TACACS+ key incorrect in NAS or AAA server. See Table 6-4.

Action Complete troubleshooting steps to isolate and resolve this possible cause.

Step 1 Gather general debug command information from the NAS. The following output is from a debug aaa
authentication command executed on a NAS. The last line of this debug output shows the failure
expressed for user dial_tac.
088189: Jan 27 18:37:22.972 CST: AAA/MEMORY: create_user (0x61D7A2E0) user='' ruser='' port='tty51' rem_addr='172.22.2.3' authen_type=ASCII service=LOGIN priv=1
088190: Jan 27 18:37:22.976 CST: AAA/AUTHEN/START (953379418): port='tty51' list= =3035625154
088203: Jan 27 18:37:26.216 CST: TAC+: ver=192 id=3035625154 received AUTHEN status = GETPASS
088204: Jan 27 18:37:26.216 CST: AAA/AUTHEN (3035625154): status = GETPASS
088205: Jan 27 18:37:30.337 CST: AAA/AUTHEN/CONT (3035625154): continue_login (user='dial_tac')
088206: Jan 27 18:37:30.337 CST: AAA/AUTHEN (3035625154): status = GETPASS
088207: Jan 27 18:37:30.337 CST: AAA/AUTHEN (3035625154): Method=ADMIN (tacacs+)
088208: Jan 27 18:37:30.337 CST: TAC+: send AUTHEN/CONT packet id=3035625154
088209: Jan 27 18:37:30.637 CST: TAC+: ver=192 id=3035625154 received AUTHEN status = FAIL

Step 2 Enter the following command to assess warnings and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog


The AAA server log file reports the following warning when no key is specified (indicating that there
is no encryption key):
Jan 27 18:35:17 coachella CiscoSecure: WARNING - Insecure configuration: No encryption key for NAS <default>

Step 3 Review NAS configurations for shared secret configuration. To obtain the NAS configuration, enter:
<NAS>#show running-config

The following configuration fragment specifies the TACACS+ server and key. In this case, the key is
bobbit.
tacacs-server host 172.22.53.201 key bobbit

Review the AAA server configuration for the corresponding server shared secret configuration. View
the CSU.cfg file with vi (or a similar tool):
<CSUserver>$vi /opt/ciscosecure/config/CSU.cfg

Find the key configuration in the CSU.cfg AAA server configuration file and review it for the NAS
specification. In this example, this configuration is missing.
NAS config_nas_config =
{
    {
        "172.22.53.201",
        "",

If the key is properly configured, it appears between the quotation marks following the IP address
specification. In this case, the key is missing. Because it is not specified in the AAA server
configuration file, users’ access is blocked.
Step 4 Update key specifications and restart the AAA server. Verify successful dialup operation.
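The comparison carried out by hand in Steps 3 and 4 above, as an added Python example (not the case study's own tooling): it reads the NAS running-config for the key used toward a given TACACS+ server and the CSU.cfg NAS table for the key the server expects from that NAS, and reports an empty or differing key. Both fragments are constructed; the CSU.cfg layout is assumed to be as in the fragment quoted above, with each inner { } holding the NAS address (or <default>) as its first quoted string and the shared secret as its second.

```python
import re
from typing import Dict, Optional

# Constructed fragments patterned on the case study (not captured from its systems).
# NAS side: 'show running-config' names the TACACS+ server and the per-host key.
NAS_CONFIG = """\
aaa new-model
tacacs-server host 172.22.53.201 key bobbit
"""

# AAA server side: the CSU.cfg NAS table. Assumed layout: each inner { } carries
# the NAS address (or <default>) as its first quoted string and the shared secret
# as its second. Here the entry for the NAS has an empty key, as in 6.4.1.
CSU_CFG_MISSING_KEY = """\
NAS config_nas_config =
{
    {
        "172.22.63.1",
        "",
        ""
    },
    {
        "<default>",
        "",
        ""
    }
};
"""

# Same table after Step 4: the NAS entry now carries the key the NAS uses.
CSU_CFG_FIXED = """\
NAS config_nas_config =
{
    {
        "172.22.63.1",
        "bobbit",
        ""
    },
    {
        "<default>",
        "",
        ""
    }
};
"""


def nas_key_for_server(nas_config: str, server_ip: str) -> Optional[str]:
    """Key the NAS will use toward server_ip: the per-host 'key' if present,
    otherwise the global 'tacacs-server key'. None if the server is not configured.
    A key shown as 'key 7 <hash>' is obfuscated in running-config and cannot be
    compared; this parser returns the literal token that follows 'key'."""
    global_key = None
    host_key = None
    seen = False
    for raw in nas_config.splitlines():
        text = raw.strip()
        m = re.match(r"tacacs-server key (\S+)$", text)
        if m:
            global_key = m.group(1)
            continue
        m = re.match(r"tacacs-server host (\S+)(?:\s+(?:.*?\s+)?key (\S+))?$", text)
        if m and m.group(1) == server_ip:
            seen = True
            host_key = m.group(2)
    if not seen:
        return None
    return host_key if host_key is not None else global_key


def csu_nas_keys(csu_cfg: str) -> Dict[str, str]:
    """Map NAS address -> shared secret from the 'NAS config_nas_config' block."""
    m = re.search(r"NAS\s+config_nas_config\s*=\s*\{(.*)", csu_cfg, re.S)
    if not m:
        return {}
    keys: Dict[str, str] = {}
    for entry in re.finditer(r"\{([^{}]*)\}", m.group(1)):
        strings = re.findall(r'"([^"]*)"', entry.group(1))
        if len(strings) >= 2:
            keys[strings[0]] = strings[1]
    return keys


def check_shared_secret(nas_ip: str, nas_config: str,
                        server_ip: str, csu_cfg: str) -> Optional[str]:
    """Return a finding, or None when both sides hold the same non-empty key.
    Key values are never included in the finding text."""
    nas_key = nas_key_for_server(nas_config, server_ip)
    if nas_key is None:
        return f"NAS has no tacacs-server host entry for {server_ip}"
    table = csu_nas_keys(csu_cfg)
    entry = nas_ip if nas_ip in table else "<default>"
    server_key = table.get(entry)
    if server_key is None:
        return f"CSU.cfg has no entry for NAS {nas_ip} and no <default> entry"
    if server_key == "":
        return (f"CSU.cfg entry '{entry}' has an empty key "
                f"(server logs 'No encryption key for NAS {entry}')")
    if server_key != nas_key:
        return f"key mismatch between NAS {nas_ip} and CSU.cfg entry '{entry}'"
    return None


if __name__ == "__main__":
    for label, cfg in (("before", CSU_CFG_MISSING_KEY), ("after", CSU_CFG_FIXED)):
        print(label, check_shared_secret("172.22.63.1", NAS_CONFIG, "172.22.53.201", cfg) or "OK")
```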

6.4.2 Isolating Invalid User Password (TACACS+ Dial-Based Server Authentication)
This scenario focuses on a server-authentication failure for a dial-based connection and provides a
statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics
include output from relevant debug commands and other troubleshooting tools. See Table 6-3 for
additional related problems.

Symptom Single user failure; individual dial-in user unable to connect to NAS. See Table 6-3.

Possible Cause User enters invalid password. See Table 6-3.

Action Complete troubleshooting steps to isolate and resolve this possible cause.

Step 1 Gather general debug command information from the NAS. The following output is from a debug aaa
authentication command executed on a NAS. This command results in a stream of diagnostic output.


The last line in the following output shows the AAA authentication request sent to AAA server for user
dial_tac:
092852: Jan 27 22:19:06.713 CST: AAA/AUTHEN (543609479): status = GETPASS
092853: Jan 27 22:19:07.985 CST: AAA/AUTHEN/CONT (543609479): continue_login (user='dial_tac')

The NAS receives FAIL from AAA server for user:
092854: Jan 27 22:19:07.985 CST: AAA/AUTHEN (543609479): status = GETPASS
092855: Jan 27 22:19:07.985 CST: AAA/AUTHEN (543609479): Method=ADMIN (tacacs+)
092856: Jan 27 22:19:07.985 CST: TAC+: send AUTHEN/CONT packet id=543609479
092857: Jan 27 22:19:08.185 CST: TAC+: ver=192 id=543609479 received AUTHEN status = FAIL
092858: Jan 27 22:19:08.185 CST: AAA/AUTHEN (543609479): status = FAIL

The user session is torn down and AAA process is freed:
092859: Jan 27 22:19:10.185 CST: AAA/MEMORY: free_user (0x61D87A70) user='dial_tac' ruser='' port='tty51' rem_addr='172.22.2.3' authen_type=ASCII service=LOGIN priv=1

Step 2 Enter the tail command to assess warning and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog

In this case, the AAA server log reports an incorrect password for user dial_tac:
Jan 27 22:19:08 coachella CiscoSecure: NOTICE - Authentication - Incorrect password; [NAS = 172.22.63.1, Port = tty51, User = dial_tac, Service = 1, Priv = 1]
Jan 27 22:19:08 coachella CiscoSecure: INFO - Profile: user = dial_tac {
Jan 27 22:19:08 coachella set server current-failed-logins = 1

Note Following the failure, the current-failed-login counter increments. This counter is described in Table 6-3.

Step 3 If the user does not exist in the database (but should), create a new user, or provide feedback if password
or login were entered incorrectly by the user.

6.4.3 Isolating Non-Existent User (TACACS+ Dial-Based Server Authentication)


This scenario focuses on a server-authentication failure for a dial-based connection and provides a
statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics
include output from relevant debug commands and other troubleshooting tools. See Table 6-3 for
additional related problems.

Symptom Single user failure; individual dial-in user unable to connect to NAS. See Table 6-3.

Possible Cause User does not exist in the database. See Table 6-3.

Action Complete troubleshooting steps to isolate and resolve this possible cause.

Step 1 Gather general debug command information from the NAS. The following output is from a debug aaa
authentication command executed on a NAS.


The following output fragment shows the AAA process starting on NAS.
092794: Jan 27 22:15:39.132 CST: AAA/MEMORY: create_user (0x61D87A70) user='' ruser='' port='tty51' rem_addr='172.22.2.3' authen_type=ASCII service=LOGIN priv=1
092795: Jan 27 22:15:39.132 CST: AAA/AUTHEN/START (3576082779): port='tty51' list='INSIDE' action=LOGIN service=LOGIN

GETPASS is sent to AAA server for verification for user dial_test:
092806: Jan 27 22:15:41.132 CST: AAA/AUTHEN/START (3285027777): Method=ADMIN (tacacs+)
092807: Jan 27 22:15:41.132 CST: TAC+: send AUTHEN/START packet ver=192 id=3285027777
092808: Jan 27 22:15:41.936 CST: TAC+: ver=192 id=3285027777 received AUTHEN status = GETPASS
092809: Jan 27 22:15:41.936 CST: AAA/AUTHEN (3285027777): status = GETPASS
092810: Jan 27 22:15:43.340 CST: AAA/AUTHEN/CONT (3285027777): continue_login (user='dial_test')
092811: Jan 27 22:15:43.340 CST: AAA/AUTHEN (3285027777): status = GETPASS
092812: Jan 27 22:15:43.340 CST: AAA/AUTHEN (3285027777): Method=ADMIN (tacacs+)

The NAS then receives the authentication FAIL message from the AAA server:
092813: Jan 27 22:15:43.340 CST: TAC+: send AUTHEN/CONT packet id=3285027777
092814: Jan 27 22:15:43.540 CST: TAC+: ver=192 id=3285027777 received AUTHEN status = FAIL
092815: Jan 27 22:15:43.540 CST: AAA/AUTHEN (3285027777): status = FAIL

The session is torn down and AAA process is freed:
092816: Jan 27 22:15:45.540 CST: AAA/MEMORY: free_user (0x61D87A70) user='dial_test' ruser='' port='tty51' rem_addr='172.22.2.3' authen_type=ASCII service=LOGIN priv=1
092817: Jan 27 22:15:45.540 CST: AAA: parse name=tty51 idb type=-1 tty=-1
092818: Jan 27 22:15:45.540 CST: AAA: name=tty51 flags=0x11 type=5 shelf=0 slot

Step 2 Enter the following command to assess warning and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog

AAA server log file shows that the AAA server did not find user dial_test in cache (profile caching is enabled):
Jan 27 22:15:41 coachella CiscoSecure: DEBUG - Profile USER = dial_test not found in cache.

The AAA server log file also shows that AAA server did not find user in the database; next, the AAA server conducts a search for the unknown_user account:
Jan 27 22:15:41 coachella CiscoSecure: WARNING - User dial_test not found, using unknown_user

AAA server finally again reports user not found after exhausting its search:
Jan 27 22:15:41 coachella CiscoSecure: DEBUG - Password:
Jan 27 22:15:43 coachella CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (c3cd8bc1)
Jan 27 22:15:43 coachella CiscoSecure: DEBUG - Authentication - User not found; [NAS = 172.22.63.1, Port = tty51, User = dial_test, Service = 1]

Step 3 Enter the following command to view a user profile in the database:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u dial_test
Error: Unable to find profile
RC = 3


Step 4 If the user does not exist in the database (but should), create a new user, or provide feedback if password
or login were entered incorrectly by the user.

6.4.4 Isolating Missing PPP Service Definition (TACACS+ Dial-Based Server Authorization)
This scenario focuses on a server-authorization failure for a dial-based connection and provides a
statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics
include output from relevant debug commands and other troubleshooting tools. See Table 6-9 for
additional related problems.

Symptom Multiple users cannot start PPP. See Table 6-9.

Possible Cause Group does not have service=ppp AVP assigned. See Table 6-9.

Action Complete troubleshooting steps to isolate and resolve this possible cause.

Step 1 Gather general debug command information from the NAS. The following output is from a debug aaa
authentication command executed on a NAS. The following output fragment shows the PPP service
authorization request being initiated for user dial_tac and then denied by the AAA server:
111802: Feb 3 20:48:53.015 CST: As2 AAA/AUTHOR/LCP (153050196): send AV service=ppp
111803: Feb 3 20:48:53.015 CST: As2 AAA/AUTHOR/LCP (153050196): send AV protocol=lcp
111804: Feb 3 20:48:53.015 CST: As2 AAA/AUTHOR/LCP (153050196): found list "default"
111805: Feb 3 20:48:53.015 CST: As2 AAA/AUTHOR/LCP (153050196): Method=tacacs+(tacacs+)
111806: Feb 3 20:48:53.015 CST: AAA/AUTHOR/TAC+: (153050196): user=dial_tac
111807: Feb 3 20:48:53.015 CST: AAA/AUTHOR/TAC+: (153050196): send AV service=ppp
111808: Feb 3 20:48:53.015 CST: AAA/AUTHOR/TAC+: (153050196): send AV protocol=lcp
111809: Feb 3 20:48:53.219 CST: As2 AAA/AUTHOR (153050196): Post authorization status = FAIL
111810: Feb 3 20:48:53.219 CST: As2 AAA/AUTHOR/LCP: Denied

Step 2 Enter the following command to assess warning and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog

AAA server log file shows that the AAA server successfully authenticated the user, but that the PPP
service request was denied due to an authorization failure:
Feb 3 20:48:58 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.63.1, Port = Async2, User = dial_tac, Priv = 1]
Feb 3 20:48:58 coachella CiscoSecure: DEBUG - AUTHORIZATION request (468d69de)
Feb 3 20:48:58 coachella CiscoSecure: DEBUG - Authorization - Failed service; [NAS = 172.22.63.1, user = dial_tac, port = Async2, input: service=ppp protocol=lcp output: ]

Step 3 Add service=ppp and related AVPs protocol=ip and protocol=lcp.


6.4.5 Isolating Defined AVPs not Being Assigned (TACACS+ Dial-Based Server Authorization)
This scenario focuses on a server-authorization failure for a dial-based connection and provides a
statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics
include output from relevant debug commands and other troubleshooting tools. See Table 6-10 for
additional related problems.

Symptom Network authorization fails. See Table 6-10.

Possible Cause AVPs not assigned. See Table 6-10.

Action Complete troubleshooting steps to isolate and resolve this possible cause.

Step 1 Review the group profile. In this case, the group profile shows inacl=110 is assigned to the
aaa_test_group profile:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g aaa_test_group
Group Profile Information
group = aaa_test_group{
    profile_id = 64
    profile_cycle = 7
    service=ppp {
        protocol=ip {
            inacl=110
        }
        protocol=lcp {
        }
    }
}
Step 2 Gather general debug command information from the NAS. The following output is from a debug aaa
authentication command executed on a NAS. The following output fragment shows that no AAA
authorization for service=net is taking place:
112037: Feb 3 21:18:04.994 CST: AAA/MEMORY: create_user (0x61DF0AE8) user='dial_tac' ruser='' port='Async5' rem_addr='async/81560' authen_type=PAP service=PPP priv=1

Step 3 Enter the following command to assess warning and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog

The following log file fragment confirms that access is permitted with no AAA authentication.
Feb 3 21:18:05 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.63.1, Port = Async5, User = dial_tac, Priv = 1]
Feb 3 21:18:05 coachella CiscoSecure: INFO - Profile: user = dial_tac {
Feb 3 21:18:05 coachella set server current-failed-logins = 0
Feb 3 21:18:05 coachella profile_cycle = 12
Feb 3 21:18:05 coachella }

Step 4 Add aaa authorization network default group tacacs+ global command to the NAS configuration.


6.4.6 Isolating Missing Shell Service Definition (TACACS+ Dial-Based Server Authorization)
This scenario focuses on a server-authorization failure for a dial-based connection and provides a
statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics
include output from relevant debug commands and other troubleshooting tools. See Table 6-16 for
additional related problems.

Symptom No EXEC shell (terminal window after dial). See Table 6-16.

Possible Cause User or group does not have service=shell AVP assigned. See Table 6-16.

Action Complete troubleshooting steps to isolate and resolve this possible cause.

Step 1 Gather general debug command information from the NAS. The following output is from a debug aaa
authentication command executed on a NAS. The following output fragment shows the request sent to
AAA server to start service=shell:
092730: Jan 27 21:57:41.355 CST: tty52 AAA/AUTHOR/EXEC (3818889333): Port='tty52' list='INSIDE' service=EXEC
092738: Jan 27 21:57:41.355 CST: tty52 AAA/AUTHOR/EXEC (3818889333): Method=ADMIN (tacacs+)
092739: Jan 27 21:57:41.355 CST: AAA/AUTHOR/TAC+: (3818889333): user=dial_tac
092740: Jan 27 21:57:41.355 CST: AAA/AUTHOR/TAC+: (3818889333): send AV service=shell

The following output fragments illustrate notification of the failure from AAA server for service=shell:
092741: Jan 27 21:57:41.355 CST: AAA/AUTHOR/TAC+: (3818889333): send AV cmd*
092742: Jan 27 21:57:41.559 CST: AAA/AUTHOR (3818889333): Post authorization status = FAIL

The following fragment illustrates the Authorization FAILED message being detected by the debug aaa
authorization process:
092743: Jan 27 21:57:41.559 CST: AAA/AUTHOR/EXEC: Authorization FAILED
092744: Jan 27 21:57:43.559 CST: AAA/MEMORY: free_user (0x61D87A70) user='dial_tac' ruser='' port='tty52' rem_addr='172.22.2.3' authen_type=ASCII service=LOGIN priv=1

Step 2 Enter the following command to assess warning and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog

In this case, the authentication succeeds for user dial_tac, as illustrated in the following csuslog file
fragment:
Jan 27 21:57:40 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.63.1, Port = tty52, User = dial_tac, Priv = 1]

However, the csuslog file also shows that the authorization failed service for user dial_tac because the
service=shell AVP is not assigned:
Jan 27 21:57:40 coachella CiscoSecure: DEBUG -
Jan 27 21:57:41 coachella CiscoSecure: DEBUG - AUTHORIZATION request (e39fa075)
Jan 27 21:57:41 coachella CiscoSecure: DEBUG - Authorization - Failed service; [NAS = 172.22.63.1, user = dial_tac, port = tty52, input: service=shell cmd* output: ]

Cisco AAA Implementation Case Study


6-35
Chapter 6 Diagnosing and Troubleshooting AAA Operations
6.4 Troubleshooting Scenarios

Step 3 Enter the following command to review the user profile. This profile shows that the AVP service=shell
is not assigned to user dial_tac:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u dial_tac
User Profile Information
user = dial_tac{
profile_id = 63
profile_cycle = 4
member = aaa_test_group
password = des "********"
password = pap "********"
}
Step 4 Assign the service=shell AVP to user dial_tac (or to the aaa_test_group group the user is a member of) and retry the login.

6.4.7 Isolating Incorrect PPP Reply Attributes (RADIUS Dial-Based Server Authorization)

This scenario focuses on a server-authorization failure for a dial-based connection using the RADIUS protocol. It states a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics include output from relevant debug commands and other troubleshooting tools. See Table 6-9 for additional related problems.

Symptom PPP session is not established. See Table 6-9.

Possible Cause User or group does not have correct PPP reply attributes. See Table 6-9.

Action Complete troubleshooting steps to isolate and resolve this possible cause.

Step 1 Gather general debug command information from the NAS. The following output is from the debug aaa authorization command executed on the NAS. The fragment shows the Authorization FAILED message, the user structure being freed, and the ISDN call being torn down:
*Apr 5 23:12:28.228: AAA/AUTHOR/EXEC: Authorization FAILED
*Apr 5 23:12:30.228: AAA/MEMORY: free_user (0x612311BC) user='rad_dial' ruser='' port='tty4' rem_addr='408/3241933' authen_type=ASCII service=LOGIN priv=1
*Apr 5 23:12:30.936: %ISDN-6-DISCONNECT: Interface Serial0:0 disconnected from unknown, call lasted 61 seconds
*Apr 5 23:12:30.980: %LINK-3-UPDOWN: Interface Serial0:0, changed state to down

Step 2 Enter the tail command to assess the warnings and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog

In this case, the csuslog file records only the server servicing the RADIUS request from the NAS; it logs no authorization failure of its own, so the cause has to be found in the reply attributes the profile returns, which Step 3 reviews:
Apr 6 15:14:03 sleddog CiscoSecure: INFO - RADIUS: Servicing requests from NAS (172.23.84.35), sending host <172.23.84.35>


Step 3 Enter the following command to view a user profile in the database:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rad_dial

User Profile Information
user = rad_dial{
profile_id = 23
set server current-failed-logins = 0
profile_cycle = 4
password = pap "********"
radius=Cisco {
reply_attributes= {
7=1
9,1="ip:inacl=110"
}
}
}

Note In this profile, the missing reply attribute is 6=2, that is Service-Type=Framed (RADIUS attribute 6, value 2). Framed-Protocol=PPP (7=1) is already present.

Step 4 Add the RADIUS AVP Service-Type=Framed (entered as 6=2 in AddProfile command input) to the user or group profile and retry the call.
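The two scenarios above follow the same pattern: read the authorization result on the NAS, find the matching record on the CiscoSecure server, then inspect the profile for the attribute that is missing. The following script is an added example that does those three steps mechanically; it is not code from the guide or from CiscoSecure. The debug lines, csuslog lines and ViewProfile output it carries are constructed from the fragments printed in the TACACS+ service=shell scenario and in scenario 6.4.7, and its regular expressions assume exactly those message formats.

```python
"""Correlate NAS 'debug aaa authorization' output with CiscoSecure csuslog
entries, then check a RADIUS profile for the reply attributes PPP needs.

Added example for the two scenarios above; not code from the guide or from
CiscoSecure. The log lines and profile below are constructed from the
fragments printed in the scenarios, and the regular expressions assume
exactly those message formats.
"""
import re

# Constructed sample: the TACACS+ service=shell failure for dial_tac.
NAS_DEBUG = """\
092730: Jan 27 21:57:41.355 CST: tty52 AAA/AUTHOR/EXEC (3818889333): Port='tty52' list='INSIDE' service=EXEC
092738: Jan 27 21:57:41.355 CST: tty52 AAA/AUTHOR/EXEC (3818889333): Method=ADMIN (tacacs+)
092739: Jan 27 21:57:41.355 CST: AAA/AUTHOR/TAC+: (3818889333): user=dial_tac
092740: Jan 27 21:57:41.355 CST: AAA/AUTHOR/TAC+: (3818889333): send AV service=shell
092741: Jan 27 21:57:41.355 CST: AAA/AUTHOR/TAC+: (3818889333): send AV cmd*
092742: Jan 27 21:57:41.559 CST: AAA/AUTHOR (3818889333): Post authorization status = FAIL
"""
CSUSLOG = """\
Jan 27 21:57:40 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.63.1, Port = tty52, User = dial_tac, Priv = 1]
Jan 27 21:57:41 coachella CiscoSecure: DEBUG - AUTHORIZATION request (e39fa075)
Jan 27 21:57:41 coachella CiscoSecure: DEBUG - Authorization - Failed service; [NAS = 172.22.63.1, user = dial_tac, port = tty52, input: service=shell cmd* output: ]
"""
# Constructed sample: the ViewProfile output for rad_dial in scenario 6.4.7.
RAD_DIAL_PROFILE = """\
user = rad_dial{
password = pap "********"
radius=Cisco {
reply_attributes= {
7=1
9,1="ip:inacl=110"
}
}
}
"""

NAS_LINE = re.compile(r"AAA/AUTHOR(?:/[\w+]+)?:?\s+\((\d+)\):\s*(.*)")
SERVER_FAIL = re.compile(r"Authorization - Failed service; \[NAS = ([\d.]+), "
                         r"user = (\S+), port = (\S+), input: (.*?) output: (.*?)\]")
# RFC 2865 attribute numbers; "9,1" is CiscoSecure's notation for the Cisco
# vendor-specific cisco-avpair (vendor 9, sub-attribute 1).
RADIUS_NAME = {"6": "Service-Type", "7": "Framed-Protocol", "9,1": "cisco-avpair"}
PPP_REQUIRED = {"6": ("2", "Framed"), "7": ("1", "PPP")}  # number: (value, name)


def parse_nas_debug(text):
    """Group the NAS debug lines by session id: user, method, AVs sent, result."""
    sessions = {}
    for line in text.splitlines():
        if not (m := NAS_LINE.search(line)):
            continue
        sid, body = m.groups()
        s = sessions.setdefault(sid, {"user": None, "method": None, "avs": [], "status": None})
        for key, pat in (("user", r"\buser=(\S+)"), ("method", r"Method=(\S+)"),
                         ("status", r"status = (\w+)")):
            if (hit := re.search(pat, body)):
                s[key] = hit.group(1)
        if (av := re.search(r"send AV (\S+)", body)):
            s["avs"].append(av.group(1))
    return sessions


def parse_csuslog(text):
    """Extract the server's 'Failed service' records: AVs received and AVs returned."""
    records = []
    for line in text.splitlines():
        if (m := SERVER_FAIL.search(line)):
            nas, user, port, received, returned = m.groups()
            records.append({"nas": nas, "user": user, "port": port,
                            "input": received.split(), "output": returned.split()})
    return records


def diagnose(sessions, failures):
    """Pair each failed NAS session with the server record for the same user."""
    findings = []
    for sid, s in sessions.items():
        if s["status"] != "FAIL":
            continue
        matches = [f for f in failures if f["user"] == s["user"]]
        if not matches:
            findings.append(f"session {sid} user={s['user']}: NAS reports FAIL but this server "
                            "logged no failure; confirm the request reached this server")
        for f in matches:
            service = " ".join(av for av in f["input"] if av.startswith("service="))
            if not f["output"]:
                findings.append(f"session {sid} user={f['user']} port={f['port']}: server returned "
                                f"no attributes for {service}; assign {service} in the user or group profile")
            else:
                findings.append(f"session {sid} user={f['user']}: server returned {f['output']}; "
                                f"compare with what the NAS sent: {s['avs']}")
    return findings


def parse_reply_attributes(profile_text):
    """Pull number=value pairs out of a ViewProfile reply_attributes block."""
    attrs, inside = {}, False
    for line in profile_text.splitlines():
        line = line.strip()
        if line.startswith("reply_attributes"):
            inside = True
        elif inside and line == "}":
            break
        elif inside and (m := re.match(r"(\d+(?:,\d+)?)=(.*)", line)):
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs


def check_ppp_reply_attributes(attrs):
    """List the PPP reply attributes a profile lacks, in the guide's number=value form."""
    return [f"{RADIUS_NAME[n]}={name} ({n}={v})"
            for n, (v, name) in PPP_REQUIRED.items() if attrs.get(n) != v]


if __name__ == "__main__":
    for finding in diagnose(parse_nas_debug(NAS_DEBUG), parse_csuslog(CSUSLOG)):
        print(finding)
    print("rad_dial lacks:", check_ppp_reply_attributes(parse_reply_attributes(RAD_DIAL_PROFILE)))
```

Run against the constructed samples, diagnose reports that the server returned no attributes for service=shell in session 3818889333, and check_ppp_reply_attributes reports that rad_dial lacks Service-Type=Framed (6=2), the same conclusions the two scenarios reach by hand. The correlation key is the user name because the NAS session id and the server's request id (e39fa075) are unrelated numbers; on a busy server you would also narrow by port and timestamp.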

Appendix A
AAA Device Configuration Listings

This appendix provides the following configuration listings:


• A.1.1 Example Local-Based Router AAA Configuration
• A.1.2 Example Server-Based TACACS+ NAS Configuration
• A.1.3 Example Server-Based RADIUS NAS Configuration
• A.4.1 CSU.cfg Listing
• A.4.2 CSConfig.ini Listing
• A.4.3 Oracle User Environment Variable
• A.4.4 listener.ora Listing

A.1 Sample Cisco IOS Configuration Listings


The following listings are the complete running configurations of the router and of the NAS used to illustrate AAA implementation in this solution guide. The NAS is listed twice, once in its TACACS+ configuration and once in its RADIUS configuration.

A.1.1 Example Local-Based Router AAA Configuration


The following example of a local-based router configuration includes both dial-in and EXEC shell
access configurations.
maui-rtr-03#show running-config
Building configuration...

Current configuration:
!
! Last configuration change at 09:19:35 CST Thu Apr 13 2000 by brownr
! NVRAM config last updated at 09:14:55 CST Thu Apr 13 2000 by brownr
!
version 12.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname maui-rtr-03
!
no logging console
aaa new-model
aaa authentication login default local enable
aaa authentication login NO_AUTHEN none
aaa authorization exec default local
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default local
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
enable secret 5 xxxxxxxxxxxxxxxxx
!
username admin privilege 15 password 7 xxxxxxxxxxxx
!
!
!
clock timezone cst -6
clock summer-time CST recurring
ip subnet-zero
ip domain-name maui-onions.com
ip name-server x.x.x.x
ip name-server x.x.x.x
!
!
!
!
!
!
!
interface Loopback0
ip address 172.22.255.3 255.255.255.255
no ip directed-broadcast
!
interface ATM1/0
no ip address
no ip directed-broadcast
shutdown
no atm ilmi-keepalive
!
interface Serial2/0
ip address 10.10.10.1 255.255.255.0
no ip directed-broadcast
!

interface Serial2/1
no ip address
no ip directed-broadcast
shutdown
!
interface Serial2/2
no ip address
no ip directed-broadcast
shutdown
!
interface Serial2/3
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet3/0
ip address 172.22.241.3 255.255.255.0
no ip directed-broadcast
ip summary-address eigrp 69 172.22.80.0 255.255.240.0 5
!
interface Ethernet3/1
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet3/2
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet3/3
no ip address
no ip directed-broadcast
shutdown
!
interface FastEthernet4/0
ip address 172.22.80.1 255.255.255.0
no ip directed-broadcast
ip summary-address eigrp 69 172.22.240.0 255.255.240.0 5
half-duplex
!
router eigrp 69
network 172.22.0.0
!
ip default-gateway 172.22.53.1
ip classless
ip http server
ip http authentication aaa
ip tacacs source-interface Loopback0
!
snmp-server engineID local 00000009020000D0BB7F5054
snmp-server community cisco xx
snmp-server community rules xx
snmp-server trap-source Loopback0
snmp-server contact
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps config
snmp-server enable traps envmon
tacacs-server host 172.22.53.201 key biteme
tacacs-server key ciscorules
!
line con 0
authorization commands 15 NO_AUTHOR

authorization exec NO_AUTHOR
accounting commands 15 NO_ACCOUNT
login authentication NO_AUTHEN
transport input none
line aux 0
line vty 0 4
!
ntp clock-period 17179912
ntp source Loopback0
ntp update-calendar
ntp server 172.22.255.1
end

A.1.2 Example Server-Based TACACS+ NAS Configuration


The following example of a server-based NAS configuration includes both dial-in and EXEC shell
access configurations for TACACS+ implementations:
maui-nas-03#show running-config
Building configuration...

Current configuration:

!
version 12.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname maui-nas-03
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default if-needed group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group tacacs+
!
username admin privilege 15 password 7 xxxxxxxxxxxxx
username diallocal access-class 110 password 7 xxxxxxxxxxx
username diallocal autocommand ppp
spe 1/0 1/7
firmware location system:/ucode/mica_port_firmware
spe 2/0 2/7
firmware location system:/ucode/mica_port_firmware
!
!
resource-pool disable
!
!
!
!
!
clock timezone CST -6
clock summer-time CST recurring
ip subnet-zero
no ip domain-lookup
ip domain-name maui-onions.com
ip name-server 172.22.53.210
!
isdn switch-type primary-ni
isdn voice-call-failure 0
partition flash 2 24 8
!
!
!
controller T1 0

framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
clock source line secondary 1
!
controller T1 2
clock source line secondary 2
!
controller T1 3
clock source line secondary 3
!
controller T1 4
clock source line secondary 4
!
controller T1 5
clock source line secondary 5
!
controller T1 6
clock source line secondary 6
!
controller T1 7
clock source line secondary 7
!
!
interface Loopback0
ip address 172.22.87.3 255.255.255.255
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Loopback1
ip address 172.22.83.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Ethernet0
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
!
interface Serial0
no ip address
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial1
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232

!
interface Serial2
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial3
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial0:23
description "PRI D channel"
ip unnumbered Dialer1
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no logging event link-status
timeout absolute 240 0
dialer rotary-group 1
dialer-group 5
no snmp trap link-status
isdn switch-type primary-5ess
isdn incoming-voice modem
no fair-queue
compress stac
no cdp enable
!
interface FastEthernet0
ip address 172.22.80.3 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
!
interface Group-Async1
ip unnumbered Loopback0
no ip directed-broadcast
encapsulation ppp
no ip route-cache
ip tcp header-compression passive
no ip mroute-cache
no logging event link-status
dialer in-band
dialer idle-timeout 900
async mode interactive
no snmp trap link-status
peer default ip address pool default
no fair-queue
no cdp enable
ppp max-bad-auth 3
ppp authentication pap chap
group-range 1 192
!
interface Dialer1

no ip address
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no ip mroute-cache
no logging event link-status
timeout absolute 240 0
dialer in-band
dialer idle-timeout 300 either
dialer-group 5
no snmp trap link-status
peer default ip address pool default
no fair-queue
compress stac
no cdp enable
ppp max-bad-auth 3
ppp multilink
!
router eigrp 69
network 172.22.0.0
!
ip local pool default 172.22.83.2 172.22.83.254
ip default-gateway 172.22.80.1
ip classless
ip tacacs source-interface Loopback0
ip http server
!
access-list 110 deny tcp any any eq telnet
access-list 110 permit tcp any any
tacacs-server host 172.22.53.204
tacacs-server key ciscorules
snmp-server engineID local 0000000902000050546B87BC
snmp-server community xxxxxxxxx RO
snmp-server community xxxxxxxxx RW
radius-server host 172.22.53.204 auth-port 1645 acct-port 1646 key ciscorules
banner login ^CC
Welcome to maui-nas-03
Maui-onions Lab
Learning Rack ISG
^C
!
line con 0
authorization commands 15 NO_AUTHOR
authorization exec NO_AUTHOR
login authentication NO_AUTHEN
transport input none
line 1 192
session-timeout 15
exec-timeout 48 0
autoselect during-login
autoselect ppp
absolute-timeout 240
script dialer cisco_default
refuse-message ^CCCCCCCC!!! All lines are busy, try again later ###^C
modem InOut
modem autoconfigure type mica
transport preferred telnet
transport input all
transport output pad telnet rlogin udptn
line aux 0
line vty 0 4
!
end

A.1.3 Example Server-Based RADIUS NAS Configuration


The following example of a server-based NAS configuration includes both dial-in and EXEC shell
access configurations for RADIUS implementations:
maui-nas-03#show running-config
Building configuration...

Current configuration:

!
version 12.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname maui-nas-03
!
aaa new-model
aaa authentication login default group radius local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default stop-only group radius
aaa accounting network default start-stop group radius
!
username admin privilege 15 password 7 xxxxxxxxxxxxx
username diallocal access-class 110 password 7 xxxxxxxxxxx
username diallocal autocommand ppp
spe 1/0 1/7
firmware location system:/ucode/mica_port_firmware
spe 2/0 2/7
firmware location system:/ucode/mica_port_firmware
!
!
resource-pool disable
!
!
!
!
!
clock timezone CST -6
clock summer-time CST recurring
ip subnet-zero
no ip domain-lookup
ip domain-name maui-onions.com
ip name-server 172.22.53.210
!
isdn switch-type primary-ni
isdn voice-call-failure 0
partition flash 2 24 8
!
!
!
controller T1 0
framing esf
clock source line primary

linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
clock source line secondary 1
!
controller T1 2
clock source line secondary 2
!
controller T1 3
clock source line secondary 3
!
controller T1 4
clock source line secondary 4
!
controller T1 5
clock source line secondary 5
!
controller T1 6
clock source line secondary 6
!
controller T1 7
clock source line secondary 7
!
!
interface Loopback0
ip address 172.22.87.3 255.255.255.255
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Loopback1
ip address 172.22.83.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Ethernet0
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
!
interface Serial0
no ip address
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial1
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial2

no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial3
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial0:23
description "PRI D channel"
ip unnumbered Dialer1
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no logging event link-status
timeout absolute 240 0
dialer rotary-group 1
dialer-group 5
no snmp trap link-status
isdn switch-type primary-5ess
isdn incoming-voice modem
no fair-queue
compress stac
no cdp enable
!
interface FastEthernet0
ip address 172.22.80.3 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
!
interface Group-Async1
ip unnumbered Loopback0
no ip directed-broadcast
encapsulation ppp
no ip route-cache
ip tcp header-compression passive
no ip mroute-cache
no logging event link-status
dialer in-band
dialer idle-timeout 900
async mode interactive
no snmp trap link-status
peer default ip address pool default
no fair-queue
no cdp enable
ppp max-bad-auth 3
ppp authentication pap chap
group-range 1 192
!
interface Dialer1
no ip address
no ip directed-broadcast

encapsulation ppp
no ip route-cache
no ip mroute-cache
no logging event link-status
timeout absolute 240 0
dialer in-band
dialer idle-timeout 300 either
dialer-group 5
no snmp trap link-status
peer default ip address pool default
no fair-queue
compress stac
no cdp enable
ppp max-bad-auth 3
ppp multilink
!
router eigrp 69
network 172.22.0.0
!
ip local pool default 172.22.83.2 172.22.83.254
ip default-gateway 172.22.80.1
ip classless
ip tacacs source-interface Loopback0
ip http server
!
access-list 110 deny tcp any any eq telnet
access-list 110 permit tcp any any
tacacs-server host 172.22.53.204
tacacs-server key ciscorules
snmp-server engineID local 0000000902000050546B87BC
snmp-server community xxxxxxxxx RO
snmp-server community xxxxxxxxx RW
radius-server host 172.22.53.204 auth-port 1645 acct-port 1646 key ciscorules
banner login ^CC
Welcome to maui-nas-03
Maui-onions Lab
Learning Rack ISG
^C
!
line con 0
authorization commands 15 NO_AUTHOR
authorization exec NO_AUTHOR
login authentication NO_AUTHEN
transport input none
line 1 192
session-timeout 15
exec-timeout 48 0
autoselect during-login
autoselect ppp
absolute-timeout 240
script dialer cisco_default
refuse-message ^CCCCCCCC!!! All lines are busy, try again later ###^C
modem InOut
modem autoconfigure type mica
transport preferred telnet
transport input all
transport output pad telnet rlogin udptn
line aux 0
line vty 0 4
!
end

A.2 Router AAA Command Implementation Descriptions


Configurations addressed in this section focus on router administration. Router administration configurations control functions that run within the router shell: commands executed from the router console, commands executed over a VTY connection, and a shell session started over a modem. Each is an example of an EXEC function. Table A-1 lists the commands relevant for a router in a Cisco IOS AAA environment.

Table A-1 Cisco IOS Commands Required to Set AAA for a Router

Cisco IOS Command, followed by its description/application comment:

tacacs-server key secret-key
    Specifies the TACACS+ encryption key; it must match the key configured for this router on the AAA server.

aaa new-model
    Enables AAA. Forces an implicit login authentication default against all lines and the console, and an implicit ppp authentication pap default against all PPP interfaces.

aaa authentication login default group tacacs+
    Causes the router to forward all login requests to the AAA server.

aaa authorization exec default group tacacs+ if-authenticated
    Uses the default list for EXEC authorization, verifying that the service=shell attribute is assigned to the user and downloading the shell attributes assigned in the AAA server. if-authenticated is a fallback method: if the TACACS+ server does not respond, an already authenticated user is authorized anyway.

aaa authorization commands 15 default group tacacs+ if-authenticated
    Applies command authorization to privilege level 15 commands; these commands must be assigned to router users on the server for them to succeed.

aaa accounting exec default start-stop group tacacs+
    Logs EXEC shell information for the user in start-stop TACACS+ format.

aaa accounting commands 15 default stop-only group tacacs+
    Sends a TACACS+ accounting stop record at the end of each privilege level 15 command.

aaa accounting system default stop-only group tacacs+
    Performs accounting for system-level events not associated with users, such as reloads, in stop-only TACACS+ format.

ip tacacs source-interface FastEthernet0/0/0
    Uses this interface's IP address as the source of all TACACS+ packets, so the NAS address the AAA server sees (and must have defined) stays constant.

ip http server
    Enables HTTP server access.

ip http authentication aaa
    Forces AAA authentication and authorization at privilege level 15 for HTTP access.

tacacs-server host IP-address
    Specifies the AAA server.

A.3 NAS AAA Command Implementation Descriptions


Configurations addressed in this section focus on AAA with PPP. These configurations differ from router administration configurations: PPP is a network-level function and is separate from router shell functions. You can configure PPP to start automatically, or you can start PPP from a terminal window after dialing in to a NAS. Table A-2 lists the commands relevant for a NAS providing PPP access in a Cisco IOS AAA environment.

Note The following table lists Cisco IOS configuration commands required to support both
TACACS+ and RADIUS AAA implementations.

Table A-2 Cisco IOS Commands Used to Set AAA with PPP for NAS (RADIUS and TACACS+)

IOS Command, followed by its description/application comment:

aaa new-model
    Enables authentication, authorization, and accounting. Forces an implicit login authentication default against all lines and the console, and an implicit ppp authentication pap default against all PPP interfaces.

aaa authentication login default group tacacs+
    Causes the router to forward all login requests to a TACACS+ server.

aaa authentication login default group radius
    Causes the router to forward all login requests to a RADIUS server.

aaa authentication ppp default if-needed group radius
    Uses the default list for PPP authentication. The if-needed keyword lets clients using the "Terminal Window after Dial" option authenticate once to the RADIUS server at the terminal prompt and then negotiate PPP without being challenged again for the Windows dial-up networking username and password.

aaa authentication ppp default if-needed group tacacs+
    Same as above, against a TACACS+ server.

aaa authorization exec default group radius if-authenticated
    Uses the default list for EXEC authorization against the RADIUS server.

aaa authorization exec default group tacacs+ if-authenticated
    Uses the default list for EXEC authorization, verifying that the service=shell attribute is assigned to the user and downloading the shell attributes assigned in the AAA server.

aaa authorization network default group tacacs+ if-authenticated
    Uses the default list for network authorization, verifying that the service=ppp attribute is assigned to the user or group and downloading the PPP attributes assigned in the AAA server. The if-authenticated fallback authorizes an already authenticated user if the TACACS+ server does not respond.

aaa authorization network default group radius if-authenticated
    Uses the default list for network authorization, verifying that the Service-Type=Framed attribute is assigned to the user or group and downloading the PPP attributes assigned in the AAA server. The if-authenticated fallback authorizes an already authenticated user if the RADIUS server does not respond.

aaa accounting exec default start-stop group tacacs+
    Logs EXEC shell information for the user in start-stop TACACS+ format.

aaa accounting network default start-stop group tacacs+
    Logs all network-related service requests, such as PPP, in start-stop TACACS+ format.

aaa accounting exec default start-stop group radius
    Logs EXEC shell information for the user in start-stop RADIUS format.

aaa accounting network default start-stop group radius
    Logs all network-related service requests, such as PPP, in start-stop RADIUS format.

tacacs-server host IP-address key secret-key
    Specifies the AAA server and the encryption key; the key must match the one configured for this NAS on the server.

radius-server host IP-address auth-port 1645 acct-port 1646 key secret-key
    Specifies the RADIUS AAA server IP address, using UDP port 1645 for authentication and authorization and UDP port 1646 for accounting, the ports this Cisco IOS 12.0 configuration defaults to. The IANA-assigned RADIUS ports are 1812 and 1813; the NAS and the server must be configured for the same pair.
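Tables A-1 and A-2 describe what each AAA command should be doing; the natural check is to read a running-config back and confirm those commands are there and that nothing undoes them (a line that still uses a none list, an HTTP server without AAA, a missing network authorization list). The script below is an added example of such an audit; it is not part of the guide or of Cisco IOS. SAMPLE_CONFIG is constructed from the A.1.3 NAS listing, trimmed and with two weaknesses introduced on purpose, and HARDENED_CONFIG is a constructed counterpart that passes every check.

```python
"""Audit a Cisco IOS running-config for the AAA points Tables A-1 and A-2 make.

Added example for this appendix; not part of the guide or of Cisco IOS.
SAMPLE_CONFIG is constructed from the A.1.3 NAS listing (trimmed, banner
omitted) with 'service password-encryption' left out and a 'line aux 0'
entry added so the checks have something to report; HARDENED_CONFIG is a
constructed counterpart that passes every check.
"""
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius if-authenticated
enable secret 5 xxxxxxxxxxxxx
ip http server
snmp-server community xxxxxxxxx RW
radius-server host 172.22.53.204 auth-port 1645 acct-port 1646 key ciscorules
line con 0
 login authentication NO_AUTHEN
 transport input none
line aux 0
 login authentication NO_AUTHEN
line vty 0 4
 transport input all
"""
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius if-authenticated
service password-encryption
enable secret 5 xxxxxxxxxxxxx
radius-server host 172.22.53.204 auth-port 1812 acct-port 1813 key ciscorules
line vty 0 4
 transport input ssh
"""
SECTION_KEYWORDS = ("interface", "line", "router", "controller")


def parse_ios_config(text):
    """Split a config into global commands and {section header: [indented commands]}."""
    commands, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current:
            sections[current].append(raw.strip())
            continue
        commands.append(raw.strip())
        current = raw.strip() if raw.split()[0] in SECTION_KEYWORDS else None
        if current:
            sections.setdefault(current, [])
    return commands, sections


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cmds, sections = parse_ios_config(text)
    have = set(cmds)

    def starts(prefix):
        return any(c.startswith(prefix) for c in cmds)

    findings = []
    if "aaa new-model" not in have:
        findings.append("aaa new-model is absent: the AAA method lists are inert")
    if "service password-encryption" not in have:
        findings.append("service password-encryption is off: line and username passwords sit in the "
                        "config in clear text (type 7 is reversible obfuscation, not protection)")
    if not starts("enable secret"):
        findings.append("no enable secret: privileged EXEC relies on a weaker enable password")
    if "ip http server" in have and "ip http authentication aaa" not in have:
        findings.append("ip http server without ip http authentication aaa: HTTP logins use the "
                        "enable password instead of the AAA server")
    if starts("aaa authentication ppp") and not starts("aaa authorization network"):
        findings.append("aaa authentication ppp without an aaa authorization network list: per-user "
                        "PPP reply attributes (Service-Type, Framed-Protocol, ACLs) are not applied")
    for c in cmds:
        if re.match(r"snmp-server community \S+ RW\b", c):
            findings.append("read-write SNMP community configured: " + c)
        if (m := re.match(r"radius-server host (\S+) .*auth-port 1645\b", c)):
            findings.append(f"radius-server host {m.group(1)} uses legacy ports 1645/1646; IANA "
                            "assigns 1812/1813, so match whatever the server actually listens on")
    # Per line: which login list applies, and whether that list contains method none.
    login_lists = {}
    for c in cmds:
        if (m := re.match(r"aaa authentication login (\S+) (.*)", c)):
            login_lists[m.group(1)] = m.group(2).split()
    for header, sub in sections.items():
        if not header.startswith("line "):
            continue
        chosen = next((s.split()[-1] for s in sub if s.startswith("login authentication ")), "default")
        if "none" in login_lists.get(chosen, []) and header != "line con 0":
            findings.append(f"{header}: login list {chosen} contains method none, so the line "
                            "is reachable without credentials")
        transport = next((s.split()[2:] for s in sub if s.startswith("transport input ")), None)
        if header.startswith("line vty") and transport not in (["ssh"], ["none"]):
            findings.append(f"{header}: transport input {' '.join(transport or ['(default)'])} "
                            "admits cleartext Telnet; restrict to ssh where the image supports it")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("-", f)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The console line is exempted from the none-list check because that is the convention the listings in A.1 use (NO_AUTHEN on line con 0 as the recovery path); every other line that inherits a none list is reported. The parser only understands the indentation that show running-config produces, so a listing whose leading spaces were lost in copying, as the ones printed above were, has to be re-indented before it is audited.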

A.4 CiscoSecure for UNIX Configuration Listings


This section provides the following listings:
• A.4.1 CSU.cfg Listing
• A.4.2 CSConfig.ini Listing
• A.4.3 Oracle User Environment Variable
• A.4.4 listener.ora Listing
For a complete description of AAA server files, go to:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx

A.4.1 CSU.cfg Listing


# cd /opt/ciscosecure/config
# ls
CSConfig.ini CSU.cfg CSU.cfg.sav
# cat CSU.cfg
LIST config_license_key = {"a73dc113d300a5ba3459"};
STRING config_update_log_filename = "/opt/ciscosecure/logfiles/passwd_chg.log";
/* store accounting records here when database fails */
/* default = /var/log/CSAccountingLog */
STRING config_acct_filename = "/var/log/CSAccountingLog";

/* AAA Server Metrics */


/* default = 0 (disable) */
NUMBER config_metrics_enable = 0; /* 1 to enable, 0 to disable */
/* default = 8 seconds */
NUMBER config_metrics_log_interval = 8; /* in seconds */

/* Callerid as Username */
/* default = 1 (enable) */
NUMBER config_callerid_enable = 1; /* 1 to enable, 0 to disable */

/* Use default user profile when user/callerid can't be found */


/* default = 1 (enable) */
NUMBER config_defaultuser_enable = 1; /* 1 to enable, 0 to disable */

/* AAA Server MaxSessions Configuration */


/* default = 0 (disable) */
NUMBER config_maxsessions_enable = 0; /* 1 to enable, 0 to disable */
/* default = 24 hours */
NUMBER config_maxsessions_session_timeout = 1440; /* in minutes */
/* default = 60 minutes */
NUMBER config_maxsessions_purge_interval = 60; /* in minutes */

/* AAA Server Distributed MaxSessions Configuration */


/* default = 0 (disable) */
NUMBER config_distmaxsessions_enable = 0; /* 1 to enable, 0 to disable */
/* default = 0 (disabled) */
NUMBER config_dms_periodic_stats_interval = 0; /* 0 to disable, otherwise interval in seconds */

/* Cryptocard challenge lookahead */


/* default = 0, which is same as 1, do only 1 challenge, don't look ahead */
/* the maximum number of challenge look ahead is 20 */
NUMBER config_cryptocard_challenge_lookahead = 0;

/* Group Profile Cache Timeout; 0 == no timeout */


/* default = 5 seconds */
NUMBER config_cache_group_timeout = 5; /* in seconds */

/* Per-user accounting function */


/* default = 1 (enable) */
NUMBER config_acct_fn_enable = 1; /* 1 to enable, 0 to disable */

/* Extended Radius support */


NUMBER config_hex_string_support_enable = 0; /* 1 to enable, 0 to disable */

STRING config_server_ip_address = "172.23.25.41";


NUMBER config_token_cache_absolute_timeout = 86400;
NUMBER config_system_logging_level = 0x80;
NUMBER config_logging_configuration = 0xffffffff;
NUMBER config_warning_period = 20;
NUMBER config_expiry_period = 60;

NUMBER config_local_timezone = -8; /* set this for your timezone */
NUMBER config_use_host_timezone = 0; /* set value to 1 to always use system time */
NUMBER config_record_write_frequency = 5; /* update frequency in seconds */
NUMBER config_max_failed_authentication = 10; /* nmbr of authen fails accepted */
                                              /* before account is disabled.  */

NAS config_nas_config = {
{
"", /* NAS name can go here */
"ciscorules", /* NAS/CiscoSecure secret key */
"", /* message_catalogue_filename */
1, /* username retries */
2, /* password retries */
1 /* trusted NAS for SENDPASS */
}
};

AUTHEN config_external_authen_symbols = {
{
"./libskey.so",
"skey"
}
,
{
"./libpap.so",
"pap"
}
,
{
"./libchap.so",
"chap"
}
,
{
"./libarap.so",
"arap"
}
};

AUTHOR config_external_author_symbols = {
{
"./libargs.so",
"process_input_arguments",
"process_input_arguments_ok",
"process_input_arguments_fail",
"process_output_arguments",
"process_output_arguments_ok",
"process_output_arguments_fail"
}
};

/*
 * Sample of pre/post process configuration.
 *
AUTHOR config_external_author_symbols = {
{
"./libcustomerprovided.so",
"customer_function"
}
};
 *
 * end sample
 */

ACCT config_external_acct_symbols = {
{
"./libacctmember.so",
"acct_member_fn"
}
};

ADMIN config_external_admin_symbols = {
"./libadmin.so"
};

DB config_external_database_symbols = {
{
"./libdb.so",
"",
""
}
};

PARSER config_external_parser_symbols = {
"./libt+.so"
};

EVENT config_external_event_symbols = {
{
"./libdb.so",
"",
""
}
};

DMS config_external_dms_symbols = {
"./libCiscoDMS.so"
};

A.4.2 CSConfig.ini Listing


#cat CSConfig.ini
############################################################
#
# $Archive: $
#
# (C) Copyright 1996 Cisco Systems. All rights reserved.
#
# This is CiscoSecure DBServer main initialization file.
#
# $Log: $
#
# $NoKeyWords: $
#
############################################################
;<--------------------- Ruler Line -------------------------------------------->
;         1         2         3         4         5         6         7         8
;2345678901234567890123456789012345678901234567890123456789012345678901234567890
;
;-------------------------------------------------------------------------------
[System]
; Location where the system is installed
RootDir=/opt/ciscosecure

; Location of the default profile (default= $RootDir/config/DefaultProfile)


DefaultProfile=/opt/ciscosecure/config/DefaultProfile

;-------------------------------------------------------------------------------
[System Error]
SysErrorFileDir = /opt/ciscosecure/logfiles
; DBServer gets the default path for the System error handler here
; if it was not specified at the command line with option
; [-LOGPATH path] when starting the DBServer daemon.
; DBServer must have sufficient access privilege to create this
; path and the log file if it does not already exist.

; log levels are 1 thru 10 where Minor=1, Moderate=5, Severe=8, Catastrophic=10


; (note: Catastrophic errors will shutdown the daemon)
MinLogLevel = 8

;-------------------------------------------------------------------------------
[SessionMgr]
; Session Manager configurables, purge interval is in minutes
MaxSessions=1000
PurgeInterval=60

;-------------------------------------------------------------------------------
[AccountingMgr]

;If this parameter=enable then log acct packets into cs_accounting_log database table
LogRawAccountingPacketToDB = enable

;If we are logging accounting records then this parameter decides whether to buffer the records
; in memory and then save them to the database using a background process. Enabling this will
; increase burst authentication performance.
;If enabled the DBServer will create enough buffers to match the value of 2 less than
; the number of database connections available.


; NOTE: There is a risk of losing records that are in memory in the event of the DBServer going
; down ungracefully.
BufferAccountingPackets = enable

;This parameter decides the size of each accounting packet buffer. Legal values are from 5 to 1000
AccountingBufferSize = 500

; if parameter=enable then dbserver will process user max session info and save in memory,
; if disabled then ArchiveMaxSessionInfoToDB will also be disabled.
ProcessInMemoryMaxSessionInfo = enable

; If this parameter=enable then log user max session info into cs_user_accounting database table
; Note that if the BufferAccountingPackets parameter is enabled AND ProcessInMemoryMaxSessionInfo
; is enabled then max session info records will be buffered as well.
ArchiveMaxSessionInfoToDB = enable

; This is how often (in minutes) the system checks for accounting sessions to
; purge.
; NOTE: The purge interval is actually dependent upon a system background task
; that is not guaranteed to run more frequently than 60 minutes. This
; value is therefore not accurate to the minute and should not be set to
; less than 60.
AcctPurgeInterval=60

; This is how long (in minutes) a session can be considered
; active before it is purged.
; NOTE: This value is dependent on the AcctPurgeInterval setting and is not
; accurate to the minute. It is not intended to be set to less than 60.
AcctPurgeTimeOut=1440

;-------------------------------------------------------------------------------
[DBServer]
DBServerName = CSdbServer
Protocol=TCP
MaxPacketSize = 4096

; Each DBServer process should have its own unique name.
; Do not put the hostname here in case more than one instance
; of the DBServer is running on the same machine

;The following is for internal use only by the DBServer


;Date format expected from the client application such as the GUI,
;to be used for parsing date/time string. The dbserver will reject
;inputs that contains other date/time format. This format will also
;be used to return date/time strings.
;Examples, "d MMM yyyy" => "12 Feb 1997", "EEE MMM d hh:mm:ss z yyyy" => "Tue Apr 1 09:26:55 PST 1997"
DateFormat = "d MMM yyyy"
DateTimeFormat = "EEE MMM d hh:mm:ss z yyyy"

;-------------------------------------------------------------------------------
[ValidClients]
100 = sleddog
; Add list of trusted clients above ^^^^ in the format:
; ClientID = Client's Host Name
; CGI stub's clientID=100, and its host name
; For example 100 = localhost or 100 = 192.92.182.2
; 101 = 192.92.190.5
;


;if ValidateClients=true, then we only allow the clients with ids listed
;above to connect to the dbserver
ValidateClients = false
;if FastAdminValidateClients = true, then we only allow the clients with ids
;listed below to connect to the FastAdmin
FastAdminValidateClients = false

;-------------------------------------------------------------------------------
[Protocol TCP]
HostName = sleddog
Port = 9900
; Name of host server

; Daemon port number


;Port=5001

;-------------------------------------------------------------------------------
[Workers Pool]
; Maximum numbers of connection workers in pool, beyond which
; newly added workers will be ignored (or deleted).
MaxInPool=50

;-------------------------------------------------------------------------------
[Database]
DataSource = ORACLE
DriverType = JDBC-Weblogic-Oracle
; Specify the rdbms installed and the driver type
; (ODBC or JDBC) that interfaces with the rdbms.
; Driver=ODBC or Driver=JDBC, then go to the [ODBC]
; or [JDBC] section to fill in the URL info.

# Oracle with ODBC


;DataSource = ORACLE
;DriverType = ODBC-Visigenic-Oracle

# Oracle with JDBC


;DataSource = ORACLE
;DriverType = JDBC-Weblogic-Oracle

# SQLAnywhere with ODBC


;DataSource = SQLAnywhere
;DriverType = ODBC-SQLAnywhere

# Sybase with ODBC


;DataSource = SYBASE
;DriverType = ODBC-Visigenic-Sybase

# Sybase with JDBC


;DataSource = SYBASE
;DriverType = JDBC-Weblogic-Sybase

# Test with some other DB that we did not qualify


;DataSource = OtherDB
;DriverType = ODBC-Visigenic

# names of data dictionary


ProfileAttr = cs_profile_attr_dict
ProfileCol = cs_profile_col_dict
UserAcct = cs_user_account_attr_dict

;-------------------------------------------------------------------------------
[SQLAnywhere]
;this is the bundle database
ConnectionLicense = 12


Username = DBA
Password = SQL

;-------------------------------------------------------------------------------
[OtherDB]
;number of open connections allowed to the data source(based on db license)
ConnectionLicense = 1
Username = csecure
Password = csecure

;-------------------------------------------------------------------------------
[ORACLE]
;number of open connections allowed to the data source(based on db license)
ConnectionLicense=4
Username = csecure
Password = csecure

;-------------------------------------------------------------------------------
[SYBASE]
;number of open connections allowed to the data source(based on db license)
ConnectionLicense = 8
Username = csecure
Password = csecure

;-------------------------------------------------------------------------------
[ODBC-SQLAnywhere]
;ODBC driver information
Manager = sun.jdbc.odbc.JdbcOdbcDriver
Driver = jdbc:odbc:SQLAnywhere;ENG=csecure;DBF=<database_file>;Start="dbeng50 -ud"
;Property below is required for internal use only: connection usage property
PrepareStatement = 0

;-------------------------------------------------------------------------------
[ODBC-Visigenic-Oracle]
;ODBC driver information
Manager = sun.jdbc.odbc.JdbcOdbcDriver
Driver = jdbc:odbc:Oracle
;Property below is required for internal use only: connection usage property
PrepareStatement = 1

;-------------------------------------------------------------------------------
[ODBC-Visigenic-Sybase]
;ODBC driver information
Manager = sun.jdbc.odbc.JdbcOdbcDriver
Driver = jdbc:odbc:SybaseDBLib
;Property below is required for internal use only: connection usage property
PrepareStatement = 1

;-------------------------------------------------------------------------------
[JDBC-Weblogic-Oracle]
;JDBC driver information
Manager=cisco.ciscosecure.dbserver.jdbc.WeblogicOciDriverManager
Driver=jdbc:weblogic:oracle:ciscosj
;Property below is required for internal use only: connection usage property
PrepareStatement = 1

;-------------------------------------------------------------------------------
[JDBC-Weblogic-Sybase]
;JDBC driver information
Manager=cisco.ciscosecure.dbserver.jdbc.WeblogicDBLibDriverManager
Driver=jdbc:weblogic:sybase
;Property below is required for internal use only: connection usage property
PrepareStatement = 1


;-------------------------------------------------------------------------------
[ProfileCaching]
EnableProfileCaching = OFF
;Polling period in minutes for cs_trans_log table
; Interval in seconds can be specified by fraction.
; For example, '5/60' denotes 5 seconds and '1 1/2' denotes 90 seconds.
; Setting to 0 disables polling.
DBPollInterval = 30
;-------------------------------------------------------------------------------
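The [ValidClients] and database sections above are the security-relevant part of this file: with ValidateClients=false the trusted-client list is ignored, so any host that can reach the DBServer port may connect. The following Python audit is an added example, not part of CiscoSecure; it parses a CSConfig.ini-style file (';' and '#' comment lines, as in the listing) and reports those settings. The embedded sample is constructed from the listing, and treating the credentials shown there as defaults that should not reach production is an assumption.

```python
"""Audit a CiscoSecure CSConfig.ini for weak DBServer settings.

Added example, not part of CiscoSecure. Reads the INI shape in the listing
above: [sections], key = value, and comment lines starting with ';' or '#'.
"""
import configparser
import io

# Credentials that appear verbatim in the listing; treating them as sample
# defaults that must not survive into production is an assumption.
SAMPLE_CREDENTIALS = {("DBA", "SQL"), ("csecure", "csecure")}
DB_SECTIONS = ("SQLAnywhere", "OtherDB", "ORACLE", "SYBASE")

# Constructed sample reduced from the listing; SYBASE given a non-sample credential for contrast.
SAMPLE_INI = """\
############################################################
# This is CiscoSecure DBServer main initialization file.
############################################################
[DBServer]
DBServerName = CSdbServer
Protocol=TCP

;-------------------------------------------------------------------------------
[ValidClients]
100 = sleddog
; 101 = 192.92.190.5
ValidateClients = false
FastAdminValidateClients = false

[Protocol TCP]
HostName = sleddog
Port = 9900

[ORACLE]
ConnectionLicense=4
Username = csecure
Password = csecure

[SYBASE]
ConnectionLicense = 8
Username = dbsvc
Password = Xy7!pq
"""


def load_config(text):
    """Parse CSConfig.ini text; both ';' and '#' start a comment line."""
    cp = configparser.ConfigParser(
        comment_prefixes=(";", "#"),
        inline_comment_prefixes=None,
        interpolation=None,
        strict=False,
    )
    cp.optionxform = str  # keep key case: ValidateClients, not validateclients
    cp.read_file(io.StringIO(text))
    return cp


def is_true(value):
    return value.strip().lower() in ("true", "1", "yes", "on")


def audit(cp):
    """Return a list of (severity, message) findings."""
    findings = []
    vc = cp["ValidClients"] if cp.has_section("ValidClients") else {}
    port = cp.get("Protocol TCP", "Port", fallback="?")

    # Client IDs are numeric keys; the remaining keys in the section are switches.
    trusted = {k: v for k, v in vc.items() if k.isdigit()}
    for switch, target in (("ValidateClients", "DBServer"),
                           ("FastAdminValidateClients", "FastAdmin")):
        if not is_true(vc.get(switch, "false")):
            findings.append(("HIGH", f"{switch} is not true: the trusted-client list "
                             f"is ignored and any host reaching {target} "
                             f"(TCP port {port}) may connect"))
    if not trusted:
        findings.append(("MEDIUM", "[ValidClients] lists no client IDs, so enabling "
                         "validation would lock out every client"))

    for sect in DB_SECTIONS:
        if not cp.has_section(sect):
            continue
        user = cp.get(sect, "Username", fallback="")
        pw = cp.get(sect, "Password", fallback="")
        if (user, pw) in SAMPLE_CREDENTIALS:
            findings.append(("HIGH", f"[{sect}] still uses the sample credential {user}/{pw}"))
        elif pw and pw.lower() == user.lower():
            findings.append(("MEDIUM", f"[{sect}] password equals the username"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(load_config(SAMPLE_INI)):
        print(f"{sev:6} {msg}")
```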

A.4.3 Oracle User Environment Variable


#su - oracle
Sun Microsystems Inc. SunOS 5.5.1 Generic May 1996
$env
HOME=/export/home/oracle
HZ=100
LD_LIBRARY_PATH=/opt/oracle/product/7.3.4/lib:/usr/openwin/lib:/usr/dt/lib:/usr/lib
LOGNAME=oracle
ORACLE_DOC=/doc
ORACLE_HOME=/opt/oracle/product/7.3.4
ORACLE_SID=ciscosj
ORACLE_TERM=xsun5
ORAENV_ASK=NO
PATH=/usr/bin::/opt/oracle/product/7.3.4:/opt/oracle/product/7.3.4/bin:/usr/ccs/bin:
SHELL=/bin/sh
TERM=ansi
TMPDIR=/var/tmp
TNS_ADMIN=/opt/oracle/product/7.3.4/network/admin
TZ=GMT-8


A.4.4 listener.ora Listing


$cd $ORACLE_HOME/
$ls
bin jdbc nlsrtl3 orainst precomp sqlplus
book22 lib ocommon otrace rdbms svrmgr
dbs network oracore3 plsql slax
$cd network/admin
$ls
csmgen.tcl listener.ora tcl7.4 tnsnames.ora
csmman.man sqlnet.fdf tk4.0
$cat listener.ora
#
# Installation Generated Net V2 Configuration
# Version Date: Sep-16-97
# Filename: Listener.ora
#
LISTENER =
(ADDRESS_LIST =
(ADDRESS= (PROTOCOL= IPC)(KEY= ciscosj))
(ADDRESS= (PROTOCOL= IPC)(KEY= PNPKEY))
(ADDRESS= (PROTOCOL= TCP)(Host= sleddog)(Port= 1521))
)
SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(GLOBAL_DBNAME= sleddog.)
(ORACLE_HOME= /opt/oracle/product/7.3.4)
(SID_NAME = ciscosj)
)
)
STARTUP_WAIT_TIME_LISTENER = 0
CONNECT_TIMEOUT_LISTENER = 10
TRACE_LEVEL_LISTENER = OFF
$ls
csmgen.tcl listener.ora tcl7.4 tnsnames.ora
csmman.man sqlnet.fdf tk4.0
$cat tnsnames.ora
#
# Installation Generated NetV2 Configuration
# Version Date: Sep-30-97
# Filename: Tnsnames.ora
#
ciscosj =
(DESCRIPTION =
(ADDRESS = (PROTOCOL= TCP)(Host= sleddog)(Port= 1521))
(CONNECT_DATA = (SID = ciscosj))
)


A.5 CiscoSecure Log Files


$CSUBASE/logfiles/cs_install.log
$CSUBASE/logfiles/cs_shutdown.log
$CSUBASE/logfiles/cs_startup.log
$CSUBASE/logfiles/csdblog_<date>
$CSUBASE/logfiles/passwd_chg.log
$CSUBASE/ns-home/CSUServer/logs/access
$CSUBASE/ns-home/CSUServer/logs/errors
$CSUBASE/ns-home/admserver/errors
$CSUBASE/ns-home/admserver/access
$CSUBASE/ns-home-httpd-csuserver/logs

APPENDIX B
AAA Impact on Maintenance Tasks

Most BootFlash images do not recognize all Cisco IOS aaa commands. As a result, invoking a
BootFlash image can lead to a password recovery situation unless the Cisco IOS fragments listed in this
appendix are used to disable AAA. One example of a situation requiring the inclusion of this
configuration is a software image upgrade for a Cisco AS5200 access server.
Include the following Cisco IOS commands to disable AAA authentication and authorization on the
console and VTY ports of a NAS:
aaa authentication login NO_AUTHENT none
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 NO_AUTHOR none

line con 0
authorization exec NO_AUTHOR
login authentication NO_AUTHENT
authorization commands 15 NO_AUTHOR

line vty 0 4
authorization commands 15 NO_AUTHOR
authorization exec NO_AUTHOR
login authentication NO_AUTHENT

Note Refer to “4.6 Implementing Server-Based TACACS+ Router Authorization” for related
implementation information.
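Because these method lists leave the console and VTY ports without authentication or authorization, a practitioner wants to confirm they are gone once the upgrade is complete. The following Python check is an added example, not part of Cisco IOS or the case study: it parses a running-config excerpt and reports every line that applies a method list whose only method is none. The embedded configuration is constructed from the fragment above, with a TACACS+ list added for contrast.

```python
"""Report console/VTY lines whose AAA method list resolves to 'none'.

Added example (not Cisco code). Input is IOS running-config text: global
'aaa ...' commands define named method lists, and 'line' blocks (sub-commands
indented by one space) apply them to a port.
"""
import re

# Constructed sample: the Appendix B fragment plus a normal TACACS+ list.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHENT none
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 NO_AUTHOR none
aaa authorization commands 15 default group tacacs+ if-authenticated
!
line con 0
 authorization exec NO_AUTHOR
 login authentication NO_AUTHENT
 authorization commands 15 NO_AUTHOR
line aux 0
line vty 0 4
 authorization commands 15 default
 authorization exec NO_AUTHOR
 login authentication default
"""

# 'aaa authentication login <list> <methods>' and
# 'aaa authorization exec|commands <level> <list> <methods>'
AAA_RE = re.compile(
    r"^aaa (?P<kind>authentication login|authorization exec|authorization commands \d+)"
    r" (?P<name>\S+) (?P<methods>.+)$")
# line sub-commands that reference a method list
APPLY_RE = re.compile(
    r"^ (?P<kind>login authentication|authorization exec|authorization commands \d+)"
    r" (?P<name>\S+)$")


def parse_method_lists(config):
    """Map (kind, list name) -> method tokens, e.g. ('authorization exec', 'NO_AUTHOR') -> ['none']."""
    lists = {}
    for line in config.splitlines():
        m = AAA_RE.match(line)
        if m:
            lists[(m["kind"], m["name"])] = m["methods"].split()
    return lists


def parse_line_blocks(config):
    """Map line name ('con 0', 'vty 0 4') -> [(kind, list name)] applied to it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("line "):
            current = line[5:].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            m = APPLY_RE.match(line)
            if m:
                kind = m["kind"]
                # 'login authentication X' refers to 'aaa authentication login X'
                if kind == "login authentication":
                    kind = "authentication login"
                blocks[current].append((kind, m["name"]))
        else:
            current = None  # '!' or a global command ends the line block
    return blocks


def unauthenticated_lines(config):
    """Return [(line, kind, list name)] where the applied list's only method is 'none'."""
    lists = parse_method_lists(config)
    hits = []
    for line_name, applied in parse_line_blocks(config).items():
        for kind, name in applied:
            if lists.get((kind, name)) == ["none"]:
                hits.append((line_name, kind, name))
    return hits


if __name__ == "__main__":
    for line_name, kind, name in unauthenticated_lines(SAMPLE_CONFIG):
        print(f"line {line_name}: {kind} uses list {name} -> none")
```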

APPENDIX C
Server-Based AAA Verification Diagnostic Output

This appendix is organized into the following sections:


• C.1 Server-Based TACACS+ Dialup Authentication Diagnostics
• C.2 Server-Based TACACS+ Dialup Authorization Diagnostics
• C.3 Server-Based RADIUS Dialup Authentication Diagnostics
• C.4 Server-Based RADIUS Dialup Authorization Diagnostics
• C.5 Server-Based TACACS+ Router Authentication Diagnostics
• C.6 Server-Based TACACS+ Router Authorization Diagnostics
Diagnostic examples present captured output from debug command (router) and tail command (AAA
server) listings.

Note Output fragments provided here are excerpted from the applicable debug command output
or AAA server csuslog file—unless otherwise noted. Diagnostic content is gathered from
the AAA server by using the tail -f /var/log/csuslog command. Pertinent portions of
output are included as fragments of complete listings.

C.1 Server-Based TACACS+ Dialup Authentication Diagnostics


The following test results for “4.1 Implementing Server-Based TACACS+ Dialup Authentication”
provide relevant NAS and AAA server log output:
1. Authentication login is successful for user tac_dial.
2. PAP authentication request for user tac_dial.
3. Creation of user tac_dial, service=ppp.
4. Authentication PASS received from AAA server.

Note Use these debug commands: debug aaa authentication and debug ppp authentication.


The following diagnostic results are presented in the order in which they are generated during the
authentication process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.

Note The debug command output can vary depending on Cisco IOS versions.

1. Authentication login is successful for user tac_dial.


AAA server csuslog output:
Feb 4 10:40:13 coachella CiscoSecure: DEBUG - AUTHENTICATION START request (8d2d325f)
Feb 4 10:40:13 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.63.1, Port = Async3, User = tac_dial, Priv = 1]

2. PAP authentication request for user tac_dial.


NAS debug output:
113288: Feb 4 10:40:13.696 CST: As3 PAP: I AUTH-REQ id 1 len 23 from "tac_dial"
113289: Feb 4 10:40:13.696 CST: As3 PAP: Authenticating peer tac_dial

3. Creation of user tac_dial, service=ppp.


NAS debug output:
113290: Feb 4 10:40:13.696 CST: AAA: parse name=Async3 idb type=10 tty=3
113291: Feb 4 10:40:13.696 CST: AAA: name=Async3 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=3 channel=0
113292: Feb 4 10:40:13.696 CST: AAA: parse name=Serial0:4 idb type=12 tty=-1
113293: Feb 4 10:40:13.696 CST: AAA: name=Serial0:4 flags=0x51 type=1 shelf=0 slot=0 adapter=0 port=0 channel=4
113294: Feb 4 10:40:13.696 CST: AAA/MEMORY: create_user (0x61E09254) user='tac_dial' ruser='' port='Async3' rem_addr='async/81560' authen_type=PAP service=PPP priv=1
113295: Feb 4 10:40:13.696 CST: AAA/AUTHEN/START (2368549471): port='Async3' list='' action=LOGIN service=PPP

4. Authentication PASS received from AAA server.


NAS debug output:
113296: Feb 4 10:40:13.696 CST: AAA/AUTHEN/START (2368549471): using "default" list
113297: Feb 4 10:40:13.696 CST: AAA/AUTHEN (2368549471): status = UNKNOWN
113298: Feb 4 10:40:13.696 CST: AAA/AUTHEN/START (2368549471): Method=tacacs+ (tacacs+)
113299: Feb 4 10:40:13.696 CST: TAC+: send AUTHEN/START packet ver=193 id=2368549471
113300: Feb 4 10:40:13.900 CST: TAC+: ver=193 id=2368549471 received AUTHEN status = PASS

C.2 Server-Based TACACS+ Dialup Authorization Diagnostics


The following test results for “4.2 Implementing Server-Based TACACS+ Dialup Authorization”
provide relevant NAS and AAA server log output:
1. User dialtest is authorized EXEC shell access to the NAS.
2. User dialtest starts PPP from the shell and is assigned the addr-pool=default and inacl=110 AVPs.
3. User dialtest is authorized EXEC shell access to NAS.
4. User dialtest is assigned the addr-pool=default AVP through network authorization.


5. User dialtest is assigned the inacl=110 AVP through network authorization.
6. User dialtest starts PPP and is assigned the addr-pool=default and inacl=110 AVPs.

Note Use this debug command: debug aaa authorization.

The following diagnostic results are presented in the order in which they are generated during the
authorization process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.

Note The debug command output can vary depending on Cisco IOS versions.

1. User dialtest is authorized EXEC shell access to the NAS.


AAA server csuslog output:
Apr 6 15:48:06 sleddog CiscoSecure: DEBUG - AUTHORIZATION request (365f23d3)
Apr 6 15:48:06 sleddog CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.23.84.35, user = dialtest, port = tty8, input: service=shell cmd* output: ]

2. User dialtest starts PPP from the shell and is assigned the addr-pool=default and inacl=110 AVPs.
AAA server csuslog output:
Apr 6 15:48:07 sleddog CiscoSecure: DEBUG - AUTHORIZATION request (74e5f744)
Apr 6 15:48:07 sleddog CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.23.84.35, user = dialtest, port = tty8, input: service=ppp protocol=ip addr-pool*default output: inacl=110]
Apr 6 15:48:13 sleddog CiscoSecure: DEBUG - AUTHORIZATION request (78655fcd)
Apr 6 15:48:13 sleddog CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.23.84.35, user = dialtest, port = tty8, input: service=ppp protocol=lcp output: ]
Apr 6 15:48:13 sleddog CiscoSecure: DEBUG - AUTHORIZATION request (cae30c69)
Apr 6 15:48:13 sleddog CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.23.84.35, user = dialtest, port = tty8, input: service=ppp protocol=ip output: addr-pool=default inacl=110]

3. User dialtest is authorized EXEC shell access to NAS.


NAS debug output:
*Apr 6 00:12:29.932: As8 AAA/AUTHOR/EXEC (912204755): Port='tty8' list='' service=EXEC
*Apr 6 00:12:29.932: AAA/AUTHOR/EXEC: As8 (912204755) user='dialtest'
*Apr 6 00:12:29.932: As8 AAA/AUTHOR/EXEC (912204755): send AV service=shell
*Apr 6 00:12:29.932: As8 AAA/AUTHOR/EXEC (912204755): send AV cmd*
*Apr 6 00:12:29.932: As8 AAA/AUTHOR/EXEC (912204755): found list "default"
*Apr 6 00:12:29.932: As8 AAA/AUTHOR/EXEC (912204755): Method=tacacs+ (tacacs+)
*Apr 6 00:12:29.932: AAA/AUTHOR/TAC+: (912204755): user=dialtest
*Apr 6 00:12:29.932: AAA/AUTHOR/TAC+: (912204755): send AV service=shell
*Apr 6 00:12:29.932: AAA/AUTHOR/TAC+: (912204755): send AV cmd*
*Apr 6 00:12:30.136: As8 AAA/AUTHOR (912204755): Post authorization status = PASS_ADD


4. User dialtest is assigned the addr-pool=default AVP through network authorization.


NAS debug output:
*Apr 6 00:12:31.480: AAA/AUTHOR/PPP: As8 (1961228100) user='dialtest'
*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): send AV service=ppp
*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): send AV protocol=ip
*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): send AV addr-pool*default
*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): found list "default"
*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): Method=tacacs+ (tacacs+)
*Apr 6 00:12:31.480: AAA/AUTHOR/TAC+: (1961228100): user=dialtest
*Apr 6 00:12:31.480: AAA/AUTHOR/TAC+: (1961228100): send AV service=ppp
*Apr 6 00:12:31.480: AAA/AUTHOR/TAC+: (1961228100): send AV protocol=ip
*Apr 6 00:12:31.480: AAA/AUTHOR/TAC+: (1961228100): send AV addr-pool*default
*Apr 6 00:12:31.684: As8 AAA/AUTHOR (1961228100): Post authorization status = PASS_ADD

5. User dialtest is assigned the inacl=110 AVP through network authorization.


NAS debug output:
*Apr 6 00:12:31.684: AAA/AUTHOR/Async8: PPP: Processing AV service=ppp
*Apr 6 00:12:31.684: AAA/AUTHOR/Async8: PPP: Processing AV protocol=ip
*Apr 6 00:12:31.684: AAA/AUTHOR/Async8: PPP: Processing AV addr-pool*default
*Apr 6 00:12:31.684: AAA/AUTHOR/Async8: PPP: Processing AV inacl=110

6. User dialtest starts PPP and is assigned the addr-pool=default and inacl=110 AVPs.
NAS debug output:
*Apr 6 00:33:05.860: As9 AAA/AUTHOR/IPCP: Says use pool default
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Pool returned 172.23.25.37
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV service=ppp
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV protocol=ip
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV addr-pool=default
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV inacl=110
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV addr*172.23.25.37
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Authorization succeeded

C.3 Server-Based RADIUS Dialup Authentication Diagnostics


The following test results for “4.3 Implementing Server-Based RADIUS Dialup Authentication”
provide relevant NAS output:
1. User rad_dial successfully passes authentication on port Async5.
2. User rad_dial successfully passes authentication.

Note Use these debug commands: debug aaa authentication and debug ppp
authentication.

The following diagnostic results are presented in the order in which they are generated during the
authentication process. Specific output fragments are differentiated with brief explanatory notes to help
identify relevant information.


Note The debug command output can vary depending on Cisco IOS versions.

1. User rad_dial successfully passes authentication on port Async5.


NAS debug output:
00:38:42: AAA/MEMORY: create_user (0x61619F48) user='rad_dial' ruser='' port='Async5' rem_addr='65004/65301' authen_type=PAP service=PPP priv=1
00:38:42: AAA/AUTHEN/START (3896270890): port='Async5' list='' action=LOGIN service=PPP
00:38:42: AAA/AUTHEN/START (3896270890): using "default" list
00:38:42: AAA/AUTHEN (3896270890): status = UNKNOWN
00:38:42: AAA/AUTHEN/START (3896270890): Method=radius (radius)
00:38:42: AAA/AUTHEN (3896270890): status = PASS

2. User rad_dial successfully passes authentication.


NAS debug output:
Apr 6 16:18:19 danvers CiscoSecure: INFO - Profile: user = rad_dial {
Apr 6 16:18:19 danvers set server current-failed-logins = 0
Apr 6 16:18:19 danvers profile_cycle = 9

C.4 Server-Based RADIUS Dialup Authorization Diagnostics


The following test results for “4.4 Implementing Server-Based RADIUS Dialup Authorization” provide
relevant NAS server log output:
1. User rad_dial is authorized for protocol=lcp.
2. User rad_dial is authorized for IPCP.
3. Input access-list is verified as 110 while the output access-list is shown as not set.

Note Use these commands: debug aaa authorization and show caller user rad_dial
detail.

The following diagnostic results are presented in the order in which they are generated during the
authorization process. Specific output fragments are differentiated with brief explanatory notes to help you
identify relevant information.


Note The debug command output can vary depending on Cisco IOS versions.

1. User rad_dial is authorized for protocol=lcp.


NAS debug output:
01:02:17: AAA/MEMORY: create_user (0x61504AC4) user='rad_dial' ruser='' port='Async6' rem_addr='65004/65301' authen_type=PAP service=PPP priv=1
01:02:17: As6 AAA/AUTHOR/LCP: Authorize LCP
01:02:17: As6 AAA/AUTHOR/LCP (3341570658): Port='Async6' list='' service=NET
01:02:17: AAA/AUTHOR/LCP: As6 (3341570658) user='rad_dial'
01:02:17: As6 AAA/AUTHOR/LCP (3341570658): send AV service=ppp
01:02:17: As6 AAA/AUTHOR/LCP (3341570658): send AV protocol=lcp
01:02:17: As6 AAA/AUTHOR/LCP (3341570658): found list "default"
01:02:17: As6 AAA/AUTHOR/LCP (3341570658): Method=radius (radius)
01:02:17: As6 AAA/AUTHOR (3341570658): Post authorization status = PASS_REPL

2. User rad_dial is authorized for IPCP.


NAS debug output:
01:02:17: As6 AAA/AUTHOR/LCP: Processing AV service=ppp
01:02:17: As6 AAA/AUTHOR/FSM: (0): Can we start IPCP?
01:02:17: As6 AAA/AUTHOR/FSM (2347737596): Port='Async6' list='' service=NET
01:02:17: AAA/AUTHOR/FSM: As6 (2347737596) user='rad_dial'
01:02:17: As6 AAA/AUTHOR/FSM (2347737596): send AV service=ppp
01:02:17: As6 AAA/AUTHOR/FSM (2347737596): send AV protocol=ip
01:02:17: As6 AAA/AUTHOR/FSM (2347737596): found list "default"
01:02:17: As6 AAA/AUTHOR/FSM (2347737596): Method=radius (radius)
01:02:17: As6 AAA/AUTHOR (2347737596): Post authorization status = PASS_REPL
01:02:17: As6 AAA/AUTHOR/FSM: We can start IPCP
01:02:17: As6 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 172.22.83.5
01:02:17: As6 AAA/AUTHOR/IPCP: Processing AV service=ppp
01:02:17: As6 AAA/AUTHOR/IPCP: Processing AV inacl=110
01:02:17: As6 AAA/AUTHOR/IPCP: Authorization succeeded
01:02:17: As6 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 172.22.83.5
01:02:18: As6 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 172.22.83.5
01:02:18: As6 AAA/AUTHOR/IPCP: Processing AV service=ppp
01:02:18: As6 AAA/AUTHOR/IPCP: Processing AV inacl=110
01:02:18: As6 AAA/AUTHOR/IPCP: Authorization succeeded
01:02:18: As6 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 172.22.83.5
01:02:18: As6 AAA/AUTHOR/IPCP: Start. Her address 172.22.83.5, we want 172.22.83.5

3. Input access-list is verified as 110 while the output access-list is shown as not set.


Output from show caller user rad_dial detail from NAS:


User: rad_dial, line tty 116, service Async
Active time 00:01:29, Idle time 00:00:40
Timeouts: Absolute Idle Idle
Session Exec
Limits: 04:00:00 - 00:48:00
Disconnect in: 03:58:30 - -
TTY: Line 116, running PPP on As116
Location: PPP: 172.22.83.37
DS0: (slot/unit/channel)=0/0/20
Line: Baud rate (TX/RX) is 115200/115200, no parity, 1 stopbits, 8 databits
Status: Ready, Active, No Exit Banner, Async Interface Active
HW PPP Support Active, Modem Detected
Capabilities: Hardware Flowcontrol In, Hardware Flowcontrol Out
Modem Callout, Modem RI is CD,
Line usable as async interface, Modem Autoconfigure
Integrated Modem
Modem State: Ready, Modem Configured

User: rad_dial, line As116, service PPP


Active time 00:01:23, Idle time 00:00:35
Timeouts: Absolute Idle
Limits: - -
Disconnect in: - -
PPP: LCP Open, PAP (<- AAA), IPCP, CDPCP
LCP: -> peer, ACCM, AuthProto, MagicNumber, PCompression, ACCompression
<- peer, ACCM, MagicNumber, PCompression, ACCompression
NCP: Open IPCP, CDPCP
IPCP: <- peer, Address
-> peer, Address
IP: Local 172.22.83.1, remote 172.22.83.37
Access list (I/O) is 110/not set, default (I/O) not set/not set
Counts: 14 packets input, 1399 bytes, 0 no buffer
1 input errors, 1 CRC, 0 frame, 0 overrun
15 packets output, 1448 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
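The NAS debug fragments in C.1 through C.4 share a structure a parser can use: every AAA transaction carries a numeric id in parentheses (or after id= on the TAC+ lines), the NAS logs each attribute it sends as send AV, and the transaction ends with a status = line; in TACACS+ attribute syntax, attr=value is mandatory and attr*value is optional, which is why addr-pool*default and inacl=110 differ. The following Python parser is an added example, not part of the case study; it correlates those lines by id, separates mandatory from optional attributes, and classifies the outcome. The sample lines are constructed after the fragments above.

```python
"""Correlate Cisco IOS AAA debug lines by transaction id.

Added example, not part of the case study. Handles the three line shapes in
the fragments above: sequence-numbered with timestamp, '*'-prefixed with
timestamp, and uptime-only. Only the AAA message text after the prefix matters.
"""
import re
from collections import OrderedDict

# transaction id: '(2368549471)' in AAA lines, 'id=2368549471' in TAC+ lines
ID_RE = re.compile(r"\((?P<paren>\d{6,})\)|\bid=(?P<eq>\d{6,})")
SEND_AV_RE = re.compile(r"send AV (?P<attr>[\w-]+)(?P<sep>[=*])(?P<value>\S*)")
STATUS_RE = re.compile(r"status = (?P<status>[A-Z_]+)")
METHOD_RE = re.compile(r"Method=(?P<method>[\w+]+)")
USER_RE = re.compile(r"\buser='?(?P<user>[^'\s]+)'?")  # \b keeps ruser='' from matching
FINAL = {"PASS", "FAIL", "ERROR", "PASS_ADD", "PASS_REPL"}

# Constructed sample modeled on the C.1, C.2 and C.4 fragments.
SAMPLE_DEBUG = """\
113295: Feb 4 10:40:13.696 CST: AAA/AUTHEN/START (2368549471): port='Async3' list='' action=LOGIN service=PPP
113296: Feb 4 10:40:13.696 CST: AAA/AUTHEN/START (2368549471): using "default" list
113297: Feb 4 10:40:13.696 CST: AAA/AUTHEN (2368549471): status = UNKNOWN
113298: Feb 4 10:40:13.696 CST: AAA/AUTHEN/START (2368549471): Method=tacacs+ (tacacs+)
113299: Feb 4 10:40:13.696 CST: TAC+: send AUTHEN/START packet ver=193 id=2368549471
113300: Feb 4 10:40:13.900 CST: TAC+: ver=193 id=2368549471 received AUTHEN status = PASS
*Apr 6 00:12:31.480: AAA/AUTHOR/PPP: As8 (1961228100) user='dialtest'
*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): send AV service=ppp
*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): send AV protocol=ip
*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): send AV addr-pool*default
*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): Method=tacacs+ (tacacs+)
*Apr 6 00:12:31.684: As8 AAA/AUTHOR (1961228100): Post authorization status = PASS_ADD
01:02:17: AAA/AUTHOR/LCP: As6 (3341570658) user='rad_dial'
01:02:17: As6 AAA/AUTHOR/LCP (3341570658): send AV service=ppp
01:02:17: As6 AAA/AUTHOR/LCP (3341570658): send AV protocol=lcp
01:02:17: As6 AAA/AUTHOR/LCP (3341570658): Method=radius (radius)
01:02:17: As6 AAA/AUTHOR (3341570658): Post authorization status = PASS_REPL
"""


def new_record(txid):
    return {"id": txid, "facility": None, "user": None, "method": None,
            "mandatory": {}, "optional": {}, "status": None}


def parse_debug(text):
    """Return an ordered map id -> record built from every line carrying that id."""
    records = OrderedDict()
    for line in text.splitlines():
        m = ID_RE.search(line)
        if not m:
            continue  # create_user/free_user lines carry a pointer, not a transaction id
        txid = m["paren"] or m["eq"]
        rec = records.setdefault(txid, new_record(txid))
        if rec["facility"] is None:
            if "AUTHEN" in line:
                rec["facility"] = "AUTHEN"
            elif "AUTHOR" in line.upper():  # also 'received author response'
                rec["facility"] = "AUTHOR"
        u = USER_RE.search(line)
        if u and rec["user"] is None:
            rec["user"] = u["user"]
        mm = METHOD_RE.search(line)
        if mm:
            rec["method"] = mm["method"]
        av = SEND_AV_RE.search(line)
        if av:
            # TACACS+ syntax: attr=value is mandatory, attr*value is optional
            bucket = "mandatory" if av["sep"] == "=" else "optional"
            rec[bucket][av["attr"]] = av["value"]
        st = STATUS_RE.search(line)
        if st:
            rec["status"] = st["status"]  # last status seen wins
    return records


def outcome(rec):
    """'PASS', 'FAIL' or 'INCOMPLETE'; GETUSER/GETPASS/UNKNOWN are interim states."""
    if rec["status"] in FINAL:
        return "FAIL" if rec["status"] in ("FAIL", "ERROR") else "PASS"
    return "INCOMPLETE"


if __name__ == "__main__":
    for rec in parse_debug(SAMPLE_DEBUG).values():
        print(f"{rec['id']} {rec['facility'] or '?':<6} user={rec['user']} "
              f"method={rec['method']} mandatory={rec['mandatory']} "
              f"optional={rec['optional']} -> {outcome(rec)}")
```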

C.5 Server-Based TACACS+ Router Authentication Diagnostics


The following test results for “4.5 Implementing Server-Based TACACS+ Router Authentication”
provide relevant router output:
1. Get user and password interaction between router and AAA server.
2. User rtr_test successfully logs in.

Note Use this debug command: debug aaa authentication.

The following diagnostic results are presented in the order in which they are generated during the
authentication process. Specific output fragments are differentiated with brief explanatory notes to help you
identify relevant information.

Note The debug command output can vary depending on Cisco IOS versions.

1. Get user and password interaction between router and AAA server.


Router debug output:


Feb 24 11:10:27.101 CST: AAA/MEMORY: create_user (0x61F74900) user='' ruser='' port='tty2' rem_addr='172.22.53.201' authen_type=ASCII service=LOGIN priv=1
Feb 24 11:10:27.101 CST: AAA/AUTHEN/START (2925282821): port='tty2' list='' action=LOGIN service=LOGIN
Feb 24 11:10:27.101 CST: AAA/AUTHEN/START (2925282821): using "default" list
Feb 24 11:10:27.101 CST: AAA/AUTHEN/START (2925282821): Method=tacacs+ (tacacs+)
Feb 24 11:10:27.105 CST: TAC+: send AUTHEN/START packet ver=192 id=2925282821
Feb 24 11:10:27.305 CST: TAC+: ver=192 id=2925282821 received AUTHEN status = GETUSER
Feb 24 11:10:27.305 CST: AAA/AUTHEN (2925282821): status = GETUSER
Feb 24 11:10:30.549 CST: AAA/AUTHEN/CONT (2925282821): continue_login (user='(undef)')
Feb 24 11:10:30.549 CST: AAA/AUTHEN (2925282821): status = GETUSER
Feb 24 11:10:30.549 CST: AAA/AUTHEN (2925282821): Method=tacacs+ (tacacs+)
Feb 24 11:10:30.549 CST: TAC+: send AUTHEN/CONT packet id=2925282821
Feb 24 11:10:30.749 CST: TAC+: ver=192 id=2925282821 received AUTHEN status = GETPASS
Feb 24 11:10:30.749 CST: AAA/AUTHEN (2925282821): status = GETPASS
Feb 24 11:10:33.981 CST: AAA/AUTHEN/CONT (2925282821): continue_login (user='rtr_test')
Feb 24 11:10:33.981 CST: AAA/AUTHEN (2925282821): status = GETPASS
Feb 24 11:10:33.981 CST: AAA/AUTHEN (2925282821): Method=tacacs+ (tacacs+)
Feb 24 11:10:33.981 CST: TAC+: send AUTHEN/CONT packet id=2925282821
Feb 24 11:10:34.181 CST: TAC+: ver=192 id=2925282821 received AUTHEN status = PASS
Feb 24 11:10:34.181 CST: AAA/AUTHEN (2925282821): status = PASS
Feb 24 11:10:34.381 CST: TAC+: (2248458861): received author response status = PASS_ADD

2. User rtr_test successfully logs in.


AAA server csuslog output:
Feb 24 11:10:34 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.255.3, Port = tty2, User = rtr_test, Priv = 1


C.6 Server-Based TACACS+ Router Authorization Diagnostics


The following test results illustrate three separate user types as described in “4.6 Implementing
Server-Based TACACS+ Router Authorization”, belonging to three separate user groups: rtr_low,
rtr_tech, and rtr_super. The example output is provided in the following sections:
• C.6.1 Test Results for rtr_low Group
• C.6.2 Test Results for rtr_tech Group
• C.6.3 Test Results for rtr_super Group

Note Use this debug command: debug aaa authorization.

C.6.1 Test Results for rtr_low Group


Test results follow for each Cisco IOS command summarized in Table 4-1, including relevant router
output and AAA server log output:
1. User rtr_dweeb is authorized EXEC shell access.
2. User rtr_dweeb enters enable mode.
3. User rtr_dweeb fails debug all command.
4. User rtr_dweeb fails debug ip packet command.
5. User rtr_dweeb fails clear ip cache command.
6. User rtr_dweeb fails reload command.
7. User rtr_dweeb fails show running-config command.
8. User rtr_dweeb fails write terminal command.
9. User rtr_dweeb fails copy running-config startup-config command.
10. User rtr_dweeb fails write memory command.
11. User rtr_dweeb fails configure terminal command.
The following diagnostic results are presented in the order in which they are generated during the
authorization process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.


Note The debug command output can vary depending on Cisco IOS versions.

1. User rtr_dweeb is authorized EXEC shell access.


Router debug output:
Feb 18 11:44:36.115 CST: AAA/MEMORY: create_user (0x61F883B4) user='' ruser='' port='tty3' rem_addr='172.22.53.201' authen_type=ASCII service=LOGIN priv=1
Feb 18 11:44:42.135 CST: tty3 AAA/AUTHOR/EXEC (1279405337): Port='tty3' list='' service=EXEC
Feb 18 11:44:42.135 CST: AAA/AUTHOR/EXEC: tty3 (1279405337) user='rtr_dweeb'
Feb 18 11:44:42.135 CST: tty3 AAA/AUTHOR/EXEC (1279405337): send AV service=shell
Feb 18 11:44:42.135 CST: tty3 AAA/AUTHOR/EXEC (1279405337): send AV cmd*
Feb 18 11:44:42.135 CST: tty3 AAA/AUTHOR/EXEC (1279405337): found list "default"
Feb 18 11:44:42.135 CST: tty3 AAA/AUTHOR/EXEC (1279405337): Method=tacacs+ (tacacs+)
Feb 18 11:44:42.135 CST: AAA/AUTHOR/TAC+: (1279405337): user=rtr_dweeb
Feb 18 11:44:42.135 CST: AAA/AUTHOR/TAC+: (1279405337): send AV service=shell
Feb 18 11:44:42.135 CST: AAA/AUTHOR/TAC+: (1279405337): send AV cmd*
Feb 18 11:44:42.335 CST: AAA/AUTHOR (1279405337): Post authorization status =
PASS_ADD
Feb 18 11:44:42.335 CST: AAA/AUTHOR/EXEC: Authorization successful

AAA server csuslog output:


Feb 18 11:44:41 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful;
[NAS = 172.22.255.3, Port = tty3, User = rtr_dweeb, Priv = 1]
Feb 18 11:44:41 coachella CiscoSecure: DEBUG -
Feb 18 11:44:42 coachella CiscoSecure: DEBUG - AUTHORIZATION request (4c422d19)
Feb 18 11:44:42 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd* output:
]

2. User rtr_dweeb enters enable mode.


Router debug output:
Feb 18 11:44:45.651 CST: AAA/MEMORY: free_user (0x61CC44D4) user='' ruser=''
port='tty3' rem_addr='172.22.53.201' authen_type=ASCII service=ENABLE priv=15

3. User rtr_dweeb fails debug all command.


Router debug output:
Feb 18 11:44:49.875 CST: tty3 AAA/AUTHOR/CMD (2800178490): Port='tty3' list=''
service=CMD
Feb 18 11:44:49.875 CST: AAA/AUTHOR/CMD: tty3 (2800178490) user='rtr_dweeb'
Feb 18 11:44:49.875 CST: tty3 AAA/AUTHOR/CMD (2800178490): send AV service=shell
Feb 18 11:44:49.879 CST: tty3 AAA/AUTHOR/CMD (2800178490): send AV cmd=debug
Feb 18 11:44:49.879 CST: tty3 AAA/AUTHOR/CMD (2800178490): send AV cmd-arg=all
Feb 18 11:44:49.879 CST: tty3 AAA/AUTHOR/CMD (2800178490): send AV cmd-arg=<cr>
Feb 18 11:44:49.879 CST: tty3 AAA/AUTHOR/CMD (2800178490): found list "default"
Feb 18 11:44:49.879 CST: tty3 AAA/AUTHOR/CMD (2800178490): Method=tacacs+ (tacacs+)
Feb 18 11:44:49.879 CST: AAA/AUTHOR/TAC+: (2800178490): user=rtr_dweeb
Feb 18 11:44:49.879 CST: AAA/AUTHOR/TAC+: (2800178490): send AV service=shell
Feb 18 11:44:49.879 CST: AAA/AUTHOR/TAC+: (2800178490): send AV cmd=debug
Feb 18 11:44:49.879 CST: AAA/AUTHOR/TAC+: (2800178490): send AV cmd-arg=all
Feb 18 11:44:49.879 CST: AAA/AUTHOR/TAC+: (2800178490): send AV cmd-arg=<cr>
Feb 18 11:44:50.079 CST: AAA/AUTHOR (2800178490): Post authorization status = FAIL


AAA server csuslog output:


Feb 18 11:44:49 coachella CiscoSecure: DEBUG - AUTHORIZATION request (a6e7553a)
Feb 18 11:44:49 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS =
172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=debug
cmd-arg=all cmd-arg=<cr> output: ]

4. User rtr_dweeb fails debug ip packet command.


Router debug output:
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): Port='tty3' list=''
service=CMD
Feb 18 11:44:55.447 CST: AAA/AUTHOR/CMD: tty3 (4087104408) user='rtr_dweeb'
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): send AV service=shell
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): send AV cmd=debug
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): send AV cmd-arg=ip
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): send AV cmd-arg=packet
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): send AV cmd-arg=<cr>
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): found list "default"
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): Method=tacacs+ (tacacs+)
Feb 18 11:44:55.447 CST: AAA/AUTHOR/TAC+: (4087104408): user=rtr_dweeb
Feb 18 11:44:55.447 CST: AAA/AUTHOR/TAC+: (4087104408): send AV service=shell
Feb 18 11:44:55.447 CST: AAA/AUTHOR/TAC+: (4087104408): send AV cmd=debug
Feb 18 11:44:55.447 CST: AAA/AUTHOR/TAC+: (4087104408): send AV cmd-arg=ip
Feb 18 11:44:55.447 CST: AAA/AUTHOR/TAC+: (4087104408): send AV cmd-arg=packet
Feb 18 11:44:55.447 CST: AAA/AUTHOR/TAC+: (4087104408): send AV cmd-arg=<cr>
Feb 18 11:44:55.647 CST: AAA/AUTHOR (4087104408): Post authorization status = FAIL

AAA server csuslog output:


Feb 18 11:44:55 coachella CiscoSecure: DEBUG - AUTHORIZATION request (f39c4398)
Feb 18 11:44:55 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS =
172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=debug
cmd-arg=ip cmd-arg=packet cmd-arg=<cr> output: ]

5. User rtr_dweeb fails clear ip cache command.


Router debug output:
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): Port='tty3'
list=''service=CMD
Feb 18 11:45:00.483 CST: AAA/AUTHOR/CMD: tty3 (3223867754) user='rtr_dweeb'
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): send AV service=shell
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): send AV cmd=clear
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): send AV cmd-arg=ip
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): send AV cmd-arg=cache
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): send AV cmd-arg=<cr>
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): found list "default"
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): Method=tacacs+ (tacacs+)
Feb 18 11:45:00.483 CST: AAA/AUTHOR/TAC+: (3223867754): user=rtr_dweeb
Feb 18 11:45:00.483 CST: AAA/AUTHOR/TAC+: (3223867754): send AV service=shell
Feb 18 11:45:00.483 CST: AAA/AUTHOR/TAC+: (3223867754): send AV cmd=clear
Feb 18 11:45:00.483 CST: AAA/AUTHOR/TAC+: (3223867754): send AV cmd-arg=ip
Feb 18 11:45:00.483 CST: AAA/AUTHOR/TAC+: (3223867754): send AV cmd-arg=cache
Feb 18 11:45:00.483 CST: AAA/AUTHOR/TAC+: (3223867754): send AV cmd-arg=<cr>
Feb 18 11:45:00.687 CST: AAA/AUTHOR (3223867754): Post authorization status = FAIL

AAA server csuslog output:


Feb 18 11:45:00 coachella CiscoSecure: DEBUG - AUTHORIZATION request (c028516a)
Feb 18 11:45:00 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS =
172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=clear
cmd-arg=ip cmd-arg=cache cmd-arg=<cr> output: ]


6. User rtr_dweeb fails reload command.


Router debug output:
Feb 18 11:45:03.911 CST: tty3 AAA/AUTHOR/CMD (410330894): Port='tty3' list=''
service=CMD
Feb 18 11:45:03.911 CST: AAA/AUTHOR/CMD: tty3 (410330894) user='rtr_dweeb'
Feb 18 11:45:03.911 CST: tty3 AAA/AUTHOR/CMD (410330894): send AV service=shell
Feb 18 11:45:03.911 CST: tty3 AAA/AUTHOR/CMD (410330894): send AV cmd=reload
Feb 18 11:45:03.911 CST: tty3 AAA/AUTHOR/CMD (410330894): send AV cmd-arg=<cr>
Feb 18 11:45:03.911 CST: tty3 AAA/AUTHOR/CMD (410330894): found list "default"
Feb 18 11:45:03.911 CST: tty3 AAA/AUTHOR/CMD (410330894): Method=tacacs+ (tacacs+)
Feb 18 11:45:03.911 CST: AAA/AUTHOR/TAC+: (410330894): user=rtr_dweeb
Feb 18 11:45:03.911 CST: AAA/AUTHOR/TAC+: (410330894): send AV service=shell
Feb 18 11:45:03.911 CST: AAA/AUTHOR/TAC+: (410330894): send AV cmd=reload
Feb 18 11:45:03.911 CST: AAA/AUTHOR/TAC+: (410330894): send AV cmd-arg=<cr>
Feb 18 11:45:04.115 CST: AAA/AUTHOR (410330894): Post authorization status = FAIL

AAA server csuslog output:


Feb 18 11:45:03 coachella CiscoSecure: DEBUG - AUTHORIZATION request (1875270e)
Feb 18 11:45:03 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS =
172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=reload
cmd-arg=<cr> output: ]

7. User rtr_dweeb fails show running-config command.


Router debug output:
Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): Port='tty3' list=''
service=CMD
Feb 18 11:45:08.891 CST: AAA/AUTHOR/CMD: tty3 (2227741892) user='rtr_dweeb'
Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): send AV service=shell
Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): send AV cmd=show
Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): send AV
cmd-arg=running-config
Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): send AV cmd-arg=<cr>
Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): found list "default"
Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): Method=tacacs+ (tacacs+)
Feb 18 11:45:08.891 CST: AAA/AUTHOR/TAC+: (2227741892): user=rtr_dweeb
Feb 18 11:45:08.891 CST: AAA/AUTHOR/TAC+: (2227741892): send AV service=shell
Feb 18 11:45:08.891 CST: AAA/AUTHOR/TAC+: (2227741892): send AV cmd=show
Feb 18 11:45:08.891 CST: AAA/AUTHOR/TAC+: (2227741892): send AV
cmd-arg=running-config
Feb 18 11:45:08.891 CST: AAA/AUTHOR/TAC+: (2227741892): send AV cmd-arg=<cr>
Feb 18 11:45:09.095 CST: AAA/AUTHOR (2227741892): Post authorization status = FAIL

AAA server csuslog output:


Feb 18 11:45:08 coachella CiscoSecure: DEBUG - AUTHORIZATION request (84c8a4c4)
Feb 18 11:45:08 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS =
172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell
cmd=show cmd-arg=running-config cmd-arg=<cr> output: ]


8. User rtr_dweeb fails write terminal command.


Router debug output:
Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): Port='tty3' list=''
service=CMD
Feb 18 11:45:12.079 CST: AAA/AUTHOR/CMD: tty3 (2744233862) user='rtr_dweeb'
Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): send AV service=shell
Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): send AV cmd=write
Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): send AV cmd-arg=terminal
Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): send AV cmd-arg=<cr>
Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): found list "default"
Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): Method=tacacs+ (tacacs+)
Feb 18 11:45:12.079 CST: AAA/AUTHOR/TAC+: (2744233862): user=rtr_dweeb
Feb 18 11:45:12.079 CST: AAA/AUTHOR/TAC+: (2744233862): send AV service=shell
Feb 18 11:45:12.079 CST: AAA/AUTHOR/TAC+: (2744233862): send AV cmd=write
Feb 18 11:45:12.079 CST: AAA/AUTHOR/TAC+: (2744233862): send AV cmd-arg=terminal
Feb 18 11:45:12.079 CST: AAA/AUTHOR/TAC+: (2744233862): send AV cmd-arg=<cr>
Feb 18 11:45:12.279 CST: AAA/AUTHOR (2744233862): Post authorization status = FAIL

AAA server csuslog output:


Feb 18 11:45:11 coachella CiscoSecure: DEBUG - AUTHORIZATION request (a391af86)
Feb 18 11:45:11 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS =
172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=write
cmd-arg=terminal cmd-arg=<cr> output: ]

9. User rtr_dweeb fails copy running-config startup-config command.


Router debug output:
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): Port='tty3' list=''
service=CMD
Feb 18 11:45:17.631 CST: AAA/AUTHOR/CMD: tty3 (1138992853) user='rtr_dweeb'
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): send AV service=shell
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): send AV cmd=copy
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): send AV
cmd-arg=running-config
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): send AV
cmd-arg=startup-config
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): send AV cmd-arg=<cr>
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): found list "default"
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): Method=tacacs+ (tacacs+)
Feb 18 11:45:17.631 CST: AAA/AUTHOR/TAC+: (1138992853): user=rtr_dweeb
Feb 18 11:45:17.631 CST: AAA/AUTHOR/TAC+: (1138992853): send AV service=shell
Feb 18 11:45:17.631 CST: AAA/AUTHOR/TAC+: (1138992853): send AV cmd=copy
Feb 18 11:45:17.631 CST: AAA/AUTHOR/TAC+: (1138992853): send AV
cmd-arg=running-config
Feb 18 11:45:17.631 CST: AAA/AUTHOR/TAC+: (1138992853): send AV
cmd-arg=startup-config
Feb 18 11:45:17.631 CST: AAA/AUTHOR/TAC+: (1138992853): send AV cmd-arg=<cr>
Feb 18 11:45:17.835 CST: AAA/AUTHOR (1138992853): Post authorization status = FAIL

AAA server csuslog output:


Feb 18 11:45:17 coachella CiscoSecure: DEBUG - AUTHORIZATION request (43e3a6d5)
Feb 18 11:45:17 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS =
172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell
cmd=copy cmd-arg=running-config cmd-arg=startup-config cmd-arg=<cr> output: ]


10. User rtr_dweeb fails write memory command.


Router debug output:
Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): Port='tty3' list=''
service=CMD
Feb 18 11:45:20.915 CST: AAA/AUTHOR/CMD: tty3 (1068431717) user='rtr_dweeb'
Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): send AV service=shell
Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): send AV cmd=write
Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): send AV cmd-arg=memory
Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): send AV cmd-arg=<cr>
Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): found list "default"
Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): Method=tacacs+ (tacacs+)
Feb 18 11:45:20.915 CST: AAA/AUTHOR/TAC+: (1068431717): user=rtr_dweeb
Feb 18 11:45:20.915 CST: AAA/AUTHOR/TAC+: (1068431717): send AV service=shell
Feb 18 11:45:20.915 CST: AAA/AUTHOR/TAC+: (1068431717): send AV cmd=write
Feb 18 11:45:20.915 CST: AAA/AUTHOR/TAC+: (1068431717): send AV cmd-arg=memory
Feb 18 11:45:20.915 CST: AAA/AUTHOR/TAC+: (1068431717): send AV cmd-arg=<cr>
Feb 18 11:45:21.119 CST: AAA/AUTHOR (1068431717): Post authorization status = FAIL

AAA server csuslog output:


Feb 18 11:45:20 coachella CiscoSecure: DEBUG - AUTHORIZATION request (3faef965)
Feb 18 11:45:20 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS =
172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell
cmd=write cmd-arg=memory cmd-arg=<cr> output: ]

11. User rtr_dweeb fails configure terminal command.


Router debug output:
Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): Port='tty3' list=''
service=CMD
Feb 18 11:45:32.399 CST: AAA/AUTHOR/CMD: tty3 (530570549) user='rtr_dweeb'
Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): send AV service=shell
Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): send AV cmd=configure
Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): send AV cmd-arg=terminal
Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): send AV cmd-arg=<cr>
Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): found list "default"
Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): Method=tacacs+ (tacacs+)
Feb 18 11:45:32.399 CST: AAA/AUTHOR/TAC+: (530570549): user=rtr_dweeb
Feb 18 11:45:32.399 CST: AAA/AUTHOR/TAC+: (530570549): send AV service=shell
Feb 18 11:45:32.399 CST: AAA/AUTHOR/TAC+: (530570549): send AV cmd=configure
Feb 18 11:45:32.399 CST: AAA/AUTHOR/TAC+: (530570549): send AV cmd-arg=terminal
Feb 18 11:45:32.399 CST: AAA/AUTHOR/TAC+: (530570549): send AV cmd-arg=<cr>
Feb 18 11:45:32.603 CST: AAA/AUTHOR (530570549): Post authorization status = FAIL

AAA server csuslog output:


Feb 18 11:45:32 coachella CiscoSecure: DEBUG - AUTHORIZATION request (1f9fdd35)
Feb 18 11:45:32 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS =
172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=configure
cmd-arg=terminal cmd-arg=<cr> output: ]

C.6.2 Test Results for rtr_tech Group


Test results follow for each of the Cisco IOS commands summarized in Table 4-1, including relevant
router output and AAA server log output:
1. User rtr_techie is authorized EXEC shell access.
2. User rtr_techie enters enable mode.
3. User rtr_techie is denied the debug all command.
4. User rtr_techie is permitted debug ip packet command.
5. User rtr_techie is permitted clear ip cache command.
6. User rtr_techie is denied reload command.
7. User rtr_techie is permitted show running-config command.
8. User rtr_techie is permitted write terminal command.
9. User rtr_techie is permitted copy running-config startup-config command.
10. User rtr_techie is permitted write memory command.
11. User rtr_techie is denied configure terminal command.
The following diagnostic results are presented in the order in which they are generated during the
authorization process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.

Note The debug command output can vary depending on Cisco IOS versions.

1. User rtr_techie is authorized EXEC shell access.


Router debug output:
Feb 18 14:27:32.388 CST: AAA/MEMORY: create_user (0x61CC44D8) user='' ruser=''
port='tty3' rem_addr='172.22.53.201' authen_type=ASCII service=LOGIN priv=1
Feb 18 14:27:36.984 CST: tty3 AAA/AUTHOR/EXEC (3820424789): Port='tty3'
list=''service=EXEC
Feb 18 14:27:36.984 CST: AAA/AUTHOR/EXEC: tty3 (3820424789) user='rtr_techie'
Feb 18 14:27:36.984 CST: tty3 AAA/AUTHOR/EXEC (3820424789): send AV service=shell
Feb 18 14:27:36.984 CST: tty3 AAA/AUTHOR/EXEC (3820424789): send AV cmd*
Feb 18 14:27:36.984 CST: tty3 AAA/AUTHOR/EXEC (3820424789): found list "default"
Feb 18 14:27:36.984 CST: tty3 AAA/AUTHOR/EXEC (3820424789): Method=tacacs+ (tacacs+)
Feb 18 14:27:36.984 CST: AAA/AUTHOR/TAC+: (3820424789): user=rtr_techie
Feb 18 14:27:36.984 CST: AAA/AUTHOR/TAC+: (3820424789): send AV service=shell
Feb 18 14:27:36.984 CST: AAA/AUTHOR/TAC+: (3820424789): send AV cmd*
Feb 18 14:27:37.184 CST: AAA/AUTHOR (3820424789): Post authorization status =
PASS_ADD
Feb 18 14:27:37.184 CST: AAA/AUTHOR/EXEC: Authorization successful

AAA server csuslog output:


Feb 18 14:27:36 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful;
[NAS = 172.22.255.3, Port = tty3, User = rtr_techie, Priv = 1]
Feb 18 14:27:36 coachella CiscoSecure: DEBUG -
Feb 18 14:27:36 coachella CiscoSecure: DEBUG - AUTHORIZATION request (e3b70e55)
Feb 18 14:27:36 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd*
output: ]

2. User rtr_techie enters enable mode.


Router debug output:
Feb 18 14:27:39.776 CST: AAA/MEMORY: free_user (0x61F5DEC0) user='' ruser=''
port='tty3' rem_addr='172.22.53.201' authen_type=ASCII service=ENABLE priv=15

3. User rtr_techie is denied the debug all command.


Router debug output:
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): Port='tty3' list=''
service=CMD
Feb 18 14:27:43.976 CST: AAA/AUTHOR/CMD: tty3 (438698848) user='rtr_techie'
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): send AV service=shell
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): send AV cmd=debug
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): send AV cmd-arg=all
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): send AV cmd-arg=<cr>
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): found list "default"
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): Method=tacacs+ (tacacs+)
Feb 18 14:27:43.976 CST: AAA/AUTHOR/TAC+: (438698848): user=rtr_techie
Feb 18 14:27:43.980 CST: AAA/AUTHOR/TAC+: (438698848): send AV service=shell
Feb 18 14:27:43.980 CST: AAA/AUTHOR/TAC+: (438698848): send AV cmd=debug
Feb 18 14:27:43.980 CST: AAA/AUTHOR/TAC+: (438698848): send AV cmd-arg=all
Feb 18 14:27:43.980 CST: AAA/AUTHOR/TAC+: (438698848): send AV cmd-arg=<cr>
Feb 18 14:27:44.180 CST: AAA/AUTHOR (438698848): Post authorization status = FAIL

AAA server csuslog output:


Feb 18 14:27:43 coachella CiscoSecure: DEBUG - AUTHORIZATION request (1a260360)
Feb 18 14:27:43 coachella CiscoSecure: DEBUG - Authorization - Failed command line;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=debug
cmd-arg=all cmd-arg=<cr> output: ]

4. User rtr_techie is permitted debug ip packet command.


Router debug output:
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): Port='tty3'
list=''service=CMD
Feb 18 14:27:47.668 CST: AAA/AUTHOR/CMD: tty3 (3962222355) user='rtr_techie'
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV service=shell
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV cmd=debug
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV cmd-arg=ip
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV cmd-arg=packet
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV cmd-arg=<cr>
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): found list "default"
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): Method=tacacs+ (tacacs+)
Feb 18 14:27:47.668 CST: AAA/AUTHOR/TAC+: (3962222355): user=rtr_techie
Feb 18 14:27:47.668 CST: AAA/AUTHOR/TAC+: (3962222355): send AV service=shell
Feb 18 14:27:47.668 CST: AAA/AUTHOR/TAC+: (3962222355): send AV cmd=debug
Feb 18 14:27:47.668 CST: AAA/AUTHOR/TAC+: (3962222355): send AV cmd-arg=ip
Feb 18 14:27:47.668 CST: AAA/AUTHOR/TAC+: (3962222355): send AV cmd-arg=packet
Feb 18 14:27:47.668 CST: AAA/AUTHOR/TAC+: (3962222355): send AV cmd-arg=<cr>
Feb 18 14:27:47.872 CST: AAA/AUTHOR (3962222355): Post authorization status =
PASS_ADD

AAA server csuslog output:


Feb 18 14:27:47 coachella CiscoSecure: DEBUG - AUTHORIZATION request (ec2ab713)
Feb 18 14:27:47 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=debug
cmd-arg=ip cmd-arg=packet cmd-arg=<cr> output: ]


5. User rtr_techie is permitted clear ip cache command.


Router debug output:
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): Port='tty3' list=''
service=CMD
Feb 18 14:27:51.760 CST: AAA/AUTHOR/CMD: tty3 (1013999614) user='rtr_techie'
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): send AV service=shell
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): send AV cmd=clear
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): send AV cmd-arg=ip
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): send AV cmd-arg=cache
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): send AV cmd-arg=<cr>
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): found list "default"
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): Method=tacacs+ (tacacs+)
Feb 18 14:27:51.760 CST: AAA/AUTHOR/TAC+: (1013999614): user=rtr_techie
Feb 18 14:27:51.760 CST: AAA/AUTHOR/TAC+: (1013999614): send AV service=shell
Feb 18 14:27:51.760 CST: AAA/AUTHOR/TAC+: (1013999614): send AV cmd=clear
Feb 18 14:27:51.760 CST: AAA/AUTHOR/TAC+: (1013999614): send AV cmd-arg=ip
Feb 18 14:27:51.760 CST: AAA/AUTHOR/TAC+: (1013999614): send AV cmd-arg=cache
Feb 18 14:27:51.760 CST: AAA/AUTHOR/TAC+: (1013999614): send AV cmd-arg=<cr>
Feb 18 14:27:51.964 CST: AAA/AUTHOR (1013999614): Post authorization status =
PASS_ADD

AAA server csuslog output:


Feb 18 14:27:51 coachella CiscoSecure: DEBUG - AUTHORIZATION request (3c7067fe)
Feb 18 14:27:51 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=clear
cmd-arg=ip cmd-arg=cache cmd-arg=<cr> output: ]

6. User rtr_techie is denied reload command.


Router debug output:
Feb 18 14:27:54.548 CST: tty3 AAA/AUTHOR/CMD (2672654626): Port='tty3' list=''
service=CMD
Feb 18 14:27:54.548 CST: AAA/AUTHOR/CMD: tty3 (2672654626) user='rtr_techie'
Feb 18 14:27:54.548 CST: tty3 AAA/AUTHOR/CMD (2672654626): send AV service=shell
Feb 18 14:27:54.548 CST: tty3 AAA/AUTHOR/CMD (2672654626): send AV cmd=reload
Feb 18 14:27:54.548 CST: tty3 AAA/AUTHOR/CMD (2672654626): send AV cmd-arg=<cr>
Feb 18 14:27:54.548 CST: tty3 AAA/AUTHOR/CMD (2672654626): found list "default"
Feb 18 14:27:54.548 CST: tty3 AAA/AUTHOR/CMD (2672654626): Method=tacacs+ (tacacs+)
Feb 18 14:27:54.548 CST: AAA/AUTHOR/TAC+: (2672654626): user=rtr_techie
Feb 18 14:27:54.548 CST: AAA/AUTHOR/TAC+: (2672654626): send AV service=shell
Feb 18 14:27:54.548 CST: AAA/AUTHOR/TAC+: (2672654626): send AV cmd=reload
Feb 18 14:27:54.548 CST: AAA/AUTHOR/TAC+: (2672654626): send AV cmd-arg=<cr>
Feb 18 14:27:54.752 CST: AAA/AUTHOR (2672654626): Post authorization status = FAIL

AAA server csuslog output:


Feb 18 14:27:54 coachella CiscoSecure: DEBUG - AUTHORIZATION request (9f4d7922)
Feb 18 14:27:54 coachella CiscoSecure: DEBUG - Authorization - Failed command line;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=reload
cmd-arg=<cr> output: ]


7. User rtr_techie is permitted show running-config command.


Router debug output:
Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): Port='tty3' list=''
service=CMD
Feb 18 14:27:57.576 CST: AAA/AUTHOR/CMD: tty3 (3919120170) user='rtr_techie'
Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): send AV service=shell
Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): send AV cmd=show
Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): send AV
cmd-arg=running-config
Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): send AV cmd-arg=<cr>
Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): found list "default"
Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): Method=tacacs+ (tacacs+)
Feb 18 14:27:57.576 CST: AAA/AUTHOR/TAC+: (3919120170): user=rtr_techie
Feb 18 14:27:57.576 CST: AAA/AUTHOR/TAC+: (3919120170): send AV service=shell
Feb 18 14:27:57.576 CST: AAA/AUTHOR/TAC+: (3919120170): send AV cmd=show
Feb 18 14:27:57.576 CST: AAA/AUTHOR/TAC+: (3919120170): send AV
cmd-arg=running-config
Feb 18 14:27:57.576 CST: AAA/AUTHOR/TAC+: (3919120170): send AV cmd-arg=<cr>
Feb 18 14:27:57.780 CST: AAA/AUTHOR (3919120170): Post authorization status =
PASS_ADD

AAA server csuslog output:


Feb 18 14:27:57 coachella CiscoSecure: DEBUG - AUTHORIZATION request (e999072a)
Feb 18 14:27:57 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=show
cmd-arg=running-config cmd-arg=<cr> output: ]

8. User rtr_techie is permitted write terminal command.


Router debug output:
Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): Port='tty3' list=''
service=CMD
Feb 18 14:28:00.825 CST: AAA/AUTHOR/CMD: tty3 (1409504713) user='rtr_techie'
Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): send AV service=shell
Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): send AV cmd=write
Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): send AV cmd-arg=terminal
Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): send AV cmd-arg=<cr>
Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): found list "default"
Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): Method=tacacs+ (tacacs+)
Feb 18 14:28:00.825 CST: AAA/AUTHOR/TAC+: (1409504713): user=rtr_techie
Feb 18 14:28:00.825 CST: AAA/AUTHOR/TAC+: (1409504713): send AV service=shell
Feb 18 14:28:00.825 CST: AAA/AUTHOR/TAC+: (1409504713): send AV cmd=write
Feb 18 14:28:00.825 CST: AAA/AUTHOR/TAC+: (1409504713): send AV cmd-arg=terminal
Feb 18 14:28:00.825 CST: AAA/AUTHOR/TAC+: (1409504713): send AV cmd-arg=<cr>
Feb 18 14:28:01.025 CST: AAA/AUTHOR (1409504713): Post authorization status =
PASS_ADD

AAA server csuslog output:


Feb 18 14:28:00 coachella CiscoSecure: DEBUG - AUTHORIZATION request (540355c9)
Feb 18 14:28:00 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=write
cmd-arg=terminal cmd-arg=<cr> output: ]


9. User rtr_techie is permitted copy running-config startup-config command.


Router debug output:
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): Port='tty3' list=''
service=CMD
Feb 18 14:28:05.269 CST: AAA/AUTHOR/CMD: tty3 (4281070087) user='rtr_techie'
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): send AV service=shell
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): send AV cmd=copy
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): send AV
cmd-arg=running-config
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): send AV
cmd-arg=startup-config
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): send AV cmd-arg=<cr>
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): found list "default"
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): Method=tacacs+ (tacacs+)
Feb 18 14:28:05.269 CST: AAA/AUTHOR/TAC+: (4281070087): user=rtr_techie
Feb 18 14:28:05.269 CST: AAA/AUTHOR/TAC+: (4281070087): send AV service=shell
Feb 18 14:28:05.269 CST: AAA/AUTHOR/TAC+: (4281070087): send AV cmd=copy
Feb 18 14:28:05.269 CST: AAA/AUTHOR/TAC+: (4281070087): send AV
cmd-arg=running-config
Feb 18 14:28:05.269 CST: AAA/AUTHOR/TAC+: (4281070087): send AV
cmd-arg=startup-config
Feb 18 14:28:05.269 CST: AAA/AUTHOR/TAC+: (4281070087): send AV cmd-arg=<cr>
Feb 18 14:28:05.473 CST: AAA/AUTHOR (4281070087): Post authorization status =
PASS_ADD

AAA server csuslog output:


Feb 18 14:28:05 coachella CiscoSecure: DEBUG - AUTHORIZATION request (ff2bf207)
Feb 18 14:28:05 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=copy
cmd-arg=running-config cmd-arg=startup-config cmd-arg=<cr> output: ]

10. User rtr_techie is permitted write memory command.


Router debug output:
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): Port='tty3' list=''
service=CMD
Feb 18 14:28:08.121 CST: AAA/AUTHOR/CMD: tty3 (192752980) user='rtr_techie'
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): send AV service=shell
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): send AV cmd=write
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): send AV cmd-arg=memory
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): send AV cmd-arg=<cr>
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): found list "default"
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): Method=tacacs+ (tacacs+)
Feb 18 14:28:08.121 CST: AAA/AUTHOR/TAC+: (192752980): user=rtr_techie
Feb 18 14:28:08.121 CST: AAA/AUTHOR/TAC+: (192752980): send AV service=shell
Feb 18 14:28:08.121 CST: AAA/AUTHOR/TAC+: (192752980): send AV cmd=write
Feb 18 14:28:08.121 CST: AAA/AUTHOR/TAC+: (192752980): send AV cmd-arg=memory
Feb 18 14:28:08.121 CST: AAA/AUTHOR/TAC+: (192752980): send AV cmd-arg=<cr>
Feb 18 14:28:08.325 CST: AAA/AUTHOR (192752980): Post authorization status = PASS_ADD

AAA server csuslog output:


Feb 18 14:28:08 coachella CiscoSecure: DEBUG - AUTHORIZATION request (b7d2d54)
Feb 18 14:28:08 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=write
cmd-arg=memory cmd-arg=<cr> output: ]

Cisco AAA Implementation Case Study


C-19
Appendix C Server-Based AAA Verification Diagnostic Output
C.6 Server-Based TACACS+ Router Authorization Diagnostics

11. User rtr_techie is denied configure terminal command.


Router debug output:
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): Port='tty3' list=''
service=CMD
Feb 18 14:28:11.621 CST: AAA/AUTHOR/CMD: tty3 (3042655042) user='rtr_techie'
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): send AV service=shell
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): send AV cmd=configure
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): send AV cmd-arg=terminal
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): send AV cmd-arg=<cr>
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): found list "default"
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): Method=tacacs+ (tacacs+)
Feb 18 14:28:11.621 CST: AAA/AUTHOR/TAC+: (3042655042): user=rtr_techie
Feb 18 14:28:11.621 CST: AAA/AUTHOR/TAC+: (3042655042): send AV service=shell
Feb 18 14:28:11.621 CST: AAA/AUTHOR/TAC+: (3042655042): send AV cmd=configure
Feb 18 14:28:11.621 CST: AAA/AUTHOR/TAC+: (3042655042): send AV cmd-arg=terminal
Feb 18 14:28:11.621 CST: AAA/AUTHOR/TAC+: (3042655042): send AV cmd-arg=<cr>
Feb 18 14:28:11.825 CST: AAA/AUTHOR (3042655042): Post authorization status = FAIL

AAA server csuslog output:


Feb 18 14:28:11 coachella CiscoSecure: DEBUG - AUTHORIZATION request (b55b3b42)
Feb 18 14:28:11 coachella CiscoSecure: DEBUG - Authorization - Failed command line;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell
cmd=configure cmd-arg=terminal cmd-arg=<cr> output: ]

C.6.3 Test Results for rtr_super Group


Test results follow for each of the Cisco IOS commands summarized in Table 4-1, including relevant
router output and AAA server log output:
1. User rtr_geek is authorized EXEC shell access.
2. User rtr_geek enters enable mode.
3. User rtr_geek is denied debug all command.
4. User rtr_geek is permitted debug ip packet command.
5. User rtr_geek is permitted reload command.
6. User rtr_geek is permitted show running-config command.
7. User rtr_geek is permitted write terminal command.
8. User rtr_geek is permitted copy running-config startup-config command.
9. User rtr_geek is permitted write memory command.
10. User rtr_geek is permitted configure terminal command.
The following diagnostic results are presented in the order in which they are generated during the
authorization process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.


Note The debug command output can vary depending on Cisco IOS versions.

1. User rtr_geek is authorized EXEC shell access.


Router debug output:
Feb 22 15:26:16.322 CST: AAA/AUTHOR/TAC+: (424410682): user=rtr_geek
Feb 22 15:26:16.322 CST: AAA/AUTHOR/TAC+: (424410682): send AV service=shell
Feb 22 15:26:16.322 CST: AAA/AUTHOR/TAC+: (424410682): send AV cmd*
Feb 22 15:26:16.822 CST: AAA/AUTHOR (424410682): Post authorization status = PASS_ADD
Feb 22 15:26:16.822 CST: AAA/AUTHOR/EXEC: Authorization successful
Feb 22 15:26:16.822 CST: AAA/ACCT/EXEC/START User rtr_geek, port tty3
Feb 22 15:26:16.822 CST: AAA/ACCT/EXEC: Found list "default"
Feb 22 15:26:16.822 CST: AAA/ACCT/EXEC/START User rtr_geek, Port tty3,
task_id=310 start_time=951254776 timezone=CST service=shell
Feb 22 15:26:16.822 CST: AAA/ACCT: user rtr_geek, acct type 0 (2751112696):
Method=tacacs+ (tacacs+)
Feb 22 15:26:17.022 CST: TAC+: (2751112696): received acct response status = SUCCESS

AAA server csuslog output:


Feb 22 15:26:16 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful;
[NAS = 172.22.255.3, Port = tty3, User = rtr_geek, Priv = 1]
Feb 22 15:26:16 coachella CiscoSecure: DEBUG -
Feb 22 15:26:16 coachella CiscoSecure: INFO - Profile: user = rtr_geek {
Feb 22 15:26:16 coachella set server current-failed-logins = 0
Feb 22 15:26:16 coachella profile_cycle = 2
Feb 22 15:26:16 coachella }
Feb 22 15:26:16 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd*output: ]

2. User rtr_geek enters enable mode.


Router debug output:
Feb 22 15:26:22.562 CST: AAA/MEMORY: free_user (0x61F55834) user='' ruser=''
port='tty3' rem_addr='172.22.53.201' authen_type=ASCII service=ENABLE priv=15

3. User rtr_geek is denied debug all command.


Router debug output:
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): Port='tty3' list=''
service=CMD
Feb 22 15:26:46.502 CST: AAA/AUTHOR/CMD: tty3 (32101230) user='rtr_geek'
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): send AV service=shell
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): send AV cmd=debug
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): send AV cmd-arg=all
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): send AV cmd-arg=<cr>
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): found list "default"
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): Method=tacacs+ (tacacs+)
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): user=rtr_geek
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): send AV service=shell
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): send AV cmd=debug
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): send AV cmd-arg=all
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): send AV cmd-arg=<cr>
Feb 22 15:26:46.702 CST: AAA/AUTHOR (32101230): Post authorization status = FAIL


AAA server csuslog output:


Feb 22 15:26:46 coachella CiscoSecure: DEBUG - AUTHORIZATION request (1e9d36e)
Feb 22 15:26:46 coachella CiscoSecure: DEBUG - Authorization - Failed command line;
[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=debug
cmd-arg=all cmd-arg=<cr> output: ]

4. User rtr_geek is permitted debug ip packet command.


Router debug output:
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): Port='tty3' list=''
service=CMD
Feb 22 15:26:53.378 CST: AAA/AUTHOR/CMD: tty3 (1642620731) user='rtr_geek'
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): send AV service=shell
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): send AV cmd=debug
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): send AV cmd-arg=ip
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): send AV cmd-arg=packet
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): send AV cmd-arg=<cr>
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): found list "default"
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): Method=tacacs+ (tacacs+)
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): user=rtr_geek
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): send AV service=shell
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): send AV cmd=debug
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): send AV cmd-arg=ip
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): send AV cmd-arg=packet
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): send AV cmd-arg=<cr>
Feb 22 15:26:53.578 CST: AAA/AUTHOR (1642620731): Post authorization status =
PASS_ADD

AAA server csuslog output:


Feb 22 15:26:53 coachella CiscoSecure: DEBUG - AUTHORIZATION request (61e8673b)
Feb 22 15:26:53 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=debug
cmd-arg=ip cmd-arg=packet cmd-arg=<cr> output: ]

5. User rtr_geek is permitted reload command.

Note Be sure to save your running configuration by using the appropriate write or copy
running-config command before using the reload command.

Router debug output:


Feb 22 15:27:16.667 CST: tty3 AAA/AUTHOR/CMD (3461622395): Port='tty3' list=''
service=CMD
Feb 22 15:27:16.667 CST: AAA/AUTHOR/CMD: tty3 (3461622395) user='rtr_geek'
Feb 22 15:27:16.667 CST: tty3 AAA/AUTHOR/CMD (3461622395): send AV service=shell
Feb 22 15:27:16.667 CST: tty3 AAA/AUTHOR/CMD (3461622395): send AV cmd=reload
Feb 22 15:27:16.667 CST: tty3 AAA/AUTHOR/CMD (3461622395): send AV cmd-arg=<cr>
Feb 22 15:27:16.667 CST: tty3 AAA/AUTHOR/CMD (3461622395): found list "default"
Feb 22 15:27:16.667 CST: tty3 AAA/AUTHOR/CMD (3461622395): Method=tacacs+ (tacacs+)
Feb 22 15:27:16.667 CST: AAA/AUTHOR/TAC+: (3461622395): user=rtr_geek
Feb 22 15:27:16.667 CST: AAA/AUTHOR/TAC+: (3461622395): send AV service=shell
Feb 22 15:27:16.667 CST: AAA/AUTHOR/TAC+: (3461622395): send AV cmd=reload
Feb 22 15:27:16.667 CST: AAA/AUTHOR/TAC+: (3461622395): send AV cmd-arg=<cr>
Feb 22 15:27:16.867 CST: AAA/AUTHOR (3461622395): Post authorization status =
PASS_ADD


AAA server csuslog output:


Feb 22 15:27:16 coachella CiscoSecure: DEBUG - AUTHORIZATION request (ce542a7b)
Feb 22 15:27:16 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=reload
cmd-arg=<cr> output: ]

6. User rtr_geek is permitted show running-config command.


Router debug output:
Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): Port='tty3' list=''
service=CMD
Feb 22 15:27:34.455 CST: AAA/AUTHOR/CMD: tty3 (150984379) user='rtr_geek'
Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): send AV service=shell
Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): send AV cmd=show
Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): send AV
cmd-arg=running-config
Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): send AV cmd-arg=<cr>
Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): found list "default"
Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): Method=tacacs+ (tacacs+)
Feb 22 15:27:34.455 CST: AAA/AUTHOR/TAC+: (150984379): user=rtr_geek
Feb 22 15:27:34.455 CST: AAA/AUTHOR/TAC+: (150984379): send AV service=shell
Feb 22 15:27:34.455 CST: AAA/AUTHOR/TAC+: (150984379): send AV cmd=show
Feb 22 15:27:34.455 CST: AAA/AUTHOR/TAC+: (150984379): send AV cmd-arg=running-config
Feb 22 15:27:34.455 CST: AAA/AUTHOR/TAC+: (150984379): send AV cmd-arg=<cr>
Feb 22 15:27:34.655 CST: AAA/AUTHOR (150984379): Post authorization status = PASS_ADD

AAA server csuslog output:


Feb 22 15:27:34 coachella CiscoSecure: DEBUG - AUTHORIZATION request (8ffd6bb)
Feb 22 15:27:34 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=show
cmd-arg=running-config cmd-arg=<cr> output: ]

7. User rtr_geek is permitted write terminal command.


Router debug output:
Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): Port='tty3' list=''
service=CMD
Feb 22 15:27:39.871 CST: AAA/AUTHOR/CMD: tty3 (3013136481) user='rtr_geek'
Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): send AV service=shell
Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): send AV cmd=write
Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): send AV cmd-arg=terminal
Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): send AV cmd-arg=<cr>
Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): found list "default"
Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): Method=tacacs+ (tacacs+)
Feb 22 15:27:39.871 CST: AAA/AUTHOR/TAC+: (3013136481): user=rtr_geek
Feb 22 15:27:39.871 CST: AAA/AUTHOR/TAC+: (3013136481): send AV service=shell
Feb 22 15:27:39.871 CST: AAA/AUTHOR/TAC+: (3013136481): send AV cmd=write
Feb 22 15:27:39.871 CST: AAA/AUTHOR/TAC+: (3013136481): send AV cmd-arg=terminal
Feb 22 15:27:39.871 CST: AAA/AUTHOR/TAC+: (3013136481): send AV cmd-arg=<cr>
Feb 22 15:27:40.075 CST: AAA/AUTHOR (3013136481): Post authorization status =
PASS_ADD

AAA server csuslog output:


Feb 22 15:27:39 coachella CiscoSecure: DEBUG - AUTHORIZATION request (b398d061)
Feb 22 15:27:39 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=write
cmd-arg=terminal cmd-arg=<cr> output: ]


8. User rtr_geek is permitted copy running-config startup-config command.


Router debug output:
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): Port='tty3' list=''
service=CMD
Feb 22 15:27:44.755 CST: AAA/AUTHOR/CMD: tty3 (2463024765) user='rtr_geek'
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): send AV service=shell
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): send AV cmd=copy
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): send AV
cmd-arg=running-config
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): send AV
cmd-arg=startup-config
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): send AV cmd-arg=<cr>
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): found list "default"
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): Method=tacacs+ (tacacs+)
Feb 22 15:27:44.755 CST: AAA/AUTHOR/TAC+: (2463024765): user=rtr_geek
Feb 22 15:27:44.755 CST: AAA/AUTHOR/TAC+: (2463024765): send AV service=shell
Feb 22 15:27:44.755 CST: AAA/AUTHOR/TAC+: (2463024765): send AV cmd=copy
Feb 22 15:27:44.755 CST: AAA/AUTHOR/TAC+: (2463024765): send AV
cmd-arg=running-config
Feb 22 15:27:44.755 CST: AAA/AUTHOR/TAC+: (2463024765): send AV
cmd-arg=startup-config
Feb 22 15:27:44.755 CST: AAA/AUTHOR/TAC+: (2463024765): send AV cmd-arg=<cr>
Feb 22 15:27:44.959 CST: AAA/AUTHOR (2463024765): Post authorization status =
PASS_ADD

AAA server csuslog output:


Feb 22 15:27:44 coachella CiscoSecure: DEBUG - AUTHORIZATION request (92cec67d)
Feb 22 15:27:44 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=copy
cmd-arg=running-config cmd-arg=startup-config cmd-arg=<cr> output: ]

9. User rtr_geek is permitted write memory command.


Router debug output:
Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): Port='tty3' list=''
service=CMD
Feb 22 15:27:52.351 CST: AAA/AUTHOR/CMD: tty3 (3171189379) user='rtr_geek'
Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): send AV service=shell
Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): send AV cmd=write
Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): send AV cmd-arg=memory
Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): send AV cmd-arg=<cr>
Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): found list "default"
Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): Method=tacacs+ (tacacs+)
Feb 22 15:27:52.351 CST: AAA/AUTHOR/TAC+: (3171189379): user=rtr_geek
Feb 22 15:27:52.351 CST: AAA/AUTHOR/TAC+: (3171189379): send AV service=shell
Feb 22 15:27:52.351 CST: AAA/AUTHOR/TAC+: (3171189379): send AV cmd=write
Feb 22 15:27:52.351 CST: AAA/AUTHOR/TAC+: (3171189379): send AV cmd-arg=memory
Feb 22 15:27:52.351 CST: AAA/AUTHOR/TAC+: (3171189379): send AV cmd-arg=<cr>
Feb 22 15:27:52.555 CST: AAA/AUTHOR (3171189379): Post authorization status =
PASS_ADD

AAA server csuslog output:


Feb 22 15:27:52 coachella CiscoSecure: DEBUG - AUTHORIZATION request (bd048283)
Feb 22 15:27:52 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=write
cmd-arg=memory cmd-arg=<cr> output: ]


10. User rtr_geek is permitted configure terminal command.


Router debug output:
Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): Port='tty3' list=''
service=CMD
Feb 22 15:27:56.039 CST: AAA/AUTHOR/CMD: tty3 (4076778320) user='rtr_geek'
Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): send AV service=shell
Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): send AV cmd=configure
Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): send AV cmd-arg=terminal
Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): send AV cmd-arg=<cr>
Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): found list "default"
Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): Method=tacacs+ (tacacs+)
Feb 22 15:27:56.039 CST: AAA/AUTHOR/TAC+: (4076778320): user=rtr_geek
Feb 22 15:27:56.039 CST: AAA/AUTHOR/TAC+: (4076778320): send AV service=shell
Feb 22 15:27:56.039 CST: AAA/AUTHOR/TAC+: (4076778320): send AV cmd=configure
Feb 22 15:27:56.039 CST: AAA/AUTHOR/TAC+: (4076778320): send AV cmd-arg=terminal
Feb 22 15:27:56.039 CST: AAA/AUTHOR/TAC+: (4076778320): send AV cmd-arg=<cr>
Feb 22 15:27:56.239 CST: AAA/AUTHOR (4076778320): Post authorization status =
PASS_ADD

AAA server csuslog output:


Feb 22 15:27:56 coachella CiscoSecure: DEBUG - AUTHORIZATION request (f2feb350)
Feb 22 15:27:56 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=configure
cmd-arg=terminal cmd-arg=<cr> output: ]
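The router and csuslog fragments for rtr_techie and rtr_geek show the same TACACS+ command authorization from both ends: the router groups its AV pairs and the final Post authorization status under a numeric request id, while the server logs the decision together with the user and the AVs the NAS sent. The following Python is an added example for this appendix, not code from the Cisco case study. It parses both formats, re-joins lines that were wrapped (as the PASS_ADD continuation lines above were), rebuilds each command from its cmd and cmd-arg AVs, pairs every router decision with the server record for the same user and command, and checks both sides against the permit/deny matrix the test descriptions state for the two groups. The log text inside it is constructed in the appendix's format; the rtr_geek record with request id 99000001 is invented to show what a command looks like when the router permits it but the server has no record of it.

```python
"""Correlate Cisco IOS AAA/AUTHOR debug lines with CiscoSecure csuslog records
for TACACS+ command authorization. Added example, not code from the Cisco case
study: the log text below is constructed in the appendix's format, and the
router record with request id 99000001 is invented (no matching server record)."""
import re

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2}\b")
RTR_USER = re.compile(r"AAA/AUTHOR/CMD: \S+ \((\d+)\) user='([^']*)'")
RTR_AV = re.compile(r"AAA/AUTHOR/CMD \((\d+)\): send AV (?:cmd|cmd-arg)=(\S+)")
RTR_STATUS = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\S+)")
SRV = re.compile(r"Authorization - (Request authorized|Failed command line); "
                 r"\[NAS = [^,]+, user = ([^,]+), port = [^,]+, input: (.*?) output: ?\]")

def unwrap(text):
    """Re-join wrapped lines: a line without a syslog timestamp belongs to the previous one."""
    out = []
    for line in filter(str.strip, text.splitlines()):
        if TIMESTAMP.match(line) or not out:
            out.append(line.rstrip())
        else:
            out[-1] += " " + line.strip()
    return out

def parse_router(text):
    """Return [(user, command, PASS|FAIL)] in the order the router decided."""
    reqs, order = {}, []
    for line in unwrap(text):
        if m := RTR_USER.search(line):
            reqs[m[1]] = {"user": m[2], "words": [], "status": None}
            order.append(m[1])
        elif (m := RTR_AV.search(line)) and m[1] in reqs and m[2] != "<cr>":
            reqs[m[1]]["words"].append(m[2])  # cmd then cmd-arg AVs, in order
        elif (m := RTR_STATUS.search(line)) and m[1] in reqs:
            reqs[m[1]]["status"] = "PASS" if m[2].startswith("PASS") else "FAIL"  # PASS_ADD/PASS_REPL
    return [(reqs[i]["user"], " ".join(reqs[i]["words"]), reqs[i]["status"]) for i in order]

def parse_server(text):
    """Return [(user, command, PASS|FAIL)] from csuslog authorization records."""
    records = []
    for line in unwrap(text):
        if m := SRV.search(line):
            words = [kv.split("=", 1)[1] for kv in m[3].split()
                     if kv.startswith("cmd") and not kv.endswith("=<cr>")]
            records.append((m[2], " ".join(words), "PASS" if m[1] == "Request authorized" else "FAIL"))
    return records

def correlate(router_text, server_text, expected):
    """Pair each router decision with the server record for the same user and
    command, then check both against the expected permit/deny table."""
    server, findings = parse_server(server_text), []
    for user, cmd, rtr in parse_router(router_text):
        idx = next((i for i, s in enumerate(server) if s[:2] == (user, cmd)), None)
        srv = server.pop(idx)[2] if idx is not None else None
        want = expected.get(user, {}).get(cmd)
        if srv is None:
            verdict = "NO_SERVER_RECORD"  # server never saw or never logged this request
        elif srv != rtr:
            verdict = "ROUTER_SERVER_MISMATCH"
        elif want is None:
            verdict = "UNEXPECTED_COMMAND"  # not in the test matrix
        elif want != rtr:
            verdict = "POLICY_MISMATCH"  # decision differs from what the tests describe
        else:
            verdict = "OK"
        findings.append((user, cmd, rtr, srv, verdict))
    return findings

# Constructed sample input in the appendix's format.
ROUTER_LOG = """
Feb 18 14:28:08.121 CST: AAA/AUTHOR/CMD: tty3 (192752980) user='rtr_techie'
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): send AV cmd=write
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): send AV cmd-arg=memory
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): send AV cmd-arg=<cr>
Feb 18 14:28:08.325 CST: AAA/AUTHOR (192752980): Post authorization status =
PASS_ADD
Feb 18 14:28:11.621 CST: AAA/AUTHOR/CMD: tty3 (3042655042) user='rtr_techie'
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): send AV cmd=configure
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): send AV cmd-arg=terminal
Feb 18 14:28:11.825 CST: AAA/AUTHOR (3042655042): Post authorization status = FAIL
Feb 22 15:28:30.001 CST: AAA/AUTHOR/CMD: tty3 (99000001) user='rtr_geek'
Feb 22 15:28:30.001 CST: tty3 AAA/AUTHOR/CMD (99000001): send AV cmd=debug
Feb 22 15:28:30.001 CST: tty3 AAA/AUTHOR/CMD (99000001): send AV cmd-arg=all
Feb 22 15:28:30.201 CST: AAA/AUTHOR (99000001): Post authorization status = PASS_ADD
"""
SERVER_LOG = """
Feb 18 14:28:08 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=write
cmd-arg=memory cmd-arg=<cr> output: ]
Feb 18 14:28:11 coachella CiscoSecure: DEBUG - Authorization - Failed command line;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell
cmd=configure cmd-arg=terminal cmd-arg=<cr> output: ]
"""
# Permit/deny matrix as the test descriptions for the two groups state it.
EXPECTED = {
    "rtr_techie": {"copy running-config startup-config": "PASS", "write memory": "PASS",
                   "configure terminal": "FAIL"},
    "rtr_geek": {"debug all": "FAIL", "debug ip packet": "PASS", "reload": "PASS",
                 "show running-config": "PASS", "write terminal": "PASS", "write memory": "PASS",
                 "copy running-config startup-config": "PASS", "configure terminal": "PASS"},
}

if __name__ == "__main__":
    for row in correlate(ROUTER_LOG, SERVER_LOG, EXPECTED):
        print("%-10s %-20s router=%-4s server=%-4s %s" % row)
```

Run as a script it prints one row per router decision; in practice you feed it the debug aaa authorization output and the csuslog file for the same window. A NO_SERVER_RECORD row for a permitted command is the one to chase: with the default method list set to tacacs+, a permit that the server never logged means the server did not see the request or its log is incomplete, and either way the command ran without the audit record this appendix relies on.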

I N D E X

dialup PPP filtering 1-11


A
troubleshooting problems 6-14, 6-17
AAA verification, show caller user command
BootFlash considerations B-1 (server-based) 4-10, C6

case study overview (figure) 1-2 verification, show line command (local-based) 2-8

Cisco IOS 12.0(7)T command descriptions A-13 accounting

defined 1-1 configuring EXEC and command level


(TACACS+) 5-4
disabling B-1
configuring NAS (TACACS+) 5-2
example configuration (NAS) A-5, A-9
configuring router (TACACS+) 5-4
example configuration (router) A-2
defined 1-1
overview 1-1
dial-based accounting (server) 5-4
security checklist (table) 1-12
monitored dialup PPP events 1-11
task checklist (table) 1-14
monitored router administration events 1-11
aaa accounting command A-13, A-14
records policies 1-11
aaa authentication command A-13, A-14
server-based dial implementation 5-1
aaa authorization command A-13, A-14
server-based router implementation 5-4
aaa new-model key command A-13, A-14
session timeout output example 5-2
AAA server
SQL query 5-2, 5-5
creating a user profile (RADIUS authentication) 4-7
TACACS+ dial implementation 5-1
creating a user profile (RADIUS authorization) 4-9
TACACS+ implementation (local-based) 2-12
creating a user profile (TACACS+ authentication) 4-3
TACACS+ router implementation 5-4
creating a user profile (TACACS+ authorization) 4-5
TACACS+ verification tests (local-based) 2-13
negotiation process (flow diagram) 6-3
TACACS+ verification tests (server-based) 5-2
restarting 3-10
verifying from AAA server 5-2, 5-5
software version used in case study xii
acknowledgements xv
verifying user configuration (RADIUS
authentication) 4-8, 4-9 AddProfile command

verifying user configuration (TACACS+ adding basic user profile 3-11


authentication) 4-3 adding group profiles (TACACS+ authentication) 4-11
verifying user configuration (TACACS+ adding group profiles (TACACS+ authorization) 4-17,
authorization) 4-5 4-18
AAA servers adding user profiles (RADIUS authentication) 4-7
in network context 1-2 adding user profiles (RADIUS authorization) 4-9
access list adding user profiles (TACACS+ authentication) 4-3

Cisco AAA Implementation Case Study


1
Index

adding user profiles (TACACS+ authorization) 4-5 TACACS+ router, verifying by using csuslog 4-16,
4-18, 4-19
administrative control
authorization policy 1-11
TACACS+ verification tests (local-based) 2-6, 2-11
TACACS+ verification tests (server-based) C2, C9
creating, router example 4-13
privilege level 15 1-11
verifying access list 4-10
verifying PPP user authorization 4-5
attribute-value pair
See AVPs verifying RADIUS authorization 4-9
autocommand ppp negotiate command 1-11
audience
defined xi
AVPs
adding group profiles (TACACS+ authentication) 4-11
authentication
adding group profiles (TACACS+ authorization) 4-16,
configuring NAS (RADIUS) 4-7
4-17, 4-18
configuring NAS (TACACS+) 4-3
defined 1-6
general process (flow diagram) 6-3
dial access devices 1-11
RADIUS implementation 4-6
EXEC disabled implementation 6-6
RADIUS verification tests (server-based) C4
EXEC shell enabled (TACACS+) 6-5
RADIUS vs. TACACS+ 1-5
privilege level 15 enabled (TACACS+) 6-5
server-based implementation 4-2, 4-6, 4-10
RADIUS, user profile 4-7, 4-9
TACACS+ dialup, verifying by using csuslog 4-4
RADIUS examples (table) 1-6
TACACS+ implementation (local-based) 2-2, 2-8
TACACS+, user profile 4-3, 4-5
TACACS+ implementation (server-based) 4-2, 4-10
TACACS+ authentication, group profile 4-11
TACACS+ verification tests (local-based) 2-3, 2-9
TACACS+ authorization, group profile 4-16, 4-17, 4-18
TACACS+ verification tests (server-based) C1, C7
TACACS+ examples (table) 1-6
verifying PPP user authentication 4-4
authentication, authorization, and accounting
See AAA B
authorization
BootFlash images
configuring NAS (RADIUS) 4-9
AAA considerations B-1
configuring NAS (TACACS+) 4-4
configuring routers 4-13
defined 1-1 C
general process (flow diagram) 6-3
case study
RADIUS implementation 4-8
hardware xii
RADIUS verification tests (server-based) C5
objectives xi
RADIUS vs. TACACS+ 1-5
overview 1-1
server-based implementation 4-4, 4-8, 4-13
purpose xi
TACACS+ dialup, verifying by using csuslog 4-5
software xii
TACACS+ implementation (local-based) 2-5, 2-10
CCO
TACACS+ implementation (server-based) 4-4, 4-13
accessing xiii

Cisco AAA Implementation Case Study


2
Index

definition xiii Cisco IOS 12.0(7)T (AAA) A-13


CD-ROM configurations
documentation xiv Cisco IOS 12.0(7)T, NAS example A-5, A-9
Challenge Handshake Authentication Protocol Cisco IOS 12.0(7)T, router example A-2
See CHAP CSU example A-15
CHAP example CSConfig.ini listing A-19
ISDN authentication 1-10 example CSU.cfg listing A-16
checklists examples, Cisco IOS 12.0(7)T A-1
AAA implementation tasks (table) 1-14 local router A-2
AAA security (table) 1-12 RADIUS A-9
AAA service definition (table) 1-10 TACACS+ A-5
general service definition (table) 1-9 conventions
network services 1-9 command syntax xiii
Cisco 7206 VXR xii document xiii
Cisco AS5300 xii CSConfig.ini
Cisco AS5800 xii example file listing A-19
Cisco Connection Online CSU
See CCO configuring CSU logging 3-9
Cisco IOS 12.0(7)T xii configuring debugging level 3-10
aaa accounting command A-13, A-14 creating csuslog file 3-9
aaa authentication command A-13, A-14 example configuration listings A-15
aaa authorization command A-13, A-14 example CSConfig.ini listing A-19
AAA command descriptions (NAS) A-13 example CSU.cfg listing A-16
AAA command descriptions (router) A-13 installation process 3-2
aaa new-model command A-13, A-14 installing 3-5
autocommand ppp negotiate command 1-11 log files listed A-25
disabling AAA B-1 minimum system specifications xii
example configurations A-1 pkgadd command 3-6
ip http command A-13 restarting AAA server 3-10
ip tacacs command A-13 restarting syslog daemon 3-10
local-based router example A-2 software version used in case study xii
radius-server host command A-15 verifying Oracle account information 3-4
server-based NAS example A-5, A-9 version 2.3(3) xii
tacacs-server host command A-13, A-15 CSU.cfg
tacacs-server key command A-13 example file listing A-16
version used in case study xii csuslog
CiscoSecure for UNIX configuring logging 3-9
See CSU creating file 3-9
commands TACACS+ dialup authentication 4-4

Cisco AAA Implementation Case Study


3
Index

TACACS+ dialup authorization 4-5


E
TACACS+ router authorization 4-16, 4-18, 4-19
using tail command (TACACS+ dialup encryption
authentication) 4-4 RADIUS 1-4
using tail command (TACACS+ PPP TACACS+ 1-5
authorization) 4-5
using tail command (TACACS+ router
authorization) 4-16, 4-18, 4-19
F
using the tail command C1
flow diagram
general authentication and authorization 6-3
D TACACS+, authentication and authorization 4-14

database
verifying instance 3-3
G
Data Encryption Standard
See DES groups
debug command defining administrative control 4-13

summary of relevant commands 6-7


using to troubleshoot AAA problems 6-7
H
debug output
accounting (server-based) 5-3, 5-5 hardware
accounting, TACACS+ (local-based) 2-13 case study xii
authentication, RADIUS (server-based) C4 Cisco 7206 VXR xii
authentication, TACACS+ (local-based) 2-3, 2-10 Cisco AS5300 xii
authentication, TACACS+ (server-based) C1, C7 Cisco AS5800 xii
authorization, RADIUS (server-based) C5 Sun UltraSPARC xii
authorization, TACACS+ (local-based) 2-6, 2-11
authorization, TACACS+ (server-based) C3, C9
I
DES
password support policy 1-13 implementation
router policy 1-10 AAA task checklist (table) 1-14
diagnostics interoperability
using debug command output C1 RADIUS attribute support 1-6
directory environment variable IP addresses
verifying 3-3 static address policy 1-13
disconnect cause codes ip http command A-13
idle timeouts 5-2, 5-3 ip tacacs command A-13
listed (table) 5-6 ISDN
CHAP authentication 1-10

Cisco AAA Implementation Case Study


4
Index

authorization policy 1-11


L
checklist 1-9
listener.ora definitions and policies 1-10
configuration listing A-24 dialup/shell AAA policy 1-10
local-based access general checklist (table) 1-9
compared with server-based access 1-6
defined 1-6
local-based configuration
O
implementation overview 2-1 objectives
TACACS+, accounting 2-12 case study xi
TACACS+, authentication 2-2, 2-8 online documentation
TACACS+, authorization 2-5, 2-10 See CCO
verification test results (TACACS+ accounting) 2-13 Oracle
verification test results (TACACS+ accounting records policy 1-11
authentication) 2-3, 2-9
confirming tnsnames service 3-4
verification test results (TACACS+ authorization) 2-6,
2-11 creating tablespace 3-2
DB Client 7.3(4) xii
DB Server 7.3(4) xii
M installation reference 3-2
listener (lsnrctl) 3-3
management policy
listener.ora listing A-24
TACACS+ vs. RADIUS comparison 1-5
Server Manager (svrmgrl) 3-3
MD5
software version used in case study xii
RFC link 1-2
user environment variable A-23
multiprotocol support
verifying account information 3-4
TACACS+ vs. RADIUS comparison 1-5
verifying database instance 3-3
verifying SMON operation 3-3
N verifying software directory environment variable 3-3
OS Solaris 2.5(1) xii
NAS
overview
versions used in case study xii
AAA case study 1-1
NAS profile
RADIUS 4-7
network environment P
equipment summary 1-13
PAP
network services
PPP authentication 1-10
AAA checklist (table) 1-10
Password Authentication Protocol
accounting policy 1-11
See PAP
authentication policy 1-10

Cisco AAA Implementation Case Study


5
Index

passwords connection between NAS and AAA server down 6-12


authentication policies 1-13 connection between router and AAA server
authentication policy 1-10
down 6-23
group profile password type does not match type in
authorization policies 1-13
NAS 6-13
local access policy 1-10
incorrect AAA configuration in router 6-21, 6-24
planning
maximum number of users exceeded 6-12, 6-23
pre-deployment summary 1-9
shell initiated PPP session fails 6-9, 6-13
site preparation xi
TACACS+ key incorrect in router or AAA
Point-to-Point Protocol server 6-23
See PPP TACACS+ or RADIUS key incorrect in NAS or AAA
policies server 6-12

accounting 1-11 user account disabled due to too many failed


logins 6-10, 6-22
accounting, PPP 1-11
user account password or profile expired 6-11, 6-22
accounting, router administration 1-11
user enters invalid username or password 6-9, 6-20
authentication 1-10
user enters password incorrectly 6-10, 6-22
authorization 1-11
user exceeds the maximum number of concurrent
dialup/shell AAA 1-10 sessions 6-11, 6-22
privilege level 15 authorization 1-13 user name not in server database 6-10, 6-22
router, administrative control 1-11 user profile configured incorrectly 6-10, 6-22
router management 1-5 user workstation configured incorrectly 6-11
security considerations 1-12 authorization
PPP AAA authorization configured incorrectly in
PAP authentication 1-10 NAS 6-16
verifying TACACS+ authorization 4-5 AAA behavior incorrectly configured 6-26, 6-28

verifying TACACS+ user authentication 4-4 AAA configuration error 6-25, 6-27

privilege level access list assigned to user 6-14, 6-17

TACACS+ support 1-2 authorization failed service 6-25, 6-27

privilege level 15 autocommand ppp negotiate assigned to user 6-26,


6-28
accounting 1-11, 1-12
AVPs not assigned 6-14, 6-17
command authorization policy 1-13
does not have PPP service assigned 6-16
local administration 1-12
feature is not supported on console ports 6-28
router authorization policy 1-11
group lacks shell service assigned 6-16
router command authorization A-13
Idle-Timeout RADIUS AVP not configured on group
privilege level 15 commands 4-13
profile 6-18
configuring accounting 5-4 idletime TACACS+ AVP not configured on group
problems profile 6-18
authentication Lack of service=shell AVP 6-28
AAA behavior configured incorrectly in NAS 6-9 user client configuration error 6-13
AAA behavior configured incorrectly in router 6-20

Cisco AAA Implementation Case Study


6
Index

    user exceeds the maximum number of concurrent sessions 6-19
    user or group does not have User-Service-Type AVP assigned 6-19
    user or group profile lacks proper AVP 6-18
    user or group profile restricted 6-18
    user or lacks service=shell AVP assigned 6-19
    user profile configured incorrectly 6-28
    user profile lacks appropriate enable level to perform command 6-25
    user profile lacks appropriate enable privilege level to perform command 6-27
    user profile lacks appropriate privilege level to perform command 6-25, 6-27
    user profile restricted 6-14
profiles
    assigning user to group profile (TACACS+ authentication) 4-11
    assigning user to group profile (TACACS+ authorization) 4-16, 4-17, 4-18
    creating basic user 3-11
    group, configuring router access 4-13
    group, verifying (TACACS+ authentication) 4-11
    group, verifying (TACACS+ authorization) 4-16, 4-17, 4-18
    group configuration, TACACS+ 4-14
    group permissions (table) 4-13
    user, defining access privileges 6-5
    user, RADIUS 4-7, 4-9
    user, TACACS+ 4-3, 4-5
    user, verifying (TACACS+ authentication) 4-12
    user, verifying (TACACS+ authorization) 4-16, 4-17, 4-18
    user, verifying basic 3-11
    user configuration (RADIUS authentication) 4-7
    user configuration (RADIUS authorization) 4-9
    user configuration (TACACS+ authentication) 4-3
    user configuration (TACACS+ authorization) 4-5
purpose
    case study xi

R

RADIUS
    authentication tests (server-based) C4
    authorization tests (server-based) C5
    AVP examples (table) 1-6
    compared with TACACS+ 1-4
    compared with TACACS+ (table) 1-4
    configuring authentication (server-based) 4-6
    configuring authorization (server-based) 4-8
    creating user profiles (authentication) 4-7
    debug output, server-based authentication C4
    debug output, server-based authorization C5
    encryption 1-4
    example configuration (NAS) A-9
    interoperability 1-6
    NAS profile, creating 4-7
    negotiation process (flow diagram) 6-4
    RFC link 1-2
    See also AVPs
    See also troubleshooting
    technology overview 1-3
    troubleshooting scenario, authorization 6-36
    troubleshooting symptom list, authentication 6-10
    troubleshooting symptom list, authorization 6-15
    verifying access list assignment 4-10
radius-server host command A-15
Remote Authentication Dial-in User Service
    See RADIUS
Requests for Comments
    See RFCs
RFCs
    reference links 1-2
router
    administration, command and control policy 1-11
    administrative control, creating 4-13
    authorization, controlling 4-13
    management, RADIUS vs. TACACS+ 1-5

S

scenario
    case study description 1-8
    case study overview (figure) 1-2
scenarios
    troubleshooting examples 6-29
security
    policy considerations 1-12
server-based access
    compared with local-based access 1-7
    defined 1-7
server-based configuration
    implementation overview (authentication and authorization) 4-1
    verification test results (RADIUS authentication) C4
    verification test results (RADIUS authorization) C5
    verification test results (TACACS+ authentication) C1, C7
    verification test results (TACACS+ authorization) C2, C9
    verifying user (RADIUS authentication) 4-8, 4-9
    verifying user (TACACS+ authentication) 4-3
    verifying user (TACACS+ authorization) 4-5
show caller user command
    access list verification output (server-based) 4-10, C6
    session timeout disconnect example 5-3
show line command
    verification output (local-based) 2-8
site preparation xi
SMON
    verifying operation on Oracle server 3-3
software
    case study listing xii
software components
    Cisco IOS 12.0(7)T xii
    Oracle DB Client 7.3(4) xii
    Oracle DB Server 7.3(4) xii
    OS Solaris 2.5(1) xii
    SQL*Plus Release 3.3.4.0.1 xii
SQL*Plus
    Release 3.3.4.0.1 xii
sqlplus
    verifying account information 3-4
symptom list, troubleshooting AAA
    dial-based local authentication 6-9
    dial-based local authorization 6-13
    dial-based server authentication 6-10
    dial-based server authorization 6-15
    router-based local authentication 6-19
    router-based local authorization 6-24
    router-based server authentication 6-21
    router-based server authorization 6-26
syslog daemon
    restarting 3-10

T

tablespace
    installing (Oracle) 3-2
    size requirements 3-2
TAC
    contacting xiv
TACACS
    RFC link 1-2
TACACS+
    accounting tests (local-based) 2-13
    assigning user to group profile (authentication) 4-11
    assigning user to group profile (authorization) 4-16, 4-17, 4-18
    authentication and authorization (figure) 4-14
    authentication tests (local-based) 2-3, 2-9
    authentication tests (server-based) C1, C7
    authorization tests (local-based) 2-6, 2-11
    authorization tests (server-based) C2, C9
    AVP examples (table) 1-6
    compared with RADIUS 1-4
    compared with RADIUS (table) 1-4
    configuring accounting (local-based) 2-12

    configuring authentication (local-based) 2-2, 2-8
    configuring authentication (server-based) 4-2, 4-10
    configuring authorization (local-based) 2-5, 2-10
    configuring authorization (server-based) 4-4, 4-13
    configuring dial accounting (server-based) 5-1, 5-2
    configuring router accounting (server-based) 5-4
    creating user profiles (authentication) 4-3
    debug output, server-based authentication C1, C7
    debug output, server-based authorization C3, C9
    encryption 1-5
    example configuration (NAS) A-5
    multiprotocol support 1-5
    negotiation process, EXEC disabled (flow diagram) 6-6
    negotiation process, EXEC enabled (flow diagram) 6-5
    privilege level support 1-2
    RFC link 1-2
    router management 1-5
    See also AVPs
    See also troubleshooting
    service control 1-3
    technology overview 1-2
    troubleshooting scenario, authentication 6-29, 6-30, 6-31
    troubleshooting scenario, authorization 6-33, 6-34, 6-35
    troubleshooting symptom list, authentication 6-10, 6-21
    troubleshooting symptom list, authorization 6-15, 6-24, 6-26
tacacs-server host command A-13, A-15
tacacs-server key command A-13
tail command
    reading the csuslog file C1
    verifying dialup authentication with csuslog (TACACS+) 4-4
    verifying PPP authorization with csuslog (TACACS+) 4-5
    verifying router authorization with csuslog (TACACS+) 4-16, 4-18, 4-19
Technical Assistance Center
    See TAC
technology
    AAA overview 1-1
Terminal Access Controller Access Control System Plus
    See TACACS+
tnsnames service
    verifying with tnsping utility 3-4
tnsping
    using to verify tnsnames service 3-4
troubleshooting
    diagnostic overview 6-1
    example scenarios 6-29
    methodology overview 6-7
    RADIUS authorization scenario 6-36
    See also problems
    See also RADIUS
    See also symptom list, troubleshooting AAA
    See also TACACS+
    TACACS+ authentication scenario 6-29, 6-30, 6-31
    TACACS+ authorization scenario 6-33, 6-34, 6-35

U

UNIX
    version used in case study xii
user
    creating profiles (RADIUS authentication) 4-7
    creating profiles (RADIUS authorization) 4-9
    creating profiles (TACACS+ authentication) 4-3
    creating profiles (TACACS+ authorization) 4-5
user environment variable
    Oracle, listed A-23

V

verification
    accounting, TACACS+ (local-based) 2-13
    accounting, TACACS+ (server-based) 5-2
    authentication, RADIUS (server-based) C4
    authentication, TACACS+ (local-based) 2-3, 2-9

    authentication, TACACS+ (server-based) C1, C7
    authorization, RADIUS (server-based) C5
    authorization, TACACS+ (local-based) 2-6, 2-11
    authorization, TACACS+ (server-based) C2, C9
verification tests
    debug output, RADIUS authentication (server-based) C4
    debug output, RADIUS authorization (server-based) C5
    debug output, TACACS+ (local-based) 2-6, 2-11, 2-13
    debug output, TACACS+ (server-based accounting) 5-3, 5-5
    debug output, TACACS+ authentication (server-based) C1, C7
    debug output, TACACS+ authorization (server-based) C3, C9
    SQL query (accounting) 5-2, 5-5
ViewProfile command
    verifying basic user configuration 3-11
    verifying user configuration (RADIUS authentication) 4-8, 4-9
    verifying user configuration (TACACS+ authentication) 4-3
    verifying user configuration (TACACS+ authorization) 4-5
