AAA Authentication on Cisco IOS

This topic is to discuss the following lesson:

Hello Laz,
Would you please explain the functionalities of the below commands at your convenient time? Thank you so much in advance.

aaa accounting exec default start-stop group tacacs+ 
aaa accounting commands 1 default stop-only group tacacs+ 
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting connection default start-stop group tacacs+ 
aaa accounting system default start-stop group tacacs+ 

Best Regards,
Az

Hello Azm!

All of these commands involve the accounting of users connecting to the device as well as of events that occur on the device. Specifically, accounting management in this context is a mechanism that allows you to track individual and group usage of network resources. The different commands above configure what, how and when this information is recorded. Accounting information can be stored locally on the device, but more commonly is sent to an AAA (Authentication, Authorization and Accounting) server.

You can find detailed information about the aaa accounting commands and keywords here.

However, I will briefly explain the above commands:

First of all, the start-stop and stop-only keywords indicate to the device when to send accounting information to the AAA server, either at both the beginning and end of a process or command, or only at the end.

The group tacacs+ keywords indicate the list of TACACS+ servers to be used for AAA, which are those found in the aaa group server tacacs+ command.

The default keyword just states that the keywords that follow will be the default parameters used for the accounting mechanism.

Now for the commands themselves:

aaa accounting exec default start-stop group tacacs+
This command activates accounting on all EXEC shell sessions (any commands entered after the enable command) and sends accounting information at the beginning and end of each command/process to the server indicated by group tacacs+.

aaa accounting commands 1 default stop-only group tacacs+
This command activates accounting on all commands entered at privilege level 1 and sends accounting information at the end of each command/process to the server indicated by group tacacs+.

aaa accounting commands 15 default stop-only group tacacs+
This command activates accounting on all commands entered at privilege level 15 and sends accounting information at the end of each command/process to the server indicated by group tacacs+.

aaa accounting connection default start-stop group tacacs+
This command activates accounting on all outbound connections made from the device such as telnet and others and sends accounting information at the beginning and end of each command/process to the server indicated by group tacacs+.

aaa accounting system default start-stop group tacacs+
This command activates accounting for all system-level events not associated with users, such as reloads. Accounting information is sent at the beginning and end of each process to the server indicated by group tacacs+.

I hope this has been helpful!

Laz

Hello Laz,
Thank you for your reply. However, it’s still a little bit fuzzy to me. Would you please break it down once again with a real life example? Thank you again.

Best Regards,
Azm Uddin

Hello Azm

Let’s say I have a router on site and I want to keep track of all of the command line activity. Specifically, I want to monitor all of the commands that are entered in the executive mode command line and the processes they invoke. Since I have a TACACS+ server on site, I decide to use that as my accounting server. (I can use RADIUS as well.) Let’s say I have two TACACS+ servers at 10.10.10.31 and 10.10.10.32.

The first thing I would do is create an AAA group called my_server_group using the following commands:

aaa group server tacacs+ my_server_group 
  server 10.10.10.31
  server 10.10.10.32

Next, I would issue the following command to initiate accounting:

aaa accounting exec default start-stop group my_server_group

So, every time someone logs in to the command line and types enable every additional command is sent to the accounting server and is recorded. For example, if I entered the command line and entered:

show running-config

the router would send the following information to the configured TACACS+ server:

Time of command, issuer of command (user name), the command itself, time when the process has been completed.

Note that the start-stop keyword will send two times to the accounting server, the time the process was initiated, that is, when the command was entered, and the time when the process completed. The stop-only keyword can be used to give only the time of the ending of the process. Most processes are almost instantaneous, however, some may take seconds or even tens of seconds depending on the command.

So the TACACS+ server will accumulate a log of all of these events, their times and their details so that in the future, if the network goes down because of a mistake in command line commands, you can know who to blame :)

The other commands are just permutations of this command and just changes what is recorded and how it is recorded.

I hope this has been helpful!

Laz


Hello Laz,
great explanation as usual. A few questions. If I use the **aaa accounting exec default start-stop** command, **aaa accounting commands 1 default stop-only** and **aaa accounting commands 15 default stop-only** do not need to be used because the first one will cover everything. Correct? Would you also please explain the below commands:

aaa accounting connection default start-stop group....
aaa accounting system default start-stop group.....
aaa authorization exec default group.......

Thank you so much.

Best regards,
Azm Uddin

Hello Azm

Not quite. The first command (aaa accounting exec default start-stop) will record:

* ONLY commands that are initiated at the # prompt. This is the exec keyword.
* It will record both the moment when the process is STARTED by these commands and when it STOPS.

The second (aaa accounting commands 1 default stop-only) will record:

* ONLY commands that are available at privilege level 1.
* It will record ONLY the moment when the processes initiated by these commands END.

The third command (aaa accounting commands 15 default stop-only) will record:

* ONLY commands that are available at privilege level 15.
* It will record ONLY the moment when the processes initiated by these commands END.

So for example,

* if I enter the “show version” command at the > prompt (non-privileged executive mode) only the second command will record this and it will only record the end of the process.
* If I enter the “ip address 10.10.10.10 255.255.255.0” command at an interface, the first command will have recorded the beginning and the end of it. In this case the third command would be obsolete.

I hope this has been helpful!

Laz
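To make the three criteria concrete, here is an added Python model (not code from the thread or from Cisco IOS) of the accounting lines as Laz describes them: the exec list keys on the # prompt, each commands list keys on the privilege level, and start-stop versus stop-only decides which notices go to the server group.

```python
"""Which 'aaa accounting' lines emit records for a given command?
Added model following the explanation in this thread; not Cisco's code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

RULE_RE = re.compile(
    r"^aaa accounting (exec|commands)(?: (\d+))? default "
    r"(start-stop|stop-only) group (\S+)$"
)


@dataclass(frozen=True)
class AccountingRule:
    kind: str                 # "exec": keyed on the # prompt; "commands": keyed on privilege level
    level: Optional[int]      # privilege level for "commands" rules, None for "exec"
    notices: Tuple[str, ...]  # ("start", "stop") or ("stop",)
    group: str                # server group the records are sent to


def parse_rule(line: str) -> AccountingRule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported accounting line: {line!r}")
    kind, level, timing, group = m.groups()
    notices = ("start", "stop") if timing == "start-stop" else ("stop",)
    return AccountingRule(kind, int(level) if level else None, notices, group)


def records_for(rules: List[AccountingRule], prompt: str, priv_level: int):
    """Return (group, method, notice) tuples the device would send for one
    command entered at `prompt` ('>' user EXEC, '#' privileged EXEC or any
    config mode) by a user holding `priv_level`."""
    out = []
    for r in rules:
        if r.kind == "exec" and prompt == "#":
            out.extend((r.group, "exec", n) for n in r.notices)
        elif r.kind == "commands" and r.level == priv_level:
            out.extend((r.group, f"commands {r.level}", n) for n in r.notices)
    return out


# Constructed config made of the three lines discussed above.
CONFIG = [
    "aaa accounting exec default start-stop group tacacs+",
    "aaa accounting commands 1 default stop-only group tacacs+",
    "aaa accounting commands 15 default stop-only group tacacs+",
]
RULES = [parse_rule(line) for line in CONFIG]

if __name__ == "__main__":
    print(records_for(RULES, ">", 1))    # 'show version' at the > prompt
    print(records_for(RULES, "#", 15))   # 'ip address ...' in config mode
```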

Hello Laz,
As far as my understanding goes, you are saying aaa accounting exec default start-stop tracks all the commands entered in privileged mode and global config mode. On the other hand, aaa accounting commands 1 default stop-only and aaa accounting commands 15 default stop-only work in any mode regardless of whether a command is executable (I know most of the level 15 commands don’t work in user exec mode)… Is that correct?

Best Regards,
Azm Uddin

Hello Azm

Yes, that is essentially correct. The first one uses the mode as the criterion for recording the commands while the other two use the criterion of the privilege level of specific commands for recording.

Note also that the first command records both the beginning and the end of the process that is initiated by the commands (start-stop) while the other two record only the termination of the process (stop-only).

I hope this has been helpful!

Laz

Hello Laz,
Excellent explanation once again. Would you please explain the below commands as well?

aaa accounting connection default start-stop group....
aaa accounting system default start-stop group.....
aaa authorization exec default group.......

Thanks a lot.

Best Regards,
Azm Uddin

Hello Azm

All of these commands indicate to the device when and under what circumstances accounting notices will be sent to an accounting server. The keywords used indicate this information as follows:

* connection - indicates that all outbound connections made from the network access server such as TELNET will be recorded
* default - Uses the listed accounting methods that follow this argument as the default list of methods for accounting services
* start-stop - sends a “start” and a “stop” accounting notice to the accounting server at the beginning AND at the end of a process initiated by CLI commands
* exec - Creates a method list to provide accounting records about user EXEC terminal sessions on the network access server, including username, date, and start and stop times.
* group group-name - The group or list of servers (Radius or TACACS) that will be used as accounting servers.

You can find much more detail within Cisco’s documentation for accounting.

I hope this has been helpful!

Laz

Great!!! Thanks a lot again.

Azm


If I put Radius before Local, then IOS will try to use Radius first. Radius MUST not be reachable to use Local, right?
If I try to use Radius with ID xyz123, which does not exist in Radius but does in Local, this will never work, right?
Because Radius is reachable… and there is no ID in the Radius server that matches xyz123.

But what if I put Local before Radius?
The local database must not be reachable to use Radius???
How can the local database not be reachable?

Hello Hong

It is possible to place the local before the radius database. Remember that when a device attempts to connect to any database, it will attempt to authenticate. This is also the case for the local database. If it is unable to authenticate using the configured credentials, it will then go on to the next choice which can be radius.

So it is not only reachability that is being tested, but also authentication.

I hope this has been helpful!

Laz
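As an added illustration (not code from the thread or from IOS), this Python model walks a login method list the way the exchange above describes: a method that cannot be reached returns an error and the next method is tried, while a reject from a reachable server is final. One assumption is labelled in the code: the local method is modelled as returning an error (fall through) only when the username does not exist locally, which is my reading of IOS behaviour rather than something the thread states.

```python
"""Walk an IOS-style login method list: added model for this thread, not IOS code.
Each method returns PASS, FAIL or ERROR; only ERROR moves to the next method."""
from typing import Callable, Dict, List, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
Method = Callable[[str, str], str]


def local_method(users: Dict[str, str]) -> Method:
    """Local username database. Assumption (my reading of IOS, not stated in
    the thread): an unknown username is an ERROR, so the next method is tried;
    a wrong password for a known local user is a final FAIL."""
    def auth(user: str, password: str) -> str:
        if user not in users:
            return ERROR
        return PASS if users[user] == password else FAIL
    return auth


def radius_method(users: Dict[str, str], reachable: bool) -> Method:
    """RADIUS server group: unreachable is an ERROR (fall through), but an
    Access-Reject from a reachable server is a final FAIL."""
    def auth(user: str, password: str) -> str:
        if not reachable:
            return ERROR
        return PASS if users.get(user) == password else FAIL
    return auth


def authenticate(method_list: List[Tuple[str, Method]], user: str,
                 password: str) -> Tuple[str, List[str]]:
    """Try methods in order, like 'aaa authentication login default <m1> <m2>'.
    Returns the verdict and a trace of each method's result."""
    trace: List[str] = []
    for name, method in method_list:
        result = method(user, password)
        trace.append(f"{name}:{result}")
        if result != ERROR:
            return result, trace
    return FAIL, trace   # every method errored: nothing granted access


# Constructed databases: xyz123 exists only locally, radmin only on RADIUS.
LOCAL = local_method({"xyz123": "localpw"})
RADIUS_UP = radius_method({"radmin": "radpw"}, reachable=True)
RADIUS_DOWN = radius_method({"radmin": "radpw"}, reachable=False)

if __name__ == "__main__":
    print(authenticate([("radius", RADIUS_UP), ("local", LOCAL)], "xyz123", "localpw"))
    print(authenticate([("radius", RADIUS_DOWN), ("local", LOCAL)], "xyz123", "localpw"))
    print(authenticate([("local", LOCAL), ("radius", RADIUS_UP)], "radmin", "radpw"))
```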

What if I wanted to move a subset of the enable commands down to a lower privilege level for some basic commands that could be used by a system administrator. I have an account enable 10 and have assigned commands to that privilege level so a system administrator can login with enable 10 and not have access to full list of enable commands. How would the configuration of the switch and the freeradius differ from what was shown in the video?

Thanks,

Michael

Freeradius is software and runs on a workstation, which runs against this (am I right?),
and the workstation has to be physically linked to the devices to perform Freeradius, right?
And the devices that can be authenticated can be anything, like a host, switch, router etc., right?

I just want to understand explicitly how they connect to each other.

thank you

Hello Michael,

With freeradius, you can include a privilege level. If you have assigned commands to different privilege levels on your switch/router then you could use that.

Here’s an example:

https://wiki.freeradius.org/vendor/Cisco

Where they add a user like this:

youruser   Cleartext-Password := "somepass"
           Service-Type = NAS-Prompt-User,
           cisco-avpair = "shell:priv-lvl=15"

With TACACS+, I think you can do full command authorization where you add the commands on the TACACS+ server.

Rene

Hello Pipat,

For a more detailed explanation, take a look here:

RADIUS itself is a protocol. Freeradius is an open-source application that uses RADIUS. It runs on Linux (I think there’s also a Windows version somewhere). You can run it on your computer but typically you install it on some server. It’s popular since it’s open-source, simple, and light-weight.

It’s typically used for user authentication, network admins that want to access a router or switch or users that want access to the network.

Rene

Hi Rene, thanks for the reply. I had used that document to send our software guy that exact setup and he had some spaces in the shell command, which then wasn’t assigning the privilege level correctly. We got that fixed and all is well.

Thanks for taking the time to reply!!!

Michael

Hi Michael,

Very nice, good to hear you have it working. If you ever want to manage everything from the server side, you can always try TACACS+.

Rene