AAA Authentication on Cisco IOS

Hi Lazaros,
I have re-installed freeradius on Ubuntu 18.0.4 desktop VM on vmware workstation ( instead of GNS3 appliance) and it is working as demonstrated in the video.

R1#test aaa group radius REMOTE_ADMIN MY_PASSWORD new
R1#test aaa group radius REMOTE_ADMIN MY_PASSWORD new-code
User successfully authenticated

USER ATTRIBUTES

service-type         0   7 [NAS Prompt]
R1#

Hello Raghu

Perfect! Great to hear that it worked out! Thanks for keeping us updated…

Laz

Hi Lazaros,

I would like to suggest, if possible, to include in the ENARSI /ENCOR curriculum , a demo video or a procedure for basic configuration and installation of software (like freeradius, graylog-server, python, netmiko, ansible etc.) into Linux /Ubuntu docker containers or VMs interfacing with Cisco devices. This is time-consuming and involves lot of troubleshooting. Ignore my request if already provided in other sections.

1 Like

Hello Raghu

Thanks for your feedback, it’s much appreciated! I will let @ReneMolenaar know of your request and he’ll get back to you.

Thanks again!

Laz

Hi
I found this question on OCG book.

Your routers is configured as follows:

R1#show run | i aaa|username
aaa new-model
username ENARSI password 0 EXAM
R1# show run | s vty
line vty 0 4
password cisco
transport input all
R1#

Based on the configuration, what will occour when someone uses Telnet to reach the router?

  1. Authentication will fail because there is no AAA method list
  2. The user will be required to use line password cisco.
  3. The user will be required to use the username ENARSI with the password EXAM
  4. Something else…

The answer is the number 3.

Can you explain to me why 2 is not correct ? (Telnet not require username as I know)

Thanks

Hello Giovanni

It all has to do with the behavior of the device with and without the aaa new-model command.

Without aaa new-model, the VTY will behave as follows:

The login command is used to instruct the VTY to ask for credentials when an attempt to login is made. If the command is simply login then it uses the password configured with the password command under the VTY configuration. If the command is login local then it asks for a username and password based on the local user database regardless of whether or not the password was used. Note if login is used and no password is set, it will still prompt for a password, but access will never be granted.

The following configuration will ask for a password whenever connectivity via Telnet is attempted using the password cisco.

line vty 0 4
 password cisco
 login
 transport input all

The following configuration will give Telnet access immediately without asking for any credentials, even though a password is configured.

line vty 0 4
 password cisco
 transport input all

The following configuration will ask for a username and password whenever connectivity via Telnet is attempted. The password cisco is completely ignored, and the local database is used for authentication, using username and password.

line vty 0 4
 password cisco
 login local
 transport input all

With aaa new-model enabled, the VTY will behave as follows:

The VTY will always use the local database as the authentication source by default. The password configured within the VTY configuration is ignored. The login and login local commands are disabled and replaced with a login authentication command which specifies an authentication list (a list of acceptable sources for credentials).

So to answer your question, when you enable aaa new-model, the VTY will always use the local database as the source of credentials, thus it will use the username and password created using the username command in global configuration mode.

Note that Telnet can be configured to not require a password, but the aaa new-model mode of configuration does not allow this.

I hope this has been helpful!

Laz

1 Like

Agree with Raghu. Installation/Setup videos or a Lesson of topics like Free Radius etc will be very helpful!

Hello Rahul

Thanks for voicing your opinion about this, it’s always helpful to get such feedback. For a more immediate response from Rene, I suggest you go to the following Member Ideas page and make your suggestion there. YOu may find that others have made similar suggestions and if so, you can add your voice to theirs.

I hope this has been helpful!

Laz

Configured AAA but i am getting below error

Attempting authentication test to server-group tacacs+ using tacacs+
**No authoritative response from any server**.

Able to reach tacacs server

ping 172.16.21.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.102, timeout is 2 seconds:
!!!!!

Hello Pavanc

There are several things that may cause this behavior. One is if the IP address is incorrect, but I’m assuming that you’ve checked this already. :slight_smile:

Other issues may have to do with the actual AAA configuration. Take a look at the following Cisco community threads that may have some clues as to how you can proceed:

Also, try using the debug aaa authentication and debug aaa tacacs commands to check the AAA events and communication that takes place from your router. Also, if you can, check to see if your TACACS server actually receives packets when you try to authenticate. All of these should help in your troubleshooting process. Let us know how you get along!

I hope this has been helpful!

Laz

Once I configured “aaa authentication login default group radius local” and save the config, the local username and password is not able to login anymore. I assume it should fallback to the local user authentication if the connection to RADIUS server is not available. Could you please explain why the local account doesn’t work?

This is my configuration for the local user:

username admin secret 5 $1$ZOZH$FDOAYVEquweBvlape9aL.0
line con 0
 exec-timeout 1 0
 password 7 0523130D6249561D4903111B08093B29242A
 logging synchronous
 login local
line vty 0 4
 exec-timeout 3 0
 password 7 013B1306180E1E1B714A48001A0028060E00
 logging synchronous
 login local
 transport input ssh
line vty 5 15
 login

Hello Siwen

Indeed the command aaa authentication login default group radius local will cause the router to fall back on the local user database for authentication if the RADIUS server is unavailable. To be clear, that means that to fall back to the local database, the RADIUS server must fail to respond to the request. If the RADIUS server responds and denies access, the authentication will not fall back to the local database. The user will simply be denied.

If that local username and password are not also configured in the RADIUS server, then the RADIUS server will simply deny access. So the behavior you see is expected. If you want the same credentials to operate when the RADIUS server is up and running, then you can add the same username and password as credentials in the RADIUS server as well.

I hope this has been helpful!

Laz

Hi @ReneMolenaar @lagapidis ,
I have a very simple query.
We are configuring fallback methods with aaa authentication cmds.does this fallback method work when we fail authentication with the primary one? or it is when we loose connectivity to primary server?

simply think that our primary method is RADIUS server and fallback is local database.
we have configured user ‘admin’ in local database only.
can we log in to the device with username as ‘admin’ when we have reachability to RADIUS server?

Hello Nipun

If authentication fails due to incorrect credentials with the primary method, the fallback method will NOT be tried. The fallback mechanism comes into effect only when the primary server is unreachable or unresponsive, not when authentication fails due to incorrect credentials.

This makes sense because if someone tries to log in using brute force and fail, you can consider them an illegitimate user. If you were legitimate, you would know the password. So you don’t want to give an illegitimate user that may continue their brute force attack a second chance to try to connect again. So when a user provides incorrect credentials for the primary method, the device will return an authentication failure and will not proceed to try the fallback method.

The fallback is mainly intended to provide an alternative way to authenticate users when there’s an issue with the primary authentication server or method, not to give users multiple attempts to authenticate with different methods.

I hope this has been helpful!

Laz

1 Like

Hi Rene,

Our C9200 use mgmt port , and we would like to do TACACS authentication through the management interface. But not work.

If authenticate to tacacs through Vrf, what commands need to be added?

Hello Eric

What kind of error message are you getting? Can you also inform us about the VRF configuration you have?

In general, if you want to add a TACACS server from a particular VRF, you can do the following:

(config)# tacacs server TACACS-SERVER
(config-server-tacacs)# address ipv4 10.0.0.10 vrf MGMT
(config-server-tacacs)# key <shared-secret>
(config-server-tacacs)# exit

Here you can see that the particular VRF on which the server is can be indicated. Here it is indicated as MGMT.

If you need any more information, please feel free to let us know!

I hope this has been helpful!

Laz

Hello, everyone!

Please, are there any free RADIUS/TACACS+ softwares that I could use? I am running Windows for which I couldn’t install FreeRADIUS, the Elektron RADIUS link doesn’t do anything when I click “Download” and ClearBox felt a little complicated to set up when it came to RADIUS specifically.

Thank you in advance.

Hello David

What was the problem when you tried to install it? If you do a search online for “free radius server for windows” you should find quite a few resources to help you successfully install it.

The truth is that there aren’t that many free options for RADIUS servers for Windows. It’s even more difficult to find a free version of TACACS+ even on Linux. Even so, some RADIUS options that may be worth searching for include:

  • TekRADIUS: It’s a Windows-based RADIUS server that’s available in both free and paid versions. The free version has some limitations, but it might meet your needs.
  • Radiator: It’s a highly configurable and flexible RADIUS server that runs on Windows, Linux, MacOS, Solaris, and more. It’s not free, but they offer a 30-day trial.

Indeed Elektron RADIUS seems to be difficult to find these days. I’ll let Rene know to take a look and see if he can revise the content of this particular lesson which includes this software.

Let us know if you get any of the above working!

I hope this has been helpful!

Laz

Hello, everyone!

When it comes to RADIUS, authentication and authorization are combined.

In other words, if I was to access a Cisco device, the moment I would authenticate, I’d also be authorized, right? Basically, RADIUS passes all the authorization parameters the moment we are authenticated (pass on a priv level, and so on).

But why isn’t RADIUS capable of accounting for Cisco CLI commands? That function isn’t combined with the other two As and there is a specific port designated for it - 1813.

Thank you.

David

Hello David

You’re correct in saying that RADIUS combines authentication and authorization. When a user is authenticated, RADIUS does pass on the authorization parameters.

As for your question regarding RADIUS not being capable of accounting for Cisco CLI commands, it’s not exactly that RADIUS can’t do it, but rather that it’s not designed to do so. RADIUS was primarily designed to provide centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service, but, and this is key, it’s not specifically designed to log every single command that a user types into a Cisco device.

However, you can configure Cisco devices to send accounting information to a RADIUS server. This includes start-stop records, system events like reloads or reboots, and network service events like PPP or ARAP. But, it doesn’t include command-level accounting, which is where TACACS+ comes in.

TACACS+ is another AAA protocol that does support command accounting. This means that TACACS+ can log every command entered by a user, providing a higher level of detail than RADIUS. This is why many organizations choose to use TACACS+ for device administration and RADIUS for network access.

I hope this has been helpful!

Laz