With this configuration, would creds be sent in clear text?
Hi Justin,
RADIUS encrypts the password in access request packets but that's it. Other stuff like the username is left unencrypted.
TACACS+ does encrypt the entire packet (but not the header).
Rene
I have this configuration on my router; please can you help me understand it? My initial understanding is as below:
! this is the aaa authentication password prompt if the TACACS authentication has failed (meaning with TACACS authentication this is not shown)
aaa authentication password-prompt Backup_Authentication_Password:
! this is the aaa authentication username prompt if the TACACS authentication has failed (meaning with TACACS authentication this is not shown)
aaa authentication username-prompt Backup_Authentication_Username:
! this will let the switch first use an external aaa server with the tacacs+ protocol, then use local
aaa authentication login default group tacacs+ local
! Enable authorization on the console through the aaa server (it's disabled by default on the console)
aaa authorization console
! Enable authorization through the aaa server for configuration mode on the router
aaa authorization config-commands
! All authorization for VTY or console or for configure mode will use local, then the aaa external server
aaa authorization exec default local group tacacs+
! All these levels below will use the aaa external server, and also the commands will be defined in the aaa server
aaa authorization commands 0 default local group tacacs+ if-authenticated
aaa authorization commands 1 default local group tacacs+
aaa authorization commands 15 default local group tacacs+
Also, I have a question about the authorization server configuration: what needs to be done for each authorization line to work as expected?
Thanks,
Samer Abbas
Hello Samer
I'll try to respond to each of your comments:
Actually, the aaa authentication password-prompt command simply changes the text of the prompt when the password is to be input by the user. In this case, the text string "Backup_Authentication_Password" will be displayed for the user to enter the password. More info on this here: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfathen.html#wp1018042
This defines the text of the prompt for the username in a similar manner as that shown above for the password. You can find more info here: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfathen.html#wp1018209
For the rest of the commands you are essentially correct. Take a look at the following links for clarification:
aaa authorization console: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfauth.html#wp1024046
aaa authorization config-commands: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfauth.html#wp1021814
aaa authorization commands: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfauth.html#wp1017390
Concerning this question, I'm not sure what you mean. Can you clarify?
I hope this has been helpful!
Laz
Thank you very much Laz for all the links.
To clarify my question: I have some doubts about how the authorization commands work with an aaa server (like ACS). Will the ACS look at the username or the level number? And do you have to define the commands that you can run under each user or level number? In my configuration I don't really assign commands except for level 1, like below:
privilege exec level 1 ping
privilege exec level 1 show startup-config
privilege exec level 1 show running-config
privilege exec level 1 show configuration
privilege exec level 1 show
I hope this helps to clarify my question.
Samer Abbas
Hello Samer
You can configure the privilege level that a user has via the AAA server. However, the actual privilege levels, that is what each level corresponds to as far as allowable commands, must be configured on the device itself.
More info as well as several examples using TACACS+ and RADIUS can be found here:
I hope this has been helpful!
Laz
login authentication AUTH_LIST
The syntax for login authentication: what does the AUTH_LIST do? Is it a variable for the name of an access-list? Or is login authentication AUTH_LIST an actual executable command for VTY ports?
Hello Alexander
The login authentication command enables AAA authentication for logins on the particular VTY port. The argument that follows is defined using the following command:
R1(config)#aaa authentication login { default | list-name } method1 [ method2 . . . ]
In the example you gave, AUTH_LIST can be a list-name that is defined by this command, which includes the list of methods of authentication that follow. (AUTH_LIST is not an actual keyword, but is defined by the user.)
So for example, we could use a command such as:
R1(config)#aaa authentication login MY_LIST group radius group tacacs+ local
In such a case, first the configured RADIUS server would be attempted, then the configured TACACS server, and if those failed, the local database would be used. We can then apply this in the VTY lines like so:
R1(config)#line vty 0 4
R1(config-line)#login authentication MY_LIST
I hope this has been helpful!
Laz
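The fallback order in a method list is easy to misread, so here is an added example (not from the thread, and not IOS code) that simulates it in Python. It assumes the documented IOS rule that the next method in the list is consulted only when the previous one returns an error (for example, no server reachable), not when the server was reached and actively rejected the credentials. The user names and passwords are constructed; LOCAL_ADMIN and MY_PASSWORD are reused from later in this thread.

```python
"""Simulation of an IOS-style AAA login method list such as
'aaa authentication login default group radius local'.
Added example with constructed users; not Cisco's implementation."""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method reached a decision: accept
    FAIL = "fail"    # method reached a decision: reject
    ERROR = "error"  # method could not decide (server unreachable, etc.)


def make_server(users: dict, reachable: bool = True):
    """A RADIUS/TACACS+ style method: ERROR when unreachable, otherwise PASS/FAIL."""
    def method(username: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(username) == password else Result.FAIL
    return method


def make_local(users: dict):
    """The 'local' method: checks the device's own username database."""
    def method(username: str, password: str) -> Result:
        return Result.PASS if users.get(username) == password else Result.FAIL
    return method


def authenticate(method_list, username: str, password: str):
    """Walk the list in order. Only ERROR moves on to the next method;
    PASS and FAIL are final. Returns (outcome, index of the deciding method)."""
    for index, method in enumerate(method_list):
        result = method(username, password)
        if result is Result.ERROR:
            continue  # fall through to the next configured method
        return result, index
    return Result.ERROR, None  # every method errored: the login does not succeed


# Constructed databases (assumption: these users exist only in the named store)
RADIUS_USERS = {"donald": "radius-pw"}
LOCAL_USERS = {"LOCAL_ADMIN": "MY_PASSWORD"}


def scenario(radius_up: bool) -> dict:
    """'group radius local' with the RADIUS server either reachable or down."""
    methods = [make_server(RADIUS_USERS, reachable=radius_up), make_local(LOCAL_USERS)]
    return {
        "radius_user": authenticate(methods, "donald", "radius-pw"),
        "local_user": authenticate(methods, "LOCAL_ADMIN", "MY_PASSWORD"),
        "bad_password": authenticate(methods, "donald", "wrong"),
    }


if __name__ == "__main__":
    for state in (True, False):
        print("RADIUS reachable:" if state else "RADIUS down:    ", scenario(state))
```

The instructive case is the local-only user while RADIUS is reachable: the server answers FAIL, which is a decision, so the device never tries the local database. The local fallback only helps when the server cannot be reached at all, which is exactly the behaviour you want if the goal is that a reject from the central server cannot be bypassed.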
Hello.
I have a question about AAA with the local database. Does it support limited or unlimited (a lot of) number of username and passwords?
Hello Boris
As far as I know, there is no limitation to the number of users on the local database except for physical memory. I have been unable to find any documentation that indicates that there is a limitation, so I believe it's safe to say that there is none, beyond system resources.
I hope this has been helpful!
Laz
Hello Laz
Thank you very much
I looked through the past replies and Google before asking this question:
Unable to log in to privilege mode as either user after getting access to enable mode.
I can log in with the configured local user LOCAL_ENABLE successfully when the RADIUS server is down, but logging in as a configured RADIUS user does not work.
aaa new-model
aaa authentication login default group radius local
aaa authentication login VTY local
aaa authentication enable default group radius enable
aaa session-id common
enable password LOCAL_ENABLE
username LOCAL_ADMIN password 0 MY_PASSWORD
Hello Donald
There are a couple of things I can see here. First of all you have the following command:
aaa authentication enable default group radius enable
I assume this is a typo and you mean:
aaa authentication enable default group radius
Secondly, and more importantly, I don't see any RADIUS server configured in the above configuration. You need something like this, as shown in the lesson:
radius server MY_RADIUS
address ipv4 192.168.1.200 auth-port 1812 acct-port 1813
key MY_KEY
This will allow the router to query the specific radius server (once it is set up and configured) for authentication. Without this, the device will fail in any attempt to connect via the RADIUS server.
Now having said that, if you already have your RADIUS server set up, then the next step is to look at some of the logs of the RADIUS server to see why login is failing. If you look at those, it will give you a better understanding of where the problem lies. Are requests even reaching the server? If not connectivity must be troubleshot. If they are, then configuration of the server must be the next step.
Take a look at these and let us know your progress. If you have additional questions, we're here to help you out…
I hope this has been helpful!
Laz
Zone_Firewall#sh run | inc radius
aaa authentication login default group radius local
aaa authentication enable default group radius enable
radius-server host 193.168.1.47 auth-port 1812 acct-port 1813
radius-server key MY_KEY
Below is what is in the config tutorial on Network Lessons for "AAA Authentication on Cisco IOS". I thought the second enable was fall back in case RADIUS was down?
Let's also configure the router to use the RADIUS server when we want to enter enable (privileged) mode:
R1(config)#aaa authentication enable default group radius enable
The command above tells the router to use the default authentication list and all available RADIUS servers. When the RADIUS server is unavailable, we fall back to using a local enable password. Let's make sure there is a local enable password:
I will check the logs and let you know what I find. Thanks
There was a syntax error in the users config file on the RADIUS server for the user below
enable15
instead of enab15
Works fine now. Thanks for your help
Hi Donald
Great to hear that it has been resolved, and thanks for sharing the information.
Laz
I do have a question. If I use the command below, is it correct that RADIUS log messages will contain the loopback interface IP address instead of the physical interface?
ip radius source-interface Loopback0
Thanks
Hello Donald
This command will force the RADIUS operation on the device to use the IP address of the loopback interface for all outgoing RADIUS packets. This means that all RADIUS communication will take place via this loopback interface. As a result, in all RADIUS log messages that reference the IP address of the RADIUS communication, this IP address should appear.
I hope this has been helpful!
Laz
I've got a strange TACACS issue. I have a working very basic TACACS config using the free version of tacacs.net running on a Windows 10 laptop. The issue is that when I telnet to a device configured to use TACACS, I get my custom username and password prompts that I set up on the server. When I use SSH however, it doesn't query the server until AFTER I enter my username so, in effect, I get a local username prompt followed by a custom TACACS password prompt. Do you know why this would be?
Hello Aaron
That's interesting. When first reading through this, my first instinct was that it is because of the way SSH sends credentials. Looking deeper into the issue, there are several reasons this may be happening. The most common is the use of the password authentication method, where keyboard-interactive mode should be used. Otherwise, TACACS can't send anything to the client until authentication has been successfully performed.
I don't know the specific TACACS implementation, but depending on what parameters it has, you will have to change the authentication procedure.
I hope this has been helpful
Laz