AAA Authentication on Cisco IOS

With this configuration, would creds be sent in clear text?

Hi Justin,

RADIUS encrypts the password in access request packets but that’s it. Other stuff like the username is left unencrypted.

TACACS+ does encrypt the entire packet (but not the header).

Rene

1 Like
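The distinction in the reply above (RADIUS hides only the password, TACACS+ hides the whole body but not the header) can be checked against the public RFC algorithms. The Python below is an added example, not code from the forum thread or from Cisco: it builds a minimal RADIUS Access-Request and a minimal TACACS+ packet from constructed credentials and a constructed shared secret, then reports which strings still appear verbatim in each packet. The TACACS+ body it packs is a constructed placeholder, not the real START/CONTINUE layout.

```python
"""Added example (not from the forum thread): what RADIUS and TACACS+ actually
hide on the wire, implemented from the public RFC algorithms.

- RADIUS (RFC 2865 section 5.2) obscures only the User-Password attribute with
  MD5(secret + authenticator) XORed over 16-octet blocks; User-Name and every
  other attribute travel in clear text.
- TACACS+ (RFC 8907 section 4.5) XORs the whole packet body with an MD5-derived
  pad; the 12-octet header stays in clear text.
All secrets, passwords, identifiers and session ids are constructed samples.
"""
import hashlib
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- RADIUS User-Password hiding (RFC 2865) ----
def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c1 = p1 XOR MD5(S+RA), c_n = p_n XOR MD5(S+c_{n-1}); password NUL-padded to 16 octets."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 octet passwords")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse: anyone holding the shared secret and the packet recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out, prev = out + _xor(chunk, hashlib.md5(secret + prev).digest()), chunk
    return out.rstrip(b"\x00")


def radius_access_request(username, password, secret, authenticator) -> bytes:
    """Minimal Access-Request (code 1, constructed identifier 42): User-Name(1) + User-Password(2)."""
    hidden = radius_hide_password(password, secret, authenticator)
    avps = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, 42, 20 + len(avps)) + authenticator + avps


# ---- TACACS+ body obfuscation (RFC 8907) ----
def tacacs_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id+key+version+seq_no); pad_n = MD5(same + pad_{n-1})."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body, session_id, key, version=0xC0, seq_no=1) -> bytes:
    """XOR is its own inverse, so the same call de-obfuscates a received body."""
    return _xor(body, tacacs_pad(session_id, key, version, seq_no, len(body)))


def tacacs_packet(body, session_id, key, version=0xC0, seq_no=1) -> bytes:
    """Clear 12-octet header (version, type=1 authen, seq_no, flags, session_id, length) + obfuscated body."""
    header = struct.pack("!BBBB4sI", version, 1, seq_no, 0, session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, version, seq_no)


def cleartext_fields(username: bytes, password: bytes,
                     secret: bytes = b"MY_KEY",
                     authenticator: bytes = bytes(range(16)),   # constructed; normally random
                     session_id: bytes = b"\x01\x02\x03\x04") -> dict:
    """Which credential strings are visible verbatim in each protocol's packet."""
    rad = radius_access_request(username, password, secret, authenticator)
    # Constructed body for illustration (real authentication START/CONTINUE
    # layouts differ); it only matters that both strings sit inside the body.
    tac = tacacs_packet(b"user=" + username + b" pass=" + password, session_id, secret)
    return {
        "radius_username_clear": username in rad,
        "radius_password_clear": password in rad,
        "tacacs_username_clear": username in tac,
        "tacacs_password_clear": password in tac,
    }


if __name__ == "__main__":
    for k, v in cleartext_fields(b"justin", b"hunter2").items():
        print(f"{k:24s} {v}")
```

Both schemes are MD5 pads derived from the shared secret rather than real encryption: whoever knows the secret, or can guess a weak one from a capture, undoes them with the same functions, so the strength of the shared key matters as much as the choice of protocol.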

I have this configuration on my router; please can you help me understand it? My initial understanding is as below:
! this is the AAA authentication password prompt if the TACACS authentication fails (meaning with TACACS authentication this is not shown)
aaa authentication password-prompt Backup_Authentication_Password:
! this is the AAA authentication username prompt if the TACACS authentication fails (meaning with TACACS authentication this is not shown)
aaa authentication username-prompt Backup_Authentication_Username:
! this will let the switch first use an external AAA server with the TACACS+ protocol, then use local
aaa authentication login default group tacacs+ local
! Enable authorization on the console through the AAA server (it’s disabled by default on the console)
aaa authorization console
! Enable authorization through the AAA server for configuration mode on the router
aaa authorization config-commands
! All authorization for VTY or console or for configuration mode will use local, then the external AAA server
aaa authorization exec default local group tacacs+
! All these levels below will use the external AAA server, and the commands will also be defined in the AAA server
aaa authorization commands 0 default local group tacacs+ if-authenticated
aaa authorization commands 1 default local group tacacs+
aaa authorization commands 15 default local group tacacs+

Also, I have a question about the authorization server configuration: what needs to be done for each authorization line to work as expected?

Thanks,
Samer Abbas

Hello Samer

I’ll try to respond to each of your comments:

Actually, the aaa authentication password-prompt command simply changes the text of the prompt when the password is to be input by the user. In this case, the text string “Backup_Authentication_Password” will be displayed for the user to enter the password. More info on this here: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfathen.html#wp1018042

This defines the text of the prompt for the username in a similar manner as that shown above for the password. You can find more info here: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfathen.html#wp1018209

For the rest of the commands you are essentially correct. Take a look at the following links for clarification:

aaa authorization console: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfauth.html#wp1024046
aaa authorization config-commands: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfauth.html#wp1021814
aaa authorization commands: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfauth.html#wp1017390

Concerning this question, I’m not sure what you mean. Can you clarify?

I hope this has been helpful!

Laz

Thank you very much Laz for all the links.

To clarify my question: I have some doubts about how the authorization commands work with an AAA server (like ACS). Will the ACS look at the username or the level number? And do you have to define the commands that you can run under each user or level number? In my configuration I don’t really assign commands except for level 1, like below:

privilege exec level 1 ping
privilege exec level 1 show startup-config
privilege exec level 1 show running-config
privilege exec level 1 show configuration
privilege exec level 1 show

I hope this helps to clarify my question.

Samer Abbas

Hello Samer

You can configure the privilege level that a user has via the AAA server. However, the actual privilege levels, that is what each level corresponds to as far as allowable commands, must be configured on the device itself.

More info as well as several examples using TACACS+ and RADIUS can be found here:

I hope this has been helpful!

Laz

login authentication AUTH_LIST

In the syntax for login authentication, what does the AUTH_LIST do? Is it a variable for the name of an access-list?

Or is login authentication AUTH_LIST an actual executable command for VTY ports?

Hello Alexander

The login authentication enables AAA authentication for logins on the particular VTY port. The argument that follows is defined using the following command:

R1(config)#aaa authentication login { default | list-name } method1 [ method2 . . . ]

In the example you gave, AUTH_LIST can be a list-name that is defined by this command and that includes the list of authentication methods that follow. (AUTH_LIST is not an actual keyword, but is defined by the user.)

So for example, we could use a command such as:

R1(config)#aaa authentication login MY_LIST group radius group tacacs+ local

In such a case, first the configured RADIUS server would be attempted, then the configured TACACS server, and if those failed, the local database would be used. We can then apply this in the VTY lines like so:

R1(config)#line vty 0 4
R1(config-line)#login authentication MY_LIST

I hope this has been helpful!

Laz

Hello.

I have a question about AAA with the local database. Does it support a limited or an unlimited (very large) number of usernames and passwords?

Hello Boris

As far as I know, there is no limitation to the number of users on the local database except for physical memory. I have been unable to find any documentation that indicates that there is a limitation, so I believe it’s safe to say that there is none, beyond system resources.

I hope this has been helpful!

Laz

Hello Laz
Thank you very much

1 Like

I looked through the past replies and Google before asking this question:
Unable to log in to privileged mode as either user after getting access to enable mode.
I can log in with the configured local user LOCAL_ENABLE successfully when the RADIUS server is down, but logging in as a configured RADIUS user does not work.

aaa new-model
aaa authentication login default group radius local
aaa authentication login VTY local
aaa authentication enable default group radius enable
aaa session-id common
enable password LOCAL_ENABLE
username LOCAL_ADMIN password 0 MY_PASSWORD

Hello Donald

There are a couple of things I can see here. First of all you have the following command:

aaa authentication enable default group radius enable

I assume this is a typo and you mean:

aaa authentication enable default group radius

Secondly, and more importantly, I don’t see any RADIUS server configured in the above configuration. You need something like this, as shown in the lesson:

radius server MY_RADIUS
 address ipv4 192.168.1.200 auth-port 1812 acct-port 1813
 key MY_KEY

This will allow the router to query the specific radius server (once it is set up and configured) for authentication. Without this, the device will fail in any attempt to connect via the RADIUS server.

Now having said that, if you already have your RADIUS server set up, then the next step is to look at some of the logs of the RADIUS server to see why login is failing. If you look at those, it will give you a better understanding of where the problem lies. Are requests even reaching the server? If not, connectivity must be troubleshot. If they are, then the configuration of the server must be the next step.

Take a look at these and let us know your progress. If you have additional questions, we’re here to help you out…

I hope this has been helpful!

Laz
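The method-list walk explained in the reply to Alexander above, together with the missing-server problem in this RADIUS post, as an added example in Python (not the thread's own code and not a Cisco tool): it parses aaa authentication/authorization lines, models the left-to-right walk in which the next method is consulted only on ERROR (no server answered) and never on FAIL (the server rejected the credentials), and flags lists that name group radius or group tacacs+ when no such server is configured. The server outcomes fed to evaluate() are constructed; the sample configuration is the one quoted in the post above, with its placeholder passwords.

```python
"""Added example, not code from the forum thread or from Cisco: a small model of
how IOS walks an AAA method list, plus a sanity check for the misconfiguration
in the RADIUS post above (a list naming 'group radius' with no RADIUS server).

Modelled semantics (Cisco AAA documentation): methods are tried left to right,
and the next method is consulted only when the current one returns ERROR (no
server answered). A FAIL (the server answered "reject") ends the walk, so
'group tacacs+ local' does NOT fall back to local on a wrong password.
Server outcomes passed to evaluate() are constructed sample values.
"""
import re

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

_LIST_RE = re.compile(r"^aaa (authentication|authorization) (\w+)(?: (\d+))? (\S+) (.+)$")


def parse_method_list(line: str):
    """Parse one 'aaa authentication ...' / 'aaa authorization ...' method list.
    Returns None for lines that are not method lists (e.g. 'aaa new-model')."""
    m = _LIST_RE.match(line.strip())
    if not m:
        return None
    kind, service, level, name, rest = m.groups()
    toks, methods, i = rest.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):   # 'group radius' / 'group tacacs+' / 'group NAME'
            methods.append("group " + toks[i + 1])
            i += 2
        else:                                           # local, enable, line, none, if-authenticated ...
            methods.append(toks[i])
            i += 1
    return {"type": kind, "service": service, "level": int(level) if level else None,
            "list": name, "methods": methods}


def evaluate(methods, outcomes, authenticated=False):
    """Walk a method list. `outcomes` maps a method to PASS/FAIL/ERROR; a method
    with no entry is treated as ERROR (unreachable or unconfigured).
    Returns (result, deciding_method)."""
    for method in methods:
        if method == "none":
            return PASS, method
        if method == "if-authenticated":
            return (PASS if authenticated else FAIL), method
        result = outcomes.get(method, ERROR)
        if result != ERROR:
            return result, method          # PASS or FAIL: the walk stops here
    return FAIL, None                      # every method errored: access denied


def check_config(config_text: str):
    """Flag method lists that name a RADIUS/TACACS+ group with no server configured,
    and AAA lists present without 'aaa new-model'. Named groups from
    'aaa group server ...' are not resolved here (kept simple)."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    have = {
        "radius": any(l.startswith(("radius server ", "radius-server host ")) for l in lines),
        "tacacs+": any(l.startswith(("tacacs server ", "tacacs-server host ")) for l in lines),
    }
    lists = [(l, p) for l in lines if (p := parse_method_list(l))]
    findings = []
    if lists and "aaa new-model" not in lines:
        findings.append("AAA method lists present but 'aaa new-model' is missing")
    for line, parsed in lists:
        for method in parsed["methods"]:
            group = method[6:] if method.startswith("group ") else None
            if group in have and not have[group]:
                findings.append(f"'{line}' uses '{method}' but no {group} server is configured")
    return findings


# Constructed sample: the configuration quoted in the RADIUS post above, before
# the server block was added (password values are placeholders).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login VTY local
aaa authentication enable default group radius enable
aaa session-id common
enable password LOCAL_ENABLE
username LOCAL_ADMIN password 0 MY_PASSWORD
"""

if __name__ == "__main__":
    for f in check_config(SAMPLE_CONFIG):
        print("finding:", f)
    login = parse_method_list("aaa authentication login default group tacacs+ local")["methods"]
    print("server down, local ok  :", evaluate(login, {"group tacacs+": ERROR, "local": PASS}))
    print("server rejects password:", evaluate(login, {"group tacacs+": FAIL, "local": PASS}))
```

The ERROR-versus-FAIL rule is the security-relevant part: the local fallback only takes over when the server cannot be reached, so a rejected password is not retried against the local database. A list written as local group tacacs+ (as in the authorization lines earlier in the thread) reverses the order and consults the local database first.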

Zone_Firewall#sh run | inc radius
aaa authentication login default group radius local
aaa authentication enable default group radius enable
radius-server host 193.168.1.47 auth-port 1812 acct-port 1813
radius-server key MY_KEY

Below is what is in the config tutorial on Network Lessons for - “AAA Authentication on Cisco IOS”. I thought the second enable was fall back in case RADIUS was down?

Let’s also configure the router to use the RADIUS server when we want to enter enable (privileged) mode:

R1(config)#aaa authentication enable default group radius enable

The command above tells the router to use the default authentication list and all available RADIUS servers. When the RADIUS server is unavailable, we fall back to using a local enable password. Let’s make sure there is a local enable password:

I will check the logs and let you know what I find. Thanks

There was a syntax error in the users config file on the RADIUS server for the user below:
enable15 instead of enab15
It works fine now. Thanks for your help.

Hi Donald

Great to hear that it has been resolved, and thanks for sharing the information.

Laz

I do have a question. If I use the command below, is it correct that RADIUS log messages will contain the loopback interface IP address instead of the physical interface?

ip radius source-interface Loopback0

Thanks

Hello Donald

This command will force the RADIUS operation on the device to use the IP address of the loopback interface for all outgoing RADIUS packets. This means that all RADIUS communication will take place via this loopback interface. As a result, in any RADIUS log messages that reference the IP address used for the RADIUS communication, this loopback IP address should appear.

I hope this has been helpful!

Laz

I’ve got a strange TACACS issue. I have a working, very basic TACACS config using the free version of tacacs.net running on a Windows 10 laptop. The issue is that when I telnet to a device configured to use TACACS, I get my custom username and password prompts that I set up on the server. When I use SSH, however, it doesn’t query the server until AFTER I enter my username, so, in effect, I get a local username prompt followed by a custom TACACS password prompt. Do you know why this would be?

Hello Aaron

That’s interesting. When first reading through this, my first instinct was that it is because of the way SSH sends credentials. Looking deeper into the issue, there are several reasons this may be happening. The most common is the use of the password authentication method, where keyboard-interactive mode should be used instead. Otherwise, TACACS can’t send anything to the client until authentication has been successfully performed.

I don’t know the specific TACACS implementation, but depending on what parameters it has, you will have to change the authentication procedure.

I hope this has been helpful!

Laz