
AAA – RADIUS and TACACS+ – Authentication servers and not only, with examples of use

When we think of an AAA server we think of RADIUS and TACACS+ servers, the servers responsible for authentication, authorization and accounting. What an AAA server is, what we can get from it and how to use it: let's check it on real examples.

If you administer a few network devices, using a local AAA database may be a good idea, but if you have to deal with dozens of routers, switches and servers, local AAA turns out not to be efficient. Let's consider an example. It is good practice to change passwords on a regular basis, so imagine how much effort you will have to put in to change the password on 50 devices. With a centralized database like an external AAA server you can do that by changing one single entry.

The main role of the AAA server, in short, is keeping user accounts together with their rights. What about accounting? Accounting may be used to charge users for the use of our resources, like access to the Internet, issuing the billing etc., but also to monitor which users use the resources and how.

There are two protocols that support AAA: RADIUS and TACACS+. They do essentially the same thing, but contrary to RADIUS, TACACS+ encrypts the entire packet, while RADIUS encrypts only the password. RADIUS also combines authentication and authorization, whereas TACACS+ keeps everything separate. RADIUS works on the UDP standard ports 1812/1813 or the legacy ports 1645/1646; TACACS+ works on TCP port 49. TACACS+ supports authentication, exec authorization, command authorization, exec accounting and command accounting. RADIUS doesn't support command authorization and command accounting, which means RADIUS allows us to set up access to exec mode but won't allow us to specify which commands a user may run. From the above we see that TACACS+ is better and more granular. Yes it is, but it is only supported on Cisco devices. This is why we use TACACS+ if we want to manage user access based on Role Based Access Control and assign a user not only a particular privilege level but also the commands he may run. RADIUS we will use for authentication of VPN users, EAP authentication in the case of a wireless network, or 802.1X if we are going to use authentication on the switchport.
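As an added example (not from the original post) of the granularity described above, the following IOS 15.x configuration hands both exec and per-command decisions for privileged users to a TACACS+ server; the server address 192.0.2.10, the shared key and the list name ADMIN-TAC are placeholders.

```cisco
! Added example, not from the original post: TACACS+ based RBAC on IOS 15.x.
! 192.0.2.10 and the key are placeholders for your own ACS/ISE server.
aaa new-model
!
tacacs server ACS1
 address ipv4 192.0.2.10
 key TACACS-KEY-PLACEHOLDER
!
! Named method lists; "local" is the fallback only when the server is unreachable
aaa authentication login ADMIN-TAC group tacacs+ local
aaa authorization exec ADMIN-TAC group tacacs+ local
! Each privilege-15 command is sent to the server for a permit/deny decision
! before it runs. RADIUS has no equivalent of the two "commands" lists.
aaa authorization commands 15 ADMIN-TAC group tacacs+ local
aaa authorization config-commands
aaa accounting exec ADMIN-TAC start-stop group tacacs+
aaa accounting commands 15 ADMIN-TAC start-stop group tacacs+
!
line vty 0 4
 login authentication ADMIN-TAC
 authorization exec ADMIN-TAC
 authorization commands 15 ADMIN-TAC
 accounting exec ADMIN-TAC
 accounting commands 15 ADMIN-TAC
 transport input ssh
```

With RADIUS you stop at `aaa authorization exec`; the privilege level is whatever the server returns in the Access-Accept, and there is no per-command permit/deny.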

The “Triple A” server, as I mentioned, is responsible for:
authentication – validates who you are
authorization – what you are allowed to do
accounting – tracks what you have done

There are many AAA RADIUS servers; one of the most popular free ones is FreeRADIUS. In the labs below I will be using daloRADIUS, which is actually FreeRADIUS with a GUI. TACACS+ servers are ACS or ISE, very robust Cisco software that supports RADIUS as well.

Let me show you two examples of using the RADIUS server: first we configure SSH in conjunction with RADIUS, then we configure 802.1X.

I used Cisco c7200 routers with IOS 15.2. I mention it because the syntax of the RADIUS commands has changed over time, so it may be a little different on other IOS versions.

First let's configure daloRADIUS, which is pretty simple. I've configured the NAS as router R1 with its IP address, and the user 'marcin'. We also have a preview of logged-on users.

[screenshot: daloRADIUS NAS entry for R1]

[screenshot: daloRADIUS user creation, user 'marcin']

[screenshot: daloRADIUS last connection attempts]


I assume you have configured the interfaces according to the diagram:

[diagram: AAA lab with daloRADIUS, R1 and R2]

Now, let's configure router R1:

1. First we have to create a domain name and generate a public/private key pair.

2. Then we have to point out the RADIUS server that we will be connecting to in order to authenticate users.

3. Now we can test connectivity with the daloRADIUS server.

4. We create a new list SSH-LIST instead of using the default list and attach it to the vty lines; we also change the default Telnet transport on the terminal lines to SSH.
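Here is R1's side of the four steps above as an added example standing in for the original post's screenshots (not the author's exact configuration); the domain name, the daloRADIUS address 192.0.2.20, the shared key and the local fallback account are placeholders.

```cisco
! Added example, not from the original post: R1 configuration for the SSH + RADIUS lab (IOS 15.2).
! Step 1 - domain name and RSA key pair, required before SSH can be enabled
hostname R1
ip domain-name lab.example
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Step 2 - define the RADIUS server; the NAS entry in daloRADIUS must use the same key
! and must list the source address R1 sends from (see "ip radius source-interface")
aaa new-model
radius server DALO
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key RADIUS-KEY-PLACEHOLDER
!
! Step 3 - from exec mode (not config mode), check reachability and the key before
! touching the vty lines; a correct key and user report the user as authenticated:
!   R1# test aaa group radius marcin <password> new-code
!
! Step 4 - named list SSH-LIST instead of "default", with local fallback, bound to vty;
! the local account only matters when the RADIUS server is unreachable
aaa authentication login SSH-LIST group radius local
username admin privilege 15 secret LOCAL-FALLBACK-PASSWORD
!
line vty 0 4
 login authentication SSH-LIST
 transport input ssh
```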


Now, let's try to connect to R1 from R2:

[screenshot: SSH login from R2 to R1 authenticated by RADIUS]

and some verification on R1 with the 'who' command:

[screenshot: 'who' output on R1 showing the SSH session]

dot1x – Port Based Authentication and AAA

This lab will be a little bit more complicated. I removed daloRADIUS and used a Windows 2012 R2 Network Access Policy server with the RADIUS server deployed. I assume you know how to deploy the NAP server, otherwise this article would be TL;DR. So the network diagram looks like this:

[diagram: 802.1X lab with Windows NAP server, switch and Windows 7 host]

I've decided to use PEAP as the EAP method and MS-CHAPv2 as the inner authentication protocol. This requires deploying a Certificate Authority on the Windows 2012 server, because the NAP server is authenticated via its certificate, while the host is authenticated via login/password from Active Directory, which also has to run on the server. The authenticated host doesn't have to be in the domain the NAP server belongs to. The NAP tab with the authentication methods looks like this:

[screenshot: NAP network policy, authentication methods tab]

On the Windows 7 machine don't forget to turn on the 'Wired AutoConfig' service and to set up the 'Authentication' tab in the network card properties accordingly.

Now let’s go over the switch configuration:

! aaa new-model is required before any aaa command is accepted; the NAP server
! address and key are placeholders (they come from the diagram above)
aaa new-model
radius server NAP
 address ipv4 <NAP-server-IP> auth-port 1812 acct-port 1813
 key <shared-secret>
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control

interface g0/0
 switchport mode access
 dot1x pae authenticator
 authentication port-control auto

If you want to find out more about dot1x authentication I recommend reading this article http://itbundle.net/archives/2466 
