When we think of an AAA server we think about Radius and TACACS+ servers: the servers responsible for authentication, authorization and accounting. What an AAA server is, what we can get out of it and how to use it, let's check on real examples.
If you administer a few network devices, using the local AAA database may be a good idea, but if you have to deal with dozens of routers, switches and servers, local AAA turns out not to be efficient. Let's consider an example. It is good practice to change passwords on a regular basis, so imagine how much effort it takes to change the password on 50 devices. With a centralized database such as an external AAA server you do that by changing one single entry.
The main role of the AAA server, in short, is keeping user accounts together with their rights. What about accounting? Accounting may be used to charge users for the use of our resources, such as Internet access, issuing the billing etc., but also to monitor which users use the resources and how.
There are two protocols that support AAA, namely Radius and TACACS+. They do essentially the same job, but unlike Radius, TACACS+ encrypts the entire packet, while Radius encrypts only the password. Radius also combines authentication and authorization, whereas TACACS+ keeps everything separate. Radius works over UDP on the standard ports 1812/1813 or the legacy ports 1645/1646; TACACS+ works over TCP port 49. TACACS+ supports authentication, Exec Authorization, Command Authorization, Exec Accounting and Command Accounting; Radius doesn't support Command Authorization and Command Accounting, which means Radius allows us to set up access to Exec mode but won't let us specify which commands we may run. From the above we see that TACACS+ is better and more granular. Yes it is, but it is only supported on Cisco devices. This is why we use TACACS+ if we want to manage user access based on Role Based Access Control and assign a user not only a particular privilege level but also the commands he may run. Radius we will be using for the authentication of VPN users, EAP authentication in the case of a wireless network, or 802.1x if we are going to use authentication on the switchport.
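To make "Radius encrypts only the password" concrete, here is an added example (my own code, not from the original post or from freeRadius/daloRadius) implementing the RFC 2865 User-Password hiding and building a minimal Access-Request as R1 (192.168.1.1) would send for the user 'marcin'; the shared secret, password and Request Authenticator are constructed values.

```python
import hashlib
import os
import struct

# RADIUS packet code and attribute types from RFC 2865
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Mask a password the way the NAS does (RFC 2865 section 5.2):
    c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    size = max(16, (len(password) + 15) // 16 * 16)      # pad with NULs to 16-byte blocks
    padded = password.ljust(size, b"\x00")
    prev, hidden = authenticator, b""
    for i in range(0, size, 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block                                       # chain on the masked block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse operation, as performed by the RADIUS server; strips NUL padding."""
    prev, clear = authenticator, b""
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def access_request(ident: int, user: str, password: str, secret: bytes,
                   nas_ip: str = "192.168.1.1", authenticator: bytes = b"") -> bytes:
    """Build the Access-Request R1 would send for an SSH login. Only the
    User-Password value is masked; User-Name and NAS-IP-Address are cleartext."""
    ra = authenticator or os.urandom(16)                   # 16-byte Request Authenticator
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs
```

Dumping the returned packet shows the user name and NAS address in clear and only the 16-byte password blocks masked, which is why the shared secret must be strong and the RADIUS traffic kept on a trusted management network.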
The “Triple A” server, as I mentioned, is responsible for:
authentication – validates who you are
authorization – what you are allowed to do
accounting – tracks what you have done
There are many AAA Radius servers; one of the most popular free ones is freeRadius. In the labs below I will be using daloRadius, which is actually freeRadius with a GUI. TACACS+ servers are ACE or ISE, very robust Cisco software that supports Radius as well.
Let me show you two examples of using the Radius server: first we configure SSH in conjunction with Radius, then we configure 802.1x.
I used Cisco c7200 routers with IOS 15.2. I mention that because the syntax of the radius commands has changed over time, so it may be a little different on other IOS versions.
First let's configure daloRadius, which is pretty simple. I've configured the NAS as router R1 with IP address 192.168.1.1 and the user 'marcin'. We also have a preview of logged-on users.
SSH and AAA
I assume you have configured the interfaces according to the diagram:
Now, let's configure router R1:
1. First we have to create a domain name and generate a public/private key pair
2. Then we have to point to the radius server we will be connecting to in order to authenticate users
3. Now we may test connectivity with the daloRadius server
4. We create a new list, SSH-LIST, instead of using the default list and attach it to the vty lines; we also change the default Telnet on the terminal to SSH
Now, let's try to connect to R1 from R2:
and some verification on R1 with the 'WHO' command:
dot1x – Port Based Authentication and AAA
This lab will be a little bit more complicated. I removed daloRadius and used a Windows 2012 R2 Network Access Policy server with a deployed Radius server. I assume you know how to deploy the NAP server, otherwise this article would be TL;DR. So the network diagram looks like this:
I've decided to use PEAP as the EAP protocol and MSCHAPv2 as the authentication protocol. This requires the deployment of a Certificate Authority on the Windows 2012 server, because the NAP server is authenticated via certificate, while the host is authenticated via login/password from Active Directory, which also has to run on the server. The authenticated host doesn't have to be in the domain that NAP belongs to. The NAP tab with the authentication methods looks like this:
On the Windows 7 machine don't forget to turn on the 'Wired AutoConfig' service and set up the 'Authentication' tab in the network card properties appropriately.
Now let’s go over the switch configuration:
aaa new-model
! global AAA must be enabled before the aaa authentication/authorization commands are accepted
! the radius server and its key are defined globally as in the SSH lab (not shown here)
aaa authentication dot1x default group radius
aaa authorization network default group radius
! enables 802.1x globally on the switch
dot1x system-auth-control
interface g0/0
! the switch port acts as the authenticator, the Windows 7 host is the supplicant
dot1x pae authenticator
! the port stays unauthorized until the host authenticates successfully
authentication port-control auto
If you want to find out more about dot1x authentication, I recommend reading this article: http://itbundle.net/archives/2466