AAA on Cisco IOS Routers
Note: From version 4.17, though Cisco Security Manager continues to support IOS features/functionality, it does not support any bug fixes or enhancements.
Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which you set up access control on your Cisco IOS router. Use the AAA policy in Security Manager to enable AAA functionality on Cisco IOS routers and to configure default AAA settings. The default settings that you define in this policy can be used in other policies, such as HTTP and line access (console and VTY) policies. Enabling AAA functionality is a prerequisite for any device policy that makes use of AAA, including NAC, SDP, and 802.1x.
For more information about AAA, see:
To configure an AAA policy, see:
Related Topics
Supported Authorization Types
AAA authorization enables you to limit the services available to an authenticated user. Security Manager supports the following types of authorization:
- Network—Authorizes various types of network connections, such as PPP, SLIP, and ARAP.
- EXEC—Authorizes the launching of EXEC (CLI) sessions.
- Command—Authorizes the use of all EXEC mode commands that are associated with specific privilege levels.
When authorization is enabled, the router uses information retrieved from the user’s profile to configure the user session. The profiles are located either in the local user database or on a security server. Users are granted access to a requested service only if the profile allows it.
Related Topics
Supported Accounting Types
AAA accounting enables you to track the services the users are accessing and the amount of network resources that they are consuming. Security Manager supports the following accounting types:
- Connection—Records information about all outbound connections made from this device, such as Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler (PAD), and rlogin connections.
  For example, a RADIUS connection accounting record for an outbound Telnet connection includes such information as the port and IP address of the network access server (NAS), the start and end times of the connection, the identity of the user, and the number of packets that were transmitted during the session.
- EXEC—Records information about user EXEC (CLI) sessions on the devices, including the username, date, start and stop times, and the IP address of the NAS. For dial-in users, the record includes the telephone number from which the call originated.
- Command—Records information about the EXEC commands executed on the device by users with specific privilege levels. Each command accounting record includes a list of the commands executed for that privilege level, the date and time each command was executed, and the name of the user who executed it.
For each accounting type, you can choose whether you want to generate an accounting record at the start and end of each user session or only at the end.
When AAA accounting is enabled, the router sends accounting records of user activity to the TACACS+ or RADIUS security server. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This data can later be analyzed for network management, client billing, and auditing purposes.
Related Topics
Understanding Method Lists
A method list is a sequential list describing the methods to use to perform a particular AAA function. In Security Manager, you define method lists by selecting AAA server groups, which are reusable objects that typically contain one or more AAA servers running the same protocol, such as RADIUS or TACACS+. Method lists enable you to designate one or more security protocols to be used for each AAA function, thus ensuring a backup system if the initial method fails.
Note: Security Manager also contains predefined AAA server group objects for using the enable password or a local database. See Predefined AAA Authentication Server Groups.
For each AAA function, the device initially uses the first method defined in the list. If that method fails to respond, the device selects the next method in the list. This process continues until there is successful communication with a listed method, or all methods defined in the method list are exhausted.
Note: The device attempts to communicate with the next listed method only when there is no response from the previous method. If the AAA service fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access or services—the process stops and no other methods are attempted.
Related Topics
Defining AAA Services
To define AAA services on a Cisco IOS router, you must first enable AAA functionality on the router. After you do this, you can define the kind of functionality (authentication, authorization, and accounting) that you want the device to implement. You must define a method list for each function, including lists for each type of authorization and accounting that you enable.
For example, if you want to configure EXEC authorization and command authorization, you must define one method list for EXEC authorization and an additional method list for each privilege level on which command authorization is performed.
Note: If you use RADIUS for authentication, you must use the same RADIUS server group for authorization as well.
Related Topics
Procedure
Step 1: Do one of the following:
The AAA page is displayed. See AAA Policy Page for a description of the fields on this page.
Step 2: Define which login authentication methods to use for users who access the device:
Step 3: (Optional) In the Maximum Number of Attempts field, define the maximum number of unsuccessful authentication attempts to allow before a user is locked out.
Step 4: (Optional) Define which authorization methods to use for users who have been successfully authenticated:
Step 5: (Optional) Define which accounting methods to use for the activities performed by users: