AAA authentication configuration

AAA authentication method list

Examples of the method list

General process of AAA authentication configuration

Detailed description of AAA authentication method

Use AAA to configure login authentication

Use AAA to perform PPP authentication

Turn on password protection when entering into privilege level

Change the character string while prompted to input password

Establish local authentication database

Examples of AAA authentication configuration

Example of RADIUS authentication

Examples of TACACS+ authentication

 

Before users are allowed to access the network, their identity must be authenticated.

AAA authentication method list

To configure authentication, first define a named authentication method list and then apply that list to the relevant interfaces. The method list defines the authentication types to be performed and the order in which they are tried; any method list you define must be applied to a specific interface before it takes effect. The only exception is the default method list (default), which is applied automatically to every interface that does not explicitly reference another method list; where an interface does reference another list, that list replaces the default.

A method list is the ordered list of authentication methods queried when identifying a user. In the method list you can designate one or more security protocols, which guarantees that a backup authentication system is available if the first method fails to respond. The router software uses the first authentication method in the list to identify the user; if that method receives no response, it automatically uses the next method in the list. This process continues until one of the methods authenticates the user successfully or all the methods have been tried.

It is vital to note that the router software tries the next authentication method in the list only when the previous method receives no response. If authentication fails at any point in the process, that is, if the security server or local user database denies the user access, the authentication process stops and no other authentication method is tried.

Examples of the method list

Figure 1 shows a representative AAA network configuration that includes four security servers: R1 and R2 are RADIUS servers, and T1 and T2 are TACACS+ servers.

Figure 1

Suppose the system administrator decides to apply the same authentication method on all interfaces to identify connections based on PPP: first contact R1 for the authentication information; if R1 does not respond, contact R2; if R2 does not respond either, contact T1; if T1 does not respond either, contact T2; and if none of the designated servers respond, hand the authentication over to the local username database of the access server itself. To achieve this, the system administrator enters the following command to create a default method list: aaa authentication ppp default radius local.

In this example, default is the name of the method list. The protocols included in this method list are listed after the name, in the order in which they are queried. The default list is applied automatically to all interfaces.

When a remote user tries to enter the network over a dial-up connection, the network access server first queries R1 for the authentication information. If the user is authenticated, R1 sends a PASS reply to the network access server, which permits the user to access the server. If R1 returns a FAIL reply, the user is denied and the session is ended. If R1 does not respond, the network access server treats this as an ERROR and queries R2 for the authentication information. This pattern continues through the remaining methods until the user is accepted or denied, or the session is ended.

It is important to remember that a FAIL reply is entirely different from an ERROR. FAIL means the user did not meet the criteria held in the authentication database and so could not be authenticated; authentication ends with a FAIL reply. ERROR means the security server did not respond to the authentication query. Only when AAA detects an ERROR does it select the next authentication method in the method list.
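The PASS/FAIL/ERROR rule above, and the later notes that none should only be the last, backup method in a login, PPP or enable list, can be modelled in a few lines. This is an added example, not code from the manual or from the router software; the local database and the RADIUS/TACACS+ stand-ins are constructed so that it runs offline.

```python
"""Simulation of how an AAA method list is evaluated, following the PASS /
FAIL / ERROR rules in this chapter.  Added example, not code from the
manual or from the router software; all server behaviour is constructed."""
from enum import Enum
from typing import Callable, Dict, List


class Result(Enum):
    PASS = "PASS"    # the server or database accepted the user
    FAIL = "FAIL"    # the server or database explicitly denied the user
    ERROR = "ERROR"  # no response from the server (unreachable, timeout)


Method = Callable[[str, str], Result]   # (username, password) -> Result


def authenticate(method_list: List[str], methods: Dict[str, Method],
                 username: str, password: str) -> Result:
    """Try the methods in order.  Only ERROR moves on to the next method;
    PASS or FAIL ends the process.  "none" passes unconditionally."""
    for name in method_list:
        if name == "none":
            return Result.PASS
        result = methods[name](username, password)
        if result is not Result.ERROR:
            return result
    # Every method errored and there is no "none" backup: access is denied.
    return Result.ERROR


# --- constructed sample back ends -----------------------------------------
LOCAL_DB = {"chen": "s3cret"}          # constructed local username database


def local(username: str, password: str) -> Result:
    # A local database always answers: it can return PASS or FAIL, never ERROR.
    return Result.PASS if LOCAL_DB.get(username) == password else Result.FAIL


def make_server(users: Dict[str, str], reachable: bool) -> Method:
    """Build a RADIUS/TACACS+ stand-in; an unreachable server yields ERROR."""
    def server(username: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(username) == password else Result.FAIL
    return server


def run_scenarios() -> Dict[str, Result]:
    """Outcomes for the fall-through cases described in this chapter."""
    methods = {
        "radius": make_server({"chen": "s3cret"}, reachable=False),  # R1 down
        "tacacs+": make_server({"chen": "other"}, reachable=True),   # wrong pw
        "local": local,
    }
    return {
        # radius errors, tacacs+ answers FAIL: local is never consulted
        "tacacs_fail_stops": authenticate(["radius", "tacacs+", "local"],
                                          methods, "chen", "s3cret"),
        # radius errors, local answers PASS
        "fallback_to_local": authenticate(["radius", "local"],
                                          methods, "chen", "s3cret"),
        # every server errors and "none" is the backup: unconditional PASS
        "none_as_backup": authenticate(["radius", "none"],
                                       methods, "anyone", "wrong"),
        # every server errors and there is no backup: access denied
        "all_error": authenticate(["radius"], methods, "chen", "s3cret"),
    }
```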

Suppose instead that the system administrator wants to apply a method list only to a specific interface or set of interfaces. In that case, the administrator creates a non-default method list and applies it to the applicable interface. The following example shows how the administrator defines an authentication method list that is applied only to asynchronous interfaces:

aaa authentication ppp default radius local

aaa authentication ppp async0 radius tacacs+ local none

interface async 0/0

ppp authentication chap async0

In this example, async0 is the name of the method list. The authentication protocols included in this method list are listed after the name, in the order in which they are tried. After the method list has been created, it is applied to the applicable interface. NOTE: the method list name in the aaa authentication command and in the ppp authentication command must match.

 

General process of AAA authentication configuration

To configure AAA authentication, complete the following steps:

1. If a security server is used, configure the parameters of the security protocol, such as RADIUS or TACACS+. For detailed configuration methods, refer to the corresponding chapters.

2. Define the authentication method list with the aaa authentication command.

3. If required, apply the method list to a specific interface or line.

 

Detailed description of AAA authentication method

Use AAA to configure login authentication

The AAA security service makes it easier to use various authentication methods. Whatever login method is used, the aaa authentication command enables AAA authentication. With the aaa authentication login command you create one or several authentication method lists that are used at login, and you apply these lists with the login authentication line configuration command. To configure, use the following commands, beginning in global configuration mode:

 

Step 1
Command: aaa authentication login {default | list-name} method1 [method2...]
Objective: Create a global authentication list

Step 2
Command: line [aux | console | tty | vty] line-number [ending-line-number]
Objective: Enter line configuration mode

Step 3
Command: login authentication {default | list-name}
Objective: Apply the authentication list to a line or set of lines

 

The list-name keyword is a character string that names the list you are creating. The method keyword designates the actual method used in the authentication process. Only when the previous method returns ERROR is the next authentication method used; if the previous method returns FAIL, no further method is tried. To specify that the user can still log in successfully even if all methods return ERROR, define none as the last authentication method on the command line. For example, to allow login to succeed even if the TACACS+ server returns ERROR, use the following command:

aaa authentication login default tacacs+ none

A default list can be created with the default parameter; the default list is applied automatically to all interfaces. For example, to designate RADIUS as the default method for user authentication at login, use the following command:

aaa authentication login default radius

NOTE: because the none keyword lets every user authenticate successfully, it should be used only as a backup authentication method.

The following table lists all the currently supported login authentication methods:

Keyword          Description
enable           Use the enable password to authenticate
group            Use a server group to authenticate
group-restrict   Use a server group to authenticate, but when the user designates a specific server, this server group becomes invalid
line             Use the line password to authenticate
local            Use the local username database to authenticate
local-case       Use the local username database to authenticate (username is case sensitive)
none             Pass authentication unconditionally
radius           Use RADIUS to authenticate
tacacs+          Use TACACS+ to authenticate

 

• Login authentication using the enable password

Use the enable keyword in the aaa authentication login command to designate the enable password as the login authentication method. For example, to specify the enable password as the user authentication method at login, use the following command:

aaa authentication login default enable

• Login authentication using the line password

Use the line method keyword in the aaa authentication login command to designate the line password as the login authentication method. For example, to specify the line password as the user authentication method at login, with no other methods defined, enter the following command:

aaa authentication login default line

Before the line password can be used as the login authentication method, you must define a line password.

• Login authentication using the local password

Use the local method keyword in the aaa authentication login command to designate the local username database as the login authentication method. For example, to specify the local username database as the user authentication method at login, with no other methods defined, enter the following command:

aaa authentication login default local

For detailed information about adding users to the local username database, refer to “Establish local authentication database”.

• Login authentication using RADIUS

Use the radius method keyword in the aaa authentication login command to designate RADIUS as the login authentication method. For example, to specify RADIUS as the user authentication method at login, with no other methods defined, enter the following command:

aaa authentication login default radius

Before RADIUS can be used as the login authentication method, you must configure the RADIUS service. For detailed information, refer to “Configure RADIUS”.

• Login authentication using TACACS+

Use the tacacs+ method keyword in the aaa authentication login command to designate TACACS+ as the login authentication method. For example, to specify TACACS+ as the user authentication method at login, with no other methods defined, enter the following command:

aaa authentication login default tacacs+

Before TACACS+ can be used as the login authentication method, you must configure the TACACS+ service. For detailed information, refer to “Configure TACACS+”.

 

Use AAA to perform PPP authentication

Many users access network access servers through dial-up over asynchronous or ISDN connections. The AAA security service makes it easier to authenticate large numbers of PPP sessions on serial interfaces. Whatever PPP authentication method you decide to use, the aaa authentication ppp command turns on AAA authentication. To configure, use the following commands in global configuration mode:

Step 1
Command: aaa authentication ppp {default | list-name} method1 [method2...]
Objective: Create a local authentication list

Step 2
Command: interface interface-type number
Objective: Enter interface configuration mode for the interface to which the authentication list will be applied

Step 3
Command: ppp authentication {chap | pap | chap pap | pap chap} {default | list-name}
Objective: Apply the authentication list to a line or set of lines

 

With the aaa authentication ppp command you create one or several authentication method lists. These lists are used when the user starts running PPP, and they are applied with the ppp authentication configuration command. To create a default list, use the default keyword followed by the methods to be used in the default case. For example, to designate the local username database as the default authentication method, enter the following command:

aaa authentication ppp default local

The list-name keyword is any character string that names the created list. The method keyword designates the actual method used for authentication. Only when the previous method returns ERROR is the next authentication method used; if the previous method returns FAIL, no further method is tried. To specify that the user can still be authenticated successfully even if all methods return ERROR, designate none as the last authentication method. In the following example, authentication succeeds even if the TACACS+ server returns ERROR:

aaa authentication ppp default tacacs+ none

NOTE: because the none keyword lets every user authenticate successfully, it should be used only as a backup authentication method.

The following table lists the authentication methods available for PPP:

Keyword          Description
group            Use a server group to authenticate
group-restrict   Use a server group to authenticate, but when the user designates a specific server, this server group becomes invalid
local            Use the local username database to authenticate
local-case       Use the local username database to authenticate (case sensitive)
none             Pass authentication unconditionally
radius           Use RADIUS to authenticate
tacacs+          Use TACACS+ to authenticate

• PPP authentication using the local password

In the aaa authentication ppp command, use the local keyword to designate the local username database for authentication. For example, to designate the local username database as the authentication method on lines running PPP, with no other methods needed, enter the following command:

aaa authentication ppp default local

For more information about adding users to the local username database, refer to “Establish local authentication database”.

• PPP authentication using RADIUS

In the aaa authentication ppp command, use the radius keyword to designate RADIUS as the authentication method for PPP. For example, to designate RADIUS as the user authentication method, with no other methods defined, enter the following command:

aaa authentication ppp default radius

Before RADIUS can be used as the PPP authentication method, you must configure the RADIUS service. For detailed information, refer to “Configure RADIUS”.

• PPP authentication using TACACS+

In the aaa authentication ppp command, use the tacacs+ keyword to designate TACACS+ as the authentication method for interfaces running PPP. For example, to designate TACACS+ as the user authentication method, with no other methods defined, enter the following command:

aaa authentication ppp default tacacs+

Before TACACS+ can be used as the PPP authentication method, you must configure the TACACS+ service. For detailed information, refer to “Configure TACACS+”.

Turn on password protection when entering into privilege level

Use the aaa authentication enable default command to create an authentication method list whose methods decide whether a user may execute commands at the privileged EXEC level. At most four authentication methods can be designated. Only when the previous method returns ERROR is the next authentication method used; if the previous method returns FAIL, no further method is tried. To specify that the user can still be authenticated successfully even if all methods return ERROR, designate none as the last authentication method. To configure, use the following command in global configuration mode:

 

Command: aaa authentication enable default method1 [method2...]
Objective: Enable password authentication when the user enters the privileged EXEC level

 

The method keyword designates the actual method used in the authentication process; the methods are tried in the order in which they are entered.

The following table lists the supported password protection authentication methods:

Keyword          Explanation
enable           Use the enable password to authenticate
group            Use a server group to authenticate
group-restrict   Use a server group to authenticate, but when the user designates a specific server, this server group becomes invalid
line             Use the line password to authenticate
none             Pass authentication unconditionally
radius           Use RADIUS to authenticate
tacacs+          Use TACACS+ to authenticate

When the enable authentication method is configured for remote authentication (that is, when the group, group-restrict, radius or tacacs+ keywords are configured), the username used for RADIUS authentication differs from the one used for TACACS+. Each is described below.

Enable authentication using RADIUS:

The username to be authenticated is $D-Linklevel$, where level is the privilege level the user wants to enter, that is, the number given after the enable command. For example, if a user wants to enter privilege level 7, he or she enters the command enable 7; if RADIUS is configured for authentication, the username handed to the RADIUS server is $D-Link7$. By default, enable enters privilege level 15, so when RADIUS is used for authentication the username handed to the RADIUS server is $D-Link15$. The corresponding username and password must be configured in advance on the RADIUS server. Note that in the RADIUS server user database, the Service-Type of the user used for privilege authentication is 6, that is, Admin-User.

Enable authentication using TACACS+:

The username used for enable authentication is the one used to log in to the router. For example, if a user logged in to the router with the username chen, the username used for enable authentication is also chen. If the user was not required to authenticate or to enter a username when logging in to the router, the username after a successful login is DEFAULT, which must be configured accordingly in the TACACS+ server user database.

Change the character string while prompted to input password

The aaa authentication password-prompt command changes the default text displayed when the user is prompted to enter a password. This command changes not only the prompt for the enable password but also the password prompt shown at remote login. The no form of this command restores the default password prompt, which is:

Password

The aaa authentication password-prompt command does not change any prompt text supplied by a remote TACACS+ or RADIUS server. To configure, use the following command in global configuration mode:

Command: aaa authentication password-prompt text-string
Objective: Change the default text displayed when prompting the user to enter the password

Establish local authentication database

You can create a local authentication system based on usernames, which is applicable in the following situations:

• To provide a username and encrypted-password authentication system similar to TACACS+ on networks that cannot support TACACS+.

• To provide a flexible login environment, for example access list checking, an autocommand at login, and so on.

To establish local username authentication, use the following command in global configuration mode:

Command: username name password { password | [encryption-type] encrypted-password }
Objective: Create a username and the corresponding password

 

Examples of AAA authentication configuration

Example of RADIUS authentication

This section provides a configuration example that uses RADIUS, illustrating how to configure the router to authenticate and authorize with RADIUS:

aaa authentication login radius-login radius local

aaa authentication ppp radius-ppp radius

aaa authorization network radius-network radius

line tty/vty

login authentication radius-login

interface serial 1/0

In this example, the meaning of each command line is:

1. The aaa authentication login radius-login radius local command configures the router to use RADIUS as the authentication method for users logging in. If RADIUS returns ERROR, the local database is used to authenticate the user.

2. The aaa authentication ppp radius-ppp radius command configures the router to use a PPP authentication method such as CHAP or PAP if the user has not already logged in; if the EXEC has already authenticated the user, authentication need not be performed again.

3. The aaa authorization network radius-network radius command requests authorization for NETWORK services from RADIUS, such as address assignment and other access control items.

4. The login authentication radius-login command enables the radius-login method list for line 3.

 

Examples of TACACS+ authentication

The following example shows how to configure TACACS+ as the security protocol used for PPP authentication:

aaa authentication ppp test tacacs+ local

interface serial1/0

ppp authentication chap pap test

tacacs server 1.2.3.4

tacacs key testkey

In this TACACS+ authentication configuration, the meaning of each command line is:

• The aaa authentication ppp test tacacs+ local command defines the test method list, which is applied to serial interfaces running PPP. The tacacs+ keyword means authentication is performed through TACACS+. If TACACS+ returns an error during authentication, the local keyword indicates that the local database on the network access server is tried next.

• The interface command selects the interface.

• The ppp authentication command applies the method list to this interface.

• The tacacs server command specifies the IP address of the TACACS+ server as 1.2.3.4.

• The tacacs key command defines the shared secret testkey.

 

The following example shows how to configure AAA authentication for PPP:

aaa authentication ppp default if-needed tacacs+ local

In this example, the default keyword indicates the default PPP authentication method list. The if-needed keyword means that if the user has already been authenticated at login, this authentication can be skipped. If authentication is still required, the tacacs+ keyword means the TACACS+ server is used; if TACACS+ returns an error during authentication, the local keyword means the local database on the router is used.

The following example shows how to create the same authentication process for PAP. The difference from the example above is that this example uses the test-list method list rather than the default method list:

aaa authentication ppp test-list if-needed tacacs+ local

interface serial1/0

ppp authentication pap test-list

In this example, because a non-default method list is not applied to any interface automatically, the administrator must use the interface command to select an interface and then the ppp authentication command to apply the method list to that interface.
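The rules this chapter states can be checked mechanically before a configuration is loaded: every list applied with login authentication or ppp authentication must be defined by an aaa authentication command with a matching name, none may only appear as the last (backup) method, and an enable list takes at most four methods. The checker below is an added example, not part of the manual or of the router software; the configuration text it runs over is constructed and mixes correct lines from this chapter with two deliberate mistakes.

```python
"""Consistency check for the AAA authentication rules in this chapter.
Added example; the sample configuration below is constructed."""
from typing import Dict, List, Tuple


def check_aaa_config(config: str) -> List[str]:
    """Return findings as 'line N: ...' strings; an empty list means clean."""
    lists: Dict[Tuple[str, str], List[str]] = {}   # (kind, name) -> methods
    refs: List[Tuple[str, str, int]] = []          # (kind, name, line no.)
    findings: List[str] = []
    for n, raw in enumerate(config.splitlines(), 1):
        t = raw.split()
        if (t[:2] == ["aaa", "authentication"] and len(t) >= 4
                and t[2] in ("login", "ppp", "enable")):
            kind, name = t[2], t[3]
            # "if-needed" (PPP only) is a modifier, not an authentication method
            methods = [m for m in t[4:] if m != "if-needed"]
            lists[(kind, name)] = methods
            if not methods:
                findings.append(f"line {n}: list '{name}' names no method")
            elif methods == ["none"]:
                findings.append(f"line {n}: list '{name}' has only 'none'")
            elif "none" in methods[:-1]:
                findings.append(f"line {n}: 'none' must be the last method")
            if kind == "enable" and len(methods) > 4:
                findings.append(f"line {n}: enable allows at most four methods")
        elif t[:2] == ["login", "authentication"] and len(t) == 3:
            refs.append(("login", t[2], n))
        elif (t[:2] == ["ppp", "authentication"] and len(t) >= 4
                and t[-1] not in ("chap", "pap")):
            refs.append(("ppp", t[-1], n))   # last token is the list name
    # A list that is applied but never defined leaves the line or interface
    # without the authentication the administrator intended.
    for kind, name, n in refs:
        if (kind, name) not in lists:
            findings.append(
                f"line {n}: {kind} list '{name}' applied but not defined")
    return findings


# Constructed configuration: lines 3 and 6 break the chapter's rules.
SAMPLE_CONFIG = """\
aaa authentication login default radius local
aaa authentication ppp async0 radius tacacs+ local none
aaa authentication ppp test none tacacs+
aaa authentication enable default enable none
line vty 0 4
 login authentication radius-login
interface async 0/0
 ppp authentication chap async0
interface serial1/0
 ppp authentication chap pap test
"""


def demo() -> List[str]:
    """Findings for SAMPLE_CONFIG."""
    return check_aaa_config(SAMPLE_CONFIG)
```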