|
0:00:13
|
In our next section we are going to start our discussions of the remote aaa configurations
|
|
0:00:18
|
thats is going to occur via tacacs and radius
|
|
0:00:22
|
through the cisco security acs server
|
|
0:00:25
|
now configuration wise in the wireless or in the
|
|
0:00:29
|
catalyst or the asa platforms
|
|
0:00:31
|
there is going to be 3 main steps that we need to go through
|
|
0:00:34
|
in order to get the aaa clients
|
|
0:00:36
|
which are the router switch or firewall
|
|
0:00:39
|
to talk to the aaa server
|
|
0:00:41
|
and the first of this is to define what are the server's credentials
|
|
0:00:45
|
so what is the ip address of the server what is the encryption key that we are using
|
|
0:00:50
|
and then when the
|
|
0:00:51
|
client is sourcing its packets to the server
|
|
0:00:54
|
is it going to send it from an alternate interface or is it going to send it
|
|
0:00:58
|
from the interface that is based on the routing table
|
|
0:01:02
|
now this third portion here this source interface this can be important
|
|
0:01:06
|
for any cases where we have multiple routes to the server
|
|
0:01:10
|
and if we take a look at our topology
|
|
0:01:13
|
and lets assume they were trying to configure router 1 as a aaa
|
|
0:01:16
|
client of the acs server
|
|
0:01:19
|
when router 1 is generating these packets whether they are radius or tacacs
|
|
0:01:24
|
its going to look at whatever its route in the routing table to the server is
|
|
0:01:28
|
which in this case the destination is 10.0.0.100
|
|
0:01:32
|
and when it finds its outgoing interface
|
|
0:01:35
|
just like in a telnet session or a ipsec tunnel or like a bgp pairing
|
|
0:01:42
|
the router is going to choose the address that is a sign to the outgoing interface
|
|
0:01:46
|
in order to originate the packet
|
|
0:01:48
|
so if router 1 was to send its tacacs packet this way
|
|
0:01:53
|
and it is going out interface serial 0/0/0.12
|
|
0:01:57
|
it means that whatever addresses is assigned on there
|
|
0:02:00
|
which in this is 200.0.12.1
|
|
0:02:05
|
and this is going to be the source address for the aaa packet
|
|
0:02:08
|
the reason that this is important
|
|
0:02:11
|
is that the aaa server generally is not going to accept traffic from anywhere
|
|
0:02:16
|
or from everywhere i should say
|
|
0:02:17
|
we have to mainly specify who the aaa clients are and what their source addresses are
|
|
0:02:23
|
so the acs server was configured to accept traffic from
|
|
0:02:27
|
or accept authentication request from
|
|
0:02:30
|
200.0.12.1
|
|
0:02:33
|
and for some reason router 1 was sourcing this from a different address
|
|
0:02:37
|
may be they have an alternate interface
|
|
0:02:39
|
to router 6 and we can route our traffic this way
|
|
0:02:42
|
we can run into designs where the aaa server is not going to accept
|
|
0:02:46
|
the packet from the client because its coming from the wrong source interface
|
|
0:02:51
|
so any case that we have multiple interfaces that we could possibly use
|
|
0:02:55
|
to routing it to the aaa server
|
|
0:02:57
|
typically this is where we would want to then define the source address
|
|
0:03:02
|
so just like in an crypto map or like in a bgp pairing
|
|
0:03:06
|
most of the time you would be using a loop back interface as the source
|
|
0:03:10
|
so then regard this is how the router or the switch is routing to get to the aaa server
|
|
0:03:14
|
or always going to be sourcing it from a one single address that is never going to change
|
|
0:03:21
|
now once we have the server credentials configured
|
|
0:03:24
|
then we are going to define what are the aaa lists
|
|
0:03:27
|
and this is going to actually define how we are doing our authentication
|
|
0:03:31
|
how we are doing our authorization
|
|
0:03:33
|
and how we are doing our accounting
|
|
0:03:37
|
now the definition and the final application of these lists
|
|
0:03:41
|
is going to be a very important point for the configuration of aaa
|
|
0:03:44
|
because its ultimately going to control when someone connects to the console
|
|
0:03:49
|
or the aux port or the vty lines
|
|
0:03:51
|
or they are doing may be dot1x authentication
|
|
0:03:54
|
its going to determine whether we are sending those requests
|
|
0:03:57
|
to a remote server
|
|
0:03:59
|
if we are sending them to a remote server what is the
|
|
0:04:02
|
protocol is it going to be tacacs or radius
|
|
0:04:05
|
and in the case that the server is unavailable
|
|
0:04:08
|
do we fall back some sort of default method
|
|
0:04:10
|
like the local database or to a secondary server
|
|
0:04:16
|
now in certain cases you can run into designs where if you misconfigure the lists or you misconfigure the application
|
|
0:04:23
|
then you can lock yourself out of the command line
|
|
0:04:26
|
or that the particular method you are trying to configure it
|
|
0:04:28
|
is not going to behave exactly the way that you had predicted it to
|
|
0:04:33
|
so we are going to spend a lot of time going through these different lists
|
|
0:04:36
|
definitions of the different list applications
|
|
0:04:38
|
and we will see how the syntax and the behaviour
|
|
0:04:41
|
of ios is going to change
|
|
0:04:43
|
from when we were doing our previous local
|
|
0:04:46
|
authentications and authorizations
|
|
0:04:48
|
versus once when we enable aaa
|
|
0:04:51
|
and how it is going to behave when we are sending them
|
|
0:04:53
|
to the sending the request to the remote servers
|
|
0:04:56
|
and then also we wanted to do any type of local
|
|
0:04:59
|
aaa as well
|
|
0:05:02
|
and also if we wanted to do any type to local aaa as well
|
|
0:05:07
|
so lets take a look at our diagram here
|
|
0:05:09
|
and what
|
|
0:05:10
|
i am going to be configuring
|
|
0:05:11
|
is aaa services on
|
|
0:05:14
|
3 different routers on router 1
|
|
0:05:15
|
router 2 and router 3
|
|
0:05:18
|
where router 1 we are going to use tacacs
|
|
0:05:21
|
as our
|
|
0:05:23
|
aaa protocol
|
|
0:05:25
|
on router 2 we are going to be using radius
|
|
0:05:28
|
and on router 3 we are going to be using both
|
|
0:05:31
|
we are going to run both radius and tacacs at the same time
|
|
0:05:36
|
now again the first step of this is going to be to define what are the server credentials
|
|
0:05:41
|
so if we go to the command line
|
|
0:05:42
|
on router 1
|
|
0:05:44
|
we need to start the aaa process so we will say aaa new model
|
|
0:05:50
|
then what is either the radius or the tacacs server's address
|
|
0:05:54
|
we would say the ip
|
|
0:05:56
|
tacacs
|
|
0:05:58
|
source interface this again would be
|
|
0:06:00
|
whats the address that i am generating the packets from
|
|
0:06:03
|
then we would specify what is
|
|
0:06:05
|
the tacacs server's
|
|
0:06:06
|
host address
|
|
0:06:08
|
which in this case is 10.0.0.100
|
|
0:06:11
|
and then what is the encryption key
|
|
0:06:14
|
that we are using for in the server
|
|
0:06:17
|
so this is going to be whatever we configure
|
|
0:06:19
|
on the server for this individual client
|
|
0:06:22
|
this case i will say the authentication key
|
|
0:06:25
|
is cisco the encryption key is
|
|
0:06:27
|
cisco
|
|
0:06:29
|
now from the aaa server's point of view
|
|
0:06:32
|
here again if we look at the topology
|
|
0:06:35
|
the acs server is located here on vlan 10
|
|
0:06:38
|
behind the asa
|
|
0:06:42
|
now what this means is that when our tacacs or radius requests come in
|
|
0:06:46
|
if the asa is not allowing these to go from the outside to the dmz interface
|
|
0:06:51
|
then either our tcp traffic
|
|
0:06:53
|
or our udp traffic
|
|
0:06:55
|
is going to be dropped
|
|
0:06:56
|
as it is going to the server
|
|
0:06:59
|
now if you don't remember what are the individual
|
|
0:07:02
|
protocols and the individual
|
|
0:07:03
|
port numbers
|
|
0:07:04
|
for tacacs versus radius
|
|
0:07:07
|
and then for radius authentication versus accounting
|
|
0:07:10
|
we can simply use the access list login
|
|
0:07:12
|
on the asas or on the routers
|
|
0:07:15
|
to figure out exactly what we need to put through the firewall
|
|
0:07:18
|
so on the asa
|
|
0:07:21
|
if you look at the show run access list
|
|
0:07:25
|
right now we don't have any access lists
|
|
0:07:27
|
to configure the any access lists supplied
|
|
0:07:29
|
so it means that any traffic
|
|
0:07:30
|
from the outside to the dmz
|
|
0:07:33
|
is automatically going to be dropped
|
|
0:07:36
|
so lets try to logging on here we will say logging
|
|
0:07:38
|
console 7 and logging
|
|
0:07:40
|
is logging is on
|
|
0:07:43
|
then if anything comes from the outside to in
|
|
0:07:46
|
the asa is going to generate a log message for this
|
|
0:07:49
|
like on router 1 if we were to ping
|
|
0:07:54
|
to ping 10.0.0.100
|
|
0:07:57
|
the asa should tell us that it came from the outside interface
|
|
0:08:00
|
trying to go to the dmz
|
|
0:08:02
|
but this was denied
|
|
0:08:04
|
because we are going from the lower security level interface to the higher security
|
|
0:08:11
|
so next on router 1
|
|
0:08:15
|
we are going to use the aaa
|
|
0:08:18
|
test command
|
|
0:08:19
|
or the aaa
|
|
0:08:22
|
the test aaa command i should say
|
|
0:08:24
|
test aaa and this is going to
|
|
0:08:27
|
show us just do we have basic
|
|
0:08:28
|
connectivity to the server
|
|
0:08:30
|
so can we talk to them
|
|
0:08:32
|
from tacacs or can we talk to them from radius
|
|
0:08:37
|
so we will say for tacacs
|
|
0:08:39
|
i will say my username is cisco
|
|
0:08:43
|
my username is cisco my password is cisco
|
|
0:08:45
|
does not really matter what i put in here
|
|
0:08:48
|
because we don't have anything configured yet on the aaa server
|
|
0:08:52
|
then the
|
|
0:08:56
|
we need to specify either legacy or the
|
|
0:08:59
|
the new code
|
|
0:09:00
|
for our purposes it doesn't really matter now
|
|
0:09:03
|
what we were just doing is trying to talk to the tacacs server
|
|
0:09:06
|
we are not getting response
|
|
0:09:08
|
but the key is that if we look at the asa
|
|
0:09:10
|
its going to tell us exactly what
|
|
0:09:12
|
protocol and what port was being denied
|
|
0:09:16
|
so it shows us here that when we were trying to use tacacs
|
|
0:09:19
|
the protocol is tcp
|
|
0:09:22
|
and we are using tcp port 49
|
|
0:09:25
|
if we were to try to do the same
|
|
0:09:27
|
thing with radius
|
|
0:09:29
|
lets go to router 2
|
|
0:09:31
|
and we will turn aaa on so aaa new model
|
|
0:09:34
|
the radius server host is 10.0.0.100
|
|
0:09:38
|
and the radius server key
|
|
0:09:41
|
the encryption key is cisco
|
|
0:09:44
|
if we then say test
|
|
0:09:47
|
test aaa
|
|
0:09:48
|
the group is going to be for radius
|
|
0:09:55
|
the servers 10.0.0.100
|
|
0:10:00
|
we will say username cisco
|
|
0:10:03
|
password cisco
|
|
0:10:06
|
we look at the asa we should now see
|
|
0:10:09
|
we get the radius request coming in
|
|
0:10:11
|
and this is udp
|
|
0:10:14
|
this is going to udp port
|
|
0:10:16
|
port 1645
|
|
0:10:20
|
now notice on router 2 it also gave us the option
|
|
0:10:23
|
for accounting
|
|
0:10:25
|
because with radius we use
|
|
0:10:26
|
2 separate ports
|
|
0:10:28
|
we use 1645
|
|
0:10:31
|
for the authentication
|
|
0:10:34
|
and we use 1646 for the accounting
|
|
0:10:39
|
so if i were to specify
|
|
0:10:41
|
to use accounting as well
|
|
0:10:42
|
for the testing
|
|
0:10:44
|
then its going to show the asa would drop
|
|
0:10:47
|
that particular port as well so 1645 and 1646
|
|
0:10:52
|
now with radius you do need to be careful with this
|
|
0:10:55
|
because remember there are 2 separate
|
|
0:10:57
|
pairs of ports
|
|
0:10:59
|
the 1646
|
|
0:11:00
|
and the 1645 and 1646
|
|
0:11:04
|
then some of the devices may be using
|
|
0:11:06
|
the previous
|
|
0:11:08
|
port values
|
|
0:11:09
|
which are 1812 and 1813
|
|
0:11:13
|
really depends on just what particular
|
|
0:11:14
|
the platform that you are dealing with
|
|
0:11:17
|
in reality it doesn't matter what
|
|
0:11:18
|
port number you are using
|
|
0:11:20
|
as long as the aaa server and the aaa
|
|
0:11:23
|
clients agree on it
|
|
0:11:25
|
so if the acs server is configured to list
|
|
0:11:27
|
listen for both 1645 and 1812
|
|
0:11:30
|
it really not going to have any functional difference for us
|
|
0:11:33
|
as long as the server
|
|
0:11:35
|
we have proper transit to the server
|
|
0:11:37
|
using that particular port number
|
|
0:11:41
|
so now what i am going to do on the asa is simply allow those 2 types of traffic
|
|
0:11:45
|
in on the outside interface
|
|
0:11:47
|
we will say access list outside in
|
|
0:11:50
|
i need to permit tcp that is
|
|
0:11:52
|
is equal to tacacs
|
|
0:11:55
|
which again is port 49
|
|
0:11:59
|
then we could say
|
|
0:12:00
|
udp any any equal to radius
|
|
0:12:05
|
and then also equal to radius
|
|
0:12:08
|
- accounting
|
|
0:12:10
|
so it has entries for both of these port values
|
|
0:12:16
|
now we could also see this on the routers if we were go to global config
|
|
0:12:20
|
and create an access list if i say access list 100
|
|
0:12:23
|
permit udp any any
|
|
0:12:25
|
equal to ?
|
|
0:12:27
|
its going to tell me
|
|
0:12:29
|
what are the
|
|
0:12:33
|
tacacs ports
|
|
0:12:35
|
in this case its udp but it actually
|
|
0:12:37
|
should be tcp for this
|
|
0:12:40
|
and it looks like this version doesn't have
|
|
0:12:47
|
an option for radius
|
|
0:12:49
|
so its going to depend on an individual
|
|
0:12:51
|
platform in the version whether theres the shortcut there
|
|
0:12:54
|
but again we can still use the login on the access list
|
|
0:12:57
|
to figure out which is
|
|
0:12:58
|
now which it is using
|
|
0:13:00
|
so if we were to run this test again from router 1
|
|
0:13:03
|
test the
|
|
0:13:05
|
the aaa group tacacs this is our login and password
|
|
0:13:08
|
we should see that it gets to the asa
|
|
0:13:11
|
and that its going to be permitted
|
|
0:13:14
|
once i actually apply the access list so
|
|
0:13:16
|
access group
|
|
0:13:20
|
access group
|
|
0:13:22
|
outside in in interface outside
|
|
0:13:31
|
so if we try this again notice there was a difference in these 2 outputs
|
|
0:13:34
|
the first one when the packet was getting denied
|
|
0:13:37
|
this was hanging
|
|
0:13:38
|
until the timer occurred
|
|
0:13:41
|
now that the packet is being allowed
|
|
0:13:43
|
port is being allowed
|
|
0:13:44
|
it immediately replies back
|
|
0:13:45
|
that i don't have a response
|
|
0:13:47
|
this is because the server
|
|
0:13:49
|
is basically refusing the connection
|
|
0:13:52
|
so its sending back a tcp resending i am not listening for the connection
|
|
0:13:56
|
form this particular host
|
|
0:13:58
|
if we were to look at the debug ip packet detail
|
|
0:14:02
|
we should see that router 1 generates the tcp packet
|
|
0:14:06
|
but then the server
|
|
0:14:07
|
is going to reply back with a reset
|
|
0:14:10
|
essentially saying that i am not listening
|
|
0:14:12
|
for that particular socket
|
|
0:14:15
|
so we have router 1
|
|
0:14:17
|
from
|
|
0:14:19
|
myself sending to 10.0.0.100
|
|
0:14:22
|
i am sending the packet to destination
|
|
0:14:24
|
port 49 this is tcp
|
|
0:14:26
|
i should then get a response back in from them
|
|
0:14:29
|
they are replying back with
|
|
0:14:31
|
an acknowledgement and the sin
|
|
0:14:34
|
so we are starting the handshake
|
|
0:14:36
|
but then eventually we will see that the
|
|
0:14:39
|
the server replies back with the FIN
|
|
0:14:41
|
which is closing the session
|
|
0:14:43
|
this is because the server is actually configured
|
|
0:14:46
|
to accept the request in from router 1
|
|
0:14:51
|
but atleast we know based on this that we are getting the ACK SYN
|
|
0:14:54
|
back in this is the second portion of the handshake
|
|
0:14:57
|
then we have the acknowledgement going back
|
|
0:14:59
|
back from 1 to the server
|
|
0:15:01
|
this tells us at a minimum we have basic transport
|
|
0:15:05
|
so i have routes to them they have routes to me
|
|
0:15:08
|
we don't have any filtering going on that
|
|
0:15:09
|
could potentially break the application
|
|
0:15:13
|
now from the radius server
|
|
0:15:16
|
we would have the same type of
|
|
0:15:18
|
type of output if we debug ip packet detail
|
|
0:15:22
|
on router 2
|
|
0:15:26
|
and then test the aaa group for radius
|
|
0:15:32
|
says we are sending it
|
|
0:15:33
|
from 1645 going to 1645
|
|
0:15:38
|
this gets to the asa
|
|
0:15:41
|
the asa says that we are building an all bound connection
|
|
0:15:46
|
from router 2
|
|
0:15:49
|
to the dmz or actually an inbound connection
|
|
0:15:52
|
so we can see now this is allowed from the access list
|
|
0:15:56
|
then router 2 is going to get the response from the server basically saying that they are not listening
|
|
0:16:02
|
so router is sending the packets to them
|
|
0:16:06
|
and actually we have no response back in here
|
|
0:16:10
|
so its the radius servers that cases does not respond
|
|
0:16:13
|
but we can atleast see now on the asa that we are not dropping the packets on transit
|
|
0:16:18
|
so always take this into account first
|
|
0:16:21
|
you don't want to be troubleshooting something on the acs server or
|
|
0:16:24
|
or troubleshooting something with the
|
|
0:16:25
|
aaa list or the aaa list application
|
|
0:16:28
|
if you don't even have basic transport to the server
|
|
0:16:32
|
now another basic way we can test this for tacacs
|
|
0:16:36
|
would be to telnet to the server's address
|
|
0:16:39
|
so telnet to 10.0.0.100
|
|
0:16:41
|
at port 49
|
|
0:16:43
|
and we should see the tcp handshake complete
|
|
0:16:47
|
so the session is open it means that i sent on the syn
|
|
0:16:50
|
they send you the syn ack and the i send the ack back
|
|
0:16:53
|
connection is complete here
|
|
0:16:55
|
if i saw that the connection was refused or the connection times out
|
|
0:16:58
|
that could be an indication that there is some sort of routing problem
|
|
0:17:02
|
there is some sort of filtering problem
|
|
0:17:03
|
or may be the server is not even running the process
|
|
0:17:07
|
like if the aaa service is stopped
|
|
0:17:10
|
under the window services
|
|
0:17:11
|
then it is not going to be listening for tcp
|
|
0:17:13
|
port 49 or for the udp packets
|
|
0:17:18
|
so next lets go to the acs server itself and look at the basic configuration
|
|
0:17:23
|
of how we actually enable
|
|
0:17:26
|
the aaa process
|
|
0:17:34
|
so on the server we are going to go to the acs administration
|
|
0:17:39
|
so we are assuming that the server
|
|
0:17:40
|
software is already installed here
|
|
0:17:43
|
now a lot of this
|
|
0:17:44
|
you don't necessarily need to read through the
|
|
0:17:46
|
installation guide and the all the documentation for the acs server
|
|
0:17:50
|
if you simply spend some time going through these different screens
|
|
0:17:54
|
most of it is self explanatory exactly what you need to do
|
|
0:17:57
|
in order to get the basic
|
|
0:17:59
|
functionality working
|
|
0:18:01
|
now what can be kind of confusing
|
|
0:18:04
|
is that depending on if the acs server
|
|
0:18:07
|
already has tacacs or radius clients configured
|
|
0:18:11
|
or it does not
|
|
0:18:13
|
under the interface
|
|
0:18:14
|
configuration here
|
|
0:18:16
|
we may see specific options for radius
|
|
0:18:19
|
or for tacacs or not
|
|
0:18:22
|
which in this case is an indication that i don't have any
|
|
0:18:24
|
clients
|
|
0:18:26
|
configured that are actually using those protocols
|
|
0:18:30
|
so you can see here up the help on the right
|
|
0:18:32
|
if you need the documentation its actually built in already that you can use this as a reference
|
|
0:18:37
|
but normally under the interface here
|
|
0:18:39
|
this is where i would say what are the tacacs settings
|
|
0:18:42
|
what are the ietf radius settings what are the cisco ios
|
|
0:18:46
|
radius settings
|
|
0:18:48
|
but right now none of those appear
|
|
0:18:51
|
and this what you would see what the default installation
|
|
0:18:53
|
so i haven't changed anything other than just
|
|
0:18:55
|
i have done the basic install i don't have any users or anything setup yet
|
|
0:19:00
|
so the next thing that we need to do
|
|
0:19:03
|
is under the network configuration
|
|
0:19:05
|
is to define
|
|
0:19:06
|
who are the aaa clients
|
|
0:19:09
|
so it already knows that itself is a aaa server
|
|
0:19:12
|
we need to figure out
|
|
0:19:14
|
who are the clients that are going to be talking to the server
|
|
0:19:17
|
so here i am going to add an entry
|
|
0:19:19
|
this host name here is going to be arbitrary lets say that this is router 1
|
|
0:19:24
|
router 1 -tacacs
|
|
0:19:28
|
or the client's address is 200.0.12.1
|
|
0:19:33
|
the shared secret thats the encryption key
|
|
0:19:36
|
i specify that it is cisco on router 1 so i need to do the same thing
|
|
0:19:39
|
on the server
|
|
0:19:42
|
i then choose
|
|
0:19:43
|
what is the protocol
|
|
0:19:45
|
that this particular client is going to be using
|
|
0:19:49
|
now i can choose either
|
|
0:19:51
|
radius or tacacs but not both
|
|
0:19:55
|
so we will see in the case where we want to run both
|
|
0:19:57
|
protocols on one of the devices like on router 3
|
|
0:20:00
|
i am going to have to have 2 separate
|
|
0:20:02
|
client entries
|
|
0:20:04
|
one that is for the tacacs configuration
|
|
0:20:06
|
and then one that is for the radius configuration
|
|
0:20:10
|
for the radius configuration
|
|
0:20:12
|
we would also want to specify what
|
|
0:20:14
|
type of device is it
|
|
0:20:16
|
so is it the normal standardised iptf radius
|
|
0:20:20
|
or is it an ios router or is it an asa
|
|
0:20:24
|
because this is going to give us access
|
|
0:20:26
|
to specific attribute value or
|
|
0:20:29
|
av pairs
|
|
0:20:31
|
that are specific to that individual platform
|
|
0:20:35
|
now we will see for example the iptf radius
|
|
0:20:38
|
this would give us options to things or access to options such as
|
|
0:20:41
|
802.1x authentication
|
|
0:20:44
|
because this is an iptf standard
|
|
0:20:47
|
whereas in the case of
|
|
0:20:48
|
the cisco ios version for radius
|
|
0:20:51
|
we may have the
|
|
0:20:52
|
the cisco specific av pair
|
|
0:20:55
|
where we can do things like authentication proxy
|
|
0:20:58
|
or in the case of the asa we can do the cut through proxy
|
|
0:21:02
|
thats going to be options that are specific to that individual platform
|
|
0:21:07
|
now for tacacs this is much more straight forward
|
|
0:21:09
|
because tacacs is always for ios
|
|
0:21:12
|
whether its the asa or the
|
|
0:21:15
|
the catalyst ios or the regular ios
|
|
0:21:17
|
tacacs is cisco proprietary
|
|
0:21:19
|
so there is only one type of platform that is going to support
|
|
0:21:21
|
have to be something that is cisco
|
|
0:21:25
|
so here we are going to choose
|
|
0:21:26
|
tacacs
|
|
0:21:28
|
and then submit and apply
|
|
0:21:32
|
now on any of these screens that you see
|
|
0:21:34
|
that gives you the option to submit
|
|
0:21:37
|
and to submit and apply
|
|
0:21:39
|
you always do want to do the one that is
|
|
0:21:42
|
submitting it plus applying
|
|
0:21:44
|
because you can make multiple changes
|
|
0:21:46
|
before you actually apply them to the server
|
|
0:21:48
|
and you will see that there is some cases where actually
|
|
0:21:50
|
requires to stop and start the service
|
|
0:21:53
|
we can either do that under
|
|
0:21:55
|
the administration control
|
|
0:21:58
|
or lets see here the
|
|
0:22:07
|
excuse me the system configuration
|
|
0:22:09
|
so under system configuration we have the service control
|
|
0:22:13
|
this is where we could start
|
|
0:22:15
|
and stop the individual services
|
|
0:22:19
|
now if you look at the services if you go to
|
|
0:22:22
|
the windows command line
|
|
0:22:24
|
and you run the services
|
|
0:22:27
|
.msc
|
|
0:22:29
|
this would be the same as going to like the administrator
|
|
0:22:31
|
207 going to the services
|
|
0:22:33
|
you should ideally see here
|
|
0:22:36
|
that the cisco secure
|
|
0:22:39
|
authentication
|
|
0:22:41
|
the cisco secure administration
|
|
0:22:44
|
cisco secure radius cisco secure tacacs
|
|
0:22:46
|
you want to make sure that all of these are started
|
|
0:22:50
|
there can be cases where may be one of the services crashes
|
|
0:22:54
|
and if tacacs is stopped
|
|
0:22:56
|
then obviously you are not going to be able to use that protocol
|
|
0:22:59
|
so normally these should be started
|
|
0:23:02
|
you can control them here under the windows services or you can control them
|
|
0:23:05
|
from the server administration itself
|
|
0:23:08
|
again under system config and then under the service control
|
|
0:23:12
|
but the best majority of the time you don't necessarily need to do that
|
|
0:23:16
|
should up automatically
|
|
0:23:20
|
so again now under the network configuration i have the client setup
|
|
0:23:23
|
for router 1
|
|
0:23:25
|
next thing i am going to do is go under the interface configuration
|
|
0:23:29
|
and notice now that i have the option for tacacs
|
|
0:23:34
|
where previously since i did not have any aaa
|
|
0:23:36
|
clients configured
|
|
0:23:38
|
the only thing it said here was the advanced options
|
|
0:23:41
|
the user data configuration
|
|
0:23:43
|
didn't show this individual interface
|
|
0:23:48
|
now if i were to go back to network configuration
|
|
0:23:51
|
add a new entry for router 2
|
|
0:23:54
|
i will say this r2 -radius
|
|
0:23:58
|
the address of router 2 is
|
|
0:24:00
|
200.0.122.2
|
|
0:24:07
|
the key that i configured on router 2 was cisco this is case sensitive
|
|
0:24:11
|
and i am going to specify that there are various client
|
|
0:24:15
|
but specifically for cisco ios
|
|
0:24:20
|
then submit and apply
|
|
0:24:24
|
we now go back to the interface configuration
|
|
0:24:27
|
now notice that there is multiple options for radius
|
|
0:24:31
|
because in the case that you are running a router thats a ports radius
|
|
0:24:35
|
the routers also
|
|
0:24:36
|
going to support the iptf radius attributes
|
|
0:24:39
|
it may also
|
|
0:24:41
|
it may also support some micro soft specific ones
|
|
0:24:44
|
that would be for
|
|
0:24:46
|
things like ms chap
|
|
0:24:48
|
authentication
|
|
0:24:49
|
which is the Microsoft
|
|
0:24:51
|
proprietary version of the challenge handshake authentication protocol for PPP
|
|
0:24:56
|
or different types of vendors like i send here
|
|
0:24:59
|
but the key is that you don't see these interface configurations
|
|
0:25:02
|
until you actually have the clients created
|
|
0:25:05
|
that are using those protocols
|
|
0:25:09
|
now if we look at the details under these if we were to go to tacacs here
|
|
0:25:14
|
it gives you the options of what particular services do you want to turn on
|
|
0:25:18
|
and lets assume that we are just going to run all of these
|
|
0:25:23
|
and we will give advanced tacacs feature
|
|
0:25:26
|
we will give the time of the day
|
|
0:25:29
|
display a window for each service
|
|
0:25:31
|
select it in which you can inter-customize tech attributes so lets
|
|
0:25:34
|
do that then
|
|
0:25:36
|
display enable default
|
|
0:25:38
|
undefined service configuration we will check that as well
|
|
0:25:41
|
so basically what i am doing here
|
|
0:25:43
|
is turning everything on for tacacs
|
|
0:25:46
|
so then when i go under
|
|
0:25:47
|
a particular user
|
|
0:25:49
|
or i go under a particular group
|
|
0:25:52
|
its going to show me those options that i can customize
|
|
0:25:56
|
otherwise previously it wasn't going to give me the options to do
|
|
0:25:59
|
ipx
|
|
0:26:00
|
authentication with ppp
|
|
0:26:02
|
now whether i really need to do that in this case i don't
|
|
0:26:05
|
but the key is that
|
|
0:26:07
|
not all of these services are automatically enabled
|
|
0:26:11
|
now if we go back to the
|
|
0:26:13
|
the interface configuration then go under the advanced options
|
|
0:26:18
|
this one is important here where it says
|
|
0:26:20
|
per user
|
|
0:26:22
|
tacacs and radius attributes
|
|
0:26:25
|
now by default
|
|
0:26:27
|
the idea behind the server is that you are not going to have
|
|
0:26:30
|
an individual user who has tonnes of customization
|
|
0:26:34
|
generally you have a group
|
|
0:26:36
|
that has the customizations
|
|
0:26:38
|
and then the different users are going to be assigned to the groups
|
|
0:26:41
|
where for example i have a group that is administrative
|
|
0:26:45
|
and the group authentication
|
|
0:26:48
|
is going to or excuse me the group authorization is going to say
|
|
0:26:51
|
my administrators can get into the show the exact process
|
|
0:26:55
|
and they get privilege level 50
|
|
0:26:58
|
and they have a command authorization set thats going to allow them to do everything
|
|
0:27:02
|
then if i wanted to add or remove an administrator
|
|
0:27:05
|
the only thing that i would need to do is go to the user setup
|
|
0:27:08
|
either add them to the group or remove them from the group
|
|
0:27:12
|
but if i were to do this on a
|
|
0:27:14
|
per user basis
|
|
0:27:15
|
i need to make sure that this one is checked
|
|
0:27:17
|
that i wanted to allow the per user attributes
|
|
0:27:21
|
so essentially i am going to allow all of these
|
|
0:27:24
|
so the per user and the per
|
|
0:27:27
|
group levels
|
|
0:27:29
|
so if i check all of these its basically going to give me the maximum
|
|
0:27:32
|
possible customization
|
|
0:27:33
|
for those individual users and groups
|
|
0:27:37
|
if we now go back to tacacs
|
|
0:27:40
|
notice now that it is now separated
|
|
0:27:42
|
where i have options for the
|
|
0:27:43
|
per user and the
|
|
0:27:45
|
per group settings of all of these
|
|
0:27:49
|
now i don't necessarily mean all of these the ones that i am going to add are the show
|
|
0:27:52
|
and the pix show
|
|
0:27:57
|
for tacacs
|
|
0:28:00
|
then under radius if we were to go under cisco ios
|
|
0:28:03
|
i want to make sure that all the users have access to the cisco
|
|
0:28:06
|
av pair
|
|
0:28:10
|
then you could see some of these
|
|
0:28:12
|
other ones you may not know
|
|
0:28:13
|
exactly what they are
|
|
0:28:15
|
but just based on the scripts the description its kind of
|
|
0:28:18
|
self explanatory what the general goal of this is
|
|
0:28:21
|
like the
|
|
0:28:23
|
the cisco h323
|
|
0:28:26
|
billing or the
|
|
0:28:28
|
credit time or the credit amount
|
|
0:28:30
|
this would be for types of
|
|
0:28:33
|
billing accounting basically for that individual protocol
|
|
0:28:37
|
if we were to go under the ietf radius
|
|
0:28:41
|
we would see things like the
|
|
0:28:46
|
and some of these these ones here actually are not very self explanatory
|
|
0:28:49
|
but things like the tunnel medium type
|
|
0:28:53
|
the tunnel private group id
|
|
0:28:59
|
these ones are for
|
|
0:29:01
|
802.1x authentication
|
|
0:29:05
|
where these are going to used if we wanted to assign a vlan
|
|
0:29:08
|
to a particular user once their authentication occurs
|
|
0:29:13
|
now we will also see that once we configure the asa
|
|
0:29:17
|
that for the asa attributes
|
|
0:29:19
|
we are going to have tonnes of other radius options
|
|
0:29:22
|
that are related to vpn
|
|
0:29:24
|
tunnel groups and vpn group
|
|
0:29:26
|
policy options
|
|
0:29:28
|
and then we would see these here under the
|
|
0:29:32
|
the radius category but then its going to say
|
|
0:29:34
|
it for the asa
|
|
0:29:35
|
not for ios or not under the ietf
|
|
0:29:41
|
so once you have your basic
|
|
0:29:43
|
network configuration done which is excuse me yes network configuration under the
|
|
0:29:52
|
the aaa clients
|
|
0:29:54
|
so once the clients are defined
|
|
0:29:56
|
then you go to the interface
|
|
0:29:57
|
and set whatever options you want
|
|
0:29:59
|
for tacacs or radius
|
|
0:30:02
|
is it going to be the per group attributes or is it going to be
|
|
0:30:04
|
for the individual users
|
|
0:30:07
|
so next i am going to add a user
|
|
0:30:09
|
so under user setup
|
|
0:30:11
|
now click add
|
|
0:30:13
|
and we need to type in the name here so let's say that this is the user cisco
|
|
0:30:19
|
actually let's make something unique that we don't already have under the local database, let's say
|
|
0:30:28
|
we will say tacacs user
|
|
0:30:31
|
or more then I'll say a aaa user
|
|
0:30:35
|
so aaa user
|
|
0:30:36
|
their password
|
|
0:30:38
|
this is the first thing i am going to define, their password is cisco
|
|
0:30:44
|
if you click on find now
|
|
0:30:47
|
it's then gonna list all the users that are in the database so right now i have the aaa user
|
|
0:30:52
|
if we scroll down we can see what are the individual customizations that we can do for
|
|
0:30:57
|
the user
|
|
0:30:59
|
we could have separate passwords for
|
|
0:31:01
|
the pap authentication
|
|
0:31:05
|
versus chap authentication
|
|
0:31:07
|
says right now the user is not
|
|
0:31:09
|
assigned to any group
|
|
0:31:15
|
the client doesn't have an ip address assignment
|
|
0:31:18
|
this would be let's say like for our vpn
|
|
0:31:21
|
configurations
|
|
0:31:22
|
that when the user comes in with any connect
|
|
0:31:25
|
or it comes in with easy vpn client
|
|
0:31:28
|
if we have afford this to the RADIUS server
|
|
0:31:30
|
we could then say that this particular user gets this address
|
|
0:31:34
|
10.1.2.3
|
|
0:31:36
|
or whatever we want to define
|
|
0:31:38
|
okay we leave this as the default
|
|
0:31:41
|
then under advanced settings
|
|
0:31:48
|
we could say when the user is allowed to log in
|
|
0:31:55
|
says you could limit the number of hours that you are able to log in
|
|
0:32:01
|
I could disable the account
|
|
0:32:03
|
says if I fail more than five authentication
|
|
0:32:05
|
attempts that I can disable the account
|
|
0:32:10
|
we can do downloadable access lists
|
|
0:32:12
|
so when the user
|
|
0:32:15
|
connects to the VPN client
|
|
0:32:17
|
we could assign them an individual access list
|
|
0:32:20
|
based on their authentication
|
|
0:32:23
|
but for TACACS
|
|
0:32:25
|
most of what we want is going to be here
|
|
0:32:27
|
under the advanced TACACS settings
|
|
0:32:29
|
where remember as I mentioned before
|
|
0:32:31
|
what are the main functional differences
|
|
0:32:34
|
between TACACS and RADIUS
|
|
0:32:37
|
is that TACACS is generally used for the administration of the network
|
|
0:32:41
|
So to track who is logging into your routers and switches, firewalls
|
|
0:32:45
|
what are the commands that they are allowed to issue
|
|
0:32:48
|
and then to do accounting to figure out
|
|
0:32:50
|
are they logging in and logging out
|
|
0:32:52
|
and then what are they actually doing once they are logged in
|
|
0:32:54
|
So what are the commands that they are issuing
|
|
0:32:58
|
So a lot of the TACACS attributes here
|
|
0:33:00
|
we will see are specific to the exec process
|
|
0:33:04
|
like in the case of an enable privilege level
|
|
0:33:08
|
I could say that at a maximum
|
|
0:33:10
|
they can go to level 14
|
|
0:33:12
|
but they are not going to get the level 15
|
|
0:33:14
|
which is going to be
|
|
0:33:15
|
full enable mode access
|
|
0:33:18
|
or I could say that on a
|
|
0:33:19
|
per device basis
|
|
0:33:22
|
so I could specify, maybe I have a device
|
|
0:33:24
|
group for switches
|
|
0:33:26
|
where some group of users
|
|
0:33:28
|
or specific users are authorized only
|
|
0:33:30
|
up to a certain privilege level but never above that
|
|
0:33:34
|
that's how we can control here under the
|
|
0:33:36
|
the enable settings
|
|
0:33:38
|
Now we could also
|
|
0:33:40
|
configure this just
|
|
0:33:42
|
overall for the user
|
|
0:33:44
|
this is what the shell process is
|
|
0:33:47
|
and then what the privilege level is
|
|
0:33:51
|
Now the difference between these two
|
|
0:33:55
|
is that the shell process
|
|
0:33:57
|
if this service is off
|
|
0:34:00
|
it means that they are not authorized
|
|
0:34:02
|
to start the exec process at all
|
|
0:34:05
|
means that they are not able to log in to the router's
|
|
0:34:07
|
command line
|
|
0:34:08
|
or the switch's command line or the ASA's command line
|
|
0:34:12
|
So if you are doing exec
|
|
0:34:14
|
authorization
|
|
0:34:17
|
it means that you always have to check this box
|
|
0:34:22
|
if we wanted to do the exec
|
|
0:34:23
|
authorization to a specific privilege level
|
|
0:34:26
|
we would check the shell box
|
|
0:34:28
|
but then also the privilege
|
|
0:34:30
|
and then specify the number
|
|
0:34:32
|
like if I were to say privilege level 15
|
|
0:34:36
|
for custom attributes if I were doing lets say the Role Based Access Control
|
|
0:34:41
|
I could specify what the particular view is
|
|
0:34:44
|
this is going to be for anything
|
|
0:34:46
|
it's not officially supported in this version of ACS
|
|
0:34:49
|
but its still a custom attribute that
|
|
0:34:51
|
TACACS could request and then
|
|
0:34:53
|
TACACS could receive back
|
|
0:34:58
|
next we have the command authorization set
|
|
0:35:02
|
this is going to control what can the user actually do once they are logged in
|
|
0:35:06
|
right now it says
|
|
0:35:08
|
check this as a group
|
|
0:35:10
|
which right now is part of the default group
|
|
0:35:12
|
and the default group does not have
|
|
0:35:14
|
command authorization set enabled
|
|
0:35:17
|
So if we were to enable
|
|
0:35:19
|
command authorization
|
|
0:35:21
|
which again is different than the exec authorization
|
|
0:35:24
|
for command authorization
|
|
0:35:26
|
right now when the users login they wouldn't
|
|
0:35:28
|
be able to do anything
|
|
0:35:32
|
so let's start with just doing basic authentication
|
|
0:35:36
|
then we will come back and do the
|
|
0:35:38
|
the authorization
|
|
0:35:39
|
for the exec process and the authorization for the commands
|
|
0:35:44
|
so let's cancel it here, the only thing that I really need now
|
|
0:35:47
|
is just the user name and the password
|
|
0:35:50
|
which I have defined, it's the AAA user
|
|
0:35:53
|
and then the password is cisco
|
|
0:35:57
|
So now let's go back to the command line of router1
|
|
0:35:59
|
and look at its current
|
|
0:36:00
|
configuration for AAA
|
|
0:36:02
|
if we look at the show run include AAA
|
|
0:36:05
|
the only thing we basically have configured now
|
|
0:36:07
|
is that AAA is on
|
|
0:36:10
|
and if we say show run include AAA
|
|
0:36:12
|
or RADIUS or TACACS
|
|
0:36:15
|
we have AAA on, we have the TACACS server defined
|
|
0:36:19
|
we do not have any AAA list
|
|
0:36:21
|
defined and we do not have any other list applied
|
|
0:36:25
|
the list is sometimes also called the AAA methods
|
|
0:36:28
|
this is where in global config we would say
|
|
0:36:31
|
AAA authentication
|
|
0:36:33
|
AAA authorization
|
|
0:36:35
|
AAA accounting
|
|
0:36:37
|
and then specify exactly how we are going to do this
|
|
0:36:40
|
Now as it stands now
|
|
0:36:42
|
with AAA on
|
|
0:36:45
|
but nothing actually defined
|
|
0:36:47
|
if we were to go
|
|
0:36:50
|
back to the ACS server
|
|
0:36:52
|
and from here let's open a telnet session to router1
|
|
0:36:55
|
which is
|
|
0:36:57
|
200.0.0.1
|
|
0:37:01
|
it does ask us for login credentials
|
|
0:37:04
|
in this we can see it's checking the local database
|
|
0:37:08
|
for the exec authentication
|
|
0:37:12
|
then for the auth
|
|
0:37:13
|
authorization if we show privilege
|
|
0:37:15
|
we see we are privilege level 1
|
|
0:37:18
|
if we were to then try to authorize
|
|
0:37:20
|
further with the enable command
|
|
0:37:23
|
this is all happening via the local database
|
|
0:37:27
|
So I have AAA configured, but I haven't
|
|
0:37:29
|
specified any of the methods
|
|
0:37:31
|
means that it's still going to be checking the local database
|
|
0:37:33
|
because it assumes that's where your usernames are
|
|
0:37:36
|
and that's what your passwords and privileges are
|
|
0:37:40
|
Now if I were to configure AAA
|
|
0:37:42
|
but didn't actually have a username configured
|
|
0:37:45
|
then I could potentially lock myself out of the command line
|
|
0:37:49
|
So in general you normally want to have a last resort
|
|
0:37:54
|
local username and password or local credentials
|
|
0:37:57
|
that you can use if there is something wrong with
|
|
0:38:02
|
if TACACS server crashes
|
|
0:38:05
|
or is unavailable, you want to make sure that your network devices are available
|
|
0:38:09
|
So this is going to be our last resort user
|
|
0:38:12
|
that we have cisco and password cisco
|
|
0:38:17
|
So next on router1
|
|
0:38:19
|
I am going to specify that we want to do our basic
|
|
0:38:21
|
authentication with the TACACS server
|
|
0:38:24
|
this would then be defined with AAA authentication
|
|
0:38:29
|
this is going to be for login authentication
|
|
0:38:34
|
Now there are two different ways that we can define this
|
|
0:38:37
|
we have the default authentication list
|
|
0:38:39
|
and we have the named authentication list
|
|
0:38:43
|
where the default authentication list
|
|
0:38:45
|
as you can probably guess is by default applied to everything
|
|
0:38:49
|
where the named authentication list
|
|
0:38:51
|
this is where we would go under the vty lines or the aux
|
|
0:38:54
|
port or the console
|
|
0:38:55
|
and say I want one particular list
|
|
0:38:57
|
applied here
|
|
0:38:58
|
and then a different particular list applied somewhere else
|
|
0:39:02
|
usually what you would want to do with this syntax for
|
|
0:39:06
|
best practice and make sure you don't lock yourself out
|
|
0:39:10
|
is that you would have some sort of default method
|
|
0:39:14
|
that either checks the local database
|
|
0:39:17
|
that checks the password assigned to the line
|
|
0:39:19
|
that does no authentication
|
|
0:39:22
|
we could do case sensitive authentication to the local database
|
|
0:39:25
|
but the key is that the default one
|
|
0:39:28
|
normally we wouldn't send this RADIUS or TACACS
|
|
0:39:31
|
because we want to make sure we know exactly what
|
|
0:39:34
|
features are sent to the remote server
|
|
0:39:36
|
as opposed to local
|
|
0:39:38
|
So we will say here that for default
|
|
0:39:41
|
login authentication
|
|
0:39:43
|
we are going to check the local database
|
|
0:39:46
|
but then I want a separate named list
|
|
0:39:49
|
I will say that this is TACACS
|
|
0:39:54
|
auth for authentication
|
|
0:39:56
|
this is going to go to the group
|
|
0:39:59
|
and the server group is the TACACS group
|
|
0:40:03
|
Now if I were to hit return here
|
|
0:40:06
|
this means that when someone comes in on
|
|
0:40:09
|
some sort of login whether this is for the line
|
|
0:40:12
|
whether this is for the easy VPN login
|
|
0:40:15
|
says we are going to check the TACACS server
|
|
0:40:18
|
However if the TACACS server is down
|
|
0:40:22
|
I do not have a last resort method
|
|
0:40:25
|
which is what we would specify after this
|
|
0:40:29
|
So you can specify multiple methods at the same time
|
|
0:40:32
|
and they are going to be checked sequentially
|
|
0:40:35
|
So if I were to say TACACS
|
|
0:40:37
|
and then local
|
|
0:40:40
|
it means that I am going to check the TACACS server first locally
|
|
0:40:43
|
but if for some reason it is unavailable
|
|
0:40:46
|
then I will check the local database
|
|
0:40:49
|
Now what this does not mean
|
|
0:40:52
|
is that if authentication via TACACS fails
|
|
0:40:55
|
we will then not
|
|
0:40:57
|
check the local database
|
|
0:41:00
|
So we are only falling back to local if we cannot reach TACACS
|
|
0:41:04
|
but if we talk to TACACS and they say authentication failed
|
|
0:41:07
|
then authentication has failed, I am not going to then check the local database
|
|
0:41:11
|
but again here its always a good idea to have a last resort method
|
|
0:41:14
|
that points to local or
|
|
0:41:17
|
you could point to none but you probably don't want to do that
|
|
0:41:20
|
that then means that anyone can log in to your devices
|
|
0:41:24
|
So now let's go to the application of this
|
|
0:41:27
|
under the line
|
|
0:41:28
|
this case I will say vty which is going to be for telnet
|
|
0:41:32
|
I will say that for whatever
|
|
0:41:33
|
telnet lines, in this case the platform has 988
|
|
0:41:37
|
I want my login authentication
|
|
0:41:41
|
to go to the group that is called
|
|
0:41:42
|
TACACS_AUTH
|
|
0:41:46
|
where without AAA
|
|
0:41:49
|
you would normally say login local
|
|
0:41:52
|
or no login
|
|
0:41:55
|
but as soon as the AAA new model command is issued
|
|
0:41:58
|
you don't have these options anymore, we always have to manually define the methods
|
|
0:42:03
|
otherwise we are going to fall back to the default
|
|
0:42:05
|
authentication list
|
|
0:42:09
|
So on router1, we are going to look at two different debugs
|
|
0:42:13
|
the debug AAA authentication
|
|
0:42:17
|
and the debug TACACS authentication
|
|
0:42:22
|
ideally what we would now see
|
|
0:42:24
|
is that if we telnet into router1
|
|
0:42:29
|
and we will use the same username as before cisco and cisco
|
|
0:42:34
|
in this case the credentials should fail
|
|
0:42:37
|
because router1 is now picking that method
|
|
0:42:41
|
which is TACACS_AUTH
|
|
0:42:45
|
says I found the server, the server is 10.0.0.100
|
|
0:42:49
|
I am going to send the request back to them
|
|
0:42:52
|
and I should get a response from them that says
|
|
0:42:55
|
they have failed authentication
|
|
0:42:59
|
Now if we start at the top of this debug here
|
|
0:43:02
|
it says that first were
|
|
0:43:04
|
we are picking the methods so the method list is correct
|
|
0:43:07
|
we found the server
|
|
0:43:11
|
here we found the server
|
|
0:43:13
|
if there were some communication problem with the server
|
|
0:43:15
|
we would see here before we get the user
|
|
0:43:19
|
that it says, the connection failed
|
|
0:43:22
|
So maybe TACACS is getting filtered out, or there is something wrong with the routing
|
|
0:43:26
|
there is something wrong with the server
|
|
0:43:28
|
if we get to the portion where it says that
|
|
0:43:30
|
the TACACS server is asking for the username
|
|
0:43:34
|
then I know that the basic transport is correct
|
|
0:43:39
|
So for example if we were to go back to the ASA
|
|
0:43:42
|
and if we show run access group
|
|
0:43:45
|
let's remove this access group from being applied
|
|
0:43:49
|
which is what is allowing the TACACS to come in
|
|
0:43:54
|
So now TACACS is being denied
|
|
0:43:56
|
in on the outside interface
|
|
0:43:59
|
and if we do that same telnet
|
|
0:44:03
|
notice now that we don't even get a login prompt
|
|
0:44:09
|
router1 said
|
|
0:44:12
|
that we are
|
|
0:44:15
|
trying to go to
|
|
0:44:18
|
TACACS, actually let me clear this screen, so it makes it a little bit
|
|
0:44:21
|
clearer as to exactly what happened
|
|
0:44:24
|
So let's try this again
|
|
0:44:29
|
we will telnet to 1
|
|
0:44:32
|
router1 says it's found the list
|
|
0:44:35
|
it's TACACS_AUTH
|
|
0:44:37
|
trying to talk to the server 10.0.0.100
|
|
0:44:41
|
but the response timed out
|
|
0:44:45
|
So now we are going to fall back to our
|
|
0:44:47
|
last resort method, which is the local database
|
|
0:44:51
|
I log in as cisco cisco
|
|
0:44:53
|
I can see, I can get into the command line of router1
|
|
0:44:57
|
because now the TACACS server is unavailable
|
|
0:45:01
|
where previously when I logged in with this username
|
|
0:45:04
|
it gave me authentication failed
|
|
0:45:06
|
because the TACACS server was available
|
|
0:45:09
|
but just my password was wrong
|
|
0:45:11
|
because under the server, I didn't configure my username, I only configured the AAA user
|
|
0:45:18
|
So we can see this from troubleshooting a couple of different ways
|
|
0:45:21
|
when we do the test AAA command
|
|
0:45:25
|
that's going to tell us whether the server is alive
|
|
0:45:27
|
if we were to telnet to them at port 49 for TACACS
|
|
0:45:31
|
or if we were to look at this debug of the
|
|
0:45:33
|
the debug AAA authentication
|
|
0:45:35
|
and the debug TACACS authentication
|
|
0:45:37
|
it's going to tell us if there is a problem with the particular method
|
|
0:45:40
|
or with the connection to the server
|
|
0:45:44
|
So ideally what all we see is that
|
|
0:45:46
|
you have chosen the correct method list
|
|
0:45:49
|
if for some reason it doesn't show you what you have predicted here
|
|
0:45:52
|
like if it says pick method list default
|
|
0:45:55
|
it means that you don't have a specific named list that is being
|
|
0:45:58
|
applied to that individual line
|
|
0:46:03
|
Now once we actually go through
|
|
0:46:06
|
the exchange of the user
|
|
0:46:09
|
the exchange of the
|
|
0:46:11
|
the particular options like the exec authorization
|
|
0:46:14
|
and the privilege level, the command authorization
|
|
0:46:17
|
we will see the vast majority of this information
|
|
0:46:21
|
inside the debug output
|
|
0:46:24
|
So we would be able to use this to see
|
|
0:46:27
|
what is the user name that was sent to the server
|
|
0:46:30
|
what is the privilege level
|
|
0:46:32
|
that the TACACS server is replying with
|
|
0:46:34
|
then if we are doing per command authorization
|
|
0:46:38
|
we are going to see the individual commands that were sent to the server
|
|
0:46:41
|
and then the response whether the user is
|
|
0:46:43
|
allowed or disallowed to do this
|
|
0:46:49
|
So debug TACACS authentication, debug AAA authentication
|
|
0:46:53
|
we would also have equivalents for debug TACACS
|
|
0:46:56
|
authorization, debug AAA authorization
|
|
0:46:59
|
debug TACACS accounting
|
|
0:47:01
|
debug AAA accounting and then debug RADIUS
|
|
0:47:04
|
authentication, authorization and accounting
|
|
0:47:08
|
So now on the ASA let's put that access list back, this is going to allow
|
|
0:47:12
|
our connection now to the TACACS server
|
|
0:47:16
|
if we now telnet back in to router1
|
|
0:47:22
|
we should be able to log in as AAA user
|
|
0:47:25
|
password cisco
|
|
0:47:27
|
and if we now look at what router1 says
|
|
0:47:31
|
says we picked the method list TACACS_AUTH
|
|
0:47:33
|
with the server
|
|
0:47:38
|
we got the reply packet
|
|
0:47:41
|
which is what we are looking for
|
|
0:47:42
|
we should now see the TACACS server saying, okay the connection is up
|
|
0:47:46
|
the three-way handshake is there, so now send me the username
|
|
0:47:50
|
I am going to send them the user name, which in this case
|
|
0:47:56
|
we don't actually see them in the debug output, it says
|
|
0:48:00
|
then its asking us for the password
|
|
0:48:04
|
the authentication response status is pass
|
|
0:48:08
|
this means that the authentication is successful
|
|
0:48:12
|
if we were to try a different user name
|
|
0:48:17
|
So let's say anything else
|
|
0:48:19
|
something we don't have configured
|
|
0:48:21
|
we should see authentication failed
|
|
0:48:24
|
then on router1
|
|
0:48:26
|
the response is going to be failed
|
|
0:48:31
|
So ideally we would see this not as
|
|
0:48:32
|
failed, we would see this as passed
|
|
0:48:37
|
So pass means authentication was successful
|
|
0:48:40
|
failed obviously means that authentication has failed
|
|
0:48:45
|
Now once I am into router1's command line
|
|
0:48:48
|
So log in as AAA user password cisco
|
|
0:48:52
|
drops me out of the command line, and if we look at the show privilege
|
|
0:48:57
|
I am at privilege level one
|
|
0:49:00
|
from here on out, anything else that is happening in this telnet session
|
|
0:49:04
|
we are not going to need to consult the TACACS server
|
|
0:49:08
|
and the reason why is that I have not configured
|
|
0:49:11
|
any type of exec authorization
|
|
0:49:14
|
any type of command authorization
|
|
0:49:16
|
or any type of command accounting
|
|
0:49:19
|
or exec accounting
|
|
0:49:24
|
next let's go to the reports and activity on the server
|
|
0:49:28
|
if we look at the past
|
|
0:49:30
|
authentications
|
|
0:49:32
|
and the failed attempts
|
|
0:49:35
|
we should be able to see these specific users
|
|
0:49:38
|
like in this case we have ASDF
|
|
0:49:40
|
that came in from router1's address
|
|
0:49:45
|
it was talking to us, who is 10.0.0.100
|
|
0:49:48
|
?? authentication has failed
|
|
0:49:52
|
then the same thing was with the user cisco
|
|
0:49:56
|
if we see this error message here, it says
|
|
0:49:59
|
unknown NAS
|
|
0:50:02
|
this means that there is a AAA client
|
|
0:50:05
|
that the server is not configured to accept
|
|
0:50:11
|
So again under the network configuration
|
|
0:50:14
|
then the, under the network devices
|
|
0:50:16
|
right now the ACS server is configured to accept the connections from router1 and router2
|
|
0:50:21
|
before I configured this
|
|
0:50:23
|
we were running that test AAA command
|
|
0:50:26
|
that's why under the reports and activity
|
|
0:50:28
|
the failed attempts
|
|
0:50:30
|
that's why it's showing this message, the unknown NAS
|
|
0:50:34
|
Now you could potentially see this, if either you don't have it
|
|
0:50:37
|
correctly configured on the server
|
|
0:50:40
|
or on the AAA client
|
|
0:50:42
|
you don't have the correct address configured
|
|
0:50:44
|
or if you are sourcing it from the wrong interface
|
|
0:50:49
|
where may be the ACS server is pointing at router1's loopback
|
|
0:50:52
|
router1 is sourcing the traffic from its ethernet
|
|
0:50:55
|
then it's going to be denied, it's going to say unknown NAS here
|
|
0:51:00
|
then we can see other
|
|
0:51:02
|
types of reports here, we would have the per command accounting
|
|
0:51:06
|
we would have the RADIUS accounting
|
|
0:51:10
|
we could see the currently logged in users
|
|
0:51:15
|
but mainly what you would want to see here is the failed attempts
|
|
0:51:19
|
this is going to show you if there is a particular problem
|
|
0:51:22
|
with the configuration of someone
|