Description: The following passage covers AAA login and shows how to configure authentication using an AAA TACACS+ server. The Cisco ASA provides support for TACACS+ attributes, which separate the functions of authentication, authorization and accounting.
In this passage we will configure AAA with TACACS+. The topology is fairly simple: router r1 is our AAA client. All that is configured on router r1 is a hostname and an enable secret; the FastEthernet interface has been configured with IP address 192.168.10.1 and is active.
The server I'm currently on is the ACS server, located at 192.168.10.50. Before we begin the actual configuration, we should verify connectivity between this server and the AAA client, so I'll open a DOS window.
I'll ping the AAA client's address, and router r1 responds. Because I'm always a little paranoid about connectivity, I'll also establish a console connection to router r1 and ping the server at 192.168.10.50 from there.
We have connectivity, so we're ready to configure Cisco Secure ACS. I'll open a browser window and connect to Cisco Secure ACS. This is the trial version, which I downloaded from cisco.com; remember that you need a valid Cisco account to do so.
There are two basic tasks to complete in Cisco Secure ACS: first, identify router r1 as an AAA client, which is done under the Network Configuration menu; second, configure a user, which is done under the User Setup menu.
Let's start by configuring the AAA client. Under Network Configuration there are currently no AAA clients, so I'll add an entry for router r1 with IP address 192.168.10.1.
The shared secret that I'll configure on the router, and that the server will use for its connection with the router, is tacacsPA55. I'll submit and apply that; as confirmation we can see that router r1 has indeed been added as an AAA client.
We'll use TACACS+ between this server and that client. Now for the second task: adding users. Users can come from a Windows database such as Active Directory, or they can be added to the internal ACS database. If I click List All Users, you can see that no users are currently listed.
I'll start by creating a user called admin1 and select the Add button. There are a variety of options I could configure for this user, but the only thing I need to configure right now is a password, which will be admin1PA55.
I'll confirm it by retyping admin1PA55 and submit. We return to the initial screen; admin1 doesn't appear until we click List All Users again, and now we can see that admin1 has been added. That's all we need to do in Cisco Secure ACS at this time.
Now we need to configure the AAA client. I'll open my console connection to router r1 and go into global configuration mode. As a backup I'll create a local database account called Admin with the password adminPA55.
This is a fallback in case my TACACS+ server is not reachable. Next I'll enable AAA with the aaa new-model command. I'm going to configure two ways of accessing the router: a default authentication method that refers to the TACACS+ server,
with the local database as a backup, and then a named authentication list specifically for telnet connections. Let's start by configuring the TACACS+ server information, which consists of its IP address and the shared secret.
I'll use the tacacs-server host command; the server is located at 192.168.10.50. Then I'll configure the shared secret with tacacs-server key; the key we typed into Cisco Secure ACS was tacacsPA55.
It's imperative that these two keys match. As an alternative I could have entered both with a single command: tacacs-server host with its IP address, followed by key tacacsPA55. Now I'm ready to enter the authentication methods.
I'll use the aaa authentication command, specifically aaa authentication login. The choice here is between the default list and a named list. We'll start with the default list; once the default list is configured, it is applied automatically to the console, aux and vty lines.
I'll specify default. As the first method I want it to refer to the TACACS+ server, so I'll say group tacacs+. As a fallback I want it to refer to the local database, but I also want the username to be case sensitive. By default, if I say local, the username can be entered in uppercase or lowercase, while the password must be entered exactly as configured.
If I say local-case, the username must also be entered exactly as it was configured. As you can see, our username is configured with a capital A, so with local-case it will have to be entered as Admin. This is the default method.
The console, aux and vty lines are now automatically configured to use the TACACS+ server. I also want to configure a named list specifically for telnet, so I'll repeat the aaa authentication login command, but this time I'll create a named list.
I always use uppercase characters for any variables we enter in an IOS configuration; it makes them easier to identify in a show run. I'll call this list VTY-LOGIN. It doesn't have to be uppercase, but I've chosen to make it so.
It will refer to the TACACS+ server with no fallback method; this is what makes the two authentication methods different. A named list is not applied anywhere until you go to the line and tell that line to use it.
For that reason I'll enter line vty 0 4 (make sure you include all of the vty lines) and then login authentication VTY-LOGIN, referring to my named list. At this point we have configured the basics of the AAA client.
Let's verify that it refers to the AAA service. I'll exit configuration mode and enable a debug command that lets me see which method list is being used: debug aaa authentication. With debug active, I'll telnet from a host to the AAA client.
The host I'll use for testing is this server, so I'll open my DOS window again and type telnet 192.168.10.1. Assume I'm a regular user or an administrative user trying to gain access to my router; it prompts me for a username.
The debug aaa authentication output shows that it's using the VTY-LOGIN authentication method. The username we configured on our AAA server is admin1 and its password is admin1PA55; we have now authenticated using AAA.
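The router-side steps above, collected into one configuration as an added example. This is not a capture from the lecture's router; it assumes the addresses and secrets used in the walkthrough (r1 at 192.168.10.1, ACS at 192.168.10.50, shared secret tacacsPA55, local fallback user Admin with password adminPA55) and the older tacacs-server host syntax the lecture uses, with the newer tacacs server block shown in a comment for current IOS/IOS-XE releases.

```cisco
! Added example (not the lecture's own captured config).
! Assumed values: r1 = 192.168.10.1, ACS = 192.168.10.50,
! shared secret = tacacsPA55, local fallback user = Admin / adminPA55.
hostname r1
!
! Local fallback account. Created BEFORE aaa new-model so the default
! list always has a working method if the TACACS+ server is unreachable.
! 'secret' stores a hash; the lecture's 'password' keyword stores a
! reversible type 7 string, so 'secret' is the safer choice.
username Admin secret adminPA55
!
aaa new-model
!
! TACACS+ server address and shared secret (must match the key entered in ACS).
tacacs-server host 192.168.10.50 key tacacsPA55
! Equivalent on newer IOS/IOS-XE releases:
!   tacacs server ACS1
!    address ipv4 192.168.10.50
!    key tacacsPA55
!
! Default list, applied automatically to console, aux and vty:
! TACACS+ first, then the local database with case-sensitive usernames.
aaa authentication login default group tacacs+ local-case
!
! Named list for telnet: TACACS+ only, no fallback.
aaa authentication login VTY-LOGIN group tacacs+
!
! A named list does nothing until a line references it.
line vty 0 4
 login authentication VTY-LOGIN
!
end
!
! Verification from privileged EXEC:
! show run | section aaa                 <- confirm both method lists
! debug aaa authentication               <- shows which list handles each login
! test aaa group tacacs+ admin1 admin1PA55 legacy
!                                        <- checks the ACS user without opening a telnet session
```

Two points worth checking when you apply this. First, ordering: because aaa new-model immediately binds the default list to every line, create the local account and the tacacs-server entry first (as the lecture does) so that a console session is never left without a usable method. Second, fail-closed behaviour: VTY-LOGIN has no local fallback, so if ACS is unreachable, telnet logins are refused while the console still falls back to the Admin account; keep a console or out-of-band path available while testing, and confirm with debug aaa authentication that a vty login reports the VTY-LOGIN list and a console login reports default.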