00:00:00 - Using AAA, RADIUS, TACACS, our
objective this Nugget is
00:00:06 - really simple.
00:00:07 - We want to take the knowledge
we gain from the previous
00:00:10 - Nugget about the basics of how
AAA works and transfer it to a
00:00:13 - central AAA server using one
of two languages of love.
00:00:17 - Either RADIUS or TACACS+.
00:00:20 - Let's jump in.
00:00:24 - So here's the situation.
00:00:25 - At our company, we have R1.
00:00:28 - But we've just discovered that
it's not the only router or
00:00:31 - switch that we have to manage.
00:00:32 - There's actually a couple
hundred of them.
00:00:34 - So previously in a Nugget we
used the local database.
00:00:37 - The running config on a single
router because it was a small
00:00:40 - environment.
00:00:41 - We created a user name on the
router in the running config.
00:00:44 - And then we told AAA
that we wanted the
00:00:47 - default login method.
00:00:49 - Anybody trying to login into the
router for administration
00:00:52 - of that router to go ahead and
use a default method of the
00:00:54 - local database.
00:00:56 - And poof.
00:00:56 - All of a sudden, anybody that
tries to login via the VTY
00:00:59 - lines, the console, the
auxiliary port, or any other
00:01:03 - method they might use to get a
command line interface on that
00:01:06 - router, they would have to use
the local database, which
00:01:09 - means the router would prompt
them for a user.
00:01:11 - And prompt them for
00:01:13 - It's wonderful.
00:01:14 - Now, here's the problem
with 200 devices.
00:01:16 - With 200 devices, we don't want
to create the user admin,
00:01:20 - or Bob, or whatever user names
we're going to create, we
00:01:23 - don't want to create that on
200 different devices.
00:01:26 - Holy shnikers.
00:01:27 - Unless we're being
paid by the hour.
00:01:28 - And then it's great.
00:01:29 - However, because our lives are
already busy enough, we need
00:01:32 - some way to allow Bob to log
into these routers, assuming
00:01:36 - he's a manager or an
00:01:38 - But we don't want to have to
create that user in the
00:01:40 - actual local database.
00:01:42 - So here is the game plan.
00:01:44 - What we're going to do is we're
going to play a game
00:01:46 - called centralized database.
00:01:49 - Ooh, it's a great game.
00:01:50 - Check it out.
00:01:51 - You'll love it.
00:01:51 - A centralized database is
where you have all the
00:01:53 - information in one place.
00:01:58 - When I talk about users, that
could mean end users sending
00:02:02 - traffic through the system.
00:02:03 - And it also could refer
00:02:05 - That's always been a
pet peeve of mine.
00:02:06 - It's like, they talk about users
and I'm thinking I'm
00:02:09 - never going to let a
user manage my box.
00:02:11 - So a user could represent
00:02:14 - So I'll be more clear.
00:02:15 - So let's say we have
Bob, who is an
00:02:17 - administrator, and we have Lois.
00:02:18 - And we have Jennifer.
00:02:21 - And we have some other people.
00:02:23 - They're all administrators.
00:02:24 - So what we could do is we
could use centralized
00:02:26 - database, and keep all of their
user names and their
00:02:29 - passwords on a centralized
00:02:32 - This guy's a mail server.
00:02:33 - So we'll just say, for a moment,
he's just going to be
00:02:35 - centralize server.
00:02:36 - So we keep Bob's user name,
Lois's username, and
00:02:38 - Jennifer's user name all there
along with their passwords.
00:02:42 - And here's the play by play.
00:02:44 - Now, we tell the router dear
Mr. Router, you have just lost
00:02:48 - some responsibility.
00:02:50 - What we want you to do now is
that if somebody tries to
00:02:53 - connect and login, whether it's
on the VTY lines, the
00:02:56 - console port, or the auxiliary
port, instead of using the
00:02:59 - default method of saying use
the local database, we want
00:03:03 - you to instead use
a AAA server.
00:03:06 - So this centralized database is
an example of a AAA server
00:03:10 - that has Bob, and Lois,
and Jennifer, all the
00:03:12 - administrators names, in that
database and their passwords.
00:03:15 - So Bob, Lois, or Jennifer
tries to login.
00:03:18 - The router says hold
on a nanosecond.
00:03:20 - It sends that request up to the
AAA server and says, hey,
00:03:23 - AAA server.
00:03:24 - I got somebody who
wants to login.
00:03:26 - I'm so excited.
00:03:27 - Their name is Bob.
00:03:28 - The password is Cisco.
00:03:30 - Is it right?
00:03:31 - Is it good?
00:03:32 - Is it accurate?
00:03:33 - And the AAA server is going to
send a message back saying
00:03:36 - pass or fail.
00:03:39 - That's if it's reachable.
00:03:40 - Now if the AAA server's not
reachable, the router has got
00:03:43 - to make another decision.
00:03:44 - But as long as the server's
reachable, they'll get a pass
00:03:47 - or fail message.
00:03:48 - If it's a pass, the router
says, Bob, come on in and
00:03:51 - gives him the exec shell.
00:03:52 - Now, that's assuming that
we're not also doing
00:03:54 - authorization.
00:03:55 - So for just the authentication
piece, that's how we would do
00:03:58 - the authentication.
00:03:59 - Have a centralized server.
00:04:00 - And now, check this out.
00:04:02 - Now if we have 200 other routers
out here, we can all
00:04:06 - have them talking with that AAA
server, as well, so that
00:04:10 - we only have to manage Bob's
user name and password in one
00:04:13 - place on the centralized
00:04:16 - That's how it works.
00:04:16 - Now, for fault tolerance,
what are we going to
00:04:18 - do in the real world?
00:04:20 - For fault tolerance, we're
going to have a couple of
00:04:22 - these servers.
00:04:23 - And they're going to be
replicating so that if any
00:04:25 - single server fails we're not
going to be locked out of our
00:04:28 - entire network.
00:04:29 - But that's the concept of
extending our AAA beyond the
00:04:34 - single router.
00:04:35 - So let's you and I chat about
how this is going to happen.
00:04:38 - It's, actually, really
easy to set up.
00:04:41 - And it makes a lot of sense.
00:04:43 - And let me walk you through
the piece of doing it.
00:04:45 - If we want two devices to
communicate with each other,
00:04:48 - here is the laundry list of
stuff we would have to do.
00:04:51 - Number one, we need to
create some user
00:04:53 - accounts on this AAA server.
00:04:59 - And I'm calling it a AAA server,
and we should pause
00:05:01 - there for a moment.
00:05:02 - Now, AAA from a previous Nugget,
or this one too, is
00:05:05 - authentication, authorization,
00:05:08 - So when we create users on
this server we could also
00:05:12 - create their passwords,
00:05:13 - But we could also specify what
they're authorized to do.
00:05:17 - So we could specify that they're
authorized to get an
00:05:19 - exec shell.
00:05:20 - They're authorized to be
at privilege level 15.
00:05:23 - They're authorized to go ahead
and issue the command
00:05:25 - configure space terminal.
00:05:27 - We can control all
of that up here.
00:05:29 - And what the router could do is
it can, simply, ask every
00:05:31 - time a customer makes a move--
a user like Bob--
00:05:35 - the router could say,
oh, he's logged in.
00:05:37 - And now he wants to type in
config T. Is that allowed?
00:05:40 - And the AAA server says yes or
no based on the policy that's
00:05:44 - all on this centralized
00:05:46 - Now, this AAA server could have
lots of different names.
00:05:49 - And then explain why that is.
00:05:51 - The communication.
00:05:53 - Right here.
00:05:53 - This communication between
this client because this
00:05:57 - router is acting as a client
to this AAA server.
00:06:00 - Are you with me?
00:06:02 - So we might think the user is
Bob out here trying to log in.
00:06:05 - But from a AAA perspective, the
client is the router who's
00:06:10 - making requests to
the AAA server.
00:06:12 - AAA server is responding back
to the client, the router,
00:06:15 - saying yes or no.
00:06:16 - We're getting passwords
and so forth.
00:06:18 - This language of love, right
here, can be done with a
00:06:21 - couple different protocols.
00:06:23 - The language of love.
00:06:24 - The protocols.
00:06:24 - The rules in place could be done
with a couple different
00:06:27 - sets of rules.
00:06:28 - One is called RADIUS.
00:06:30 - And the other is
00:06:33 - So whenever you see those terms,
I want you to think
00:06:36 - we're talking about the dialogue
and the conversation
00:06:40 - right here between the AAA
server and its client, which,
00:06:44 - in this case, is R1.
00:06:45 - Which one's the best to use?
00:06:47 - Let's talk about that
for a moment.
00:06:49 - As far as which one we
00:06:52 - the actual acronyms too, which
is what both of these are, we
00:06:55 - should also possibly talk about
that for just a moment.
00:06:57 - RADIUS stands for the Remote
00:07:02 - Dial in Users Service.
00:07:05 - Effectively, what is it?
00:07:06 - It's a protocol to talk
between a AAA
00:07:08 - server and a client.
00:07:10 - In this case, a router.
00:07:11 - The TACACS, what that stands
for is the Terminal Access
00:07:16 - Controller Access
00:07:21 - No wonder they just
call it TACACS.
00:07:23 - Now, there's been several
flavors of TACACS.
00:07:26 - There was a X flavor, and there
was the normal TACACS.
00:07:29 - There's TACACS+.
00:07:31 - Today, the only current standard
is TACACS+, as far as
00:07:34 - that protocol goes.
00:07:35 - So we don't, usually, say
the plus at the end.
00:07:37 - We just call it by
00:07:39 - TACACS.
00:07:40 - So say it like this
00:07:46 - So that's how it's pronounced.
00:07:47 - TACACS.
00:07:48 - And then RADIUS, you pronounce
00:07:49 - I don't have a short way
of spelling that.
00:07:51 - But we call them by the acronyms
because it's too
00:07:53 - painful to spell out
the whole process.
00:07:55 - So which language of love are
we going to use between the
00:07:58 - two devices?
00:08:00 - Now, before we jump in and say,
let's use RADIUS or let's
00:08:03 - use TACACS.
00:08:04 - Let's take a look at the pros
and cons and how they operate.
00:08:07 - I put here for you what I think
are the most critical
00:08:11 - things that you deserve to know
about the differences
00:08:13 - between these two protocols,
which can both be used between
00:08:17 - the AAA server and the
00:08:19 - And let's take a look
at RADIUS first.
00:08:21 - RADIUS is an open standard.
00:08:23 - I'm going to start
with that one.
00:08:24 - It's open standard meaning that
any vendor can use it.
00:08:28 - Meaning it's open, it's public,
and there's lots of
00:08:31 - vendors who support it.
00:08:32 - So if we have a non Cisco
network and they're using
00:08:35 - centralized authentication
services for remote access
00:08:39 - users, and users going through
the network, and
00:08:41 - authenticating administrators,
it's very likely to be using
00:08:43 - RADIUS between the network
devices and the AAA server.
00:08:46 - In that case, it would
be RADIUS server.
00:08:48 - In fact, let's go ahead and
write out the names for this
00:08:51 - server right here.
00:08:52 - This is fun because this
device right here, this
00:08:54 - server, could be called
the AAA server.
00:08:57 - No problem.
00:08:58 - It could be called
a RADIUS server.
00:09:01 - Now, why would we call
it RADIUS server?
00:09:03 - It could be called a RADIUS
server because the way they
00:09:06 - have it set up, the customer,
is they have their routers
00:09:09 - communicating with the
00:09:11 - server using RADIUS.
00:09:13 - So they may call it
a RADIUS server.
00:09:15 - They also could call it and
00:09:19 - That's another option.
00:09:20 - That's quite valid.
00:09:21 - And that's perfectly OK.
00:09:23 - So RADIUS uses a
00:09:25 - Anybody can use it.
00:09:26 - Anybody can write to it,
program it, et cetera.
00:09:28 - It encrypts only the passwords,
which is a little
00:09:30 - bit of a bummer.
00:09:32 - So let's say that Bob is here,
and Bob wants to authenticate.
00:09:36 - The actual conversation between
R1 and the AAA server
00:09:40 - is going to be in plain
text, except for
00:09:43 - the passwords involved.
00:09:44 - So Bob's password
00:09:46 - The passwords that allow
these guys to
00:09:48 - communicate is protected.
00:09:50 - But everything else
is in clear text.
00:09:51 - So it's a little less secure.
00:09:53 - However, not a huge
deal because the
00:09:55 - passwords are encrypted.
00:09:56 - And then, finally, RADIUS uses
UDP as its layer four
00:10:00 - transport protocol.
00:10:01 - Now, why is that important?
00:10:02 - It's important because if you
have firewalls or other
00:10:04 - filtering devices in place,
you need to make sure you
00:10:07 - allow the correct layer four
transport protocol and the
00:10:10 - correct ports.
00:10:11 - So originally, a long, long
time ago in a galaxy far away,
00:10:16 - we used those ports.
00:10:17 - 1645 for the authentication
00:10:19 - And 1646 if R1 was going to send
accounting records up to
00:10:23 - that server.
00:10:24 - Now, the current standard is
1812 for authentication of
00:10:28 - import and 1813 for
00:10:30 - Which one is yours
going to use?
00:10:32 - It depends on how it
00:10:34 - So I would just be aware that
those are both possibilities
00:10:37 - for UDP ports used by RADIUS.
00:10:39 - Now, on the other side
of the house, in this
00:10:41 - column, we have TACACS.
00:10:43 - And TACACS, first of all,
is proprietary to Cisco.
00:10:46 - They wrote it.
00:10:47 - And there are some open TACACS
services out there.
00:10:50 - I've seen them.
00:10:51 - You can download them, and
they're open source and free.
00:10:54 - But they're using a TACACS
proprietary protocol to do it.
00:10:57 - Most of the time, if people are
using TACACS, they've got
00:11:01 - a AAA server called
an ACS server.
00:11:05 - Wow.
00:11:06 - Another acronym for it.
00:11:07 - Now, what does ACS stand for?
00:11:09 - That's the Cisco Secure ACS.
00:11:12 - Their Access Control Server.
00:11:14 - It's a product that
00:11:16 - And it comes in several
00:11:18 - So this box, this ACS server
from Cisco, it could be a
00:11:21 - physical box.
00:11:22 - And a long time ago, they used
to sell it where you could
00:11:25 - install it on top of Windows.
00:11:27 - So you have a Windows server.
00:11:28 - You install the ACS software
on top of it.
00:11:31 - They now sell it as
00:11:33 - So you can install it in a
virtualized environment, which
00:11:36 - is what I'm going to be
00:11:38 - So you can have, for example,
ESXi, VMware, and run it as an
00:11:42 - appliance virtually,
which is fantastic.
00:11:45 - And what are the
00:11:47 - There's also an engine,
which is an
00:11:49 - appliance that you plug in.
00:11:50 - It's like a headless horseman.
00:11:52 - And there's also another guy
coming out, and that's ISE.
00:11:57 - And that's making a
lot of headway.
00:11:58 - ISE stands for the Identity
00:12:03 - And it has a lot of similar
functionalities to ACS.
00:12:06 - It does communicate
00:12:08 - And the purpose is for
00:12:10 - And it could do profiling of
the client and it supports
00:12:13 - 802.1X and a whole bunch of
other really cool features.
00:12:16 - ISE, if you see that, that's
how it's pronounced.
00:12:18 - I know it says ISE for Identity
00:12:21 - But if you ever hear about ISE,
it's, simply, another
00:12:23 - product that fits in that area
of a centralized server for
00:12:28 - controlling access
into the network.
00:12:30 - TACACS.
00:12:31 - If it's a Cisco implementation
we might go ahead.
00:12:34 - If you're using ACS, we
might use TACACS.
00:12:36 - And TACACS, one of the benefits
is it does encrypt
00:12:39 - the full payload.
00:12:40 - It doesn't encrypt the headers
because packets need to be
00:12:42 - forwarded on a network.
00:12:44 - But the actual payload, the
conversation of what's really
00:12:46 - happening between the AAA server
and the router, is all
00:12:49 - being encrypted,
which is cool.
00:12:51 - And it uses TCP port
49 at layer four.
00:12:55 - So that's what I would
00:12:57 - Maybe even take a moment, right
now, and I would have
00:13:00 - you write out this table just
so you know the differences
00:13:02 - and can see them.
00:13:03 - And while you're writing that
out-- getting a piece of paper
00:13:06 - or notepad.
00:13:07 - And don't just screen
00:13:10 - You can do a screen shot,
but that won't help
00:13:11 - you remember it.
00:13:12 - I want you to, actually,
write it down.
00:13:14 - You'll be grateful you did.
00:13:15 - A couple of observations I also
wanted to point out with
00:13:18 - you is that RADIUS, kind
of, groups its shots.
00:13:21 - What do you mean groups
00:13:22 - It's less granular for
00:13:26 - With RADIUS, let's say this is
a AAA server and the language
00:13:29 - of love that we've chosen to
use between our AAA client,
00:13:32 - right here, R1.
00:13:33 - And the AAA server is RADIUS.
00:13:35 - So we'll circle that column
for a moment.
00:13:37 - If we want to do authorization,
it's, kind of,
00:13:39 - bundled into the authentication
00:13:43 - So Bob is here.
00:13:44 - Bob says I want to authenticate
and get access to
00:13:47 - the network.
00:13:48 - The authentication request and
authorization request, if
00:13:51 - there is one, are bundled
together in the same session,
00:13:55 - if you will, up to
the AAA server.
00:13:57 - If the AAA service says,
yes, he can login.
00:13:59 - He's authorized.
00:14:00 - Access is granted
and it's done.
00:14:02 - As far as continued
authorization, it doesn't have
00:14:04 - a really granular control
ability to check.
00:14:07 - It does have granular
00:14:08 - It's amazing at accounting.
00:14:10 - So how does that compare
00:14:13 - Let's clear the screen.
00:14:14 - And let's give you an example
of the same user,
00:14:16 - Bob, logging in.
00:14:17 - This time, we'll go ahead and
we'll use TACACS as the
00:14:20 - language of love between our
AAA server and the actual
00:14:23 - client, R1.
00:14:24 - With TACACS, of course, the
entire session is encrypted.
00:14:27 - It's using TCP.
00:14:28 - And it has separate control
00:14:33 - It would go like this.
00:14:34 - Bob wants to login.
00:14:35 - He wants to authenticate.
00:14:36 - The router's been trained
to use a AAA server for
00:14:39 - authentication.
00:14:40 - So it says, can he
00:14:42 - Does he have the right user
name and password?
00:14:45 - And the AAA server, hopefully,
00:14:47 - So that's the first A of AAA.
00:14:50 - This is optional but if the
router has been configured to
00:14:53 - check for authorization
00:14:56 - What do you mean,
00:14:57 - Every time Bob, as an
administrator, if he's going
00:15:00 - into configuration mode, every
command he types, if you want
00:15:04 - the router to check with the
AAA server before allowing
00:15:07 - that to happen you
can do that.
00:15:09 - And that's where the granular
control comes in.
00:15:11 - So at TACACS we could
tell the router.
00:15:13 - We could do a default
authorization method list for
00:15:16 - all commands at level 15.
00:15:18 - And any level 15 command, like
router, would say, oh, before
00:15:21 - I let him execute this command,
I better check with
00:15:23 - the AAA server.
00:15:25 - And the reply comes
back yes or no.
00:15:27 - So it's this part right here,
this blue area, which is the
00:15:30 - separated authorization, which
gives very, very granular
00:15:34 - control that RADIUS doesn't
have built into it.
00:15:37 - So RADIUS lumps the
00:15:38 - authorization together.
00:15:40 - And TACACS can let them
be very, very
00:15:43 - granular and separate.
00:15:44 - If we want to do accounting--
00:15:47 - let me get a different
00:15:48 - If you want to do accounting in
a different color, we can
00:15:50 - send accounting records up
saying Bob did this.
00:15:52 - Bob did that.
00:15:53 - So accounting, they can
both do a fine job.
00:15:55 - The opinion of the world is that
RADIUS, somehow, does a
00:15:58 - better job with accounting.
00:16:00 - More detailed so that's fine.
00:16:02 - We can believe that.
00:16:03 - And we can also answer that
way, if we're asked, in a
00:16:07 - small room.
00:16:08 - But for the purpose of actual
00:16:11 - command by command by
command is TACACS.
00:16:14 - So what does this all
boil down to?
00:16:16 - Let's take a look at
what it boils down to.
00:16:17 - It boils down to the fact that
we can use TACACS or RADIUS
00:16:20 - between the router and
the AAA server.
00:16:23 - In most implementations,
it's going to go
00:16:25 - something like this.
00:16:26 - For end users, let's
say you have an
00:16:28 - end user on the internet.
00:16:30 - So here is Sally.
00:16:32 - She's at her home in some state,
some city, and some
00:16:35 - location in the world.
00:16:36 - And she wants to build a VPN
tunnel into corporate
00:16:39 - headquarters.
00:16:40 - So maybe her firewall is also
the VPN head end device for
00:16:44 - that VPN tunnel.
00:16:45 - And we'll have a whole Nugget
on that coming up.
00:16:47 - So that's part of this course.
00:16:48 - So Sally wants to build a
VPN tunnel coming in.
00:16:51 - And we want to validate, we want
to authenticate, Sally.
00:16:55 - So it's very likely that
we might use RADIUS.
00:16:58 - Make the firewall a RADIUS
client, and have him use
00:17:01 - RADIUS to authenticate Sally.
00:17:03 - And that's the normal
fare, by the way.
00:17:06 - RADIUS is, typically, used to
authenticate end users before
00:17:10 - allowing them access
in the network.
00:17:11 - However, let's take
00:17:13 - And let's take us.
00:17:14 - So you and I, we're sitting
at this PC, right here.
00:17:16 - And we want to SSH.
00:17:18 - We're not like Sally.
00:17:19 - We don't want network access
through the network.
00:17:21 - We want a command
00:17:23 - It's very likely for
00:17:26 - If we have an ACS server, we
are, very likely, using TACACS
00:17:30 - for that purpose.
00:17:31 - Why?
00:17:31 - Why TACACS here and
00:17:34 - Well, TACACS has that more
00:17:37 - So if you want to lock down
your network and make sure
00:17:40 - that every command that's
issued by us, as the
00:17:43 - administrators, is checked with
a AAA server, command by
00:17:46 - command, before those commands
are allowed to be executed on
00:17:48 - the router, the TACACS has
that granular control.
00:17:52 - So typically, you'll see TACACS
for authenticating and
00:17:55 - authorizing administrators.
00:17:57 - And RADIUS used for
authenticating and allowing
00:18:00 - access to end users who are
going through the network,
00:18:03 - like Sally, authenticating
00:18:06 - Now, can you use both?
00:18:06 - The answer is absolutely yes.
00:18:09 - So this router could be a--
00:18:11 - I'll put green here--
00:18:13 - TACACS client.
00:18:20 - I said that backwards.
00:18:22 - So it could be a RADIUS
client or a TACACS
00:18:24 - client at the same time.
00:18:25 - It could, actually,
have two sessions.
00:18:27 - And it can be trained with a
method list saying, I want to
00:18:31 - authenticate network access for
end users using RADIUS.
00:18:35 - And I want to authenticate login
access using TACACS.
00:18:40 - And that's perfectly agreeable
to the system.
00:18:43 - And you'll see that all the
time, as well, in practical
00:18:46 - applications.
00:18:47 - All right, so that's what we've
done as far as taking a
00:18:49 - look at extending our
authentication beyond a single
00:18:53 - local database on
a local router.
00:18:56 - We've also taken a look
at the comparison
00:18:58 - between TACACS and RADIUS.
00:19:02 - I don't know why I
say TACACS first.
00:19:04 - Just a Freudian slip there.
00:19:05 - But RADIUS is open standard.
00:19:07 - TACACS is proprietary.
00:19:08 - What is left for us to do?
00:19:10 - Well, the only thing left for us
to do is to implement this.
00:19:13 - So here's what we're going
to do together.
00:19:15 - You and I are going to take
this router, R1, and we're
00:19:18 - going to have it work in
combination with a AAA server.
00:19:22 - So what I've done is
I've neutered R1.
00:19:25 - That means I took all the
security off of him.
00:19:28 - Why?
00:19:28 - Here's what I want to do.
00:19:29 - I want to show you the commands,
step by step, that
00:19:32 - I'm going to do on this router
as if you're doing it from
00:19:35 - scratch yourself.
00:19:37 - And that way, you can take a
00:19:40 - basic IP addresses;
00:19:42 - implement these commands, and
get the same results.
00:19:45 - I also want to point
out there's a lot
00:19:47 - of open RADIUS servers.
00:19:51 - And there's also some
open TACACS servers.
00:19:55 - So if you want to get those and
install them on a Linux
00:19:58 - box, or a Unix box, or whatever
platform they're on,
00:20:02 - you don't have to
have an official
00:20:04 - ACS server from Cisco.
00:20:06 - You can still use RADIUS or
TACACS on an open source box
00:20:10 - and still practice the commands
00:20:11 - with your local router.
00:20:14 - Abraham Lincoln said--
00:20:15 - I believe it was Abraham
00:20:16 - that if we had eight hours to
cut down a tree, we should
00:20:19 - spend, at least, six hours
sharpening the axe to be more
00:20:23 - effective at it.
00:20:24 - Well, the same thing is true
with network and planning.
00:20:26 - If we're going to set up AAA
services, we want to do a
00:20:29 - couple of things, planning wise,
first before we start
00:20:32 - clicking on icons and putting
commands in the router.
00:20:35 - So the first thing we're going
to do as a safety net is we're
00:20:38 - going to create a local
user on R1.
00:20:46 - And we're going to give
that local user
00:20:47 - privilege level 15 access.
00:20:49 - Well, Keith, I thought we were
moving away from the whole
00:20:52 - local database.
00:20:53 - We're doing centralized now.
00:20:54 - Well, as a fail safe, we want to
make sure that we have, at
00:20:57 - least, one account locally so
that if a AAA server is not
00:21:00 - reachable, or something bad
happens on the network, we can
00:21:03 - still login.
00:21:04 - Like, at the console, it might
be really important to do so.
00:21:07 - So we're going to create
a local user.
00:21:09 - And we're going to enable AAA,
if it hasn't been already.
00:21:16 - We're going to specify
our method lists.
00:21:21 - And for this example, let's
just do authentication.
00:21:29 - I'm going to ask
you a question.
00:21:30 - Do you remember the name of the
method list that, if we
00:21:33 - put it in place, it applies
to all the login.
00:21:36 - So what is the login method list
called that, once it's
00:21:40 - applied, applies to all the
points where we could login?
00:21:43 - VTY lines.
00:21:44 - Console.
00:21:45 - Auxiliary.
00:21:46 - Do you remember the name,
the special name,
00:21:48 - of the method list?
00:21:51 - It is default.
00:21:54 - So if we have an authentication
00:21:57 - named default, basically, all
the VTY lines, all the console
00:22:01 - ports, all the auxiliary ports,
and anywhere somebody
00:22:03 - could do a login, they would
follow the rules of that
00:22:07 - method list.
00:22:07 - So on our default method
list we're going
00:22:09 - to specify two methods.
00:22:11 - We're going to specify a TACACS
server or a group of
00:22:17 - TACACS servers.
00:22:18 - And then that will be
our first option.
00:22:20 - And then we'll specify
the local database.
00:22:23 - So here's what will happen.
00:22:26 - If Bob tries to authenticate
to the router, the router's
00:22:30 - going to go, oh, I need to check
with a TACACS server.
00:22:33 - Oh, there's not one
00:22:35 - Or if there is one configured,
he's not responding.
00:22:37 - And then it will fall back
to the local database.
00:22:40 - And if the user name, Bob, is
in the local database, or
00:22:43 - admin, or whoever he's logging
in as, he can authenticate.
00:22:46 - We could also do this.
00:22:47 - We can make a third option.
00:22:48 - And that third option
could be enable.
00:22:52 - Now, what does that mean?
00:22:53 - Well, that means that if
a TACACS server is not
00:22:56 - reachable, no response, and the
user logging in doesn't
00:23:00 - have an entry in the
00:23:03 - there's no user account.
00:23:04 - It's not that there is a user
account named Bob, and he has
00:23:06 - the wrong password.
00:23:07 - There's no Bob in the
00:23:09 - Then it will default to
the enable secret.
00:23:12 - At which point, it would prompt
you for the password.
00:23:14 - So Bob would connect,
00:23:16 - Bob would have a bogus
user name that wasn't
00:23:18 - in the local database.
00:23:20 - And then it would fail.
00:23:21 - And then it would just ask
us for a password.
00:23:24 - And that would be the
00:23:25 - So this could be our method
list as a fallback.
00:23:28 - Or we might want to say
even we could do four.
00:23:31 - I guess we'd say none.
00:23:33 - If there's no enable
secret, the default
00:23:35 - method would go to none.
00:23:36 - But that's not a good idea.
00:23:38 - Saying none for an
00:23:40 - isn't a good idea.
00:23:41 - So we'll do these steps.
00:23:43 - We'll create the local user,
enable AAA, separate method
00:23:46 - list, and we're also
going to specify at
00:23:48 - least one AAA server.
00:23:50 - So we will tell R1 about the IP
address of a AAA server so
00:23:55 - that when the AAA server is
configured, which is our next
00:23:57 - step, it'll be able to go ahead
and communicate and
00:24:00 - respond and do authentication
00:24:02 - So that's our plan.
00:24:03 - Step by step.
00:24:04 - Inch by inch.
00:24:05 - Life's a cinch.
00:24:06 - Let's go ahead and, first, take
a look at R1, create our
00:24:09 - local user, enable AAA, and
set up our method lists.
00:24:13 - So let's bring in our router.
00:24:14 - He's about to get a makeover
with security with AAA.
00:24:17 - What I did on this router is I
wiped it out as far as any of
00:24:21 - the previous security measures
we had taken with AAA because
00:24:24 - I wanted to give you the ability
to see it all step by
00:24:26 - step by step on a brand
00:24:28 - So on this device, the very
first thing we're going to go
00:24:30 - ahead and do is in privileged
mode, privilege level 15,
00:24:34 - we'll get into configuration
00:24:36 - And then we'll create a
local user account.
00:24:37 - Why?
00:24:38 - Because if all else fails,--
00:24:40 - we can't reach an external AAA
server, we have a password
00:24:43 - configured incorrectly, what
have you-- we want to have a
00:24:46 - method in our method list that
says use the local database.
00:24:50 - And we want to make sure we
have a local user that has
00:24:52 - privilege level 15 access.
00:24:54 - So it'll only create
00:24:55 - One for admin with privilege
00:24:58 - And one for Bob at privilege
00:25:01 - Because we use the secret
keyword, both of those are stored
00:25:04 - as the MD5 digest and
00:25:07 - They're kept that way.
00:25:08 - Next, we want to make sure
we have an enable secret.
00:25:10 - And we also want
to enable AAA.
00:25:13 - Well, the next thing we want to
do is I want to tell this
00:25:15 - router, hey, guess what?
00:25:17 - Dear Mr. Router, there's a
TACACS server available.
00:25:20 - Let's take a look.
00:25:21 - So if this router's on the 192
168 zero network and the 10
00:25:25 - three and the 10 two and
the 10 one, I've
00:25:28 - also got another network.
00:25:29 - It's, actually, off
of this firewall.
00:25:32 - It's like on a little
00:25:33 - That's the 192 168
one sub net.
00:25:36 - And that happens to be where
the TACACS server is.
00:25:40 - So I'm going to tell this router
that if it ever needs
00:25:43 - to talk to TACACS server
for any reason,--
00:25:45 - he doesn't have any good
reasons yet to do it--
00:25:48 - I want to give him the IP
address of that TACACS server.
00:25:51 - So that's our next task.
00:25:53 - It is to say, for a TACACS
server, there's a host at 192
00:25:57 - 168 one dot 252.
00:25:59 - What we also might want to do
is verify that we can ping
00:26:03 - that host just to make
sure we have basic
00:26:05 - connectivity in place.
00:26:07 - So let's do a do ping of 192
dot 168 dot one dot 252.
00:26:14 - And hopefully, we have
00:26:16 - Good.
00:26:17 - We do.
00:26:17 - So one of those got eaten
by ARP, which is normal.
00:26:20 - And then the rest
of them made it.
00:26:21 - That's fantastic.
00:26:22 - We also need to tell the router
what the password is
00:26:26 - that it should use to encrypt
the entire session with that
00:26:30 - TACACS server.
00:26:31 - So we're going to specify
TACACS server key.
00:26:34 - I'm going to use a key
of Cisco 1, 2, 3.
00:26:37 - When we configure the TACACS
server to respond to this
00:26:40 - router, we'll have to configure
the same keys so
00:26:42 - they can successfully
communicate with each other.
00:26:45 - So far we've enabled AAA.
00:26:47 - But what we haven't done is
specify a default
00:26:51 - method yet.
00:26:53 - So if we want to specify default
method, let's do this.
00:26:55 - Let's tell this router that
the default authentication
00:26:59 - method for character
00:27:02 - we want it to be, first,
one of the
00:27:04 - group of TACACS servers.
00:27:06 - Currently, we have
a group of one.
00:27:07 - That's OK.
00:27:08 - And if we can't reach a TACACS
server successfully, go ahead
00:27:12 - and use the local database.
00:27:13 - Because the TACACS server is
not online yet and it's not
00:27:16 - fully configured yet, we
definitely want to have that
00:27:19 - fall back to the local database
in our default method
00:27:22 - list so that we can still
log on as a local user
00:27:25 - administrator.
00:27:27 - So we'll do that right now.
00:27:28 - And you might also notice that,
as I do this, there's no
00:27:32 - clicking of the keyboard.
00:27:33 - I have a lot of this pre done
because I want to make it
00:27:35 - available for you in the
Nugget lab area.
00:27:38 - So for this video, for video
three, using AAA with RADIUS,
00:27:44 - there's a Nugget lab file that
is going to contain all the
00:27:49 - commands that I'm implementing
00:27:50 - So you can download that,
review it, and make sure
00:27:53 - you're comfortable with them.
00:27:55 - Because that applies to the VTY
lines, the console, the
00:27:59 - auxiliary port and anywhere that
we can get a login access
00:28:02 - for authentication that's
going to apply.
00:28:04 - Let's create a custom method
list that we can create and
00:28:07 - apply, if we want to, to an
individual console or
00:28:11 - individual VTY line just
so you get a feel
00:28:14 - for the whole picture.
00:28:15 - So we'll create a custom
authentication method list for
00:28:19 - character mode login.
00:28:21 - And I'm going to call
it free bird.
00:28:23 - My good friend Kevin Wallace did
a quality of service and
00:28:28 - he used the term free bird in it
regarding how long it would
00:28:31 - take with or without
00:28:33 - And I still think of him,
to this day, whenever I
00:28:34 - think of free bird.
00:28:35 - But this method list called free
bird says, if this method
00:28:39 - list is used, no authentication
00:28:43 - So I'll tell you why we're
going to use that.
00:28:45 - Let's use that on line
00:28:48 - Why?
00:28:49 - Because if we apply that to
line console zero, then I
00:28:53 - won't have to go ahead and
authenticate when I connect to
00:28:56 - the console.
00:28:57 - It will make it a lot
easier for me.
00:28:58 - For security, not that great.
00:29:00 - We might want to leave
the default in place.
00:29:02 - But to demonstrate applying a
specific method list, we're
00:29:06 - going to line console zero.
00:29:08 - We're saying login
authentication free bird.
00:29:10 - And guess what?
00:29:11 - Now, as we connect to the
console, it will look for the
00:29:14 - method list and say, oh, no
00:29:17 - Just come in because the
method list is there.
00:29:20 - In fact, we could demonstrate
that and we will.
00:29:23 - Let me finish the config,
and we'll demonstrate
00:29:25 - all of these together.
00:29:26 - All right.
00:29:27 - Next, just for fun, let's go
ahead and set up a couple of
00:29:31 - authorization method lists
just for grins.
00:29:35 - Now, authorization
00:29:38 - So once you've authenticated
somebody, if you want to
00:29:40 - additionally ask the router to
perform authorization for that
00:29:43 - individual, we can authorize
lots of different things.
00:29:46 - We can authorize exec shells.
00:29:49 - We could authorize people who
are trying to go into
00:29:51 - privilege mode.
00:29:52 - We could authorize commands
at privilege level one or
00:29:56 - privilege level 15.
00:29:57 - You can authorize, virtually,
00:30:00 - And authorization means this.
00:30:01 - If you're telling the router
authorization is required, the
00:30:05 - router won't let that happen
until the authorization gets
00:30:09 - the two thumbs up saying, yes,
that's OK to happen.
00:30:12 - So this first authorization
method list says any commands
00:30:16 - at privilege level one,
use a TACACS server.
00:30:19 - And if your TACACS server is not
reachable, check with the
00:30:21 - local database for
a valid user.
00:30:23 - And the second method says any
commands at level 15 should be
00:30:28 - checked against a
00:30:30 - And if one can't be reached,
check the local database.
00:30:32 - So these names right here--
00:30:34 - instead of using the keyword
default, I use this name.
00:30:37 - And that's what makes this
a custom method list.
00:30:40 - What are the two methods
in this list?
00:30:42 - It says use a group
of TACACS server.
00:30:44 - That's the first method.
00:30:45 - And if that's not reachable,
go ahead and
00:30:47 - use the local database.
00:30:48 - And there's a similar
functionality for the commands
00:30:50 - at level 15.
00:30:51 - It's amazing.
00:30:52 - Behind the scenes, the routers
keeping track of all the
00:30:54 - commands that are being issued
and what level they're at.
00:30:56 - And this, these authorization
lists, they are
00:30:59 - not in place yet.
00:31:00 - They're not enforced yet.
00:31:02 - They're, simply, authorization
lists that are sitting in
00:31:04 - global config.
00:31:05 - But they would need to be
applied to be worth
00:31:08 - something and used.
00:31:09 - Actually, before we apply them,
let's create a couple of
00:31:12 - accounting method
lists as well.
00:31:14 - It's the same exact concept.
00:31:16 - We're going to create a method
list for accounting records.
00:31:20 - We're going to specify what
should be accounted for.
00:31:24 - And then we'll specify where
to go ahead and send them.
00:31:27 - For accounting, it doesn't make
sense to send it to the
00:31:29 - local database because there's
no accounting server there.
00:31:32 - However, if you do have a TACACS
server or a RADIUS
00:31:35 - server, you could, certainly,
send your accounting records
00:31:37 - up to the TACACS or RADIUS
server that you had already
00:31:40 - gotten defined.
00:31:41 - So this one right here also,
this command in the middle, is
00:31:45 - an interesting one that, by
default, even if you're doing
00:31:48 - command authorization,
if somebody goes into
00:31:51 - configuration mode, by default,
the router stops
00:31:54 - checking for authorization.
00:31:56 - By issuing that highlighted
command, it also
00:31:59 - says, oh, by the way.
00:32:00 - Even though this user is in
configuration mode, still keep
00:32:03 - checking to see if router rip
is OK, or OSPF is OK, or
00:32:06 - anything else they might issue
in configuration mode.
00:32:09 - So that one in yellow is, kind
of, like a little gotcha.
00:32:12 - A lot of times people say, I
want to authorize every single
00:32:15 - command everywhere
on the router.
00:32:17 - And then they don't
00:32:19 - And once the guy gets into
configuration mode, they
00:32:21 - wonder why their accounting
records stop or their
00:32:23 - authorization records stop.
00:32:24 - And that command needs to
be there for the tap in.
00:32:27 - So the accounting records, the
accounting method list, says I
00:32:31 - want to do accounting
on commands at
00:32:33 - privilege level one.
00:32:34 - And here's this method
list called TACACT1.
00:32:37 - I just made it.
00:32:38 - I want to account for when
they started, when they
00:32:40 - stopped, and I want to
go ahead and send
00:32:42 - it to a TACACS server.
00:32:44 - So if there's a TACACS server
configured and working, it'll
00:32:47 - send all the commands that are
being issued at privilege
00:32:50 - level one and privilege
level 15 if this
00:32:54 - method list is applied.
00:32:56 - So any custom method list
is not applied by default.
00:32:59 - So we're going to fix
that right now.
00:33:01 - We're going to take our method
list, our custom ones for
00:33:04 - authorization and our method
list for accounting, and let's
00:33:08 - go ahead and apply them to
actually put them to work.
00:33:10 - To apply them means to apply
them to a logical place where
00:33:14 - somebody would try
00:33:16 - So we're going to apply
these, as an
00:33:18 - example, to the VTY lines.
00:33:20 - So we'll go to VTY lines
zero through four.
00:33:23 - And we'll say authorization
for commands at level one.
00:33:27 - Authorization for commands
at level 15.
00:33:30 - Use your respective
00:33:33 - For you who are brand new to
AAA, in this video Nugget that
00:33:39 - we're doing together, right now,
I'm showing you a large
00:33:43 - portion of all the pieces.
00:33:44 - How they fit together.
00:33:45 - The basic concepts are, however,
that AAA new model
00:33:49 - says I have a new paradigm of
how to control authentication,
00:33:54 - authorization, and accounting.
00:33:56 - We can use default method lists
00:33:59 - authorization, and accounting,
which apply everywhere.
00:34:02 - Or we can create custom method
lists and apply them, as we
00:34:06 - are, right here for various
aspects to control
00:34:09 - access on that line.
00:34:11 - Case in point.
00:34:12 - Somebody tries to telnet in
right now on a VTY line.
00:34:16 - Because they're coming in on the
VTY line, they're going to
00:34:19 - subject to the default
authentication method list,
00:34:21 - which applies everywhere.
00:34:22 - And they're going to be subject
to this custom method
00:34:26 - list for authorization at
commands at level one
00:34:30 - and commands at level 15.
00:34:31 - As well as, accounting for
commands at level one and 15.
00:34:34 - On the console we have a custom
00:34:37 - method list saying none.
00:34:39 - So no authentication and no
00:34:42 - there, whatsoever.
00:34:43 - And let's demonstrate this.
00:34:44 - In fact, let's do this.
00:34:49 - Now, a trick here is I'm not
going to leave the router.
00:34:51 - I'm going to telnet in to
myself because if something
00:34:54 - goes terribly bad I don't want
to completely lock myself out.
00:34:58 - So instead of logging all
the way out, let's
00:34:59 - do a telnet to 10.1.0.1.
00:35:02 - That's my own address.
00:35:03 - And let's also do
00:35:05 - That'll be fun too.
00:35:06 - We'll do the AAA
00:35:11 - That'll be enough for now.
00:35:12 - And lets do a telnet
00:35:16 - Now, what I would expect to
happen is, because they're
00:35:18 - going to be coming in on one of
these four VTY lines, the
00:35:21 - authentication is going to use
the default method list if we
00:35:24 - go up to here and take
a look at it.
00:35:27 - And here's our default
authentication method list
00:35:32 - right here.
00:35:35 - And this default authentication
00:35:36 - says, go ahead and try a group
of TACACS servers first.
00:35:40 - If you can't find them, use
the local database.
00:35:43 - If we try to go in the console
because it has the free bird
00:35:47 - method list we should
00:35:48 - In fact, this let's
go to the console.
00:35:50 - Let's demonstrate that first
because that way you can see
00:35:52 - the actual free bird
00:35:56 - So back on the console,
debugging is still active.
00:36:00 - Take a look at that.
00:36:00 - It said, oh, you're coming on
the console, which method list
00:36:03 - should I use?
00:36:04 - Free bird.
00:36:05 - And free bird said no
00:36:07 - And poof.
00:36:08 - It didn't prompt me
for a user name.
00:36:09 - It didn't prompt me
for a password.
00:36:11 - It just let me in.
00:36:13 - So let's go ahead
and telnet.
00:36:19 - I need to put the right password
in for going into
00:36:21 - privilege mode.
00:36:22 - So let's go ahead and telnet
to ourselves with the
00:36:25 - debug still running.
00:36:28 - And now we're coming
in a VTY line.
00:36:30 - And now look at what method
list it chose for
00:36:33 - authentication.
00:36:34 - It shows the default
00:36:36 - And that default method
list said use a
00:36:38 - TACACS server first.
00:36:40 - Timed out.
00:36:40 - Couldn't find one.
00:36:41 - And then it's going
to local database.
00:36:43 - So we can type in the
local user admin.
00:36:46 - And a password of Cisco.
00:36:48 - And we're in.
00:36:48 - Now, if we wanted to see that,
as well, check this out.
00:36:51 - We could do a debug of TACACS.
00:36:55 - And we could see the router
trying to talk to the TACACS
00:36:57 - server saying, hey,
are you there?
00:36:59 - I got a user.
00:37:00 - Oh, I'm timing out.
00:37:01 - OK, I'll use the
00:37:03 - So let's try that telnet,
again, to the VTY lines.
00:37:09 - So here's our TACACS+ request.
00:37:11 - It started a five
second time out.
00:37:13 - So it sent out a
request on TCP.
00:37:17 - And the TCP port is 49,
as we have right here.
00:37:22 - So they sent out a TCP request
to the TACACS server saying,
00:37:24 - hey, I've got somebody
trying to login.
00:37:26 - Are you there?
00:37:27 - Are you there?
00:37:28 - It wasn't there after
00:37:30 - It timed out and went to
the local database.
00:37:32 - Still asking me for a user
but now it's off
00:37:34 - to the local database.
00:37:37 - And now I'm in.
00:37:39 - So there's the authentication.
00:37:41 - Again, it's just based on
where we connect to.
00:37:43 - So I would encourage you, for
this, to, maybe, download the
00:37:47 - file from the Nugget lab site.
00:37:50 - And go through the commands and
practice with this on a
00:37:53 - non-production router because
the first couple of times you
00:37:57 - do this, you're very likely to
unauthorized yourself right
00:38:02 - out of the router.
00:38:03 - We have to physically
turn it off and
00:38:04 - physically power it on.
00:38:05 - Let me tell you a quick
00:38:07 - In 2003, I went to go get
my CCIE in security.
00:38:11 - And I had a great time.
00:38:12 - Lots of fun as those
labs always are.
00:38:15 - And I, absolutely,
locked myself out
00:38:17 - of one of my devices.
00:38:18 - So I had been saving
as I went.
00:38:20 - I got to a AAA task.
00:38:22 - I was in a hurry.
00:38:23 - I put a default method list
00:38:27 - I pressed enter and it was done
because no longer did I
00:38:31 - have the authorization
to access my gear.
00:38:34 - So to fix it I had to power
off the router that I was
00:38:38 - working on.
00:38:39 - Power it back on.
00:38:40 - It came back right to
where we left it.
00:38:42 - We put in the correct commands,
00:38:44 - continued, and passed.
00:38:45 - However, it happens
to the best of us.
00:38:48 - Where do we go from here?
00:38:49 - Now that we have this
functioning, we have the basic
00:38:52 - configuration set up on the
router, let's go ahead and
00:38:55 - take a look at setting up the
AAA server to support it.
00:38:59 - And our AAA server
is right here.
00:39:01 - He's out on this network.
00:39:04 - And he's off of the firewall.
00:39:06 - And he's at 192.168.1.252.
00:39:13 - So setting up the AAA server,
the big concept here is that
00:39:17 - we have a centralized server
that is willing and able to
00:39:19 - take the request of these AAA
clients, the routers.
00:39:22 - And verify user's credentials,
verify whether authorization
00:39:27 - should be permitted or not,
and, essentially, keep
00:39:29 - accounting records.
00:39:30 - So let's bring over
00:39:33 - And the actual configuration
of ACS, it's a big animal.
00:39:38 - It's got lots of bells
00:39:40 - And I'll tell you why.
00:39:42 - It's possible that in an
organization with hundreds of
00:39:45 - devices, or thousands of
devices, and dozens of
00:39:48 - administrators, you might want
certain users to have certain
00:39:52 - rights on certain devices.
00:39:53 - So we have network device groups
that we can set up.
00:39:56 - We have user groups that
we can set up.
00:39:58 - We can give different
permissions to the groups.
00:40:00 - And then we can put users in
those groups to get access to
00:40:02 - certain devices.
00:40:03 - So it's mix and match.
00:40:05 - Very modular.
00:40:06 - Let's take a look, first of all,
at our network devices
00:40:08 - and AAA clients.
00:40:09 - Here's R1.
00:40:10 - Let's go take a look at him
by clicking on him.
00:40:12 - It says this is R1.
00:40:14 - His location is here.
00:40:16 - His device type is a group
of routers device type.
00:40:19 - Again, we can categorize that
as west coast routers, east
00:40:22 - coast routers, and so forth.
00:40:23 - And here's the IP address.
00:40:25 - Now, this IP address, 192 168
1.125, doesn't look right.
00:40:30 - So let's take a peek
00:40:33 - Oh, I see what's happening.
00:40:34 - So there's some network address
00:40:36 - happening between the AAA server
that's off of here as
00:40:39 - it goes through this firewall.
00:40:41 - So the AAA server is actually
seeing the router.
00:40:44 - Even though its address is 192
168 0.1, it's seeing it as
00:40:48 - 192 168 1.25 as goes
00:40:51 - Network Address Translation.
00:40:52 - All right.
00:40:53 - So that works.
00:40:54 - And then, here, we
00:40:56 - So for TACACS, we want to
put the correct secret,
00:40:59 - which is 1, 2, 3.
00:41:01 - If you don't have the right
secret, they won't be able to
00:41:02 - successfully communicate.
00:41:04 - And I'll submit that.
00:41:06 - And then we'll go take
a look at users.
00:41:08 - Here's our internal users.
00:41:11 - I've got Admin, Bob,
King Kong, Sally.
00:41:14 - We could make a new one.
00:41:15 - So I'll click on create.
00:41:16 - Let's call it Test Admin.
00:41:19 - And his password, we'll make
the password Cisco.
00:41:23 - It's not very secure but very
easy for me to remember.
00:41:26 - Now, this is the magic.
00:41:27 - If we already have groups
set up, we could
00:41:29 - say, you know what?
00:41:30 - I want to put this user as
part of the admin group.
00:41:34 - And by that association, he'll
get all the rights that the
00:41:37 - admin group has to a
certain group of
00:41:39 - routers in a device group.
00:41:41 - So that's the mixing pot of
how certain rights get
00:41:45 - associated with individuals.
00:41:46 - So we'll click on OK.
00:41:48 - And I need to confirm the
password of Cisco here.
00:41:52 - And submit it.
00:41:53 - And now I've got this user
called Test Admin who's a
00:41:56 - member of the admin group.
00:41:58 - I've also got a user called
Sally who's a member of the
00:42:00 - help desk who, of course, won't
have the same rights as
00:42:03 - Test Admin.
00:42:03 - And I've got Bob, King
00:42:07 - So how do we test something
00:42:09 - So the AAA server knows
about the router.
00:42:12 - The router knows about
the AAA server.
00:42:14 - It is so easy to test this.
00:42:16 - Check this out.
00:42:17 - From the router, let me bring
him back over here.
00:42:20 - Let's do a debug of
00:42:26 - And let's just do a test.
00:42:27 - This is a fantastic
troubleshooting tool because a
00:42:30 - lot of times there's so
many moving parts.
00:42:31 - Like, how do we verify that this
user connecting from that
00:42:34 - place is using the AAA server
in the back end?
00:42:37 - This is a great test between the
client and the AAA server
00:42:40 - just to make sure that piece
is working correctly.
00:42:42 - Let's do a AAA.
00:42:44 - And we'll specify a group
TACACS, which represents a
00:42:48 - group of TACACS servers.
00:42:50 - We happen to have one
at the moment.
00:42:51 - That will do.
00:42:52 - And then the next TACACS
will be the user name.
00:42:54 - How about that user
we just created?
00:42:56 - What was her name?
00:42:58 - How about Test Admin?
00:43:00 - Let's check test admin,
the one we just made.
00:43:04 - We'll put in this password.
00:43:05 - Unfortunately, for this test
it's going to be clear text on
00:43:08 - the screen.
00:43:09 - So if somebody's watching you,
that wouldn't be a good thing.
00:43:12 - But it is what it is.
00:43:13 - Maybe, make a test account.
00:43:14 - Try it out.
00:43:15 - Delete the test account.
00:43:17 - And then there's an option for
how we want to send it.
00:43:19 - And I'm going to use
00:43:22 - So now what?
00:43:22 - OK, wow.
00:43:23 - That worked first time.
00:43:25 - Fantastic.
00:43:26 - So this says attempting to
authenticate to the server
00:43:29 - group TACACS.
00:43:30 - User was successfully
00:43:32 - And the debug is, simply,
showing us that it found out
00:43:35 - you had the user information.
00:43:36 - It wanted to get the password,
which it all did from that one
00:43:39 - command test of AAA.
00:43:41 - And the success was pass.
00:43:43 - The status was pass.
00:43:44 - So if it comes back as fail--
00:43:46 - let's do it.
00:43:46 - Let's do a fail.
00:43:47 - Let's do another test.
00:43:48 - Lets put a user that
00:43:50 - How about Billy just to
make sure that Billy
00:43:55 - doesn't exist here?
00:43:57 - All right.
00:43:58 - So Billy doesn't exist.
00:43:59 - And we'll go ahead and
see the responses.
00:44:03 - It was rejected by the server.
00:44:05 - And look at this.
00:44:05 - It has a fail message.
00:44:07 - So we have a message from the
TACACS debugging saying, yep,
00:44:11 - the AAA server responded.
00:44:12 - And the answer was no.
00:44:15 - It wasn't that we timed out.
00:44:16 - It was that the AAA
server said no.
00:44:17 - So now if we leave the debug
running and we do a debug AAA
00:44:22 - authentication, and debug AAA
authorization, and debug AAA
00:44:28 - accounting because I think we
have a whole bunch of stuff
00:44:32 - for the VTY lines.
00:44:33 - Then we're telnetting
to ourselves.
00:44:37 - And let's go in as test admin.
00:44:42 - And the password is Cisco.
00:44:46 - And then we'll go into
00:44:50 - Now I didn't do authorization
of the exec shell.
00:44:52 - And that's why it didn't,
automatically, put me at
00:44:55 - privilege level 15.
00:44:56 - I didn't tell the router to
check for authorization for an
00:44:59 - exec shell, which would
have tied it to my
00:45:01 - own privilege level.
00:45:02 - So in this Nugget, we've
identified how we can extend
00:45:05 - the reach of a centralized AAA
server and make it usable by
00:45:10 - multiple clients.
00:45:11 - This guy could use it.
00:45:12 - In fact, the switches could
all tie into it for
00:45:14 - authentication of users
if they were doing
00:45:16 - something like 802.1X.
00:45:18 - Port based authentication,
00:45:20 - We can use, as the language
of love, TACACS or RADIUS.
00:45:24 - They both have their
pros and cons.
00:45:26 - And here's what I'd like
to do as a final little
00:45:27 - exercise with AAA.
00:45:29 - I realize that AAA can
be a little daunting.
00:45:33 - There's a lot of bells
00:45:35 - Here's a little exercise I'd
like each of you to do.
00:45:38 - First of all, I'd like you to
start off with a router that's
00:45:41 - not in a production
00:45:43 - You've got a command line
interface to it.
00:45:45 - And here's what I'd
like you to do.
00:45:46 - I'd like you to get into
00:45:49 - And then go to configuration
00:45:51 - I'd like you to turn on
set enable secret.
00:45:53 - Go to AAA new model.
00:45:55 - Enable that.
00:45:56 - And then set a default method
list saying I want the enable
00:45:59 - secret to be my default method
00:46:02 - So with just those commands
00:46:05 - Enable secret.
00:46:06 - AAA new model.
00:46:08 - And a default method list.
00:46:09 - This guy right here.
00:46:11 - Now, if we telnet to
ourselves or go back on the
00:46:14 - console, either way, it should
prompt us for a password.
00:46:18 - So the password is going
to be Cisco.
00:46:20 - The first thing it said was get
the password because the
00:46:23 - default method was
00:46:25 - And then, when I supplied
00:46:26 - password, it let me in.
00:46:27 - Let's try it again.
00:46:29 - And let's put in the
00:46:31 - So I'm going to put in the
incorrect enable secret.
00:46:35 - I want you to see visually
how it says fail.
00:46:38 - Wrong password.
00:46:39 - And now it's prompting me,
again, for another password.
00:46:42 - I put in the correct password.
00:46:43 - It lets me in.
00:46:44 - So the basic concept of AAA is
make sure you find out who
00:46:49 - people are.
00:46:50 - Or if you're using a method like
the enable secret, make sure
00:46:53 - you have the correct enable
00:46:55 - Once you have a user
authenticated by identifying
00:46:58 - who that user is, if you're
using the local database or
00:47:00 - TACACS, you can then authorize
if you want.
00:47:03 - That's the second A of AAA.
00:47:05 - And then you can send accounting
records, as well,
00:47:08 - up to the AAA server.
00:47:11 - I have had a lot of fun in
this Nugget on AAA and,
00:47:14 - actually, putting
it in motion.
00:47:16 - Most companies are using some
type of centralized
00:47:19 - authentication for medium
and large companies.
00:47:21 - You definitely want to be
comfortable with it.
00:47:23 - Again, I'd encourage you to do
the practice, the hands on.
00:47:26 - Go visit the Nugget lab.
00:47:28 - Download all the commands I
used in this Nugget, and
00:47:31 - practice them yourself.
00:47:32 - I hope this has been informative
00:47:34 - And I'd like to thank
you for viewing.