Cisco CCNA Security 640-554

AAA, RADIUS and TACACS+

by Keith Barker

00:00:00 - Using AAA, RADIUS, TACACS, our objective this Nugget is
00:00:06 - really simple.
00:00:07 - We want to take the knowledge we gain from the previous
00:00:10 - Nugget about the basics of how AAA works and transfer it to a
00:00:13 - central AAA server using one of two languages of love.
00:00:17 - Either RADIUS or TACACS+.
00:00:20 - Let's jump in.
00:00:24 - So here's the situation.
00:00:25 - At our company, we have R1.
00:00:28 - But we've just discovered that it's not the only router or
00:00:31 - switch that we have to manage.
00:00:32 - There's actually a couple hundred of them.
00:00:34 - So previously in a Nugget we used the local database.
00:00:37 - The running config on a single router because it was a small
00:00:40 - environment.
00:00:41 - We created a user name on the router in the running config.
00:00:44 - And then we told AAA that we wanted the
00:00:47 - default login method.
00:00:49 - Anybody trying to login into the router for administration
00:00:52 - of that router to go ahead and use a default method of the
00:00:54 - local database.
00:00:56 - And poof.
00:00:56 - All of a sudden, anybody that tries to login via the VTY
00:00:59 - lines, the console, the auxiliary port, or any other
00:01:03 - method they might use to get a command line interface on that
00:01:06 - router, they would have to use the local database, which
00:01:09 - means the router would prompt them for a user.
00:01:11 - And prompt them for a password.
00:01:13 - It's wonderful.
00:01:14 - Now, here's the problem with 200 devices.
00:01:16 - With 200 devices, we don't want to create the user admin,
00:01:20 - or Bob, or whatever user names we're going to create, we
00:01:23 - don't want to create that on 200 different devices.
00:01:26 - Holy shnikers.
00:01:27 - Unless we're being paid by the hour.
00:01:28 - And then it's great.
00:01:29 - However, because our lives are already busy enough, we need
00:01:32 - some way to allow Bob to log into these routers, assuming
00:01:36 - he's a manager or an administrator.
00:01:38 - But we don't want to have to create that user in the
00:01:40 - actual local database.
00:01:42 - So here is the game plan.
00:01:44 - What we're going to do is we're going to play a game
00:01:46 - called centralized database.
00:01:49 - Ooh, it's a great game.
00:01:50 - Check it out.
00:01:51 - You'll love it.
00:01:51 - A centralized database is where you have all the
00:01:53 - information in one place.
00:01:58 - When I talk about users, that could mean end users sending
00:02:02 - traffic through the system.
00:02:03 - And it also could refer to administrators.
00:02:05 - That's always been a pet peeve of mine.
00:02:06 - It's like, they talk about users and I'm thinking I'm
00:02:09 - never going to let a user manage my box.
00:02:11 - So a user could represent an administrator.
00:02:14 - So I'll be more clear.
00:02:15 - So let's say we have Bob, who is an
00:02:17 - administrator, and we have Lois.
00:02:18 - And we have Jennifer.
00:02:21 - And we have some other people.
00:02:23 - They're all administrators.
00:02:24 - So what we could do is we could use centralized
00:02:26 - database, and keep all of their user names and their
00:02:29 - passwords on a centralized server.
00:02:32 - This guy's a mail server.
00:02:33 - So we'll just say, for a moment, he's just going to be
00:02:35 - centralize server.
00:02:36 - So we keep Bob's user name, Lois's username, and
00:02:38 - Jennifer's user name all there along with their passwords.
00:02:42 - And here's the play by play.
00:02:44 - Now, we tell the router, dear Mr. Router, you have just lost
00:02:48 - some responsibility.
00:02:50 - What we want you to do now is that if somebody tries to
00:02:53 - connect and login, whether it's on the VTY lines, the
00:02:56 - console port, or the auxiliary port, instead of using the
00:02:59 - default method of saying use the local database, we want
00:03:03 - you to instead use a AAA server.
00:03:06 - So this centralized database is an example of a AAA server
00:03:10 - that has Bob, and Lois, and Jennifer, all the
00:03:12 - administrators names, in that database and their passwords.
00:03:15 - So Bob, Lois, or Jennifer tries to login.
00:03:18 - The router says hold on a nanosecond.
00:03:20 - It sends that request up to the AAA server and says, hey,
00:03:23 - AAA server.
00:03:24 - I got somebody who wants to login.
00:03:26 - I'm so excited.
00:03:27 - Their name is Bob.
00:03:28 - The password is Cisco.
00:03:30 - Is it right?
00:03:31 - Is it good?
00:03:32 - Is it accurate?
00:03:33 - And the AAA server is going to send a message back saying
00:03:36 - pass or fail.
00:03:39 - That's if it's reachable.
00:03:40 - Now if the AAA server's not reachable, the router has got
00:03:43 - to make another decision.
00:03:44 - But as long as the server's reachable, they'll get a pass
00:03:47 - or fail message.
00:03:48 - If it's a pass, the router says, Bob, come on in and
00:03:51 - gives him the exec shell.
00:03:52 - Now, that's assuming that we're not also doing
00:03:54 - authorization.
00:03:55 - So for just the authentication piece, that's how we would do
00:03:58 - the authentication.
00:03:59 - Have a centralized server.
00:04:00 - And now, check this out.
00:04:02 - Now if we have 200 other routers out here, we can all
00:04:06 - have them talking with that AAA server, as well, so that
00:04:10 - we only have to manage Bob's user name and password in one
00:04:13 - place on the centralized AAA server.
00:04:16 - That's how it works.
00:04:16 - Now, for fault tolerance, what are we going to
00:04:18 - do in the real world?
00:04:20 - For fault tolerance, we're going to have a couple of
00:04:22 - these servers.
00:04:23 - And they're going to be replicating so that if any
00:04:25 - single server fails we're not going to be locked out of our
00:04:28 - entire network.
00:04:29 - But that's the concept of extending our AAA beyond the
00:04:34 - single router.
00:04:35 - So let's you and I chat about how this is going to happen.
00:04:38 - It's, actually, really easy to set up.
00:04:41 - And it makes a lot of sense.
00:04:43 - And let me walk you through the piece of doing it.
00:04:45 - If we want two devices to communicate with each other,
00:04:48 - here is the laundry list of stuff we would have to do.
00:04:51 - Number one, we need to create some user
00:04:53 - accounts on this AAA server.
00:04:59 - And I'm calling it a AAA server, and we should pause
00:05:01 - there for a moment.
00:05:02 - Now, AAA from a previous Nugget, or this one too, is
00:05:05 - authentication, authorization, and accounting.
00:05:08 - So when we create users on this server we could also
00:05:12 - create their passwords, of course.
00:05:13 - But we could also specify what they're authorized to do.
00:05:17 - So we could specify that they're authorized to get an
00:05:19 - exec shell.
00:05:20 - They're authorized to be at privilege level 15.
00:05:23 - They're authorized to go ahead and issue the command
00:05:25 - configure space terminal.
00:05:27 - We can control all of that up here.
00:05:29 - And what the router could do is it can, simply, ask every
00:05:31 - time a customer makes a move-- a user like Bob--
00:05:35 - the router could say, oh, he's logged in.
00:05:37 - And now he wants to type in config T. Is that allowed?
00:05:40 - And the AAA server says yes or no based on the policy that's
00:05:44 - all on this centralized AAA server.
00:05:46 - Now, this AAA server could have lots of different names.
00:05:49 - And then explain why that is.
00:05:51 - The communication.
00:05:53 - Right here.
00:05:53 - This communication between this client because this
00:05:57 - router is acting as a client to this AAA server.
00:06:00 - Are you with me?
00:06:02 - So we might think the user is Bob out here trying to log in.
00:06:05 - But from a AAA perspective, the client is the router who's
00:06:10 - making requests to the AAA server.
00:06:12 - AAA server is responding back to the client, the router,
00:06:15 - saying yes or no.
00:06:16 - We're getting passwords and so forth.
00:06:18 - This language of love, right here, can be done with a
00:06:21 - couple different protocols.
00:06:23 - The language of love.
00:06:24 - The protocols.
00:06:24 - The rules in place could be done with a couple different
00:06:27 - sets of rules.
00:06:28 - One is called RADIUS.
00:06:30 - And the other is called TACACS.
00:06:33 - So whenever you see those terms, I want you to think
00:06:36 - we're talking about the dialogue and the conversation
00:06:40 - right here between the AAA server and its client, which,
00:06:44 - in this case, is R1.
00:06:45 - Which one's the best to use?
00:06:47 - Let's talk about that for a moment.
00:06:49 - As far as which one we should implement--
00:06:52 - the actual acronyms too, which is what both of these are, we
00:06:55 - should also possibly talk about that for just a moment.
00:06:57 - Radius stands for the Remote Authentication
00:07:02 - Dial in Users Service.
00:07:05 - Effectively, what is it?
00:07:06 - It's a protocol to talk between a AAA
00:07:08 - server and a client.
00:07:10 - In this case, a router.
00:07:11 - The TACACS, what that stands for is the Terminal Access
00:07:16 - Controller Access Control System.
00:07:21 - No wonder they just call it TACACS.
00:07:23 - Now, there's been several flavors of TACACS.
00:07:26 - There was an X flavor, and there was the normal TACACS.
00:07:29 - There's TACACS+.
00:07:31 - Today, the only current standard is TACACS+, as far as
00:07:34 - that protocol goes.
00:07:35 - So we don't, usually, say the plus at the end.
00:07:37 - We just call it by its acronym.
00:07:39 - TACACS.
00:07:40 - So say it like this T-A-C-K-AXE.
00:07:46 - So that's how it's pronounced.
00:07:47 - TACACS.
00:07:48 - And then RADIUS, you pronounce it RADIUS.
00:07:49 - I don't have a short way of spelling that.
00:07:51 - But we call them by the acronyms because it's too
00:07:53 - painful to spell out the whole process.
00:07:55 - So which language of love are we going to use between the
00:07:58 - two devices?
00:08:00 - Now, before we jump in and say, let's use RADIUS or let's
00:08:03 - use TACACS.
00:08:04 - Let's take a look at the pros and cons and how they operate.
00:08:07 - I put here for you what I think are the most critical
00:08:11 - things that you deserve to know about the differences
00:08:13 - between these two protocols, which can both be used between
00:08:17 - the AAA server and the router itself.
00:08:19 - And let's take a look at RADIUS first.
00:08:21 - RADIUS is an open standard.
00:08:23 - I'm going to start with that one.
00:08:24 - It's open standard meaning that any vendor can use it.
00:08:28 - Meaning it's open, it's public, and there's lots of
00:08:31 - vendors who support it.
00:08:32 - So if we have a non-Cisco network and they're using
00:08:35 - centralized authentication services for remote access
00:08:39 - users, and users going through the network, and
00:08:41 - authenticating administrators, it's very likely to be using
00:08:43 - RADIUS between the network devices and the AAA server.
00:08:46 - In that case, it would be a RADIUS server.
00:08:48 - In fact, let's go ahead and write out the names for this
00:08:51 - server right here.
00:08:52 - This is fun because this device right here, this
00:08:54 - server, could be called the AAA server.
00:08:57 - No problem.
00:08:58 - It could be called a RADIUS server.
00:09:01 - Now, why would we call it RADIUS server?
00:09:03 - It could be called a RADIUS server because the way they
00:09:06 - have it set up, the customer, is they have their routers
00:09:09 - communicating with the authentication
00:09:11 - server using RADIUS.
00:09:13 - So they may call it a RADIUS server.
00:09:15 - They also could call it an authentication server.
00:09:19 - That's another option.
00:09:20 - That's quite valid.
00:09:21 - And that's perfectly OK.
00:09:23 - So RADIUS uses an open standard.
00:09:25 - Anybody can use it.
00:09:26 - Anybody can write to it, program it, et cetera.
00:09:28 - It encrypts only the passwords, which is a little
00:09:30 - bit of a bummer.
00:09:32 - So let's say that Bob is here, and Bob wants to authenticate.
00:09:36 - The actual conversation between R1 and the AAA server
00:09:40 - is going to be in plain text, except for
00:09:43 - the passwords involved.
00:09:44 - So Bob's password is protected.
00:09:46 - The passwords that allow these guys to
00:09:48 - communicate are protected.
00:09:50 - But everything else is in clear text.
00:09:51 - So it's a little less secure.
00:09:53 - However, not a huge deal because the
00:09:55 - passwords are encrypted.
00:09:56 - And then, finally, RADIUS uses UDP as its layer four
00:10:00 - transport protocol.
00:10:01 - Now, why is that important?
00:10:02 - It's important because if you have firewalls or other
00:10:04 - filtering devices in place, you need to make sure you
00:10:07 - allow the correct layer four transport protocol and the
00:10:10 - correct ports.
00:10:11 - So originally, a long, long time ago in a galaxy far away,
00:10:16 - we used these ports.
00:10:17 - 1645 for the authentication function.
00:10:19 - And 1646 if R1 was going to send accounting records up to
00:10:23 - that server.
00:10:24 - Now, the current standard is 1812 for authentication
00:10:28 - and 1813 for accounting.
00:10:30 - Which one is yours going to use?
00:10:32 - It depends on how it was implemented.
00:10:34 - So I would just be aware that those are both possibilities
00:10:37 - for UDP ports used by RADIUS.
00:10:39 - Now, on the other side of the house, in this
00:10:41 - column, we have TACACS.
00:10:43 - And TACACS, first of all, is proprietary to Cisco.
00:10:46 - They wrote it.
00:10:47 - And there are some open TACACS services out there.
00:10:50 - I've seen them.
00:10:51 - You can download them, and they're open source and free.
00:10:54 - But they're using a TACACS proprietary protocol to do it.
00:10:57 - Most of the time, if people are using TACACS, they've got
00:11:01 - a AAA server called an ACS server.
00:11:05 - Wow.
00:11:06 - Another acronym for it.
00:11:07 - Now, what does ACS stand for?
00:11:09 - That's the Cisco secure ACS.
00:11:12 - Their Access Control Server.
00:11:14 - It's a product that Cisco sells.
00:11:16 - And it comes in several flavors.
00:11:18 - So this box, this ACS server from Cisco, it could be a
00:11:21 - physical box.
00:11:22 - And a long time ago, they used to sell it where you could
00:11:25 - install it on top of Windows.
00:11:27 - So you have a Windows server.
00:11:28 - You install the ACS software on top of it.
00:11:31 - They now sell it as an appliance.
00:11:33 - So you can install it in a virtualized environment, which
00:11:36 - is what I'm going to be demonstrating today.
00:11:38 - So you can have, for example, ESXi, VMware, and run it as an
00:11:42 - appliance virtually, which is fantastic.
00:11:45 - And what are the other options?
00:11:47 - There's also an engine, which is an
00:11:49 - appliance that you plug in.
00:11:50 - It's like a headless horseman.
00:11:52 - And there's also another guy coming out, and that's ISE.
00:11:57 - And that's making a lot of headway.
00:11:58 - ISE stands for the Identity Services Engine.
00:12:03 - And it has a lot of similar functionalities to ACS.
00:12:06 - It does communicate with RADIUS.
00:12:08 - And the purpose is for authentication.
00:12:10 - And it could do profiling of the client and it supports
00:12:13 - 802.1X and a whole bunch of other really cool features.
00:12:16 - ISE, if you see that, that's how it's pronounced.
00:12:18 - I know it says ISE for Identity Services Engine.
00:12:21 - But if you ever hear about ISE, it's, simply, another
00:12:23 - product that fits in that area of a centralized server for
00:12:28 - controlling access into the network.
00:12:30 - TACACS.
00:12:31 - If it's a Cisco implementation we might go ahead.
00:12:34 - If you're using ACS, we might use TACACS.
00:12:36 - And TACACS, one of the benefits is it does encrypt
00:12:39 - the full payload.
00:12:40 - It doesn't encrypt the headers because packets need to be
00:12:42 - forwarded on a network.
00:12:44 - But the actual payload, the conversation of what's really
00:12:46 - happening between the AAA server and the router, is all
00:12:49 - being encrypted, which is cool.
00:12:51 - And it uses TCP port 49 at layer four.
00:12:55 - So that's what I would recommend.
00:12:57 - Maybe even take a moment, right now, and I would have
00:13:00 - you write out this table just so you know the differences
00:13:02 - and can see them.
00:13:03 - And while you're writing that out-- get a piece of paper
00:13:06 - or a notepad.
00:13:07 - And don't just screenshot it.
00:13:10 - You can do a screenshot, but that won't help
00:13:11 - you remember it.
00:13:12 - I want you to, actually, write it down.
00:13:14 - You'll be grateful you did.
00:13:15 - A couple of observations I also wanted to point out with
00:13:18 - you is that RADIUS, kind of, groups its shots.
00:13:21 - What do you mean, groups its shots?
00:13:22 - It's less granular for authorization control.
00:13:26 - With RADIUS, let's say this is a AAA server and the language
00:13:29 - of love that we've chosen to use between our AAA client,
00:13:32 - right here, R1.
00:13:33 - And the AAA server is RADIUS.
00:13:35 - So we'll circle that column for a moment.
00:13:37 - If we want to do authorization, it's, kind of,
00:13:39 - bundled into the authentication process.
00:13:43 - So Bob is here.
00:13:44 - Bob says I want to authenticate and get access to
00:13:47 - the network.
00:13:48 - The authentication request and authorization request, if
00:13:51 - there is one, are bundled together in the same session,
00:13:55 - if you will, up to the AAA server.
00:13:57 - If the AAA service says, yes, he can login.
00:13:59 - He's authorized.
00:14:00 - Access is granted and it's done.
00:14:02 - As far as continued authorization, it doesn't have
00:14:04 - a really granular control ability to check.
00:14:07 - It does have granular accounting.
00:14:08 - It's amazing at accounting.
00:14:10 - So how does that compare with TACACS.
00:14:13 - Let's clear the screen.
00:14:14 - And let's give you an example of the same user,
00:14:16 - Bob, logging in.
00:14:17 - This time, we'll go ahead and we'll use TACACS as the
00:14:20 - language of love between our AAA server and the actual
00:14:23 - client, R1.
00:14:24 - With TACACS, of course, the entire session is encrypted.
00:14:27 - It's using TCP.
00:14:28 - And it has separate control for authorization.
00:14:33 - It would go like this.
00:14:34 - Bob wants to login.
00:14:35 - He wants to authenticate.
00:14:36 - The router's been trained to use a AAA server for
00:14:39 - authentication.
00:14:40 - So it says, can he authenticate?
00:14:42 - Does he have the right user name and password?
00:14:45 - And the AAA server, hopefully, says yes.
00:14:47 - So that's the first A of AAA.
00:14:50 - This is optional but if the router has been configured to
00:14:53 - check for authorization of commands.
00:14:56 - What do you mean, Keith, commands?
00:14:57 - Every time Bob, as an administrator, if he's going
00:15:00 - into configuration mode, every command he types, if you want
00:15:04 - the router to check with the AAA server before allowing
00:15:07 - that to happen you can do that.
00:15:09 - And that's where the granular control comes in.
00:15:11 - So with TACACS, we could tell the router.
00:15:13 - We could do a default authorization method list for
00:15:16 - all commands at level 15.
00:15:18 - And for any level 15 command, the router would say, oh, before
00:15:21 - I let him execute this command, I better check with
00:15:23 - the AAA server.
00:15:25 - And the reply comes back yes or no.
00:15:27 - So it's this part right here, this blue area, which is the
00:15:30 - separated authorization, which gives very, very granular
00:15:34 - control that RADIUS doesn't have built into it.
00:15:37 - So RADIUS lumps the authentication
00:15:38 - authorization together.
00:15:40 - And TACACS can let them be very, very
00:15:43 - granular and separate.
00:15:44 - If we want to do accounting--
00:15:47 - let me get a different color there.
00:15:48 - If you want to do accounting in a different color, we can
00:15:50 - send accounting records up saying Bob did this.
00:15:52 - Bob did that.
00:15:53 - So accounting, they can both do a fine job.
00:15:55 - The opinion of the world is that RADIUS, somehow, does a
00:15:58 - better job with accounting.
00:16:00 - More detailed so that's fine.
00:16:02 - We can believe that.
00:16:03 - And we can also answer that way, if we're asked, in a
00:16:07 - small room.
00:16:08 - But for the purpose of actual granular authorization,
00:16:11 - command by command by command is TACACS.
00:16:14 - So what does this all boil down to.
00:16:16 - Let's take a look at what it boils down to.
00:16:17 - It boils down to the fact that we can use TACACS or RADIUS
00:16:20 - between the router and the AAA server.
00:16:23 - In most implementations, it's going to go
00:16:25 - something like this.
00:16:26 - For end users, let's say you have an
00:16:28 - end user on the internet.
00:16:30 - So here is Sally.
00:16:32 - She's at her home in some state, some city, and some
00:16:35 - location in the world.
00:16:36 - And she wants to build a VPN tunnel into corporate
00:16:39 - headquarters.
00:16:40 - So maybe her firewall is also the VPN head end device for
00:16:44 - that VPN tunnel.
00:16:45 - And we'll have a whole Nugget on that coming up.
00:16:47 - So that's part of this course.
00:16:48 - So Sally wants to build a VPN tunnel coming in.
00:16:51 - And we want to validate, we want to authenticate, Sally.
00:16:55 - So it's very likely that we might use RADIUS.
00:16:58 - Make the firewall a RADIUS client, and have him use
00:17:01 - RADIUS to authenticate Sally.
00:17:03 - And that's the normal fare, by the way.
00:17:06 - RADIUS is, typically, used to authenticate end users before
00:17:10 - allowing them access in the network.
00:17:11 - However, let's take another user.
00:17:13 - And let's take us.
00:17:14 - So you and I, we're sitting at this PC, right here.
00:17:16 - And we want to SSH.
00:17:18 - We're not like Sally.
00:17:19 - We don't want network access through the network.
00:17:21 - We want a command line interface.
00:17:23 - It's very likely for authenticating SSH.
00:17:26 - If we have an ACS server, we are, very likely, using TACACS
00:17:30 - for that purpose.
00:17:31 - Why?
00:17:31 - Why TACACS here and RADIUS there?
00:17:34 - Well, TACACS has that more granular control.
00:17:37 - So if you want to lock down your network and make sure
00:17:40 - that every command that's issued by us, as the
00:17:43 - administrators, is checked with a AAA server, command by
00:17:46 - command, before those commands are allowed to be executed on
00:17:48 - the router, the TACACS has that granular control.
00:17:52 - So typically, you'll see TACACS for authenticating and
00:17:55 - authorizing administrators.
00:17:57 - And RADIUS used for authenticating and allowing
00:18:00 - access to end users who are going through the network,
00:18:03 - like Sally, authenticating the VPN.
00:18:06 - Now, can you use both?
00:18:06 - The answer is absolutely yes.
00:18:09 - So this router could be a--
00:18:11 - I'll put green here--
00:18:13 - TACACS client.
00:18:20 - I said that backwards.
00:18:22 - So it could be a RADIUS client or a TACACS
00:18:24 - client at the same time.
00:18:25 - It could, actually, have two sessions.
00:18:27 - And it can be trained with a method list saying, I want to
00:18:31 - authenticate network access for end users using RADIUS.
00:18:35 - And I want to authenticate login access using TACACS.
00:18:40 - And that's perfectly agreeable to the system.
00:18:43 - And you'll see that all the time, as well, in practical
00:18:46 - applications.
00:18:47 - All right, so that's what we've done as far as taking a
00:18:49 - look at extending our authentication beyond a single
00:18:53 - local database on a local router.
00:18:56 - We've also taken a look at the comparison
00:18:58 - between TACACS and RADIUS.
00:19:02 - I don't know why I say TACACS first.
00:19:04 - Just a Freudian slip there.
00:19:05 - But RADIUS is open standard.
00:19:07 - TACACS is proprietary.
00:19:08 - What is left for us to do?
00:19:10 - Well, the only thing left for us to do is to implement this.
00:19:13 - So here's what we're going to do together.
00:19:15 - You and I are going to take this router, R1, and we're
00:19:18 - going to have it work in combination with a AAA server.
00:19:22 - So what I've done is I've neutered R1.
00:19:25 - That means I took all the security off of him.
00:19:28 - Why?
00:19:28 - Here's what I want to do.
00:19:29 - I want to show you the commands, step by step, that
00:19:32 - I'm going to do on this router as if you're doing it from
00:19:35 - scratch yourself.
00:19:37 - And that way, you can take a greenfield environment--
00:19:40 - basic IP addresses, routing working--
00:19:42 - implement these commands, and get the same results.
00:19:45 - I also want to point out there's a lot
00:19:47 - of open RADIUS servers.
00:19:51 - And there's also some open TACACS servers.
00:19:55 - So if you want to get those and install them on a Linux
00:19:58 - box, or a Unix box, or whatever platform they're on,
00:20:02 - you don't have to have an official
00:20:04 - ACS server from Cisco.
00:20:06 - You can still use RADIUS or TACACS on an open source box
00:20:10 - and still practice the commands
00:20:11 - with your local router.
00:20:14 - Abraham Lincoln said--
00:20:15 - I believe it was Abraham Lincoln--
00:20:16 - that if we had eight hours to cut down a tree, we should
00:20:19 - spend, at least, six hours sharpening the axe to be more
00:20:23 - effective at it.
00:20:24 - Well, the same thing is true with network and planning.
00:20:26 - If we're going to set up AAA services, we want to do a
00:20:29 - couple of things, planning wise, first before we start
00:20:32 - clicking on icons and putting commands in the router.
00:20:35 - So the first thing we're going to do as a safety net is we're
00:20:38 - going to create a local user on R1.
00:20:46 - And we're going to give that local user
00:20:47 - privilege level 15 access.
00:20:49 - Well, Keith, I thought we were moving away from the whole
00:20:52 - local database.
00:20:53 - We're doing centralized now.
00:20:54 - Well, as a fail safe, we want to make sure that we have, at
00:20:57 - least, one account locally so that if a AAA server is not
00:21:00 - reachable, or something bad happens on the network, we can
00:21:03 - still login.
00:21:04 - Like, at the console, it might be really important to do so.
00:21:07 - So we're going to create a local user.
00:21:09 - And we're going to enable AAA, if it hasn't been already.
00:21:16 - We're going to specify our method lists.
00:21:21 - And for this example, let's just do authentication.
00:21:29 - I'm going to ask you a question.
00:21:30 - Do you remember the name of the method list that, if we
00:21:33 - put it in place, applies to all the logins?
00:21:36 - So what is the login method list called that, once it's
00:21:40 - applied, applies to all the points where we could login?
00:21:43 - VTY lines.
00:21:44 - Console.
00:21:45 - Auxiliary.
00:21:46 - Do you remember the name, the special name,
00:21:48 - of the method list?
00:21:51 - It is default.
00:21:54 - So if we have an authentication method list
00:21:57 - named default, basically, all the VTY lines, all the console
00:22:01 - ports, all the auxiliary ports, and anywhere somebody
00:22:03 - could do a login, they would follow the rules of that
00:22:07 - method list.
00:22:07 - So on our default method list we're going
00:22:09 - to specify two methods.
00:22:11 - We're going to specify a TACACS server or a group of
00:22:17 - TACACS servers.
00:22:18 - And then that will be our first option.
00:22:20 - And then we'll specify the local database.
00:22:23 - So here's what will happen.
00:22:26 - If Bob tries to authenticate to the router, the router's
00:22:30 - going to go, oh, I need to check with a TACACS server.
00:22:33 - Oh, there's not one configured.
00:22:35 - Or if there is one configured, he's not responding.
00:22:37 - And then it will fall back to the local database.
00:22:40 - And if the user name, Bob, is in the local database, or
00:22:43 - admin, or whoever he's logging in as, he can authenticate.
00:22:46 - We could also do this.
00:22:47 - We can make a third option.
00:22:48 - And that third option could be enable.
00:22:52 - Now, what does that mean?
00:22:53 - Well, that means that if a TACACS server is not
00:22:56 - reachable, no response, and the user logging in doesn't
00:23:00 - have an entry in the local database,
00:23:03 - there's no user account.
00:23:04 - It's not that there is a user account named Bob, and he has
00:23:06 - the wrong password.
00:23:07 - There's no Bob in the local database.
00:23:09 - Then it will default to the enable secret.
00:23:12 - At which point, it would prompt you for the password.
00:23:14 - So Bob would connect, initially.
00:23:16 - Bob would have a bogus user name that wasn't
00:23:18 - in the local database.
00:23:20 - And then it would fail.
00:23:21 - And then it would just ask us for a password.
00:23:24 - And that would be the enable secret.
00:23:25 - So this could be our method list as a fallback.
00:23:28 - Or we might want to say even we could do four.
00:23:31 - I guess we'd say none.
00:23:33 - If there's no enable secret, the default
00:23:35 - method would go to none.
00:23:36 - But that's not a good idea.
00:23:38 - Saying none for an authentication method
00:23:40 - isn't a good idea.
00:23:41 - So we'll do these steps.
00:23:43 - We'll create the local user, enable AAA, separate method
00:23:46 - list, and we're also going to specify at
00:23:48 - least one AAA server.
00:23:50 - So we will tell R1 about the IP address of a AAA server so
00:23:55 - that when the AAA server is configured, which is our next
00:23:57 - step, it'll be able to go ahead and communicate and
00:24:00 - respond and do authentication with it.
00:24:02 - So that's our plan.
00:24:03 - Step by step.
00:24:04 - Inch by inch.
00:24:05 - Life's a cinch.
00:24:06 - Let's go ahead and, first, take a look at R1, create our
00:24:09 - local user, enable AAA, and set up our method lists.
00:24:13 - So let's bring in our router.
00:24:14 - He's about to get a makeover with security with AAA.
00:24:17 - What I did on this router is I wiped it out as far as any of
00:24:21 - the previous security measures we had taken with AAA because
00:24:24 - I wanted to give you the ability to see it all step by
00:24:26 - step by step on a brand new device.
00:24:28 - So on this device, the very first thing we're going to go
00:24:30 - ahead and do is in privileged mode, privilege level 15,
00:24:34 - we'll get into configuration mode.
00:24:36 - And then we'll create a local user account.
00:24:37 - Why?
00:24:38 - Because if all else fails,--
00:24:40 - we can't reach an external AAA server, we have a password
00:24:43 - configured incorrectly, what have you-- we want to have a
00:24:46 - method in our method list that says use the local database.
00:24:50 - And we want to make sure we have a local user that has
00:24:52 - privilege level 15 access.
00:24:54 - So I'll only create two users.
00:24:55 - One for admin with privilege level 15.
00:24:58 - And one for Bob at privilege level one.
00:25:01 - Because we use the secret keyword, both of those are stored
00:25:04 - as the MD5 digest, and they're secret.
00:25:07 - They're kept that way.
00:25:08 - Next, we want to make sure we have an enable secret.
00:25:10 - And we also want to enable AAA.
00:25:13 - Well, the next thing we want to do is I want to tell this
00:25:15 - router, hey, guess what?
00:25:17 - Dear Mr. Router, there's a TACACS server available.
00:25:20 - Let's take a look.
00:25:21 - So if this router's on the 192.168.0 network and the 10.3
00:25:25 - and the 10.2 and the 10.1, I've
00:25:28 - also got another network.
00:25:29 - It's, actually, off of this firewall.
00:25:32 - It's like on a little sub network.
00:25:33 - That's the 192.168.1 subnet.
00:25:36 - And that happens to be where the TACACS server is.
00:25:40 - So I'm going to tell this router that if it ever needs
00:25:43 - to talk to TACACS server for any reason,--
00:25:45 - he doesn't have any good reasons yet to do it--
00:25:48 - I want to give him the IP address of that TACACS server.
00:25:51 - So that's our next task.
00:25:53 - It is to say, for a TACACS server, there's a host at
00:25:57 - 192.168.1.252.
00:25:59 - What we also might want to do is verify that we can ping
00:26:03 - that host just to make sure we have basic
00:26:05 - connectivity in place.
00:26:07 - So let's do a do ping of 192.168.1.252.
00:26:14 - And hopefully, we have connectivity.
00:26:16 - Good.
00:26:17 - We do.
00:26:17 - So one of those got eaten by ARP, which is normal.
00:26:20 - And then the rest of them made it.
00:26:21 - That's fantastic.
00:26:22 - We also need to tell the router what the password is
00:26:26 - that it should use to encrypt the entire session with that
00:26:30 - TACACS server.
00:26:31 - So we're going to specify TACACS server key.
00:26:34 - I'm going to use a key of Cisco 1, 2, 3.
00:26:37 - When we configure the TACACS server to respond to this
00:26:40 - router, we'll have to configure the same keys so
00:26:42 - they can successfully communicate with each other.
00:26:45 - So far we've enabled AAA.
00:26:47 - But what we haven't done is specify a default
00:26:51 - method yet.
00:26:53 - So if we want to specify default method, let's do this.
00:26:55 - Let's tell this router that the default authentication
00:26:59 - method for character mode login--
00:27:02 - we want it to be, first, one of the
00:27:04 - group of TACACS servers.
00:27:06 - Currently, we have a group of one.
00:27:07 - That's OK.
00:27:08 - And if we can't reach a TACACS server successfully, go ahead
00:27:12 - and use the local database.
00:27:13 - Because the TACACS server is not online yet and it's not
00:27:16 - fully configured yet, we definitely want to have that
00:27:19 - fall back to the local database in our default method
00:27:22 - list so that we can still log on as a local user
00:27:25 - administrator.
00:27:27 - So we'll do that right now.
00:27:28 - And you might also notice that, as I do this, there's no
00:27:32 - clicking of the keyboard.
00:27:33 - I have a lot of this pre done because I want to make it
00:27:35 - available for you in the Nugget lab area.
00:27:38 - So for this video, for video three, using AAA with RADIUS,
00:27:44 - there's a Nugget lab file that is going to contain all the
00:27:49 - commands that I'm implementing here.
00:27:50 - So you can download that, review it, and make sure
00:27:53 - you're comfortable with them.
00:27:55 - Because that applies to the VTY lines, the console, the
00:27:59 - auxiliary port and anywhere that we can get a login access
00:28:02 - for authentication that's going to apply.
00:28:04 - Let's create a custom method list that we can create and
00:28:07 - apply, if we want to, to an individual console or
00:28:11 - individual VTY line just so you get a feel
00:28:14 - for the whole picture.
00:28:15 - So we'll create a custom authentication method list for
00:28:19 - character mode login.
00:28:21 - And I'm going to call it free bird.
00:28:23 - My good friend Kevin Wallace did a quality of service and
00:28:28 - he used the term free bird in it regarding how long it would
00:28:31 - take with or without quality service.
00:28:33 - And I still think of him, to this day, whenever I
00:28:34 - think of free bird.
00:28:35 - But this method list called free bird says, if this method
00:28:39 - list is used, no authentication is required.
00:28:43 - So I'll tell you why we're going to use that.
00:28:45 - Let's use that on line console zero.
00:28:48 - Why?
00:28:49 - Because if we apply that to line console zero, then I
00:28:53 - won't have to go ahead and authenticate when I connect to
00:28:56 - the console.
00:28:57 - It will make it a lot easier for me.
00:28:58 - For security, not that great.
00:29:00 - We might want to leave the default in place.
00:29:02 - But to demonstrate applying a specific method list, we're
00:29:06 - going to line console zero.
00:29:08 - We're saying login authentication free bird.
00:29:10 - And guess what?
00:29:11 - Now, as we connect to the console, it will look for the
00:29:14 - method list and say, oh, no authentication required.
00:29:17 - Just come in because the method list is there.
00:29:20 - In fact, we could demonstrate that and we will.
00:29:23 - Let me finish the config, and we'll demonstrate
00:29:25 - all of these together.
00:29:26 - All right.
00:29:27 - Next, just for fun, let's go ahead and set up a couple of
00:29:31 - authorization method lists just for grins.
00:29:35 - Now, authorization is optional.
00:29:38 - So once you've authenticated somebody, if you want to
00:29:40 - additionally ask the router to perform authorization for that
00:29:43 - individual, we can authorize lots of different things.
00:29:46 - We can authorize exec shells.
00:29:49 - We could authorize people who are trying to go into
00:29:51 - privilege mode.
00:29:52 - We could authorize commands at privilege level one or
00:29:56 - privilege level 15.
00:29:57 - You can authorize, virtually, anything.
00:30:00 - And authorization means this.
00:30:01 - If you're telling the router authorization is required, the
00:30:05 - router won't let that happen until the authorization gets
00:30:09 - the two thumbs up saying, yes, that's OK to happen.
00:30:12 - So this first authorization method list says any commands
00:30:16 - at privilege level one, use a TACACS server.
00:30:19 - And if your TACACS server is not reachable, check with the
00:30:21 - local database for a valid user.
00:30:23 - And the second method says any commands at level 15 should be
00:30:28 - checked against a TACACS server.
00:30:30 - And if one can't be reached, check the local database.
00:30:32 - So these names right here--
00:30:34 - instead of using the keyword default, I use this name.
00:30:37 - And that's what makes this a custom method list.
00:30:40 - What are the two methods in this list?
00:30:42 - It says use a group of TACACS server.
00:30:44 - That's the first method.
00:30:45 - And if that's not reachable, go ahead and
00:30:47 - use the local database.
00:30:48 - And there's a similar functionality for the commands
00:30:50 - at level 15.
00:30:51 - It's amazing.
00:30:52 - Behind the scenes, the routers keeping track of all the
00:30:54 - commands that are being issued and what level they're at.
00:30:56 - And this, these authorization lists, they are
00:30:59 - not in place yet.
00:31:00 - They're not enforced yet.
00:31:02 - They're, simply, authorization lists that are sitting in
00:31:04 - global config.
00:31:05 - But they would need to be applied to be worth
00:31:08 - something and used.
00:31:09 - Actually, before we apply them, let's create a couple of
00:31:12 - accounting method lists as well.
00:31:14 - It's the same exact concept.
00:31:16 - We're going to create a method list for accounting records.
00:31:20 - We're going to specify what should be accounted for.
00:31:24 - And then we'll specify where to go ahead and send them.
00:31:27 - For accounting, it doesn't make sense to send it to the
00:31:29 - local database because there's no accounting server there.
00:31:32 - However, if you do have a TACACS server or a RADIUS
00:31:35 - server, you could, certainly, send your accounting records
00:31:37 - up to the TACACS or RADIUS server that you had already
00:31:40 - gotten defined.
00:31:41 - So this one right here also, this command in the middle, is
00:31:45 - an interesting one that, by default, even if you're doing
00:31:48 - command authorization, if somebody goes into
00:31:51 - configuration mode, by default, the router stops
00:31:54 - checking for authorization.
00:31:56 - By issuing that highlighted command, it also
00:31:59 - says, oh, by the way.
00:32:00 - Even though this user is in configuration mode, still keep
00:32:03 - checking to see if router rip is OK, or OSPF is OK, or
00:32:06 - anything else they might issue in configuration mode.
00:32:09 - So that one in yellow is, kind of, like a little gotcha.
00:32:12 - A lot of times people say, I want to authorize every single
00:32:15 - command everywhere on the router.
00:32:17 - And then they don't include that.
00:32:19 - And once the guy gets into configuration mode, they
00:32:21 - wonder why their accounting records stop or their
00:32:23 - authorization records stop.
00:32:24 - And that command needs to be there for the tap in.
00:32:27 - So the accounting records, the accounting method list, says I
00:32:31 - want to do accounting on commands at
00:32:33 - privilege level one.
00:32:34 - And here's this method list called TACACT1.
00:32:37 - I just made it.
00:32:38 - I want to account for when they started, when they
00:32:40 - stopped, and I want to go ahead and send
00:32:42 - it to a TACACS server.
00:32:44 - So if there's a TACACS server configured and working, it'll
00:32:47 - send all the commands that are being issued at privilege
00:32:50 - level one and privilege level 15 if this
00:32:54 - method list is applied.
00:32:56 - So any custom method list is not applied by default.
00:32:59 - So we're going to fix that right now.
00:33:01 - We're going to take our method list, our custom ones for
00:33:04 - authorization and our method list for accounting, and let's
00:33:08 - go ahead and apply them to actually put them to work.
00:33:10 - To apply them means to apply them to a logical place where
00:33:14 - somebody would try to authenticate.
00:33:16 - So we're going to apply these, as an
00:33:18 - example, to the VTY lines.
00:33:20 - So we'll go to VTY lines zero through four.
00:33:23 - And we'll say authorization for commands at level one.
00:33:27 - Authorization for commands at level 15.
00:33:30 - Use your respective method lists.
00:33:33 - For you who are brand new to AAA, in this video Nugget that
00:33:39 - we're doing together, right now, I'm showing you a large
00:33:43 - portion of all the pieces.
00:33:44 - How they fit together.
00:33:45 - The basic concepts are, however, that AAA new model
00:33:49 - says I have a new paradigm of how to control authentication,
00:33:54 - authorization, and accounting.
00:33:56 - We can use default method lists for authentication,
00:33:59 - authorization, and accounting, which apply everywhere.
00:34:02 - Or we can create custom method lists and apply them, as we
00:34:06 - are, right here for various aspects to control
00:34:09 - access on that line.
00:34:11 - Case in point.
00:34:12 - Somebody tries to telnet in right now on a VTY line.
00:34:16 - Because they're coming in on the VTY line, they're going to be
00:34:19 - subject to the default authentication method list,
00:34:21 - which applies everywhere.
00:34:22 - And they're going to be subject to this custom method
00:34:26 - list for authorization at commands at level one
00:34:30 - and commands at level 15.
00:34:31 - As well as, accounting for commands at level one and 15.
00:34:34 - On the console we have a custom
00:34:37 - method list saying none.
00:34:39 - So no authentication and no authorizations happening
00:34:42 - there, whatsoever.
00:34:43 - And let's demonstrate this.
00:34:44 - In fact, let's do this.
00:34:49 - Now, a trick here is I'm not going to leave the router.
00:34:51 - I'm going to telnet in to myself because if something
00:34:54 - goes terribly bad I don't want to completely lock myself out.
00:34:58 - So instead of logging all the way out, let's
00:34:59 - do a telnet to 10.1.0.1.
00:35:02 - That's my own address.
00:35:03 - And let's also do some debugging.
00:35:05 - That'll be fun too.
00:35:06 - We'll do the AAA authentication.
00:35:11 - That'll be enough for now.
00:35:12 - And lets do a telnet to 10.1.0.1.
00:35:16 - Now, what I would expect to happen is, because they're
00:35:18 - going to be coming in on one of these four VTY lines, the
00:35:21 - authentication is going to use the default method list if we
00:35:24 - go up to here and take a look at it.
00:35:27 - And here's our default authentication method list
00:35:32 - right here.
00:35:35 - And this default authentication method list
00:35:36 - says, go ahead and try a group of TACACS servers first.
00:35:40 - If you can't find them, use the local database.
00:35:43 - If we try to go in the console because it has the free bird
00:35:47 - method list we should see nothing.
00:35:48 - In fact, this let's go to the console.
00:35:50 - Let's demonstrate that first because that way you can see
00:35:52 - the actual free bird being mentioned.
00:35:56 - So back on the console, debugging is still active.
00:36:00 - Take a look at that.
00:36:00 - It said, oh, you're coming in on the console, which method list
00:36:03 - should I use?
00:36:04 - Free bird.
00:36:05 - And free bird said no authentication required.
00:36:07 - And poof.
00:36:08 - It didn't prompt me for a user name.
00:36:09 - It didn't prompt me for a password.
00:36:11 - It just let me in.
00:36:13 - So let's go ahead and telnet.
00:36:19 - I need to put the right password in for going into
00:36:21 - privilege mode.
00:36:22 - So let's go ahead and telnet to ourselves with the
00:36:25 - debug still running.
00:36:28 - And now we're coming in a VTY line.
00:36:30 - And now look at what method list it chose for
00:36:33 - authentication.
00:36:34 - It shows the default method list.
00:36:36 - And that default method list said use a
00:36:38 - TACACS server first.
00:36:40 - Timed out.
00:36:40 - Couldn't find one.
00:36:41 - And then it's going to local database.
00:36:43 - So we can type in the local user admin.
00:36:46 - And a password of Cisco.
00:36:48 - And we're in.
00:36:48 - Now, if we wanted to see that, as well, check this out.
00:36:51 - We could do a debug of TACACS.
00:36:55 - And we could see the router trying to talk to the TACACS
00:36:57 - server saying, hey, are you there?
00:36:59 - I got a user.
00:37:00 - Oh, I'm timing out.
00:37:01 - OK, I'll use the local database.
00:37:03 - So let's try that telnet, again, to the VTY lines.
00:37:09 - So here's our TACACS+ request.
00:37:11 - It started a five second time out.
00:37:13 - So it sent out a request on TCP.
00:37:17 - And the TCP port is 49, as we have right here.
00:37:22 - So they sent out a TCP request to the TACACS server saying,
00:37:24 - hey, I've got somebody trying to login.
00:37:26 - Are you there?
00:37:27 - Are you there?
00:37:28 - It wasn't there after five seconds.
00:37:30 - It timed out and went to the local database.
00:37:32 - Still asking me for a user but now it's off
00:37:34 - to the local database.
00:37:37 - And now I'm in.
00:37:39 - So there's the authentication.
00:37:41 - Again, it's just based on where we connect to.
00:37:43 - So I would encourage you, for this, to, maybe, download the
00:37:47 - file from the Nugget lab site.
00:37:50 - And go through the commands and practice with this on a
00:37:53 - non-production router because the first couple of times you
00:37:57 - do this, you're very likely to unauthorize yourself right
00:38:02 - out of the router.
00:38:03 - We have to physically turn it off and
00:38:04 - physically power it on.
00:38:05 - Let me tell you a quick true story.
00:38:07 - In 2003, I went to go get my CCIE in Security.
00:38:11 - And I had a great time.
00:38:12 - Lots of fun as those labs always are.
00:38:15 - And I, absolutely, locked myself out
00:38:17 - of one of my devices.
00:38:18 - So I had been saving as I went.
00:38:20 - I got to a AAA task.
00:38:22 - I was in a hurry.
00:38:23 - I put a default method list for authorization.
00:38:27 - I pressed enter and it was done because no longer did I
00:38:31 - have the authorization to access my gear.
00:38:34 - So to fix it I had to power off the router that I was
00:38:38 - working on.
00:38:39 - Power it back on.
00:38:40 - It came back right to where we left it.
00:38:42 - We put in the correct commands,
00:38:44 - continued, and passed.
00:38:45 - However, it happens to the best of us.
00:38:48 - Where do we go from here?
00:38:49 - Now that we have this functioning, we have the basic
00:38:52 - configuration set up on the router, let's go ahead and
00:38:55 - take a look at setting up the AAA server to support it.
00:38:59 - And our AAA server is right here.
00:39:01 - He's out on this network.
00:39:04 - And he's off of the firewall.
00:39:06 - And he's at 192.168.1.252.
00:39:13 - So setting up the AAA server, the big concept here is that
00:39:17 - we have a centralized server that is willing and able to
00:39:19 - take the request of these AAA clients, the routers.
00:39:22 - And verify user's credentials, verify whether authorization
00:39:27 - should be permitted or not, and, essentially, keep
00:39:29 - accounting records.
00:39:30 - So let's bring over Cisco's ACS.
00:39:33 - And the actual configuration of ACS, it's a big animal.
00:39:38 - It's got lots of bells and whistles.
00:39:40 - And I'll tell you why.
00:39:42 - It's possible that in an organization with hundreds of
00:39:45 - devices, or thousands of devices, and dozens of
00:39:48 - administrators, you might want certain users to have certain
00:39:52 - rights on certain devices.
00:39:53 - So we have network device groups that we can set up.
00:39:56 - We have user groups that we can set up.
00:39:58 - We can give different permissions to the groups.
00:40:00 - And then we can put users in those groups to get access to
00:40:02 - certain devices.
00:40:03 - So it's mix and match.
00:40:05 - Very modular.
00:40:06 - Let's take a look, first of all, at our network devices
00:40:08 - and AAA clients.
00:40:09 - Here's R1.
00:40:10 - Let's go take a look at him by clicking on him.
00:40:12 - It says this is R1.
00:40:14 - His location is here.
00:40:16 - His device type is a group of routers device type.
00:40:19 - Again, we can categorize that as west coast routers, east
00:40:22 - coast routers, and so forth.
00:40:23 - And here's the IP address.
00:40:25 - Now, this IP address, 192.168.1.125, doesn't look right.
00:40:30 - So let's take a peek over here.
00:40:33 - Oh, I see what's happening.
00:40:34 - So there's some network address translation that's
00:40:36 - happening between the AAA server that's off of here as
00:40:39 - it goes through this firewall.
00:40:41 - So the AAA server is actually seeing the router.
00:40:44 - Even though its address is 192.168.0.1, it's seeing it as
00:40:48 - 192.168.1.25 as it goes through NAT.
00:40:51 - Network Address Translation.
00:40:52 - All right.
00:40:53 - So that works.
00:40:54 - And then, here, we have TACACS.
00:40:56 - So for TACACS, we want to put the correct secret,
00:40:59 - which is 1, 2, 3.
00:41:01 - If you don't have the right secret, they won't be able to
00:41:02 - successfully communicate.
00:41:04 - And I'll submit that.
00:41:06 - And then we'll go take a look at users.
00:41:08 - Here's our internal users.
00:41:11 - I've got Admin, Bob, King Kong, Sally.
00:41:14 - We could make a new one.
00:41:15 - So I'll click on create.
00:41:16 - Let's call it Test Admin.
00:41:19 - And his password, we'll make the password Cisco.
00:41:23 - It's not very secure but very easy for me to remember.
00:41:26 - Now, this is the magic.
00:41:27 - If we already have groups set up, we could
00:41:29 - say, you know what?
00:41:30 - I want to put this user as part of the admin group.
00:41:34 - And by that association, he'll get all the rights that the
00:41:37 - admin group has to a certain group of
00:41:39 - routers in a device group.
00:41:41 - So that's the mixing pot of how certain rights get
00:41:45 - associated with individuals.
00:41:46 - So we'll click on OK.
00:41:48 - And I need to confirm the password of Cisco here.
00:41:52 - And submit it.
00:41:53 - And now I've got this user called Test Admin who's a
00:41:56 - member of the admin group.
00:41:58 - I've also got a user called Sally who's a member of the
00:42:00 - help desk who, of course, won't have the same rights as
00:42:03 - Test Admin.
00:42:03 - And I've got Bob, King Kong, Admin.
00:42:07 - So how do we test something like this?
00:42:09 - So the AAA server knows about the router.
00:42:12 - The router knows about the AAA server.
00:42:14 - It is so easy to test this.
00:42:16 - Check this out.
00:42:17 - From the router, let me bring him back over here.
00:42:20 - Let's do a debug of TACACS, again.
00:42:26 - And let's just do a test.
00:42:27 - This is a fantastic troubleshooting tool because a
00:42:30 - lot of times there's so many moving parts.
00:42:31 - Like, how do we verify that this user connecting from that
00:42:34 - place is using the AAA server in the back end?
00:42:37 - This is a great test between the client and the AAA server
00:42:40 - just to make sure that piece is working correctly.
00:42:42 - Let's do a AAA.
00:42:44 - And we'll specify a group TACACS, which represents a
00:42:48 - group of TACACS servers.
00:42:50 - We happen to have one at the moment.
00:42:51 - That will do.
00:42:52 - And then the next TACACS will be the user name.
00:42:54 - How about that user we just created?
00:42:56 - What was her name?
00:42:58 - How about Test Admin?
00:43:00 - Let's check test admin, the one we just made.
00:43:04 - We'll put in this password.
00:43:05 - Unfortunately, for this test it's going to be clear text on
00:43:08 - the screen.
00:43:09 - So if somebody's watching you, that wouldn't be a good thing.
00:43:12 - But it is what it is.
00:43:13 - Maybe, make a test account.
00:43:14 - Try it out.
00:43:15 - Delete the test account.
00:43:17 - And then there's an option for how we want to send it.
00:43:19 - And I'm going to use legacy method.
00:43:22 - So now what?
00:43:22 - OK, wow.
00:43:23 - That worked first time.
00:43:25 - Fantastic.
00:43:26 - So this says attempting to authenticate to the server
00:43:29 - group TACACS.
00:43:30 - User was successfully authenticated.
00:43:32 - And the debug is, simply, showing us that it found out
00:43:35 - you had the user information.
00:43:36 - It wanted to get the password, which it all did from that one
00:43:39 - command test of AAA.
00:43:41 - And the success was pass.
00:43:43 - The status was pass.
00:43:44 - So if it comes back as fail--
00:43:46 - let's do it.
00:43:46 - Let's do a fail.
00:43:47 - Let's do another test.
00:43:48 - Lets put a user that doesn't exist.
00:43:50 - How about Billy just to make sure that Billy
00:43:55 - doesn't exist here?
00:43:57 - All right.
00:43:58 - So Billy doesn't exist.
00:43:59 - And we'll go ahead and see the responses.
00:44:03 - It was rejected by the server.
00:44:05 - And look at this.
00:44:05 - It has a fail message.
00:44:07 - So we have a message from the TACACS debugging saying, yep,
00:44:11 - the AAA server responded.
00:44:12 - And the answer was no.
00:44:15 - It wasn't that we timed out.
00:44:16 - It was that the AAA server said no.
00:44:17 - So now if we leave the debug running and we do a debug AAA
00:44:22 - authentication, and debug AAA authorization, and debug AAA
00:44:28 - accounting because I think we have a whole bunch of stuff
00:44:32 - for the VTY lines.
00:44:33 - Then we'll telnet to ourselves.
00:44:37 - And let's go in as test admin.
00:44:42 - And the password is Cisco.
00:44:46 - And then we'll go into privilege mode.
00:44:50 - Now I didn't do authorization of the exec shell.
00:44:52 - And that's why it didn't, automatically, put me at
00:44:55 - privilege level 15.
00:44:56 - I didn't tell the router to check for authorization for an
00:44:59 - exec shell, which would have tied it to my
00:45:01 - own privilege level.
00:45:02 - So in this Nugget, we've identified how we can extend
00:45:05 - the reach of a centralized AAA server and make it usable by
00:45:10 - multiple clients.
00:45:11 - This guy could use it.
00:45:12 - In fact, the switches could all tie into it for
00:45:14 - authentication of users if they were doing
00:45:16 - something like 802.1X.
00:45:18 - Port based authentication, as well.
00:45:20 - We can use, as the language of love, TACACS or RADIUS.
00:45:24 - They both have their pros and cons.
00:45:26 - And here's what I'd like to do as a final little
00:45:27 - exercise with AAA.
00:45:29 - I realize that AAA can be a little daunting.
00:45:33 - There's a lot of bells and whistles.
00:45:35 - Here's a little exercise I'd like each of you to do.
00:45:38 - First of all, I'd like you to start off with a router that's
00:45:41 - not in a production environment.
00:45:43 - You've got a command line interface to it.
00:45:45 - And here's what I'd like you to do.
00:45:46 - I'd like you to get into privilege mode.
00:45:49 - And then go to configuration mode.
00:45:51 - I'd like you to set an enable secret.
00:45:53 - Go to AAA new model.
00:45:55 - Enable that.
00:45:56 - And then set a default method list saying I want the enable
00:45:59 - secret to be my default method for authenticating.
00:46:02 - So with just those commands right there.
00:46:05 - Enable secret.
00:46:06 - AAA new model.
00:46:08 - And a default method list.
00:46:09 - This guy right here.
00:46:11 - Now, if we telnet to ourselves or go back on the
00:46:14 - console, either way, it should prompt us for a password.
00:46:18 - So the password is going to be Cisco.
00:46:20 - The first thing it said was get the password because the
00:46:23 - default method was enable secret.
00:46:25 - And then, when I supplied the correct
00:46:26 - password, it let me in.
00:46:27 - Let's try it again.
00:46:29 - And let's put in the wrong password.
00:46:31 - So I'm going to put in the incorrect enable secret.
00:46:35 - I want you to see visually how it says fail.
00:46:38 - Wrong password.
00:46:39 - And now it's prompting me, again, for another password.
00:46:42 - I put in the correct password.
00:46:43 - It lets me in.
00:46:44 - So the basic concept of AAA is make sure you find out who
00:46:49 - people are.
00:46:50 - Or if you're using a method like the enable secret, make sure
00:46:53 - you have the correct enable secret supplied.
00:46:55 - Once you have a user authenticated by identifying
00:46:58 - who that user is, if you're using the local database or
00:47:00 - TACACS, you can then authorize if you want.
00:47:03 - That's the second A of AAA.
00:47:05 - And then you can send accounting records, as well,
00:47:08 - up to the AAA server.
00:47:11 - I have had a lot of fun in this Nugget on AAA and,
00:47:14 - actually, putting it in motion.
00:47:16 - Most medium and large companies are using some type of
00:47:19 - centralized authentication.
00:47:21 - You definitely want to be comfortable with it.
00:47:23 - Again, I'd encourage you to do the practice, the hands on.
00:47:26 - Go visit the Nugget lab.
00:47:28 - Download all the commands I used in this Nugget, and
00:47:31 - practice them yourself.
00:47:32 - I hope this has been informative for you.
00:47:34 - And I'd like to thank you for viewing.
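The video says the tacacs-server key is used "to encrypt the entire session" and that a mismatched key means the router and ACS "won't be able to successfully communicate". The block below is an added example, not code from the video, from the Nugget lab files or from Cisco, that shows what actually happens on TCP port 49: TACACS+ (RFC 8907, section 4.5) XORs each packet body with an MD5 keystream built from the shared key, the session ID, the version byte and the sequence number, while the 12-byte header stays in the clear. It builds the authentication START that a test aaa ... legacy login would send, obfuscates it with one key, and de-obfuscates it with a matching key, a wrong key, and no key at all. The key value cisco123, the session ID, the tty name and the 10.1.0.1 remote address are constructed sample values, not captured traffic.

```python
"""Added example (not from the video or the Nugget lab files): the TACACS+ body
obfuscation that 'tacacs-server key' controls, per RFC 8907 section 4.5.
Key, session ID, port and remote address are constructed sample values."""
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_n = MD5(same prefix|MD5_n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, priv_lvl: int = 1) -> bytes:
    """Authentication START body for an ASCII login (the 'legacy' method of test aaa)."""
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr


def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1) -> bytes:
    """Router side: clear header, body obfuscated only when a key is configured."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0  # 0xC0: major 12, minor 0
    if key:
        flags, payload = 0, obfuscate(body, key, session_id, version, seq_no)
    else:  # no key: the body, password included, crosses the network in the clear
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    return HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body)) + payload


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Server side: split header from body and undo the obfuscation with its own key."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, key, session_id, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "flags": flags, "body": body}


def parse_authen_start(body: bytes) -> dict:
    """Decode a START body; the length fields only add up if both sides used the same key."""
    if len(body) < 8:
        raise ValueError("body too short")
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        raise ValueError("length fields do not add up: key mismatch or corrupt packet")
    off = 8
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem_addr, off = body[off:off + rl], off + rl
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr,
            "data": body[off:off + dl]}


def demo(router_key: bytes = b"cisco123", server_key: bytes = b"cisco123") -> dict:
    """Router builds the START with router_key; server de-obfuscates with server_key."""
    session_id = 0x1A2B3C4D  # constructed; IOS picks a random session ID per session
    plain = build_authen_start(b"testadmin", b"tty2", b"10.1.0.1")
    wire = build_packet(plain, router_key, session_id)
    body = parse_packet(wire, server_key)["body"]
    return {"plain": plain, "wire": wire, "body": body}


if __name__ == "__main__":
    ok = demo()
    print("matching key   -> user", parse_authen_start(ok["body"])["user"])
    bad = demo(server_key=b"wrongkey")
    print("mismatched key -> body differs from plaintext:", bad["body"] != bad["plain"])
    clear = demo(router_key=b"", server_key=b"")
    print("no key         -> username visible on the wire:", b"testadmin" in clear["wire"])
```

Two things worth noticing when you run it. A key mismatch never produces an explicit error on the wire: the server simply gets a body whose length fields do not add up, which is why the router-side symptom in the video is a timeout followed by fallback to the local database rather than a "bad key" message. And the keystream is MD5 over the key plus values visible in the clear header, so it is obfuscation, not authenticated encryption: anyone holding the key can decode every session, the header and packet sizes are always visible, and with no key configured the username and password cross the network in plaintext. RFC 8907 therefore recommends running TACACS+ only on a protected management network.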

Keith Barker

CBT Nuggets Trainer

Certifications:
Cisco CCDP, CCIE Security, CCIE Routing & Switching; Juniper JNCIS-ENT, JNCIS-SP; Brocade BCNP ; HP-MASE; (ISC)2 CISSP; CompTIA Network+, Security+, VCP5-DCV

Area Of Expertise:
Cisco, security, networking, bitcoin. Author or coauthor of: CCNA Security 640-554 Official Cert Guide; CCNP Security IPS 642-627 Official Cert Guide; CCNA Security 640-554 Official Cert Guide, and many more.



© 2014 CBT Nuggets. All rights reserved.