Authentication in Cisco IOS

AAA (Authentication Authorization and Accounting) - an authentication and authorization authentication system integrated into the Cisco IOS operating system that provides users with secure remote access to Cisco network equipment. It offers various methods of user identification, authorization, as well as the collection and sending of information to the server.

However, not only is aaa turned off by default; the configuration of this system is a rather confusing matter. Deficiencies in the configuration can lead either to an unstable, unsafe connection, or to the absence of any connection in principle. In this article, we will detail the authentication configuration scheme using aaa .

In general, the authentication scheme looks like this:
Fig. 1. Authentication scheme (by clicking on it opens in full size)
Fig. 2. Authentication scheme (continued, clicks to open in full size)
The scheme is not divided into two parts by chance: the first describes the main path from the control lines (vty or con) to authentication methods, and the second describes the authentication methods themselves.

But first things first.

Lack of aaa new-model


In this case, we are talking about the right side of the circuit (see Fig. 1).



Fig. 3. Authentication scheme without aaa new-model
As already mentioned, the default service is aaa new-model switched off. Connection to the device can be performed either physically, by connecting via the console port (line console 0) without entering any credentials, or through the TELNET protocol (line vty). Moreover, in the latter case, even if you set the IP address on Cisco, you will not be able to access the device due to the lack of a password (authentication method is "line", see Fig. 3). If a password is set on the vty line, the device will only require you to enter a password, which significantly reduces the security of the connection, since you do not need to enter a login to enter; however, everything here, of course, also depends on the complexity of the password that you configured.

When executing the "login local" command, the device, having established a connection, will require you to enter a login and password to enter.

So: in the absence of aaa new-model, the maximum that you can require from Cisco IOS is to use a password (authentication method "line") and use a login and password from a local database (authentication method "local").



Fig. 4. Authentication methods without aaa new-model

Aaa new-model configuration


The advantage of aaa configuration is that it contains many authentication methods (unlike the previous case). Aaa is enabled by adding the aaa new-model command in global configuration mode. Next up is the choice of authentication methods. All methods are organized into lists that are assigned either the default value or a specific list name ( list-name ). Thus, on different types of lines ( aux, vty, con ... ), you can "hang" different authentication methods, delimiting access between users.

Example of setting up aaa new-model and authentication lists:

Router(config)#aaa new-model
Router(config)#aaa authentication login {default | list-name} method1 [method2…]
Router(config)#line {vty | aux | con…} line-numbers
Router(config-line)#login authentication {default | list-name}

Methods


As mentioned earlier, there are a lot of authentication methods in aaa. Let's try to list the most common:
Local - the database of logins and passwords is stored on the network device itself. Требует username {password | secret} .
Local-case - the same method as local, but case sensitive when entering login.
Enable — для аутентификации требуется enable{password | secret} . .
Line - authentication requires the password line (see Fig. 4 authentication method "line").
None - authentication is not required, access to the device is provided without entering a username and password.
Group {tacacs+ | radius} - connecting servers with Tacacs + installed ( http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scftplus.html#wp1000899 ) or Radius ( http: // www. cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrad.html#wp1000902 ) to extend aaa configuration options.
Group {group-name} - allows you to configure a group of servers with Tacacs + or Radius installed or configure a private group server.

The most interesting authentication method is group: it is quite common in medium and large companies.

The following is an example of setting the group method, which must be implemented in conjunction with authentication lists.

Example of adding a server group and a private Radius server:

Router(config)#aaa authentication login default group servradius1
Router(config)#aaa group server radius servradius1
Router(config-sg-radius)#server 192.168.1.1
Router(config-sg-radius)#server 192.168.1.2
Router(config-sg-radius)#server 192.168.1.3
Router(config-sg-radius)#server-private 192.168.1.10

This example shows that three Radius servers are configured. But the question arises: how will they work? The first thing that comes to mind: most likely, they will work in turn: if 192.168.1.1 is unavailable, they will go to 192.168.1.2, etc. But this is not so. In this example, an error was made: 192.168.1.1, 192.168.1.2, 192.168.1.3 are configured incorrectly, and therefore will not be used in authentication. In this configuration, the Router (config) # radius-server host command for each server is missing. A more detailed description of the settings can be found on the vendor's resources (for example: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrad.html ). Schematically, this can be represented as follows:



Fig. 5. Configuring authentication for the group method
Here, in fact, is all the information that will help you successfully configure authentication on your network device. Follow the diagram, and if your settings lead to "true", then there will be happiness, and if to "false" - look at the configuration carefully: perhaps an error is made somewhere or access to the device is possible without entering a login and password (authentication method " none "). I hope this article was useful and helped you understand the nuances of aaa configuration.
We, in turn, always try to automate such complex checks. Как пример — результат проверки MaxPatrol относительно службы ААА:



Fig. 6. Requirement Status



Fig. 7. Results of the requirement for AAA service
Posted by Maxim Habrat, Positive Research Center