AAA
Authentication, Authorization, and Accounting
- AAA method lists are defined on the device, each with one or more methods attached that are tried in order
- Different lists can be assigned to different access methods
- Example: login, enable or ppp
- A named list can be assigned to an access method, otherwise the default list for that access method is used
- Typically RADIUS or TACACS+ is used first, falling back to the local database should the connection to the server fail
- If none is used as the fallback method, no authentication is performed once the preceding methods are unavailable
TACACS+ (Terminal Access Controller Access-Control System)
- Used mainly for management of the device
- Supports per-command authorization and accounting
RADIUS (Remote Authentication Dial In User Service)
- Used mainly for user authentication
- Can assign users to a role or privilege level
- Doesn't support per-command authorization and accounting
Local Access
- Default authentication method
- Uses a local database
- Generally used as the fallback option if the connection to the TACACS+ or RADIUS server is lost
- Passwords are stored in clear text by default
- Can be configured to encrypt using various options:
- Secret instead of password
- Sets password to Type 5 and creates MD5 hash
- Stronger than Type 7 password
- Command:
- (config)#username <username> secret <password>
- (config)#enable secret <password>
- Enable password encryption
- Sets all passwords to Type 7
- Weak encryption method/reversible
- Command:
- (config)#service password-encryption
AAA Configuration
- To enable AAA globally on the device
- Device access
- Create a default authentication method list to use the local database
- (config)#aaa authentication login default local
- Create a named authentication method list to use the local database
- (config)#aaa authentication login LOCAL_DATABASE local
- Create a default authentication method list to use RADIUS first then fall back to local database
- (config)#aaa authentication login default group radius local
- Create a default authentication method list to use the enable password for Priv EXEC access
- (config)#aaa authentication enable default enable
- Authorization on specific privilege level commands
- (config)#aaa authorization commands <command privilege level> <auth list name> group tacacs+ local
- Use TACACS+ for authorization of configuration commands
- Disabled by default
- (config)#aaa authorization config-commands
- Enable EXEC authorization against the local database
- (config)#aaa authorization exec default local
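The Local Access and AAA Configuration notes above describe the settings an auditor looks for in a saved config: local accounts stored with password instead of secret, enable password instead of enable secret, a none method on a login list, and a server group with no local fallback. This added example (not from the original notes) checks a constructed running-config fragment for exactly those conditions; the hostname, usernames and hash in it are made up.

```python
import re

# Constructed running-config fragment; the host, users and hash are made up.
SAMPLE_CONFIG = """\
hostname EDGE1
username admin password 0 Sup3rS3cret
username ops password 7 0822455D0A16
username sec secret 5 $1$abcd$placeholderhashnotreal000000
enable password cisco
aaa new-model
aaa authentication login default group radius none
aaa authentication login CONSOLE local
aaa authentication login VTY group tacacs+
aaa authentication enable default enable
aaa authorization exec default local
"""

USER_PW = re.compile(r"username (\S+) (?:privilege \d+ )?password(?: (\d))? \S+$")
METHOD_LIST = re.compile(r"aaa authentication (login|enable) (\S+) (.+)$")


def audit_ios_config(config: str) -> list[str]:
    """Return one finding per weak setting described in the notes above."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("AAA is not enabled globally")
    for line in lines:
        # Local accounts stored with 'password' (Type 0 or Type 7) instead of 'secret'
        m = USER_PW.match(line)
        if m:
            kind = "Type 7 (reversible)" if m.group(2) == "7" else "clear-text"
            findings.append(f"user {m.group(1)}: {kind} password, use 'secret'")
        if line.startswith("enable password "):
            findings.append("enable password in use, use 'enable secret' (Type 5)")
        # Method lists: 'none' skips authentication; a server group with no
        # 'local' fallback locks administrators out when the server is unreachable
        m = METHOD_LIST.match(line)
        if m:
            methods = m.group(3).split()
            name = f"{m.group(1)} list '{m.group(2)}'"
            if "none" in methods:
                findings.append(f"{name}: 'none' method skips authentication")
            elif "group" in methods and "local" not in methods:
                findings.append(f"{name}: no local fallback if the server fails")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print("-", finding)
```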
Privilege Levels
- Controls access to exec commands
- Defined privilege level allows you to run all commands up to that level
- Example: a user at Priv level 8 can run all commands from Priv level 0 to 8
- Default levels
- 0 – No access
- 1 – User mode access
- 15 – Privileged EXEC (enable) mode access
- User defined levels
- Commands within a given mode can be moved to function at a chosen privilege level
- This isn’t scalable – better to use TACACS+
- In EXEC mode:
- Move a command to Priv Level 3
- Command:
- (config)#privilege exec level 3 show run
- In Configure mode:
- Move a command to Priv Level 4
- Command:
- (config)#privilege configure level 4 interface
- In Interface mode:
- Move a command to Priv Level 5
- Command:
- (config)#privilege interface level 5 ip address
Role-Based CLI Access
- Still not a scalable solution to control access
- Uses the concept of ‘views’
- Create a view and assign commands to include or exclude in view
- Example:
- (config)#parser view <view name>
- (config-view)#secret <password>
- (config-view)#command exec include <included command>
- e.g. (config-view)#command exec include show
- Includes all the show commands under Priv EXEC mode
- (config-view)#command exec include-exclusive <include specific command>
- e.g. (config-view)#command exec include-exclusive show ip route
- Includes the show ip route command
- Doesn’t share this command with a “superview”
- (config-view)#command exec exclude <excluded command>
- e.g. (config-view)#command exec exclude show version
- Excludes the show version command (Priv EXEC mode) from the view
- (config-view)#command exec exclude all <excluded master command>
- e.g. (config-view)#command exec exclude all show ip
- To create a “SuperView” made up of multiple views
- Commands:
- (config)#parser view <view-name> superview
- (config-view)#view <view name>
- (config-view)#secret <password>
- To assign local users to a view
- Command:
- (config)#username <username> view <view name>
- Enable authorization on local user database for view commands
- Command:
- (config)#aaa authorization exec default local
Configuration Change Notification and Logging
- Local command accounting
- Tracks commands issued through the CLI and HTTP
- Uses configuration archive function
- Commands:
- (config)#archive
- (config-archive)#log config – Enters the sub-mode for logging configuration changes
- (config-archive-log-cfg)#logging enable – Enables logging of configuration changes
- (config-archive-log-cfg)#logging size <size> – Sets the size (in lines) of the logs
- (config-archive-log-cfg)#hidekeys – Hides passwords being entered
- (config-archive-log-cfg)#notify syslog – Sends the messages to the syslog daemon
Login Enhancements
- Protection against brute force attacks
- Blocks login attempts for a set period if too many invalid attempts are made within a given time window
- Command:
- (config)#login block-for <seconds> attempts <attempts> within <seconds>
- Example:
- (config)#login block-for 10 attempts 3 within 5
- Blocks for 10 seconds if 3 attempts are made within 5 seconds
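To make the block-for semantics concrete, this added example (not part of the original notes) models the policy above over a constructed sequence of login attempts with the page's own values: block-for 10, attempts 3, within 5. The model assumes a sliding window for counting failures and assumes a successful login neither resets nor adds to the count; the event timestamps are made up.

```python
from dataclasses import dataclass, field


@dataclass
class LoginBlocker:
    """Model of 'login block-for <block_for> attempts <attempts> within <within>'."""
    block_for: int                 # quiet-mode duration in seconds
    attempts: int                  # failed attempts that trigger quiet mode
    within: int                    # window in seconds for counting failures
    failures: list = field(default_factory=list)   # timestamps of recent failures
    quiet_until: float = -1.0      # end of the current quiet period

    def attempt(self, t: float, success: bool) -> str:
        """Process a login attempt at time t (seconds); return the outcome."""
        if t < self.quiet_until:
            return "blocked"       # quiet mode: refused before authentication
        if success:
            return "accepted"      # assumption: successes do not touch the counter
        # Sliding window (assumption): drop failures older than 'within' seconds
        self.failures = [f for f in self.failures if t - f <= self.within] + [t]
        if len(self.failures) >= self.attempts:
            self.quiet_until = t + self.block_for
            self.failures = []
            return "quiet-mode-on"
        return "failed"


def simulate(block_for: int, attempts: int, within: int, events) -> list[str]:
    """Run a sequence of (t, success) events through the policy."""
    blocker = LoginBlocker(block_for, attempts, within)
    return [blocker.attempt(t, ok) for t, ok in events]


# Constructed attempt sequence for 'login block-for 10 attempts 3 within 5'
EVENTS = [(0, False), (2, False), (4, False),   # 3 failures in 4 s -> quiet mode
          (5, True),                           # refused even with valid credentials
          (14, True),                          # quiet period over, login accepted
          (20, False), (27, False), (30, False)]  # spread out: never 3 within 5 s

if __name__ == "__main__":
    for (t, _), outcome in zip(EVENTS, simulate(10, 3, 5, EVENTS)):
        print(f"t={t:>2}s  {outcome}")
```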
IOS Resilient Config
- Protects the configuration and image from being deleted
- If using a secure image
- Hides the image from the dir listing
- Erase of flash doesn’t delete the image
- Command:
- (config)#secure boot-image
- If using the secure configuration
- Configuration is archived as a secret file
- Cannot be deleted from NVRAM
- If you write erase and reload, you can still recover the configuration
- Commands:
- (config)#secure boot-config
- (config)#secure boot-config restore <path to archived config>
Troubleshooting Commands
- #show privilege – Displays the current user's privilege level
- #show archive log config all – Displays the current configuration change logs
- #show archive config differences <config> – Compares listed config to current config