Cisco AAA Implementation Case Study.pdf

Cisco AAA Implementation Case 

Study 

Internetworking Solutions Guide 

May 2000 

Corporate Headquarters 

Cisco Systems, Inc. 

170 West Tasman Drive 

San Jose, CA 95134-1706 

USA 

http://www.cisco.com 

Tel: 408 526-4000 

800 553-NETS (6387) 

Fax: 408 526-4100 

Text Part Number: OL-0397-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT 

NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE 

PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR 

APPLICATION OF ANY PRODUCTS. 

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION 

PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO 

LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. 

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of 

UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of Ca lifornia. 

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED 

“AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, 

INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 

NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. 

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL 

DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR 

INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 

Access Registrar, AccessPath, Any to Any, AtmDirector, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, the Cisco logo, 

Cisco Certified Internetwork Expert logo, CiscoLink, the Cisco Management Connection logo, the Cisco NetWorks logo, the Cisco Powered Network logo, 

Cisco Systems Capital, the Cisco Systems Capital logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, the Cisco 

Technologies logo, ConnectWay, Fast Step, FireRunner, Follow Me Browsing, FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet 

Quotient, IP/VC, Kernel Proxy, MGX, Natural Network Viewer, NetSonar, Network Registrar, the Networkers logo, Packet, PIX,PointandClick 

Internetworking, Policy Builder, Precept, RateMUX, ScriptShare, Secure Script, ServiceWay, Shop with Me, SlideCast, SMARTnet, SVX, The Cell, 

TrafficDirector, TransPath, ViewRunner, Virtual Loop Carrier System, Virtual Voice Line, VlanDirector, Voice LAN, Wavelength Router, Workgroup 

Director, and Workgroup Stack are trademarks; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, The Internet 

Economy, and The New Internet Economy are service marks; and Aironet, ASIST, BPX, Catalyst, Cisco, Cisco IOS, the Cisco IOS logo, Cisco Systems, 

the Cisco Systems logo, the Cisco Systems Cisco Press logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, FastSwitch, 

GeoTel, IOS, IP/TV, IPX, LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, TeleRouter, and 

VCO are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries. All other tradem arks mentioned in this 

document are the property of their respective owners. The use of the word partner does not imply a partnership relationship betw een Cisco and any of its 

resellers. (0004R) 

Cisco AAA Implementation Case Study 

Copyright © 2000, Cisco Systems, Inc. 

All rights reserved.

CONTENTS 

Preface xi 

Purpose xi 

Audience xi 

Scope xi 

Related Documentation and Sites xii 

Software Used in This Case Study xii 

Hardware Used in This Case Study xii 

Document Conventions xiii 

Command Syntax Conventions xiii 

Cisco Connection Online xiii 

Documentation CD-ROM xiv 

Providing Documentation Feedback xiv 

Acknowledgements xv 

CHAPTER 1 Cisco AAA Case Study Overview 1-1 

1.1 AAA Technology Summary 1-1 

1.1.1 AAA RFC References 1-2 

1.2 TACACS+ Overview 1-2 

1.3 RADIUS Overview 1-3 

1.4 Comparison of TACACS+ and RADIUS 1-4 

1.4.1 UDP and TC P1-4 

1.4.2 Packet Encryption 1-4 

1.4.3 Authentication and Authorization 1-5 

1.4.4 Multiprotocol Support 1-5 

1.4.5 Router Management 1-5 

1.4.6 Interoperability 1-6 

1.4.7 Attribute-Value Pairs (AVPs )1-6 

1.5 Differences in Implementing Local and Server AAA 1-6 

1.6 Scenario Description 1-8 

1.7 Planning Your Network 1-9 

1.8 Network Service Definitions 1-10 

1.8.1 Authentication Policy 1-10 

OL-0397-01 


iii

Contents 

1.8.2 Authorization Polic y1-11 

1.8.3 Accounting Polic y1-11 

1.9 Security Implementation Policy Consideration s1-12 

1.10 Network Equipment Selection 1-13 

1.11 Task Check Li st1-14 

CHAPTER 2 Implementing the Local AAA Subsystem 2-1 

2.1 Implementing Local Dialup Authentication 2-2 

2.2 Implementing Local Dialup Authorization 2-5 

2.3 Implementing Local Router Authentication 2-8 

2.4 Implementing Local Router Authorization 2-10 

2.5 Implementing Local Router Accounting 2-12 

CHAPTER 3 Implementing Cisco AAA Servers 3-1 

3.1 Installing CiscoSecure for UNIX with Oracle 3-2 

3.1.1 Creating Oracle Tablespace 3-2 

3.1.2 Verifying the Oracle Database Instance 3-3 

3.1.3 Installing CiscoSecure for UNIX 3-5 

3.1.4 Creating and Verifying Basic Us e r 3-10 P r o f i l e 

CHAPTER 4 Implementing the Server-Based AAA Subsystem 4-1 

4.1 Implementing Server-Based TACACS+ Dialup Authenticatio n4-2 

4.2 Implementing Server-Based TACACS+ Dialup Authorizatio n4-4 

4.3 Implementing Server-Based RADIUS Dialup Authentication 4-6 

4.4 Implementing Server-Based RADIUS Dialup Authorization 4-8 

4.5 Implementing Server-Based TACACS+ Router Authenticatio n4-10 

4.6 Implementing Server-Based TACACS+ Router Authorizatio n4-13 

CHAPTER 5 Implementing Server-Based AAA Accountin g 5-1 

5.1 Implementing Server-Based TACACS+ Dial Accountin g5-1 

5.2 Implementing Server-Based TACACS+ Router Accountin g5-4 

5.3 AAA Disconnect Cause Code Descriptions 5-6 

CHAPTER 6 Diagnosing and Troubleshooting AAA Operations 6-1 

6.1 Overview of Authentication and Authorization Processes 6-2 

6.2 Troubleshooting AAA Implementation 6-7 

iv 


OL-0397-01

Contents 

6.2.1 Troubleshooting Methodology Overview 6-7 

6.2.2 Cisco IOS Debug Command Summary 6-7 

6.3 AAA Troubleshooting Basics 6-8 

6.3.1 Troubleshooting Dial-Based Local Authentication 6-9 

6.3.2 Troubleshooting Dial-Based Server Authentication 6-10 

6.3.3 Troubleshooting Dial-Based Local Authorization 6-13 

6.3.4 Troubleshooting Dial-Based Server Authorization 6-15 

6.3.5 Troubleshooting Router-Based Local Authentication 6-19 

6.3.6 Troubleshooting Router-Based Server Authentication 6-21 

6.3.7 Troubleshooting Router-Based Local Authorization 6-24 

6.3.8 Troubleshooting Router-Based Server Authorization 6-26 

6.4 Troubleshooting Scenarios 6-29 

6.4.1 Isolating Incorrect TACACS+ Key in NAS or AAA Server (TACACS+ Dial-Based Server 

Authentication) 6-29 

6.4.2 Isolating Invalid User Password (TACACS+ Dial-Based Server Authentication) 6-30 

6.4.3 Isolating Non-Existent User (TACACS+ Dial-Based Server Authentication) 6-31 

6.4.4 Isolating Missing PPP Service Definition (TACACS+ Dial-Based Server Authorization ) 6-33 

6.4.5 Isolating Defined AVPs not Being Assigned (TACACS+ Dial-Based Server Authorization) 6-34 

6.4.6 Isolating Missing Shell Service Definition (TACACS+ Dial-Based Server Authorization) 6-35 

6.4.7 Isolating Incorrect PPP Reply Attributes (RADIUS Dial-Based Server Authorization) 6-36 

APPENDIX A AAA Device Configuration Listing s A-1 

A.1 Sample Cisco IOS Configuration Listing sA-1 

A.1.1 Example Local-Based Router AAA Configuration A-2 

A.1.2 Example Server-Based TACACS+ NAS Configuration A-5 

A.1.3 Example Server-Based RADIUS NAS Configuration A-9 

A.2 Router AAA Command Implementation Descriptions A-13 

A.3 NAS AAA Command Implementation Descriptions A-13 

A.4 CiscoSecure for UNIX Configuration Listin g A-15 s 

A.4.1 CSU.cfg Listing A-16 

A.4.2 CSConfig.ini Listing A-19 

A.4.3 Oracle User Environment Variable A-23 

A.4.4 listener.ora Listing A-24 

A.5 CiscoSecure Log Files A-25 

OL-0397-01 


v

Contents 

APPENDIX B AAA Impact on Maintenance Task s B-1 

APPENDIX C Server-Based AAA Verification Diagnostic Output C1 

C.1 Server-Based TACACS+ Dialup Authentication Diagnostics C1 

C.2 Server-Based TACACS+ Dialup Authorization Diagnostics C2 

C.3 Server-Based RADIUS Dialup Authentication Diagnostics C4 

C.4 Server-Based RADIUS Dialup Authorization Diagnostics C5 

C.5 Server-Based TACACS+ Router Authentication Diagnostics C7 

C.6 Server-Based TACACS+ Router Authorization Diagnostics C9 

C.6.1 Test Results for rtr_low Gro u C9p 

C.6.2 Test Results for rtr_tech Grou pC14 

C.6.3 Test Results for rtr_super Grou pC20 

INDEX 

vi 


OL-0397-01

FIGURES 

Figure 1-1 AAA-Based, Secure Network Access Scenario 1-2 

Figure 1-2 Local-Based Access Options 1-7 

Figure 1-3 Server-Based Access Options 1-8 

Figure 2-1 Local-Based Dial Access Environment 2-2 

Figure 2-2 Local-Based Router Environment 2-8 

Figure 3-1 AAA-Based, Secure Network Access Scenario 3-1 

Figure 4-1 Basic AAA Case Study Environment 4-2 

Figure 4-2 Server-Based Dial Environment (TACACS+) 4-2 

Figure 4-3 Server-Based Dial Environment (RADIUS) 4-6 

Figure 4-4 Server-Based VTY Access (Telnet) 4-10 

Figure 4-5 TACACS+ Authentication and Authorization Verification Methodology 4-14 

Figure 6-1 Basic AAA Case Study Environment 6-2 

Figure 6-2 Dial Access Authentication and Authorization Flow Diagram 6-3 

Figure 6-3 RADIUS Dial Access Authentication and Authorization Process 6-4 

Figure 6-4 TACACS+ Dial Access Authentication and Authorization Session (EXEC Enabled) 6-5 

Figure 6-5 TACACS+ Dial Access Authentication and Authorization Session (EXEC Shell Disabled) 6-6 

OL-0397-01 


vii

Figures 

viii 


OL-0397-01

TABLES 

Table 1-1 Comparison of RADIUS and TACACS+ 1-4 

Table 1-2 Examples of RADIUS AVPs 1-6 

Table 1-3 Examples of TACACS+ AVPs 1-6 

Table 1-4 General Service Definition Checklist 1-9 

Table 1-5 AAA Service Definition Checklist 1-10 

Table 1-6 AAA Security Checklist 1-12 

Table 1-7 AAA Task Checklist 1-14 

Table 4-1 Group Profile Command Summary 4-13 

Table 5-1 AAA Disconnect Cause Code Listings 5-6 

Table 6-1 Single User Failure; Individual Dial-in User Connection Fails 6-9 

Table 6-2 Multiple User Failure; All Dial-in Users Unable to Connect to NAS 6-9 

Table 6-3 Single User Failure; Individual User Unable to Make Connection (RADIUS and TACACS+) 6-10 

Table 6-4 Multiple User Failure; All Dial-in Users Unable to Connect to NAS (RADIUS and TACACS+) 6-12 

Table 6-5 User Cannot Start PPP 6-13 

Table 6-6 Network Authorization Fails 6-14 

Table 6-7 Unable to Access Specific Host or Network Service 6-14 

Table 6-8 Multilink Fails 6-14 

Table 6-9 Multiple Users Cannot Start PPP (RADIUS and TACACS+) 6-16 

Table 6-10 Network Authorization Fails (RADIUS and TACACS+) 6-17 

Table 6-11 User or Group Members Unable to Access Specific Host or Network Service (RADIUS and TACACS+) 6-17 

Table 6-12 Multilink Fails (TACACS+) 6-18 

Table 6-13 Multilink Fails (RADIUS) 6-18 

Table 6-14 Session Fails to Disconnect After Expected Idle Timeout (TACACS+) 6-18 

Table 6-15 Session Fails to Disconnect After Expected Idle Timeout (RADIUS) 6-18 

Table 6-16 No EXEC Shell for TACACS+ 6-19 

Table 6-17 No EXEC Shell for RADIUS 6-19 

Table 6-18 Cannot Start Concurrent Sessions (TACACS+) 6-19 

Table 6-19 Cannot Start Concurrent Sessions (RADIUS) 6-19 

Table 6-20 Single User Failure; Individual Dial-in User Connection Fails 6-20 

Table 6-21 Multiple User Failure; All Dial-in Users Unable to Connect to Router 6-20 

Table 6-22 Users Can Access Router by Using Console or VTY, but Not Both 6-21 

OL-0397-01 


ix

Tables 

Table 6-23 Single User Failure; Individual User Unable to Make a Connection 6-22 

Table 6-24 Multiple User Failure; All Dial-In Users Unable to Connect to the Router 6-23 

Table 6-25 Users Pass Authentication on Console or VTY, but Not Both 6-24 

Table 6-26 User Fails Router Command 6-25 

Table 6-27 User Disconnected After Entering a Password 6-25 

Table 6-28 Users Access Incorrect Privilege Level Commands 6-26 

Table 6-29 Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected” 6-26 

Table 6-30 User Fails Router Command 6-27 

Table 6-31 User Disconnected After Entering Password 6-27 

Table 6-32 Users Access Incorrect Privilege Level Commands 6-28 

Table 6-33 Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected” 6-28 

Table 6-34 Router User Unable to Initiate Shell Session with Router 6-28 

Table 6-35 AVPs Not Working on Console Port 6-28 

Table A-1 Cisco IOS Commands Required to Set AAA for a Router A-13 

Table A-2 Cisco IOS Commands Used to Set AAA with PPP for NAS (RADIUS and TACACS+) A-14 

x 


OL-0397-01

Preface 

This case study describes various Cisco-based security and accounting capabilities for monitoring and 

managing access within a large-scale dial environment. 

Purpose 

This Internetworking Solutions Guide (ISG) case study provides examples intended to be models for 

building an effective, Cisco AAA-based security environment for dial-based and router environments. 

In following the procedures and recommendations provided in this document, readers should be able to: 

• Understand the working relationship among various Cisco AAA components, including NASs, 

AAA servers, and the AAA database. 

• Configure and verify operation for these AAA components. 

• Troubleshoot typical problems found in AAA environments. 

Audience 

The audience for this document consists of network engineers supporting large-scale dial networks. The 

audience is expected to have a basic understanding of Cisco IOS software, and a working knowledge of 

both the UNIX operating system and CiscoSecure for UNIX user interface. 

Scope 

This case study provides: 

• Complete network device configurations and specific fragments to support implementation task 

descriptions. 

• Example diagnostic output showing verification of correct configuration. 

• Troubleshooting output supporting problem scenarios show problem configurations and other AAA 

environment failures. 

• A foundation from which effective AAA-based security solutions can be tailored to specific 

network requirements. 

The information provided here does not include advanced tuning tips—nor does it provide a primer for 

the uninitiated novice. In addition, site planning and preparation are beyond the scope of this case study. 


xi

Related Documentation and Sites 

Preface 

Related Documentation and Sites 

The following URLs provide the essentials for preparing to install Cisco Secure for UNIX and NT: 

• CiscoSecure ACS for UNIX 

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx 

• CiscoSecure ACS for NT 

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt23 

• Oracle database implementation 

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csinstl.htm 

Software Used in This Case Study 

The features and capabilities described in this case require these software versions: 

• Cisco IOS 12.0(7)T 

• OS Solaris 2.5(1) 

• CiscoSecure for UNIX 2.3(3) 

• Oracle DB Server 7.3(4) 

• Oracle DB Client 7.3(4) 

• SQL*Plus: Release 3.3.4.0.1 

To identify other software versions that might apply, please contact your Cisco customer service 

representative. 

Hardware Used in This Case Study 

This case is built on a production environment consisting of a single authentication, authorization, and 

accounting (AAA) server, an Oracle-based AAA database, a Cisco network access server (NAS), and a 

router. The diagnostic captures and system configurations provided in this case study were derived from 

the following systems: 

• Cisco AS5300 or Cisco AS5800 network access server (NAS) 

• Cisco 7206 VXR router 

• Sun Microsystems server (UltraSPARC Enterprise 2 Model) 

– Two 200 MHz processors 

– One GB RAM 

– One internal 4.2 GB disk drive 

– CD-ROM drive 

The system used as a platform for CiscoSecure ACS for UNIX 2.3 must meet with the minimum system 

specifications described in the following URL: 

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/instl23.htm 

xii 

Cisco AAA Implementation Case Study

Preface 

Document Conventions 

Document Conventions 

Convention 

italic 

Description 

File names, paths to files, user names, and groups names used in 

descriptions. Example: /var/log/csuslog 

< > Angle brackets show nonprinting characters, such as passwords. 

! An exclamation point at the beginning of a line indicates a comment 

line. (Exclamation points are also displayed by the Cisco IOS software 

for certain processes.) 

[ ] Square brackets show default responses to system prompts. 

Command Syntax Conventions 

Convention 

bold 

Description 

Command or keyword that you must enter. This format is used for 

commands, paths to files, and file names when used within an example 

illustrating required input. 

italic 

Argument for which you supply a value. 

[x] 

Optional keyword or argument that you enter. 

{x | y | z} Required keyword or argument that you must enter. 

[x {y | z}] Optional keyword or argument that you enter with a required keyword or 

argument. 

string 

Set of characters that you enter. Do not use quotation marks around the 

character string, or the string will include the quotation marks. 

screen 

Information that appears on the screen. 

Important line of text in an example. 

^ or Ctrl 

Control key—for example, ^D means press the Control and the D keys 

simultaneously. 

< > Nonprinting characters, such as passwords. 

! Comment line at the beginning of a line of code. 

Cisco Connection Online 

Cisco Connection Online (CCO) is the primary, real-time support channel for Cisco Systems. 

Maintenance customers and partners can self-register on CCO to obtain additional information and 

services. 


xiii

Documentation CD-ROM 

Preface 

Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services 

to customers and business partners of Cisco Systems. CCO services include product information, 

product documentation, software updates, release notes, technical tips, the Bug Navigator, 

configuration notes, brochures, descriptions of service offerings, and download access to public and 

authorized files. 

CCO serves a wide variety of users through two interfaces that are updated and enhanced 

simultaneously: a character-based version and a multimedia version that resides on the World Wide 

Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet 

e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version 

of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as 

hyperlinks to related information. 

You can access CCO in the following ways: 

• http://www.cisco.com 

• http://www-europe.cisco.com 

• http://www-china.cisco.com 

• Telnet: cco.cisco.com 

• Modem: From North America, 408 526-8070; from Europe, 33 1 64 46 40 82. Use the following 

terminal settings: VT100 emulation; databits: 8; parity: none; stop bits: 1; and connection rates up 

to 28. 8kbps. 

For a copy of the CCO Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional 

information, contact cco-team@cisco.com. 

Note 

If you are a network administrator and need personal technical assistance with a Cisco 

product that is under warranty or covered by a maintenance contract, contact the Cisco 

Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To 

obtain general information about Cisco Systems, Cisco products, or upgrades, contact 

800 553-6387, 408 526-7208, or cs-rep@cisco.com. 

Documentation CD-ROM 

Cisco documentation and additional literature are available in a CD-ROM package, which ships with 

your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated 

monthly; therefore, it might be more current than printed documentation.To order additional copies of 

the Documentation CD-ROM, contact your local sales representative or call customer service. The 

CD-ROM package is available as a single package or as an annual subscription. You can also access 

Cisco documentation on theWorld Wide Web at http://www.cisco.com, http://www-china.cisco.com, 

or http://www-europe.cisco.com. 

Providing Documentation Feedback 

If you are reading Cisco product documentation on theWorld Wide Web, you can submit comments 

electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, 

click Submit to send it to Cisco. 

You can also submit feedback on Cisco documentation as follows: 

xiv 


Preface 

Acknowledgements 

• Mail in the Cisco Reader Comment Card located at the front of this book 

• Send an e-mail to bug-doc@cisco.com 

• Send a fax to 40 8527-8089 

We appreciate your comments. 


This ISG case study was created as a collaborative effort. The following team members participated in 

the creation of this document: Joellen Amato, Dave Anderson, Robert “Bob” Brown, Alan Dowling, 

Dianne Dunlap, Paul Hafeman, Anthony Hall, Kim Lew, Robert Lewis, Dave Leyland, Brian Murphy, 

Dang Nguyen, Nilesh Panicker, Anjali Puri, Robert Sargent, David Sims, Tim Stevenson, Kris 

Thompson, Craig Tobias, and Syed Atif Ullah. 


xv


Preface 

xvi 


CHAPTER 

1 

Cisco AAA Case Study Overview 

This chapter summarizes the technology behind AAA security solutions, outlines typical network 

definitions and network assumptions adopted for this case study, and lists tasks associated with 

implementing, verifying, and troubleshooting the AAA environment presented. Specific sections 

provided here are: 

• 1.1 AAA Technology Summary 

• 1.2 TACACS+ Overview 

• 1.3 RADIUS Overview 

• 1.4 Comparison of TACACS+ and RADIUS 

• 1.5 Differences in Implementing Local and Server AAA 

• 1.6 Scenario Description 

• 1.7 Planning Your Network 

• 1.8 Network Service Definitions 

• 1.9 Security Implementation Policy Considerations 

• 1.10 Network Equipment Selection 

• 1.11 Task Check List 

1.1 AAA Technology Summary 

Dial access presents a challenge to network managers entrusted with network security. This case study 

illustrates essential steps in planning and implementing authentication, authorization, and accounting 

(AAA) technologies based on Cisco product capabilities. 

For the purposes of this case study, the following generic definitions apply: 

• Authentication: The process of validating the claimed identity of an end user or a device, such as a 

host, server, switch, router, and so on. 

• Authorization: The act of granting access rights to a user, groups of users, system, or a process. 

• Accounting: The methods to establish who, or what, performed a certain action, such as tracking 

user connection and logging system users. 

Figure 1-1 illustrates a generalized view of a Cisco-based AAA environment, featuring a network 

access server (NAS) and AAA server. This basic arrangement forms the foundation for this case study. 


1-1

1.2 TACACS+ Overview 

Chapter 1 


Figure 1-1 

AAA-Based, Secure Network Access Scenario 

Network element 

management server 

(NTP, Syslog, SNMP) 

Oracle dB server 

Analog lines 

PSTN 

PRI lines 

AAA 

server 

Clients 

Modems 

Cisco AS5x00 

with integrated 

modems 

IP intranet 

DNS 

server 

Default 

gateway 

Internet 

firewall 

Internet 

35089 

In the context of the Cisco-based AAA environment addressed here, the key operational elements are 

network access servers (NASs), routers, and CiscoSecure Access Control Server for UNIX servers 

(referred to in this document as AAA servers). Depending on the conventions and requirements of your 

particular design, you can select a security environment which utilizes Terminal Access Controller 

Access Control System Plus (TACACS+) or Remote Authentication Dial-in User Service (RADIUS). 

This case study addresses implementation of both environments. 

1.1.1 AAA RFC References 

Requests for Comments (RFCs) play a crucial role in defining the behavior of devices in complex 

networking environments. The following RFCs are useful references for TACACS+ and RADIUS: 

• TACACS+: http://www.cisco.com/warp/public/459/tac-rfc.1.76.txt 

• TACACS: http://www.ietf.org/rfc/rfc1492.txt 

• MD5: http://www.ietf.org/rfc/rfc1321.txt 

• RADIUS: http://www.ietf.org/rfc/rfc2138.txt 

1.2 TACACS+ Overview 

Key TACACS+ features: 

• TACACS+ separates AAA into three distinct functions (Authentication, Authorization and 

Accounting). 

• TACACS+ supports router command authorization integration with advanced authentication 

mechanisms, such as Data Encryption Standard (DES) and One-Time Password (OTP) key. 

• TACACS+ supports 16 different privilege levels (0-15). 

1-2 


Chapter 1 


1.3 RADIUS Overview 

• TACACS+ permits the control of services, such as Point-to-Point Protocol (PPP), shell, standard 

log in, enable, AppleTalk Remote Access (ARA) protocol, Novell Asynchronous Services Interface 

(NASI), remote command (RCMD), and firewall proxy. 

• TACACS+ permits the blocking of services to a specific port, such as a TTY or VTY interface on 

arouter. 

The most common services supported by TACACS+ are PPP for IP and router EXEC shell access using 

console or VTY ports. EXEC shell allows users to connect to router shells and select services, such as 

PPP, Telnet, TN3270, or manage the router itself. 

Many TACACS+ servers are available on the market today; however, the AAA server is designed 

specifically to be scalable and compatible with Cisco's broad line of routers, access servers, and 

switches. Hence, this case utilizes the Cisco AAA server as the TACACS+ server of choice. 

When configured correctly, the AAA server validates AAA and responds to requests from routers and 

access servers with a pass or fail signal. The AAA server contains an internal database sized to 5000 

users; therefore, an external Oracle database is used in our case study for user account attributes and 

billing information. 

The AAA server acts as a proxy server by using TACACS+ to authenticate, authorize, and account for 

access to Cisco routers and network access servers. 

1.3 RADIUS Overview 

The RADIUS protocol was developed by Livingston Enterprises, Inc., as an access server authentication 

and accounting protocol. The RADIUS specification (RFC 2138) is a proposed standard protocol and 

RADIUS accounting standard (RFC 2139) is informational. 

Although TACACS+ is considered to be more versatile, RADIUS is the AAA protocol of choice for 

enterprise ISPs because it uses fewer CPU cycles and is less memory intensive. 

Communication between a network access server (NAS) and a RADIUS server is based on the User 

Datagram Protocol (UDP). Generally, the RADIUS protocol is considered a connectionless service. 

Issues related to server availability, retransmission, and timeouts are handled by the RADIUS-enabled 

devices rather than the transmission protocol. 

RADIUS is a client/server protocol. The RADIUS client is typically a NAS and the RADIUS server is 

usually a daemon process running on a UNIX or Windows NT machine. The client passes user 

information to designated RADIUS servers and acts on the response that is returned. RADIUS servers 

receive user connection requests, authenticate the user, and then return the configuration information 

necessary for the client to deliver services to the user. A RADIUS server can act as a proxy client to 

other RADIUS servers or other kinds of authentication servers. 


1-3

1.4 Comparison of TACACS+ and RADIUS 

Chapter 1 



Table 1-1 summarizes the differences between RADIUS and TACACS+. 

Table 1-1 

Comparison of RADIUS andTACACS+ 

RADIUS 

RADIUS uses UDP. 

RADIUS encrypts only the password in the 

access-request packet; less secure. 

RADIUS combines authentication and 

authorization. 

Industry standard (created by Livingston). 

RADIUS does not support ARA access, Net BIOS 

Frame Protocol Control protocol, NASI, and X.25 

PAD connections. 

RADIUS does not allow users to control which 

commands can be executed on a router. 

TACACS+ 

TACACS+ uses TCP. 

TACACS+ encrypts the entire body of the packet; 

more secure. 

TACACS+ uses the AAA architecture, which 

separates authentication, authorization, and 

accounting. 

Cisco Proprietary. 

TACACS+ offers multiprotocol support. 

TACACS+ provides two ways to control the 

authorization of router commands: on a per-user 

or per-group basis. 

1.4.1 UDP and TCP 

RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a 

connection-oriented transport, while UDP offers best effort delivery. RADIUS requires additional 

programmable variables, such as retransmit attempts and time-outs to compensate for best-effort 

transport, and it lacks the level of built-in support that reliable transport offers: 

• Using TCP provides a separate acknowledgment that a request has been received, within 

(approximately) a network RTT, regardless of bandwidth. (TCP ACK). 

• TCP provides immediate indication of a crashed (or not running) server (RST packets).You can 

determine when a server has crashed and come back up if you use long-lived TCP connections. 

UDP cannot tell the difference between a server that is out-of-service,slow, or non-existent server. 

• By using TCP keepalives, you can detect server crashes out-of-band with actual requests. 

Connections to multiple servers can be maintained simultaneously, and you only need to send 

messages to the servers that are known to be up and running. 

• TCP is more scalable than UDP. 

1.4.2 Packet Encryption 

RADIUS encrypts only the password in the access-request packet from the client to the server. The 

remainder of the packet is in the clear. Other information, such as username, authorized services, and 

accounting, can be captured by a third party. 

RADIUS can use encrypted passwords by using the UNIX /etc/password file; however, this process is 

slow because in involves a linear search of the file. 

1-4 


Chapter 1 



TACACS+ encrypts the entire body of the packet but leaves a standardTACACS+ header. Within the 

header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful 

to have the body of the packets in the clear. However, normal operation fully encrypts the body of the 

packet for more secure communications. 

1.4.3 Authentication and Authorization 

RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS 

server to the client contain authorization information, making it difficult to decouple authentication and 


TACACS+ uses the AAA architecture, which separates authentication, authorization, and accounting. 

This architecture allows separate authentication solutions that can still use TACACS+ for authorization 

and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and 

TACACS+ authorization and accounting. After a NAS passes authentication on a Kerberos server, it 

requests authorization information from a TACACS+ server without having to re-authenticate the NAS 

by using the TACACS+ authentication mechanism. The NAS informs the TACACS+ server that it has 

successfully passed authentication on a Kerberos server, and the server then provides authorization 

information. 

During a session, if additional authorization checking is needed, the access server checks with a 

TACACS+ server to determine if the user is granted permission to use a particular command. This 

provides greater control, compared to RADIUS, over the commands that can be executed on the access 

server while decoupling the authorization process from the authentication mechanism. 

1.4.4 Multiprotocol Support 

RADIUS does not support the following protocols (which are supported byTACACS+): 

• AppleTalk Remote Access (ARA) protocol 

• Net BIOS Frame Protocol Control protocol 

• Novell Asynchronous Services Interface (NASI) 

• X.25 PAD connection 

1.4.5 Router Management 

RADIUS does not allow users to control which commands can be executed on a router and which 

cannot; therefore, when compared with TACACS+, RADIUS is not as useful for router management and 

is not as flexible for terminal services. 

TACACS+ provides two ways to control the authorization of router commands on a per-user or 

per-group basis. The first way is to assign privilege levels to commands and have the router verify with 

the TACACS+ server whether or not the user is authorized at the specified privilege level. The second 

way is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands 

that are allowed. 


1-5

1.5 Differences in Implementing Local and Server AAA 

Chapter 1 


1.4.6 Interoperability 

The RADIUS standard does not guarantee interoperability. Although several vendors implement 

RADIUS clients, this does not ensure they are interoperable. There are approximately 45 standard 

RADIUS ATTRIBUTES. Using standard ATTRIBUTES improves the likelihood of interoperability. 

Using proprietary extensions reduces interoperability. 

1.4.7 Attribute-Value Pairs (AVPs) 

Throughout this case study, implementation tasks and diagnostic procedures refer to attribute-value 

pairs (AVPs). Each AVP consists of a type identifier associated with one or more assignable values. 

AVPs specified in user and group profiles define the authentication and authorization characteristics for 

their respective users and groups.TACACS+ and RADIUS implement an array ofAVPs, each with 

separate type definitions and characteristics. Table 1-2 and Table 1-3 illustrate several typical AVPs. 

Table 1-2 

Examples of RADIUS AVPs 

Attribute 

User-Name 

Password 

CHAP-Password 

Client-Id 

Login-Host 

Login-Service 

Login-TCP-Port 

Type of Value 

String 

String 

String 

IP address 

IP address 

Integer 

Integer 

Table 1-3 

Examples of TACACS+ AVPs 

Attribute 

Inacl 

Addr-pool 

Addr 

Idletime 

protocol 

timeout 

Outacl 

Type of Value 

Integer 

String 

IP address 

Integer 

Keyword 

Integer 

Integer 


AAA requirements differ between local-based and server-based environments. Throughout this case 

study, procedures and examples refer to scenarios based on this important distinction. 

In local-based AAA access, users are permitted or denied access based on local AAA IOS account 

configuration. For the purposes of this case study, local-based AAA access features these attributes: 

1-6 


Chapter 1 



• User accounts are stored in router or NAS configurations. 

• AVPs only are supported from EXEC shell terminal access. 

• Limited set of AVPs are supported. 

• AAA negotiation is performed internally by the Cisco IOS and is not protocol specific. 

Figure 1-2 illustrates three local-based connectivity situations to consider: 

• Local-based console access 

• Local-based virtual terminal type (VTY) connections 

• Local-based dial access 

Figure 1-2 

Local-Based Access Options 

Local-based 

console access 

IP 

Local-based 

VTY access (Telnet) 

IP 

Modem 

PSTN 

Local-based 

dial access 

IP 

31348 

In server-based AAA access, users and groups are permitted or denied access based on AAA 

negotiations between s router or NAS and the AAA server. See the following attributes of server-based 

AAA access features: 

• User or group profiles and accounting records stored in an internal or external database 

• AVPs supported on both standard and EXEC shell-initiated PPP sessions 

• Wide array ofAVPs supported, including vendor-specific (non-Cisco) AVPs 

Figure 1-3 illustrates the three server-based connectivity situations: 

• Server-based console access 

• Server-based VTY connections 

• Server-based dial access 


1-7

1.6 Scenario Description 

Chapter 1 


Figure 1-3 

Server-Based Access Options 

Server-based 

console access 

IP 

AAA server 

Server-based 


IP 


Server-based 

dial access 

Modem 

PSTN 

IP 


31347 

Each connectivity scenario illustrated in Figure 1-2 and Figure 1-3 involves situation-specific 

requirements. As a result, each scenario also contains situation-specific implementation and 

troubleshooting considerations. The diagnostic chapters that follow present a series of implementation 

steps (configuring, verifying, and testing) symptoms, problems, and suggested diagnostic processes that 

reflect both these differences and similarities. 

1.6 Scenario Description 

The baseline network environment for a hypothetical access network scenario is used as a foundation 

for assessing the application of various security and management features available from Cisco. 

Figure 1-1 (presented in “1.1 AAA Technology Summary”) illustrates the underlying network 

environment and relationship between AAA components. The high-level AAA objectives: 

• Enable secure dialup service to access an intranet and the Internet by using the public switched 

telephone network (PSTN). 

• Build a manageable, redundant, and secure access strategy that supports large dialup access 

implementations. 

• Provide versatile means of controlling administrative access to routers. 

1-8 


Chapter 1 


1.7 Planning Your Network 

• Account for configuration changes in routers. 

1.7 Planning Your Network 

A network design engineer meets with each company to complete the following tasks: 

• Complete a needs assessment dial questionnaire. 

• Create a user-network service definition. 

• Recommend a network implementation and operation strategy. 

The following tables present two checklists that were completed for this case study.Tabl e1-4 focuses 

on general networking issues. Table 1-5 focuses on AAA implementation issues. Both checklists apply 

to a hypothetical network referred to in this case as Access Network. 

Table 1-4 

General Service Definition Checklist 

General Access Network Checklist Questions 

What media do you want to use to provide dialup 

service? 

How many dial-in users does the new equipment 

need to support over the next 3 months, 1 year, 

and 5 years? 

What kind of remote nodes do you want to 

support? 

When users connect to modems, what will they be 

allowedtodo? 

Will you allow users to change their own 

passwords? If yes, how? 

What kind of dialup operating systems do you 

want to support? 

Do you want to support remote routers? 

Do you want to use an external authentication 

database such as Windows NT or Novel NDS? 

Do you want to support per user protocol and 

attribute definitions? 

Do you want to support dial out? 

Do you want to support PPP timeouts? 

Doyouwanttoworkwithanexistingaccounting 

system? 

Do you have an existing network element server? 

Access Network Policy 

Plain old telephone service (POTS) analog 

modems 

ISDN 

3 months: 2000 users 

1 Year: 5,000 users 

5 Years: 10,000 users 

Modems, terminal adapters, ISDN modems 

Support EXEC shell sessions (async terminal 

service) 

Support PPP sessions 

Yes 

EXEC shell (character-mode session) 

Windows, UNIX, Macintosh 

Asynch DDR or multiple B-channel access 

Yes, Oracle 

Yes 

No 

No 

Yes 

Yes 


1-9

1.8 Network Service Definitions 

Chapter 1 


Table 1-5 

AAA Service Definition Checklist 

Access Network AAA Checklist Questions 

What AAA protocols do you plan to deploy? 

Where do you want the users’ passwords to be 

stored? 

Do you plan to support one-time passwords? If so, 

what tool do you plan to use to support this 

requirement? 

Do you intend to implement database replication? 

Do you require support for token caching? 

What type of accounts currently exist? 

Do you plan to implement an AAA server? If so, 

on which product? 

What database do you plan to use? 


RADIUS and TACACS+ 

External Oracle database 

No 

No 

No 

UNIX, NT 

Yes, CiscoSecure for UNIX 

External, Oracle 


Based on the checklist information providedin Ta ble1-4 and Ta ble1-5, the following service 

definitions (stated as policies) can be asserted for this environment. 

Dialup and router shell access AAA requirements are characterized in the following sections: 

• 1.8.1 Authentication Policy 

• 1.8.2 Authorization Policy 

• 1.8.3 Accounting Policy 

1.8.1 Authentication Policy 

Separate the authentication policy into two distinct sections: router administration and dialup PPP. 

Policies relating to router administration involve creating support for the following two authentication 

elements: 

• DES passwords stored in external database 

• Local user if connection to AAA server is down 

Policies relating to dialup PPP involve creating support for the following two authentication elements: 

• Password Authentication Protocol (PAP) for dialup PPP authentication 

• Challenge Handshake Authentication Protocol (CHAP) for remote ISDN devices 

1-10 


Chapter 1 



1.8.2 Authorization Policy 

Separate the authorization policy into two distinct sections: router administration and dialup PPP. 

Policies relating to router administration involve creating support for the following authorization 

elements: 

• Privilege level 15 command authorization 

• Three levels of router administration command control (low, medium, and high) 

• Privilege level 15 assigned to local users, which is valid only if an AAA server is down 

Policies relating to dialup PPP involve creating support for the following authorization elements: 

• Apply autocommand ppp negotiate to all groups other than router administrators 

• Access control list filtering as required 

• AVP support for all dial access devices 

1.8.3 Accounting Policy 

Accounting records are exported from an Oracle database using SQL queries. Separate the accounting 

policy into two distinct sections: router administration and dialup PPP. 

Policies relating to router administration involve creating support for the following accounting 

elements: 

• Failed log in attempts 

• Privilege level 15 commands 

• Failed command authorization 

• Start, stop, and elapsed times of sessions 

• Source IP address of routers 

Policies relating to dialup PPP involve creating support for the following accounting elements: 

• Failed log in attempts 

• Start, stop, and elapsed time of sessions 

• Disconnect cause codes 

• Caller ID if applicable 


1-11

1.9 Security Implementation Policy Considerations 

Chapter 1 


1.9 Security Implementation Policy Considerations 

Table 1-6 present checklists summarizing the key security policy elements of this case. 

Table 1-6 

AAA Security Checklist 

Access Network AAA Checklist Questions 

What is the current security policy for passwords? 

What services will be denied? 

What type of mechanism will exist if AAA server 

is down? 

Are local accounts allowed in routers and NASs? 

What accounting information is required? 

What type of accounting mechanism will be used? 

Who is responsible for reviewing daily logs? 

Will users be allowed concurrent sessions? 

What type of administrative access will be 

assigned to router administrators? 

Support for Multilink? 


PAP for dial-in PPP users 

CHAP passwords for dialup routers 

DES passwords for router administrators 

Concurrent sessions for dial-in users 

EXEC shell access for dial-in PPP users 

Access to specific hosts within the corporate 

intranetwork 

Access to specific network services, such as 

Telnet, FTP, and rlogin 

Local privilege level 15 account 

Authentication and authorization disabled on 

console port 

Yes 

Username 

Privilege level of clients 

Session start and stop times 

Elapsed time 

Privilege level 15 command usage 

Configuration changes 

Failed log in attempts 

Failed command authorizations 

Customer written SQL query to Oracle database 

Network managers 

Dialup PPP = No 

Dialup router = Yes 

Router administrator = Yes 

Full control assigned to senior router 

administrators 

Basic control assigned to junior router 

administrators 

Customized command control for mid-level 

router administrators 

Yes 

1-12 


Chapter 1 


1.10 Network Equipment Selection 

In addition to these considerations, security-related attributes addressed in this case include: 

• Per-User Static IP Address Policy—Static IP addresses are assigned to required personnel to access 

specific areas within the internetwork. 

• Password Authentication and Command Authorization Policy—DES password support is 

segregated into two elements: privilege level and command authorization. Within that context, three 

levels of privilege are supported in this case: low, medium, and high, with high having full control 

assigned. Command authorization at privilege level 15 is enforced. A local user with privilege level 

15 is used in the event that the connection to the AAA server is down. 

1.10 Network Equipment Selection 

Figure 1-1 (presented in “1.1 AAA Technology Summary”) shows the specific devices used in the 

dialup access environment. Based on the requirements detailed in Table 1-4, Table 1-5, and Table 1-6, 

the following network entities were selected for this case study: 

• Remote clients using modems to access the IP intranet and IP Internet through the public switched 

telephone network (PSTN). 

• An AAA server. 

• An password authentication server. 

• An external Oracle database server acts as the repository for all user profile information. 

• An element management server performs basic dial access system management by using the 

network time protocol (NTP), system logs (syslog), and simple network management protocol 

(SNMP). 

• A remote AAA server performs basic user authentication. 

• A default gateway forwards packets to the IP intranet and IP Internet. 


1-13

1.11 Task Check List 

Chapter 1 



Table 1-7 summarizes AAA management implementation and operation activities for the hypothetical 

network in this case study. This case focuses on illustrating implementation of specific AAA-related 

security and management options over an Access Path implementation. Refer to Cisco AS5x00 Case 

Study for Basic IP Modem Service for specifics regarding commissioning Cisco access servers to 

support modem services at the following URL: 

http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/as5xipmo/index.htm 

Table 1-7 

AAA Task Checklist 

Task 

Chapter 2, “Implementing the Local AAA 

Subsystem” 

Chapter 3, “Implementing Cisco AAA 

Servers” 

Chapter 4, “Implementing the Server-Based 

AAA Subsystem” 

Topic 

2.1 Implementing Local Dialup 

Authentication 

2.2 Implementing Local Dialup 

Authorization 

2.3 Implementing Local Router 


2.4 Implementing Local Router 

Authorization 

2.5 Implementing Local Router Accounting 

3.1 Installing CiscoSecure for UNIX with 

Oracle 

4.1ImplementingServer-BasedTACACS+ 

Dialup Authentication 


Dialup Authorization 

4.3ImplementingServer-BasedRADIUS 

Dialup Authentication 

4.4ImplementingServer-BasedRADIUS 

Dialup Authorization 


Router Authentication 


Router Authorization 

1-14 


Chapter 1 



Table 1-7 

AAA Task Checklist 

Task 

Chapter 5, “Implementing Server-Based AAA 

Accounting” 

Chapter 6, “Diagnosing and Troubleshooting 

AAA Operations” 

Topic 


Dial Accounting 


Router Accounting 

6.1 Overview of Authentication and 

Authorization Processes 

6.2 Troubleshooting AAA Implementation 

• 6.2.1 Troubleshooting Methodology 

Overview 

• 6.2.2 Cisco IOS Debug Command 

Summary 

6.3 AAA Troubleshooting Basics 

6.4 Troubleshooting Scenarios 


1-15


Chapter 1 


1-16 


CHAPTER 

2 

Implementing the Local AAA Subsystem 

This chapter focuses on local AAA implementation and describes the following topics: 

• 2.1 Implementing Local Dialup Authentication 

• 2.2 Implementing Local Dialup Authorization 

• 2.3 Implementing Local Router Authentication 

• 2.4 Implementing Local Router Authorization 

Note 

See “1.1 AAA Technology Summary,” in Chapter 1 for brief definitions of authentication, 

authorization, and accounting as they relate to AAA security implementation. 

Server-based authentication, authorization, and accounting issues are described in the following 

chapters: 

• Chapter 3, “Implementing Cisco AAA Servers” 

• Chapter 4, “Implementing the Server-Based AAA Subsystem” 

• Chapter 5, “Implementing Server-Based AAA Accounting” 

• Chapter 6, “Diagnosing and Troubleshooting AAA Operations” 

Caution 

The example configuration fragments used throughout this chapter include IP addresses, 

passwords, authentication keys, and other variables that are specific to this case study. If 

you use these fragments as foundations for you own configurations, be sure that your 

specifications apply to your environment. 


2-1

2.1 Implementing Local Dialup Authentication 

Chapter 2 



These steps help you to establish local-based dial authentication as illustrated in Figure 2-1: 

1. Configure basic dial access. 

2. Verify basic dial access. 

Figure 2-1 

Local-Based Dial Access Environment 

Modem 

PSTN 

Local-based 

dial access 

IP 

35054 

Step 1 

Configure basic dial access. 

Include the following Cisco IOS configuration commands in your configuration to construct dial access 

local authentication control: 

aaa new-model 

aaa authentication login default local 

aaa authentication ppp default if-needed local 

username diallocal password xxxxxx 

interface Group-Async1 

ip unnumbered Loopback0 

no ip directed-broadcast 

encapsulation ppp 

ip tcp header-compression passive 

no logging event link-status 

dialer in-band 

dialer idle-timeout 900 

async mode interactive 

no snmp trap link-status 

peer default ip address pool default 

no fair-queue 

no cdp enable 

ppp max-bad-auth 3 

ppp authentication pap chap 

group-range 1 48 

line 1 48 

exec-timeout 48 0 

autoselect during-login 

autoselect ppp 

absolute-timeout 240 

script dialer cisco_default 

modem InOut 

modem autoconfigure type mica 

transport preferred telnet 

transport input all 

transport output pad telnet rlogin udptn 

2-2 


Chapter 2 



Note See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A, 

“AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA 

commands. 

Step 2 

Verify basic dial access. 

a. To verify user access, initiate a login process as follows: 

maui-nas-01#login 

User Access Verification 

Username:diallocal 

Password: 

b. To determine that local dial access authentication is operating correctly, enter the debug aaa 

authentication and debug ppp authentication commands. 

The following debug output contains only pertinent information: 

maui-nas-01# 

Debugs in NAS then initiate dialup: 

maui-nas-01#debug aaa authentication 

AAA Authentication debugging is on 

maui-nas-01#debug ppp authentication 

PPP authentication debugging is on 

maui-nas-01#show debug 

General OS: 


PPP: 

PPP authentication debugging is on 


2-3


Chapter 2 


The following shell-initiated PPP session example shows the AAA debug output that confirms 

correct configuration for local authentication: 

Note 

The method used is LOCAL. 

113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' 

ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1 

113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' 

action=LOGIN service=LOGIN 

113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list 

113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL 

113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER 

113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login 

(user='(undef)') 


113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL 

113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS 

113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login 

(user='diallocal') 

113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS 

113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL 

113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS 

113136: Feb 4 10:11:32.582 CST: As1 PPP: Treating connection as a callin 

113137: Feb 4 10:11:32.582 CST: AAA/MEMORY: dup_user (0x61DF306C) user='dialuser' 

ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=PPP priv=1 

source='AAA dup lcp_reset' 

113138: Feb 4 10:11:32.582 CST: As1 AAA/AUTHEN: Method=IF-NEEDED: no authentication 

needed. user='diallocal' port='tty1' rem_addr='async/81560' 

113139: Feb 4 10:11:32.582 CST: AAA/MEMORY: free_user (0x619C4940) user='dialuser' 


113140: Feb 4 10:11:33.158 CST: AAA/MEMORY: dup_user (0x6193A788) user='dialuser' 


source='AAA dup lcp_reset' 

113141: Feb 4 10:11:33.158 CST: AAA/MEMORY: free_user (0x61DF306C) user='dialuser' 


113142: Feb 4 10:11:33.158 CST: As1 AAA/AUTHEN: Method=IF-NEEDED: no authentication 

needed. user='diallocal' port='tty1' rem_addr='async/81560' 

2-4 


Chapter 2 


2.2 Implementing Local Dialup Authorization 

The following example of a non-shell-initiated PPP session shows AAA debug output that confirms 

correct configuration for local authentication: 

Note 

The method used is LOCAL. 

113151: Feb 4 10:13:27.670 CST: AAA/MEMORY: create_user (0x61DFE188) user='' 


113152: Feb 4 10:13:27.670 CST: AAA/AUTHEN/START (776784700): port='tty2' list='' 





113156: Feb 4 10:13:27.710 CST: AAA/AUTHEN/ABORT: (776784700) because Autoselected. 

113157: Feb 4 10:13:27.710 CST: AAA/MEMORY: free_user (0x61DFE188) user='' ruser='' 

port='tty2' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1 

113158: Feb 4 10:13:29.842 CST: As2 PPP: Treating connection as a callin 

113159: Feb 4 10:13:34.834 CST: As2 PAP: I AUTH-REQ id 1 len 18 from "diallocal" 

113160: Feb 4 10:13:34.834 CST: As2 PAP: Authenticating peer diallocal 

113161: Feb 4 10:13:34.838 CST: AAA: parse name=Async2 idb type=10 tty=2 

113162: Feb 4 10:13:34.838 CST: AAA: name=Async2 flags=0x11 type=4 shelf=0 slot=0 

adapter=0 port=2 channel=0 

113163: Feb 4 10:13:34.838 CST: AAA: parse name=Serial0:3 idb type=12 tty=-1 

113164: Feb 4 10:13:34.838 CST: AAA: name=Serial0:3 flags=0x51 type=1 shelf=0 slot=0 


113165: Feb 4 10:13:34.838 CST: AAA/MEMORY: create_user (0x61ABBCE4) user='dialuser' 

ruser='' port='Async2' rem_addr='async/81560' authen_type=PAP service=PPP priv=1 

113166: Feb 4 10:13:34.838 CST: AAA/AUTHEN/START (1001880850): port='Async2' list='' 

action=LOGIN service=PPP 


113168: Feb 4 10:13:34.838 CST: AAA/AUTHEN (1001880850): status = UNKNOWN 


113170: Feb 4 10:13:34.838 CST: AAA/AUTHEN (1001880850): status = PASS 

113171: Feb 4 10:13:34.838 CST: As2 PAP: O AUTH-ACK id 1 len 5 


These processes help you to accomplish the following tasks: 

1. Configure dial access configuration for local authorization on the NAS. 

2. Verify and troubleshoot local authorization from NAS. 

3. Verify that access list 110 is assigned. 

Note 

Attribute-value pairs (AVPs) only are supported with EXEC shell initiated PPP 

sessions for local accounts. Configure dial access clients to “Bring Up a Terminal 

Window After Dial”. 


2-5


Chapter 2 


Step 1 

Configure dial access configuration for local authorization on the NAS. 

Include the following Cisco IOS configuration commands in your configuration to construct dial access 

local authorization: 

aaa new-model 


aaa authentication ppp default if-needed local 

aaa authorization exec default local if-authenticated 

aaa authorization network default local if-authenticated 

username dialclient access-class 110 password ciscorocks 

username dialclient autocommand ppp negotiate 

access-list 110 deny tcp any any eq telnet 

access-list 110 permit tcp any any 



commands. 

Step 2 

Verify and troubleshoot local authorization from NAS. 

To verify local dial access authorization is operating correctly, enter the debug aaa authorization 

command. 

The following EXEC sequence illustrates that the appropriate command is enabled: 

5800-NAS#show debug 

General OS: 

AAA Authorization debugging is on 

The following example of a shell-initiated session shows the AAA debug output that confirms correct 

configuration for local authorization. Some points to note about this debug output: 

• Method used is LOCAL. 

• Autocommand used is PPP negotiate. 

• Access list used is 110. 

• Authorization is successful. 

The following tests illustrate operations described in “2.4 Implementing Local Router Authorization” 

and include relevant router output: 

1. User diallocal is authorized EXEC Shell Service (Terminal Window After Dial enabled). 

2. EXEC Authorization in action; access-list 110 and autocommand=ppp negototiate AVPs processed. 

3. User diallocal is authorized PPP Network Service. 

4. User diallocal is authorized LCP. 

5. User diallocal is authorized IPCP. 

The following diagnostic results are presented in the order in which they are generated during the 

authorization process. Specific output fragments are differentiated with brief explanatory notes to help 

you identify relevant information. 

2-6 


Chapter 2 



Note 

The debug command output can vary depending on Cisco IOS versions. 

1. User diallocal is authorized EXEC Shell Service (Terminal Window After Dial enabled). 

NAS debug output: 

07:10:52: As10 AAA/AUTHOR/EXEC (693880654): Port='tty10' list='' service=EXEC 

07:10:52: AAA/AUTHOR/EXEC: As10 (693880654) user='diallocal' 

07:10:52: As10 AAA/AUTHOR/EXEC (693880654): send AV service=shell 

07:10:52: As10 AAA/AUTHOR/EXEC (693880654): send AV cmd* 

07:10:52: As10 AAA/AUTHOR/EXEC (693880654): found list "default" 

07:10:52: As10 AAA/AUTHOR/EXEC (693880654): Method=LOCAL 

07:10:52: As10 AAA/AUTHOR (693880654): Post authorization status = PASS_ADD 

2. EXEC Authorization in action; access-list 110 and autocommand=ppp negototiate AVPs 

processed. 


07:10:52: AAA/AUTHOR/EXEC: Processing AV service=shell 

07:10:52: AAA/AUTHOR/EXEC: Processing AV cmd* 

07:10:52: AAA/AUTHOR/EXEC: Processing AV autocmd=ppp 

07:10:52: AAA/AUTHOR/EXEC: Processing AV acl=110 

07:10:52: AAA/AUTHOR/EXEC: Authorization successful 

3. User diallocal is authorized PPP Network Service. 


07:10:52: As10 AAA/AUTHOR/PPP (2856468577): Port='tty10' list='' service=NET 

07:10:52: AAA/AUTHOR/PPP: As10 (2856468577) user='diallocal' 

07:10:52: As10 AAA/AUTHOR/PPP (2856468577): send AV service=ppp 

07:10:52: As10 AAA/AUTHOR/PPP (2856468577): send AV protocol=ip 

07:10:52: As10 AAA/AUTHOR/PPP (2856468577): send AV addr-pool*default 

07:10:52: As10 AAA/AUTHOR/PPP (2856468577): found list "default" 

07:10:52: As10 AAA/AUTHOR/PPP (2856468577): Method=LOCAL 

07:10:52: As10 AAA/AUTHOR (2856468577): Post authorization status = PASS_REPL 

4. User diallocal is authorized LCP. 


07:10:52: AAA/AUTHOR/Async10: PPP: Processing AV service=ppp 

07:10:52: AAA/AUTHOR/Async10: PPP: Processing AV protocol=ip 

07:10:52: AAA/AUTHOR/Async10: PPP: Processing AV addr-pool*default 

07:10:54: AAA/MEMORY: free_user (0x61851148) user='diallocal' ruser='' port='tty 

10' rem_addr='65004/65301' authen_type=ASCII service=LOGIN priv=1 

07:10:56: AAA/MEMORY: free_user (0x61532710) user='diallocal' ruser='' port='tty 

10' rem_addr='65004/65301' authen_type=ASCII service=PPP priv=1 

07:10:56: As10 AAA/AUTHOR/FSM: (0): LCP succeeds trivially 

07:10:58: As10 AAA/AUTHOR/LCP: Authorize LCP 

07:10:58: As10 AAA/AUTHOR/LCP (3185006257): Port='tty10' list='' service=NET 

07:10:58: AAA/AUTHOR/LCP: As10 (3185006257) user='diallocal' 

07:10:58: As10 AAA/AUTHOR/LCP (3185006257): send AV service=ppp 

07:10:58: As10 AAA/AUTHOR/LCP (3185006257): send AV protocol=lcp 

07:10:58: As10 AAA/AUTHOR/LCP (3185006257): found list "default" 

07:10:58: As10 AAA/AUTHOR/LCP (3185006257): Method=LOCAL 



2-7

2.3 Implementing Local Router Authentication 

Chapter 2 


5. User diallocal is authorized IPCP. 


07:10:58: As10 AAA/AUTHOR/LCP: Processing AV service=ppp 

07:10:58: As10 AAA/AUTHOR/LCP: Processing AV protocol=lcp 

07:10:58: As10 AAA/AUTHOR/FSM: (0): Can we start IPCP? 

07:10:58: As10 AAA/AUTHOR/FSM (321297806): Port='tty10' list='' service=NET 

07:10:58: AAA/AUTHOR/FSM: As10 (321297806) user='diallocal' 

07:10:58: As10 AAA/AUTHOR/FSM (321297806): send AV service=ppp 

07:10:58: As10 AAA/AUTHOR/FSM (321297806): send AV protocol=ip 

07:10:58: As10 AAA/AUTHOR/FSM (321297806): found list "default" 

07:10:58: As10 AAA/AUTHOR/FSM (321297806): Method=LOCAL 


07:10:58: As10 AAA/AUTHOR/FSM: We can start IPCP 

Step 3 

Verify that access list 110 is assigned. 

To verify that access list 110 is being used to control access, enter the show line command as follows: 

maui-nas-03#show line 10 

Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int 

A 10 TTY - inout - 110 - 1 0 0/0 - 

Note 

Access lists can be defined as either input or output access lists. As configured and applied 

in this environment, access list 110 is an output access list assigned with the acl=110 AVP. 

In the show line listing, AccO refers to output access list 110. In this case, AccI is not set 

(indicated by a dash). 


These processes help you to establish local-based router authentication as illustrated in Figur e2-2: 

1. Configure basic router access. 

2. Verify local authentication operation. 

Figure 2-2 

Local-Based Router Environment 

Local-based 


IP 

35053 

2-8 


Chapter 2 



Step 1 

Configure basic router access. 

Include the following Cisco IOS configuration commands in your configuration to enforce local on all 

interfaces except the console port: 

username rtr_super privilege 15 password ciscorules 

! 

aaa new-model 


aaa authentication login NO_AUTHENT none 

! 

line con 0 

login authentication NO_AUTHENT 

Note 

The NO_AUTHENT list disables authentication on the console port. See “A.2 

Router AAA Command Implementation Descriptions” in Appendix A, “AAA 

Device Configuration Listings” for notes regarding Cisco IOS AAA commands. 

Step 2 

Verify local authentication operation. 

a. To verify user access, initiate a login process as follows: 

maui-rtr-03#login 


Username: rtr_super 

Password: 

maui-rtr-03# 


2-9

2.4 Implementing Local Router Authorization 

Chapter 2 


b. To determine that local dial access authentication is operating correctly, enter the debug aaa 

authentication command as follows: 

maui-rtr-03#debug aaa authentication 


maui-rtr-03#show debug 

General OS: 


maui-rtr-03#terminal monitor 

Feb 17 15:34:47.147: AAA: parse name=tty3 idb type=-1 tty=-1 

Feb 17 15:34:47.147: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 

channel=0 

Feb 17 15:34:47.147: AAA/MEMORY: create_user (0x61F88D2C) user='' ruser='' 

port='tty3' rem_addr='172.22.61.17' authen_type=ASCII service=LOGIN priv=1 

Feb 17 15:34:47.147: AAA/AUTHEN/START (3701879404): port='tty3' list='' action=LOGIN 

service=LOGIN 

Feb 17 15:34:47.147: AAA/AUTHEN/START (3701879404): using "default" list 

Feb 17 15:34:47.147: AAA/AUTHEN/START (3701879404): Method=LOCAL 

Feb 17 15:34:47.147: AAA/AUTHEN (3701879404): status = GETUSER 

Feb 17 15:34:49.679: AAA/AUTHEN/CONT (3701879404): continue_login (user='(undef)') 

Feb 17 15:34:49.679: AAA/AUTHEN (3701879404): status = GETUSER 

Feb 17 15:34:49.679: AAA/AUTHEN/CONT (3701879404): Method=LOCAL 

Feb 17 15:34:49.679: AAA/AUTHEN (3701879404): status = GETPASS 

Feb 17 15:34:51.467: AAA/AUTHEN/CONT (3701879404): continue_login (user='rtr_super') 

Feb 17 15:34:51.467: AAA/AUTHEN (3701879404): status = GETPASS 

Feb 17 15:34:51.467: AAA/AUTHEN/CONT (3701879404): Method=LOCAL 

Feb 17 15:34:51.467: AAA/AUTHEN (3701879404): status = PASS 


Local router authorization is implemented through router command authorization configuration. The 

following example: 

• Shows how to create two privilege levels (1 and 15) with local access andhow to control the access 

to global configuration mode. 

• Provides a method to gain access by using the enable password if the local login fails. 

Follow a methodical approach when dealing with TACACS+ in routers to prevent the need to perform 

password recovery. 

Note 

Some versions of boot ROMs do not recognize all AAA commands. Be sure to 

disable AAA authentication and authorization before changing to boot ROM 

mode. For configuration notes regarding disabling AAA to access boot ROM 

mode, see Appendix B, “AAA Impact on Maintenance Tasks.” 

These processes are intended to help you to accomplish the following tasks: 

1. Configure local router authorization at privilege level 15. 

2. Verify local router authorization is set to privilege level 15. 

2-10 


Chapter 2 



Step 1 Configure local router authorization at privilege level 15. 

Include the following Cisco IOS configuration commands in your configuration to enforce local 

authorization at privilege level 15 on all interfaces except the console port: 

! 

username rtr_super privilege 15 password ciscorules 

! 

aaa new-model 

aaa authentication login default local enable 



aaa authorization exec NO_AUTHOR none 

aaa authorization commands 15 NO_AUTHOR none 

aaa authorization commands 15 local if-authenticated 

! 

line con 0 

authorization commands 15 NO_AUTHOR 

authorization exec NO_AUTHOR 


Note 

You must first log out, and then log back into the router following the inclusion of 

the aaa authorization commands 15 local if-authenticated command 

(illustrated in the preceding configuration fragment). Doing this ensures that you 

log in as the user rtr_super (in this case study example). The NO_AUTHENT list 

disables authentication on the console port. The NO_AUTHOR list disables 

EXEC and command authorization on the console port. See “A.2 Router AAA 

Command Implementation Descriptions” in Appendix A, “AAA Device 

Configuration Listings” for notes regarding key Cisco IOS AAA commands. 

Step 2 Verify local router authorization is set to privilege level 15. 

Enter the following commands to verify correct authorization: 

maui-rtr-03#debug aaa authorization 



General OS: 


maui-rtr-03#login 


Username: rtr_super 

Password: 

The following tests illustrate operations described in “2.4 Implementing Local Router Authorization” 

and include relevant router output. 

1. User rtr_super is authorized EXEC shell access. 

2. User rtr_super logs is assigned priv-lvl 15 AVP. 

3. User rtr_super successfully performs privilege level 15 command. 


2-11


Chapter 2 





Note 



Router debug output: 

Mar 13 14:08:54.871 CST: AAA/MEMORY: create_user (0x6188BD2C) user='' ruser='' 


Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): Port='tty2' list='' 

service=EXEC 

Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: tty2 (294199586) user='rtr_super' 

Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): send AV service=shell 

Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): send AV cmd* 

Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): found list "default" 

Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): Method=LOCAL 

Mar 13 14:09:00.511 CST: AAA/AUTHOR (294199586): Post authorization status = PASS_ADD 

2. User rtr_super logs is assigned priv-lvl 15AVP. 


Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Processing AV service=shell 

Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Processing AV cmd* 

Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15 

Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Authorization successful 

Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): Port='tty2' list='' 

service=CMD 

3. User rtr_super successfully performs privilege level 15 command. 


Mar 13 14:09:01.648 CST: AAA/AUTHOR/CMD: tty2 (2192867088) user='rtr_super' 

Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV service=shell 

Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV cmd=configure 

Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV cmd-arg=terminal 

Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV cmd-arg= 

Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): found list "default" 

Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): Method=LOCAL 

Mar 13 14:09:01.648 CST: AAA/AUTHOR (2192867088): Post authorization status = 

PASS_ADD 


These processes help you to accomplish the following tasks: 

1. Configure basic local accounting for router access. 

2. Verify and troubleshoot local accounting from VTY (Telnet) based access to the router. 

2-12 


Chapter 2 



Step 1 

Configure basic local accounting for router access. 

Include the following Cisco IOS configuration commands in your configuration to construct local based 

router accounting for EXEC and command authorization for privilege level 15 commands: 

username rtr_super privilege level 15 password ciscorules 

aaa new-model 





aaa authorization commands 15 default local if-authenticated 


aaa accounting exec default start-stop group tacacs+ 

aaa accounting exec NO_ACCOUNT none 

aaa accounting commands 15 default stop-only group tacacs+ 

aaa accounting commands 15 NO_ACCOUNT none 

line con 0 



accounting commands 1 NO_ACCOUNT 


accounting exec NO_ACCOUNT 


Note 

In the preceding configuration fragment, the start-stop option is entered for 

EXEC shell sessions and the stop-only option is entered for privilege-level 15 

commands. The router sends a start packet in the beginning of a shell service and 

a stop packet when the session terminates. A stop packet is only sent upon 

completion of a privilege level 15 command in the router. Additionally, note the 

use of the NO_ACCOUNT list to disable AAA accounting on the console port. 

Step 2 

Verify and troubleshoot local accounting from VTY (Telnet) based access to the router. 

Enter the debug aaa accounting command to verify local router accounting is operating as expected. 

The following EXEC sequence illustrates that the appropriate commands are enabled: 


General OS: 

AAA Accounting debugging is on 

The following tests illustrate operations described in “2.5 Implementing Local Router Accounting” and 

include relevant router output. 


2. User rtr_super successfully performs configure terminal, a privilege level 15 command. 

The following diagnostic results are presented in the order in which they are generated during a typical 

authorization and command request process. Specific output fragments are separated out with brief 

explanatory notes to help you identify relevant information. 


2-13


Chapter 2 


Note 




Apr 11 16:48:32.483: AAA/ACCT/EXEC/START User rtr_super, port tty3 

Apr 11 16:48:32.483: AAA/ACCT/EXEC: Found list "default" 

Apr 11 16:48:32.483: AAA/ACCT/EXEC/START User rtr_super, Port tty3, task_id=362 

start_time=955471712 timezone=CST service=shell 

Apr 11 16:48:32.483: AAA/ACCT: user rtr_super, acct type 0 (1526108857): 

Method=tacacs+ (tacacs+) 

Apr 11 16:48:33.487: TAC+: (1526108857): received acct response status = SUCCESS 

2. User rtr_super successfully performs configure terminal, a privilege level 15 command. 


Apr 11 16:51:52.741: AAA/ACCT/CMD: User rtr_super, Port tty3, Priv 15: "configure 

terminal " 

Apr 11 16:51:52.741: AAA/ACCT/CMD: Found list "default" 

Apr 11 16:51:52.741: AAA/ACCT: user rtr_super, acct type 3 (2701117300): 


Apr 11 16:51:53.545: TAC+: (2701117300): received acct response status = SUCCESS 

2-14 


CHAPTER 

3 

Implementing Cisco AAA Servers 

This chapter describes the basic process of installing CiscoSecure for UNIX (CSU). See Chapter 1, 

“Cisco AAA Case Study Overview” for information regarding this case study’s network requirements 

and environment details for this case study. Figure 3-1 illustrates the general networking environment 

in which this CSU is implemented. 

These sections focus on the following topics: 

• 3.1 Installing CiscoSecure for UNIX with Oracle 

• 3.1.4 Creating and Verifying Basic User Profile 

Figure 3-1 

AAA-Based, Secure Network Access Scenario 





Analog lines 

PSTN 

PRI lines 


server 

Clients 

Modems 



modems 

IP intranet 

DNS 

server 

Default 

gateway 

Internet 

firewall 

Internet 

35089 


3-1

3.1 Installing CiscoSecure for UNIX with Oracle 

Chapter 3 



These processes of help you to install CiscoSecure for UNIX: 

• 3.1.1 Creating Oracle Tablespace 

• 3.1.2 Verifying the Oracle Database Instance 

• 3.1.3 Installing CiscoSecure for UNIX 

• 3.1.4 Creating and Verifying Basic User Profile 

3.1.1 Creating Oracle Tablespace 

You must create an Oracle tablespace with a minimum size of 200 MB. The notes listed in this section 

are for reference. 

Note 

Ensure that an experienced Oracle database administrator (DBA) tunes and configures the 

database. 

For detailed Oracle installation notes, go to the following location: 

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csbsdoc.htm 

Example of creating a Oracle tablespace: 

$su - oracle 

Sun Microsystems Inc. SunOS 5.5.1 Generic May 1996 

$$ORACLE_HOME/bin/svrmgrl 

Oracle Server Manager Release 2.3.4.0.0 - Production 

Copyright (c) Oracle Corporation 1994, 1995. All rights reserved. 

Oracle7 Server Release 7.3.4.0.1 - Production 

With the distributed option 

PL/SQL Release 2.3.4.0.0 - Production 

SVRMGR>connect internal 

Connected. 

SVRMGR>create tablespace cstb datafile '/export/home/ORADATA/cs.dbf' size 200m; 

Statement processed. 

SVRMGR>create user csecure identified by csecure default tablespace cstb; 


SVRMGR>grant dba to csecure identified by csecure; 


SVRMGR>exit 

Server Manager complete. 

3-2 


Chapter 3 



3.1.2 Verifying the Oracle Database Instance 

Before you install CiscoSecure for UNIX, make sure the Oracle server is running and you have the 

following five pieces of information: 

• The Oracle user account for CiscoSecure (csecure) 

• The password for the Oracle account (csecure) 

• TNS service name for the Oracle server (ciscosj) 

• The location of $ORACLE_HOME (/opt/oracle/product/7.3.4) 

• The number of Connections to use for ORACLE RDBMS (50) 

Step 1 

To verify the software directory environment variable ($ORACLE_HOME) where Oracle is installed, 

enter the following command. Log in to the $ORACLE_HOME as follows: 

$env | grep ORACLE_HOME 

ORACLE_HOME=/opt/oracle/product/7.3.4 

Note 

This environment variable should have been configured during Oracle installation 

by the DBA. 

Step 2 

On the Oracle server, verify that SMON (a mandatory Oracle background process) is running by 

entering the following command: 

$ps -ef |grep smon 

oracle 819 1 0 Feb 26 ? 0:00 ora_smon_ciscosj 

The command returns the ora_smon_ process if the server is running. Notice the database 

instance specification of ciscosj. If the server is down, log in with the Oracle UNIX account (in this 

case, with username of csecure and password of csecure) and start the database by using Server 

Manager (svrmgrl) and Oracle listener (lsnrctl) as follows: 

$$ORACLE_HOME/bin/svrmgrl 

SVRMGR>connect internal 

SVRMGR>startup 

ORACLE instance started. 

Total System Global Area 4576056 bytes 

Fixed Size 

39816 bytes 

Variable Size 

4118448 bytes 

Database Buffers 

409600 bytes 

Redo Buffers 

8192 bytes 

Database mounted. 

Database opened. 


3-3


Chapter 3 


$$ORACLE_HOME/bin/lsnrctl start 

LSNRCTL for Solaris:Version 2.3.4.0.0 - Production on 12-APR-00 09:40:46 

Copyright (c) Oracle Corporation 1994. All rights reserved. 

Starting /opt/oracle/product/7.3.4/bin/tnslsnr:please wait... 

TNSLSNR for Solaris:Version 2.3.4.0.0 - Production 

System parameter file is /opt/oracle/product/7.3.4/network/admin/listener.ora 

Log messages written to /opt/oracle/product/7.3.4/network/log/listener.log 

Listening on:(ADDRESS=(PROTOCOL=ipc)(DEV=10)(KEY=ciscoaus)) 

Listening on:(ADDRESS=(PROTOCOL=ipc)(DEV=13)(KEY=PNPKEY)) 

Listening on:(ADDRESS=(PROTOCOL=tcp)(DEV=15)(HOST=172.22.53.204)(PORT=1521)) 

Connecting to (ADDRESS=(PROTOCOL=IPC)(KEY=ciscosj)) 

STATUS of the LISTENER 

------------------------ 

Alias 

LISTENER 

Version 

TNSLSNR for Solaris:Version 2.3.4.0.0 - Production 

Start Date 12-APR-00 09:40:50 

Uptime 

0 days 0 hr. 0 min. 0 sec 

Trace Level 

off 

Security 

OFF 

SNMP 

OFF 

Listener Parameter File /opt/oracle/product/7.3.4/network/admin/listener.ora 

Listener Log File 

/opt/oracle/product/7.3.4/network/log/listener.log 

Services Summary... 

ciscoaus 

has 1 service handler(s) 

The command completed successfully 

Step 3 

To verify that the Oracle database account information is created for CiscoSecure by the DBA, enter 

Security Manager using the sqlplus process: 

$sqlplus csecure/csecure@ciscosj 

SQL>select * from user_sys_privs; 

USERNAME PRIVILEGE ADM 

------------------------------ ---------------------------------------- --- 

CSECURE UNLIMITED TABLESPACE NO 

Note 

Ensure that the assigned resource role/privilege for the username and password is 

as shown. 

Step 4 

The command returns a table with a column listing the privileges granted to the Oracle database 

account. The default tablespace assigned to the Oracle database account must be at least 200MB. The 

size is verified by the installation script. 

To confirm tnsnames service is operating correctly, invoke the tnsping utility as follows: 

$$ORACLE_HOME/bin/tnsping ciscosj 

TNS Ping Utility for Solaris: Version 2.3.4.0.0 - Production on 29-FEB-00 09:25:28 

Copyright (c) Oracle Corporation 1995. All rights reserved. 

Attempting to contact (ADDRESS=(PROTOCOL=TCP)(Host=CSUserver)(Port=1521)) 

OK (80 msec) 

3-4 


Chapter 3 



Step 5 

Ensure the number of Oracle RDBMS connections assigned to CiscoSecure is less than the 

PROCESSES variable defined in the initciscosj.ora file. This parameter specifies the maximum number 

of user processes that can simultaneously connect to an Oracle Server. If the value for PROCESSES is 

set to 20, then only 13 or 14 concurrent connections can be assigned to CiscoSecure. For this case study, 

at least four of the connections are reserved for mandatory background server processes. In addition, 

the PROCESSES variable is set to 50 and the number of Oracle RDBMS connections is set to 50 during 

the installation. 

3.1.3 Installing CiscoSecure for UNIX 

The general steps and output that follow apply to the installation dialog for CiscoSecure for UNIX 

(CSU) on a Sun Solaris workstation. Installation consists of the following steps: 

1. Start the CSU installation process by invoking the pkgadd program. 

2. Configure CSU logging by editing /etc/syslog.conf to enable AAA syslog function: 

3. Create /var/log/csuslog file. 

4. Configure the AAA server for maximum level debugging. 

5. Restart the AAA server. 

6. Restart the syslog daemon. 


3-5


Chapter 3 


Step 1 

Start the CSU installation process by invoking the pkgadd program. 

The process that follows illustrates the general installation sequence. Extraneous output was omitted 

where noted for brevity. 

Note 

The following installation process requires approximately 20 minutes. 

$pkgadd -d CiscoSecure-2.3.3.solaris 

The following packages are available: 

1 CSCEacs CiscoSecure Access Control Software 

(sun4) 2.3(3) 

Select package(s) you wish to process (or 'all' to process 

all packages). (default: all) [?,??,q]:1 

Processing package instance from 

CiscoSecure Access Control Software 

(sun4) 2.3(3) 

Copyright(c) 1996-1999 Cisco Systems, Inc. 

CiscoSecure Access Control Server 

Version 2.3(3) 

All Rights Reserved. 

Copyright (c) 1994-1999 Netscape Communications Corporation 

Copyright (c) 1988-1999 Sybase, Inc. 

Trade Mark WebLogic, Inc. 

Notice: 

By using this product, you agree to be bound by the terms of 

the license supplied with this product. If you do not agree 

to these terms, promptly return the unused product, manuals, 

related equipment, and hardware (with proof of purchase) to 

the place of purchase for a full refund. 

To install this product, you must agree to accept the terms 

of the enclosed license [accept=y,exit=n,exit=q]: y 

checking patches... 

************************************************************************ 

* Notice: * 

* This installation program saves your Database files from a previous * 

* CiscoSecure install. If you have not installed CiscoSecure before, * 

* you should answer YES to the next question. If you have performed * 

* a 'package remove' and are installing a new version of CiscoSecure * 

* and want to retain your previous Database files, you should answer * 

* NO to the next question. * 

************************************************************************ 

Is this a new install (y/n/q) (default: yes, q to quit)?y 

Enter the directory name in which to install CiscoSecure [?,q]/opt/ciscosecure 

3-6 


Chapter 3 



IP Address to use for CiscoSecure (default: 172.23.25.41) [?,q] 

If the hostname of this server is not the same as its fully qualified domain 

name (FQDN), enter the FQDN, e.g., www.cisco.com. Otherwise, press enter 

to use the default (default: CSUserver) [?,q] 

Enter the AAA Server License key (default: ) [?,q] 

Enter the TACACS+ NAS name to use (default: ) [?,q] 

Enter the TACACS+ NAS Secret key (default: SECRET12345) [?,q]ciscorules 

Select any or all Token Cards to use 

1 CryptoCard 

2 Secure-Computing SafeWord 

3 SDI SDI Token Card 

Enter selection (default: none) [?,??,q]: 

Choose Database 

1 SQLAnywhere Sybase SQL Anywhere 

2 ORACLE Oracle Enterprise 

3 SYBASE Sybase Enterprise 

Enter selection (default: SQLAnywhere) [?,??,q]:2 

Enter the username for the ORACLE DB account [?,q]csecure 

Enter the password for the ORACLE DB account [?,q]csecure 

Enter the TNS service name for the Oracle Server [?,q]ciscosj 

Enter the ORACLE_HOME directory [?,q]/opt/oracle/product/7.3.4 

Enter an available TCP/IP Port to be reserved for the CiscoSecure DB Server 

process (default: 9900) [0-65535,?,q] 

Enter a unique name for the CiscoSecure DB Server Process (default: 

CSdbServer) [?,q] 

Enter the number of Connections to use for ORACLE RDBMS (default: 4) [?,q]50 

Enter the directory Path to use for the AAA server profile caching 

(default: /, q to quit)? 

Modify any selections below? 

New CiscoSecure Install 

YES 

CiscoSecure Directory 

/opt/ciscosecure 

CiscoSecure IP Address 172.23.25.41 

CiscoSecure Web Server Name 

CSUserver 

Profile Cache Directory / 

AAA License Key 

 

TACACS+ NAS Name 

 

TACACS+ NAS Secret Key 

SECRET12345 

Token Cards selected 

none 

Data Base 

ORACLE 

DB User Account Name 

csecure 

DB User Account Passwd 

csecure 

Oracle TNS Name 

ciscosj 

Oracle Home 

/opt/oracle/product/7.3.4 

CiscoSecure DB Server IP Address 172.23.25.41 

CiscoSecure DB Server Port 9900 

CiscoSecure DB Server Proc Name CSdbServer 


3-7


Chapter 3 


DB Server Connections 50 

Modify any values [y,n,q]: n 

cs_install.log being written to /tmp directory 

Using as the package base directory. 

## Processing package information. 

## Processing system information. 

6 package pathnames are already properly installed. 

## Verifying disk space requirements. 

## Checking for conflicts with packages already installed. 

## Checking for setuid/setgid programs. 

This package contains scripts which will be executed with super-user 

permission during the process of installing this package. 

Do you want to continue with the installation of [y,n,?]y 

Installing CiscoSecure Access Control Software as 

## Executing preinstall script. 

## Installing part 1 of 1. 

Note 

Process output is omitted at this point because it is not relevant to the installation 

task presented in this chapter. 

[ verifying class ] 

## Executing postinstall script. 

Creating the initial database tables and views........ 

Loading properties from /opt/ciscosecure/config/CSConfig.ini 

Finished loading properties. 

Data Source = ORACLE 

Driver Type = JDBC-Weblogic-Oracle URL = jdbc:weblogic:oracle:ciscosj username = 

csecure password = ******** 

Connected to jdbc:weblogic:oracle:ciscosj 

Driver Weblogic, Inc. Java-OCI JDBC Driver (weblogicoci26) 

Version 2.5.4 

sql = select tablespace_name, floor(sum(bytes)/(1024*1024)) from sys.dba_free_sp 

ace where tablespace_name = (select default_tablespace from sys.dba_users where 

username = USER) group by tablespace_name 

Total free space in CSTB tablespace is 199 MB. 

Creating /opt/ciscosecure/utils/sql.scripts/ora_init.sql% 

Executing SQL statements.. 

3-8 


Chapter 3 



Note 

Process output is omitted at this point because it is not relevant to the installation 

task presented in this chapter. 

Successfully done. 

Initializing RADIUS data in the database........ 

Loading properties from /opt/ciscosecure/config/CSConfig.ini 

Finished loading properties. 

Data Source = ORACLE 

Driver Type = JDBC-Weblogic-Oracle URL = jdbc:weblogic:oracle:ciscosj username = 

csecure password = ******** 

Connected to jdbc:weblogic:oracle:ciscosj 

Driver Weblogic, Inc. Java-OCI JDBC Driver (weblogicoci26) 

Version 2.5.4 

Radius data version: 23 

Adding SERVER_LIST 

Adding DICTIONARY_LIST 

Adding SERVER.172.23.25.41 

Adding DICTIONARY.IETF 

Adding DICTIONARY.Cisco 

Adding DICTIONARY.Ascend 

Adding DICTIONARY.Cisco11.1 



Adding DICTIONARY.Ascend5 

No update to dictionary list 

Update radius version: INSERT INTO cs_id (id, type) VALUES (?, ?) 

Successfully done. 

Installation is complete. However, further configuration may be necessary. 

For more information on the steps necessary to finish configuration, read 

the /opt/ciscosecure/DOCS/README.txt file. 

Results of this install are saved in the /tmp/cs_install.log file and in 

/opt/ciscosecure/logfiles/cs_install.log. 

NOTE: For AAA Server tuning, refer to 

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23rg/app_b.htm# 

xtocid192003 

Installation of was successful. 

Step 2 

Configure CSU logging by editing /etc/syslog.conf to enable AAA syslog function: 

Enter the following command: 

#added by rbrown@cisco.com on 02/28/00 

local0.debug 

/var/log/csuslog 

Note 

Do not use whitespace to separate the above statements in /etc/syslog.conf. Use 

only tabs. 

Step 3 

Create /var/log/csuslog file. 


3-9


Chapter 3 


Enter the touch command to create the csulog file. 

$touch /var/log/csuslog;chmod 777 csuslog 

Step 4 

Step 5 

Configure the AAA server for maximum level debugging. 

Modify /opt/ciscosecure/config/CSU.cfg as follows: 

NUMBER config_logging_configuration = 0x7fffffff 

Restart the AAA server. 

Enter the following command to restart the AAA server: 

$/etc/rc0.d/K80CiscoSecure 

Stopping CiscoSecure Processes: 

CiscoSecure AutoRestart Stopped 

Fast Track Server Stopped 

Fast Track Admin Program Stopped 

Acme Server Stopped 

AAA Server Stopped 

DBServer Stopped 

$/etc/rc2.d/S80CiscoSecure 

Starting CiscoSecure Processes: 

Fast Track Admin Started 

FastTrack Server (Delayed Start) 

DBServer Started 

AAA Server starts in 15 Seconds: 123456789012345 

AAA Server Started 

Acme Server Started 

Cisco AutoRestart started 

Step 6 

Restart the syslog daemon. 

Enter the follow command to restart the syslog daemon: 

$ps -ef |grep syslog 

root 150 1 0 Feb 26 ? 0:00 /usr/sbin/syslogd 

$kill -HUP 150 

3.1.4 Creating and Verifying Basic User Profile 

These processes help you to accomplish basic user profile creation and verification: 

1. Create user csu_test. 

2. Verify user csu_test. 

3. Configure the router for basic authentication. 

4. Log in to the router and verify user access. 

5. Review the AAA server log. 

3-10 


Chapter 3 



Step 1 

Create user csu_test. 

Enter the following commands to add the user csu_test: 

$/opt/ciscosecure/CLI/AddProfile -p 9900 -u csu_test -pw des,ciscorocks 

Profile Successfully Added 

Step 2 

Step 3 

Verify user csu_test. 

Enter the following commands to verify settings for user csu_test: 

$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u csu_test 

User Profile Information 

user = csu_test{ 

profile_id = 18 

profile_cycle = 1 

password = des "********" 

} 

Configure the router for basic authentication. 

Log in to the router and include the following commands: 

aaa new-model 

aaa authentication login default group tacacs+ local 

tacacs-server host 172.22.53.201 key ciscorules 

Step 4 

Step 5 

Log in to the router and verify user access. 

Enter the user name and password: 

Username:csu_test 

Password: 

Review the AAA server log. 

Enter the tail command to assess the csulog file: 

Note 

This CSU log fragment illustrates user csu_test being authenticated and permitted 

privilege level 15 access. 

$tail -f /var/log/csuslog 

Feb 29 16:52:28 CSUserver last message repeated 20 times1 

Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - ACCOUNTING request (55d45ae8) 

Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - acct_token_cache_session_add_del: user: 

csu_test 

Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - acct_token_cache_session_add_del: user: 

csu_test 

Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - AUTHENTICATION START request (8f414e3e) 

Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - 

Feb 29 16:52:30 CSUserver User Access Verification 

Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - Username: 

Feb 29 16:52:31 CSUserver CiscoSecure: WARNING - No swap files/partitions allocated 

Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e) 

Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - Password: 

Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e) 

Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - Authentication - LOGIN successful;[NAS = 

coe-ccie-35.cisco.com, Port = tty2, User = csu_test, Priv = 15] 


3-11


Chapter 3 


3-12 


CHAPTER 

4 

Implementing the Server-Based AAA Subsystem 

This chapter focuses on the following server-based AAA implementation topics: 

• 4.1 Implementing Server-Based TACACS+ Dialup Authentication 

• 4.2 Implementing Server-Based TACACS+ Dialup Authorization 

• 4.3 Implementing Server-Based RADIUS Dialup Authentication 

• 4.4 Implementing Server-Based RADIUS Dialup Authorization 

• 4.5 Implementing Server-Based TACACS+ Router Authentication 

• 4.6 Implementing Server-Based TACACS+ Router Authorization 

Caution 





Note 

See Chapter 2, “Implementing the Local AAA Subsystem,” for specifics of local AAA 

implementation. See “1.1 AAATechnology Summary,” in Chapter 1 for brief definitions 

of authentication, authorization, and accounting as they relate to AAA security 

implementation. 


4-1

4.1 Implementing Server-Based TACACS+ Dialup Authentication 

Chapter 4 


Figure 4-1 provides the general scenario this case study is built around and illustrates the server-based 

AAA components, including a AAA server and its associated AAA database. 

Figure 4-1 

Basic AAA Case Study Environment 





Analog lines 

PSTN 

PRI lines 


server 

Clients 

Modems 



modems 

IP intranet 

DNS 

server 

Default 

gateway 

Internet 

firewall 

Internet 

35089 

4.1 Implementing Server-Based TACACS+ Dialup 


The following section focuses on server-based dialup authentication configuration. In this context, 

server-based refers to actions dependent upon an external AAA server. These actions are described in 

a series of general steps along with related commands, server configurations, and diagnostic steps as 

appropriate. Figure 4-2 illustrates a simplified TACACS+ server-based dial environment. 

Figure 4-2 

Server-Based Dial Environment (TACACS+) 

Server-based 

dial access 

Modem 

PSTN 

IP 


35051 

4-2 


Chapter 4 


4.1 Implementing Server-Based TACACS+ Dialup Authentication 

These steps help you to accomplish the following tasks: 

1. Configure TACACS+ server-based authentication on NAS. 

2. Configure a user profile in the database. 

3. Verify the AAA server-based user configuration. 

4. Verify and troubleshoot authentication from the AAA server. 

5. Verify and troubleshoot PPP authentication from the NAS. 

Step 1 

Configure TACACS+ server-based authentication on NAS. 

Include the following Cisco IOS configuration commands in your configuration to enforce server-based 

dial access authentication control with TACACS+: 

aaa new-model 

aaa authentication login default group tacacs+ 

aaa authentication ppp default if-needed group tacacs+ 

! 




commands. 

Step 2 

Configure a user profile in the database. 

Create a user in the AAA server by entering the following AddProfile command: 

$/opt/ciscosecure/CLI/AddProfile -p 9900 -u tac_dial -pw pap,ciscorules –a 

'service=ppp{\n protocol=ip{\n set addr-pool=default \n set inacl=110 \n}\n protocol=lcp 

{\n }\n }\n’ 

Caution 

Step 3 

When entering AddProfile to create users or groups, it is possible to successfully create 

users or groups that have invalid database parameters that result in profile errors viewable 

in /var/log/csuslog. 

Verify the AAA server-based user configuration. 

Enter this server command to view the AAA server-based user configuration: 

$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u tac_dial 

user = tac_dial{ 



password = pap "********" 

service=ppp { 

protocol=ip { 

set addr-pool=default 

set inacl=110 

} 

protocol=lcp { 

} 

} 

} 


4-3

4.2 Implementing Server-Based TACACS+ Dialup Authorization 

Chapter 4 


Step 4 

Verify and troubleshoot authentication from the AAA server. 

Enter the tail command:. 


Note 

See “C.1 Server-BasedTACACS+ Dialup Authentication Diagnostics” for a 

description of relevant diagnostic output. 

Step 5 

Verify and troubleshoot PPP authentication from the NAS. 

Enter the debug aaa authentication and debug ppp authentication commands to confirm 

authentication from the NAS perspective. 

Note 

See “C.1 Server-BasedTACACS+ Dialup Authentication Diagnostics” for 

relevant diagnostic output. 


This section focuses on implementing of server-based dialup authorization and presents applicable 

configuration segments, server commands and file listings, and diagnostic steps. 


1. Configure TACACS+ server-based authorization on the NAS. 



4. Verify and troubleshoot a shell-initiated PPP session authorization from the AAA server. 

5. Verify and troubleshoot shell-initiated PPP authorization on the NAS. 

Step 1 

Configure TACACS+ server-based authorization on the NAS. 


dial access authorization with TACACS+: 

aaa new-model 


aaa authentication ppp default if-needed group tacacs+ 

aaa authorization exec default group tacacs+ if-authenticated 

aaa authorization network default group tacacs+ if-authenticated 

! 

tacacs-server host x.x.x.x key ciscorules 



commands. 

4-4 


Chapter 4 



Step 2 



$/opt/ciscosecure/CLI/AddProfile -p 9900 -u dialtest -pw des,ciscorules –pw 

pap,ciscorules –a 'service=shell{\ndefault cmd=permit\n}\nservice=ppp{\n protocol=ip{\n 

set addr-pool=default \n set inacl=110 \n}\n protocol=lcp {\n }\n }\n’ 

Step 3 


Enter this UNIX server command to view the AAA server-based user configuration: 

$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u dialtest 

An example of a ViewProfile output of the user profile looks like this: 


user = dialtest{ 




service=shell { 

default_cmd=permit 

} 

service=ppp { 

protocol=ip { 

set addr-pool=default 

set inacl=110 

} 


} 

} 

} 

Step 4 

Verify and troubleshoot a shell-initiated PPP session authorization from the AAA server. 

Enter the following UNIX server command to confirm that the authorization is operating correctly: 


Note 

See “C.2 Server-BasedTACACS+ Dialup Authorization Diagnostics.” 

Step 5 

Verify and troubleshoot shell-initiated PPP authorization on the NAS. 

Enter the debug aaa authorization command to verify server-based authorization is operating correctly 

for dial access. 

Note 

See “C.2 Server-BasedTACACS+ Dialup Authorization Diagnostics.” 


4-5

4.3 Implementing Server-Based RADIUS Dialup Authentication 

Chapter 4 



This section focuses on the configuration of server-based, RADIUS dialup authentication configuration. 

In this context, server-based refers to actions that depend on an external AAA server. Figur e4-3 

illustrates a simplified server-based dial environment. 


1. Configure RADIUS server-based authentication on access server. 



4. Enter the debug aaa authentication and debug ppp authorization commands to confirm 

authentication from NAS perspective. 

Figure 4-3 

Server-Based Dial Environment (RADIUS) 

Server-based 

dial access 

Modem 

PSTN 

IP 


35051 

4-6 


Chapter 4 



Step 1 

Configure RADIUS server-based authentication on access server. 


dial access authentication control with RADIUS: 

aaa new-model 

aaa authentication login default group radius 

aaa authentication ppp default if-needed group radius 

! 












no fair-queue 

no cdp enable 




! 

line 1 48 





modem InOut 




transport output lat pad telnet rlogin udptn v120 lapb-ta 

radius-server host 172.22.53.201 auth-port 1645 acct-port 1646 key ciscorules 



commands. 

Step 2 


a. Create a RADIUS NAS configuration by entering the following AddProfile command: 

$/opt/ciscosecure/CLI/AddProfile -p 9900 -u NAS.172.22.53.105 -a 

'NASName="172.22.53.105"\nSharedSecret="ciscorules"\nRadiusVendor="Cisco"\nDictionary 

="DICTIONARY.Cisco"\n }\n' 

b. Create a user in the AAA server by entering the following AddProfile command: 

$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rad_dial -pw pap,ciscorules 

-a 'radius=Cisco{\n reply_attributes={\n 6=2 \n 7=1 \n}\n}\n' 

Description of attributes specified in AddProfile configuration: 

– 6=2 (meaning Framed-Protocol=ppp) 

– 7=1 [meaning User-Service-Type (Framed-User)] 


4-7

4.4 Implementing Server-Based RADIUS Dialup Authorization 

Chapter 4 


Step 3 


a. Enter this server command to view the AAA server-based NAS configuration: 

$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u NAS.172.22.53.105 


user = NAS.172.22.53.105{ 



NASName="172.22.53.105" { 

SharedSecret="ciscorules" 

RadiusVendor="Cisco" 

Dictionary="DICTIONARY.Cisco" 

} 

} 

b. Enter this command to verify the AAA server user configuration: 

$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rad_dial 


user = rad_dial{ 




radius=Cisco { 

reply_attributes= { 

6=2 

7=1 

} 

} 

} 

Step 4 

Enter the debug aaa authentication and debug ppp authorization commands to confirm 

authentication from NAS perspective. 

Note 

See “C.3 Server-Based RADIUS Dialup Authentication Diagnostics.” 



1. Configure RADIUS server-based authorization on the NAS. 



4. Verify and troubleshoot RADIUS network authorization on the NAS. 

5. Verify that access-list 110 is assigned to user rad_dial with the show caller user command. 

4-8 


Chapter 4 



Step 1 

Configure RADIUS server-based authorization on the NAS. 

Include the following Cisco IOS configuration commands in your configuration to enforce RADIUS 

authorization assigning access-list 110 to the user, rad_dial: 

aaa new-model 


aaa authentication ppp default if-needed group radius 

aaa authorization exec default group radius 

aaa authorization network default group radius if-authenticated 

! 


! 

access-list 110 permit tcp any any eq telnet 

access-list 110 permit tcp any any eq ftp 

access-list 110 permit tcp any any eq ftp-data 

access-list 110 deny tcp any any 



commands. 

Step 2 

Step 3 



$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rad_dial -pw pap,ciscorules -a 

'radius=Cisco{\n reply_attributes={\n 6=2 \n 7=1 \n 9,1="ip:inacl=110"}\n}\n' 











6=2 

7=1 

9,1="ip:inacl=110" 

} 

} 

} 

Note 

The Cisco AVP inacl=110 is included to enable an input access-list. 

Step 4 

Verify and troubleshoot RADIUS network authorization on the NAS. 

Enter the debug aaa authorization command to verify dial access server-based authorization is 

operating correctly for dial access. 

Note 

See “C.4 Server-Based RADIUS Dialup Authorization Diagnostics.” 


4-9

4.5 Implementing Server-Based TACACS+ Router Authentication 

Chapter 4 


Step 5 

Verify that access-list 110 is assigned to user rad_dial with the show caller user command. 

Note 

See “C.4 Server-Based RADIUS Dialup Authorization Diagnostics.” 

4.5 Implementing Server-Based TACACS+ Router 


This section focuses on how to configure and verify TACACS+ Cisco IOS authentication by using a 

router and a AAA server. Figure 4-4 illustrates a simplified server-based VTY-access environment for 

arouter. 


1. Configure TACACS+ server-based authentication on the router. 

2. Configure and verify the group rtr_basic: 

3. Create the member rtr_test and assign this user to group rtr_basic. 

4. Verify user rtr_test. 

5. Log in to the router and verify proper authentication. 

Figure 4-4 

Server-Based VTY Access (Telnet) 

Server-based 


IP 


35050 

4-10 


Chapter 4 



Step 1 

Configure TACACS+ server-based authentication on the router. 

Include the following Cisco IOS configuration commands in your configuration to enforce AAA 

server-based command authorization on a router (excluding the console port): 

aaa new-model 



! 

ip http server 

ip http authentication aaa 

ip tacacs source-interface Loopback0 

! 


! 

line con 0 


Note See “A.2 Router AAA Command Implementation Descriptions” in Appendix A, 


commands. 

Step 2 

Configure and verify the group rtr_basic: 

a. Create the group rtr_basic by entering the following AddProfile command: 

$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_basic -a 

'service=shell{\ndefault cmd=deny\n}\n' 


b. Verify the group rtr_basic by entering the ViewProfile command 

$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_basic 

Group Profile Information 

group = rtr_low{ 




default cmd=deny 

} 

Step 3 

} 

Create the member rtr_test and assign this user to group rtr_basic. 


$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_test -pw des,ciscorules -pr 

rtr_basic 



4-11


Chapter 4 


Step 4 

Step 5 

Verify user rtr_test. 


$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_test 


user = rtr_test{ 



member = rtr_basic 


} 

Log in to the router and verify proper authentication. 

Enter the login command to access the router command interface and monitor the output of debug aaa 

authentication from a separate shell session. Monitor the output of the AAA server by consulting the 

csuslog file using the tail command. 

Note 

See “C.5 Server-BasedTACACS+ Router Authentication Diagnostics.” 

4-12 


Chapter 4 


4.6 Implementing Server-Based TACACS+ Router Authorization 


The following examples, including authorization-related IOS command listings and AAA server 

profiles, illustrate how to define administrative control over Cisco routers. Three administrative groups 

are created with low (rtr_low), medium (rtr_tech),andhigh(rtr_super) access. The default_cmd AVP 

(defined in the AAA server profile) is used to control access to privilege level 15 commands. Inthis 

case, privilege level 15 is the highest level of command access privilege allowed and is reserved for 

super users or network managers. Table 4-1 compares the Cisco IOS command permissions associated 

with each of the administrative groups defined in this section. 

Table 4-1 

Group Profile Command Summary 

Group 

Cisco IOS Command rtr_super rtr_tech rtr_low 

debug all Denied Denied Denied 

debug * Permitted Permitted Denied 

clear * Permitted Permitted Denied 

reload Permitted Denied Denied 

show running-config 

Permitted Denied Denied 

write terminal 

copy running-config startup-config 

Permitted Permitted Denied 

write memory 

configure terminal Permitted Denied Denied 

Figure 4-5 provides a flowchart that depicts AAA server-based authentication and authorization 

between a router and an AAA server. Troubleshooting and verifying is divided into three stages: 

authentication, EXEC authorization and command authorization. Each stage is accompanied by 

information particular to that stage: 

• Cisco IOS Configuration Fragments (on left) 

• Troubleshooting and verification methods for the router and AAA server (on right) 


4-13


Chapter 4 


Figure 4-5 

TACACS+ Authentication and Authorization Verification Methodology 

Cisco IOS Client Decision Flow Troubleshoot/Verify 


Router user 

requests login 

to TACACS+ server. 

aaa new-model 


tacacs-server host ip-address key secret-key 

Did 

authentication 

succeed? 

Yes 

No 

From Cisco IOS Client 

debug aaa authentication 

From AAA Server 

tail -f /var/log/csuslog 

Verify user 

user=rtr_geek 

password=des 

EXEC Authorization 

AAA authorization 

begins (EXEC) 

aaa authorization exec default group 

tacacs+ if-authenticated 

Did 

authorization 

succeed? 

No 


debug aaa authorization 



Verify user or group 

service=shell 

Yes 

Command Authorization 

AAA authorization 

command begins 

(command) 

aaa authorization commands 15 default 


Did 

authorization 

succeed? 

Yes 

AAA accounting 

begins 

No 


debug aaa authorization 



Verify user or group 

default_cmd=permit 

or priv_lvl=15 

or cmd=permit 

35076 


1. Configure TACACS+ server-based authorization from the console port on the router. 

2. Configure, verify, and test operation of the AAA server group rtr_low. 

3. Configure, verify, and test operation of the AAA server group rtr_tech. 

4. Configure, verify, and test operation of AAA server Group rtr_super. 

4-14 


Chapter 4 



Note 

Some versions of boot ROMs do not recognize all AAA commands. Be sure to 

disable AAA authentication and authorization before changing to boot ROM 

mode. For configuration notes regarding disabling AAA to access boot ROM 

mode, see Appendix B, “AAA Impact on Maintenance Tasks.” 

Step 1 

Configure TACACS+ server-based authorization from the console port on the router. 

Include the following Cisco IOS configuration commands in your configuration to enforce router-based 

security with TACACS+: 

aaa new-model 




aaa authorization exec default group tacacs+ 


aaa authorization commands 15 default group tacacs+ 

! 




! 


! 

line con 0 




Note See “A.2 Router AAA Command Implementation Descriptions” in Appendix A, 


commands. 


4-15


Chapter 4 


Step 2 

Configure, verify, and test operation of the AAA server group rtr_low. 

The following steps illustrate configuring, verifying, and testing group rtr_low for compliance with the 

requirements specified inTabl e4-1: 

a. Create the group rtr_low. 


$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_low -a 

'service=shell{\ndefault cmd=deny\n}\n' 


b. Verify the group rtr_low. 


$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_low 


group = rtr_low{ 




default cmd=deny 

} 

} 

c. Create the member rtr_dweeb and assign this user to group rtr_low. 


$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_dweeb -pr rtr_low -pw 

des,ciscorules 


d. Verify the user rtr_dweeb. 


$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_dweeb 


user = rtr_dweeb{ 



member = rtr_low 


} 

e. Test the Cisco IOS commands for the user rtr_dweeb (see Table 4-1), with these actions: 

– Simultaneously monitor the output of debug aaa authorization from a console shell session 

and the AAA server csuslog file. 

– Log in to the router by using a new terminal window with the rtr_dweeb account and enter the 

commands shown inTabl e4-1. 

– From the AAA server, enter the following command to obtain the matching csuslog content: 


Note 

See “C.6 Server-BasedTACACS+ Router Authorization Diagnostics.” 

4-16 


Chapter 4 



Step 3 

Configure, verify, and test operation of the AAA server group rtr_tech. 

The following tasks illustrate configuring, verifying, and testing group rtr_tech for compliance with the 

requirements specified inTabl e4-1: 

a. Create the group rtr_tech. 


$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_tech -a 'service=shell 

{\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\ncmd=reload{\ndeny 

all\n}\ncmd=configure{\ndeny .*}\n}\n' 

b. Verify the group rtr_tech. 


$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_tech 


group = rtr_tech{ 




default cmd=permit 

cmd=debug { 

deny all 

permit .* 

} 

cmd=reload { 

deny all 

} 

cmd=configure { 

deny .* 

} 

} 

} 

c. Create the member rtr_techie and assign this user to group rtr_tech. 


$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_techie -pr rtr_tech -pw 



d. Verify the user rtr_techie. 


$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_techie 


user = rtr_techie{ 



member = rtr_tech 


} 

e. Test the Cisco IOS commands for the user rtr_techie (see Table 4-1) with these actions: 



– Log in to the router by using a new terminal window with the rtr_techie account and enter the 



4-17


Chapter 4 




Note 


Step 4 

Configure, verify, and test operation of AAA server Group rtr_super. 

The following tasks illustrate configuring, verifying, and testing group rtr_super for compliance with 

the requirements specified inTabl e4-1: 

a. Create the group rtr_super. 


$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_super -a 'service=shell 

{\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\n}\n' 


b. Verify the group rtr_super. 


$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_super 


group = rtr_super{ 




default cmd=permit 

cmd=debug { 

deny all 

permit .* 

} 

} 

} 

c. Create the member rtr_geek and assign this user to group rtr_super. 


$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_geek -pr rtr_super -pw 


Profile Successfully 

d. Verify the user rtr_geek. 


$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_geek 


user = rtr_geek{ 



member = rtr_super 


} 

e. Test the Cisco IOS commands for the user rtr_geek (see Table 4-1) with these commands: 



4-18 


Chapter 4 



– Log in to the router by using a new terminal window with the rtr_geek account and enter the 




Note 



4-19


Chapter 4 


4-20 


CHAPTER 

5 

Implementing Server-Based AAA Accounting 

This chapter focuses on the following two topics: 

• 5.1 Implementing Server-Based TACACS+ Dial Accounting 

• 5.2 Implementing Server-Based TACACS+ Router Accounting 

Caution 





Note 

See “1.1 AAA Technology Summary,” in Chapter 1 for brief definitions of authentication, 

authorization, and accounting as they relate to AAA security implementation. 

5.1 Implementing Server-Based TACACS+ Dial Accounting 

The information compiled by the Cisco IOS client focuses on the performance of intermediate systems 

in terms of AAA accounting packet output, disconnect cause codes, elapsed time, packets in/out, and 

other useful information. This section addresses configuring server-based TACACS+ accounting on the 

AAA server and the Cisco IOS client or network access server (NAS). 

Note 

TACACS+ is used for accounting, even though RADIUS is used to support the dialup 

clients. 


1. Configure the server-based TACACS+ dial accounting on the AAA server. 

2. Configure server-based TACACS+ dial accounting on the NAS. 

3. Verify and troubleshoot server-based accounting from the AAA server by using an SQL query to 

Oracle dB instance. 

4. Verify AAA accounting from the NAS. 

Step 1 

Configure the server-based TACACS+ dial accounting on the AAA server. 


5-1


Chapter 5 


Include the following configuration line in /opt/ciscosecure/CLI/config/CSU.cfg to enable group 

membership accounting: 

config_acct_fn_enable = 1 

For detailed accounting performance, go to: 

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23ug/acctg.htm#xto 

cid84517 

Step 2 

Step 3 

Configure server-based TACACS+ dial accounting on the NAS. 

Include the following Cisco IOS commands in your configuration file to support dialup authentication, 

authorization, and accounting. 

aaa new-model 

aaa authentication login default group radius local 

aaa authentication ppp default if-needed group radius local 

aaa authorization exec default group radius if-authenticated 

aaa accounting exec default stop-only group radius 

aaa accounting network default stop-only group radius 

Verify and troubleshoot server-based accounting from the AAA server by using an SQL query to Oracle 

dB instance. 

The following examples illustrate the use of SQL query commands to monitor user rad_dial being 

disconnected due to idletime configured with the line configuration session-timeout command in the 

NAS: 

$/export/home/oracle> sqlplus 

SQL*Plus: Release 3.3.4.0.1 - Production on Mon Apr 17 17:41:52 2000 

Copyright (c) Oracle Corporation 1979, 1996. All rights reserved. 

Enter user-name:csecure/csecure@ciscoaus 

Connected to: 

Oracle7 Server Release 7.3.4.0.1 - Production 

PL/SQL Release 2.3.4.0.0 - Production 

SQL> select * from cs_accounting_log where blob_data like '%rad_dial%'; 

LOG_ID BLOB_ORDINAL BLOB_DATA 

-------------------------------------------------------------------------------- 

172.22.87.3 rad_dial Async20 65004 stop server=danvers time=17:36:33 

date=04/17/2000 task_id=40 timezone=CST service=ppp protocol=ip 

addr=172.22.83.12 disc-cause=4 disc-cause-ext=1021 pre-bytes-in=132 

pre-bytes-out=139 pre-paks-in=5 pre-paks-out=7 bytes_i 

Note 

The disc-cause and disc-cause-ext output both reflect idle timeouts from 

Table 5-1 listed in “5.3 AAA Disconnect Cause Code Descriptions” in this 

chapter. 

Step 4 

Verify AAA accounting from the NAS. 

Review and verify user rad_dial disconnecting session from the NAS by using the Cisco IOS 

show caller user and debug aaa accounting commands. 

5-2 


Chapter 5 



The following example illustrates local accounting diagnostic output in which user rad_dial is 

disconnected because of a line configuration session-timeout command configured in the NAS: 

Note 

User rad_dial dials into maui-nas-03. Note the session-timeout was applied. 

maui-nas-03#show caller user rad_dial detail 

User: rad_dial, line tty 20, service Async 

Active time 00:00:47, Idle time 00:00:00 

Timeouts: Absolute Idle Idle 

Session Exec 

Limits: 04:00:00 00:15:00 00:48:00 

Disconnect in: 03:59:12 00:14:59 - 

TTY: Line 20, running PPP on As20 

Location: PPP: 172.22.83.12 

DS0: (slot/unit/channel)=0/0/2 

Line: Baud rate (TX/RX) is 115200/115200, no parity, 1 stopbits, 8 databits 

Status: Ready, Active, No Exit Banner, Async Interface Active 

HW PPP Support Active, Modem Detected 

Capabilities: Hardware Flowcontrol In, Hardware Flowcontrol Out 

Modem Callout, Modem RI is CD, 

Line usable as async interface, Modem Autoconfigure 

Integrated Modem 

Modem State: Ready, Modem Configured 

User: rad_dial, line As20, service PPP 


Timeouts: 

Absolute Idle 

Limits: - 00:15:00 

Disconnect in: - 00:14:50 

User rad_dial is disconnected after 15 minutes of inactivity and an accounting packet is sent to the AAA 

Server: 


General OS: 


*Apr 17 17:36:35.262 CST: AAA/ACCT/ACCT_DISC: Found list "default" 

*Apr 17 17:36:35.262 CST: Async20 AAA/DISC: 4/"Idle Timeout" 

*Apr 17 17:36:35.262 CST: AAA/ACCT/ACCT_DISC: Found list "default" 

*Apr 17 17:36:35.262 CST: Async20 AAA/DISC/EXT: 1021/"Idle Timeout" 

*Apr 17 17:36:35.262 CST: Async20 AAA/DISC: 4/"Idle Timeout" 

*Apr 17 17:36:35.262 CST: Async20 AAA/DISC/EXT: 1021/"Idle Timeout" 

Note The disc-cause and disc-cause-ext both reflect idle timeouts from Table 5-1 

listed in “5.3 AAA Disconnect Cause Code Descriptions” in this chapter. 


5-3

5.2 Implementing Server-Based TACACS+ Router Accounting 

Chapter 5 




1. Configure the server-based TACACS+ router accounting on the AAA server. 

2. Configure server-based TACACS+ EXEC and command level accounting on the router. 

3. Verify and troubleshoot server-based accounting from the AAA Server with SQL query to Oracle 

dB instance. 

4. Verify and troubleshoot server-based accounting operation from the router. 

Step 1 

Step 2 

Configure the server-based TACACS+ router accounting on the AAA server. 

config_acct_fn_enable = 1 

For detailed accounting performance, go to: 

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23ug/acctg.htm#xto 

cid84517 

Configure server-based TACACS+ EXEC and command level accounting on the router. 

Include the following Cisco IOS commands in your configuration file to enable router EXEC and 

command AAA authentication, authorization, and accounting: 

aaa new-model 


aaa authentication login NO_AUTHEN none 





aaa accounting exec default stop-only group tacacs+ 


line con 0 



login authentication NO_AUTHEN 

Note 

Authentication and authorization is disabled on the console port with the use of 

the NO_AUTHEN and NO_AUTHOR named lists. 

5-4 


Chapter 5 



Step 3 

Verify and troubleshoot server-based accounting from the AAA Server with SQL query to Oracle dB 

instance. 

The following example illustrates the use of the SQL query select command to monitor user rtr_geek 

entering the configure terminal privilege level 15 command: 

SQL>select * from cs_accounting_log where blob_data like '%rtr_geek%'; 


-------------------------------------------------------------------------------- 

Mon Apr 17 14:06:27 2000 

Client-Id = 172.22.80.3 

Client-Port-Id = 0 

NAS-Port-Type = Async 

User-Name = "rtr_geek" 

Acct-Status-Type = Stop 


-------------------------------------------------------------------------------- 

172.22.87.3 rtr_geek tty0 async stop server=danvers time=18:10:02 

date=04/17/2000 task_id=52 timezone=CST service=shell priv-lvl=15 

cmd=configure terminal 

Step 4 

Verify and troubleshoot server-based accounting operation from the router. 

Enter the configure terminal command to test AAA accounting behavior as follows (be sure the 

debug aaa accounting command is enabled): 


General OS: 


maui-nas-03#configure terminal 

Enter configuration commands, one per line. End with CNTL/Z. 

maui-nas-03(config)#^Z 

This debug command output results from entering the configure terminal command: 

*Apr 17 18:14:45.722 CST: AAA/ACCT/CMD: User rtr_geek, Port tty0, Priv 15: 

"configure terminal " 

*Apr 17 18:14:45.722 CST: AAA/ACCT/CMD: Found list "default" 

*Apr 17 18:14:45.726 CST: AAA/ACCT: user rtr_geek, acct type 3 (1057208544): 


*Apr 17 18:14:45.930 CST: TAC+: (1057208544): received acct response status = SUCCESS 


5-5

5.3 AAA Disconnect Cause Code Descriptions 

Chapter 5 



Table 5-1 lists the disconnect codes reported by Cisco AAA accounting records. The disconnect cause 

codes are referred to in “5.1 Implementing Server-Based TACACS+ Dial Accounting.” 

Table 5-1 

AAA Disconnect Cause Code Listings 

Disconnect Cause Code 

Description 

1 User Request 

2 Lost Carrier 

3 Lost Service 

4 Idle Timeout 

5 Session Timeout 

6 Admin Reset 

7 Admin Reboot 

8 Port Error 

9 NAS Error 

10 NAS Request 

11 NAS Reboot 

12 Port Unneeded 

13 Port Preempted 

14 Port Suspended 

15 Service Unavailable 

16 Callback 

17 User Error 

18 Host Request 

1002 Unknown 

1004 CLID Auth Fail 

1010 No Carrier 

1011 AAA_VAL_DISC_LOST_CARR 

1012 No Modem result codes 

1020 AAA_VAL_DISC_USER_REQ 

1021 AAA_VAL_DISC_IDL_TIMOUT 

1022 Exited Telnet 

1023 Peer has No IPADDR 

1024 AAA_VAL_DISC_LOST_SERV 

1025 Password failure 

1026 TCP Disabled 

1027 Control-C Detected 

1028 AAA_VAL_DISC_HOST_REQ 

5-6 


Chapter 5 



Table 5-1 

AAA Disconnect Cause Code Listings 

Disconnect Cause Code 

Description 

1040 LCP Neg Timeout 

1041 LCP Neg Failed 

1042 PAP Auth Failed 

1043 CHAP Auth Failed 

1044 Remote Auth Failed 

1045 Received Terminate 

1046 Upper Layer Req Close 

1100 AAA_VAL_DISC_SES_TIMOUT 

1101 Fail Security 

1102 AAA_VAL_DISC_CALLBACK 

1120 AAA_VAL_DISC_SERV_UNAVAIL 


5-7


Chapter 5 


5-8 


CHAPTER 

6 

Diagnosing and Troubleshooting AAA 

Operations 

This chapter focuses on diagnosing and troubleshooting negotiations between AAA devices. This 

section reviews the case study environment and outlines the protocol flows associated with AAA 

negotiations in the context of this network environment. The subsequent sections focus on specific 

troubleshooting techniques as follows: 

• 6.1 Overview of Authentication and Authorization Processes 

• 6.2 Troubleshooting AAA Implementation 

• 6.3 AAA Troubleshooting Basics 

• 6.4 Troubleshooting Scenarios 


6-1

6.1 Overview of Authentication and Authorization Processes 

Chapter 6 

Diagnosing and Troubleshooting AAA Operations 


Before jumping immediately into troubleshooting AAA problems, it is useful to review authentication 

and authorization processes. Figure 6-1 provides the general scenario this case study is built around. 

The primary elements of this environment are the AAA server, the AAA database, and the NAS. 

Figure 6-1 

Basic AAA Case Study Environment 





Analog lines 

PSTN 

PRI lines 


server 

Clients 

Modems 



modems 

IP intranet 

DNS 

server 

Default 

gateway 

Internet 

firewall 

Internet 

35089 

6-2 


Chapter 6 



The negotiation suggested in Figure 6-1 is expanded in Figure 6-2 which presents the logical flow of 

the authentication and authorization processes and illustrates the relationship between the elements 

within the TACACS+ based AAA negotiation. While the network access server (NAS) communicates 

directly with the AAA server, the AAA server in turn exchanges information with the Oracle database 

server. 

Figure 6-2 

Dial Access Authentication and Authorization Flow Diagram 

Network 

access server 

Result 

Fail 

Valid user 

TACACS+ 

query 

CiscoSecure 

ACS 

Pass 

Fail 

Password = ? 

SQL 

Valid 

password 

Pass 

Fail 

Pass 

Authorization 

Pass 

Oracle 

database 

Pass 

27815 


6-3


Chapter 6 


The RADIUS dial-access authentication and authorization illustrated in Figure 6-3 describes RADIUS 

negotiation between the NAS and the AAA server. User rad_dial is permitted PPP access through 

EXEC shell (character mode) or autoselect PPP (packet mode). 

Figure 6-3 

RADIUS Dial Access Authentication and Authorization Process 

NAS 

Network 

time 


server 

Authentication and 

Authorization 

Access request 

Send username 

password 

Access accept 

User-Service-Type 

(Shell-User) 

User-Service-Type 

(Framed-User) 

Framed-Protocol = 

PPP 

AAA Server 

User Configuration 

user=rad_dial{ 

password=PAP "****" 

radius=Cisco{ 

reply_attributes={ 

6=6 

6=2 

7=1 

} 

} 

35048 

Note 

Unlike TACACS+, the authentication and authorization processes are not handled as 

separate stages in RADIUS-based AAA access control. 

6-4 


Chapter 6 



Figure 6-4 and Figure 6-5 expand on the basic negotiation flow depicted in Figur e6-2 by illustrating 

the specific TACACS+ negotiation process associated with particular users, as defined in their 

respective CSU profiles. 

Figure 6-4 

TACACS+ Dial Access Authentication and Authorization Session (EXEC Enabled) 

Access server 

Network 

time 



Send start 

Get user 

Send user 

Get pass 

Send password 

Pass 

Oracle 

DB 

CSU User Configuration 

Authorization 

Authorization 

User = x 

Send AV service = shell 

AV cmd* 

Pass 

user = x 

Send AV service = ppp 

protocol = IP 

addr-pool = default 

Pass 

user = x 


protocol = lcp 

Pass 

user = x 


protocol = ip 

Pass 

user x = 

password = PAP 

service = shell { 

default_cmd = permit 

} 


protocol = ip { 

set addr-pool = default 

} 

protocol = lcp { 

} 

27812 

The difference in authorization behavior stems from the use of two commands in the AAA server user 

configurations. The default_cmd=permit command included in the example in Figure 6-4 enables 

default privilege level 15 commands for user x. 

As configured in Figure 6-4, the session for user x depicts a process that involves either a shell initiated 

or a standard PPP session. The same negotiations are used in initiating shell access to a router. 


6-5


Chapter 6 


Both figures depict the stages of dial access authentication and authorization sessions between an access 

server and an AAA server. The key difference is defined in the CSU user configuration (profiles) 

included in each illustration. In Figure 6-4, EXEC shell access authorization is permitted while it is not 

permitted in the illustration depicted in Figure 6-5. 

Figure 6-5 

TACACS+ Dial Access Authentication and Authorization Session (EXEC Shell Disabled) 

Access server 

Network 

time 



Network 

Authorization 

Send start 

Get user 

Send Abort 

Autoselect PPP 

user = x 

Authenticate 

peer 

Send password 

Pass 

LCP 

request 

Pass 

user = y 

service = ppp 

protocol = lcp 

Pass 

CONFREQ 

for options 

Pass 

Oracle 

database 

CSU User Configuration 

user = y 

password = PAP 


set autocmd = ppp negotiate 

} 

service = ppp { 

protocol = ip{ 

set addr pool = default 

} 

protocol = lcp { 

} 

27813 

The example session illustrated in Figure 6-5 omits the default_cmd=permit AVP and instead includes 

the autocmd=ppp negotiate AVP disabling EXEC shell access to IOS devices. User y fails any attempt 

to access the router and receives the message PPP not allowed on this interface as a result of the 

PPP configuration statement. This distinction provides an element of security, blocking access to 

routers. 

6-6 


Chapter 6 




These sections help you to accomplish the following tasks: 

• 6.2.1 Troubleshooting Methodology Overview 

• 6.2.2 Cisco IOS Debug Command Summary 

6.2.1 Troubleshooting Methodology Overview 

The troubleshooting methodology adopted in this chapter follows these general steps: 

1. Isolating the problem. 

– Gathering detailed information about trouble. 

– Determining the starting point and fault isolation procedures. 

2. Correcting the problem. 

– Making appropriate hardware, software, or configuration changes to correct the problem. 

3. Verifying that the trouble is corrected. 

– Performing operational tests to verify that trouble is corrected. 

The troubleshooting tables presented in “6.3 AAA Troubleshooting Basics” and the example scenarios 

presented in “6.4 Troubleshooting Scenarios” generally follow this methodology in listing typical 

symptoms, and provide associated problems and diagnostics measures. 

6.2.2 Cisco IOS Debug Command Summary 

Output from Cisco IOS debug commands provide a valuable source of information and feedback 

concerning state transitions and functions within the AAA subsystem environment. 

Use the debug commands that follow for capturing AAA-related transitions and functions: 

• debug condition user username 

Enabling this debug command sets conditional debugging for a specific user and generates output 

debugs related to the user. This command is helpful in an enterprise environment for 

troubleshooting. 

• debug aaa authentication 

Enabling this debug command displays authentication information withTACACS+ and RADIUS 

client/server interaction. 

• debug aaa authorization 

Enabling this debug command displays authorization information withTACACS+ and RADIUS 


• debug aaa accounting 

Enabling this debug command displays accounting information withTACACS+ and RADIUS 


• debug tacacs 

Enabling this debug command displays TACACS+ interaction between IOS client and AAA Server. 

• debug radius 


6-7


Chapter 6 


Enabling this debug command displays RADIUS interaction between the IOS client and the AAA 

server. 

In addition to debug command output gathered directly from devices running Cisco IOS, a Cisco AAA 

server can be configured to collect important operational diagnostics. 

Go to the following link for information regarding configuring and using CSU ACS logs: 

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23rg/troubles.htm 


AAA operational diagnostic activity for access environments is divided into the following basic areas: 

• Dial-based versus router-based access 

• Local versus server access 

• Authentication and authorization processes 

These three areas can be associated with eightunderlying diagnostic situations which are addressed in 

the following subsections: 

• 6.3.1 Troubleshooting Dial-Based Local Authentication 

• 6.3.2 Troubleshooting Dial-Based Server Authentication 

• 6.3.3 Troubleshooting Dial-Based Local Authorization 

• 6.3.4 Troubleshooting Dial-Based Server Authorization 

• 6.3.5 Troubleshooting Router-Based Local Authentication 

• 6.3.6 Troubleshooting Router-Based Server Authentication 

• 6.3.7 Troubleshooting Router-Based Local Authorization 

• 6.3.8 Troubleshooting Router-Based Server Authorization 

The following sections address each of the diagnostic topics separately. Detailed scenarios are provided 

in “6.4 Troubleshooting Scenarios.” 

The diagnostics summaries address the troubleshooting process using three basic stages: 

1. Identifying symptoms 

2. Isolating problems 

3. Resolving problems 

Each diagnostic table includes suggestions for identifying and isolating problems. Diagnostic 

information is provided in “6.4 Troubleshooting Scenarios.” Specific diagnostic output is included to 

illustrate how network entities react to failures and how to discern specific failures. 

Note 

Some of the symptoms described in the following tables can be caused by a variety of 

problems other than AAA issues. Because this case study focuses on AAA-based security 

topics, the problems and diagnostics provided here focus on AAA issues. 

6-8 


Chapter 6 



6.3.1 Troubleshooting Dial-Based Local Authentication 

The following symptoms are addressed in separate tables in this section: 

• Single User Failure; Individual Dial-in User Connection Fails 

• Multiple User Failure; All Dial-in Users Unable to Connect to NAS 

Table 6-1 

Single User Failure; Individual Dial-in User Connection Fails 

Problem 

Suggested Diagnostic Steps 

User entered invalid username or password. 1. To verify local account, enter: 

#debug aaa authentication 

Test login with username/password. 

Look for “user not found” or “password 

validation” failure. 

2. If user is not found, add the user. If password 

validation failure, reenter login with 

username and password combination. 

Table 6-2 

Multiple User Failure; All Dial-in Users Unable to Connect to NAS 

Problem 


AAA behavior configured incorrectly in NAS. 1. Enter this diagnostic command in NAS: 


2. To verify local authentication is configured 

correctly, enter: 

#show running-config 

3. Verify inclusion of one of these commands: 


or 

Shell initiated PPP session passes, but is torn 

down. 

aaa authentication login ppp default local 

1. Enter this diagnostic command in NAS: 


2. To verify AAA is configured correctly in 

NAS, enter: 


3. Verify inclusion of this command: 

aaa authentication ppp default if-needed 

local 


6-9


Chapter 6 


6.3.2 Troubleshooting Dial-Based Server Authentication 


• Single User Failure; Individual User Unable to Make Connection (RADIUS and TACACS+) 

• Multiple User Failure; All Dial-in Users Unable to Connect to NAS (RADIUS and TACACS+) 

Table 6-3 

Single User Failure; Individual User Unable to Make Connection (RADIUS andTACACS+) 

Problem 


User name not in server database. 1. To verify user is in database, enter: 

$/opt/ciscosecure/CLI/ViewPr 

ofile –p 9900 –u username 

User entered password incorrectly. 1. Verify password case-sensitivity. 

2. MonitoruseractivityinAAAserver: 

$tail –f 

/var/log/csuslog|grep username 

User profile configured incorrectly. The error 

message “bad method for user” reported in 

csuslog file. 

User account disabled due to too many failed 

logins. 

3. Review csuslog file for errors (for example, if 

user is configured for OTP, verify 

PASSCODE is accepted from OTP server. 

4. Reset user password or synchronize 

PASSCODE if needed. 

1. To verify user profile is programmed with 

correct password type, enter: 



2. Verify user profile privilege is sufficient to 

perform task. 

3. Verify profile is configured for correct 

password type. For example, PAP for OTP. 

1. To view user profile, enter: 

$/opt/ciscosecure/utils/bin/ 

ViewProfile -p 9900 -u username 

2. Verify that the profile is not disabled. If it is 

disabled, compare set server 

current-failed-login counters to max failed 

login setting in CSU.cfg file. 

3. If these attributes are the same, reset user 

profile status to enabled and reset the set 

server current-failed-login counter by using 

the web-based administration utility. 

6-10 


Chapter 6 



Table 6-3 

Single User Failure; Individual User Unable to Make Connection (RADIUS andTACACS+) 

Problem 


User account password or profile expired. 1. To view profile, enter: 



2. For TACACS+: Look for expiration in 

profile, such as: 

expires = "24 Jan 2000" 

3. For RADIUS: Look for expiration in profile, 

such as: 

Password-Expiration = "24 Jan 2000" 

User workstation configured incorrectly. 1. Review user dialup networking setup. 

2. To review user profile, enter: 



User exceeded the maximum number of 

concurrent sessions. 

3. Check for setup for parameter such as 

“Requires encrypted password.” 

To review user profile, enter: 



For TACACS+, look for this AVP: 

max-sessions 

For RADIUS, look for this AVP: 

Maximum-Channels 


6-11


Chapter 6 


Table 6-4 

Multiple User Failure; All Dial-in Users Unable to Connect to NAS (RADIUS and 

TACACS+) 

Problem 

Connection between NAS and AAA server is 

down. 

TACACS+ or RADIUS key incorrect in NAS or 

AAA server. 


Verify network connectivity between NAS and 

AAA server. Enter these diagnostic commands in 

NAS: 

#show tacacs 

#debug tacacs 

#debug radius 

#ping CSU-server-name 

Review NAS and CSU configurations for shared 

secret. 

In NAS, enter: 


In AAA server, enter: 

$grep NAS-IP-Address 

/opt/ciscosecure/config/CSU.cfg 


Maximum number of users exceeded. 1. Verify license key is entered correctly in 

AAA server. Enter the following commands 

at the CSUserver: 

$grep license-key 


2. To review expiration date of license key, 

enter: 



6-12 


Chapter 6 



Table 6-4 

Multiple User Failure; All Dial-in Users Unable to Connect to NAS (RADIUS and 

TACACS+) 

Problem 

Group profile password type does not match type 

specified in NAS group-async or dialer interface 

configuration (for example, PPP authentication 

PAP). 

Shell initiated PPP session passes, but is torn 

down. 


1. To review NAS configuration, enter: 

# show running-config 

2. Verify group-async or dialer interface is 

configured with correct password type. For 

example, for OTP, PAP must be specified. 

3. Verify group profile matches group-async or 

dialer interface configuration in NAS. 



2. To verify correct AAA configuration is 

configured in NAS, enter: 


3. Verify these commands are included in the 

NAS configuration: 


tacacs+ 

or 


radius 

6.3.3 Troubleshooting Dial-Based Local Authorization 


• User Cannot Start PPP 

• Network Authorization Fails 

• Unable to Access Specific Host or Network Service 

• Multilink Fails 

Table 6-5 

User Cannot Start PPP 

Problem 

User client configuration error. 


Refer to MS troubleshooting chapter: 

http://support.microsoft.com/support/kb/arti 

cles/Q130/0/79.asp?LNG=ENG&SA=ALLK 

B 


6-13


Chapter 6 


Table 6-6 

Network Authorization Fails 

Problem 

Attribute-value pairs (AVPs) not assigned 1 . 



#debug aaa authorization 

1. AAA authorization only supported on shell sessions with local accounts. 


NAS, enter: 



aaa authorization exec default local 

Table 6-7 

Unable to Access Specific Host or Network Service 

Problem 


Access list assigned to user. 1. Verify local account not restricted with 

access-class AVP: 


2. Enter these NAS commands to determine 

whether access list is assigned to user: 

#show caller user userid detail 

#show line 

3. To review access list with this NAS 

command, enter: 

#show access-list ACL-number 

Table 6-8 

Multilink Fails 

Problem 

User profile restricted. 


To verify user account is not restricted by 

inclusion of max-links AVP, enter: 


ofile -p 9900 -u username 

6-14 


Chapter 6 



6.3.4 Troubleshooting Dial-Based Server Authorization 


• Multiple Users Cannot Start PPP (RADIUS and TACACS+) 

• Network Authorization Fails (RADIUS and TACACS+) 

• User or Group Members Unable to Access Specific Host or Network Service (RADIUS and 

TACACS+) 

• Multilink Fails (TACACS+) 

• Multilink Fails (RADIUS) 

• Session Fails to Disconnect After Expected Idle Timeout (TACACS+) 

• Session Fails to Disconnect After Expected Idle Timeout (RADIUS) 

• No EXEC Shell for TACACS+ 

• No EXEC Shell for RADIUS 

• Cannot Start Concurrent Sessions (TACACS+) 

• Cannot Start Concurrent Sessions (RADIUS) 


6-15


Chapter 6 


Table 6-9 

Multiple Users Cannot Start PPP (RADIUS and TACACS+) 

Problem 

AAA authorization configured incorrectly in 

NAS. 





NAS, enter: 



aaa authorization network default group 

tacacs+ 


radius 

Does not have PPP service assigned. 1. To view group profile, enter: 

or 


ofile –p 9900 –g groupname 

2. For TACACS+, verify the following 

commands are assigned to group: 

service=ppp 

protocol=lcp 

protocol=ip 

3. For RADIUS, verify the following commands 

are assigned to group: 

Service-Type=Framed 

Group lacks shell service assigned (EXEC 

shell-initiated PPP session only). 

Framed-Protocol=ppp 

1. To view group profile, enter: 



2. For TACACS+, verify the following 

command is assigned to group: 

service=shell 

3. For RADIUS, verify the following command 

is assigned to group: 

User-Service-Type (Shell-User) 

6-16 


Chapter 6 



Table 6-10 

Network Authorization Fails (RADIUS and TACACS+) 

Problem 


AVPs not assigned. 1. Enter this diagnostic command in NAS: 



NAS, enter: 




tacacs+ 

or 


radius 

Table 6-11 

User or Group Members Unable to Access Specific Host or Network Service (RADIUS 

and TACACS+) 

Problem 


Access list assigned to user. 1. To view group profile, enter: 



Verify group account not restricted with inacl 

AVP. 

2. Enter these NAS commands to determine 

whether access list is assigned to user: 

#show caller user userid detail 

#show line 

3. Review access list with this NAS command: 

#show access-list ACL-number 


6-17


Chapter 6 


Table 6-12 

Multilink Fails (TACACS+) 

Problem 


User or group profile lacks proper AVP. 1. To verify group account includes 

protocol=multilink AVP assigned, enter: 



User or group profile restricted. 

2. Review profile for load-threshold AVP and 

whether it is configured properly. 

To verify group account not restricted with 

max-links AVP, enter: 



Table 6-13 

Multilink Fails (RADIUS) 

Problem 

User or group profile lacks proper AVP. 

User or group profile restricted. 


To verify group account includes 

framed-protocol=multilink AVP assigned, 

enter: 



To verify group account not restricted with 

max-links AVP, enter: 



Table 6-14 

Session Fails to Disconnect After Expected Idle Timeout (TACACS+) 

Problem 

The idletime AVP not configured on group 

profile. 


To verify group account includes idletime AVP 

assigned, enter: 



Table 6-15 

Session Fails to Disconnect After Expected Idle Timeout (RADIUS) 

Problem 

The Idle-Timeout AVP not configured on group 

profile. 


To verify group account includes Idle-Timeout 

AVP assigned, enter: 



6-18 


Chapter 6 



Table 6-16 

No EXEC Shell for TACACS+ 

Problem 

User or group lacks service=shell AVP assigned. 


To verify service=shell isassignedtouseror 

group, enter: 





Table 6-17 

No EXEC Shell for RADIUS 

Problem 

User or group does not have User-Service-Type 

AVP assigned. 


To verify User-Service-Type (Shell-User) is 

assignedtouserorgroup,enter: 





Table 6-18 

Cannot Start Concurrent Sessions (TACACS+) 

Problem 

User exceeds the maximum number of concurrent 

sessions. 


1. To review the user profile, enter: 



2. Look for the following AVP: 

server max sessions 

Table 6-19 

Cannot Start Concurrent Sessions (RADIUS) 

Problem 


sessions. 






Maximum-Channels 

6.3.5 Troubleshooting Router-Based Local Authentication 



6-19


Chapter 6 


• Single User Failure; Individual Dial-in User Connection Fails 

• Multiple User Failure; All Dial-in Users Unable to Connect to Router 

• Users Can Access Router by Using Console or VTY, but Not Both 

Table 6-20 

Single User Failure; Individual Dial-in User Connection Fails 

Problem 


User entered invalid username or password. 1. To verify local account, enter: 


2. Test login with username/password. 

3. Look for user not found or password 

validation failure. 

Table 6-21 

Multiple User Failure; All Dial-in Users Unable to Connect to Router 

Problem 


AAA behavior configured incorrectly in router. 1. Enter this diagnostic command in router: 


2. To verify local authentication is configured 

correctly, enter: 



aaa authentication login/ppp default local 

6-20 


Chapter 6 



Table 6-22 

Users Can Access Router by Using Console or VTY, but Not Both 

Problem 


Incorrect AAA configuration in router. 1. Enter this diagnostic command in router: 



router, enter: 


3. Verify method used for console 

authentication matches VTY method. 

For example: 

• AAA configuration: 

aaa authentication login listname group 

tacacs+ 

• Console line configuration: 

line con 0 

login authentication listname 

• VTY line configuration: 

line vty 0 4 


6.3.6 Troubleshooting Router-Based Server Authentication 


• Single User Failure; Individual User Unable to Make a Connection 

• Multiple User Failure; All Dial-In Users Unable to Connect to the Router 

• Users Pass Authentication on Console or VTY, but Not Both 


6-21


Chapter 6 


Table 6-23 

Single User Failure; Individual User Unable to Make a Connection 

Problem 


User name not in server database. 1. To verify user is in database, enter: 



User entered password incorrectly. 1. Verify password case sensitivity. 

2. TomonitoruseractivityinAAAserver,enter: 

$tail –f 

/var/log/csuslog|grep username 

User profile configured incorrectly. The error 

message “bad method for user” reported in 

csuslog file. 

User account disabled due to too many failed 

logins. 

3. Review csuslog file for errors. 

1. To verify user profile is programmed with 

correct password type, enter: 



2. Verify user profile privilege is sufficient to 

perform task. 

3. Verify profile is configured for correct 

password type. For example, DES or clear 

text. 

1. To view user profile, enter: 



2. Verify that the profile is not disabled. If it is 

disabled, compared set server 

current-failed-login counters to max failed 

login setting in CSU.cfg file. 

3. If these attributes are the same, reset user 

profile status to enabled and reset the set 

server current-failed-login counter by using 

the web-based administration utility. 

User account password or profile expired. 1. To view profile, enter: 




sessions. 

2. Look for expiration in profile, such as: 

expires = "24 Jan 2000" 





server max sessions 

6-22 


Chapter 6 



Table 6-24 

Multiple User Failure; All Dial-In Users Unable to Connect to the Router 

Problem 

Connection between router and AAA server 

down. 

TACACS+ key incorrect in router or AAA server. 


Verify network connectivity between router and 

AAA server. Enter these diagnostic commands in 

router: 

#show tacacs 

#debug tacacs 

#debug radius 

#ping CSU-IP-address 

Review router and CSU configurations for shared 

secret. 

In the router, enter: 


In the AAA server, enter: 

$grep router-IP-address 


Maximum number of users exceeded. 1. Verify license key is entered correctly in 

AAA server. Enter the following commands 

at the CSUserver: 



2. To review the expiration date of the license 

key, enter: 




6-23


Chapter 6 


Table 6-25 

Users Pass Authentication on Console or VTY, but Not Both 

Problem 

Incorrect AAA configuration in 

router. 


1. Enter this diagnostic command in router: 


2. To verify AAA is configured correctly in router, enter. 


3. Verify method used for console authentication matches VTY 

method. 

For example: 

• AAA configuration: 

aaa authentication login listname group tacacs+ 

• Console line configuration: 

line con 0 


• VTY line configuration: 

line vty 0 4 


6.3.7 Troubleshooting Router-Based Local Authorization 


• User Fails Router Command 

• User Disconnected After Entering a Password 

• Users Access Incorrect Privilege Level Commands 

• Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is 

Disconnected” 

6-24 


Chapter 6 



Table 6-26 

User Fails Router Command 

Problem 


AAA configuration error. 1. Enter this diagnostic command in router to 

determine method of authorization and 

failure: 



router, enter: 


User profile lacks appropriate privilege level to 

perform command. 

User profile lacks appropriate enable level to 


Example: 

If aaa authorization commands is used, ensure 

method specified is local. 

To review privilege configuration in router, enter: 


Example: 

Cisco IOS command aaa authorization 

commands 15 default local is used, but user does 

not have a corresponding privilege level assigned. 

To review enable privilege level configuration in 

router, enter. 


Example of relevant Cisco IOS commands: 

aaa authentication enable default local 

enable 15 secret 

enable 10 secret2 

In this example, users at enable level 10 cannot 

perform privilege level 15 commands. 

Table 6-27 

User Disconnected After Entering a Password 

Problem 

Authorization failed service. Looks like an 

authentication problem, but is an authorization 

failure. 


To review AAA configuration, enter: 


If aaa authorization exec command specifies 

method other than local, user fails shell access. 

For example, aaa authorization exec default 

tacacs+ results in local user failing authorization. 


6-25


Chapter 6 


Table 6-28 

Users Access Incorrect Privilege Level Commands 

Problem 


AAA behavior incorrectly configured. 1. Enter this diagnostic command in router to 

determine level of command authorization: 


2. To review AAA configuration in router, enter: 


3. Verify AAA configured properly in router. 

For example: 


local 

Table 6-29 

Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is 


Problem 

The autocommand ppp negotiate command 

assigned to user. 


1. To review correct configuration is configured 

in router, enter: 


Look for autocommand ppp negotiate 

command assigned to user. 

2. Delete autocommand ppp negotiate if 

appropriate. 

6.3.8 Troubleshooting Router-Based Server Authorization 


• User Fails Router Command 

• User Disconnected After Entering Password 

• Users Access Incorrect Privilege Level Commands 

• Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is 


• Router User Unable to Initiate Shell Session with Router 

• AVPs Not Working on Console Port 

6-26 


Chapter 6 



Table 6-30 

User Fails Router Command 

Problem 


AAA configuration error. 1. Enter this diagnostic command in router to 

determine method of authorization and 

failure: 


2. To review AAA configuration in router, enter: 


User profile lacks appropriate privilege level to 


User profile lacks appropriate enable privilege 

level to perform command. 

Example: 

If aaa authorization commands is used, ensure 

method specified is tacacs+. 

To view user profile for appropriate priv-lvl=x 

AVP, enter: 



To view user profile for appropriate enable 

privilege level, enter: 



For example: 

privilege = des "********" 15 

Table 6-31 

User Disconnected After Entering Password 

Problem 

Authorization failed service. 


To review AAA configuration, enter: 


If aaa authorization exec command specifies 

method other than TACACS+, user fails shell 

access. 

For example, aaa authorization exec default 

local results in TACACS+ user failing 



6-27


Chapter 6 


Table 6-32 

Users Access Incorrect Privilege Level Commands 

Problem 


AAA behavior incorrectly configured. 1. Enter this diagnostic command in router to 

determine level of command authorization: 



router, enter 


User profile configured incorrectly. 

Example of relevant Cisco IOS command: 


group tacacs+ 

To view user profile for appropriate priv-lvl=x 

AVP, enter: 



Table 6-33 

Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is 


Problem 

The autocommand ppp negotiate AVP assigned 

to user. 


1. To view user profile for inclusion of 

autocommand ppp negotiate AVP assigned 

to user, enter: 



2. Delete autocommand ppp negotiate if 

appropriate. 

Table 6-34 

Router User Unable to Initiate Shell Session with Router 

Problem 

Lack of service=shell AVP; user sees 

“Authorization failed service” error message. 


To view user profile for inclusion of service=shell 

AVP, enter: 



Table 6-35 

AVPs Not Working on Console Port 

Problem 

Feature is not supported on console ports. 


None. Feature not supported. 

6-28 


Chapter 6 




The following example troubleshooting scenarios elaborate the process of diagnosing, correcting, and 

testing several problems addressed in “6.3 AAA Troubleshooting Basics”: 

• 6.4.1 Isolating Incorrect TACACS+ Key in NAS or AAA Server (TACACS+ Dial-Based Server 

Authentication) 

• 6.4.2 Isolating Invalid User Password (TACACS+ Dial-Based Server Authentication) 

• 6.4.3 Isolating Non-Existent User (TACACS+ Dial-Based Server Authentication) 

• 6.4.4 Isolating Missing PPP Service Definition (TACACS+ Dial-Based Server Authorization) 

• 6.4.5 Isolating Defined AVPs not Being Assigned (TACACS+ Dial-Based Server Authorization) 

• 6.4.6 Isolating Missing Shell Service Definition (TACACS+ Dial-Based Server Authorization) 

• 6.4.7 Isolating Incorrect PPP Reply Attributes (RADIUS Dial-Based Server Authorization) 

6.4.1 Isolating Incorrect TACACS+ Key in NAS or AAA Server (TACACS+ 

Dial-Based Server Authentication) 

This scenario focuses on a server-authentication failure for a dial-based connection and provides a 

statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics 

include output from relevant debug commands and other troubleshooting tools. See Tabl e6-4 for 

additional related problems. 

Symptom 

Multiple user failure; all dial-in users unable to connect to NAS. See Tabl e6-4. 

Possible Cause TACACS+ key incorrect in NAS or AAA server. See Table 6-4. 

Action 

Complete troubleshooting steps to isolate and resolve this possible cause. 

Step 1 

Step 2 

Gather general debug command information from the NAS. The following output is from a debug aaa 

authentication command executed on a NAS. The last line of this debug output shows the failure 

expressed for user dial_tac. 

088189: Jan 27 18:37:22.972 CST: AAA/MEMORY: create_user (0x61D7A2E0) user=’’ ruser=’’ 

port=’tty51’ rem_addr=’172.22.2.3’ authen_type=ASCII service=LOGIN priv=1 

088190: Jan 27 18:37:22.976 CST: AAA/AUTHEN/START (953379418): port=’tty51’ list= =30356 

25154 

088203: Jan 27 18:37:26.216 CST: TAC+: ver=192 id=3035625154 received AUTHEN status = 

GETPASS 

088204: Jan 27 18:37:26.216 CST: AAA/AUTHEN (3035625154): status = GETPASS 

088205: Jan 27 18:37:30.337 CST: AAA/AUTHEN/CONT (3035625154): continue_login 

(user=’dial_tac’) 


088207: Jan 27 18:37:30.337 CST: AAA/AUTHEN (3035625154): Method=ADMIN (tacacs+) 

088208: Jan 27 18:37:30.337 CST: TAC+: send AUTHEN/CONT packet id=3035625154 


FAIL 

Enter the following command to assess warnings and errors reported in the AAA server log file: 



6-29


Chapter 6 


The AAA server log file reports the following warning when no key is specified (indicating that there 

is no encryption key): 

Jan 27 18:35:17 coachella CiscoSecure: WARNING - Insecure configuration: No encryption 

key for NAS 

Step 3 

Review NAS configurations for shared secret configuration. To obtain the NAS configuration, enter: 


The following configuration fragment specifies the TACACS+ server and key. In this case, the key is 

bobbit. 

tacacs-server host 172.22.53.201 key bobbit 

Review the AAA server configuration for the corresponding server shared secret configuration. View 

the CSU.cfg file with vi (or a similar tool): 

$vi /opt/ciscosecure/config/CSU.cfg 

Find the key configuration in the CSU.cfg AAA server configuration file and review it for the NAS 

specification. In this example, this configuration is missing. 

NAS config_nas_config = 

{ 

{ 

"172.22.53.201", 

"", 

Step 4 

If the key is properly configured, it appears between the quotation marks following the IP address 

specification. In this case, the key is missing. Because it is not specified in the AAA server 

configuration file, users’ access is blocked. 

Update key specifications and restart the AAA server. Verify successful dialup operation. 

6.4.2 Isolating Invalid User Password (TACACS+ Dial-Based Server 

Authentication) 



include output from relevant debug commands and other troubleshooting tools. See Table 6-3 for 


Symptom 

Single user failure; individual dial-in user unable to connect to NAS. See Tabl e6-3. 

Possible Cause User enters invalid password. See Table 6-3. 

Action 


Step 1 


authentication command executed on a NAS. This command results in a stream of diagnostic output. 

6-30 


Chapter 6 



The last line in the following output shows the AAA authentication request sent to AAA server for user 

dial_tac: 



(user=’dial_tac’) 

The NAS receives FAIL from AAA server for user: 




092857: Jan 27 22:19:08.185 CST: TAC+: ver=192 id=543609479 received AUTHEN status = FAIL 

092858: Jan 27 22:19:08.185 CST: AAA/AUTHEN (543609479): status = FAIL 

The user session is torn down and AAA process is freed: 

092859: Jan 27 22:19:10.185 CST: AAA/MEMORY: free_user (0x61D87A70) user=’dial_tac’ 

ruser=’’ port=’tty51’ rem_addr=’172.22.2.3’ authen_type=ASCII service=LOGIN 

priv=1 

Step 2 

Enter the tail command to assess warning and errors reported in the AAA server log file: 


In this case, the AAA server log reports an incorrect password for user dial_tac: 

Jan 27 22:19:08 coachella CiscoSecure: NOTICE - Authentication - Incorrect password; [NAS 

= 172.22.63.1, Port = tty51, User = dial_tac, Service = 1, Priv = 1] 

Jan 27 22:19:08 coachella CiscoSecure: INFO - Profile: user = dial_tac { 

Jan 27 22:19:08 coachella set server current-failed-logins = 1 

Note 

Following the failure, the current-failed-login counter increments. This counter 

is described in Table 6-3. 

Step 3 

If the user does not exist in the database (but should), create a new user, or provide feedback if password 

or login were entered incorrectly by the user. 

6.4.3 Isolating Non-Existent User (TACACS+ Dial-Based Server Authentication) 



include output from relevant debug commands and other troubleshooting tools. See Tabl e6-3 for 


Symptom 

Single user failure; individual dial-in user unable to connect to NAS. See Tabl e6-3. 

Possible Cause User does not exist in the database. See Table 6-3. 

Action 


Step 1 


authentication command executed on a NAS. 


6-31


Chapter 6 


The following output fragment shows the AAA process starting on NAS. 

092794: Jan 27 22:15:39.132 CST: AAA/MEMORY: create_user (0x61D87A70) user=’’ ruser=’’ 

port=’tty51’ rem_addr=’172.22.2.3’ authen_type=ASCII service=LOGIN priv=1 

092795: Jan 27 22:15:39.132 CST: AAA/AUTHEN/START (3576082779): port=’tty51’ 

list=’INSIDE’ action=LOGIN service=LOGIN 

GETPASS is sent to AAA server for verification for user dial_test: 

092806: Jan 27 22:15:41.132 CST: AAA/AUTHEN/START (3285027777): Method=ADMIN (tacacs+) 

092807: Jan 27 22:15:41.132 CST: TAC+: send AUTHEN/START packet ver=192 id=32850=27777 


GETPASS 



(user=’dial_test’) 



The NAS then receives the authenticationFAIL message from the AAA server: 



FAIL 

092815: Jan 27 22:15:43.540 CST: AAA/AUTHEN (3285027777): status = FAIL 

The session is torn down and AAA process is freed: 

092816: Jan 27 22:15:45.540 CST: AAA/MEMORY: free_user (0x61D87A70) user=’dial_test’ 

ruser=’’ port=’tty51’ rem_addr=’172.22.2.3’ authen_type=ASCII service=LOGIN priv=1 

092817: Jan 27 22:15:45.540 CST: AAA: parse name=tty51 idb type=-1 tty=-1 

092818: Jan 27 22:15:45.540 CST: AAA: name=tty51 flags=0x11 type=5 shelf=0 slot 

Step 2 

Enter the following command to assess warning and errors reported in the AAA server log file: 


AAA server log file shows that the AAA server did not find user dial_test in cache (profile caching is 

enabled): 

Jan 27 22:15:41 coachella CiscoSecure: DEBUG - Profile USER = dial_test not found in 

cache. 

The AAA server log file also shows that AAA server did not find user in the database; next, the AAA 

server conducts a search for the unknown_user account: 

Jan 27 22:15:41 coachella CiscoSecure: WARNING - User dial_test not found, using 

unknown_user 

AAA server finally again reports user not found after exhausting its search: 

Jan 27 22:15:41 coachella CiscoSecure: DEBUG - Password: 

Jan 27 22:15:43 coachella CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (c3cd8bc1) 

Jan 27 22:15:43 coachella CiscoSecure: DEBUG - Authentication - User not found; 

[NAS = 172.22.63.1, Port = tty51, User = dial_test, Service = 1] 

Step 3 

Enter the following command to view a user profile in the database: 

$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u dial_test 

Error: Unable to find profile 

RC = 3 

6-32 


Chapter 6 



Step 4 

If the user does not exist in the database (but should), create a new user, or provide feedback if password 

or login were entered incorrectly by the user. 

6.4.4 Isolating Missing PPP Service Definition (TACACS+ Dial-Based Server 

Authorization) 

This scenario focuses on a server-authorization failure for a dial-based connection and provides a 




Symptom Multiple users cannot start PPP. See Table 6-9. 

Possible Cause Group does not have service=ppp AVP assigned. See Table 6-9. 

Action 


Step 1 

Step 2 


authentication command executed on a NAS. The following output fragment shows the PPP service 

authorization request being initiated for user dial_tac; then, being denied by the AAA server: 

111802: Feb 3 20:48:53.015 CST: As2 AAA/AUTHOR/LCP (153050196): send AV service=ppp 

111803: Feb 3 20:48:53.015 CST: As2 AAA/AUTHOR/LCP (153050196): send AV protocol=lcp 

111804: Feb 3 20:48:53.015 CST: As2 AAA/AUTHOR/LCP (153050196): found list "default" 

111805: Feb 3 20:48:53.015 CST: As2 AAA/AUTHOR/LCP (153050196): Method=tacacs+(tacacs+) 

111806: Feb 3 20:48:53.015 CST: AAA/AUTHOR/TAC+: (153050196): user=dial_tac 

111807: Feb 3 20:48:53.015 CST: AAA/AUTHOR/TAC+: (153050196): send AV service=ppp 

111808: Feb 3 20:48:53.015 CST: AAA/AUTHOR/TAC+: (153050196): send AV protocol=lcp 

111809: Feb 3 20:48:53.219 CST: As2 AAA/AUTHOR (153050196): Post authorization status = 

FAIL 

111810: Feb 3 20:48:53.219 CST: As2 AAA/AUTHOR/LCP: Denied 



AAA server log file shows that the AAA server successfully authenticated the user, but that the PPP 

service request was denied due to an authorization failure: 

Feb 3 20:48:58 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 

172.22.63.1, Port = Async2, User = dial_tac, Priv = 1] 

Feb 3 20:48:58 coachella CiscoSecure: DEBUG - AUTHORIZATION request (468d69de) 

Feb 3 20:48:58 coachella CiscoSecure: DEBUG - Authorization - Failed service; [ 

NAS = 172.22.63.1, user = dial_tac, port = Async2, input: service=ppp protocol=lcp 

output: ] 

Step 3 

Add service=ppp and related AVPs protocol=ip and protocol=lcp. 


6-33


Chapter 6 


6.4.5 Isolating Defined AVPs not Being Assigned (TACACS+ Dial-Based Server 






Symptom Network authorization fails. See Table 6-10. 

Possible Cause AVPs not assigned. See Table 6-10. 

Action 


Step 1 

Step 2 

Step 3 

Review the group profile. In this case, the group profile shows inacl=110 is assigned to the 

aaa_test_group profile: 

$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g aaa_test_group 


group = aaa_test_group{ 



service=ppp { 

protocol=ip { 

inacl=110 

} 


} 

} 

} 


authentication command executed on a NAS. The following output fragment shows that noAAA 

authorization for service=net taking place. 

112037: Feb 3 21:18:04.994 CST: AAA/MEMORY: create_user (0x61DF0AE8) user=’dial_tac’ 

ruser=’’ port=’Async5’ rem_addr=’async/81560’ authen_type=PAP service=PPP priv=1 



The following log file fragment confirms that access is permitted with no AAA authentication. 

Feb 3 21:18:05 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 

172.22.63.1, Port = Async5, User = dial_tac, Priv = 1] 

Feb 3 21:18:05 coachella CiscoSecure: INFO - Profile: user = dial_tac { 

Feb 3 21:18:05 coachella set server current-failed-logins = 0 

Feb 3 21:18:05 coachella profile_cycle = 12 

Feb 3 21:18:05 coachella } 

Step 4 

Add aaa authorization network default group tacacs+ global command to the NAS configuration. 

6-34 


Chapter 6 



6.4.6 Isolating Missing Shell Service Definition (TACACS+ Dial-Based Server 






Symptom No EXEC shell (terminal window after dial). See Table 6-16. 

Possible Cause User or group does not have service=shell AVP assigned. See Table 6-16. 

Action 


Step 1 


authentication command executed on a NAS. The following output fragment shows the request sent to 

AAA server to start service=shell: 

092730: Jan 27 21:57:41.355 CST: tty52 AAA/AUTHOR/EXEC (3818889333): Port=’tty52’ 

list=’INSIDE’ service=EXEC 

092738: Jan 27 21:57:41.355 CST: tty52 AAA/AUTHOR/EXEC (3818889333): Method=ADMIN 

(tacacs+) 

092739: Jan 27 21:57:41.355 CST: AAA/AUTHOR/TAC+: (3818889333): user=dial_tac 

092740: Jan 27 21:57:41.355 CST: AAA/AUTHOR/TAC+: (3818889333): send AV service=shell 

The following output fragments illustrate notification of the failure from AAA server for service=shell: 

092741: Jan 27 21:57:41.355 CST: AAA/AUTHOR/TAC+: (3818889333): send AV cmd* 

092742: Jan 27 21:57:41.559 CST: AAA/AUTHOR (3818889333): Post authorization status = 

FAIL 

The following fragment illustrates the Authorization FAILED message being detected by the debug aaa 

authorization process: 

092743: Jan 27 21:57:41.559 CST: AAA/AUTHOR/EXEC: Authorization FAILED 

092744: Jan 27 21:57:43.559 CST: AAA/MEMORY: free_user (0x61D87A70) user=’dial_tac’ 

ruser=’’ port=’tty52’ rem_addr=’172.22.2.3’ authen_type=ASCII service=LOGIN priv=1 

Step 2 



In this case, the authentication succeeds for user dial_tac, as illustrated in the following csuslog file 

fragment: 

Jan 27 21:57:40 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 

172.22.63.1, Port = tty52, User = dial_tac, Priv = 1] 

However, the csuslog file also shows that the authorization failed service for user dial_tac because the 

service=shell AVP is not assigned: 

Jan 27 21:57:40 coachella CiscoSecure: DEBUG - 

Jan 27 21:57:41 coachella CiscoSecure: DEBUG - AUTHORIZATION request (e39fa075) 

Jan 27 21:57:41 coachella CiscoSecure: DEBUG - Authorization - Failed service; [NAS = 

172.22.63.1, user = dial_tac, port = tty52, input: service=shell cmd* output: ] 


6-35


Chapter 6 


Step 3 

Step 4 

Enter the following command to review the user profile. This profile shows that the AVP service=shell 

is not assigned to user dial_tac: 

$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u dial_tac 


user = dial_tac{ 



member = aaa_test_group 



} 

Assign service=shell AVP. 

6.4.7 Isolating Incorrect PPP Reply Attributes (RADIUS Dial-Based Server 


This scenarios focuses on a server-authorization failure for a dial-based connection using the RADIUS 

protocol and provides a statement of a symptom, suggests a specific problem, and summarizes 

diagnostic steps. Diagnostics include output from relevant debug commands and other troubleshooting 

tools. See Table 6-9 for additional related problems. 

Symptom PPP session is not established. See Table 6-9. 

Possible Cause User or group does not have correct PPP reply attributes. See Table 6-9. 

Action 


Step 1 

Step 2 


authentication command executed on a NAS. The following fragment illustrates the Authorization 

FAILED message being detected by the debug aaa authorization process: 

*Apr 5 23:12:28.228: AAA/AUTHOR/EXEC: Authorization FAILED 

*Apr 5 23:12:30.228: AAA/MEMORY: free_user (0x612311BC) user='rad_dial' ruser='' 

port='tty4' rem_addr='408/3241933' authen_type=ASCII service=LOGIN priv=1 

*Apr 5 23:12:30.936: %ISDN-6-DISCONNECT: Interface Serial0:0 disconnected from unknown 

, call lasted 61 seconds 

*Apr 5 23:12:30.980: %LINK-3-UPDOWN: Interface Serial0:0, changed state to down 

Enter the tail command to assess warning and errors reported in the AAA server log file: 


In this case, the authorization fails for user rad_dial, as illustrated in the following csuslog file 

fragment: 

Apr 6 15:14:03 sleddog CiscoSecure: INFO - RADIUS: Servicing requests from NAS 

(172.23.84.35), sending host 

6-36 


Chapter 6 



However, the csuslog file also shows that the authorization failed service for user dial_tac because the 

service=shell AVP is not assigned: 

Jan 27 21:57:40 coachella CiscoSecure: DEBUG - 

Jan 27 21:57:41 coachella CiscoSecure: DEBUG - AUTHORIZATION request (e39fa075) 

Jan 27 21:57:41 coachella CiscoSecure: DEBUG - Authorization - Failed service; [NAS = 

172.22.63.1, user = dial_tac, port = tty52, input: service=shell cmd* output: ] 

Step 3 

Enter the following command to view a user profile in the database: 





set server current-failed-logins = 0 





7=1 

9,1="ip:inacl=110" 

} 

} 

} 

Note In this profile, the missing reply_attribute is 6=2. 

Step 4 

Add the following RADIUS AVP: Frame-Protocol=ppp (entered as 6=2 in AddProfile command 

input). 


6-37


Chapter 6 


6-38 


APPENDIX 

A 

AAA Device Configuration Listings 

This appendix provides the following configuration listings: 

• A.1.1 Example Local-Based Router AAA Configuration 

• A.1.2 Example Server-Based TACACS+ NAS Configuration 

• A.1.3 Example Server-Based RADIUS NAS Configuration 

• A.4.1 CSU.cfg Listing 

• A.4.2 CSConfig.ini Listing 

• A.4.3 Oracle User Environment Variable 

• A.4.4 listener.ora Listing 

A.1 Sample Cisco IOS Configuration Listings 

The following listing represents the complete running configuration for the router and NAS used to 

illustrate AAA implementation in this solution guide. Listings are included for TACACS+ and RADIUS 

configurations. 


A-1


Appendix A 


A.1.1 Example Local-Based Router AAA Configuration 

The following example of a local-based router configuration includes both dial-in and EXEC shell 

access configurations. 

maui-rtr-03#show running-config 

Building configuration... 

Current configuration: 

! 

! Last configuration change at 09:19:35 CST Thu Apr 13 2000 by brownr 

! NVRAM config last updated at 09:14:55 CST Thu Apr 13 2000 by brownr 

! 

version 12.0 

service timestamps debug datetime msec localtime show-timezone 

service timestamps log datetime msec localtime show-timezone 

service password-encryption 

! 

hostname maui-rtr-03 

! 

no logging console 

aaa new-model 



aaa authorization exec default local 


aaa authorization commands 15 default local 


aaa accounting exec default start-stop group tacacs+ 


enable secret 5 xxxxxxxxxxxxxxxxx 

! 

username admin privilege 15 password 7 xxxxxxxxxxxx 

! 

! 

! 

clock timezone cst -6 

clock summer-time CST recurring 

ip subnet-zero 

ip domain-name maui-onions.com 

ip name-server x.x.x.x 

ip name-server x.x.x.x 

! 

! 

! 

! 

! 

! 

! 

interface Loopback0 

ip address 172.22.255.3 255.255.255.255 


! 

interface ATM1/0 

no ip address 


shutdown 

no atm ilmi-keepalive 

! 

interface Serial2/0 

ip address 10.10.10.1 255.255.255.0 


! 

A-2 


Appendix A 




no ip address 


shutdown 

! 


no ip address 


shutdown 

! 


no ip address 


shutdown 

! 

interface Ethernet3/0 

ip address 172.22.241.3 255.255.255.0 


ip summary-address eigrp 69 172.22.80.0 255.255.240.0 5 

! 


no ip address 


shutdown 

! 


no ip address 


shutdown 

! 


no ip address 


shutdown 

! 

interface FastEthernet4/0 

ip address 172.22.80.1 255.255.255.0 


ip summary-address eigrp 69 172.22.240.0 255.255.240.0 5 

half-duplex 

! 

router eigrp 69 

network 172.22.0.0 

! 

ip default-gateway 172.22.53.1 

ip classless 




! 

snmp-server engineID local 00000009020000D0BB7F5054 

snmp-server community cisco xx 

snmp-server community rules xx 

snmp-server trap-source Loopback0 

snmp-server contact 

snmp-server enable traps isdn call-information 

snmp-server enable traps isdn layer2 

snmp-server enable traps config 

snmp-server enable traps envmon 

tacacs-server host 172.22.53.201 key biteme 

tacacs-server key ciscorules 

! 

line con 0 



A-3


Appendix A 





transport input none 

line aux 0 

line vty 0 4 

! 

ntp clock-period 17179912 

ntp source Loopback0 

ntp update-calendar 

ntp server 172.22.255.1 

end 

A-4 


Appendix A 



A.1.2 Example Server-Based TACACS+ NAS Configuration 

The following example of a server-based NAS configuration includes both dial-in and EXEC shell 

access configurations for TACACS+ implementations: 

maui-nas-03#show running-config 



maui-nas-03#sh run 



! 

version 12.0 




! 

hostname maui-nas-03 

! 

aaa new-model 



aaa authentication ppp default if-needed group tacacs+ local 





aaa accounting exec default stop-only group tacacs+ 


aaa accounting network default start-stop group tacacs+ 

! 

username admin privilege 15 password 7 xxxxxxxxxxxxx 

username diallocal access-class 110 password 7 xxxxxxxxxxx 

username diallocal autocommand ppp 

spe 1/0 1/7 

firmware location system:/ucode/mica_port_firmware 

spe 2/0 2/7 


! 

! 

resource-pool disable 

! 

! 

! 

! 

! 

clock timezone CST -6 



no ip domain-lookup 


ip name-server 172.22.53.210 

! 

isdn switch-type primary-ni 

isdn voice-call-failure 0 

partition flash 2 24 8 

! 

! 

! 

controller T1 0 


A-5


Appendix A 


framing esf 

clock source line primary 

linecode b8zs 

pri-group timeslots 1-24 

! 


clock source line secondary 1 

! 



! 



! 



! 



! 



! 



! 

! 


ip address 172.22.87.3 255.255.255.255 


no ip route-cache 

no ip mroute-cache 

! 


ip address 172.22.83.1 255.255.255.0 




! 

interface Ethernet0 

no ip address 




shutdown 

! 

interface Serial0 

no ip address 





shutdown 

no fair-queue 

clockrate 2015232 

! 


no ip address 




shutdown 

no fair-queue 


A-6 


Appendix A 



! 


no ip address 




shutdown 

no fair-queue 


! 


no ip address 




shutdown 

no fair-queue 


! 

interface Serial0:23 

description "PRI D channel" 

ip unnumbered Dialer1 





timeout absolute 240 0 

dialer rotary-group 1 

dialer-group 5 


isdn switch-type primary-5ess 

isdn incoming-voice modem 

no fair-queue 

compress stac 

no cdp enable 

! 

interface FastEthernet0 

ip address 172.22.80.3 255.255.255.0 




duplex auto 

speed auto 

! 














no fair-queue 

no cdp enable 




! 

interface Dialer1 


A-7


Appendix A 


no ip address 





no logging event link-statustimeout absolute 240 0 


dialer idle-timeout 300 either 




no fair-queue 

compress stac 

no cdp enable 


ppp multilink 

! 


network 172.22.0.0 

! 

ip local pool default 172.22.83.2 172.22.83.254 


ip classless 



! 



tacacs-server host 172.22.53.204 


snmp-server engineID local 0000000902000050546B87BC 

snmp-server community xxxxxxxxx RO 

snmp-server community xxxxxxxxx RW 


banner login ^CC 

Welcome to maui-nas-03 

Maui-onions Lab 

Learning Rack ISG 

^C 

! 

line con 0 





line 1 192 

session-timeout 15 






refuse-message ^CCCCCCCC!!! All lines are busy, try again later ###^C 

modem InOut 





line aux 0 

line vty 0 4 

! 

end 

A-8 


Appendix A 



A.1.3 Example Server-Based RADIUS NAS Configuration 

The following example of a server-based NAS configuration includes both dial-in and EXEC shell 

access configurations for RADIUS implementations: 

maui-nas-03#show running-config 



maui-nas-03#sh run 



! 

version 12.0 




! 

hostname maui-nas-03 

! 

aaa new-model 

aaa authentication login default group radius local 


aaa authentication ppp default if-needed group radius local 

aaa authorization exec default group radius if-authenticated 



aaa accounting exec default stop-only group radius 

aaa accounting network default start-stop group radius 

! 

username admin privilege 15 password 7 xxxxxxxxxxxxx 

username diallocal access-class 110 password 7 xxxxxxxxxxx 

username diallocal autocommand ppp 

spe 1/0 1/7 


spe 2/0 2/7 


! 

! 

resource-pool disable 

! 

! 

! 

! 

! 

clock timezone CST -6 



no ip domain-lookup 


ip name-server 172.22.53.210 

! 

isdn switch-type primary-ni 

isdn voice-call-failure 0 

partition flash 2 24 8 

! 

! 

! 


framing esf 

clock source line primary 


A-9


Appendix A 


linecode b8zs 

pri-group timeslots 1-24 

! 



! 



! 



! 



! 



! 



! 



! 

! 


ip address 172.22.87.3 255.255.255.255 




! 


ip address 172.22.83.1 255.255.255.0 




! 

interface Ethernet0 

no ip address 




shutdown 

! 


no ip address 





shutdown 

no fair-queue 


! 


no ip address 




shutdown 

no fair-queue 


! 


A-10 


Appendix A 



no ip address 




shutdown 

no fair-queue 


! 


no ip address 




shutdown 

no fair-queue 


! 

interface Serial0:23 

description "PRI D channel" 

ip unnumbered Dialer1 





timeout absolute 240 0 

dialer rotary-group 1 



isdn switch-type primary-5ess 

isdn incoming-voice modem 

no fair-queue 

compress stac 

no cdp enable 

! 

interface FastEthernet0 

ip address 172.22.80.3 255.255.255.0 




duplex auto 

speed auto 

! 














no fair-queue 

no cdp enable 




! 

interface Dialer1 

no ip address 



A-11


Appendix A 





no logging event link-statustimeout absolute 240 0 


dialer idle-timeout 300 either 




no fair-queue 

compress stac 

no cdp enable 


ppp multilink 

! 


network 172.22.0.0 

! 

ip local pool default 172.22.83.2 172.22.83.254 


ip classless 



! 



tacacs-server host 172.22.53.204 


snmp-server engineID local 0000000902000050546B87BC 

snmp-server community xxxxxxxxx RO 

snmp-server community xxxxxxxxx RW 


banner login ^CC 

Welcome to maui-nas-03 

Maui-onions Lab 

Learning Rack ISG 

^C 

! 

line con 0 





line 1 192 

session-timeout 15 






refuse-message ^CCCCCCCC!!! All lines are busy, try again later ###^C 

modem InOut 





line aux 0 

line vty 0 4 

! 

end 

A-12 


Appendix A 


A.2 Router AAA Command Implementation Descriptions 

A.2 Router AAA Command Implementation Descriptions 

Configurations addressed in this section focus on router administration configurations. Router 

administration configurations cause functions to run within the router shell. Examples include 

commands executed from a the router console, commands executed with a VTY connection, and a 

shell-initiated session established using a modem. Each is an example of an EXEC function. Table A-1 

provides commands relevant for a router in a Cisco IOS AAA environment. 

Table A-1 

Cisco IOS Commands Required to Set AAA for a Router 

Cisco IOS Command 

tacacs-server key secret-key 

aaa new-model 

aaa authentication login default group 

tacacs+ 


if-authenticated 


group tacacs+ if-authenticated 

aaa accounting exec default start-stop group 

tacacs+ 

aaa accounting commands 15 default 

stop-only group tacacs+ 

aaa accounting system default stop-only 

group tacacs+ 

ip tacacs source-interface FastEthernet0/0/0 

Description/Application Comment 

Specifies encryption key; must be the same in AAA server. 

Enables AAA. Forces an implicit login authentication default 

against all lines/console interfaces and an implicit 

ppp authentication pap default against all PPP interfaces. 

Causes router to forward all login requests to AAA server. 

Use default list for authorization to verify service=shell attribute is 

assigned to user and download appropriate shell attributes assigned 

in AAA server. 

Use command authorization for privilege level 15 commands that 

must be assigned to router users for successful operation of these 

commands. 

Logs EXEC shell information for user profile in start-stop 

TACACS+ format. 

Sends TACACS+ accounting stop record at the end of a privilege 

level 15 command. 

Performs accounting for all system level events not associated with 

users, such as reloads in stop-start TACACS+ format. 

Specifies this interface IP address for management in the AAA 

server. 


Enables HTTP server access. 

ip http authentication aaa Forces AAA authentication and authorization at privilege level 15. 

tacacs-server host IP-address 

Specifies AAA server. 

A.3 NAS AAA Command Implementation Descriptions 

Configurations addressed in this section focus on AAA withPPP. These configurations differ from 

router administration configurations. PPP is a network level function and is separate from router shell 

functions. You can configure PPP to be initiated automatically or you can initiate PPP with a terminal 

window after dialing in to a NAS. Table A-2 lists commands relevant for a NAS providing PPP access 

a Cisco IOS AAA environment. 

Note 

The following table lists Cisco IOS configuration commands required to support both 

TACACS+ and RADIUS AAA implementations. 


A-13

A.3 NAS AAA Command Implementation Descriptions 

Appendix A 


Table A-2 

Cisco IOS Commands Used to Set AAA with PPP for NAS (RADIUS and TACACS+) 

IOS Command 

aaa new-model 

aaa authentication login default group 

tacacs+ 



group radius 


group tacacs+ 

aaa authorization exec default group radius 







radius if-authenticated 


tacacs+ 

aaa accounting network default start-stop 

group tacacs+ 


radius 

aaa accounting network default start-stop 

group radius 


Enables authentication, authorization, and accounting. Forces an 

implicit login authentication default against all lines/console 

interfaces and an implicit ppp authentication pap default against 

all ppp interfaces. 

Causes router to forward all login requests to a TACACS+ server. 

Causes router to forward all login requests to a RADIUS server. 

Use default list for PPP authentication; the if-needed keyword 

allows clients using “Terminal Window after Dial” option to 

successfully authenticate to RADIUS server and negotiate PPP, 

without using Windows dialup networking username and password 

combination. 

Use default list for PPP authentication; the if-needed keyword 

allows clients using “Terminal Window after Dial” option to 

successfully authenticate to TACACS+ server and negotiate PPP, 

without using Windows dialup networking username and password 

combination. 

Use default list to verify authorization. 

Use default list for authorization to verify service=shell attribute is 

assigned to user and download appropriate shell attributes assigned 


Use default list for authorization to verify service=-ppp attribute is 

assigned to user or group and download appropriate PPP attributes 

assigned in AAA server. Command specifies that authorization is 

only permitted if user or group is properly authenticated through 

TACACS+. 

Use default list for authorization to verify Service-Type=Framed 

attribute is assigned to user or group and download appropriate PPP 

attributes assigned in AAA server. Command specifies that 

authorization is only permitted if user or group is properly 

authenticated through RADIUS. 


TACACS+ format. 

Logs all network related services requests, such as PPP in 

stop-start TACACS+ format. 


RADIUS format. 

Logs all network related services requests, such as PPP in 

stop-start RADIUS format. 

A-14 


Appendix A 


A.4 CiscoSecure for UNIX Configuration Listings 

Table A-2 

Cisco IOS Commands Used to Set AAA with PPP for NAS (RADIUS and TACACS+) 

IOS Command 

tacacs-server host IP-address key secret-key 

radius-server host IP-address auth-port 1645 

acct-port 1646 key secret-keys 


Specifies AAA server. Specifies encryption key; must be the same 


Specifies RADIUS AAA server IP address by using default UDP 

Port 1645 for authentication and authorization and UDP Port 1646 

for accounting. 


This section provides the following listings: 

• A.4.1 CSU.cfg Listing 

• A.4.2 CSConfig.ini Listing 

• A.4.4 listener.ora Listing 

• A.4.3 Oracle User Environment Variable 

For a complete description of AAA server files, go to: 

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx 


A-15


Appendix A 


A.4.1 CSU.cfg Listing 

# cd /opt/ciscosecure/config 

# ls 

CSConfig.ini CSU.cfg CSU.cfg.sav 

# cat CSU.cfg 

LIST config_license_key = {"a73dc113d300a5ba3459"}; 

STRING config_update_log_filename = "/opt/ciscosecure/logfiles/passwd_chg.log"; 

/* store accounting records here when database fails */ 

/* default = /var/log/CSAccountingLog */ 

STRING config_acct_filename = "/var/log/CSAccountingLog"; 

/* AAA Server Metrics */ 

/* default = 0 (disable) */ 

NUMBER config_metrics_enable = 0; /* 1 to enable, 0 to disable */ 

/* default = 8 seconds */ 

NUMBER config_metrics_log_interval = 8; /* in seconds */ 

/* Callerid as Username */ 

/* default = 1 (enable) */ 

NUMBER config_callerid_enable = 1; /* 1 to enable, 0 to disable */ 

/* Use default user profile when user/callerid can't be found */ 


NUMBER config_defaultuser_enable = 1; /* 1 to enable, 0 to disable */ 

/* AAA Server MaxSessions Configuration */ 


NUMBER config_maxsessions_enable = 0; /* 1 to enable, 0 to disable */ 

/* default = 24 hours */ 

NUMBER config_maxsessions_session_timeout = 1440; /* in minutes */ 

/* default = 60 minutes */ 

NUMBER config_maxsessions_purge_interval = 60; /* in minutes */ 

/* AAA Server Distributed MaxSessions Configuration */ 


NUMBER config_distmaxsessions_enable = 0; /* 1 to enable, 0 to disable */ 

/* default = 0 (disabled) */ 

NUMBER config_dms_periodic_stats_interval = 0; /* 0 to disable, otherwise inte 

rval in seconds */ 

/* Cryptocard challenge lookahead */ 

/* default = 0, which is same as 1, do only 1 challenge, don't look ahead */ 

/* the maximum number of challenge look ahead is 20 */ 

NUMBER config_cryptocard_challenge_lookahead = 0; 

/* Group Profile Cache Timeout; 0 == no timeout */ 

/* default = 5 seconds */ 

NUMBER config_cache_group_timeout = 5; /* in seconds */ 

/* Per-user accounting function */ 


NUMBER config_acct_fn_enable = 1; /* 1 to enable, 0 to disable */ 

/* Extended Radius support */ 

NUMBER config_hex_string_support_enable = 0; /* 1 to enable, 0 to disable */ 

STRING config_server_ip_address = "172.23.25.41"; 

NUMBER config_token_cache_absolute_timeout = 86400; 

NUMBER config_system_logging_level = 0x80; 

NUMBER config_logging_configuration = 0xffffffff; 

NUMBER config_warning_period = 20; 

NUMBER config_expiry_period = 60; 

A-16 


Appendix A 



NUMBER config_local_timezone = -8; /* set this for your timezone */ 

NUMBER config_use_host_timezone = 0; 

/* set value to 1 to always use system time 

*/ 

NUMBER config_record_write_frequency = 5; /* update frequency in seconds */ 

NUMBER config_max_failed_authentication = 10; /* nmbr of authen fails accepted * 

/ 

/* before account is disabled. * 

/ 

NAS config_nas_config = { 

{ 

"", /* NAS name can go here */ 

"ciscorules", /* NAS/CiscoSecure secret key */ 

"", /* message_catalogue_filename */ 

1, /* username retries */ 

2, /* password retries */ 

1 /* trusted NAS for SENDPASS */ 

} 

}; 

AUTHEN config_external_authen_symbols = { 

{ 

"./libskey.so", 

"skey" 

} 

, 

{ 

"./libpap.so", 

"pap" 

} 

, 

{ 

"./libchap.so", 

"chap" 

} 

, 

{ 

"./libarap.so", 

"arap" 

} 

}; 

AUTHOR config_external_author_symbols = { 

{ 

"./libargs.so", 

"process_input_arguments", 

"process_input_arguments_ok", 

"process_input_arguments_fail", 

"process_output_arguments", 

"process_output_arguments_ok", 

"process_output_arguments_fail" 

} 

}; 

/* 

* Sample of pre/post process configuration. 

* 

AUTHOR config_external_author_symbols = { 

{ 

"./libcustomerprovided.so", 

"customer_function" 

} 

}; 

* 


A-17


Appendix A 


* end sample 

*/ 

ACCT config_external_acct_symbols = { 

{ 

"./libacctmember.so", 

"acct_member_fn" 

} 

}; 

ADMIN config_external_admin_symbols = { 

"./libadmin.so" 

}; 

DB config_external_database_symbols = { 

{ 

"./libdb.so", 

"", 

"" 

} 

}; 

PARSER config_external_parser_symbols = { 

"./libt+.so" 

}; 

EVENT config_external_event_symbols = { 

{ 

"./libdb.so", 

"", 

"" 

} 

}; 

DMS config_external_dms_symbols = { 

"./libCiscoDMS.so" 

}; 

# 

# 

A-18 


Appendix A 



A.4.2 CSConfig.ini Listing 

# 

#cat CSConfig.ini 

############################################################ 

# 

# $Archive: $ 

# 

# (C) Copyright 1996 Cisco Systems. All rights reserved. 

# 

# This is CiscoSecure DBServer main initialization file. 

# 

# $Log: $ 

# 

# $NoKeyWords: $ 

# 

############################################################ 

; 

; 1 2 3 4 5 6 7 8 

;2345678901234567890123456789012345678901234567890123456789012345678901234567890 

; 

;------------------------------------------------------------------------------- 

[System] 

; Location where the system is installed 

RootDir=/opt/ciscosecure 

; Location of the default profile (default= $RootDir/config/DefaultProfile) 

DefaultProfile=/opt/ciscosecure/config/DefaultProfile 

;------------------------------------------------------------------------------- 

[System Error] 

SysErrorFileDir = /opt/ciscosecure/logfiles 

; DBServer gets the default path for System error handler here 

; if it was not specified at command line with option 

; [-LOGPATH path] when starting the DBServer deamon. 

; DBServer must have sufficient access privilege to create this 

: path and the log file if it does not already exist. 

; log levels are 1 thru 10 where Minor=1, Moderate=5, Severe=8, Catastrophic=10 

; (note: Catastrophic errors will shutdown the daemon) 

MinLogLevel = 8 

;------------------------------------------------------------------------------- 

[SessionMgr] 

; Session Manager configurables, purge interval is in minutes 

MaxSessions=1000 

PurgeInterval=60 

;------------------------------------------------------------------------------- 

[AccountingMgr] 

;If this parameter=enable then log acct packets into cs_accounting_log database 

table 

LogRawAccountingPacketToDB = enable 

;If we are logging accounting records then this parameter decides whether to buffer the 

records 

; in memory and then save them to the database using a background process. Enabl 

ing this will 

; increase burst authentication performance. 

;If enabled the DBServer will create enough buffers to match the value of 2 less 

than 

; the number of database connections available. 


A-19


Appendix A 


; NOTE: There is a risk of losing records that are in memory in the event of the 

DBServer going 

; down ungracefully. 

BufferAccountingPackets = enable 

;This parameter decides the size of each accounting packet buffer. Legal values 

are from 5 to 1000 

AccountingBufferSize = 500 

; if parameter=enable then dbserver will process user max session info and save 

in memory, 

; if disabled then ArchiveMaxSessionInfoToDB will also be disabled. 

ProcessInMemoryMaxSessionInfo = enable 

; If this parameter=enable then log user max session info into cs_user_accounting 

database table 

; Note that if the BufferAccountingPackets parameter is enabled AND 

ProcessInMemoryMaxSessionInfo 

; is enabled then max session info records will be buffered as well. 

ArchiveMaxSessionInfoToDB = enable 

; This is how often (in minutes) the system checks for accounting sessions to 

; purge. 

; NOTE: The purge interval is actually dependant upon a system background task 

; that is not guaranteed to run more frequently than 60 minutes. This 

; value is therefore not accurate to the minute and should not be set to 

; less than 60. 

AcctPurgeInterval=60 

; This is how long (in minutes) a session can be considered 

; active before it is purged. 

; NOTE: This value is dependent on the AcctPurgeInterval setting and is not 

; accurate to the minute. It is not intended to be set to less than 60. 

AcctPurgeTimeOut=1440 

;------------------------------------------------------------------------------- 

[DBServer] 

DBServerName = CSdbServer 

Protocol=TCP 

MaxPacketSize = 4096 

; Each DBServer process should have it's own unique name. 

; Do not put the hostname here in case more than one instance 

; of the DBServer is running on the same machine 

;The following is for internal use only by the DBServer 

;Date format expected from the client application such as the GUI, 

;to be used for parsing date/time string. The dbserver will reject 

;inputs that contains other date/time format. This format will also 

;be used to return date/time strings. 

;Examples, "d MMM yyyy" => "12 Feb 1997", "EEE MMM d hh:mm:ss z yyyy" => "Tue Ap 

r 1 09:26:55 PST 1997" 

DateFormat = "d MMM yyyy" 

DateTimeFormat = "EEE MMM d hh:mm:ss z yyyy" 

;------------------------------------------------------------------------------- 

[ValidClients] 

100 = sleddog 

; Add list of trusted clients above ^^^^ in the format: 

; ClientID = Client's Host Name 

; CGI stub's clientID=100, and it's host name 

; For example 100 = localhost or 100 = 192.92.182.2 

; 101 = 192.92.190.5 

; 

A-20 


Appendix A 



;if ValidateClients=true, then we only allow the clients with ids listed 

;above to connect to the dbserver 

ValidateClients = false 

;if FastAdminValidateClients = true, then we only allow the clients with ids 

;listed below to connect to the FastAdmin 

FastAdminValidateClients = false 

;------------------------------------------------------------------------------- 

[Protocol TCP] 

HostName = sleddog 

Port = 9900 

; Name of host server 

; Daemon port number 

;Port=5001 

;------------------------------------------------------------------------------- 

[Workers Pool] 

; Maximum numbers of connection workers in pool, beyond which 

; newly added workers will be ignored (or deleted). 

MaxInPool=50 

;------------------------------------------------------------------------------- 

[Database] 

DataSource = ORACLE 

DriverType = JDBC-Weblogic-Oracle 

; Specify the rdbms installed and the driver type 

; (ODBC or JDBC) that interfaces with the rdbms. 

; Driver=ODBC or Driver=JDBC, then go to the [ODBC] 

; or [JDBC] section to fill in the URL info. 

# Oracle with ODBC 

;DataSource = ORACLE 

;DriverType = ODBC-Visigenic-Oracle 

# Oracle with JDBC 

;DataSource = ORACLE 

;DriverType = JDBC-Weblogic-Oracle 

# SQLAnywhere with ODBC 

;DataSource = SQLAnywhere 

;DriverType = ODBC-SQLAnywhere 

# Sybase with ODBC 

;DataSource = SYBASE 

;DriverType = ODBC-Visigenic-Sybase 

# Sybase with JDBC 

;DataSource = SYBASE 

;DriverType = JDBC-Weblogic-Sybase 

# Test with some other DB that we did not qualify 

;DataSource = OtherDB 

;DriverType = ODBC-Visigenic 

# names of data dictionary 

ProfileAttr = cs_profile_attr_dict 

ProfileCol = cs_profile_col_dict 

UserAcct = cs_user_account_attr_dict 

;------------------------------------------------------------------------------- 

[SQLAnywhere] 

;this is the bundle database 

ConnectionLicense = 12 


A-21


Appendix A 


Username = DBA 

Password = SQL 

;------------------------------------------------------------------------------- 

[OtherDB] 

;number of open connections allowed to the data source(based on db license) 


Username = csecure 

Password = csecure 

;------------------------------------------------------------------------------- 

[ORACLE] 


ConnectionLicense=4 



;------------------------------------------------------------------------------- 

[SYBASE] 





;------------------------------------------------------------------------------- 

[ODBC-SQLAnywhere] 

;ODBC driver information 

Manager = sun.jdbc.odbc.JdbcOdbcDriver 

Driver = jdbc:odbc:SQLAnywhere;ENG=csecure;DBF=;Start="dbeng50 -u 

d" 

;Property below is required for internal use only: connection usage property 

PrepareStatement = 0 

;------------------------------------------------------------------------------- 

[ODBC-Visigenic-Oracle] 



Driver = jdbc:odbc:Oracle 



;------------------------------------------------------------------------------- 

[ODBC-Visigenic-Sybase] 



Driver = jdbc:odbc:SybaseDBLib 



;------------------------------------------------------------------------------- 

[JDBC-Weblogic-Oracle] 

;JDBC driver information 

Manager=cisco.ciscosecure.dbserver.jdbc.WeblogicOciDriverManager 

Driver=jdbc:weblogic:oracle:ciscosj 



;------------------------------------------------------------------------------- 

[JDBC-Weblogic-Sybase] 

;JDBC driver information 

Manager=cisco.ciscosecure.dbserver.jdbc.WeblogicDBLibDriverManager 

Driver=jdbc:weblogic:sybase 



A-22 


Appendix A 



;------------------------------------------------------------------------------- 

[ProfileCaching] 

EnableProfileCaching = OFF 

;Polling period in minutes for cs_trans_log table 

; Interval in seconds can be specified by fraction. 

; For example, '5/60' denotes 5 seconds and '1 1/2' denotes 90 seconds. 

; Setting to 0 disbles polling. 

DBPollInterval = 30 

;------------------------------------------------------------------------------- 

A.4.3 Oracle User Environment Variable 

#su - oracle 

Sun Microsystems Inc. SunOS 5.5.1 Generic May 1996 

$env 

HOME=/export/home/oracle 

HZ=100 

LD_LIBRARY_PATH=/opt/oracle/product/7.3.4/lib:/usr/openwin/lib:/usr/dt/lib:/usr/ 

lib 

LOGNAME=oracle 

ORACLE_DOC=/doc 

ORACLE_HOME=/opt/oracle/product/7.3.4 

ORACLE_SID=ciscosj 

ORACLE_TERM=xsun5 

ORAENV_ASK=NO 

PATH=/usr/bin::/opt/oracle/product/7.3.4:/opt/oracle/product/7.3.4/bin:/usr/ccs/ 

bin: 

SHELL=/bin/sh 

TERM=ansi 

TMPDIR=/var/tmp 

TNS_ADMIN=/opt/oracle/product/7.3.4/network/admin 

TZ=GMT-8 


A-23


Appendix A 


A.4.4 listener.ora Listing 

$cd $ORACLE_HOME/ 

$ls 

bin jdbc nlsrtl3 orainst precomp sqlplus 

book22 lib ocommon otrace rdbms svrmgr 

dbs network oracore3 plsql slax 

$cd network/admin 

$ls 

csmgen.tcl listener.ora tcl7.4 tnsnames.ora 

csmman.man sqlnet.fdf tk4.0 

$cat listener.ora 

# 

# Installation Generated Net V2 Configuration 

# Version Date: Sep-16-97 

# Filename: Listener.ora 

# 

LISTENER = 

(ADDRESS_LIST = 

(ADDRESS= (PROTOCOL= IPC)(KEY= ciscosj)) 

(ADDRESS= (PROTOCOL= IPC)(KEY= PNPKEY)) 

(ADDRESS= (PROTOCOL= TCP)(Host= sleddog)(Port= 1521)) 

) 

SID_LIST_LISTENER = 

(SID_LIST = 

(SID_DESC = 

(GLOBAL_DBNAME= sleddog.) 

(ORACLE_HOME= /opt/oracle/product/7.3.4) 

(SID_NAME = ciscosj) 

) 

) 

STARTUP_WAIT_TIME_LISTENER = 0 

CONNECT_TIMEOUT_LISTENER = 10 

TRACE_LEVEL_LISTENER = OFF 

$ls 

csmgen.tcl listener.ora tcl7.4 tnsnames.ora 

csmman.man sqlnet.fdf tk4.0 

$cat tnsnames.ora 

# 

# Installation Generated NetV2 Configuration 

# Version Date: Sep-30-97 

# Filename: Tnsnames.ora 

# 

ciscosj = 

(DESCRIPTION = 

(ADDRESS = (PROTOCOL= TCP)(Host= sleddog)(Port= 1521)) 

(CONNECT_DATA = (SID = ciscosj)) 

) 

A-24 


Appendix A 


A.5 CiscoSecure Log Files 


$CSUBASE/logfiles/cs_install.log 

$CSUBASE/logfiles/cs_shutdown.log 

$CSUBASE/logfiles/cs_startup.log 

$CSUBASE/logfiles/csdblog_ 

$CSUBASE/logfiles/passwd_chg.log 

$CSUBASE/ns-home/CSUServer/logs/access 

$CSUBASE/ns-home/CSUServer/logs/errors 

$CSUBASE/ns-home/admserver/errors 

$CSUBASE/ns-home/admserver/access 

$CSUBASE/ns-home-httpd-csuserver/logs 


A-25


Appendix A 


A-26 


APPENDIX 

B 

AAA Impact on Maintenance Tasks 

Most BootFlash images do not recognize all Cisco IOS aaa commands. As a result, invoking a 

BootFlash image can lead to a password recovery situation unless the Cisco IOS fragments listed in this 

appendix are used to disable AAA. One example of a situation requiring the inclusion of this 

configuration is a software image upgrade for a Cisco AS5200 access server. 

Include the following Cisco IOS commands to disable AAA authentication and authorization on the 

console and VTY ports of a NAS: 




line con 0 




line vty 0 4 




Note 

Refer to “4.6 Implementing Server-Based TACACS+ Router Authorization” for related 

implementation information. 


B-1

Appendix B 

AAA Impact on Maintenance Tasks 

B-2 


APPENDIX 

C 

Server-Based AAA Verification Diagnostic 

Output 

This appendix is organized into the following sections: 

• C.1 Server-Based TACACS+ Dialup Authentication Diagnostics 

• C.2 Server-Based TACACS+ Dialup Authorization Diagnostics 

• C.3 Server-Based RADIUS Dialup Authentication Diagnostics 

• C.4 Server-Based RADIUS Dialup Authorization Diagnostics 

• C.5 Server-Based TACACS+ Router Authentication Diagnostics 

• C.6 Server-Based TACACS+ Router Authorization Diagnostics 

Diagnostic examples present captured output from debug command (router) and tail command (AAA 

server) listings. 

Note 

Output fragments provided here are excerpted from the applicable debug command output 

or AAA server csuslog file—unless otherwise noted. Diagnostic content is gathered from 

the AAA server by using the tail -f /var/log/csuslog command. Pertinent portions of 

output are included as fragments of complete listings. 

C.1 Server-Based TACACS+ Dialup Authentication Diagnostics 

The following test results for “4.1 Implementing Server-Based TACACS+ Dialup Authentication” 

provide relevant NAS and AAA server log output: 

1. Authentication login is successful for user tac_dial. 

2. PAP authentication request for user tac_dial. 

3. Creation of user tac_dial, service=ppp. 

4. Authentication PASS received from AAA server. 

Note 

Use these debug commands: debug aaa authentication and 

debug ppp authentication. 


C-1

C.2 Server-Based TACACS+ Dialup Authorization Diagnostics 

Appendix C 

Server-Based AAA Verification Diagnostic Output 


authentication process. Specific output fragments are differentiated with brief explanatory notes to help 


Note 


1. Authentication login is successful for user tac_dial. 

AAA server csuslog output: 

Feb 4 10:40:13 coachella CiscoSecure: DEBUG - AUTHENTICATION START request 

(8d2d325f) 

Feb 4 10:40:13 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; 

[NAS = 172.22.63.1, Port = Async3, User = tac_dial, Priv = 1] 

2. PAP authentication request for user tac_dial. 


113288: Feb 4 10:40:13.696 CST: As3 PAP: I AUTH-REQ id 1 len 23 from "tac_dial" 

113289: Feb 4 10:40:13.696 CST: As3 PAP: Authenticating peer tac_dial 

3. Creation of user tac_dial, service=ppp. 


113290: Feb 4 10:40:13.696 CST: AAA: parse name=Async3 idb type=10 tty=3 

113291: Feb 4 10:40:13.696 CST: AAA: name=Async3 flags=0x11 type=4 shelf=0 slot=0 


113292: Feb 4 10:40:13.696 CST: AAA: parse name=Serial0:4 idb type=12 tty=-1 

113293: Feb 4 10:40:13.696 CST: AAA: name=Serial0:4 flags=0x51 type=1 shelf=0 slot=0 


113294: Feb 4 10:40:13.696 CST: AAA/MEMORY: create_user (0x61E09254) user='tac_dial' 

ruser='' port='Async3' rem_addr='async/81560' authen_type=PAP service=PPP priv=1 

113295: Feb 4 10:40:13.696 CST: AAA/AUTHEN/START (2368549471): port='Async3' list='' 

action=LOGIN service=PPP 

4. Authentication PASS received from AAA server. 



113297: Feb 4 10:40:13.696 CST: AAA/AUTHEN (2368549471): status = UNKNOWN 

113298: Feb 4 10:40:13.696 CST: AAA/AUTHEN/START (2368549471): Method=tacacs+ 

(tacacs+) 

113299: Feb 4 10:40:13.696 CST: TAC+: send AUTHEN/START packet ver=193 id=2368549471 

113300: Feb 4 10:40:13.900 CST: TAC+: ver=193 id=2368549471 received AUTHEN status = 

PASS 


The following test results for “4.2 Implementing Server-Based TACACS+ Dialup Authorization” 

provide relevant NAS and AAA server log output: 

1. User dialtest is authorized EXEC shell access to the NAS. 

2. User dialtest starts PPP from the shell and is assigned the addr-pool=default and inacl=110 AVPs. 

3. User dialtest is authorized EXEC shell access to NAS. 

4. User dialtest is assigned the addr-pool=default AVP through network authorization. 

C-2 


Appendix C 



5. User dialtest is assigned the inacl=110 AVP through network authorization. 

6. User dialtest starts PPP and is assigned the addr-pool=default and inacl=110AVPs. 

Note 

Use this debug command: debug aaa authorization. 




Note 


1. User dialtest is authorized EXEC shell access to the NAS. 


Apr 6 15:48:06 sleddog CiscoSecure: DEBUG - AUTHORIZATION request (365f23d3) 

Apr 6 15:48:06 sleddog CiscoSecure: DEBUG - Authorization - Request authorized; [NAS 

= 172.23.84.35, user = dialtest, port = tty8, input: service=shell cmd* output: ] 

2. User dialtest starts PPP from the shell and is assigned the addr-pool=default and inacl=110 AVPs. 


Apr 6 15:48:07 sleddog CiscoSecure: DEBUG - AUTHORIZATION request (74e5f744) 


= 172.23.84.35, user = dialtest, port = tty8, input: service=ppp protocol=ip 

addr-pool*default output: inacl=110] 

Apr 6 15:48:13 sleddog CiscoSecure: DEBUG - AUTHORIZATION request (78655fcd) 


= 172.23.84.35, user = dialtest, port = tty8, input: service=ppp protocol=lcp output: 

] 

Apr 6 15:48:13 sleddog CiscoSecure: DEBUG - AUTHORIZATION request (cae30c69) 


= 172.23.84.35, user = dialtest, port = tty8, input: service=ppp protocol=ip output: 

addr-pool=default inacl=110] 

3. User dialtest is authorized EXEC shell access to NAS. 


*Apr 6 00:12:29.932: As8 AAA/AUTHOR/EXEC (912204755): Port='tty8' list='' 

service=EXEC 

*Apr 6 00:12:29.932: AAA/AUTHOR/EXEC: As8 (912204755) user='dialtest' 

*Apr 6 00:12:29.932: As8 AAA/AUTHOR/EXEC (912204755): send AV service=shell 

*Apr 6 00:12:29.932: As8 AAA/AUTHOR/EXEC (912204755): send AV cmd* 

*Apr 6 00:12:29.932: As8 AAA/AUTHOR/EXEC (912204755): found list "default" 

*Apr 6 00:12:29.932: As8 AAA/AUTHOR/EXEC (912204755): Method=tacacs+ (tacacs+) 

*Apr 6 00:12:29.932: AAA/AUTHOR/TAC+: (912204755): user=dialtest 

*Apr 6 00:12:29.932: AAA/AUTHOR/TAC+: (912204755): send AV service=shell 

*Apr 6 00:12:29.932: AAA/AUTHOR/TAC+: (912204755): send AV cmd* 

*Apr 6 00:12:30.136: As8 AAA/AUTHOR (912204755): Post authorization status = 

PASS_ADD 


C-3

C.3 Server-Based RADIUS Dialup Authentication Diagnostics 

Appendix C 


4. User dialtest is assigned the addr-pool=default AVP through network authorization. 


*Apr 6 00:12:31.480: AAA/AUTHOR/PPP: As8 (1961228100) user='dialtest' 

*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): send AV service=ppp 

*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): send AV protocol=ip 

*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): send AV addr-pool*default 

*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): found list "default" 

*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): Method=tacacs+ (tacacs+) 

*Apr 6 00:12:31.480: AAA/AUTHOR/TAC+: (1961228100): user=dialtest 

*Apr 6 00:12:31.480: AAA/AUTHOR/TAC+: (1961228100): send AV service=ppp 

*Apr 6 00:12:31.480: AAA/AUTHOR/TAC+: (1961228100): send AV protocol=ip 

*Apr 6 00:12:31.480: AAA/AUTHOR/TAC+: (1961228100): send AV addr-pool*default 

*Apr 6 00:12:31.684: As8 AAA/AUTHOR (1961228100): Post authorization status = 

PASS_ADD 

5. User dialtest is assigned the inacl=110 AVP through network authorization. 


*Apr 6 00:12:31.684: AAA/AUTHOR/Async8: PPP: Processing AV service=ppp 

*Apr 6 00:12:31.684: AAA/AUTHOR/Async8: PPP: Processing AV protocol=ip 

*Apr 6 00:12:31.684: AAA/AUTHOR/Async8: PPP: Processing AV addr-pool*default 

*Apr 6 00:12:31.684: AAA/AUTHOR/Async8: PPP: Processing AV inacl=110 

6. User dialtest starts PPP and is assigned the addr-pool=default and inacl=110 AVPs. 


*Apr 6 00:33:05.860: As9 AAA/AUTHOR/IPCP: Says use pool default 

*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Pool returned 172.23.25.37 

*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV service=ppp 

*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV protocol=ip 

*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV addr-pool=default 

*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV inacl=110 

*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV addr*172.23.25.37 

*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Authorization succeeded 

C.3 Server-Based RADIUS Dialup Authentication Diagnostics 

The following test results for “4.3 Implementing Server-Based RADIUS Dialup Authentication” 

provide relevant NAS output: 

1. User rad_dial successfully passes authentication on port Async 5). 

2. User rad_dial successfully passes authentication. 

Note 

Use these debug commands: debug aaa authentication and debug ppp 

authentication. 


authentication process. Specific output fragments are differentiated with brief explanatory notes to help 

identify relevant information. 

C-4 


Appendix C 


C.4 Server-Based RADIUS Dialup Authorization Diagnostics 

Note 


1. User rad_dial successfully passes authentication on port Async 5). 


00:38:42: AAA/MEMORY: create_user (0x61619F48) user='rad_dial' ruser='' port='Async5' 

rem_addr='65004/65301' authen_type=PAP service=PPP priv=1 

00:38:42: AAA/AUTHEN/START (3896270890): port='Async5' list='' action=LOGIN 

service=PPP 

00:38:42: AAA/AUTHEN/START (3896270890): using "default" list 

00:38:42: AAA/AUTHEN (3896270890): status = UNKNOWN 

00:38:42: AAA/AUTHEN/START (3896270890): Method=radius (radius) 

00:38:42: AAA/AUTHEN (3896270890): status = PASS 

2. User rad_dial successfully passes authentication. 


Apr 6 16:18:19 danvers CiscoSecure: INFO - Profile: user = rad_dial { 

Apr 6 16:18:19 danvers set server current-failed-logins = 0 

Apr 6 16:18:19 danvers profile_cycle = 9 


The following test results for “4.4 Implementing Server-Based RADIUS Dialup Authorization” provide 

relevant NAS server log output: 

1. User rad_dial is authorized for protocol=lcp. 

2. User rad_dial is authorized for IPCP. 

3. Input access-list is verified as 110 while the output access-list is shown as not set. 

Note 

Use these commands: debug aaa authorization and show caller user rad_dial 

detail. 


authorization process. Specific output fragments are differentiated with brief explanatory notes to you 

identify relevant information. 


C-5


Appendix C 


Note 


1. User rad_dial is authorized for protocol=lcp. 


01:02:17: AAA/MEMORY: create_user (0x61504AC4) user='rad_dial' ruser='' port='As 

ync6' rem_addr='65004/65301' authen_type=PAP service=PPP priv=1 

01:02:17: As6 AAA/AUTHOR/LCP: Authorize LCP 

01:02:17: As6 AAA/AUTHOR/LCP (3341570658): Port='Async6' list='' service=NET 

01:02:17: AAA/AUTHOR/LCP: As6 (3341570658) user='rad_dial' 

01:02:17: As6 AAA/AUTHOR/LCP (3341570658): send AV service=ppp 

01:02:17: As6 AAA/AUTHOR/LCP (3341570658): send AV protocol=lcp 

01:02:17: As6 AAA/AUTHOR/LCP (3341570658): found list "default" 

01:02:17: As6 AAA/AUTHOR/LCP (3341570658): Method=radius (radius) 


2. User rad_dial is authorized for IPCP. 


01:02:17: As6 AAA/AUTHOR/LCP: Processing AV service=ppp 

01:02:17: As6 AAA/AUTHOR/FSM: (0): Can we start IPCP? 

01:02:17: As6 AAA/AUTHOR/FSM (2347737596): Port='Async6' list='' service=NET 

01:02:17: AAA/AUTHOR/FSM: As6 (2347737596) user='rad_dial' 

01:02:17: As6 AAA/AUTHOR/FSM (2347737596): send AV service=ppp 

01:02:17: As6 AAA/AUTHOR/FSM (2347737596): send AV protocol=ip 

01:02:17: As6 AAA/AUTHOR/FSM (2347737596): found list "default" 

01:02:17: As6 AAA/AUTHOR/FSM (2347737596): Method=radius (radius) 


01:02:17: As6 AAA/AUTHOR/FSM: We can start IPCP 

01:02:17: As6 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 172.22.83.5 

01:02:17: As6 AAA/AUTHOR/IPCP: Processing AV service=ppp 

01:02:17: As6 AAA/AUTHOR/IPCP: Processing AV inacl=110 

01:02:17: As6 AAA/AUTHOR/IPCP: Authorization succeeded 

01:02:17: As6 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 172.22.83.5 

01:02:18: As6 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 172.22.83.5 

01:02:18: As6 AAA/AUTHOR/IPCP: Processing AV service=ppp 

01:02:18: As6 AAA/AUTHOR/IPCP: Processing AV inacl=110 

01:02:18: As6 AAA/AUTHOR/IPCP: Authorization succeeded 

01:02:18: As6 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 172.22.83.5 

01:02:18: As6 AAA/AUTHOR/IPCP: Start. Her address 172.22.83.5, we want 172.22.8 3.5 

3. Input access-list is verified as 110 while the output access-list is shown as not set. 

C-6 


Appendix C 


C.5 Server-Based TACACS+ Router Authentication Diagnostics 

Output from show caller user rad_dial detail from NAS: 

User: rad_dial, line tty 116, service Async 


Timeouts: Absolute Idle Idle 

Session Exec 

Limits: 04:00:00 - 00:48:00 

Disconnect in: 03:58:30 - - 

TTY: Line 116, running PPP on As116 

Location: PPP: 172.22.83.37 

DS0: (slot/unit/channel)=0/0/20 

Line: Baud rate (TX/RX) is 115200/115200, no parity, 1 stopbits, 8 databits 

Status: Ready, Active, No Exit Banner, Async Interface Active 

HW PPP Support Active, Modem Detected 

Capabilities: Hardware Flowcontrol In, Hardware Flowcontrol Out 

Modem Callout, Modem RI is CD, 

Line usable as async interface, Modem Autoconfigure 

Integrated Modem 

Modem State: Ready, Modem Configured 

User: rad_dial, line As116, service PPP 


Timeouts: 

Absolute Idle 

Limits: - - 

Disconnect in: - - 

PPP: LCP Open, PAP ( peer, ACCM, AuthProto, MagicNumber, PCompression, ACCompression 

C.5 Server-Based TACACS+ Router Authentication Diagnostics 

Appendix C 



Feb 24 11:10:27.101 CST: AAA/MEMORY: create_user (0x61F74900) user='' ruser='' 


Feb 24 11:10:27.101 CST: AAA/AUTHEN/START (2925282821): port='tty2' list='' 


Feb 24 11:10:27.101 CST: AAA/AUTHEN/START (2925282821): using "default" list 

Feb 24 11:10:27.101 CST: AAA/AUTHEN/START (2925282821): Method=tacacs+ (tacacs+) 

Feb 24 11:10:27.105 CST: TAC+: send AUTHEN/START packet ver=192 id=2925282821 

Feb 24 11:10:27.305 CST: TAC+: ver=192 id=2925282821 received AUTHEN status = GETUSER 

Feb 24 11:10:27.305 CST: AAA/AUTHEN (2925282821): status = GETUSER 

Feb 24 11:10:30.549 CST: AAA/AUTHEN/CONT (2925282821): continue_login 

(user='(undef)') 

Feb 24 11:10:30.549 CST: AAA/AUTHEN (2925282821): status = GETUSER 

Feb 24 11:10:30.549 CST: AAA/AUTHEN (2925282821): Method=tacacs+ (tacacs+) 

Feb 24 11:10:30.549 CST: TAC+: send AUTHEN/CONT packet id=2925282821 

Feb 24 11:10:30.749 CST: TAC+: ver=192 id=2925282821 received AUTHEN status = GETPASS 

Feb 24 11:10:30.749 CST: AAA/AUTHEN (2925282821): status = GETPASS 

Feb 24 11:10:33.981 CST: AAA/AUTHEN/CONT (2925282821): continue_login 

(user='rtr_test') 

Feb 24 11:10:33.981 CST: AAA/AUTHEN (2925282821): status = GETPASS 

Feb 24 11:10:33.981 CST: AAA/AUTHEN (2925282821): Method=tacacs+ (tacacs+) 

Feb 24 11:10:33.981 CST: TAC+: send AUTHEN/CONT packet id=2925282821 

Feb 24 11:10:34.181 CST: TAC+: ver=192 id=2925282821 received AUTHEN status = PASS 

Feb 24 11:10:34.181 CST: AAA/AUTHEN (2925282821): status = PASS 

Feb 24 11:10:34.381 CST: TAC+: (2248458861): received author response status = 

PASS_ADD 

2. User rtr_test successfully logs in. 



[NAS = 172.22.255.3, Port = tty2, User = rtr_test, Priv = 1 

C-8 


Appendix C 


C.6 Server-Based TACACS+ Router Authorization Diagnostics 


The following test results illustrate three separate user types as described in “4.6 Implementing 

Server-Based TACACS+ Router Authorization”, belonging to three separate user groups: rtr_low, 

rtr_tech, andrtr_super. The example output is provided in the following sections: 

• C.6.1 Test Results for rtr_low Group 

• C.6.2 Test Results for rtr_tech Group 

• C.6.3 Test Results for rtr_super Group 

Note 

Use this debug command: debug aaa authorization. 

C.6.1 Test Results for rtr_low Group 

Test results follow for each Cisco IOS command summarized in Table 4-1, including relevant router 

output and AAA server log output: 

1. User rtr_dweeb is authorized EXEC shell access. 

2. User rtr_dweeb enters enable mode. 

3. User rtr_dweeb fails debug all command. 

4. User rtr_dweeb fails debug ip packet command. 

5. User rtr_dweeb fails clear ip cache command. 

6. User rtr_dweeb fails reload command. 

7. User rtr_dweeb fails show running-config command. 

8. User rtr_dweeb fails write terminal command. 

9. User rtr_dweeb fails copy running-config startup-config command. 

10. User rtr_dweeb fails write memory command. 

11. User rtr_dweeb fails configure terminal command. 





C-9


Appendix C 


Note 


1. User rtr_dweeb is authorized EXEC shell access. 


Feb 18 11:44:36.115 CST: AAA/MEMORY: create_user (0x61F883B4) user='' ruser='' p 

ort='tty3' rem_addr='172.22.53.201' authen_type=ASCII service=LOGIN priv=1 

Feb 18 11:44:42.135 CST: tty3 AAA/AUTHOR/EXEC (1279405337): Port='tty3' 

list=''service=EXEC 

Feb 18 11:44:42.135 CST: AAA/AUTHOR/EXEC: tty3 (1279405337) user='rtr_dweeb' 

Feb 18 11:44:42.135 CST: tty3 AAA/AUTHOR/EXEC (1279405337): send AV service=shell 

Feb 18 11:44:42.135 CST: tty3 AAA/AUTHOR/EXEC (1279405337): send AV cmd* 

Feb 18 11:44:42.135 CST: tty3 AAA/AUTHOR/EXEC (1279405337): found list "default" 

Feb 18 11:44:42.135 CST: tty3 AAA/AUTHOR/EXEC (1279405337): Method=tacacs+ (tacacs+) 

Feb 18 11:44:42.135 CST: AAA/AUTHOR/TAC+: (1279405337): user=rtr_dweeb 

Feb 18 11:44:42.135 CST: AAA/AUTHOR/TAC+: (1279405337): send AV service=shell 

Feb 18 11:44:42.135 CST: AAA/AUTHOR/TAC+: (1279405337): send AV cmd* 

Feb 18 11:44:42.335 CST: AAA/AUTHOR (1279405337): Post authorization status = 

PASS_ADD 

Feb 18 11:44:42.335 CST: AAA/AUTHOR/EXEC: Authorization successful 



[NAS = 172.22.255.3, Port = tty3, User = rtr_dweeb, Priv = 1] 

Feb 18 11:44:41 coachella CiscoSecure: DEBUG - 

Feb 18 11:44:42 coachella CiscoSecure: DEBUG - AUTHORIZATION request (4c422d19) 

Feb 18 11:44:42 coachella CiscoSecure: DEBUG - Authorization - Request authorized; 

[NAS = 172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd* output: 

] 

2. User rtr_dweeb enters enable mode. 


Feb 18 11:44:45.651 CST: AAA/MEMORY: free_user (0x61CC44D4) user='' ruser='' 

port='tty3' rem_addr='172.22.53.201' authen_type=ASCII service=ENABLE priv=15 

3. User rtr_dweeb fails debug all command. 


Feb 18 11:44:49.875 CST: tty3 AAA/AUTHOR/CMD (2800178490): Port='tty3' list='' 

service=CMD 

Feb 18 11:44:49.875 CST: AAA/AUTHOR/CMD: tty3 (2800178490) user='rtr_dweeb' 

Feb 18 11:44:49.875 CST: tty3 AAA/AUTHOR/CMD (2800178490): send AV service=shell 

Feb 18 11:44:49.879 CST: tty3 AAA/AUTHOR/CMD (2800178490): send AV cmd=debug 

Feb 18 11:44:49.879 CST: tty3 AAA/AUTHOR/CMD (2800178490): send AV cmd-arg=all 

Feb 18 11:44:49.879 CST: tty3 AAA/AUTHOR/CMD (2800178490): send AV cmd-arg= 

Feb 18 11:44:49.879 CST: tty3 AAA/AUTHOR/CMD (2800178490): found list "default" 

Feb 18 11:44:49.879 CST: tty3 AAA/AUTHOR/CMD (2800178490): Method=tacacs+ (tacacs+) 



Feb 18 11:44:49.879 CST: AAA/AUTHOR/TAC+: (2800178490): send AV cmd=debug 

Feb 18 11:44:49.879 CST: AAA/AUTHOR/TAC+: (2800178490): send AV cmd-arg=all 

Feb 18 11:44:49.879 CST: AAA/AUTHOR/TAC+: (2800178490): send AV cmd-arg= 

Feb 18 11:44:50.079 CST: AAA/AUTHOR (2800178490): Post authorization status = FAIL 

C-10 


Appendix C 




Feb 18 11:44:49 coachella CiscoSecure: DEBUG - AUTHORIZATION request (a6e7553a) 

Feb 18 11:44:49 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS = 

172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=debug 

cmd-arg=all cmd-arg= output: ] 

4. User rtr_dweeb fails debug ip packet command. 



service=CMD 




Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): send AV cmd-arg=ip 

Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): send AV cmd-arg=packet 







Feb 18 11:44:55.447 CST: AAA/AUTHOR/TAC+: (4087104408): send AV cmd-arg=ip 

Feb 18 11:44:55.447 CST: AAA/AUTHOR/TAC+: (4087104408): send AV cmd-arg=packet 




Feb 18 11:44:55 coachella CiscoSecure: DEBUG - AUTHORIZATION request (f39c4398) 


172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=debug 

cmd-arg=ip cmd-arg=packet cmd-arg= output: ] 

5. User rtr_dweeb fails clear ip cache command. 


Feb 18 11:45:00.483 CST:tty3 AAA/AUTHOR/CMD (3223867754):Port='tty3' 

list=''service=CMD 

Feb 18 11:45:00.483 CST:AAA/AUTHOR/CMD:tty3 (3223867754) user='rtr_dweeb' 

Feb 18 11:45:00.483 CST:tty3 AAA/AUTHOR/CMD (3223867754):send AV service=shell 

Feb 18 11:45:00.483 CST:tty3 AAA/AUTHOR/CMD (3223867754):send AV cmd=clear 

Feb 18 11:45:00.483 CST:tty3 AAA/AUTHOR/CMD (3223867754):send AV cmd-arg=ip 

Feb 18 11:45:00.483 CST:tty3 AAA/AUTHOR/CMD (3223867754):send AV cmd-arg=cache 

Feb 18 11:45:00.483 CST:tty3 AAA/AUTHOR/CMD (3223867754):send AV cmd-arg= 

Feb 18 11:45:00.483 CST:tty3 AAA/AUTHOR/CMD (3223867754):found list "default" 

Feb 18 11:45:00.483 CST:tty3 AAA/AUTHOR/CMD (3223867754):Method=tacacs+(tacacs+) 

Feb 18 11:45:00.483 CST:AAA/AUTHOR/TAC+:(3223867754):user=rtr_dweeb 

Feb 18 11:45:00.483 CST:AAA/AUTHOR/TAC+:(3223867754):send AV service=shell 

Feb 18 11:45:00.483 CST:AAA/AUTHOR/TAC+:(3223867754):send AV cmd=clear 

Feb 18 11:45:00.483 CST:AAA/AUTHOR/TAC+:(3223867754):send AV cmd-arg=ip 

Feb 18 11:45:00.483 CST:AAA/AUTHOR/TAC+:(3223867754):send AV cmd-arg=cache 

Feb 18 11:45:00.483 CST:AAA/AUTHOR/TAC+:(3223867754):send AV cmd-arg= 

Feb 18 11:45:00.687 CST:AAA/AUTHOR (3223867754):Post authorization status = FAIL 


Feb 18 11:45:00 coachella CiscoSecure: DEBUG - AUTHORIZATION request (c028516a) 


172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=clear 

cmd-arg=ip cmd-arg=cache cmd-arg= output: ] 


C-11


Appendix C 


6. User rtr_dweeb fails reload command. 



service=CMD 



Feb 18 11:45:03.911 CST: tty3 AAA/AUTHOR/CMD (410330894): send AV cmd=reload 






Feb 18 11:45:03.911 CST: AAA/AUTHOR/TAC+: (410330894): send AV cmd=reload 




Feb 18 11:45:03 coachella CiscoSecure: DEBUG - AUTHORIZATION request (1875270e) 


172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=reload 

cmd-arg= output: ] 

7. User rtr_dweeb fails show running-config command. 



service=CMD 



Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): send AV cmd=show 

Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): send AV 

cmd-arg=running-config 






Feb 18 11:45:08.891 CST: AAA/AUTHOR/TAC+: (2227741892): send AV cmd=show 

Feb 18 11:45:08.891 CST: AAA/AUTHOR/TAC+: (2227741892): send AV 





Feb 18 11:45:08 coachella CiscoSecure: DEBUG - AUTHORIZATION request (84c8a4c4) 


172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell 

cmd=showcmd-arg=running-config cmd-arg= output: ] 

C-12 


Appendix C 



8. User rtr_dweeb fails write terminal command. 



service=CMD 



Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): send AV cmd=write 

Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): send AV cmd-arg=terminal 






Feb 18 11:45:12.079 CST: AAA/AUTHOR/TAC+: (2744233862): send AV cmd=write 

Feb 18 11:45:12.079 CST: AAA/AUTHOR/TAC+: (2744233862): send AV cmd-arg=terminal 




Feb 18 11:45:11 coachella CiscoSecure: DEBUG - AUTHORIZATION request (a391af86) 


172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=write 

cmd-arg=terminal cmd-arg= output: ] 

9. User rtr_dweeb fails copy running-config startup-config command. 



service=CMD 



Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): send AV cmd=copy 




cmd-arg=startup-config 






Feb 18 11:45:17.631 CST: AAA/AUTHOR/TAC+: (1138992853): send AV cmd=copy 








Feb 18 11:45:17 coachella CiscoSecure: DEBUG - AUTHORIZATION request (43e3a6d5) 



cmd=copycmd-arg=running-config cmd-arg=startup-config cmd-arg= output: ] 


C-13


Appendix C 


10. User rtr_dweeb fails write memory command. 



service=CMD 




Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): send AV cmd-arg=memory 







Feb 18 11:45:20.915 CST: AAA/AUTHOR/TAC+: (1068431717): send AV cmd-arg=memory 




Feb 18 11:45:20 coachella CiscoSecure: DEBUG - AUTHORIZATION request (3faef965) 



cmd=writecmd-arg=memory cmd-arg= output: ] 

11. User rtr_dweeb fails configure terminal command. 



service=CMD 



Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): send AV cmd=configure 







Feb 18 11:45:32.399 CST: AAA/AUTHOR/TAC+: (530570549): send AV cmd=configure 





Feb 18 11:45:32 coachella CiscoSecure: DEBUG - AUTHORIZATION request (1f9fdd35) 


172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=configure 


C.6.2 Test Results for rtr_tech Group 

Tests results follow for each of the Cisco IOS commands summarized in Tabl e4-1, including relevant 

router output and AAA server log output: 

1. User rtr_techie is authorized EXEC shell access. 

2. User rtr_techie enters enable mode. 

3. User rtr_techie is denied the debug all command. 

C-14 


Appendix C 



4. User rtr_techie is permitted debug ip packet command. 

5. User rtr_techie is permitted clear ip cache command. 

6. User rtr_techie is denied reload command. 

7. User rtr_techie is permitted show running-config command. 

8. User rtr_techie is permitted write terminal command. 

9. User rtr_techie is permitted copy running-config starting config command. 

10. User rtr_techie is permitted write memory command. 

11. User rtr_techie is denied configure terminal command. 




Note 


1. User rtr_techie is authorized EXEC shell access. 


Feb 18 14:27:32.388 CST: AAA/MEMORY: create_user (0x61CC44D8) user='' ruser='' 


Feb 18 14:27:36.984 CST: tty3 AAA/AUTHOR/EXEC (3820424789): Port='tty3' 

list=''service=EXEC 

Feb 18 14:27:36.984 CST: AAA/AUTHOR/EXEC: tty3 (3820424789) user='rtr_techie' 

Feb 18 14:27:36.984 CST: tty3 AAA/AUTHOR/EXEC (3820424789): send AV service=shell 

Feb 18 14:27:36.984 CST: tty3 AAA/AUTHOR/EXEC (3820424789): send AV cmd* 

Feb 18 14:27:36.984 CST: tty3 AAA/AUTHOR/EXEC (3820424789): found list "default" 

Feb 18 14:27:36.984 CST: tty3 AAA/AUTHOR/EXEC (3820424789): Method=tacacs+ (tacacs+) 

Feb 18 14:27:36.984 CST: AAA/AUTHOR/TAC+: (3820424789): user=rtr_techie 




PASS_ADD 




[NAS = 172.22.255.3, Port = tty3, User = rtr_techie, Priv = 1] 


Feb 18 14:27:36 coachella CiscoSecure: DEBUG - AUTHORIZATION request (e3b70e55) 


[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd* 

output: ] 

2. User rtr_techie enters enable mode. 


Feb 18 14:27:39.776 CST: AAA/MEMORY: free_user (0x61F5DEC0) user='' ruser='' 



service=CMD 


C-15


Appendix C 


3. User rtr_techie is denied the debug all command. 


Feb 18 14:27:43.976 CST: AAA/AUTHOR/CMD: tty3 (438698848) user='rtr_techie' 














Feb 18 14:27:43 coachella CiscoSecure: DEBUG - AUTHORIZATION request (1a260360) 

Feb 18 14:27:43 coachella CiscoSecure: DEBUG - Authorization - Failed command line; 

[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=debug 


4. User rtr_techie is permitted debug ip packet command. 


Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): Port='tty3' 

















PASS_ADD 


Feb 18 14:27:47 coachella CiscoSecure: DEBUG - AUTHORIZATION request (ec2ab713) 


[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=debug 


C-16 


Appendix C 



5. User rtr_techie is permitted clear ip cache command. 



service=CMD 



Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): send AV cmd=clear 


Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): send AV cmd-arg=cache 






Feb 18 14:27:51.760 CST: AAA/AUTHOR/TAC+: (1013999614): send AV cmd=clear 


Feb 18 14:27:51.760 CST: AAA/AUTHOR/TAC+: (1013999614): send AV cmd-arg=cache 



PASS_ADD 


Feb 18 14:27:51 coachella CiscoSecure: DEBUG - AUTHORIZATION request (3c7067fe) 


[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=clear 

cmd-arg=ip cmd-arg=cache cmd-arg= output: ] 

6. User rtr_techie is denied reload command. 



service=CMD 













Feb 18 14:27:54 coachella CiscoSecure: DEBUG - AUTHORIZATION request (9f4d7922) 


[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=reload 



C-17


Appendix C 


7. User rtr_techie is permitted show running-config command. 



service=CMD 
















PASS_ADD 


Feb 18 14:27:57 coachella CiscoSecure: DEBUG - AUTHORIZATION request (e999072a) 


[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=show 

cmd-arg=running-config cmd-arg= output: ] 

8. User rtr_techie is permitted write terminal command. 



service=CMD 














PASS_ADD 


Feb 18 14:28:00 coachella CiscoSecure: DEBUG - AUTHORIZATION request (540355c9) 


[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=write 


C-18 


Appendix C 



9. User rtr_techie is permitted copy running-config starting config command. 



service=CMD 




















PASS_ADD 


Feb 18 14:28:05 coachella CiscoSecure: DEBUG - AUTHORIZATION request (ff2bf207) 


[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=copy 

cmd-arg=running-config cmd-arg=startup-config cmd-arg= output: ] 

10. User rtr_techie is permitted write memory command. 



service=CMD 













Feb 18 14:28:08.325 CST: AAA/AUTHOR (192752980): Post authorization status = PASS_ADD 


Feb 18 14:28:08 coachella CiscoSecure: DEBUG - AUTHORIZATION request (b7d2d54) 


[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=write 

cmd-arg=memory cmd-arg= output: ] 


C-19


Appendix C 


11. User rtr_techie is denied configure terminal command. 



service=CMD 















Feb 18 14:28:11 coachella CiscoSecure: DEBUG - AUTHORIZATION request (b55b3b42) 


[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell 

cmd=configure cmd-arg=terminal cmd-arg= output: ] 

C.6.3 Test Results for rtr_super Group 

Tests results follow for each of the Cisco IOS commands summarized in Tabl e4-1, including relevant 

router output and AAA server log output: 

1. User rtr_geek is authorized EXEC shell access. 

2. User rtr_geek enters enable mode. 

3. User rtr_geek is denied debug all command. 

4. User rtr_geek is permitted debug ip packet command. 

5. User rtr_geek is permitted reload command. 

6. User rtr_geek is permitted show running-config command. 

7. User rtr_geek is permitted write terminal command. 

8. User rtr_geek is permitted copy running-config startup-config command. 

9. User rtr_geek is permitted write memory command. 

10. User rtr_geek is permitted configure terminal command. 




C-20 


Appendix C 



Note 


1. User rtr_geek is authorized EXEC shell access. 


Feb 22 15:26:16.322 CST: AAA/AUTHOR/TAC+: (424410682): user=rtr_geek 





Feb 22 15:26:16.822 CST: AAA/ACCT/EXEC/START User rtr_geek, port tty3 

Feb 22 15:26:16.822 CST: AAA/ACCT/EXEC: Found list "default" 

Feb 22 15:26:16.822 CST: AAA/ACCT/EXEC/START User rtr_geek, Port tty3, 

task_id=310 start_time=951254776 timezone=CST service=shell 

Feb 22 15:26:16.822 CST: AAA/ACCT: user rtr_geek, acct type 0 (2751112696): 


Feb 22 15:26:17.022 CST: TAC+: (2751112696): received acct response status = SUCCESS 



[NAS = 172.22.255.3, Port = tty3, User = rtr_geek, Priv = 1] 


Feb 22 15:26:16 coachella CiscoSecure: INFO - Profile: user = rtr_geek { 

Feb 22 15:26:16 coachella set server current-failed-logins = 0 

Feb 22 15:26:16 coachella profile_cycle = 2 

Feb 22 15:26:16 coachella } 


[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd*output: ] 

2. User rtr_geek enters enable mode. 


Feb 22 15:26:22.562 CST: AAA/MEMORY: free_user (0x61F55834) user='' ruser='' 



service=CMD 

3. User rtr_geek is denied debug all command. 



service=CMD 

Feb 22 15:26:46.502 CST: AAA/AUTHOR/CMD: tty3 (32101230) user='rtr_geek' 














service=CMD 


C-21


Appendix C 



Feb 22 15:26:46 coachella CiscoSecure: DEBUG - AUTHORIZATION request (1e9d36e) 


[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=debug 


4. User rtr_geek is permitted debug ip packet command. 



















PASS_ADD 


Feb 22 15:26:53 coachella CiscoSecure: DEBUG - AUTHORIZATION request (61e8673b) 


[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=debug 


5. User rtr_geek is permitted reload command. 

Note 

Be sure to save your running configuration by using the appropriate write or copy 

running-config command before using the reload command. 















PASS_ADD 

C-22 


Appendix C 




Feb 22 15:27:16 coachella CiscoSecure: DEBUG - AUTHORIZATION request (ce542a7b) 


[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=reload 


6. User rtr_geek is permitted show running-config command. 



service=CMD 












Feb 22 15:27:34.455 CST: AAA/AUTHOR/TAC+: (150984379): send AV cmd-arg=running-config 




Feb 22 15:27:34 coachella CiscoSecure: DEBUG - AUTHORIZATION request (8ffd6bb) 


[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=show 

cmd-arg=running-config cmd-arg= output: ] 

7. User rtr_geek is permitted write terminal command. 



service=CMD 














PASS_ADD 


Feb 22 15:27:39 coachella CiscoSecure: DEBUG - AUTHORIZATION request (b398d061) 


[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=write 



C-23


Appendix C 


8. User rtr_geek is permitted copy running-config startup-config command. 























PASS_ADD 


Feb 22 15:27:44 coachella CiscoSecure: DEBUG - AUTHORIZATION request (92cec67d) 


[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=copy 

cmd-arg=running-config cmd-arg=startup-config cmd-arg= output: ] 

9. User rtr_geek is permitted write memory command. 



service=CMD 














PASS_ADD 


Feb 22 15:27:52 coachella CiscoSecure: DEBUG - AUTHORIZATION request (bd048283) 


[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=write 

cmd-arg=memory cmd-arg= output: ] 

C-24 


Appendix C 



10. User rtr_geek is permitted configure terminal command. 



service=CMD 














PASS_ADD 


Feb 22 15:27:56 coachella CiscoSecure: DEBUG - AUTHORIZATION request (f2feb350) 


[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=configure 



C-25


Appendix C 


C-26 


INDEX 

A 


BootFlash considerations B-1 

case study overview (figure) 1-2 

Cisco IOS 12.0(7)T command descriptions A-13 

defined 1-1 

disabling B-1 

example configuration (NAS) A-5, A-9 

example configuration (router) A-2 

overview 1-1 

security checklist (table) 1-12 

task checklist (table) 1-14 

aaa accounting command A-13, A-14 

aaa authentication command A-13, A-14 

aaa authorization command A-13, A-14 

aaa new-model key command A-13, A-14 


creating a user profile (RADIUS authentication) 4-7 

creating a user profile (RADIUS authorization) 4-9 

creating a user profile (TACACS+ authentication) 4-3 

creating a user profile (TACACS+ authorization) 4-5 

negotiation process (flow diagram) 6-3 

restarting 3-10 

software version used in case study xii 

verifying user configuration (RADIUS 

authentication) 4-8, 4-9 

verifying user configuration (TACACS+ 

authentication) 4-3 


authorization) 4-5 

AAA servers 

in network context 1-2 

access list 

dialup PPP filtering 1-11 

troubleshooting problems 6-14, 6-17 

verification, show caller user command 

(server-based) 4-10, C6 

verification, show line command (local-based) 2-8 

accounting 

configuring EXEC and command level 

(TACACS+) 5-4 

configuring NAS (TACACS+) 5-2 

configuring router (TACACS+) 5-4 

defined 1-1 

dial-based accounting (server) 5-1, 5-4 

monitored dialup PPP events 1-11 

monitored router administration events 1-11 

records policies 1-11 

server-based dial implementation 5-1 

server-based router implementation 5-4 

session timeout output example 5-3 

SQL query 5-2, 5-5 

TACACS+ dial implementation 5-1 

TACACS+ implementation (local-based) 2-12 

TACACS+ router implementation 5-4 

TACACS+ verification tests (local-based) 2-13 

TACACS+ verification tests (server-based) 5-2 

verifying from AAA server 5-2, 5-5 

acknowledgements xv 

AddProfile command 

adding basic user profile 3-11 

adding group profiles (TACACS+ authentication) 4-11 

adding group profiles (TACACS+ authorization) 4-17, 

4-18 

adding user profiles (RADIUS authentication) 4-7 

adding user profiles (RADIUS authorization) 4-9 

adding user profiles (TACACS+ authentication) 4-3 


1

Index 

adding user profiles (TACACS+ authorization) 4-5 

administrative control 

authorization policy 1-11 

creating, router example 4-13 

privilege level 15 1-11 

attribute-value pair 

See AVPs 

audience 

defined xi 


configuring NAS (RADIUS) 4-7 


general process (flow diagram) 6-3 

RADIUS implementation 4-6 

RADIUS verification tests (server-based) C4 

RADIUS vs. TACACS+ 1-5 

server-based implementation 4-2, 4-6, 4-10 

TACACS+ dialup, verifying by using csuslog 4-4 

TACACS+ implementation (local-based) 2-2, 2-8 

TACACS+ implementation (server-based) 4-2, 4-10 

TACACS+ verification tests (local-based) 2-3, 2-9 

TACACS+ verification tests (server-based) C1, C7 

verifying PPP user authentication 4-4 

authentication, authorization, and accounting 

See AAA 

authorization 

configuring NAS (RADIUS) 4-9 


configuring routers 4-13 

defined 1-1 

general process (flow diagram) 6-3 

RADIUS implementation 4-8 

RADIUS verification tests (server-based) C5 

RADIUS vs. TACACS+ 1-5 

server-based implementation 4-4, 4-8, 4-13 

TACACS+ dialup, verifying by using csuslog 4-5 

TACACS+ implementation (local-based) 2-5, 2-10 

TACACS+ implementation (server-based) 4-4, 4-13 

TACACS+ router, verifying by using csuslog 4-16, 

4-18, 4-19 

TACACS+ verification tests (local-based) 2-6, 2-11 

TACACS+ verification tests (server-based) C2, C9 

verifying access list 4-10 

verifying PPP user authorization 4-5 

verifying RADIUS authorization 4-9 

autocommand ppp negotiate command 1-11 

AVPs 

adding group profiles (TACACS+ authentication) 4-11 

adding group profiles (TACACS+ authorization) 4-16, 

4-17, 4-18 

defined 1-6 

dial access devices 1-11 

EXEC disabled implementation 6-6 

EXEC shell enabled (TACACS+) 6-5 

privilege level 15 enabled (TACACS+) 6-5 

RADIUS, user profile 4-7, 4-9 

RADIUS examples (table) 1-6 

TACACS+, user profile 4-3, 4-5 

TACACS+ authentication, group profile 4-11 

TACACS+ authorization, group profile 4-16, 4-17, 4-18 

TACACS+ examples (table) 1-6 

B 

BootFlash images 

AAA considerations B-1 

C 

case study 

hardware xii 

objectives xi 

overview 1-1 

purpose xi 

software xii 

CCO 

accessing xiii 

2 


Index 

definition xiii 

CD-ROM 

documentation xiv 

Challenge Handshake Authentication Protocol 

See CHAP 

CHAP 

ISDN authentication 1-10 

checklists 

AAA implementation tasks (table) 1-14 

AAA security (table) 1-12 

AAA service definition (table) 1-10 

general service definition (table) 1-9 

network services 1-9 

Cisco 7206 VXR xii 

Cisco AS5300 xii 


Cisco Connection Online 

See CCO 

Cisco IOS 12.0(7)T xii 

aaa accounting command A-13, A-14 

aaa authentication command A-13, A-14 

aaa authorization command A-13, A-14 

AAA command descriptions (NAS) A-13 

AAA command descriptions (router) A-13 

aaa new-model command A-13, A-14 

autocommand ppp negotiate command 1-11 

disabling AAA B-1 

example configurations A-1 

ip http command A-13 

ip tacacs command A-13 

local-based router example A-2 

radius-server host command A-15 

server-based NAS example A-5, A-9 

tacacs-server host command A-13, A-15 

tacacs-server key command A-13 

version used in case study xii 

CiscoSecure for UNIX 

See CSU 

commands 

Cisco IOS 12.0(7)T (AAA) A-13 

configurations 

Cisco IOS 12.0(7)T, NAS example A-5, A-9 

Cisco IOS 12.0(7)T, router example A-2 

CSU example A-15 

example CSConfig.ini listing A-19 

example CSU.cfg listing A-16 

examples, Cisco IOS 12.0(7)T A-1 

local router A-2 

RADIUS A-9 

TACACS+ A-5 

conventions 

command syntax xiii 

document xiii 

CSConfig.ini 

example file listing A-19 

CSU 

configuring CSU logging 3-9 

configuring debugging level 3-10 

creating csuslog file 3-9 

example configuration listings A-15 

example CSConfig.ini listing A-19 

example CSU.cfg listing A-16 

installation process 3-2 

installing 3-5 

log files listed A-25 

minimum system specifications xii 

pkgadd command 3-6 

restarting AAA server 3-10 

restarting syslog daemon 3-10 


verifying Oracle account information 3-4 

version 2.3(3) xii 

CSU.cfg 

example file listing A-16 

csuslog 

configuring logging 3-9 

creating file 3-9 

TACACS+ dialup authentication 4-4 


3

Index 

D 

TACACS+ dialup authorization 4-5 

TACACS+ router authorization 4-16, 4-18, 4-19 

using tail command (TACACS+ dialup 


using tail command (TACACS+ PPP 


using tail command (TACACS+ router 

authorization) 4-16, 4-18, 4-19 

using the tail command C1 

database 

verifying instance 3-3 

Data Encryption Standard 

See DES 

debug command 

summary of relevant commands 6-7 

using to troubleshoot AAA problems 6-7 

debug output 

accounting (server-based) 5-3, 5-5 

accounting, TACACS+ (local-based) 2-13 

authentication, RADIUS (server-based) C4 

authentication, TACACS+ (local-based) 2-3, 2-10 

authentication, TACACS+ (server-based) C1, C7 

authorization, RADIUS (server-based) C5 

authorization, TACACS+ (local-based) 2-6, 2-11 

authorization, TACACS+ (server-based) C3, C9 

DES 

password support policy 1-13 

router policy 1-10 

diagnostics 

using debug command output C1 

directory environment variable 

verifying 3-3 

disconnect cause codes 

idle timeouts 5-2, 5-3 

listed (table) 5-6 

E 

encryption 

RADIUS 1-4 

TACACS+ 1-5 

F 

flow diagram 

general authentication and authorization 6-3 

TACACS+, authentication and authorization 4-14 

G 

groups 

defining administrative control 4-13 

H 

hardware 

case study xii 

Cisco 7206 VXR xii 



Sun UltraSPARC xii 

I 

implementation 

AAA task checklist (table) 1-14 

interoperability 

RADIUS attribute support 1-6 

IP addresses 

static address policy 1-13 

ip http command A-13 

ip tacacs command A-13 

ISDN 

CHAP authentication 1-10 

4 


Index 

L 

listener.ora 

configuration listing A-24 

local-based access 

compared with server-based access 1-6 

defined 1-6 

local-based configuration 

implementation overview 2-1 

TACACS+, accounting 2-12 

TACACS+, authentication 2-2, 2-8 

TACACS+, authorization 2-5, 2-10 

verification test results (TACACS+ accounting) 2-13 

verification test results (TACACS+ 


verification test results (TACACS+ authorization) 2-6, 

2-11 

M 

management policy 

TACACS+ vs. RADIUS comparison 1-5 

MD5 

RFC link 1-2 

multiprotocol support 

TACACS+ vs. RADIUS comparison 1-5 

N 

NAS 

versions used in case study xii 

NAS profile 

RADIUS 4-7 

network environment 

equipment summary 1-13 

network services 

AAA checklist (table) 1-10 

accounting policy 1-11 

authentication policy 1-10 

O 

authorization policy 1-11 

checklist 1-9 

definitions and policies 1-10 

dialup/shell AAA policy 1-10 

general checklist (table) 1-9 

objectives 

case study xi 

online documentation 

See CCO 

Oracle 

accounting records policy 1-11 

confirming tnsnames service 3-4 

creating tablespace 3-2 

DB Client 7.3(4) xii 

DB Server 7.3(4) xii 

installation reference 3-2 

listener (lsnrctl) 3-3 

listener.ora listing A-24 

Server Manager (svrmgrl) 3-3 


user environment variable A-23 

verifying account information 3-4 

verifying database instance 3-3 

verifying SMON operation 3-3 

verifying software directory environment variable 3-3 

OS Solaris 2.5(1) xii 

overview 

AAA case study 1-1 

P 

PAP 

PPP authentication 1-10 

Password Authentication Protocol 

See PAP 


5

Index 

passwords 

authentication policies 1-13 

authentication policy 1-10 

authorization policies 1-13 

local access policy 1-10 

planning 

pre-deployment summary 1-9 

site preparation xi 

Point-to-Point Protocol 

See PPP 

policies 

accounting 1-11 

accounting, PPP 1-11 

accounting, router administration 1-11 

authentication 1-10 

authorization 1-11 

dialup/shell AAA 1-10 

privilege level 15 authorization 1-13 

router, administrative control 1-11 

router management 1-5 

security considerations 1-12 

PPP 

PAP authentication 1-10 

verifying TACACS+ authorization 4-5 

verifying TACACS+ user authentication 4-4 

privilege level 

TACACS+ support 1-2 

privilege level 15 

accounting 1-11, 1-12 

command authorization policy 1-13 

local administration 1-12 

router authorization policy 1-11 

router command authorization A-13 

privilege level 15 commands 4-13 

configuring accounting 5-4 

problems 


AAA behavior configured incorrectly in NAS 6-9 

AAA behavior configured incorrectly in router 6-20 

connection between NAS and AAA server down 6-12 

connection between router and AAA server 

down 6-23 

group profile password type does not match type in 

NAS 6-13 

incorrect AAA configuration in router 6-21, 6-24 

maximum number of users exceeded 6-12, 6-23 

shell initiated PPP session fails 6-9, 6-13 

TACACS+ key incorrect in router or AAA 

server 6-23 

TACACS+ or RADIUS key incorrect in NAS or AAA 

server 6-12 

user account disabled due to too many failed 

logins 6-10, 6-22 

user account password or profile expired 6-11, 6-22 

user enters invalid username or password 6-9, 6-20 

user enters password incorrectly 6-10, 6-22 

user exceeds the maximum number of concurrent 

sessions 6-11, 6-22 

user name not in server database 6-10, 6-22 

user profile configured incorrectly 6-10, 6-22 

user workstation configured incorrectly 6-11 

authorization 

AAA authorization configured incorrectly in 

NAS 6-16 

AAA behavior incorrectly configured 6-26, 6-28 

AAA configuration error 6-25, 6-27 

access list assigned to user 6-14, 6-17 

authorization failed service 6-25, 6-27 

autocommand ppp negotiate assigned to user 6-26, 

6-28 

AVPs not assigned 6-14, 6-17 

does not have PPP service assigned 6-16 

feature is not supported on console ports 6-28 

group lacks shell service assigned 6-16 

Idle-Timeout RADIUS AVP not configured on group 

profile 6-18 

idletime TACACS+ AVP not configured on group 

profile 6-18 

Lack of service=shell AVP 6-28 

user client configuration error 6-13 

6 


Index 

user exceeds the maximum number of concurrent 

sessions 6-19 

user or group does not have User-Service-Type AVP 

assigned 6-19 

user or group profile lacks proper AVP 6-18 

user or group profile restricted 6-18 

user or lacks service=shell AVP assigned 6-19 

user profile configured incorrectly 6-28 

user profile lacks appropriate enable level to perform 

command 6-25 

user profile lacks appropriate enable privilege level to 

perform command 6-27 

user profile lacks appropriate privilege level to 

perform command 6-25, 6-27 

user profile restricted 6-14 

profiles 

assigning user to group profile (TACACS+ 


assigning user to group profile (TACACS+ 

authorization) 4-16, 4-17, 4-18 

creating basic user 3-11 

group, configuring router access 4-13 

group, verifying (TACACS+ authentication) 4-11 

group, verifying (TACACS+ authorization) 4-16, 4-17, 

4-18 

group configuration, TACACS+ 4-14 

group permissions (table) 4-13 

user, defining access privileges 6-5 

user, RADIUS 4-7, 4-9 

user, TACACS+ 4-3, 4-5 

user, verifying (TACACS+ authentication) 4-12 

user, verifying (TACACS+ authorization) 4-16, 4-17, 

4-18 

user, verifying basic 3-11 

user configuration (RADIUS authentication) 4-7 

user configuration (RADIUS authorization) 4-9 

user configuration (TACACS+ authentication) 4-3 

user configuration (TACACS+ authorization) 4-5 

purpose 

case study xi 

R 

RADIUS 

authentication tests (server-based) C4 

authorization tests (server-based) C5 

AVP examples (table) 1-6 

compared with TACACS+ 1-4 

compared with TACACS+ (table) 1-4 

configuring authentication (server-based) 4-6 

configuring authorization (server-based) 4-8 

creating user profiles (authentication) 4-7 

debug output, server-based authentication C4 

debug output, server-based authorization C5 

encryption 1-4 

example configuration (NAS) A-9 

interoperability 1-6 

NAS profile, creating 4-7 

negotiation process (flow diagram) 6-4 

RFC link 1-2 

See also AVPs 

See also troubleshooting 

technology overview 1-3 

troubleshooting scenario, authorization 6-36 

troubleshooting symptom list, authentication 6-10 

troubleshooting symptom list, authorization 6-15 

verifying access list assignment 4-10 

radius-server host command A-15 

Remote Authentication Dial-in User Service 

See RADIUS 

Requests for Comments 

See RFCs 

RFCs 

reference links 1-2 

router 

administration, command and control policy 1-11 

administrative control, creating 4-13 

authorization, controlling 4-13 

management, RADIUS vs. TACACS+ 1-5 


7

Index 

S 

scenario 

case study description 1-8 

case study overview (figure) 1-2 

scenarios 

troubleshooting examples 6-29 

security 

policy considerations 1-12 

server-based access 

compared with local-based access 1-7 

defined 1-7 

server-based configuration 

implementation overview (authentication and 


verification test results (RADIUS authentication) C4 

verification test results (RADIUS authorization) C5 

verification test results (TACACS+ authentication) C1, 

C7 

verification test results (TACACS+ authorization) C2, 

C9 

verifying user (RADIUS authentication) 4-8, 4-9 

verifying user (TACACS+ authentication) 4-3 

verifying user (TACACS+ authorization) 4-5 

show caller user command 

access list verification output (server-based) 4-10, C6 

session timeout disconnect example 5-3 

show line command 

verification output (local-based) 2-8 

site preparation xi 

SMON 

verifying operation on Oracle server 3-3 

software 

case study listing xii 

software components 

Cisco IOS 12.0(7)T xii 

Oracle DB Client 7.3(4) xii 

Oracle DB Server 7.3(4) xii 

OS Solaris 2.5(1) xii 

SQL*Plus Release 3.3.4.0.1 xii 

SQL*Plus 

Release 3.3.4.0.1 xii 

sqlplus 

verifying account information 3-4 

symptom list, troubleshooting AAA 

dial-based local authentication 6-9 

dial-based local authorization 6-13 

dial-based server authentication 6-10 

dial-based server authorization 6-15 

router-based local authentication 6-19 

router-based local authorization 6-24 

router-based server authentication 6-21 

router-based server authorization 6-26 

syslog daemon 

restarting 3-10 

T 

tablespace 

installing (Oracle) 3-2 

size requirements 3-2 

TAC 

contacting xiv 

TACACS 

RFC link 1-2 

TACACS+ 

accounting tests (local-based) 2-13 

assigning user to group profile (authentication) 4-11 

assigning user to group profile (authorization) 4-16, 

4-17, 4-18 

authentication and authorization (figure) 4-14 

authentication tests (local-based) 2-3, 2-9 

authentication tests (server-based) C1, C7 

authorization tests (local-based) 2-6, 2-11 

authorization tests (server-based) C2, C9 

AVP examples (table) 1-6 

compared with RADIUS 1-4 

compared with RADIUS (table) 1-4 

configuring accounting (local-based) 2-12 

8 


Index 

configuring authentication (local-based) 2-2, 2-8 

configuring authentication (server-based) 4-2, 4-10 

configuring authorization (local-based) 2-5, 2-10 

configuring authorization (server-based) 4-4, 4-13 

configuring dial accounting (server-based) 5-1, 5-2 

configuring router accounting (server-based) 5-4 

creating user profiles (authentication) 4-3 

debug output, server-based authentication 

debug output, server-based authorization 

encryption 1-5 

example configuration (NAS) A-5 

multiprotocol support 1-5 

C1, C7 

C3, C9 

negotiation process, EXEC disabled (flow 

diagram) 6-6 

negotiation process, EXEC enabled (flow diagram) 6-5 

privilege level support 1-2 

RFC link 1-2 

router management 1-5 

See also AVPs 

See also troubleshooting 

service control 1-3 

technology overview 1-2 

troubleshooting scenario, authentication 6-29, 6-30, 6-31 

troubleshooting scenario, authorization 6-33, 6-34, 6-35 

troubleshooting symptom list, authentication 6-10, 6-21 

troubleshooting symptom list, authorization 6-15, 6-24, 

6-26 

tacacs-server host command A-13, A-15 

tacacs-server key command A-13 

tail command 

reading the csuslog file C1 

verifying dialup authentication with csuslog 

(TACACS+) 4-4 

verifying PPP authorization with csuslog 

(TACACS+) 4-5 

verifying router authorization with csuslog 

(TACACS+) 4-16, 4-18, 4-19 

Technical Assistance Center 

See TAC 

technology 

AAA overview 1-1 

Terminal Access Controller Access Control System Plus 

See TACACS+ 

tnsnames service 

verifying with tnsping utility 3-4 

tnsping 

using to verify tnsnames service 3-4 

troubleshooting 

diagnostic overview 6-1 

example scenarios 6-29 

methodology overview 6-7 

RADIUS authorization scenario 6-36 

See also problems 

See also RADIUS 

See also symptom list, troubleshooting AAA 

See also TACACS+ 

TACACS+ authentication scenario 6-29, 6-30, 6-31 

TACACS+ authorization scenario 6-33, 6-34, 6-35 

U 

UNIX 

version used in case study xii 

user 

creating profiles (RADIUS authentication) 4-7 

creating profiles (RADIUS authorization) 4-9 

creating profiles (TACACS+ authentication) 4-3 

creating profiles (TACACS+ authorization) 4-5 

user environment variable 

Oracle, listed A-23 

V 

verification 

accounting, TACACS+ (local-based) 2-13 

accounting, TACACS+ (server-based) 5-2 

authentication, RADIUS (server-based) C4 

authentication, TACACS+ (local-based) 2-3, 2-9 


9

Index 

authentication, TACACS+ (server-based) 

authorization, RADIUS (server-based) 

C5 

C1, C7 

authorization, TACACS+ (local-based) 2-6, 2-11 

authorization, TACACS+ (server-based) 

C2, C9 

verification tests 

debug output, RADIUS authentication 

(server-based) C4 

debug output, RADIUS authorization 

(server-based) C5 

debug output, TACACS+ (local-based) 2-6, 2-11, 2-13 

debug output, TACACS+ (server-based 

accounting) 5-3, 5-5 

debug output, TACACS+ authentication 

(server-based) C1, C7 

debug output, TACACS+ authorization 

(server-based) C3, C9 

SQL query (accounting) 5-2, 5-5 

ViewProfile command 

verifying basic user configuration 3-11 

verifying user configuration (RADIUS 






10

Cisco AAA Implementation Case Study.pdf

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?