5. AAA Configuration

AAA stands for authentication, authorization and accounting. This subsystem is implemented when it is necessary to provide an identification of a user, determine what commands the user has authority to execute and track all user’s actions.

Important

Changes in the AAA settings do not apply to sessions that have already been created!

5.1. Local User Configuration

There is one default local user in the system named admin with the password admin in the group admin with all configuration commands available to it.

Commands to manage users are listed below.

user USERNAME group <guest|operator|admin> encryption <md5|sha-256|sha-512> password PASSWORD

Add a new user to the specified group. The password is entered in plain text and will be hashed using the encryption algorithm.

user USERNAME group <guest|operator|admin> password PASSWORD_HASH

Add a new user to the specified group. The password is entered in a hashed form in the Modular Crypt Format: ($<id>[$<param>=<value>(,<param>=<value>)*][$<salt>[$<hash>]]). The MD5 ($1$), SHA-256 ($5$), and SHA-512 ($6$) algorithms are supported.

user USERNAME group <guest|operator|admin>

Move the user to the specified group.

To configure the password for Enable Mode, use the following commands:

enable encryption <md5|sha-256|sha-512> password PASSWORD
enable password PASSWORD_HASH

Note

For RADIUS and TACACS+ Enable Mode configuration is applied on the servers.

5.2. RADIUS and TACACS+ Configuration

First, set the settings for RADIUS or TACACS+ servers to which vCGNAT will connect:

aaa radius id (0-99) A.B.C.D auth-port (1-65535) acct-port (1-65535) secret SECRET

Set connection to the RADIUS server.

Keys

Argument

Description

id

(0-99)

Set the ID of the RADIUS server

HOST

A.B.C.D or hostname

RADIUS server IP address or hostname

auth-port

(1-65535)

RADIUS authentication port. The defaul is 1812

acct-port

(1-65535)

RADIUS accounting port. The default is 1813

secret

SECRET

A password which vCGNAT will use to connect to RADIUS server

The attribute cisco-avpair (9,1) is used:

shell:priv-lvl=

For privilege level

shell:cmd=

To forbidden an individual command (all commands whose beginning coincides with the specified one will be forbidden)

The password configuration for Enable Mode is done by creating user $enab15$ on the RADIUS server.

test    Cleartext-Password := "test"
        cisco-avpair := "shell:priv-lvl=7", cisco-avpair := "shell:cmd=show interface"

$enab15$ Cleartext-Password := "enable"
aaa tacacs+ id (0-99) HOST port (1-65535) secret SECRET

Set a connection to the TACACS+ server.

Keys

Argument

Description

id

(0-99)

Set the ID of the TACACS+ server

HOST

A.B.C.D or hostname

TACACS+ server IP address or hostname

port

(1-65535)

TACACS+ server port. The default is 49

secret

SECRET

A password which vCGNAT will use to connect to TACACS+ server

Note

You can add several RADIUS or TACACS+ servers to increase fault tolerance of the system. In that case, vCGNAT will connect to the server which comes with the highest ID number.

aaa server <radius|tacacs+> id (0-99) set-id (0-99)

Change the server ID. If the server with the new ID already exists, servers are swapped.

no aaa <radius|tacacs+> [id (0-99)]

Remove all connections to RADIUS or TACACS+ servers or specified by ID.

5.3. Accounting

aaa accounting <console|ssh> {local|radius|tacacs+}

Set the type of connection (via SSH or console) and the location where users’ actions will be sent to. Logs contain the beginning/end of the session and all commands entered by the user with the authorization result.

Pay attention: radius and tacacs+ here mean two groups of servers. For example, if you add two RADIUS and three TACACS servers, and specify local radius tacacs+ in the accounting, then the vCGANT will sent logs to the local, and to the RADIUS server with the highest ID in the group of the RADIUS servers, and to the TACACS server with the highest ID in the group of the TACACS servers.

no aaa accounting <console|ssh>

Disable accounting.

5.4. Authentication

aaa authentication <console|ssh> {local|radius|tacacs+}

Set a type of connection (via SSH or console) and a method for authentication. You can specify several methods and the vCGNAT will use the first of the specified. radius and tacacs+ methods mean two groups of servers. For example, if you specify for authentication radius tacacs and add several RADIUS and TACACS servers, then the vCGNAT will first try to connect to the RADIUS server with higher ID and so on, and then, if all RADIUS servers are not available, proceed to TACACS servers.

Pay attention to two things:

  1. The local server is always available, so the following servers will not be polled.

  2. Denied access is interpreted as a successful response, so the next server will not be polled.

During authentication, a privilege level (priv-lvl) is requested from the same source that allowed access. According to the received privilege level, the operator role is set:

admin

=15

operator

>=7; <15

guest

<7

no aaa authentication <console|ssh>

Disable remote authentication.

5.5. Authorization

aaa authorization <console|ssh> {local|radius|tacacs+}

Set a type of connection (via SSH or console) and a method for authorization. You can specify several methods and the vCGNAT will use the first of the specified. radius and tacacs+ methods mean two groups of servers. For example, if you specify for authorization radius tacacs and add several RADIUS and TACACS servers, then the vCGNAT will first try to connect to the RADIUS server with higher ID and so on, and then, if all RADIUS servers are not available, proceed to TACACS servers.

Pay attention to two things:

  1. The local server is always available, so the following servers will not be polled.

  2. Denied access is interpreted as a successful response, so the next server will not be polled.

Some important points

When the local authorization has been implemented at the user’s privilege level, individual commands cannot be allowed/forbidden.

RADIUS authorization allows only to prohibit commands (you need to choose a higher privilege level initially).

If the session has not been authenticated through RADIUS, RADIUS authorization will not be available and other methods will be used in that order.

TACACS+ authorization allows you to configure any access rights. It is not necessary to use TACACS+ authentication before using authorization.

no aaa authorization <console|ssh>

Disable remote authorization.

5.6. Show Commands

show aaa server debug

Display debug information for all configured connections. The output is as follows:

nfware# show aaa server debug
Radius server #0: 192.168.1.10 auth-port:1812 acct-port:1813
Accept: 0
Reject: 0
Connection error: 0

Tacacs+ server #0: 192.168.1.11:49
Accept: 95
Reject: 0
Connection error: 0
show aaa server radius

Display information about RADIUS connections: IP address or hostname, auth-port and acct-port.

show aaa server tacacs+

Display information about TACACS+ connections: IP address or hostname and port.

show aaa sessions

Display information about all sessions. The output includes: Username, TTY, Remote IP, Authenticator, Start Time, Last Activity, ID.

show aaa sessions username [USERNAME]

Display information about sessions for the specified user.

clear aaa session SESSION_ID

Clear the specified session.