Setup a Cisco Switch with AAA Server CS580 Winter 2005 Presented by: Chris Orona Kevork Tamamian Xuong Tsan
What is an AAA Server? • AAA = Authentication, Authorization, Accounting: who you are, what you are allowed to do, and a record of what you did • Two common protocols between a network device and an AAA server: RADIUS (Remote Authentication Dial-In User Service, RFC 2865, UDP) and TACACS (Terminal Access Controller Access Control System), now used in its TACACS+ form (TCP) • The difference that matters for a switch: RADIUS hides only the password attribute and merges authentication with authorization, while TACACS+ obfuscates the whole packet body with the shared key and keeps the three functions separate, which is why TACACS+ is the usual choice for device administration
TACACS • The original protocol, specified in RFC 1492 • Uses port 49 (UDP originally; RFC 1492 also allows TCP) • XTACACS: Cisco's extensions to TACACS • Caveat: RFC 1492 defines no encryption, so usernames and passwords cross the network in cleartext; this is the main reason to use TACACS+ instead
TACACS server on a switch
switch(config)# login tacacs
switch(config)# tacacs-server host 192.20.22.7
switch(config)# tacacs-server key "I am cool"
switch(config)# tacacs-server attempts 3
switch(config)# tacacs-server timeout 5
• login tacacs sends line logins to the server; tacacs-server host names the server; attempts 3 limits login tries on a line; timeout 5 is the seconds the switch waits for a reply before giving up • The key is the shared secret that must match the server's and is the only thing protecting the exchange, so use a long random string rather than a phrase; whether the quotes become part of the secret depends on the platform's parser (the show tacacs output on the next slide lists the key without them), so confirm the exact string on both sides
TACACS server cont.: verification
switch# show tacacs
Enable use-tacacs: Enabled
Login tacacs: Enabled
tacacs-server last-resort: password
tacacs-server hosts: 192.20.22.7
tacacs-server key: I am cool
tacacs-server login attempts: 3
tacacs-server timeout: 5 seconds
tacacs-server directed-request: Disabled
• Check that the host address is the one you configured; a mistyped address silently leaves the switch unable to reach its server and every login then runs on the fallback • last-resort: password means that when the server does not answer the switch falls back to its local enable password • The shared key is printed in cleartext, so treat show output (and saved copies of it) as sensitive
TACACS+ • A redesign of TACACS by Cisco, not compatible with TACACS or XTACACS (later published as RFC 8907) • Runs over TCP port 49 • Treats authentication, authorization and accounting as three independent exchanges, so each can be handled, and audited, separately • Obfuscates the packet body with a keystream derived from the shared key; only the 12-byte header travels in the clear
TACACS+ packet • Every packet starts with a 12-byte header: • Major/minor version (major 0xC, minor 0x0 or 0x1) • Packet type: authentication (1), authorization (2) or accounting (3) • Sequence number (1 for the client's first packet, incrementing from there) • Flags: whether the body is unencrypted (0x01) and whether one TCP connection carries many sessions (0x04) • Session ID (random 32-bit value) • Body length • The body that follows is XORed with an MD5-derived pseudo-pad computed from the session ID, the shared key, the version byte and the sequence number, so anyone who learns the key can read every session
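As an added example (not from the original slides, and not Cisco's code), the header layout and body obfuscation just described, in Python following RFC 8907: it builds the authentication START packet a switch sends for an ASCII login, applies the MD5 pseudo-pad with the shared key from the configuration slide, and parses the result back with the right key, with a wrong key, and with the unencrypted flag set. The session ID, username, port and remote address are constructed sample values.

```python
import hashlib
import struct

# Header constants from RFC 8907 (the slides list version, type and flags)
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01                # packet type: authentication
TAC_PLUS_AUTHOR = 0x02                # packet type: authorization
TAC_PLUS_ACCT = 0x03                  # packet type: accounting
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # body is sent in the clear
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04   # many sessions over one TCP connection

# 12-byte header: version, type, seq_no, flags, session_id, length (network byte order)
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; calling it again with the same inputs undoes it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, priv_lvl: int = 1) -> bytes:
    """Authentication START body for an ASCII login: action LOGIN (1), priv_lvl,
    authen_type ASCII (1), authen_service LOGIN (1), four length bytes, then the strings."""
    data = b""
    fixed = struct.pack("!BBBBBBBB", 1, priv_lvl, 1, 1,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1,
                 encrypt: bool = True) -> bytes:
    """Prepend the header and obfuscate the body unless the unencrypted flag is requested."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, version, seq_no) if encrypt else body
    return HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(payload)) + payload


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Parse the header and recover the body; with the wrong key the body comes out as garbage."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    payload = packet[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated TACACS+ packet")
    body = payload if flags & TAC_PLUS_UNENCRYPTED_FLAG else \
        obfuscate(payload, session_id, key, version, seq_no)
    return {"major": version >> 4, "minor": version & 0xF, "type": ptype,
            "seq_no": seq_no, "flags": flags, "session_id": session_id, "body": body}


def start_user(body: bytes) -> bytes:
    """Username from a START body: user_len is the fifth byte, the string follows the 8 fixed bytes."""
    return body[8:8 + body[4]]


# Constructed sample values (not from the slides, except the shared key)
SECRET = b"I am cool"
SESSION_ID = 0x1234ABCD            # real clients pick a random 32-bit id per session
START_BODY = authen_start_body(b"admin", b"tty0", b"192.0.2.10")


def demo() -> dict:
    encrypted = build_packet(START_BODY, SESSION_ID, SECRET)
    clear = build_packet(START_BODY, SESSION_ID, SECRET, encrypt=False)
    return {
        "right_key": parse_packet(encrypted, SECRET),
        "wrong_key": parse_packet(encrypted, b"wrong key"),
        "unencrypted": parse_packet(clear, b""),   # no key needed: anyone on the path reads it
        "wire": encrypted,
    }


if __name__ == "__main__":
    r = demo()
    print("username with right key :", start_user(r["right_key"]["body"]))
    print("username with wrong key :", start_user(r["wrong_key"]["body"]))
    print("username in clear packet:", start_user(r["unencrypted"]["body"]))
```

The 27-byte START body is longer than one MD5 digest, so the keystream chaining is exercised; note that the pad depends only on header fields plus the key, which is why a captured session can be replayed against a guessed key offline and why the key in tacacs-server key should be long and random.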
Authentication • Enables the switch/router to have a remote server check passwords • One method list for login and one for enable access • Keep a backup method for when the server is down: the next method in a list is tried only when the server returns an error (unreachable), not when it rejects the credentials, so the backup does not weaken the check while the server is up
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
• Here enable means the enable password; set it with enable secret (stored hashed) rather than enable password (stored in cleartext or reversible type 7)
Authorization • Asks the server whether the user may do something: start an EXEC shell, enter configuration mode, or run particular commands • Again keep a backup in case the server is down: if-authenticated lets a user who has already authenticated proceed when the server is unreachable
aaa authorization exec default tacacs+ if-authenticated
Accounting • Sends records of access and attempted access to the remote server • Can record EXEC sessions and inbound and/or outbound connections • Record types: • start-stop: a start record when the action begins and a stop record when it ends, without waiting for the server to acknowledge the start • stop-only: a single stop record when the action completes • wait-start: start and stop records, but the action is not allowed until the server has acknowledged the start record
aaa accounting exec default start-stop tacacs+
aaa accounting connection default start-stop tacacs+
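As an added example (not from the slides and not a Cisco tool), a small Python check that reads an IOS-style AAA configuration and reports the fallback and secret-handling gaps the three slides above warn about. The two configurations are constructed samples: the first is the slides' commands with the backup methods left off and enable password used, the second adds a local account, enable secret, the shared key and accounting. The rule set is the editor's own, written from the method-list behaviour described above.

```python
import re

# Methods that still let an administrator in when the TACACS+ server is unreachable
FALLBACK_METHODS = {"local", "local-case", "enable", "line", "if-authenticated"}

# Constructed sample configurations (not from the slides): a weak one and a hardened one
WEAK_CONFIG = """
aaa new-model
tacacs-server host 192.20.22.7
aaa authentication login default tacacs+
aaa authentication enable default tacacs+ enable
aaa authorization exec default tacacs+
enable password cisco
"""

HARDENED_CONFIG = """
aaa new-model
username admin privilege 15 secret <local-emergency-password>
enable secret <strong-enable-secret>
tacacs-server host 192.20.22.7
tacacs-server key <long-random-shared-secret>
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
"""


def method_list(tokens: list) -> list:
    """Merge 'group tacacs+' / 'group radius' into single method tokens."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def aaa_findings(config: str) -> list:
    """Return one finding string per problem; an empty list means the checks pass."""
    lines = [l.strip() for l in config.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: the aaa method lists have no effect")
    if not any(l.startswith("tacacs-server key") for l in lines):
        findings.append("tacacs-server key missing: TACACS+ bodies would leave the device unencrypted")
    has_enable_secret = any(l.startswith("enable secret") for l in lines)
    has_local_user = any(l.startswith("username ") for l in lines)
    for l in lines:
        m = re.match(r"aaa (authentication|authorization) (\S+) (\S+) (.+)$", l)
        if not m:
            continue
        methods = method_list(m.group(4).split())
        last = methods[-1]
        # IOS tries the next method only when the server returns ERROR (unreachable),
        # so the last method decides what happens when the server is down
        if last == "none":
            findings.append(f"{l}: 'none' fallback grants access without credentials when the server is down")
        elif last not in FALLBACK_METHODS:
            findings.append(f"{l}: no fallback method, the device locks you out when the server is unreachable")
        if "enable" in methods and not has_enable_secret:
            findings.append(f"{l}: falls back to the enable password but no 'enable secret' is set")
        if last in ("local", "local-case") and not has_local_user:
            findings.append(f"{l}: falls back to local but no 'username' is configured")
    if not any(l.startswith("aaa accounting exec") for l in lines):
        findings.append("no 'aaa accounting exec': shell sessions are not recorded on the server")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(aaa_findings(cfg))} finding(s)")
        for f in aaa_findings(cfg):
            print("  -", f)
```

Run it against a show running-config capture (paste the AAA and tacacs-server lines into a string) to see which method lists would lock you out, or let anyone in, the day the server is unreachable.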
ClearBox RADIUS and TACACS+ Server 2.4.5 • Runs on Windows • Can authenticate against a Windows domain or a SQL database (Access, SQL Server, ODBC, etc.) • $399, or a free trial version with limited password functionality
Reference Links
• http://www.cisco.com/en/US/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007da46.html#15411
• http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080093c7c.shtml
• http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
• http://www.informit.com/articles/article.asp?p=170744&seqNum=2
• http://www.cisco.com/pcgi-bin/search/search.pl?searchPhrase=cisco+router+1601+support+tacacs&x=0&y=0&nv=Search+All+Cisco.com%23%23cisco.com&nv=Technical+Support%26Documentation%23%23cisco.com%23TSD&language=en&country=US&accessLevel=Guest&siteToSearch=cisco.com
• http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7a7.html#16099
• ClearBox server: http://www.xperiencetech.com/