What is AAA on Cisco IOS?
Authentication, Authorization, and Accounting is also known as AAA. You can configure your Cisco router to use AAA for user authentication, authorization, and accounting. AAA is usually used with external servers running the TACACS+, TACACS, or RADIUS protocol. In this example we use an external server running the TACACS+ protocol. Once AAA is implemented we no longer need separate passwords for Telnet, HTTP, HTTPS, SSH, console, etc. Every login attempt is authenticated with the same credentials by the TACACS+ server, which also gives increased flexibility, control, scalability and multiple backup systems.
AAA Configuration steps on Cisco Router to authenticate with external TACACS+ Server:
1. Turn on AAA on the router using the ‘aaa new-model’ command and specify the TACACS+ server and its secret key
Cisco-Router(config)#tacacs-server host 10.9.0.67
Cisco-Router(config)#tacacs-server host 10.90.0.67
Cisco-Router(config)#tacacs-server key <tacacs-server-key>
Please note that the TACACS+ key must be the same as the secret key you used when configuring the server. You can also configure a message banner to display when a user attempts to log in.
2. Create a local user account on the router as a fallback in case the TACACS+ server is down.
Cisco-Router(config)#username admin privilege 15 password cisco@123
3. Now we define how login authentication is performed. The default method list uses the TACACS+ group first and the local database second, so if TACACS+ is unavailable the local user account created in the previous step is used to log in to the router.
4. Now we define authentication for enable mode, again using the default TACACS+ group. We do not add the local method here, because the locally defined user already has a privilege level that places it in enable mode.
5. Check authorization for all commands in configuration mode against TACACS+. This controls which configuration commands the logged-in user is authorized to run; for example, after the user enters ‘config terminal’ they may be allowed to change the banner or interface descriptions but be denied other commands such as ‘shutdown’ or ‘enable’.
6. In the command below, “if-authenticated” means that once we are authenticated we are immediately dropped into exec (enable) mode.
7. Cisco’s recommended best practice is to configure authorization for each level of user access to network devices. In this command we are authorizing level 1 users, which is the same as non-enable mode. A fallback method such as the local user (step 2) should also be configured. This also requires TACACS+.
8. We also provide authorization for level 15 users against TACACS+. If TACACS+ is not available, the local user account is used. Once authenticated, the user is placed directly into exec (enable) mode.
9. For accountability of privileged command use on the router, enable AAA accounting for each level of commands.
10. This command provides accountability, that is, tracking of user activity, even when the user has only logged in. It is optional and may be skipped.
11. This command provides accounting for users with privilege level 15.
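The complete AAA configuration that the eleven steps above describe, written out as an added example rather than the post's own listing: the command lines for steps 3 to 11 are reconstructed from standard Cisco IOS syntax for what each step says, the server addresses are the ones given in step 1, and the TACACS+ key and local password are placeholders to be replaced.

```cisco
! Step 1: enable AAA and point the router at the TACACS+ servers (addresses from the post)
aaa new-model
tacacs-server host 10.9.0.67
tacacs-server host 10.90.0.67
tacacs-server key <tacacs-server-key>
!
! Step 2: local fallback account; 'secret' stores a hash, whereas 'password' stores a
! reversible type-7 string, so 'secret' is preferred for the fallback credential
username admin privilege 15 secret <local-admin-secret>
!
! Step 3: login authentication - TACACS+ first, local database if the server is unreachable
aaa authentication login default group tacacs+ local
!
! Step 4: enable-mode authentication against TACACS+ only, as the post describes
! (the keyword 'enable' could be appended to fall back to the enable secret)
aaa authentication enable default group tacacs+
!
! Step 5: send every configuration-mode command to TACACS+ for authorization
aaa authorization config-commands
!
! Step 6: exec authorization; if-authenticated puts an authenticated user straight into exec
aaa authorization exec default group tacacs+ if-authenticated
!
! Step 7: command authorization for privilege level 1 (non-enable): TACACS+, then the
! local database, and as a last resort permit because the user is already authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
!
! Step 8: the same for privilege level 15
aaa authorization commands 15 default group tacacs+ local if-authenticated
!
! Step 9: accounting records for level 1 commands
aaa accounting commands 1 default start-stop group tacacs+
!
! Step 10 (optional): accounting of exec sessions, so a plain login is recorded too
aaa accounting exec default start-stop group tacacs+
!
! Step 11: accounting records for level 15 commands
aaa accounting commands 15 default start-stop group tacacs+
```

Apply this from a console session and confirm that a second session can still log in before disconnecting, so a mistyped key or an unreachable server does not lock you out. The `tacacs-server host` form is the legacy syntax the post uses; newer IOS releases prefer named `tacacs server` blocks.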