Configuring CiscoSecure Access Control Server (ACS) is the first part of a two-part process to develop an operational system. The second part is configuring the NAS so that it functions properly with the CiscoSecure ACS.
This chapter describes how to configure the NAS, including global and interface configuration; authentication, authorization, and accounting on the NAS; and other commands.
For complete information about a specific Cisco IOS software release or more detailed configurations, see the publication Router Products Configuration Guide or the Configuration Fundamentals Configuration Guide. (See the appendix "References and Recommended Reading.")
The first steps in configuring the NAS are to enable TACACS+, specify the list of CiscoSecure ACSes that will provide AAA services for the NAS, and configure the encryption key that is used to encrypt the data transfer between the NAS and the CiscoSecure ACS.
To begin global configuration, enter the following commands, using the correct IP address of the CiscoSecure ACSs and your own encryption key:
```
Router(config)# aaa new-model
Router(config)# tacacs-server host 144.1.12.100
Router(config)# tacacs-server host 144.1.200.250
Router(config)# tacacs-server key arachnid
```
The word "arachnid" is the encryption key shared between the NAS and the CiscoSecure ACS. The encryption key should be kept secret to protect the privacy of passwords sent between the CiscoSecure ACS and the NAS during the authentication process.
To specify multiple CiscoSecure ACSs for backup purposes, edit the CSU.cfg file and repeat the tacacs-server host command for the additional server(s).
With TACACS+, NAS login passwords must contain the following:
The authentication configuration builds a set of authentication lists, each of which can be used for different purposes within the NAS. The syntax of the command is as follows:
```
aaa authentication login list_name method1 [method2] [method3] [method4]
aaa authentication ppp list_name method1 [method2] [method3] [method4]
```
As you can see, the AAA server requires an authentication for PPP in addition to an authentication for login before it will work properly.
Each of these command lines supports several arguments. A list_name and one authentication method are required. Two or more authentication methods are optional.
Each of the possible authentication methods is listed in Table 7-1.
In the following example, system administrators must use TACACS+ authentication; if a CiscoSecure ACS is not available, use the NAS's local user database password. However, all other users can only use TACACS+:
```
aaa authentication login default tacacs+
aaa authentication login admin tacacs+ local
```
When the local method is reached, the system administrator is authenticated against the NAS's local user database.
To configure TACACS+ authentication at login on all lines on a 16-port NAS, enter the following commands:
```
line console 0
 login authentication admin
line aux 0
 login authentication admin
line vty 0 4
 login authentication default
line 1 16
 login authentication default
```
Caution: If you do not include the local method for system administrator logins, you will no longer be able to log in to your NAS unless you have a functioning CiscoSecure ACS appropriately configured with usernames and passwords. The addition of the local method ensures that you will still be able to log in to the router if the router cannot contact a CiscoSecure ACS. The NAS will test the local method only if it cannot contact a CiscoSecure ACS.
NAS ports may be excluded from using CiscoSecure ACS by creating a separate authentication method list that does not include TACACS+ as an authentication method. Depending on your needs, you can apply such a separate method list to fixed ports that do not need AAA services, or to all the vty ports.
In the following example, only the first two vty ports and the console are enabled for AAA services in the NAS configuration:
```
aaa new-model
aaa authentication login admin tacacs+ local
aaa authentication login no_tacacs line
tacacs-server host 144.251.1.1
tacacs-server key arachnid
! The console and VTY lines 0 & 1 use TACACS+
line console 0
 login authentication admin
line vty 0 1
 login authentication admin
! VTY Lines 2 - 4 do not use TACACS+
line vty 2 4
 login authentication no_tacacs
```
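The lockout caution and the port-exclusion example above can be checked mechanically before a configuration is pushed to a NAS. The following Python script is an added example (not from the Cisco guide): it parses the `aaa authentication login` lists and the per-line `login authentication` bindings from a constructed NAS configuration, then flags a console bound to a list with no local fallback and any line whose list never consults TACACS+.

```python
import re

# Constructed NAS configuration (not from the page). It mirrors the page's
# pattern: "admin" has a local fallback, "default" is TACACS+ only, and
# "no_tacacs" bypasses the ACS; here the console is bound to "default".
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+
aaa authentication login admin tacacs+ local
aaa authentication login no_tacacs line
tacacs-server host 144.251.1.1
tacacs-server key arachnid
line console 0
 login authentication default
line vty 0 1
 login authentication admin
line vty 2 4
 login authentication no_tacacs
"""

def parse_login_lists(config):
    """Return {list_name: [methods]} from 'aaa authentication login' lines."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        lists[m.group(1)] = m.group(2).split()
    return lists

def parse_line_bindings(config):
    """Return {line_spec: list_name}; a line with no explicit list uses 'default'."""
    bindings, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            bindings[current] = "default"
        elif current and raw.strip().startswith("login authentication "):
            bindings[current] = raw.split()[-1]
    return bindings

def audit(config):
    """Map each line spec to a list of findings (empty list means no issue)."""
    lists, findings = parse_login_lists(config), {}
    for line_spec, name in parse_line_bindings(config).items():
        issues = []
        methods = lists.get(name)
        if methods is None:
            issues.append("undefined method list %s" % name)
        elif "tacacs+" not in methods:
            issues.append("bypasses TACACS+")
        elif "local" not in methods and line_spec.startswith("con"):
            issues.append("console lockout risk: no local fallback")
        findings[line_spec] = issues
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the console flagged for lockout risk and vty 2-4 flagged as bypassing TACACS+, while vty 0-1 (bound to the admin list) is clean.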
The NAS can use a CiscoSecure ACS to authorize specific commands by individual users. To authorize specific commands, you must use the following command syntax to specify which commands and actions will require authorization checks:
```
aaa authorization {network | connection | exec | commands level} methods
```
The four items that can be checked for authorization are listed in Table 7-2.
| Keyword | Authorization Check |
|---|---|
| network | Check authorization for all network activities including SLIP, PPP, PPP network control protocols, and ARAP. |
| connection | Check authorization for outbound Telnet and rlogin. |
| exec | Determine if the user is allowed to run an EXEC shell when logging into the NAS. This keyword might cause the CiscoSecure ACS to return user profile information such as autocommand information. |
| commands level | Check authorization for all commands at the privilege level given by *level*. Valid levels are 1 through 15. Level 1 is normal user EXEC commands. Level 15 is normal privileged level. |
The methods you can specify are listed in Table 7-3.
| Method | Meaning |
|---|---|
| tacacs+ | Requests authorization information from the CiscoSecure ACS. |
| if-authenticated | Allows the user to access the requested function if the user is authenticated. Note that you are either authenticated or not, so this should be the last method in the list. |
| none | No authorization is performed. |
| local | Uses the local database for authorization. |
Using the command syntax specified above, you can configure the NAS to restrict the set of commands that an individual user can execute. To require that all commands at privilege level 1 be authorized, enter the following command:
```
aaa authorization commands 1 tacacs+
```
Caution: When you enter this command in your NAS, you will be permitted to execute only NAS commands that are allowed by your CiscoSecure ACS. Therefore, make sure you have configured an authenticated user who is authorized to run commands on the CiscoSecure ACS.
To require that the system administrator be authorized at level 15, enter the following command:
```
aaa authorization commands 15 tacacs+ if-authenticated
```
This command uses TACACS+ authorization for level 15 commands; if problems arise, you can switch off the CiscoSecure ACS, and authorization is then granted to any user who is authenticated.
The NAS must be specifically configured to send accounting records to the CiscoSecure ACS. Several types of accounting records are available. Use the following command syntax to configure accounting on the NAS:
```
aaa accounting {system | network | connection | exec | commands level} {start-stop | wait-start | stop-only} tacacs+
```
The first set of keywords allows you to specify accounting of the events listed in Table 7-4.
You can specify when accounting records are to be sent by using the second set of keywords, which are listed in Table 7-5.
Use the following commands to record accounting information on NAS system events, network connections, outbound connections, EXEC operations, and commands at level 1 and level 15:
```
aaa accounting system start-stop tacacs+
aaa accounting network start-stop tacacs+
aaa accounting connection start-stop tacacs+
aaa accounting exec stop-only tacacs+
aaa accounting commands 1 stop-only tacacs+
aaa accounting commands 15 wait-start tacacs+
```
To add NASs to the network, edit the CSU.cfg file and repeat the aaa commands for each additional NAS.
You can use the following sample configuration for quick, easy NAS setup or modify it to meet special needs:
```
version 11.2
service udp-small-servers
service tcp-small-servers
!
hostname akron
!
aaa new-model
aaa authentication login default tacacs+ local
aaa authentication ppp default tacacs+
enable password cisco
!
chat-script cisco-default ABORT ERROR "" "AT Z" OK "ATDT \T" TIMEOUT 30 \c CONNECT \c
!
interface Ethernet0
 ip address 200.200.200.102 255.255.255.0
 no mop enabled
!
interface Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 async dynamic address
 async dynamic routing
 async mode interactive
 peer default ip address pool tokencard
 ppp authentication chap pap
 no cdp enable
!
router rip
 network 200.200.200.0
 network 100.0.0.0
!
ip local pool tokencard 200.200.200.125 200.200.200.129
no ip classless
!
tacacs-server host 200.200.200.100
tacacs-server key fortknox123
!
line con 0
 autoselect ppp
line 1
 exec-timeout 0 30
 autoselect during-login
 autoselect ppp
 script dialer usr*
 modem InOut
 modem autoconfigure type usr_sportster
 transport input all
 telnet transparent
 stopbits 1
 rxspeed 115200
 txspeed 115200
 flowcontrol hardware
line 2 16
 autoselect arap
 arap enable
 script dialer cisco-default
 modem InOut
 rxspeed 28800
 txspeed 28800
 flowcontrol hardware
line aux 0
line vty 0 4
!
end
```
You can use other commands to tailor the operation of the NAS with the TACACS+ protocol. See the publications Router Products Command Reference or Configuration Fundamentals Command Reference for a detailed list of commands. (See the appendix "References and Recommended Reading" for more reading.)