
This is the Title of the Book, eMatter Edition
Copyright © 2002 O’Reilly & Associates, Inc. All rights reserved.
43
CHAPTER 5
AAA Access Control
AAA stands for authentication, authorization, accounting. This chapter will cover the authentication and authorization aspects of AAA, leaving the accounting details for Chapter 11. AAA access control provides much greater scalability and functionality than the basic access control methods discussed in Chapter 3. AAA can use local router configuration, TACACS+, RADIUS, and Kerberos for authentication and can use a TACACS+ or RADIUS server for authorization.
TACACS+ and RADIUS can be used both for authentication and authorization, while Kerberos can be used only for authentication. Cisco-only networks usually choose TACACS+ because of its enhanced features. TACACS+, however, is proprietary to Cisco. Networks using equipment from multiple vendors usually choose RADIUS for its interoperability. Finally, organizations with existing Kerberos access servers can configure their routers to use those servers to control access to Cisco routers.
Enabling AAA
To use any of these authentication and authorization methods, you must first enable AAA on the router. The general steps for enabling AAA are:
1. Turn on AAA with the aaa new-model command.
2. Configure security protocol information if using an access control server (ACS).
3. Define methods that specify the type and order of authentication with the aaa authentication command.
4. Apply the authentication methods to each line and/or enable access.
5. Configure AAA authorization, if needed, with the aaa authorization command.
Local Authentication
Assume that the router configuration has the following users:
username jdoe password 7 09464A061C480713181F13253920
username rsmith password 7 095E5D0410111F5F1B0D17393C2B3A37
To take advantage of the AAA accounting features, you can enable AAA but use these locally defined usernames for access. To do so:
1. Enable AAA with aaa new-model.
2. Make the default AAA authentication method local using the aaa authentication command.
3. Apply the default AAA authentication method to each line:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#aaa new-model
Router(config)#aaa authentication login default local
Router(config)#line vty 0 4
Router(config-line)#login authentication default
Router(config-line)#exit
Router(config)#line aux 0
Router(config-line)#login authentication default
Router(config-line)#exit
Router(config)#line con 0
Router(config-line)#login authentication default
Router(config-line)#^Z
Router#
While AAA and local authentication provide greater accountability than non-AAA methods, local AAA authentication is not scalable, and all local passwords are stored in the configuration file using the weak, reversible Vigenère cipher (the type 7 encoding shown in the username lines above).
TACACS+ Authentication
TACACS+ is Cisco's proprietary and recommended access control protocol. TACACS+ has the benefits of running over TCP, encrypting the entire contents of packets between the ACS and the router, supporting multiple protocols, and providing authentication and authorization support. TACACS+, however, is proprietary, and if your ACS server needs to serve non-Cisco equipment, you may have difficulty. If you are going to implement an ACS server for your Cisco routers only, TACACS+ is definitely the choice to make. Configuring TACACS+ on a router is fairly straightforward, but since the packets are encrypted, both the router and the server must be preconfigured with the same encryption key.
To configure a router to use a TACACS+ server, assuming that the server is configured with the key MyTACACSkey, you must:
1. Enable AAA with the aaa new-model command.
2. Tell the router what TACACS+ server to use with the tacacs-server host command.
3. Tell the router what the TACACS+ server key is with the tacacs-server key command.
4. Define the default AAA authentication method to be TACACS+ with the locally configured users as a backup in case the TACACS+ server isn't available.
5. Configure each line to use the default AAA authentication method.
Here is an example of setting the AUX and VTY ports to use the TACACS+ server 130.218.12.10:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#aaa new-model
Router(config)#tacacs-server host 130.218.12.10
Router(config)#tacacs-server key MyTACACSkey
Router(config)#aaa authentication login default group tacacs+ local
Router(config)#line aux 0
Router(config-line)#login authentication default
Router(config-line)#exit
Router(config)#line vty 0 4
Router(config-line)#login authentication default
Router(config-line)#^Z
Router#
IOS versions 12.0.5(T) and later use the aaa authentication login default group tacacs+ enable command. Earlier versions leave out the keyword group and use the aaa authentication login default tacacs+ enable command.
The router is now set up to use the TACACS+ server 130.218.12.10 for authentication. There is an important item to note when using the aaa authentication login command. The command tells the router to attempt to authenticate a user through TACACS+ first, and to use the locally configured enable password only if it fails to reach the server. If the TACACS+ server is unreachable for some reason, the router uses the local enable password. If the TACACS+ server is reachable but rejects users because they didn't authenticate themselves correctly, the router does not default to the enable password, but denies the users access.
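The distinction just made (fall through to the next method only when the server cannot be reached, never when it answers with a rejection) is the part of method-list behaviour that is easiest to get wrong when reasoning about lockout and fallback. The following Python model is an added example and not code from the book or from Cisco: the TacacsServer and LocalDatabase classes are constructed stand-ins for a real server and the router's username table, the credentials are placeholders, and login_default models the aaa authentication login default group tacacs+ local list from the configuration above.

```python
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    """Outcome a single method returns to the method-list walker."""
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # method answered and rejected the credentials
    ERROR = "error"  # method could not answer (server unreachable)


@dataclass
class TacacsServer:
    """Constructed stand-in for a TACACS+ server (not a real TACACS+ client)."""
    reachable: bool
    users: dict

    def check(self, user, password):
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == password else Result.FAIL


@dataclass
class LocalDatabase:
    """Stand-in for the router's own `username ... password` entries."""
    users: dict

    def check(self, user, password):
        # The local database is always reachable: it either matches or rejects.
        return Result.PASS if self.users.get(user) == password else Result.FAIL


def evaluate_method_list(methods, user, password):
    """Walk an ordered list of (name, method) pairs the way IOS walks a method list.

    PASS  -> access granted, search stops.
    FAIL  -> access denied, search stops (no fallback to later methods).
    ERROR -> method unavailable, move on to the next method.
    Returns (allowed, name of the deciding method, or None if every method errored).
    """
    for name, method in methods:
        result = method.check(user, password)
        if result is Result.PASS:
            return True, name
        if result is Result.FAIL:
            return False, name
    return False, None


# Constructed sample data; the passwords are placeholders, not real credentials.
LOCAL_DB = LocalDatabase(users={"jdoe": "local-pw"})
TACACS_UP = TacacsServer(reachable=True, users={"jdoe": "acs-pw"})
TACACS_DOWN = TacacsServer(reachable=False, users={"jdoe": "acs-pw"})


def login_default(server, user, password):
    """Models `aaa authentication login default group tacacs+ local`."""
    return evaluate_method_list([("tacacs+", server), ("local", LOCAL_DB)], user, password)


if __name__ == "__main__":
    print(login_default(TACACS_UP, "jdoe", "acs-pw"))      # (True, 'tacacs+')
    print(login_default(TACACS_UP, "jdoe", "local-pw"))    # (False, 'tacacs+'): rejected, no fallback
    print(login_default(TACACS_DOWN, "jdoe", "local-pw"))  # (True, 'local'): server down, fallback
    print(login_default(TACACS_DOWN, "jdoe", "wrong"))     # (False, 'local')
```

The second call is the case the paragraph warns about: the server is up and says no, so the local password is never consulted. Only the third call, where the server returns no answer at all, reaches the fallback method.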
TACACS+ Enable Password
You can also use TACACS+ for the enable password. If TACACS+ is already configured on your router, this can be done with the command:
aaa authentication enable default group tacacs+ enable
Otherwise, you need to:
1. Enable AAA, if not already enabled, with the aaa new-model command.
2. Tell the router what TACACS+ server to use with the tacacs-server host command.
3. Tell the router what the TACACS+ server key is.
4. Configure the enable password to use the TACACS+ server first and then the locally configured enable password in case the TACACS+ server is unavailable:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#aaa new-model
Router(config)#tacacs-server host 130.218.12.10
Router(config)#tacacs-server key MyTACACSkey
Router(config)#aaa authentication enable default group tacacs+ enable
Router(config)#^Z
Router#
Cisco provides a free Unix-based TACACS+ server that you can
download from This free server
hasn’t been updated since 1998, and if you are not comfortable using
a free solution, you may want to look at Cisco’s commercial access
control servers.
HTTP Authentication with TACACS+
If you are running the HTTP service on your router (not recommended), you can use
TACACS+ for HTTP authentication. Assuming that TACACS+ is already set up on
your router, you can enable HTTP authentication through TACACS+ by:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip http authentication aaa
Router(config)#^Z
TACACS+ Authorization
In addition to authentication, TACACS+ provides very granular control over user
authorization. Most configuration is done on the TACACS+ server. Using
TACACS+, you can specify what a user can and cannot do. Once this information is
configured on the server, you then tell the router to use the TACACS+ server to
authorize every command at a specific level.
EXEC authorization
EXEC is what Cisco calls the command-line shell on its routers. You can use TACACS+ to configure which users are authorized to use the EXEC prompt to execute commands. Without access to an EXEC prompt, even users who are successfully authenticated will be unable to start a shell and will be disconnected. Most TACACS+ daemons have a default deny stance, so before you enable EXEC authorization, make sure your TACACS+ server is set up to allow at least one user EXEC access.
To use TACACS+ for EXEC authorization, enter the command:
Router(config)#aaa authorization exec default group tacacs+ if-authenticated
The final if-authenticated is a fail-safe that allows successfully authenticated users to start an EXEC shell if the TACACS+ server is unavailable. This keeps you from being locked out of the router if the network or TACACS+ server is down.
Command authorization
In addition to using TACACS+ to authorize EXEC (shell) access, you can use it to specify what commands a user can and cannot run. This is done on a per-privilege-level basis, and again, most TACACS+ servers default to no authorization. Therefore, before you turn it on, make sure that the TACACS+ server is set up to allow at least one user authorization to necessary commands such as enable and configure.
Command authorization is set using aaa authorization commands:
Router(config)#aaa authorization commands 1 default group tacacs+ if-authenticated
This line configures the router to use the TACACS+ server to authorize all commands that are run at level 1. To configure the router to use the TACACS+ server to authorize all level 15 commands, you would use:
Router(config)#aaa authorization commands 15 default group tacacs+ if-authenticated
The final if-authenticated is a fail-safe that tells the router, if the TACACS+ server is unavailable, to allow authenticated users to run any command at their current privilege level. This prevents you from being locked out of the router if the TACACS+ server is unreachable.
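The authentication and authorization sections above each add a setting to the configuration, and a saved configuration can be checked against all of them at once: AAA enabled, a default login list with a local fallback, a TACACS+ host and key whenever the list names tacacs+, the method list applied to each line, the if-authenticated fail-safe on authorization commands, type 7 local passwords, and the HTTP server. The Python below is an added example and not code from the book or from Cisco. It reads configuration text offline (no device access); the two sample configurations at the bottom are constructed, and the address, key and password strings in them are placeholders.

```python
import re

# Lines the chapter applies the default login method list to.
EXPECTED_LINES = ("con 0", "aux 0", "vty 0 4")


def parse_config(text):
    """Split config text into top-level commands and the sub-commands of each `line` block."""
    global_cmds, line_blocks = [], {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):             # indented: sub-command of the open block
            if current is not None:
                line_blocks[current].append(raw.strip())
            continue
        current = None
        m = re.match(r"line (\S+(?: \d+)+)$", raw.strip())
        if m:
            current = m.group(1)
            line_blocks.setdefault(current, [])
        global_cmds.append(raw.strip())
    return global_cmds, line_blocks


def audit_aaa(text):
    """Return [(severity, message), ...]; an empty list means every check passed."""
    cmds, blocks = parse_config(text)
    findings = []

    def present(pattern):
        return any(re.match(pattern, c) for c in cmds)

    if not present(r"aaa new-model$"):
        findings.append(("high", "aaa new-model missing: AAA method lists are not in effect"))

    login = [c for c in cmds if c.startswith("aaa authentication login default ")]
    if not login:
        findings.append(("high", "no default login authentication method list"))
    else:
        methods = login[0].split()[4:]      # e.g. ['group', 'tacacs+', 'local']
        if "tacacs+" in methods:
            if not present(r"tacacs-server host "):
                findings.append(("high", "login list uses tacacs+ but no tacacs-server host is defined"))
            if not present(r"tacacs-server key "):
                findings.append(("high", "login list uses tacacs+ but no tacacs-server key is defined"))
        if methods and methods[-1] in ("tacacs+", "radius"):
            findings.append(("medium", "login list has no local/enable fallback: lockout if the server is unreachable"))

    for name in EXPECTED_LINES:
        if "login authentication default" not in blocks.get(name, []):
            findings.append(("low", f"line {name} does not apply 'login authentication default'"))

    for c in cmds:
        if re.match(r"username \S+ password 7 ", c):
            findings.append(("medium", f"reversible type 7 password for user {c.split()[1]}"))
        if c.startswith("aaa authorization ") and not c.endswith(" if-authenticated"):
            findings.append(("medium", f"no if-authenticated fail-safe: {c}"))

    if present(r"ip http server$") and not present(r"ip http authentication aaa$"):
        findings.append(("high", "HTTP server enabled without AAA authentication"))
    return findings


# Constructed sample configs. The address, key and password strings are placeholders.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+
aaa authorization commands 15 default group tacacs+ if-authenticated
username jdoe password 7 0123456789ABCDEF
tacacs-server host 192.0.2.10
ip http server
line con 0
 login authentication default
line aux 0
 login authentication default
line vty 0 4
 login authentication default
"""

# Same configuration with each finding corrected.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "aaa authorization exec default group tacacs+\n",
    "aaa authorization exec default group tacacs+ if-authenticated\n",
).replace(
    "username jdoe password 7 0123456789ABCDEF", "username jdoe secret 5 PLACEHOLDER-HASH",
).replace(
    "tacacs-server host 192.0.2.10\n", "tacacs-server host 192.0.2.10\ntacacs-server key PLACEHOLDER-KEY\n",
).replace("ip http server\n", "")


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit_aaa(cfg))} finding(s)")
        for sev, msg in audit_aaa(cfg):
            print(f"  [{sev}] {msg}")
```

Run against the weak sample it reports four findings (missing tacacs-server key, no fail-safe on the exec authorization line, a type 7 password, and the HTTP server); the hardened sample reports none. The per-line check is deliberately low severity: once aaa new-model is on, the default list applies to lines that name no list, so an explicit login authentication default on each line is the chapter's convention rather than a strict requirement.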
RADIUS Authentication
RADIUS is an access control server protocol developed by Livingston Enterprises and is documented in RFC 2865. While there are proprietary extensions to RADIUS, it is much more interoperable between different vendors than Cisco's TACACS+. However, Cisco still recommends the use of TACACS+ instead of RADIUS for the following reasons:
• RADIUS uses UDP, while TACACS+ uses TCP.
• RADIUS encrypts only the password inside access request packets, while TACACS+ encrypts the entire payload.
• RADIUS combines the authentication and authorization features, while TACACS+ provides methods to separate these two functions.
• TACACS+ has multiprotocol support built in.