Let’s look at a few troubleshooting scenarios relating to AAA in this article.
You have been the network administrator for your organization for a few years running. Before now, you have not had to worry about security, so you have not implemented any security features on your network devices except enable passwords and VTY passwords. However, a recent security attack on your network has resulted in management requiring you to implement more stringent security policies. Therefore, you decided to implement AAA on your Cisco devices and came up with the script shown below:
```
aaa new-model
aaa authentication login VTY_AUTHENTICATION local
aaa authorization exec VTY_AUTHORIZATION local
aaa authentication login default group radius
aaa authorization exec default group radius
username admin secret admin123@
```
You copy this script and paste it on one of your routers to test. According to this script, what authentication and authorization will apply to users that log in via the VTY lines?
John is the network security administrator for his organization and, in order to comply with a security regulation, he wants to enable AAA features in his network environment, beginning with the network devices. The network devices are currently only running with basic network connectivity configuration (e.g., IP addresses, routing protocols). He creates a script to be applied to his devices but wants to test it first in his lab environment. He copies the entire script and pastes it into his test router. This is the script he created:
```
aaa authentication login VTY_AUTHENTICATION local
aaa authorization exec VTY_AUTHORIZATION local
aaa authentication login default group radius
aaa authorization exec default group radius
username admin secret admin123@
line vty 0 4
 login authentication VTY_AUTHENTICATION
 authorization exec VTY_AUTHORIZATION
```
Looking at the script above, what method will be used to authenticate and authorize users that connect remotely?
Matt stumbled on an online blog which discussed AAA on Cisco devices and decided to try it out. He created the following script and successfully applied it on his test router:
```
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username admin secret admin123@
```
He logs out of his router’s console and tries to log back in. From the configuration above, what authentication and authorization will apply to him?
The senior network administrator of your organization wants to test your understanding of AAA and so he asks you this question: “When you enable AAA on a router using only the ‘aaa new-model’ command, without configuring any other AAA features, what is the default behavior for authentication/authorization on the lines?”
In these scenarios, we have explored the internal workings of AAA on Cisco devices. I believe these troubleshooting scenarios really help us to understand a technology because, when things go wrong, we begin to think like the router does so as to understand how the router sees things. Great!
I hope you are enjoying this series; I certainly am. Until the next part, put your troubleshooting skills to use.
These are the types of questions that look too simple to be true, and you keep looking at them to make sure you got it right. Well, there are no tricks here (or maybe not). The names “VTY_AUTHENTICATION” and “VTY_AUTHORIZATION” were used just to test your focus.
Remember that, when AAA method lists are configured, the default method list is applied to any line that does not have an explicitly applied method list. Even though we have configured VTY authentication and authorization method lists in the above scenario, only their names suggest that they are for the VTY lines; they have not actually been applied to the VTY lines. Therefore, remote users will be authenticated (and authorized) via the “group radius” method on the default method lists. Easy enough, right?
C’mon, I wasn’t going to make it that easy. If you said “VTY_AUTHENTICATION” for authentication and “VTY_AUTHORIZATION” for authorization, I’m afraid you are wrong. Look at the configuration again. Something is missing; what is it?
Yes, the “aaa new-model” command is missing. Without that command, AAA features cannot be configured on the router. It means that, when John pastes this configuration into the router, he is going to get errors all the way down (although the username configuration will be accepted).
After the previous scenarios, I’m sure you have become more cautious with these questions. That’s a good thing, right? *grin*
For authentication, the default method list will apply to the console. Therefore, Matt can log in with the admin username. However, for authorization, the default method list will NOT apply to the console; i.e., there will be no console authorization. This is because, without the “aaa authorization console” command, authorization will not be effective (even if applied) on the console line.
This scenario tests your understanding of the foundations of AAA. When AAA is enabled on a router, it changes the way the router (or device in general) deals with authentication.
Username and password authentication using the local database is immediately enabled on the VTY lines even though there is no explicit method list for that. This means that, if you do not have users in your local database, remote connections will fail.
Authorization will NOT use the local database by default. Therefore, even if you have users configured in your local database with privilege levels, those privilege levels will not be used. Look at the snippet below for an example of this behavior.
From the above, you can see that, although the “cisco” username has a privilege level of 15, that user is placed at user EXEC mode upon login and, since this router does not have an enable secret/password configured, the user cannot escalate his privilege level.
The console is unaffected by the above points. This means that there is no authentication or authorization applied to the console line. This will be your saving grace if you forget to add users to your local database.
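To make the rules from the four answers above easy to check, here is a small added Python model (not code from the original article) that reads a pasted IOS AAA script and reports which method applies to the VTY and console lines, using exactly the behaviour described on this page: no “aaa new-model” means the AAA commands are rejected; named lists only count once applied under the line; the default lists cover unassigned lines; “aaa new-model” alone gives the VTY lines local login; and exec authorization reaches the console only with “aaa authorization console”. The function and result keys are assumptions of this example, and an applied list that is never defined is treated as falling back to the default list.

```python
import re

IMPLICIT_VTY_LOGIN = "local"  # what "aaa new-model" alone gives the VTY lines

def _method_lists(lines, kind):
    """Collect method lists of one kind, e.g. 'aaa authentication login NAME methods'."""
    pat = re.compile(rf"aaa {kind} (\S+) (.+)")
    return {m.group(1): m.group(2) for ln in lines if (m := pat.fullmatch(ln))}

def _vty_applied(lines):
    """Return (login list, exec authorization list) applied under 'line vty ...'."""
    applied, in_vty = {}, False
    for ln in lines:
        if ln.startswith("line "):
            in_vty = ln.startswith("line vty")
        elif in_vty:
            if m := re.fullmatch(r"login authentication (\S+)", ln):
                applied["login"] = m.group(1)
            if m := re.fullmatch(r"authorization exec (\S+)", ln):
                applied["exec"] = m.group(1)
    return applied.get("login"), applied.get("exec")

def resolve_aaa(script):
    """Model which AAA method the VTY and console lines end up with."""
    lines = [ln.strip() for ln in script.splitlines() if ln.strip()]
    if "aaa new-model" not in lines:
        # Scenario 2: every AAA command is rejected; only 'username' is accepted.
        return {"aaa_enabled": False}
    login = _method_lists(lines, "authentication login")
    exec_ = _method_lists(lines, "authorization exec")
    vty_login, vty_exec = _vty_applied(lines)
    console_authz_on = "aaa authorization console" in lines
    return {
        "aaa_enabled": True,
        # Applied named list wins; otherwise the default list; with no default
        # login list at all, AAA still demands local login on the VTY lines.
        "vty_auth": login.get(vty_login) or login.get("default", IMPLICIT_VTY_LOGIN),
        "vty_authz": exec_.get(vty_exec) or exec_.get("default", "none"),
        # The console only follows the default login list; authorization needs
        # 'aaa authorization console' before any list takes effect there.
        "console_auth": login.get("default", "none"),
        "console_authz": exec_.get("default", "none") if console_authz_on else "none",
    }
```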