Cisco IOS Security Configuration Guide
Release 12.2

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
[Link]
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

Customer Order Number: DOC-7811747=


Text Part Number: 78-11747-02
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE
PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR
APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of
UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED
“AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED,
INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

AccessPath, AtmDirector, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco
Powered Network logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Fast Step, Follow Me Browsing, FormShare,
FrameShare, GigaStack, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX,
the Networkers logo, Packet, PIX, RateMUX, ScriptBuilder, ScriptShare, SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and
WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, and Empowering
the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco Certified Internetwork Expert logo,
Cisco IOS, the Cisco IOS logo, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub,
FastSwitch, IOS, IP/TV, LightStream, MICA, Network Registrar, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter,
and VCO are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries.

All other brands, names, or trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner
does not imply a partnership relationship between Cisco and any other company. (0102R)

Cisco IOS Security Configuration Guide


Copyright © 2001–2006 Cisco Systems, Inc.
All rights reserved.
CONTENTS

About Cisco IOS Software Documentation xxv

Documentation Objectives xxv

Audience xxv

Documentation Organization xxv


Documentation Modules xxv
Master Indexes xxviii
Supporting Documents and Resources xxviii

New and Changed Information xxix

Document Conventions xxix

Obtaining Documentation xxx


World Wide Web xxx
Documentation CD-ROM xxxi
Ordering Documentation xxxi
Documentation Feedback xxxi

Obtaining Technical Assistance xxxi


[Link] xxxii
Technical Assistance Center xxxii
Contacting TAC by Using the Cisco TAC Website xxxii
Contacting TAC by Telephone xxxiii

Using Cisco IOS Software xxxv


Understanding Command Modes xxxv
Getting Help xxxvi
Example: How to Find Command Options xxxvii

Using the no and default Forms of Commands xxxix

Saving Configuration Changes xl

Filtering Output from the show and more Commands xl

Identifying Supported Platforms xli


Using Feature Navigator xli
Using Software Release Notes xli

Security Overview SC-1

About This Guide SC-1


Authentication, Authorization, and Accounting (AAA) SC-2


Security Server Protocols SC-2


Traffic Filtering and Firewalls SC-3
IP Security and Encryption SC-4
Other Security Features SC-4
Appendixes SC-5
Creating Effective Security Policies SC-6
The Nature of Security Policies SC-6
Two Levels of Security Policies SC-6
Tips for Developing an Effective Security Policy SC-7
Identifying Your Network Assets to Protect SC-7
Determining Points of Risk SC-7
Limiting the Scope of Access SC-7
Identifying Assumptions SC-8
Determining the Cost of Security Measures SC-8
Considering Human Factors SC-8
Keeping a Limited Number of Secrets SC-8
Implementing Pervasive and Scalable Security SC-9
Understanding Typical Network Functions SC-9
Remembering Physical Security SC-9
Identifying Security Risks and Cisco IOS Solutions SC-9
Preventing Unauthorized Access into Networking Devices SC-9
Preventing Unauthorized Access into Networks SC-11
Preventing Network Data Interception SC-12
Preventing Fraudulent Route Updates SC-12

AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING (AAA)

AAA Overview SC-15


In This Chapter SC-15

About AAA Security Services SC-15


Benefits of Using AAA SC-16
AAA Philosophy SC-17
Method Lists SC-17
Where to Begin SC-18
Overview of the AAA Configuration Process SC-19
Enabling AAA SC-19
Disabling AAA SC-20
What to Do Next SC-20


Configuring Authentication SC-21

In This Chapter SC-21

Named Method Lists for Authentication SC-21


Method Lists and Server Groups SC-22
Method List Examples SC-23
AAA Authentication General Configuration Procedure SC-24

AAA Authentication Methods Configuration Task List SC-24


Configuring Login Authentication Using AAA SC-25
Login Authentication Using Enable Password SC-27
Login Authentication Using Kerberos SC-27
Login Authentication Using Line Password SC-27
Login Authentication Using Local Password SC-27
Login Authentication Using Group RADIUS SC-28
Login Authentication Using Group TACACS+ SC-28
Login Authentication Using group group-name SC-28
Configuring PPP Authentication Using AAA SC-29
PPP Authentication Using Kerberos SC-30
PPP Authentication Using Local Password SC-30
PPP Authentication Using Group RADIUS SC-31
PPP Authentication Using Group TACACS+ SC-31
PPP Authentication Using group group-name SC-31
Configuring AAA Scalability for PPP Requests SC-32
Configuring ARAP Authentication Using AAA SC-32
ARAP Authentication Allowing Authorized Guest Logins SC-34
ARAP Authentication Allowing Guest Logins SC-34
ARAP Authentication Using Line Password SC-34
ARAP Authentication Using Local Password SC-34
ARAP Authentication Using Group RADIUS SC-35
ARAP Authentication Using Group TACACS+ SC-35
ARAP Authentication Using Group group-name SC-35
Configuring NASI Authentication Using AAA SC-36
NASI Authentication Using Enable Password SC-37
NASI Authentication Using Line Password SC-37
NASI Authentication Using Local Password SC-37
NASI Authentication Using Group RADIUS SC-38
NASI Authentication Using Group TACACS+ SC-38
NASI Authentication Using group group-name SC-38
Specifying the Amount of Time for Login Input SC-39
Enabling Password Protection at the Privileged Level SC-39


Changing the Text Displayed at the Password Prompt SC-40


Configuring Message Banners for AAA Authentication SC-40
Configuring a Login Banner SC-41
Configuring a Failed-Login Banner SC-41
Configuring AAA Packet of Disconnect SC-42
Enabling Double Authentication SC-42
How Double Authentication Works SC-42
Configuring Double Authentication SC-43
Accessing the User Profile After Double Authentication SC-44
Enabling Automated Double Authentication SC-45
Non-AAA Authentication Methods SC-47
Configuring Line Password Protection SC-47
Establishing Username Authentication SC-48
Enabling CHAP or PAP Authentication SC-49
Enabling PPP Encapsulation SC-50
Enabling PAP or CHAP SC-50
Inbound and Outbound Authentication SC-51
Enabling Outbound PAP Authentication SC-51
Refusing PAP Authentication Requests SC-52
Creating a Common CHAP Password SC-52
Refusing CHAP Authentication Requests SC-52
Delaying CHAP Authentication Until Peer Authenticates SC-53
Using MS-CHAP SC-53
Authentication Examples SC-54
RADIUS Authentication Examples SC-55
TACACS+ Authentication Examples SC-56
Kerberos Authentication Examples SC-57
AAA Scalability Example SC-57
Login and Failed Banner Examples SC-58
AAA Packet of Disconnect Server Key Example SC-59
Double Authentication Examples SC-59
Configuration of the Local Host for AAA with Double Authentication Examples SC-60
Configuration of the AAA Server for First-Stage (PPP) Authentication and Authorization Example SC-60
Configuration of the AAA Server for Second-Stage (Per-User) Authentication and Authorization Examples SC-61
Complete Configuration with TACACS+ Example SC-62
Automated Double Authentication Example SC-65
MS-CHAP Example SC-67


Configuring Authorization SC-69

In This Chapter SC-69

Named Method Lists for Authorization SC-69

AAA Authorization Methods SC-70

Method Lists and Server Groups SC-71

AAA Authorization Types SC-72

AAA Authorization Prerequisites SC-72

AAA Authorization Configuration Task List SC-72


Configuring AAA Authorization Using Named Method Lists SC-73
Authorization Types SC-73
Authorization Methods SC-74
Disabling Authorization for Global Configuration Commands SC-74
Configuring Authorization for Reverse Telnet SC-75
Authorization Attribute-Value Pairs SC-75

Authorization Configuration Examples SC-76


Named Method List Configuration Example SC-76
TACACS+ Authorization Examples SC-77
RADIUS Authorization Example SC-78
Reverse Telnet Authorization Examples SC-78

Configuring Accounting SC-81

In This Chapter SC-81

Named Method Lists for Accounting SC-81


Method Lists and Server Groups SC-83
AAA Accounting Methods SC-84
AAA Accounting Types SC-84
Network Accounting SC-84
Connection Accounting SC-87
EXEC Accounting SC-89
System Accounting SC-90
Command Accounting SC-91
Resource Accounting SC-91
AAA Resource Failure Stop Accounting SC-91
AAA Resource Accounting for Start-Stop Records SC-93

AAA Accounting Enhancements SC-93


AAA Broadcast Accounting SC-94
AAA Session MIB SC-94
AAA Accounting Prerequisites SC-95


AAA Accounting Configuration Task List SC-95


Configuring AAA Accounting Using Named Method Lists SC-96
Accounting Types SC-96
Accounting Record Types SC-97
Accounting Methods SC-97
Suppressing Generation of Accounting Records for Null Username Sessions SC-98
Generating Interim Accounting Records SC-99
Generating Accounting Records for Failed Login or Session SC-99
Specifying Accounting NETWORK-Stop Records Before EXEC-Stop Records SC-99
Configuring AAA Resource Failure Stop Accounting SC-100
Configuring AAA Resource Accounting for Start-Stop Records SC-100
Configuring AAA Broadcast Accounting SC-101
Configuring Per-DNIS AAA Broadcast Accounting SC-101
Configuring AAA Session MIB SC-101
Monitoring Accounting SC-102
Troubleshooting Accounting SC-102
Accounting Attribute-Value Pairs SC-102

Accounting Configuration Examples SC-102


Configuring Named Method List Example SC-103
Configuring AAA Resource Accounting SC-105
Configuring AAA Broadcast Accounting Example SC-105
Configuring Per-DNIS AAA Broadcast Accounting Example SC-106
AAA Session MIB Example SC-106

SECURITY SERVER PROTOCOLS

Configuring RADIUS SC-109

In This Chapter SC-109


About RADIUS SC-109

RADIUS Operation SC-110

RADIUS Configuration Task List SC-111


Configuring Router to RADIUS Server Communication SC-112
Configuring Router to Use Vendor-Specific RADIUS Attributes SC-114
Configuring Router for Vendor-Proprietary RADIUS Server Communication SC-115
Configuring Router to Query RADIUS Server for Static Routes and IP Addresses SC-116
Configuring Router to Expand Network Access Server Port Information SC-116
Configuring AAA Server Groups SC-117
Configuring AAA Server Groups with Deadtime SC-118
Configuring AAA DNIS Authentication SC-119


Configuring AAA Server Group Selection Based on DNIS SC-119


Configuring AAA Preauthentication SC-121
Setting Up the RADIUS Profile for DNIS or CLID Preauthentication SC-122
Setting Up the RADIUS Profile for Call Type Preauthentication SC-123
Setting Up the RADIUS Profile for Preauthentication Enhancements for Callback SC-123
Setting Up the RADIUS Profile for a Remote Host Name Used for Large-Scale Dial-Out SC-124
Setting Up the RADIUS Profile for Modem Management SC-124
Setting Up the RADIUS Profile for Subsequent Authentication SC-124
Setting Up the RADIUS Profile for Subsequent Authentication Type SC-125
Setting Up the RADIUS Profile to Include the Username SC-125
Setting Up the RADIUS Profile for Two-Way Authentication SC-126
Setting Up the RADIUS Profile to Support Authorization SC-126
Configuring a Guard Timer SC-127
Specifying RADIUS Authentication SC-127
Specifying RADIUS Authorization SC-127
Specifying RADIUS Accounting SC-127
Configuring RADIUS Login-IP-Host SC-128
Configuring RADIUS Prompt SC-128
Configuring Suffix and Password in RADIUS Access Requests SC-129
Monitoring and Maintaining RADIUS SC-129

RADIUS Attributes SC-129


Vendor-Proprietary RADIUS Attributes SC-130
RADIUS Tunnel Attributes SC-130
RADIUS Configuration Examples SC-130
RADIUS Authentication and Authorization Example SC-131
RADIUS Authentication, Authorization, and Accounting Example SC-131
Vendor-Proprietary RADIUS Configuration Example SC-132
RADIUS Server with Server-Specific Values Example SC-133
Multiple RADIUS Servers with Global and Server-Specific Values Example SC-133
Multiple RADIUS Server Entries for the Same Server IP Address Example SC-134
RADIUS Server Group Examples SC-134
Multiple RADIUS Server Entries Using AAA Server Groups Example SC-134
AAA Server Group Selection Based on DNIS Example SC-135
AAA Preauthentication Examples SC-136
RADIUS User Profile with RADIUS Tunneling Attributes Example SC-137
Guard Timer Examples SC-138
L2TP Access Concentrator Examples SC-138
L2TP Network Server Examples SC-139


Configuring TACACS+ SC-141

In This Chapter SC-141

About TACACS+ SC-141

TACACS+ Operation SC-142

TACACS+ Configuration Task List SC-143


Identifying the TACACS+ Server Host SC-144
Setting the TACACS+ Authentication Key SC-145
Configuring AAA Server Groups SC-145
Configuring AAA Server Group Selection Based on DNIS SC-146
Specifying TACACS+ Authentication SC-147
Specifying TACACS+ Authorization SC-147
Specifying TACACS+ Accounting SC-148
TACACS+ AV Pairs SC-148

TACACS+ Configuration Examples SC-148


TACACS+ Authentication Examples SC-148
TACACS+ Authorization Example SC-150
TACACS+ Accounting Example SC-151
TACACS+ Server Group Example SC-151
AAA Server Group Selection Based on DNIS Example SC-151
TACACS+ Daemon Configuration Example SC-152

Configuring Kerberos SC-153

In This Chapter SC-153

About Kerberos SC-153

Kerberos Client Support Operation SC-155


Authenticating to the Boundary Router SC-155
Obtaining a TGT from a KDC SC-156
Authenticating to Network Services SC-156
Kerberos Configuration Task List SC-157
Configuring the KDC Using Kerberos Commands SC-157
Adding Users to the KDC Database SC-158
Creating SRVTABs on the KDC SC-158
Extracting SRVTABs SC-159
Configuring the Router to Use the Kerberos Protocol SC-159
Defining a Kerberos Realm SC-160
Copying SRVTAB Files SC-160
Specifying Kerberos Authentication SC-161
Enabling Credentials Forwarding SC-161
Opening a Telnet Session to the Router SC-162


Establishing an Encrypted Kerberized Telnet Session SC-162


Enabling Mandatory Kerberos Authentication SC-163
Enabling Kerberos Instance Mapping SC-163
Monitoring and Maintaining Kerberos SC-164
Kerberos Configuration Examples SC-164
Kerberos Realm Definition Examples SC-164
SRVTAB File Copying Example SC-164
Kerberos Configuration Examples SC-164
Encrypted Telnet Session Example SC-174

TRAFFIC FILTERING AND FIREWALLS

Access Control Lists: Overview and Guidelines SC-177

In This Chapter SC-177

About Access Control Lists SC-177


What Access Lists Do SC-177
Why You Should Configure Access Lists SC-178
When to Configure Access Lists SC-178
Basic Versus Advanced Access Lists SC-179
Overview of Access List Configuration SC-179
Creating Access Lists SC-179
Assigning a Unique Name or Number to Each Access List SC-180
Defining Criteria for Forwarding or Blocking Packets SC-181
Creating and Editing Access List Statements on a TFTP Server SC-182
Applying Access Lists to Interfaces SC-182
Finding Complete Configuration and Command Information for Access Lists SC-182

Cisco IOS Firewall Overview SC-185


About Firewalls SC-185

The Cisco IOS Firewall Solution SC-185


The Cisco IOS Firewall Feature Set SC-186
Creating a Customized Firewall SC-186

Other Guidelines for Configuring Your Firewall SC-190

Configuring Lock-and-Key Security (Dynamic Access Lists) SC-193

In This Chapter SC-193

About Lock-and-Key SC-194


Benefits of Lock-and-Key SC-194
When to Use Lock-and-Key SC-194
How Lock-and-Key Works SC-195


Compatibility with Releases Before Cisco IOS Release 11.1 SC-195

Risk of Spoofing with Lock-and-Key SC-196

Router Performance Impacts with Lock-and-Key SC-196

Prerequisites to Configuring Lock-and-Key SC-196

Configuring Lock-and-Key SC-197


Lock-and-Key Configuration Guidelines SC-198
Dynamic Access Lists SC-198
Lock-and-Key Authentication SC-198
The autocommand Command SC-199
Verifying Lock-and-Key Configuration SC-200

Maintaining Lock-and-Key SC-200


Displaying Dynamic Access List Entries SC-200
Manually Deleting Dynamic Access List Entries SC-201
Lock-and-Key Configuration Examples SC-201
Lock-and-Key with Local Authentication Example SC-201
Lock-and-Key with TACACS+ Authentication Example SC-202

Configuring IP Session Filtering (Reflexive Access Lists) SC-203

In This Chapter SC-203

About Reflexive Access Lists SC-203


Benefits of Reflexive Access Lists SC-204
What Is a Reflexive Access List? SC-204
How Reflexive Access Lists Implement Session Filtering SC-204
With Basic Access Lists SC-204
With Reflexive Access Lists SC-205
Where to Configure Reflexive Access Lists SC-205
How Reflexive Access Lists Work SC-205
Temporary Access List Entry Characteristics SC-205
When the Session Ends SC-206
Restrictions on Using Reflexive Access Lists SC-206
Prework: Before You Configure Reflexive Access Lists SC-206
Choosing an Interface: Internal or External SC-207
Reflexive Access Lists Configuration Task List SC-208
External Interface Configuration Task List SC-208
Internal Interface Configuration Task List SC-208
Defining the Reflexive Access List(s) SC-209
Mixing Reflexive Access List Statements with Other Permit and Deny Entries SC-209
Nesting the Reflexive Access List(s) SC-210
Setting a Global Timeout Value SC-211


Reflexive Access List Configuration Examples SC-211


External Interface Configuration Example SC-211
Internal Interface Configuration Example SC-213

Configuring TCP Intercept (Preventing Denial-of-Service Attacks) SC-215

In This Chapter SC-215

About TCP Intercept SC-215

TCP Intercept Configuration Task List SC-216


Enabling TCP Intercept SC-216
Setting the TCP Intercept Mode SC-217
Setting the TCP Intercept Drop Mode SC-217
Changing the TCP Intercept Timers SC-217
Changing the TCP Intercept Aggressive Thresholds SC-218
Monitoring and Maintaining TCP Intercept SC-219
TCP Intercept Configuration Example SC-219

Configuring Context-Based Access Control SC-221

In This Chapter SC-221

About Context-Based Access Control SC-221


What CBAC Does SC-222
Traffic Filtering SC-222
Traffic Inspection SC-222
Alerts and Audit Trails SC-223
Intrusion Detection SC-223
What CBAC Does Not Do SC-224
How CBAC Works SC-224
How CBAC Works—Overview SC-224
How CBAC Works—Details SC-225
When and Where to Configure CBAC SC-227
The CBAC Process SC-227
Supported Protocols SC-228
CBAC Supported Protocols SC-228
RTSP and H.323 Protocol Support for Multimedia Applications SC-229
Restrictions SC-231
FTP Traffic and CBAC SC-231
IPSec and CBAC Compatibility SC-231
Memory and Performance Impact SC-231
CBAC Configuration Task List SC-232
Picking an Interface: Internal or External SC-232
Configuring IP Access Lists at the Interface SC-234


Basic Configuration SC-234


External Interface SC-236
Internal Interface SC-236
Configuring Global Timeouts and Thresholds SC-236
Half-Open Sessions SC-238
Defining an Inspection Rule SC-238
Configuring Application-Layer Protocol Inspection SC-238
Configuring Generic TCP and UDP Inspection SC-241
Applying the Inspection Rule to an Interface SC-242
Configuring Logging and Audit Trail SC-242
Other Guidelines for Configuring a Firewall SC-243
Verifying CBAC SC-244
RTSP with RDT SC-245
RTSP with TCP Only (Interleaved Mode) SC-245
RTSP with SMIL SC-246
RTSP with RTP (IP/TV) SC-246
H.323 V2 SC-247
Monitoring and Maintaining CBAC SC-247
Debugging Context-Based Access Control SC-248
Generic Debug Commands SC-248
Transport Level Debug Commands SC-249
Application Protocol Debug Commands SC-249
Interpreting Syslog and Console Messages Generated by CBAC SC-250
Denial-of-Service Attack Detection Error Messages SC-250
SMTP Attack Detection Error Messages SC-250
Java Blocking Error Messages SC-251
FTP Error Messages SC-251
Audit Trail Messages SC-251
Turning Off CBAC SC-252
CBAC Configuration Examples SC-252
Ethernet Interface Configuration Example SC-253
ATM Interface Configuration Example SC-253
Remote Office to ISP Configuration Example SC-255
Remote Office to Branch Office Configuration Example SC-257
Two-Interface Branch Office Configuration Example SC-260
Multiple-Interface Branch Office Configuration Example SC-263

Configuring Cisco IOS Firewall Intrusion Detection System SC-271

In This Chapter SC-271

About the Firewall Intrusion Detection System SC-271


Interaction with Cisco IOS Firewall Default Parameters SC-272


Compatibility with Cisco Secure Intrusion Detection SC-273
Functional Description SC-273
When to Use Cisco IOS Firewall IDS SC-274
Memory and Performance Impact SC-275
Cisco IOS Firewall IDS Signature List SC-275
Cisco IOS Firewall IDS Configuration Task List SC-280
Initializing Cisco IOS Firewall IDS SC-281
Initializing the Post Office SC-281
Configuring and Applying Audit Rules SC-283
Verifying the Configuration SC-285
Monitoring and Maintaining Cisco IOS Firewall IDS SC-285

Cisco IOS Firewall IDS Configuration Examples SC-286


Cisco IOS Firewall IDS Reporting to Two Directors Example SC-286
Adding an ACL to the Audit Rule Example SC-287
Disabling a Signature Example SC-287
Adding an ACL to Signatures Example SC-288
Dual-Tier Signature Response Example SC-288

Configuring Authentication Proxy SC-291

In This Chapter SC-291

About Authentication Proxy SC-291


How the Authentication Proxy Works SC-292
Secure Authentication SC-294
Operation with JavaScript SC-294
Operation Without JavaScript SC-294
Using the Authentication Proxy SC-295
When to Use the Authentication Proxy SC-296
Applying the Authentication Proxy SC-297
Operation with One-Time Passwords SC-298
Compatibility with Other Security Features SC-298
NAT Compatibility SC-298
CBAC Compatibility SC-299
VPN Client Compatibility SC-299
Compatibility with AAA Accounting SC-299
Protection Against Denial-of-Service Attacks SC-300
Risk of Spoofing with Authentication Proxy SC-300
Comparison with the Lock-and-Key Feature SC-300
Restrictions SC-301
Prerequisites to Configuring Authentication Proxy SC-301


Authentication Proxy Configuration Task List SC-301


Configuring AAA SC-302
Configuring the HTTP Server SC-303
Configuring the Authentication Proxy SC-303
Verifying the Authentication Proxy SC-304
Checking the Authentication Proxy Configuration SC-305
Establishing User Connections with JavaScript SC-305
Establishing User Connections Without JavaScript SC-306
Monitoring and Maintaining the Authentication Proxy SC-307
Displaying Dynamic ACL Entries SC-307
Deleting Authentication Proxy Cache Entries SC-308
Authentication Proxy Configuration Examples SC-308
Authentication Proxy Configuration Example SC-309
AAA Configuration Example SC-309
HTTP Server Configuration Example SC-309
Authentication Proxy Configuration Example SC-309
Interface Configuration Example SC-309
Authentication Proxy, IPSec, and CBAC Configuration Example SC-310
Router 1 Configuration Example SC-311
Router 2 Configuration Example SC-311
Authentication Proxy, IPSec, NAT, and CBAC Configuration Example SC-314
Router 1 Configuration Example SC-314
Router 2 Configuration Example SC-315
AAA Server User Profile Example SC-317
CiscoSecure ACS 2.3 for Windows NT SC-318
CiscoSecure ACS 2.3 for UNIX SC-319
TACACS+ Server SC-320
Livingston Radius Server SC-320
Ascend Radius Server SC-321

Configuring Port to Application Mapping SC-323

In This Chapter SC-323

About Port to Application Mapping SC-323


How PAM Works SC-324
System-Defined Port Mapping SC-324
User-Defined Port Mapping SC-325
Host-Specific Port Mapping SC-326
PAM and CBAC SC-326
When to Use PAM SC-326
PAM Configuration Task List SC-326


Configuring Standard ACLs SC-327


Configuring PAM SC-327
Verifying PAM SC-327
Monitoring and Maintaining PAM SC-328

PAM Configuration Examples SC-328


Mapping an Application to a Non-Standard Port Example SC-328
Mapping an Application with a Port Range Example SC-328
Invalid Port Mapping Entry Example SC-328
Mapping an Application to a Port for a Specific Host Example SC-329
Mapping an Application to a Port for a Subnet Example SC-329
Overriding a System-Defined Port Mapping Example SC-329
Mapping Different Applications to the Same Port Example SC-329

IP SECURITY AND ENCRYPTION

IP Security and Encryption Overview SC-333

IPSec Network Security SC-333


IPSec Encryption Technology SC-333

Certification Authority Interoperability SC-334

Internet Key Exchange Security Protocol SC-334

Configuring IPSec Network Security SC-335

In This Chapter SC-336

About IPSec SC-336


Supported Standards SC-336
List of Terms SC-337
Supported Hardware, Switching Paths, and Encapsulation SC-339
Supported Hardware SC-339
Supported Switching Paths SC-339
Supported Encapsulation SC-340
Restrictions SC-340
Overview of How IPSec Works SC-341
Nesting of IPSec Traffic to Multiple Peers SC-342
Prerequisites SC-342
IPSec Configuration Task List SC-342
Ensuring That Access Lists Are Compatible with IPSec SC-343
Setting Global Lifetimes for IPSec Security Associations SC-343
How These Lifetimes Work SC-344
Creating Crypto Access Lists SC-344


Crypto Access List Tips SC-345


Defining Mirror Image Crypto Access Lists at Each IPSec Peer SC-347
Using the any Keyword in Crypto Access Lists SC-348
Defining Transform Sets SC-348
Creating Crypto Map Entries SC-350
About Crypto Maps SC-350
Load Sharing SC-351
How Many Crypto Maps Should You Create? SC-351
Creating Crypto Map Entries to Establish Manual Security Associations SC-352
Creating Crypto Map Entries that Use IKE to Establish Security Associations SC-353
Creating Dynamic Crypto Maps SC-354
Applying Crypto Map Sets to Interfaces SC-357
Monitoring and Maintaining IPSec SC-358
IPSec Configuration Example SC-359

Configuring Certification Authority Interoperability SC-361

In This Chapter SC-361

About CA Interoperability SC-362


Supported Standards SC-362
Restrictions SC-363
Prerequisites SC-363
About Certification Authorities SC-363
Purpose of CAs SC-363
Implementing IPSec Without CAs SC-364
Implementing IPSec with CAs SC-365
Implementing IPSec with Multiple Root CAs SC-366
How CA Certificates Are Used by IPSec Devices SC-366
About Registration Authorities SC-366
CA Interoperability Configuration Task Lists SC-367
Managing NVRAM Memory Usage SC-367
Configuring the Router's Host Name and IP Domain Name SC-368
Generating an RSA Key Pair SC-369
Declaring a Certification Authority SC-369
Configuring a Root CA (Trusted Root) SC-370
Authenticating the CA SC-371
Requesting Your Own Certificates SC-371
Saving Your Configuration SC-372
Monitoring and Maintaining Certification Authority Interoperability SC-372
Requesting a Certificate Revocation List SC-372
Querying a Certificate Revocation List SC-373


Deleting RSA Keys from Your Router SC-373


Deleting a Peer’s Public Keys SC-374
Deleting Certificates from the Configuration SC-374
Viewing Keys and Certificates SC-375
What to Do Next SC-375

CA Interoperability Configuration Examples SC-376


Multiple CAs Configuration Examples SC-378

Configuring Internet Key Exchange Security Protocol SC-379

In This Chapter SC-379

About IKE SC-380


Supported Standards SC-380
List of Terms SC-381
IKE Aggressive Mode Behavior SC-382

IKE Configuration Task List SC-383


Enabling or Disabling IKE SC-383
Ensuring That Access Lists Are Compatible with IKE SC-384
Creating IKE Policies SC-384
Why Do You Need to Create These Policies? SC-384
What Parameters Do You Define in a Policy? SC-385
How Do IKE Peers Agree upon a Matching Policy? SC-385
Which Value Should You Select for Each Parameter? SC-386
Creating Policies SC-387
Additional Configuration Required for IKE Policies SC-387
Manually Configuring RSA Keys SC-388
Generating RSA Keys SC-389
Setting ISAKMP Identity SC-389
Specifying RSA Public Keys of All the Other Peers SC-390
Configuring Preshared Keys SC-391
Configuring Mask Preshared Keys SC-391
Configuring Preshared Keys Using a AAA Server SC-392
Configuring Internet Key Exchange Mode Configuration SC-393
Configuring Internet Key Exchange Extended Authentication (Xauth) SC-394
Configuring Tunnel Endpoint Discovery (TED) SC-395
TED Versions SC-396
TED Restrictions SC-397
Clearing IKE Connections SC-398
Troubleshooting IKE SC-398
What To Do Next SC-398

IKE Configuration Examples SC-398


Creating IKE Policies Examples SC-399
Configuring Preshared Keys Using a AAA Server Example SC-399
Configuring IKE Extended Authentication (Xauth) Examples SC-400
Configuring Xauth with Static Crypto Map Example SC-400
Configuring Xauth with Dynamic Crypto Map Example SC-400

OTHER SECURITY FEATURES

Configuring Passwords and Privileges SC-405

In This Chapter SC-405

Protecting Access to Privileged EXEC Commands SC-405


Setting or Changing a Static Enable Password SC-406
Protecting Passwords with Enable Password and Enable Secret SC-406
Setting or Changing a Line Password SC-407
Encrypting Passwords SC-407
Configuring Multiple Privilege Levels SC-408
Setting the Privilege Level for a Command SC-408
Changing the Default Privilege Level for Lines SC-409
Displaying Current Privilege Levels SC-409
Logging In to a Privilege Level SC-409
Recovering a Lost Enable Password SC-409
Password Recovery Process SC-410
Password Recovery Procedure 1 SC-411
Password Recovery Procedure 2 SC-412
Recovering a Lost Line Password SC-414

Configuring Identification Support SC-415


Passwords and Privileges Configuration Examples SC-416
Multiple Levels of Privileges Examples SC-416
Allowing Users to Clear Lines Examples SC-416
Defining an Enable Password for System Operators Examples SC-416
Disabling a Privilege Level Example SC-417
Username Examples SC-417

Neighbor Router Authentication: Overview and Guidelines SC-419

In This Chapter SC-419

About Neighbor Authentication SC-419


Benefits of Neighbor Authentication SC-419
Protocols That Use Neighbor Authentication SC-420

When to Configure Neighbor Authentication SC-420

How Neighbor Authentication Works SC-420


Plain Text Authentication SC-421
MD5 Authentication SC-421
Key Management (Key Chains) SC-422

Finding Neighbor Authentication Configuration Information SC-423

Configuring IP Security Options SC-425

In This Chapter SC-425

IPSO Configuration Task List SC-425


Configuring Basic IP Security Options SC-426
Enabling IPSO and Setting the Security Classifications SC-426
Specifying How IP Security Options Are Processed SC-426
Configuring Extended IP Security Options SC-427
Configuring Global Default Settings SC-428
Attaching ESOs to an Interface SC-428
Attaching AESOs to an Interface SC-428
Configuring the DNSIX Audit Trail Facility SC-428
Enabling the DNSIX Audit Trail Facility SC-429
Specifying Hosts to Receive Audit Trail Messages SC-429
Specifying Transmission Parameters SC-429
IPSO Configuration Examples SC-430
Example 1 SC-430
Example 2 SC-431
Example 3 SC-431

Configuring Unicast Reverse Path Forwarding SC-433


In This Chapter SC-433

About Unicast Reverse Path Forwarding SC-433


How Unicast RPF Works SC-434
Access Control Lists and Logging SC-435
Per-Interface Statistics SC-435
Implementing Unicast RPF SC-437
Security Policy and Unicast RPF SC-438
Where to Use Unicast RPF SC-438
Routing Table Requirements SC-441
Where Not to Use Unicast RPF SC-441
Unicast RPF with BOOTP and DHCP SC-442
Restrictions SC-442
Related Features and Technologies SC-443

Prerequisites to Configuring Unicast RPF SC-444

Unicast RPF Configuration Task List SC-444


Configuring Unicast RPF SC-444
Verifying Unicast RPF SC-446
Troubleshooting Tips SC-446
HSRP Failure SC-446
Dropped Boot Requests SC-446
Monitoring and Maintaining Unicast RPF SC-447

Unicast RPF Configuration Examples SC-448


Unicast RPF on a Leased-Line Aggregation Router Example SC-448
Unicast RPF on the Cisco AS5800 Using Dialup Ports Example SC-448
Unicast RPF with Inbound and Outbound Filters Example SC-449
Unicast RPF with ACLs and Logging Example SC-449

Configuring Secure Shell SC-451

In This Chapter SC-451

About Secure Shell SC-451


How SSH Works SC-452
SSH Server SC-452
SSH Integrated Client SC-452
Restrictions SC-452
Related Features and Technologies SC-453
Prerequisites to Configuring SSH SC-453
SSH Configuration Task List SC-454
Configuring SSH Server SC-454
Verifying SSH SC-455
Troubleshooting Tips SC-456
Monitoring and Maintaining SSH SC-456

SSH Configuration Examples SC-456


SSH on a Cisco 7200 Series Router Example SC-457
SSH on a Cisco 7500 Series Router Example SC-458
SSH on a Cisco 1200 Gigabit Switch Router Example SC-460

APPENDIXES

RADIUS Attributes Overview SC-465

In This Appendix SC-465

RADIUS Attributes Overview SC-465
IETF Attributes Versus VSAs SC-465
RADIUS Packet Format SC-466
RADIUS Packet Types SC-467
RADIUS Files SC-467
Dictionary File SC-467
Clients File SC-468
Users File SC-468
Supporting Documentation SC-469
RADIUS IETF Attributes SC-469
Supported RADIUS IETF Attributes SC-469
Comprehensive List of RADIUS Attribute Descriptions SC-472

Vendor-Proprietary RADIUS Attributes SC-481
Supported Vendor-Proprietary RADIUS Attributes SC-481
Comprehensive List of Vendor-Proprietary RADIUS Attribute Descriptions SC-486

RADIUS Vendor-Specific Attributes (VSA) SC-493

RADIUS Disconnect-Cause Attribute Values SC-499

TACACS+ Attribute-Value Pairs SC-503

How to Use This Appendix SC-503

TACACS+ Authentication and Authorization AV Pairs SC-503

TACACS+ Accounting AV Pairs SC-512

INDEX

About Cisco IOS Software Documentation

This chapter discusses the objectives, audience, organization, and conventions of Cisco IOS software
documentation. It also provides sources for obtaining documentation from Cisco Systems.

Documentation Objectives
Cisco IOS software documentation describes the tasks and commands necessary to configure and
maintain Cisco networking devices.

Audience
The Cisco IOS software documentation set is intended primarily for users who configure and maintain
Cisco networking devices (such as routers and switches) but who may not be familiar with the tasks,
the relationship between tasks, or the Cisco IOS software commands necessary to perform particular
tasks. The Cisco IOS software documentation set is also intended for those users experienced with
Cisco IOS software who need to know about new features, new configuration options, and new software
characteristics in the current Cisco IOS software release.

Documentation Organization
The Cisco IOS software documentation set consists of documentation modules and master indexes. In
addition to the main documentation set, there are supporting documents and resources.

Documentation Modules
The Cisco IOS documentation modules consist of configuration guides and corresponding command
reference publications. Chapters in a configuration guide describe protocols, configuration tasks, and
Cisco IOS software functionality and contain comprehensive configuration examples. Chapters in a
command reference publication provide complete Cisco IOS command syntax information. Use each
configuration guide in conjunction with its corresponding command reference publication.

Figure 1 shows the Cisco IOS software documentation modules.

Note The abbreviations (for example, FC and FR) next to the book icons are page designators,
which are defined in a key in the index of each document to help you with navigation. The
bullets under each module list the major technology areas discussed in the corresponding
books.

Figure 1 Cisco IOS Software Documentation Modules

Module FC/FR: Cisco IOS Configuration Fundamentals Configuration Guide (FC) and Cisco IOS Configuration Fundamentals Command Reference (FR)
• Cisco IOS User Interfaces
• File Management
• System Management

Module IPC/IP1R/IP2R/IP3R: Cisco IOS IP Configuration Guide (IPC); Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services (IP1R); Volume 2 of 3: Routing Protocols (IP2R); Volume 3 of 3: Multicast (IP3R)
• IP Addressing and Services
• IP Routing Protocols
• IP Multicast

Module P2C/P2R: Cisco IOS AppleTalk and Novell IPX Configuration Guide (P2C) and Cisco IOS AppleTalk and Novell IPX Command Reference (P2R)
• AppleTalk
• Novell IPX

Module P3C/P3R: Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS Configuration Guide (P3C) and Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS Command Reference (P3R)
• Apollo Domain
• Banyan VINES
• DECnet
• ISO CLNS
• XNS

Module WC/WR: Cisco IOS Wide-Area Networking Configuration Guide (WC) and Cisco IOS Wide-Area Networking Command Reference (WR)
• ATM
• Broadband Access
• Frame Relay
• SMDS
• X.25 and LAPB

Module IC/IR: Cisco IOS Interface Configuration Guide (IC) and Cisco IOS Interface Command Reference (IR)
• LAN Interfaces
• Serial Interfaces
• Logical Interfaces

Module MWC/MWR: Cisco IOS Mobile Wireless Configuration Guide (MWC) and Cisco IOS Mobile Wireless Command Reference (MWR)
• General Packet Radio Service

Module SC/SR: Cisco IOS Security Configuration Guide (SC) and Cisco IOS Security Command Reference (SR)
• AAA Security Services
• Security Server Protocols
• Traffic Filtering and Firewalls
• IP Security and Encryption
• Passwords and Privileges
• Neighbor Router Authentication
• IP Security Options
• Supported AV Pairs

Module DC/DR: Cisco IOS Dial Technologies Configuration Guide (DC) and Cisco IOS Dial Technologies Command Reference (DR)
• Preparing for Dial Access
• Modem and Dial Shelf Configuration and Management
• ISDN Configuration
• Signalling Configuration
• Dial-on-Demand Routing Configuration
• Dial-Backup Configuration
• Dial-Related Addressing Services
• Virtual Templates, Profiles, and Networks
• PPP Configuration
• Callback and Bandwidth Allocation Configuration
• Dial Access Specialized Features
• Dial Access Scenarios

Module TC/TR: Cisco IOS Terminal Services Configuration Guide (TC) and Cisco IOS Terminal Services Command Reference (TR)
• ARA
• LAT
• NASI
• Telnet
• TN3270
• XRemote
• X.28 PAD
• Protocol Translation

Module BC/B1R: Cisco IOS Bridging and IBM Networking Configuration Guide (BC) and Cisco IOS Bridging and IBM Networking Command Reference, Volume 1 of 2 (B1R)
• Transparent Bridging
• SRB
• Token Ring Inter-Switch Link
• Token Ring Route Switch Module
• RSRB
• DLSw+
• Serial Tunnel and Block Serial Tunnel
• LLC2 and SDLC
• IBM Network Media Translation
• SNA Frame Relay Access
• NCIA Client/Server
• Airline Product Set

Module BC/B2R: Cisco IOS Bridging and IBM Networking Configuration Guide (BC) and Cisco IOS Bridging and IBM Networking Command Reference, Volume 2 of 2 (B2R)
• DSPU and SNA Service Point
• SNA Switching Services
• Cisco Transaction Connection
• Cisco Mainframe Channel Connection
• CLAW and TCP/IP Offload
• CSNA, CMPC, and CMPC+
• TN3270 Server

Module VC/VR: Cisco IOS Voice, Video, and Fax Configuration Guide (VC) and Cisco IOS Voice, Video, and Fax Command Reference (VR)
• Voice over IP
• Call Control Signalling
• Voice over Frame Relay
• Voice over ATM
• Telephony Applications
• Trunk Management
• Fax, Video, and Modem Support

Module QC/QR: Cisco IOS Quality of Service Solutions Configuration Guide (QC) and Cisco IOS Quality of Service Solutions Command Reference (QR)
• Packet Classification
• Congestion Management
• Congestion Avoidance
• Policing and Shaping
• Signalling
• Link Efficiency Mechanisms

Module XC/XR: Cisco IOS Switching Services Configuration Guide (XC) and Cisco IOS Switching Services Command Reference (XR)
• Cisco IOS Switching Paths
• NetFlow Switching
• Multiprotocol Label Switching
• Multilayer Switching
• Multicast Distributed Switching
• Virtual LANs
• LAN Emulation

Master Indexes
Two master indexes provide indexing information for the Cisco IOS software documentation set:
an index for the configuration guides and an index for the command references. Individual books also
contain a book-specific index.
The master indexes provide a quick way for you to find a command when you know the command name
but not which module contains the command. When you use the online master indexes, you can click
the page number for an index entry and go to that page in the online document.

Supporting Documents and Resources


The following documents and resources support the Cisco IOS software documentation set:
• Cisco IOS Command Summary (three volumes)—This publication explains the function and syntax
of the Cisco IOS software commands. For more information about defaults and usage guidelines,
refer to the Cisco IOS command reference publications.
• Cisco IOS System Error Messages—This publication lists and describes Cisco IOS system error
messages. Not all system error messages indicate problems with your system. Some are purely
informational, and others may help diagnose problems with communications lines, internal
hardware, or the system software.
• Cisco IOS Debug Command Reference—This publication contains an alphabetical listing of the
debug commands and their descriptions. Documentation for each command includes a brief
description of its use, command syntax, usage guidelines, and sample output.
• Dictionary of Internetworking Terms and Acronyms—This Cisco publication compiles and defines
the terms and acronyms used in the internetworking industry.
• New feature documentation—The Cisco IOS software documentation set documents the mainline
release of Cisco IOS software (for example, Cisco IOS Release 12.2). New software features are
introduced in early deployment releases (for example, the Cisco IOS “T” release train for 12.2,
12.2(x)T). Documentation for these new features can be found in standalone documents called
“feature modules.” Feature module documentation describes new Cisco IOS software and hardware
networking functionality and is available on [Link] and the Documentation CD-ROM.
• Release notes—This documentation describes system requirements, provides information about
new and changed features, and includes other useful information about specific software releases.
See the section “Using Software Release Notes” in the chapter “Using Cisco IOS Software” for
more information.
• Caveats documentation—This documentation provides information about Cisco IOS software
defects in specific software releases.
• RFCs—RFCs are standards documents maintained by the Internet Engineering Task Force (IETF).
Cisco IOS software documentation references supported RFCs when applicable. The full text of
referenced RFCs may be obtained on the World Wide Web at [Link]
• MIBs—MIBs are used for network monitoring. For lists of supported MIBs by platform and
release, and to download MIB files, see the Cisco MIB website on [Link] at
[Link]

New and Changed Information


The following is new or changed information since the last release of the Cisco IOS Security
Configuration Guide:
• A new chapter titled “Configuring Secure Shell” has been added to the section “Other Security
Features.” This chapter describes SSH, which consists of a protocol and an application that together
provide a secure replacement for the Berkeley r-tools.
• The “RADIUS Attributes” appendix has been expanded to include attribute information such as a
RADIUS packet format description and RADIUS files. For more information, refer to the RADIUS
Attributes appendix at the end of the book.
• The chapter titled “Configuring Cisco Encryption Technology” has been deleted from the section
“IP Security and Encryption.” This functionality is no longer supported. For information regarding
CET configuration, refer to Cisco IOS Security Configuration Guide release 12.1 or earlier.

Document Conventions
Within Cisco IOS software documentation, the term router is generally used to refer to a variety of Cisco
products (for example, routers, access servers, and switches). Routers, access servers, and other
networking devices that support Cisco IOS software are shown interchangeably within examples. These
products are used only for illustrative purposes; that is, an example that shows one product does not
necessarily indicate that other products are not supported.
The Cisco IOS documentation set uses the following conventions:

Convention: ^ or Ctrl
Description: The ^ and Ctrl symbols represent the Control key. For example, the key combination ^D or Ctrl-D means hold down the Control key while you press the D key. Keys are indicated in capital letters but are not case sensitive.

Convention: string
Description: A string is a nonquoted set of characters shown in italics. For example, when setting an SNMP community string to public, do not use quotation marks around the string or the string will include the quotation marks.

Command syntax descriptions use the following conventions:

Convention Description
boldface Boldface text indicates commands and keywords that you enter literally as shown.
italics Italic text indicates arguments for which you supply values.
[x] Square brackets enclose an optional element (keyword or argument).
| A vertical line indicates a choice within an optional or required set of keywords or arguments.
[x | y] Square brackets enclosing keywords or arguments separated by a vertical line indicate an optional
choice.
{x | y} Braces enclosing keywords or arguments separated by a vertical line indicate a required choice.

Nested sets of square brackets or braces indicate optional or required choices within optional or
required elements. For example:

Convention Description
[x {y | z}] Braces and a vertical line within square brackets indicate a required choice within an optional element.

Examples use the following conventions:

Convention Description
screen Examples of information displayed on the screen are set in Courier font.
boldface screen Examples of text that you must enter are set in Courier bold font.
< > Angle brackets enclose text that is not printed to the screen, such as passwords.
! An exclamation point at the beginning of a line indicates a comment line. (Exclamation points are also
displayed by the Cisco IOS software for certain processes.)
[ ] Square brackets enclose default responses to system prompts.

The following conventions are used to attract the attention of the reader:

Caution Means reader be careful. In this situation, you might do something that could result in
equipment damage or loss of data.

Note Means reader take note. Notes contain helpful suggestions or references to materials not
contained in this manual.

Timesaver Means the described action saves time. You can save time by performing the action
described in the paragraph.

Obtaining Documentation
The following sections provide sources for obtaining documentation from Cisco Systems.

World Wide Web


The most current Cisco documentation is available on the World Wide Web at the following website:
[Link]
Translated documentation is available at the following website:
[Link]

Documentation CD-ROM
Cisco documentation and additional literature are available in a CD-ROM package, which ships
with your product. The Documentation CD-ROM is updated monthly and may be more current than
printed documentation. The CD-ROM package is available as a single unit or through an
annual subscription.

Ordering Documentation
Cisco documentation can be ordered in the following ways:
• Registered Cisco Direct Customers can order Cisco product documentation from the Networking
Products MarketPlace:
[Link]
• Registered [Link] users can order the Documentation CD-ROM through the online
Subscription Store:
[Link]
• Nonregistered [Link] users can order documentation through a local account representative by
calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by
calling 800 553-NETS(6387).

Documentation Feedback
If you are reading Cisco product documentation on the World Wide Web, you can submit technical
comments electronically. Click Feedback in the toolbar and select Documentation. After you complete
the form, click Submit to send it to Cisco.
You can e-mail your comments to bug-doc@[Link].
To submit your comments by mail, use the response card behind the front cover of your document, or
write to the following address:
Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.

Obtaining Technical Assistance


Cisco provides [Link] as a starting point for all technical assistance. Customers and partners can
obtain documentation, troubleshooting tips, and sample configurations from online tools. For
[Link] registered users, additional troubleshooting tools are available from the TAC website.

[Link]
[Link] is the foundation of a suite of interactive, networked services that provides immediate, open
access to Cisco information and resources at anytime, from anywhere in the world. This highly
integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
[Link] provides a broad range of features and services to help customers and partners streamline
business processes and improve productivity. Through [Link], you can find information about Cisco
and our networking solutions, services, and programs. In addition, you can resolve technical issues with
online technical support, download and test software packages, and order Cisco learning materials and
merchandise. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on [Link] to obtain additional personalized information
and services. Registered users can order products, check on the status of an order, access technical
support, and view benefits specific to their relationships with Cisco.
To access [Link], go to the following website:
[Link]

Technical Assistance Center


The Cisco TAC website is available to all customers who need technical assistance with a Cisco product
or technology that is under warranty or covered by a maintenance contract.

Contacting TAC by Using the Cisco TAC Website


If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC
website:
[Link]
P3 and P4 level problems are defined as follows:
• P3—Your network performance is degraded. Network functionality is noticeably impaired, but
most business operations continue.
• P4—You need information or assistance on Cisco product capabilities, product installation, or basic
product configuration.
In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.
To register for [Link], go to the following website:
[Link]
If you cannot resolve your technical issue by using the TAC online resources, [Link] registered
users can open a case online by using the TAC Case Open tool at the following website:
[Link]

Contacting TAC by Telephone


If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and
immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following
website:
[Link]
P1 and P2 level problems are defined as follows:
• P1—Your production network is down, causing a critical impact to business operations if service
is not restored quickly. No workaround is available.
• P2—Your production network is severely degraded, affecting significant aspects of your business
operations. No workaround is available.

Using Cisco IOS Software

This chapter provides helpful tips for understanding and configuring Cisco IOS software using the
command-line interface (CLI). It contains the following sections:
• Understanding Command Modes
• Getting Help
• Using the no and default Forms of Commands
• Saving Configuration Changes
• Filtering Output from the show and more Commands
• Identifying Supported Platforms
For an overview of Cisco IOS software configuration, refer to the Cisco IOS Configuration
Fundamentals Configuration Guide.
For information on the conventions used in the Cisco IOS software documentation set, see the chapter
“About Cisco IOS Software Documentation” located at the beginning of this book.

Understanding Command Modes


You use the CLI to access Cisco IOS software. Because the CLI is divided into many different modes,
the commands available to you at any given time depend on the mode you are currently in. Entering a
question mark (?) at the CLI prompt allows you to obtain a list of commands available for each
command mode.
When you log in to the CLI, you are in user EXEC mode. User EXEC mode contains only a limited
subset of commands. To have access to all commands, you must enter privileged EXEC mode, normally
by using a password. From privileged EXEC mode you can issue any EXEC command—user or
privileged mode—or you can enter global configuration mode. Most EXEC commands are one-time
commands. For example, show commands show important status information, and clear commands
clear counters or interfaces. The EXEC commands are not saved when the software reboots.
Configuration modes allow you to make changes to the running configuration. If you later save the
running configuration to the startup configuration, these changed commands are stored when the
software is rebooted. To enter specific configuration modes, you must start at global configuration
mode. From global configuration mode, you can enter interface configuration mode and a variety of
other modes, such as protocol-specific modes.
ROM monitor mode is a separate mode used when the Cisco IOS software cannot load properly. If a
valid software image is not found when the software boots or if the configuration file is corrupted at
startup, the software might enter ROM monitor mode.

Table 1 describes how to access and exit various common command modes of the Cisco IOS software.
It also shows examples of the prompts displayed for each mode.

Table 1 Accessing and Exiting Command Modes

User EXEC
  Access method: Log in.
  Prompt: Router>
  Exit method: Use the logout command.

Privileged EXEC
  Access method: From user EXEC mode, use the enable EXEC command.
  Prompt: Router#
  Exit method: To return to user EXEC mode, use the disable command.

Global configuration
  Access method: From privileged EXEC mode, use the configure terminal privileged EXEC command.
  Prompt: Router(config)#
  Exit method: To return to privileged EXEC mode from global configuration mode, use the exit or end command, or press Ctrl-Z.

Interface configuration
  Access method: From global configuration mode, specify an interface using an interface command.
  Prompt: Router(config-if)#
  Exit method: To return to global configuration mode, use the exit command. To return to privileged EXEC mode, use the end command, or press Ctrl-Z.

ROM monitor
  Access method: From privileged EXEC mode, use the reload EXEC command. Press the Break key during the first 60 seconds while the system is booting.
  Prompt: >
  Exit method: To exit ROM monitor mode, use the continue command.

For more information on command modes, refer to the “Using the Command-Line Interface” chapter in
the Cisco IOS Configuration Fundamentals Configuration Guide.
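
The transitions in Table 1, walked through as one console session. This is an added illustration, not a transcript from the original guide: the host name Router and the interface serial 4/0 are taken from the guide's own examples, while the show privilege and copy running-config startup-config commands are assumed from standard Cisco IOS (they belong to later chapters, not this one). The session also shows the two checks worth making before handing a router over: that privileged EXEC really did require a password, and that the changes reached the startup configuration, since anything left only in the running configuration is lost at the next reload.

```cisco
! Added illustration of the command modes in Table 1 (not from the original guide).
! Assumed: host name Router, interface serial 4/0, enable password <password>.
Router> show privilege
Current privilege level is 1
Router> enable
Password: <password>
Router# show privilege
Current privilege level is 15
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# interface serial 4/0
Router(config-if)# exit
Router(config)# interface serial 4/0
Router(config-if)# end
Router#
! Everything above lives only in the running configuration until it is copied
! to the startup configuration (see "Saving Configuration Changes").
Router# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router# disable
Router> logout
```

The exit and end commands differ in where they leave you: exit steps back one mode (interface configuration to global configuration), while end (or Ctrl-Z) returns straight to privileged EXEC from any configuration mode. Scripts that drive the CLI should key on the prompt suffix (>, #, (config)#, (config-if)#) rather than assume the mode, because a session that was already in privileged EXEC will not show the Password: prompt at all.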

Getting Help
Entering a question mark (?) at the CLI prompt displays a list of commands available for each command
mode. You can also get a list of keywords and arguments associated with any command by using the
context-sensitive help feature.
To get help specific to a command mode, a command, a keyword, or an argument, use one of the
following commands:

Command: help
Purpose: Provides a brief description of the help system in any command mode.

Command: abbreviated-command-entry?
Purpose: Provides a list of commands that begin with a particular character string. (No space between command and question mark.)

Command: abbreviated-command-entry<Tab>
Purpose: Completes a partial command name.

Command: ?
Purpose: Lists all commands available for a particular command mode.

Command: command ?
Purpose: Lists the keywords or arguments that you must enter next on the command line. (Space between command and question mark.)

Example: How to Find Command Options


This section provides an example of how to display syntax for a command. The syntax can consist of
optional or required keywords and arguments. To display keywords and arguments for a command, enter
a question mark (?) at the configuration prompt or after entering part of a command followed by a space.
The Cisco IOS software displays a list and brief description of available keywords and arguments. For
example, if you were in global configuration mode and wanted to see all the keywords or arguments for
the arap command, you would type arap ?.
The <cr> symbol in command help output stands for “carriage return.” On older keyboards, the carriage
return key is the Return key. On most modern keyboards, the carriage return key is the Enter key. The
<cr> symbol at the end of command help output indicates that you have the option to press Enter to
complete the command and that the arguments and keywords in the list preceding the <cr> symbol are
optional. The <cr> symbol by itself indicates that no more arguments or keywords are available and that
you must press Enter to complete the command.
Table 2 shows examples of how you can use the question mark (?) to assist you in entering commands.
The table steps you through configuring an IP address on a serial interface on a Cisco 7206 router that
is running Cisco IOS Release 12.0(3).

Table 2 How to Find Command Options

Command Comment
Router> enable Enter the enable command and
Password: <password> password to access privileged EXEC
Router#
commands. You are in privileged
EXEC mode when the prompt changes
to Router#.
Router# configure terminal Enter the configure terminal
Enter configuration commands, one per line. End with CNTL/Z. privileged EXEC command to enter
Router(config)#
global configuration mode. You are in
global configuration mode when the
prompt changes to Router(config)#.
Router(config)# interface serial ? Enter interface configuration mode by
<0-6> Serial interface number specifying the serial interface that you
Router(config)# interface serial 4 ?
/
want to configure using the interface
Router(config)# interface serial 4/ ? serial global configuration command.
<0-3> Serial interface number
Enter ? to display what you must enter
Router(config)# interface serial 4/0
Router(config-if)# next on the command line. In this
example, you must enter the serial
interface slot number and port number,
separated by a forward slash.
You are in interface configuration mode
when the prompt changes to
Router(config-if)#.

Cisco IOS Security Configuration Guide


xxxvii
Using Cisco IOS Software
Getting Help

Table 2 How to Find Command Options (continued)

Command:
Router(config-if)# ?
Interface configuration commands:
.
.
.
  ip                Interface Internet Protocol config commands
  keepalive         Enable keepalive
  lan-name          LAN Name command
  llc2              LLC2 Interface Subcommands
  load-interval     Specify interval for load calculation for an interface
  locaddr-priority  Assign a priority group
  logging           Configure logging for interface
  loopback          Configure internal loopback on an interface
  mac-address       Manually set interface MAC address
  mls               mls router sub/interface commands
  mpoa              MPOA interface configuration commands
  mtu               Set the interface Maximum Transmission Unit (MTU)
  netbios           Use a defined NETBIOS access list or enable name-caching
  no                Negate a command or set its defaults
  nrzi-encoding     Enable use of NRZI encoding
  ntp               Configure NTP
.
.
.
Router(config-if)#
Comment: Enter ? to display a list of all the interface configuration commands available for the serial interface. This example shows only some of the available interface configuration commands.

Command:
Router(config-if)# ip ?
Interface IP configuration subcommands:
  access-group        Specify access control for packets
  accounting          Enable IP accounting on this interface
  address             Set the IP address of an interface
  authentication      authentication subcommands
  bandwidth-percent   Set EIGRP bandwidth limit
  broadcast-address   Set the broadcast address of an interface
  cgmp                Enable/disable CGMP
  directed-broadcast  Enable forwarding of directed broadcasts
  dvmrp               DVMRP interface commands
  hello-interval      Configures IP-EIGRP hello interval
  helper-address      Specify a destination address for UDP broadcasts
  hold-time           Configures IP-EIGRP hold time
.
.
.
Router(config-if)# ip
Comment: Enter the command that you want to configure for the interface. This example uses the ip command. Enter ? to display what you must enter next on the command line. This example shows only some of the available interface IP configuration commands.

Command:
Router(config-if)# ip address ?
  A.B.C.D     IP address
  negotiated  IP Address negotiated over PPP
Router(config-if)# ip address
Comment: Enter the command that you want to configure for the interface. This example uses the ip address command. Enter ? to display what you must enter next on the command line. In this example, you must enter an IP address or the negotiated keyword. A carriage return (<cr>) is not displayed; therefore, you must enter additional keywords or arguments to complete the command.

Command:
Router(config-if)# ip address [Link] ?
  A.B.C.D  IP subnet mask
Router(config-if)# ip address [Link]
Comment: Enter the keyword or argument you want to use. This example uses the [Link] IP address. Enter ? to display what you must enter next on the command line. In this example, you must enter an IP subnet mask. A <cr> is not displayed; therefore, you must enter additional keywords or arguments to complete the command.

Command:
Router(config-if)# ip address [Link] [Link] ?
  secondary  Make this IP address a secondary address
  <cr>
Router(config-if)# ip address [Link] [Link]
Comment: Enter the IP subnet mask. This example uses the [Link] IP subnet mask. Enter ? to display what you must enter next on the command line. In this example, you can enter the secondary keyword, or you can press Enter. A <cr> is displayed; you can press Enter to complete the command, or you can enter another keyword.

Command:
Router(config-if)# ip address [Link] [Link]
Router(config-if)#
Comment: In this example, Enter is pressed to complete the command.

Using the no and default Forms of Commands


Almost every configuration command has a no form. In general, use the no form to disable a function.
Use the command without the no keyword to reenable a disabled function or to enable a function that
is disabled by default. For example, IP routing is enabled by default. To disable IP routing, use the no
ip routing command; to reenable IP routing, use the ip routing command. The Cisco IOS software
command reference publications provide the complete syntax for the configuration commands and
describe what the no form of a command does.
Configuration commands also can have a default form, which returns the command settings to the
default values. Most commands are disabled by default, so in such cases using the default form has the
same result as using the no form of the command. However, some commands are enabled by default and
have variables set to certain default values. In these cases, the default form of the command enables the
command and sets the variables to their default values. The Cisco IOS software command reference
publications describe the effect of the default form of a command if the command functions differently
than the no form.

Saving Configuration Changes


Use the copy system:running-config nvram:startup-config command to save your configuration
changes to the startup configuration so that the changes will not be lost if the software reloads or a
power outage occurs. For example:
Router# copy system:running-config nvram:startup-config
Building configuration...

It might take a minute or two to save the configuration. After the configuration has been saved, the
following output appears:
[OK]
Router#

On most platforms, this task saves the configuration to NVRAM. On the Class A Flash file system
platforms, this task saves the configuration to the location specified by the CONFIG_FILE environment
variable. The CONFIG_FILE variable defaults to NVRAM.

Filtering Output from the show and more Commands


In Cisco IOS Release 12.0(1)T and later releases, you can search and filter the output of show and more
commands. This functionality is useful if you need to sort through large amounts of output or if you
want to exclude output that you need not see.
To use this functionality, enter a show or more command followed by the “pipe” character (|); one of
the keywords begin, include, or exclude; and a regular expression on which you want to search or filter
(the expression is case-sensitive):
command | {begin | include | exclude} regular-expression
Only the lines selected by the keyword are shown: begin displays the output starting at the first line
that matches the regular expression, include displays only the lines that match, and exclude displays
every line except those that match. The following example illustrates how to use output modifiers with
the show interface command when you want the output to include only lines in which the expression
“protocol” appears:
Router# show interface | include protocol
FastEthernet0/0 is up, line protocol is up
Serial4/0 is up, line protocol is up
Serial4/1 is up, line protocol is up
Serial4/2 is administratively down, line protocol is down
Serial4/3 is administratively down, line protocol is down

For more information on the search and filter functionality, refer to the “Using the Command-Line
Interface” chapter in the Cisco IOS Configuration Fundamentals Configuration Guide.

Identifying Supported Platforms


Cisco IOS software is packaged in feature sets consisting of software images that support specific
platforms. The feature sets available for a specific platform depend on which Cisco IOS software
images are included in a release. To identify the set of software images available in a specific release
or to find out if a feature is available in a given Cisco IOS software image, see the following sections:
• Using Feature Navigator
• Using Software Release Notes

Using Feature Navigator


Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software
images support a particular set of features and which features are supported in a particular Cisco IOS
image.
Feature Navigator is available 24 hours a day, 7 days a week. To access Feature Navigator, you must
have an account on [Link]. If you have forgotten or lost your account information, e-mail the
Contact Database Administration group at cdbadmin@[Link]. If you do not have an account on
[Link], go to [Link] and follow the directions to establish an account.
To use Feature Navigator, you must have a JavaScript-enabled web browser such as Netscape 3.0 or
later, or Internet Explorer 4.0 or later. Internet Explorer 4.0 always has JavaScript enabled. To enable
JavaScript for Netscape 3.x or Netscape 4.x, follow the instructions provided with the web browser. For
JavaScript support and enabling instructions for other browsers, check with the browser vendor.
Feature Navigator is updated when major Cisco IOS software releases and technology releases occur.
You can access Feature Navigator at the following URL:
[Link]

Using Software Release Notes


Cisco IOS software releases include release notes that provide the following information:
• Platform support information
• Memory recommendations
• Microcode support information
• Feature set tables
• Feature descriptions
• Open and resolved severity 1 and 2 caveats for all platforms
Release notes are intended to be release-specific for the most current release, and the information
provided in these documents may not be cumulative in providing information about features that first
appeared in previous releases.

Security Overview

This chapter contains the following sections:


• About This Guide
Preview the topics in this guide.
• Creating Effective Security Policies
Learn tips and hints for creating a security policy for your organization. A security policy should be
finalized and up to date before you configure any security features.
• Identifying Security Risks and Cisco IOS Solutions
Identify common security risks that might be present in your network, and find the right Cisco IOS
security feature to prevent security break-ins.

About This Guide


The Cisco IOS Security Configuration Guide describes how to configure Cisco IOS security features for
your Cisco networking devices. These security features can protect your network against degradation or
failure and also against data loss or compromise resulting from intentional attacks and from unintended
but damaging mistakes by well-meaning network users.
This guide is divided into five parts:
• Authentication, Authorization, and Accounting (AAA)
• Security Server Protocols
• Traffic Filtering and Firewalls
• IP Security and Encryption
• Other Security Features
Appendixes follow the five main divisions.
The following sections briefly describe each of these parts and the appendixes.

Authentication, Authorization, and Accounting (AAA)


This part describes how to configure Cisco’s authentication, authorization, and accounting (AAA)
paradigm. AAA is an architectural framework for configuring a set of three independent security
functions in a consistent, modular manner.
• Authentication—Provides the method of identifying users, including login and password dialog,
challenge and response, messaging support, and, depending on the security protocol you select,
encryption. Authentication is the way a user is identified prior to being allowed access to the
network and network services. You configure AAA authentication by defining a named list of
authentication methods and then applying that list to various interfaces.
• Authorization—Provides the method for remote access control, including one-time authorization or
authorization for each service, per-user account list and profile, user group support, and support of
IP, IPX, ARA, and Telnet.
Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by
associating attribute-value (AV) pairs, which define those rights, with the appropriate user. AAA
authorization works by assembling a set of attributes that describe what the user is authorized to
perform. These attributes are compared with the information contained in a database for a given
user, and the result is returned to AAA to determine the user’s actual capabilities and restrictions.
• Accounting—Provides the method for collecting and sending security server information used for
billing, auditing, and reporting, such as user identities, start and stop times, services and commands
used (such as PPP), number of packets, and number of bytes. Accounting enables you to track the
services users are accessing, as well as the amount of network resources they are consuming.

Note You can configure authentication outside of AAA. However, you must configure AAA if you want to
use RADIUS, TACACS+, or Kerberos or if you want to configure a backup authentication method.

Security Server Protocols


In many circumstances, AAA uses security protocols to administer its security functions. If your router
or access server is acting as a network access server, AAA is the means through which you establish
communication between your network access server and your RADIUS, TACACS+, or Kerberos security
server.
The chapters in this part describe how to configure the following security server protocols:
• RADIUS—A distributed client/server system implemented through AAA that secures networks
against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and
send authentication requests to a central RADIUS server that contains all user authentication and
network service access information.
• TACACS+—A security application implemented through AAA that provides centralized validation
of users attempting to gain access to a router or network access server. TACACS+ services are
maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT
workstation. TACACS+ provides for separate and modular authentication, authorization, and
accounting facilities.
• Kerberos—A secret-key network authentication protocol implemented through AAA that uses the
Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication.
Kerberos was designed to authenticate requests for network resources. Kerberos is based on the
concept of a trusted third party that performs secure verification of users and services. The primary
use of Kerberos is to verify that users and the network services they use are really who and what
they claim to be. To accomplish this, a trusted Kerberos server issues tickets to users. These tickets,
which have a limited lifespan, are stored in a user’s credential cache and can be used in place of the
standard username-and-password authentication mechanism.
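The AAA method-list model described in the previous section, combined with the TACACS+ security server definition from this one, as an added configuration example that is not taken from this guide. The server address 10.1.1.5, the shared key, the local user name, and the list names MGMT and CONSOLE are assumed values. A method list falls through to the next method only when a method returns an error (for example, no TACACS+ server answers), not when a server rejects the credentials, so the local database here is a backup for server outages, not a second chance to log in.

```cisco
! Added example (not from the guide): TACACS+ as the primary AAA method
! with the local user database as the backup method.
! 10.1.1.5, the shared key and the list names are assumed values.
aaa new-model
!
! Local account consulted only if no TACACS+ server can be reached.
! (The "username ... secret" form is preferable where the image supports it.)
username admin privilege 15 password <local-password>
service password-encryption
!
! Security server definition: the TACACS+ daemon and its shared key.
tacacs-server host 10.1.1.5
tacacs-server key <shared-secret>
!
! Named method lists: try TACACS+ first, fall back to local users.
aaa authentication login MGMT group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable
aaa authorization exec MGMT group tacacs+ local
aaa accounting exec MGMT start-stop group tacacs+
aaa accounting commands 15 MGMT start-stop group tacacs+
!
! Console keeps a local-only list so a server problem cannot lock you out.
line console 0
 login authentication CONSOLE
!
! Remote sessions use the TACACS+ lists for all three AAA functions.
line vty 0 4
 login authentication MGMT
 authorization exec MGMT
 accounting exec MGMT
 accounting commands 15 MGMT
```

Before closing the console session from which you applied this, open a second session and confirm that the server is answering (show tacacs reports the request counters) and that a deliberately wrong password is rejected rather than falling through to the local account.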

Traffic Filtering and Firewalls


This part describes how to configure your networking devices to filter traffic or to function as a firewall.
• Cisco implements traffic filters with access control lists (also called access lists). Access lists
determine what traffic is blocked and what traffic is forwarded at router interfaces. Cisco provides
both basic and advanced access list capabilities.
– Basic access lists
An overview of basic access lists is in the chapter “Access Control Lists: Overview and
Guidelines.” This chapter describes tips, cautions, considerations, recommendations, and
general guidelines for configuring access lists for the various network protocols. You should
configure basic access lists for all network protocols that will be routed through your
networking device, such as IP, IPX, AppleTalk, and so forth.
– Advanced access lists
The advanced access list capabilities and configuration are described in the remaining chapters
in the “Traffic Filtering and Firewalls” part of this document. The advanced access lists provide
sophisticated and dynamic traffic filtering capabilities for stronger, more flexible network
security.
• Cisco IOS Firewall provides an extensive set of security features, allowing you to configure a simple
or elaborate firewall, according to your particular requirements. The following features are key
components of Cisco IOS Firewall:
– Context-based Access Control (CBAC)
CBAC intelligently filters TCP and UDP packets based on application-layer protocol session
information. You can configure CBAC to permit specified TCP and UDP traffic through a
firewall only when the connection is initiated from within the network you want to protect.
CBAC can inspect traffic for sessions that originate from either side of the firewall, and CBAC
can be used for intranet, extranet, and Internet perimeters of your network.
– Cisco IOS Firewall Intrusion Detection System (IDS)
The Cisco IOS Firewall IDS supports intrusion detection technology for mid-range and
high-end router platforms with firewall support. It identifies 59 of the most common attacks
using “signatures” to detect patterns of misuse in network traffic. The Cisco IOS Firewall IDS
acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through
the router, scanning each to match any of the IDS signatures. When it detects suspicious activity,
it responds before network security can be compromised and logs the event through Cisco IOS
syslog.
Cisco IOS Firewall IDS is compatible with the Cisco Secure Intrusion Detection System
(formerly known as NetRanger)—an enterprise-scale, real-time intrusion detection system
designed to detect, report, and terminate unauthorized activity throughout a network.
– Authentication Proxy
The Cisco IOS Firewall authentication proxy feature allows network administrators to apply
specific security policies on a per-user basis. Previously, user identity and related authorized
access were associated with a user’s IP address, or a single security policy had to be applied to
an entire user group or subnetwork. Now, users can be identified and authorized on the basis of
their per-user policy, and access privileges tailored on an individual basis are possible, as
opposed to general policy applied across multiple users.
– Port to Application Mapping (PAM)
Port to Application Mapping (PAM) is a feature of Cisco Secure Integrated Software. PAM
allows you to customize TCP or UDP port numbers for network services or applications. PAM
uses this information to support network environments that run services using ports that are
different from the registered or well-known ports associated with an application. For example,
the information in the PAM table enables Context-based Access Control (CBAC) supported
services to run on non-standard ports.
Firewalls are discussed in the chapters “Cisco IOS Firewall Overview” and “Configuring
Context-Based Access Control.”
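The CBAC and PAM features summarized above, combined in one added configuration example that is not taken from this guide. The outside interface Serial0/0, the inside address range 10.0.0.0/8, the inspection rule name FWRULE, and the non-standard HTTP port 8080 are assumed. CBAC in this release tracks TCP and UDP sessions only, so the few ICMP reply types that outbound users depend on are permitted statically in the inbound access list; everything else arriving from outside is denied unless CBAC opened a temporary entry for it.

```cisco
! Added example (not from the guide): CBAC protecting an inside LAN behind
! Serial0/0, with PAM mapping HTTP to a non-standard port.
! Interface name, 10.0.0.0/8, FWRULE and port 8080 are assumed values.
!
! PAM: TCP 8080 carries HTTP, so CBAC inspects it as HTTP, not generic TCP.
ip port-map http port 8080
!
! Inspection rule: track sessions that leave through Serial0/0 and open
! temporary return entries in access list 101 for their replies only.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE http
ip inspect name FWRULE ftp
ip inspect audit-trail
!
! Inbound filter on the outside interface. Packets claiming an inside
! source address are spoofed and logged; ICMP replies needed for
! troubleshooting are allowed; all else is denied and logged.
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   ip any any log
!
interface Serial0/0
 description Outside (Internet-facing) interface
 ip access-group 101 in
 ip inspect FWRULE out
```

Check the result with show ip inspect sessions while an inside host browses to the 8080 service: the session should appear as an http session, and show access-list 101 should show its deny counters rising only for unsolicited inbound traffic.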

IP Security and Encryption


This part describes how to configure IP security and encryption in the following chapters:
• Configuring IPSec Network Security
This chapter describes how to configure IPSec. IPSec provides security for transmission of sensitive
information over unprotected networks such as the Internet. IPSec provides data authentication and
anti-replay services in addition to data confidentiality services.
• Configuring Certification Authority Interoperability
This chapter describes how to configure certification authority (CA) interoperability. CA
interoperability permits Cisco IOS devices and CAs to communicate so that your Cisco IOS device
can obtain and use digital certificates from the CA.
• Configuring Internet Key Exchange Security Protocol
This chapter describes how to configure Internet Key Exchange (IKE). IKE is a key management
protocol standard that is used in conjunction with the IPSec standard. IPSec can be configured
without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of
configuration for the IPSec standard.

Other Security Features


This part describes several important security features in the following chapters:
• Configuring Passwords and Privileges
This chapter describes how to configure static passwords stored on your networking device. These
passwords are used to control access to the device’s command line prompt to view or change the
device configuration.
This chapter also describes how to assign privilege levels to the passwords. You can configure up to
16 different privilege levels and assign each level to a password. For each privilege level you define
a subset of Cisco IOS commands that can be executed. You can use these different levels to allow
some users the ability to execute all Cisco IOS commands, and to restrict other users to a defined
subset of commands.
This chapter also describes how to recover lost passwords.

• Neighbor Router Authentication: Overview and Guidelines
This chapter briefly describes the security benefits and operation of neighbor router authentication.
When neighbor authentication is configured on a router, the router authenticates its neighbor router
before accepting any route updates from that neighbor. This ensures that a router always receives
reliable routing update information from a trusted source.
• Configuring IP Security Options
This chapter describes how to configure IP Security Options (IPSO) as described in RFC 1108.
IPSO is generally used to comply with the security policy of the U.S. government’s Department of
Defense.
• Configuring Unicast Reverse Path Forwarding
This chapter describes the Unicast Reverse Path Forwarding (Unicast RPF) feature, which helps
mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses
into a network by discarding IP packets that lack a verifiable IP source address. For example, a
number of common types of denial-of-service (DoS) attacks, including Smurf and Tribe Flood
Network (TFN), can take advantage of forged or rapidly changing source IP addresses to allow
attackers to thwart efforts to locate or filter the attacks. For Internet service providers (ISPs) that
provide public access, Unicast RPF deflects such attacks by forwarding only packets that have
source addresses that are valid and consistent with the IP routing table. This action protects the
network of the ISP, its customer, and the rest of the Internet.
• Configuring Secure Shell
This chapter describes the Secure Shell (SSH) feature. SSH is an application and a protocol that
provides a secure replacement for the suite of UNIX r-commands such as rsh, rlogin, and rcp. (Cisco IOS
supports rlogin.) The protocol secures the sessions using standard cryptographic mechanisms, and
the application can be used similarly to the Berkeley rexec and rsh tools. There are currently two
versions of SSH available: SSH Version 1 and SSH Version 2. Only SSH Version 1 is implemented
in the Cisco IOS software.
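Four of the chapter summaries above (passwords and privileges, neighbor router authentication, Unicast RPF, and SSH) applied to a single router, as an added configuration example that is not taken from this guide. Interface names, addresses, key strings, privilege level 5 and its command subset are assumed values. The block assumes AAA (aaa new-model) is not enabled; with AAA, the lines would reference a method list instead of login local. The username password form is used because the username secret form is not available in every 12.2 image.

```cisco
! Added example (not from the guide). All names, addresses, keys and the
! level-5 command set are assumed values.
!
! --- Passwords and privileges ---
service password-encryption
enable secret <privileged-password>
! Level 5 may view the configuration and clear counters, nothing more
! beyond the default level-1 (user EXEC) commands.
privilege exec level 5 show running-config
privilege exec level 5 clear counters
enable secret level 5 <level5-password>
!
! --- Neighbor router authentication: OSPF MD5 on the backbone link ---
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
 area 0 authentication message-digest
interface Serial0/1
 description Backbone link to neighbor router
 ip address 192.168.1.1 255.255.255.0
 ip ospf message-digest-key 1 md5 <ospf-key>
!
! --- Unicast RPF on the customer-facing link (requires CEF) ---
ip cef
interface Serial0/0
 description Customer access link (symmetric routing)
 ip address 192.0.2.1 255.255.255.252
 ip verify unicast reverse-path
!
! --- Secure Shell (SSH Version 1 in this release) ---
! A host name and domain name are required before RSA keys can be generated.
hostname Router
ip domain-name example.net
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
username admin privilege 15 password <admin-password>
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
```

Three caveats a practitioner should keep in mind. Strict Unicast RPF drops any packet whose source address is not reachable back through the interface it arrived on, so apply it only where routing is symmetric (access links, not core links). The crypto key generate rsa command prompts for the modulus size; choose at least 1024 bits. Lowering show running-config to level 5 shows that level only the commands it is permitted to configure, which is the intended effect of the privilege separation.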

Appendixes
The appendixes describe the supported RADIUS attributes and TACACS+ attribute-value pairs as
follows:
• RADIUS Attributes
RADIUS attributes are used to define specific AAA elements in a user profile, which is stored on
the RADIUS daemon. This appendix lists the RADIUS attributes currently supported.
• TACACS+ Attribute-Value Pairs
TACACS+ attribute-value pairs are used to define specific AAA elements in a user profile, which is
stored on the TACACS+ daemon. This appendix lists the TACACS+ attribute-value pairs currently
supported.

Creating Effective Security Policies


An effective security policy works to ensure that your organization’s network assets are protected from
sabotage and from inappropriate access—both intentional and accidental.
All network security features should be configured in compliance with your organization’s security
policy. If you do not have a security policy, or if your policy is out of date, you should ensure that the
policy is created or updated before you decide how to configure security on your Cisco device.
The following sections provide guidelines to help you create an effective security policy:
• The Nature of Security Policies
• Two Levels of Security Policies
• Tips for Developing an Effective Security Policy

The Nature of Security Policies


You should recognize these aspects of security policies:
• Security policies represent trade-offs.
With all security policies, there is some trade-off between user productivity and security measures
that can be restrictive and time consuming. The goal of any security design is to provide maximum
security with minimum impact on user access and productivity. Some security measures, such as
network data encryption, do not restrict access and productivity. On the other hand, cumbersome or
unnecessarily redundant verification and authorization systems can frustrate users and even prevent
access to critical network resources.
• Security policies should be determined by business needs.
Business needs should dictate the security policy; a security policy should not determine how a
business operates.
• Security policies are living documents.
Because organizations are constantly subject to change, security policies must be systematically
updated to reflect new business directions, technological changes, and resource allocations.

Two Levels of Security Policies


You can think of a security policy as having two levels: a requirements level and an implementation level.
• At the requirements level, a policy defines the degree to which your network assets must be
protected against intrusion or destruction and also estimates the cost (consequences) of a security
breach. For example, the policy could state that only human resources personnel should be able to
access personnel records, or that only IS personnel should be able to configure the backbone routers.
The policy could also address the consequences of a network outage (due to sabotage), and the
consequences of inadvertently making sensitive information public.
• At the implementation level, a policy defines guidelines to implement the requirements-level policy,
using specific technology in a predefined way. For example, the implementation-level policy could
require access lists to be configured so that only traffic from human resources host computers can
access the server containing personnel records.
When creating a policy, define security requirements before defining security implementations so that
you do not end up merely justifying particular technical solutions that might not actually be required.

Tips for Developing an Effective Security Policy


To develop an effective security policy, consider the recommendations in the following sections:
• Identifying Your Network Assets to Protect
• Determining Points of Risk
• Limiting the Scope of Access
• Identifying Assumptions
• Determining the Cost of Security Measures
• Considering Human Factors
• Keeping a Limited Number of Secrets
• Implementing Pervasive and Scalable Security
• Understanding Typical Network Functions
• Remembering Physical Security

Identifying Your Network Assets to Protect


The first step to developing a security policy is to understand and identify your organization’s network
assets. Network assets include the following:
• Networked hosts (such as PCs; includes the hosts’ operating systems, applications, and data)
• Networking devices (such as routers)
• Network data (data that travels across the network)
You must both identify your network’s assets and determine the degree to which each of these assets
must be protected. For example, one subnetwork of hosts might contain extremely sensitive data that
should be protected at all costs, while a different subnetwork of hosts might require only modest
protection against security risks because there is less cost involved if the subnetwork is compromised.

Determining Points of Risk


You must understand how potential intruders can enter your organization’s network or sabotage network
operation. Special areas of consideration are network connections, dial-up access points, and
misconfigured hosts. Misconfigured hosts, frequently overlooked as points of network entry, include
systems that have unprotected login accounts (such as guest accounts), place extensive trust in remote
commands (such as rlogin and rsh), have unauthorized modems attached, or use easy-to-break passwords.

Limiting the Scope of Access


Organizations can create multiple barriers within networks, so that unlawful entry to one part of the
system does not automatically grant entry to the entire infrastructure. Although maintaining a high level
of security for the entire network can be prohibitively expensive (in terms of systems and equipment as
well as productivity), you can often provide higher levels of security to the more sensitive areas of your
network.

Identifying Assumptions
Every security system has underlying assumptions. For example, an organization might assume that its
network is not tapped, that intruders are not very knowledgeable, that intruders are using standard
software, or that a locked room is safe. It is important to identify, examine, and justify your assumptions:
any hidden assumption is a potential security hole.

Determining the Cost of Security Measures


In general, providing security comes at a cost. This cost can be measured in terms of increased
connection times or inconveniences to legitimate users accessing the assets, or in terms of increased
network management requirements, and sometimes in terms of actual dollars spent on equipment or
software upgrades.
Some security measures inevitably inconvenience some sophisticated users. Security can delay work,
create expensive administrative and educational overhead, use significant computing resources, and
require dedicated hardware.
When you decide which security measures to implement, you must understand their costs and weigh
these against potential benefits. If the security costs are out of proportion to the actual dangers, it is a
disservice to the organization to implement them.

Considering Human Factors


If security measures interfere with essential uses of the system, users resist these measures and
sometimes even circumvent them. Many security procedures fail because their designers do not take this
fact into account. For example, because automatically generated “nonsense” passwords can be difficult
to remember, users often write them on the undersides of keyboards. A “secure” door that leads to a
system’s only tape drive is sometimes propped open. For convenience, unauthorized modems are often
connected to a network to avoid cumbersome dial-in security procedures. To ensure compliance with
your security measures, users must be able to get their work done as well as understand and accept the
need for security.
Any user can compromise system security to some degree. For example, an intruder might learn
passwords by simply calling legitimate users on the telephone claiming to be a system administrator and
asking for them. If users understand security issues and understand the reasons for them, they are far less
likely to compromise security in this way.
Defining such human factors and any corresponding policies needs to be included as a formal part of
your complete security policy.
At a minimum, users must be taught never to release passwords or other secrets over unsecured telephone
lines (especially through cordless or cellular telephones) or electronic mail. They should be wary of
questions asked by people who call them on the telephone. Some companies have implemented
formalized network security training for their employees in which employees are not allowed access to
the network until they have completed a formal training program.

Keeping a Limited Number of Secrets


Most security is based on secrets; for example, passwords and encryption keys are secrets. But the more
secrets there are, the harder it is to keep all of them. It is prudent, therefore, to design a security policy
that relies on a limited number of secrets. Ultimately, the most important secret an organization has is
the information that can help someone circumvent its security.

Implementing Pervasive and Scalable Security


Use a systematic approach to security that includes multiple, overlapping security methods.
Almost any change that is made to a system can affect security. This is especially true when new services
are created. System administrators, programmers, and users need to consider the security implications
of every change they make. Understanding the security implications of a change takes practice; it
requires lateral thinking and a willingness to explore every way that a service could potentially be
manipulated. The goal of any security policy is to create an environment that is not susceptible to every
minor change.

Understanding Typical Network Functions


Understand how your network system normally functions, know what is expected and unexpected
behavior, and be familiar with how devices are usually used. This kind of awareness helps the
organization detect security problems. Noticing unusual events can help catch intruders before they can
damage the system. Software auditing tools can help detect, log, and track unusual events. In addition,
an organization should know exactly what software it relies on to provide auditing trails, and a security
system should not operate on the assumption that all software is bug free.

Remembering Physical Security


The physical security of your network devices and hosts cannot be neglected. For example, many
facilities implement physical security by using security guards, closed circuit television, card-key entry
systems, or other means to control physical access to network devices and hosts. Physical access to a
computer or router usually gives a sophisticated user complete control over that device. Physical access
to a network link usually allows a person to tap into that link, jam it, or inject traffic into it. Software
security measures can often be circumvented when access to the hardware is not controlled.

Identifying Security Risks and Cisco IOS Solutions


Cisco IOS software provides a comprehensive set of security features to guard against specific security
risks. This section describes a few common security risks that might be present in your network, and
describes how to use Cisco IOS software to protect against each of these risks:
• Preventing Unauthorized Access into Networking Devices
• Preventing Unauthorized Access into Networks
• Preventing Network Data Interception
• Preventing Fraudulent Route Updates

Preventing Unauthorized Access into Networking Devices


If someone were to gain console or terminal access into a networking device, such as a router, switch,
or network access server, that person could do significant damage to your network—perhaps by
reconfiguring the device, or even by simply viewing the device’s configuration information.
Typically, you want administrators to have access to your networking device; you do not want other users
on your local-area network or those dialing in to the network to have access to the router.


Users can access Cisco networking devices by dialing in from outside the network through an
asynchronous port, connecting from outside the network through a serial port, or connecting via a
terminal or workstation from within the local network.
To prevent unauthorized access into a networking device, you should configure one or more of the
following security features:
• At a minimum, you should configure passwords and privileges at each networking device for all
device lines and ports, as described in the chapter “Configuring Passwords and Privileges.” These
passwords are stored on the networking device. When users attempt to access the device through a
particular line or port, they must enter the password applied to the line or port before they can access
the device.
• For an additional layer of security, you can also configure username/password pairs, stored in a
database on the networking device, as described in the chapter “Configuring Passwords and
Privileges.” These pairs are assigned to lines or interfaces and authenticate each user before that user
can access the device. If you have defined privilege levels, you can also assign a specific privilege
level (with associated rights and privileges) to each username/password pair.
• If you want to use username/password pairs, but you want to store them centrally instead of locally
on each individual networking device, you can store them in a database on a security server. Multiple
networking devices can then use the same database to obtain user authentication (and, if necessary,
authorization) information. Cisco supports a variety of security server protocols, such as RADIUS,
TACACS+, and Kerberos. If you decide to use the database on a security server to store login
username/password pairs, you must configure your router or access server to support the applicable
protocol; in addition, because most supported security protocols must be administered through the
AAA security services, you will probably need to enable AAA. For more information about security
protocols and AAA, refer to the chapters in the “Authentication, Authorization, and Accounting
(AAA)” part of this document.

Note Cisco recommends that, whenever possible, AAA be used to implement authentication.

• If you want to authorize individual users for specific rights and privileges, you can implement
AAA’s authorization feature, using a security protocol such as TACACS+ or RADIUS. For more
information about security protocol features and AAA, refer to the chapters in the “Authentication,
Authorization, and Accounting (AAA)” part of this document.
• If you want to have a backup authentication method, you must configure AAA. AAA allows you to
specify the primary method for authenticating users (for example, a username/password database
stored on a TACACS+ server) and then specify backup methods (for example, a locally stored
username/password database). The backup method is used if the primary method’s database cannot
be accessed by the networking device. To configure AAA, refer to the chapters in the
“Authentication, Authorization, and Accounting (AAA)” part of this document. You can configure
up to four sequential backup methods.

Note If you do not have backup methods configured, you will be denied access to the device
if the username/password database cannot be accessed for any reason.

• If you want to keep an audit trail of user access, configure AAA accounting as described in the
chapter “Configuring Accounting.”


Preventing Unauthorized Access into Networks


If someone were to gain unauthorized access to your organization’s internal network, that person could
cause damage in many ways, perhaps by accessing sensitive files from a host, by planting a virus, or by
hindering network performance by flooding your network with illegitimate packets.
This risk can also apply to a person within your network attempting to access another internal network
such as a Research and Development subnetwork with sensitive and critical data. That person could
intentionally or inadvertently cause damage; for example, that person might access confidential files or
tie up a time-critical printer.
To prevent unauthorized access through a networking device into a network, you should configure one
or more of these security features:
• Traffic Filtering
Cisco uses access lists to filter traffic at networking devices. Basic access lists allow only specified
traffic through the device; other traffic is simply dropped. You can specify individual hosts or
subnets that should be allowed into the network, and you can specify what type of traffic should be
allowed into the network. Basic access lists generally filter traffic based on source and destination
addresses, and protocol type of each packet.
Advanced traffic filtering is also available, providing additional filtering capabilities; for example,
the Lock-and-Key Security feature requires each user to be authenticated via a username/password
before that user’s traffic is allowed onto the network.
All the Cisco IOS traffic filtering capabilities are described in the chapters in the “Traffic Filtering
and Firewalls” part of this document.
• Authentication
You can require users to be authenticated before they gain access into a network. When users attempt
to access a service or host (such as a web site or file server) within the protected network, they must
first enter certain data such as a username and password, and possibly additional information such
as their date of birth or mother’s maiden name. After successful authentication (depending on the
method of authentication), users will be assigned specific privileges, allowing them to access
specific network assets. In most cases, this type of authentication would be facilitated by using
CHAP or PAP over a serial PPP connection in conjunction with a specific security protocol, such as
TACACS+ or RADIUS.
Just as in preventing unauthorized access to specific network devices, you need to decide whether
or not you want the authentication database to reside locally or on a separate security server. In this
case, a local security database is useful if you have very few routers providing network access. A
local security database does not require a separate (and costly) security server. A remote, centralized
security database is convenient when you have a large number of routers providing network access
because it prevents you from having to update each router with new or changed username
authentication and authorization information for potentially hundreds of thousands of dial-in users.
A centralized security database also helps establish consistent remote access policies throughout a
corporation.
Cisco IOS software supports a variety of authentication methods. Although AAA is the primary (and
recommended) method for access control, Cisco IOS software provides additional features for
simple access control that are outside the scope of AAA. For more information, refer to the chapter
“Configuring Authentication.”


Preventing Network Data Interception


When packets travel across a network, they are susceptible to being read, altered, or “hijacked.”
(Hijacking occurs when a hostile party intercepts a network traffic session and poses as one of the
session endpoints.)
If the data is traveling across an unsecured network such as the Internet, the data is exposed to a fairly
significant risk. Sensitive or confidential data could be exposed, critical data could be modified, and
communications could be interrupted if data is altered.
To protect data as it travels across a network, configure network data encryption, as described in the
chapter “Configuring IPSec Network Security.”
IPSec provides the following network security services. These services are optional. In general, local
security policy will dictate the use of one or more of the following services:
• Data Confidentiality—The IPSec sender can encrypt packets before transmitting them across a
network.
• Data Integrity—The IPSec receiver can authenticate packets sent by the IPSec sender to ensure that
the data has not been altered during transmission.
• Data Origin Authentication—The IPSec receiver can authenticate the source of the IPSec packets
sent. This service is dependent upon the data integrity service.
• Anti-Replay—The IPSec receiver can detect and reject replayed packets.
Cisco IPSec prevents routed traffic from being examined or tampered with while it travels across a
network. This feature causes IP packets to be encrypted at a Cisco router, routed across a network
as encrypted information, and decrypted at the destination Cisco router. In between the two routers,
the packets are in encrypted form and therefore the packets’ contents cannot be read or altered. You
define what traffic should be encrypted between the two routers, according to what data is more
sensitive or critical.
If you want to protect traffic for protocols other than IP, you can encapsulate those other protocols
into IP packets using GRE encapsulation, and then encrypt the IP packets.
Typically, you do not use IPSec for traffic that is routed through networks that you consider secure.
Consider using IPSec for traffic that is routed across unsecured networks, such as the Internet, if
your organization could be damaged if the traffic is examined or tampered with by unauthorized
individuals.

Preventing Fraudulent Route Updates


All routing devices determine where to route individual packets by using information stored in route
tables. This route table information is created using route updates obtained from neighboring routers.
If a router receives a fraudulent update, the router could be tricked into forwarding traffic to the wrong
destination. This could cause sensitive data to be exposed, or could cause network communications to
be interrupted.
To ensure that route updates are received only from known, trusted neighbor routers, configure neighbor
router authentication as described in the chapter “Neighbor Router Authentication: Overview and
Guidelines.”

Authentication, Authorization, and
Accounting (AAA)
AAA Overview

Access control is the way you control who is allowed access to the network server and what services they
are allowed to use once they have access. Authentication, authorization, and accounting (AAA) network
security services provide the primary framework through which you set up access control on your router
or access server.

In This Chapter
This chapter includes the following sections:
• About AAA Security Services
• Where to Begin
• What to Do Next

About AAA Security Services


AAA is an architectural framework for configuring a set of three independent security functions in a
consistent manner. AAA provides a modular way of performing the following services:
• Authentication—Provides the method of identifying users, including login and password dialog,
challenge and response, messaging support, and, depending on the security protocol you select,
encryption.
Authentication is the way a user is identified prior to being allowed access to the network and
network services. You configure AAA authentication by defining a named list of authentication
methods, and then applying that list to various interfaces. The method list defines the types of
authentication to be performed and the sequence in which they will be performed; it must be applied
to a specific interface before any of the defined authentication methods will be performed. The only
exception is the default method list (which is named “default”). The default method list is
automatically applied to all interfaces if no other method list is defined. A defined method list
overrides the default method list.
All authentication methods, except for local, line password, and enable authentication, must be
defined through AAA. For information about configuring all authentication methods, including
those implemented outside of the AAA security services, refer to the chapter “Configuring
Authentication.”


• Authorization—Provides the method for remote access control, including one-time authorization or
authorization for each service, per-user account list and profile, user group support, and support of
IP, IPX, ARA, and Telnet.
AAA authorization works by assembling a set of attributes that describe what the user is authorized
to perform. These attributes are compared to the information contained in a database for a given user
and the result is returned to AAA to determine the user’s actual capabilities and restrictions. The
database can be located locally on the access server or router or it can be hosted remotely on a
RADIUS or TACACS+ security server. Remote security servers, such as RADIUS and TACACS+,
authorize users for specific rights by associating attribute-value (AV) pairs, which define those
rights, with the appropriate user. All authorization methods must be defined through AAA.
As with authentication, you configure AAA authorization by defining a named list of authorization
methods, and then applying that list to various interfaces. For information about configuring
authorization using AAA, refer to the chapter “Configuring Authorization.”
• Accounting—Provides the method for collecting and sending security server information used for
billing, auditing, and reporting, such as user identities, start and stop times, executed commands
(such as PPP), number of packets, and number of bytes.
Accounting enables you to track the services users are accessing as well as the amount of network
resources they are consuming. When AAA accounting is activated, the network access server reports
user activity to the RADIUS or TACACS+ security server (depending on which security method you
have implemented) in the form of accounting records. Each accounting record consists of
accounting AV pairs and is stored on the access control server. This data can then be analyzed for
network management, client billing, and/or auditing. All accounting methods must be defined
through AAA. As with authentication and authorization, you configure AAA accounting by defining
a named list of accounting methods, and then applying that list to various interfaces. For information
about configuring accounting using AAA, refer to the chapter “Configuring Accounting.”
In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer its
security functions. If your router or access server is acting as a network access server, AAA is the means
through which you establish communication between your network access server and your RADIUS,
TACACS+, or Kerberos security server.
Although AAA is the primary (and recommended) method for access control, Cisco IOS software
provides additional features for simple access control that are outside the scope of AAA, such as local
username authentication, line password authentication, and enable password authentication. However,
these features do not provide the same degree of access control that is possible by using AAA.
This section includes the following sections:
• Benefits of Using AAA
• AAA Philosophy
• Method Lists

Benefits of Using AAA


AAA provides the following benefits:
• Increased flexibility and control of access configuration
• Scalability
• Standardized authentication methods, such as RADIUS, TACACS+, and Kerberos
• Multiple backup systems


Note The deprecated protocols, TACACS and extended TACACS, are not compatible with AAA; if you
select these security protocols, you will not be able to take advantage of the AAA security services.

AAA Philosophy
AAA is designed to enable you to dynamically configure the type of authentication and authorization
you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the
type of authentication and authorization you want by creating method lists, then applying those method
lists to specific services or interfaces.
For information about applications that use AAA, such as per-user configuration and virtual profiles,
refer to the chapters “Configuring Per-User Configuration” and “Configuring Virtual Profiles” in the
Cisco IOS Dial Technologies Configuration Guide, Release 12.2.

Method Lists
A method list is a sequential list that defines the authentication methods used to authenticate a user.
Method lists enable you to designate one or more security protocols to be used for authentication, thus
ensuring a backup system for authentication in case the initial method fails. Cisco IOS software uses the
first method listed to authenticate users; if that method does not respond, Cisco IOS software selects the
next authentication method in the method list. This process continues until there is successful
communication with a listed authentication method or the authentication method list is exhausted, in
which case authentication fails.

Note Cisco IOS software attempts authentication with the next listed authentication method only when
there is no response from the previous method. If authentication fails at any point in this
cycle—meaning that the security server or local username database responds by denying the user
access—the authentication process stops and no other authentication methods are attempted.


Figure 2 shows a typical AAA network configuration that includes four security servers: R1 and R2 are
RADIUS servers, and T1 and T2 are TACACS+ servers.

Figure 2 Typical AAA Network Configuration

[Figure: a remote PC and a workstation, a network access server (NAS), RADIUS servers R1 and R2, and
TACACS+ servers T1 and T2.]
Suppose the system administrator has defined a method list where R1 will be contacted first for
authentication information, then R2, T1, T2, and finally the local username database on the access server
itself. When a remote user attempts to dial in to the network, the network access server first queries R1
for authentication information. If R1 authenticates the user, it issues a PASS response to the network
access server and the user is allowed to access the network. If R1 returns a FAIL response, the user is
denied access and the session is terminated. If R1 does not respond, then the network access server
processes that as an ERROR and queries R2 for authentication information. This pattern continues
through the remaining designated methods until the user is either authenticated or rejected, or until the
session is terminated. If all of the authentication methods return errors, the network access server will
process the session as a failure, and the session will be terminated.

Note A FAIL response is significantly different from an ERROR. A FAIL means that the user has not met
the criteria contained in the applicable authentication database to be successfully authenticated.
Authentication ends with a FAIL response. An ERROR means that the security server has not
responded to an authentication query. Because of this, no authentication has been attempted. Only
when an ERROR is detected will AAA select the next authentication method defined in the
authentication method list.

Where to Begin
You must first decide what kind of security solution you want to implement. You need to assess the
security risks in your particular network and decide on the appropriate means to prevent unauthorized
entry and attack. For more information about assessing your security risks and possible security
solutions, refer to the chapter “Security Overview.” Cisco recommends that you use AAA, no matter how
minor your security needs might be.


This section includes the following subsections:


• Overview of the AAA Configuration Process
• Enabling AAA
• Disabling AAA

Overview of the AAA Configuration Process


Configuring AAA is relatively simple after you understand the basic process involved. To configure
security on a Cisco router or access server using AAA, follow this process:
1. Enable AAA by using the aaa new-model global configuration command.
2. If you decide to use a separate security server, configure security protocol parameters, such as
RADIUS, TACACS+, or Kerberos.
3. Define the method lists for authentication by using an AAA authentication command.
4. Apply the method lists to a particular interface or line, if required.
5. (Optional) Configure authorization using the aaa authorization command.
6. (Optional) Configure accounting using the aaa accounting command.
For a complete description of the commands used in this chapter, refer to the chapter “Authentication
Commands” of the Cisco IOS Security Command Reference. To locate documentation of other
commands that appear in this chapter, use the command reference master index or search online.

Enabling AAA
Before you can use any of the services that the AAA network security services provide, you must enable AAA.

Note When you enable AAA, you can no longer access the commands to configure the older protocols,
TACACS or extended TACACS. If you decided to use TACACS or extended TACACS in your
security solution, do not enable AAA.

To enable AAA, use the following command in global configuration mode:

Command                          Purpose
Router(config)# aaa new-model    Enables AAA.


Disabling AAA
You can disable AAA functionality with a single command if you decide that your security needs cannot
be met by AAA but can be met by using TACACS, extended TACACS, or a line security method that can
be implemented without AAA. To disable AAA, use the following command in global configuration
mode:

Command                             Purpose
Router(config)# no aaa new-model    Disables AAA.

What to Do Next
Once you have enabled AAA, you are ready to configure the other elements relating to your selected
security solution. Table 3 describes AAA configuration tasks and where to find more information.

Table 3 AAA Access Control Security Solutions Methods

Task                                                       Chapter in the Cisco IOS Security Configuration Guide
Configuring local login authentication                     “Configuring Authentication”
Controlling login using security server authentication     “Configuring Authentication”
Defining method lists for authentication                   “Configuring Authentication”
Applying method lists to a particular interface or line    “Configuring Authentication”
Configuring RADIUS security protocol parameters            “Configuring RADIUS”
Configuring TACACS+ security protocol parameters           “Configuring TACACS+”
Configuring Kerberos security protocol parameters          “Configuring Kerberos”
Enabling TACACS+ authorization                             “Configuring Authorization”
Enabling RADIUS authorization                              “Configuring Authorization”
Viewing supported IETF RADIUS attributes                   “RADIUS Attributes” (Appendix)
Viewing supported vendor-specific RADIUS attributes        “RADIUS Attributes” (Appendix)
Viewing supported TACACS+ AV pairs                         “TACACS+ AV Pairs” (Appendix)
Enabling accounting                                        “Configuring Accounting”

If you have elected not to use the AAA security services, see the “Configuring Authentication” chapter
for the non-AAA configuration task “Configuring Login Authentication.”

Configuring Authentication

Authentication verifies users before they are allowed access to the network and network services. The
Cisco IOS software implementation of authentication is divided into two main categories:
• AAA Authentication Methods Configuration Task List
• Non-AAA Authentication Methods
Authentication, for the most part, is implemented through the AAA security services. Cisco recommends
that, whenever possible, AAA be used to implement authentication.
This chapter describes both AAA and non-AAA authentication methods. For authentication
configuration examples, refer to the “Authentication Examples” section at the end of this chapter. For a
complete description of the AAA commands used in this chapter, refer to the “Authentication,
Authorization, and Accounting (AAA)” part of the Cisco IOS Security Command Reference. To locate
documentation of other commands that appear in this chapter, use the command reference master index
or search online.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on [Link] to search for information about the feature, or refer to the software
release notes for a specific release. For more information, see the section “Identifying Supported
Platforms” in the chapter “Using Cisco IOS Software.”

In This Chapter
This chapter contains the following sections:
• Named Method Lists for Authentication
• AAA Authentication Methods Configuration Task List
• Non-AAA Authentication Methods
• Authentication Examples

Named Method Lists for Authentication


To configure AAA authentication, you must first define a named list of authentication methods, and then
apply that list to various interfaces. The method list defines the types of authentication to be performed
and the sequence in which they will be performed; it must be applied to a specific interface before any


of the defined authentication methods will be performed. The only exception is the default method list
(which is named “default”). The default method list is automatically applied to all interfaces except those
that have a named method list explicitly defined. A defined method list overrides the default method list.
A method list is a sequential list describing the authentication methods to be queried in order to
authenticate a user. Method lists enable you to designate one or more security protocols to be used for
authentication, thus ensuring a backup system for authentication in case the initial method fails.
Cisco IOS software uses the first listed method to authenticate users. If that method fails to respond, the
Cisco IOS software selects the next authentication method listed in the method list. This process
continues until there is successful communication with a listed authentication method, or all methods
defined in the method list are exhausted.
It is important to note that the Cisco IOS software attempts authentication with the next listed
authentication method only when there is no response from the previous method. If authentication fails
at any point in this cycle—meaning that the security server or local username database responds by
denying the user access—the authentication process stops and no other authentication methods are
attempted.
This section contains the following subsections:
• Method Lists and Server Groups
• Method List Examples
• AAA Authentication General Configuration Procedure

Method Lists and Server Groups


A server group is a way to group existing RADIUS or TACACS+ server hosts for use in method lists.
Figure 3 shows a typical AAA network configuration that includes four security servers: R1 and R2 are
RADIUS servers and T1 and T2 are TACACS+ servers. R1 and R2 make up the group of RADIUS servers.
T1 and T2 make up the group of TACACS+ servers.

Figure 3 Typical AAA Network Configuration

[Figure: a remote PC and a workstation, a network access server (NAS), RADIUS servers R1 and R2, and
TACACS+ servers T1 and T2.]


Using server groups, you can specify a subset of the configured server hosts and use them for a particular
service. For example, server groups allow you to define R1 and R2 as a server group, and define T1 and
T2 as a separate server group. You can also specify R1 and T1 in the method list for authentication
login, while specifying R2 and T2 in the method list for PPP authentication.
Server groups also can include multiple host entries for the same server, as long as each entry has a
unique identifier. The combination of an IP address and a UDP port number creates a unique identifier,
allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
In other words, this unique identifier enables RADIUS requests to be sent to different UDP ports on a
server at the same IP address. If two different host entries on the same RADIUS server are configured
for the same service—for example, accounting—the second host entry configured acts as failover
backup to the first one. Using this example, if the first host entry fails to provide accounting services,
the network access server will try the second host entry configured on the same device for accounting
services. (The RADIUS host entries will be tried in the order in which they are configured.)
For more information about configuring server groups and about configuring server groups based on
Dialed Number Identification Service (DNIS) numbers, refer to the “Configuring RADIUS” or
“Configuring TACACS+” chapter.

Method List Examples


Suppose the system administrator has decided on a security solution where all interfaces will use the
same authentication methods to authenticate PPP connections. In the RADIUS group, R1 is contacted
first for authentication information, then if there is no response, R2 is contacted. If R2 does not respond,
T1 in the TACACS+ group is contacted; if T1 does not respond, T2 is contacted. If all designated servers
fail to respond, authentication falls to the local username database on the access server itself. To
implement this solution, the system administrator would create a default method list by entering the
following command:
aaa authentication ppp default group radius group tacacs+ local

In this example, “default” is the name of the method list. The protocols included in this method list are
listed after the name, in the order they are to be queried. The default list is automatically applied to all
interfaces.
When a remote user attempts to dial in to the network, the network access server first queries R1 for
authentication information. If R1 authenticates the user, it issues a PASS response to the network access
server and the user is allowed to access the network. If R1 returns a FAIL response, the user is denied
access and the session is terminated. If R1 does not respond, then the network access server processes
that as an ERROR and queries R2 for authentication information. This pattern would continue through
the remaining designated methods until the user is either authenticated or rejected, or until the session
is terminated.
It is important to remember that a FAIL response is significantly different from an ERROR. A FAIL
means that the user has not met the criteria contained in the applicable authentication database to be
successfully authenticated. Authentication ends with a FAIL response. An ERROR means that the
security server has not responded to an authentication query. Because of this, no authentication has been
attempted. Only when an ERROR is detected will AAA select the next authentication method defined in
the authentication method list.
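As an added example (not Cisco code), the following Python model implements the method-list rules described in the preceding paragraphs together with the server-group failover behaviour from the section above: host entries within a group are tried in configured order, only an ERROR moves AAA on to the next method, and none always succeeds. Host addresses, ports, group names and credentials are constructed sample data.

```python
"""AAA method-list evaluation, modelled on the semantics this chapter describes.

Added example, not Cisco code. A method list is walked in configured order;
PASS or FAIL from a method ends authentication, and only an ERROR (no server
in the group responded) moves AAA to the next method. A server group tries
its host entries in configured order, so a second entry for the same server
(distinct IP/UDP-port identifier) is a failover for the first. Host
addresses, ports, groups and credentials below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass(frozen=True)
class Host:
    """One RADIUS or TACACS+ host entry; (ip, port) is its unique identifier."""
    ip: str
    port: int


# Oracle(host, user, password) -> PASS, FAIL, or None when the host does not
# respond (which the NAS treats as an ERROR). It stands in for the network.
Oracle = Callable[[Host, str, str], Optional[str]]


def query_group(name: str, hosts: List[Host], user: str, pw: str,
                oracle: Oracle) -> Tuple[str, List[str]]:
    """Try each host entry in order; ERROR only if none of them answers."""
    trace: List[str] = []
    for h in hosts:
        verdict = oracle(h, user, pw)
        if verdict is None:
            trace.append(f"{name}:{h.ip}:{h.port} no response")
            continue  # fail over to the next host entry in this group
        trace.append(f"{name}:{h.ip}:{h.port} {verdict}")
        return verdict, trace
    return ERROR, trace


def authenticate(methods: List[str], user: str, pw: str,
                 groups: Dict[str, List[Host]], local_db: Dict[str, str],
                 oracle: Oracle) -> Tuple[str, List[str]]:
    """Walk a method list such as ['group radius', 'group tacacs+', 'local']."""
    trace: List[str] = []
    for m in methods:
        if m == "none":
            verdict = PASS                      # 'none' always succeeds
        elif m == "local":
            verdict = PASS if local_db.get(user) == pw else FAIL
        elif m.startswith("group "):
            verdict, t = query_group(m[6:], groups[m[6:]], user, pw, oracle)
            trace.extend(t)
        else:
            raise ValueError(f"method not modelled: {m!r}")
        trace.append(f"{m} -> {verdict}")
        if verdict != ERROR:
            return verdict, trace               # PASS and FAIL both stop here
    return ERROR, trace                         # every method errored


# --- constructed sample topology matching Figure 3 ------------------------
R1, R2 = Host("10.0.0.1", 1812), Host("10.0.0.2", 1812)   # RADIUS
T1, T2 = Host("10.0.0.3", 49), Host("10.0.0.4", 49)       # TACACS+
GROUPS = {
    "radius": [R1, R2],        # built-in group: all RADIUS hosts
    "tacacs+": [T1, T2],       # built-in group: all TACACS+ hosts
    "rad2only": [R2],
    "tac2only": [T2],
}
SERVER_DB = {"alice": "s3cret"}   # account known to the security servers
LOCAL_DB = {"admin": "localpw"}   # local username database on the NAS
DEFAULT_PPP = ["group radius", "group tacacs+", "local"]


def make_oracle(down: set) -> Oracle:
    """Servers in `down` never answer; the rest check SERVER_DB."""
    def oracle(host: Host, user: str, pw: str) -> Optional[str]:
        if host in down:
            return None
        return PASS if SERVER_DB.get(user) == pw else FAIL
    return oracle


if __name__ == "__main__":
    cases = [
        ("R1 down, R2 answers", DEFAULT_PPP, "alice", "s3cret", {R1}),
        ("bad password: FAIL stops the list", DEFAULT_PPP, "alice", "x", set()),
        ("all servers down, local user", DEFAULT_PPP, "admin", "localpw",
         {R1, R2, T1, T2}),
        ("all down, no 'none'", ["group tacacs+"], "alice", "s3cret", {T1, T2}),
        ("all down, 'none' last", ["group tacacs+", "none"], "alice", "s3cret",
         {T1, T2}),
    ]
    for title, methods, user, pw, down in cases:
        verdict, trace = authenticate(methods, user, pw, GROUPS, LOCAL_DB,
                                      make_oracle(down))
        print(f"{title}: {verdict}\n  " + "\n  ".join(trace))
```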


Suppose the system administrator wants to apply a method list only to a particular interface or set of
interfaces. In this case, the system administrator creates a named method list and then applies this named
list to the applicable interfaces. The following example shows how the system administrator can
implement an authentication method that will be applied only to interface 3:
aaa authentication ppp default group radius group tacacs+ local
aaa authentication ppp apple group radius group tacacs+ local none
interface async 3
ppp authentication chap apple

In this example, “apple” is the name of the method list, and the protocols included in this method list are
listed after the name in the order in which they are to be performed. After the method list has been
created, it is applied to the appropriate interface. Note that the method list name (apple) in both the AAA
and PPP authentication commands must match.
In the following example, the system administrator uses server groups to specify that only R2 and T2 are
valid servers for PPP authentication. To do this, the administrator must define specific server groups
whose members are R2 ([Link]) and T2 ([Link]), respectively. In this example, the RADIUS
server group “rad2only” is defined as follows using the aaa group server command:
aaa group server radius rad2only
server [Link]

The TACACS+ server group “tac2only” is defined as follows using the aaa group server command:
aaa group server tacacs+ tac2only
server [Link]

The administrator then applies PPP authentication using the server groups. In this example, the default
methods list for PPP authentication follows this order: group rad2only, group tac2only, and local:
aaa authentication ppp default group rad2only group tac2only local

AAA Authentication General Configuration Procedure


To configure AAA authentication, perform the following tasks:
1. Enable AAA by using the aaa new-model global configuration command. For more information
about configuring AAA, refer to the chapter “AAA Overview”.
2. Configure security protocol parameters, such as RADIUS, TACACS+, or Kerberos if you are using
a security server. For more information about RADIUS, refer to the chapter “Configuring
RADIUS”. For more information about TACACS+, refer to the chapter “Configuring TACACS+”.
For more information about Kerberos, refer to the chapter “Configuring Kerberos”.
3. Define the method lists for authentication by using an AAA authentication command.
4. Apply the method lists to a particular interface or line, if required.

AAA Authentication Methods Configuration Task List


This section discusses the following AAA authentication methods:
• Configuring Login Authentication Using AAA
• Configuring PPP Authentication Using AAA
• Configuring AAA Scalability for PPP Requests
• Configuring ARAP Authentication Using AAA


• Configuring NASI Authentication Using AAA


• Specifying the Amount of Time for Login Input
• Enabling Password Protection at the Privileged Level
• Changing the Text Displayed at the Password Prompt
• Configuring Message Banners for AAA Authentication
• Configuring AAA Packet of Disconnect
• Enabling Double Authentication
• Enabling Automated Double Authentication

Note AAA features are not available for use until you enable AAA globally by issuing the aaa new-model
command. For more information about enabling AAA, refer to the “AAA Overview” chapter.

For authentication configuration examples using the commands in this chapter, refer to the section
“Authentication Examples” at the end of this chapter.

Configuring Login Authentication Using AAA


The AAA security services facilitate a variety of login authentication methods. Use the aaa
authentication login command to enable AAA authentication no matter which of the supported login
authentication methods you decide to use. With the aaa authentication login command, you create one
or more lists of authentication methods that are tried at login. These lists are applied using the login
authentication line configuration command.
To configure login authentication by using AAA, use the following commands beginning in global
configuration mode:

Command Purpose
Step 1 Router(config)# aaa new-model
       Enables AAA globally.
Step 2 Router(config)# aaa authentication login {default | list-name} method1 [method2...]
       Creates a local authentication list.
Step 3 Router(config)# line [aux | console | tty | vty] line-number [ending-line-number]
       Enters line configuration mode for the lines to which you want to apply the authentication list.
Step 4 Router(config-line)# login authentication {default | list-name}
       Applies the authentication list to a line or set of lines.

The list-name is a character string used to name the list you are creating. The method argument refers to
the actual method the authentication algorithm tries. The additional methods of authentication are used
only if the previous method returns an error, not if it fails. To specify that the authentication should
succeed even if all methods return an error, specify none as the final method in the command line.
For example, to specify that authentication should succeed even if (in this example) the TACACS+ server
returns an error, enter the following command:
aaa authentication login default group tacacs+ none

Note Because the none keyword enables any user logging in to successfully authenticate, it should be used
only as a backup method of authentication.


To create a default list that is used when a named list is not specified in the login authentication
command, use the default keyword followed by the methods that are to be used in default situations. The
default method list is automatically applied to all interfaces.
For example, to specify RADIUS as the default method for user authentication during login, enter the
following command:
aaa authentication login default group radius

Table 4 lists the supported login authentication methods.

Table 4 AAA Authentication Login Methods

Keyword Description
enable Uses the enable password for authentication.
krb5 Uses Kerberos 5 for authentication.
krb5-telnet Uses the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router. If selected, this keyword must be listed as the first method in the method list.
line Uses the line password for authentication.
local Uses the local username database for authentication.
local-case Uses case-sensitive local username authentication.
none Uses no authentication.
group radius Uses the list of all RADIUS servers for authentication.
group tacacs+ Uses the list of all TACACS+ servers for authentication.
group group-name Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

Note The login command only changes username and privilege level but does not execute a shell; therefore
autocommands will not be executed. To execute autocommands under this circumstance, you need to
establish a Telnet session back into the router (loop-back). Make sure that the router has been
configured for secure Telnet sessions if you choose to implement autocommands this way.
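As an added example (not Cisco code), the following Python checker applies several rules from this section to a configuration text: aaa new-model must be present, none may only be the final method, a list name applied on a line or interface must match an aaa authentication list (the point made under Method List Examples), every group name must be defined by aaa group server, and krb5-telnet must be listed first in a login list (the same check covers the ARAP guest and auth-guest keywords described later in this chapter). The sample configuration and its server address are constructed.

```python
"""Static checks for AAA authentication configuration, after the rules stated
in this chapter. Added example, not Cisco code. It flags: method lists present
without 'aaa new-model'; 'none' anywhere but last (it must stay a backup);
a list name applied with 'login authentication', 'ppp authentication' or
'arap authentication' that no 'aaa authentication' command defines; a
'group <name>' with no 'aaa group server' definition; and krb5-telnet (login)
or guest/auth-guest (arap) not listed first. The sample configuration below
is constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

FIRST_ONLY = {"login": {"krb5-telnet"}, "arap": {"guest", "auth-guest"}}
PPP_PROTOCOLS = {"chap", "pap", "ms-chap"}
PPP_OPTIONS = {"if-needed", "callin", "one-time", "optional"}


def parse_methods(tokens: List[str]) -> List[str]:
    """['group', 'radius', 'local', 'none'] -> ['group radius', 'local', 'none']"""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def check_aaa_config(config: str) -> List[str]:
    findings: List[str] = []
    new_model = False
    groups: Set[str] = {"radius", "tacacs+"}        # the two built-in groups
    lists: Dict[Tuple[str, str], List[str]] = {}     # (service, name) -> methods
    applied: List[Tuple[str, str]] = []              # (service, name) references

    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok == ["aaa", "new-model"]:
            new_model = True
        elif tok[:3] == ["aaa", "group", "server"] and len(tok) == 5:
            groups.add(tok[4])
        elif tok[:2] == ["aaa", "authentication"] and len(tok) >= 5:
            lists[(tok[2], tok[3])] = parse_methods(tok[4:])
        elif (tok[:2] in (["login", "authentication"], ["arap", "authentication"])
              and len(tok) == 3):
            applied.append((tok[0], tok[2]))
        elif tok[:2] == ["ppp", "authentication"]:
            # The list name is whatever remains once protocols and options are
            # removed; with no name, the default list applies.
            names = [t for t in tok[2:]
                     if t.lower() not in PPP_PROTOCOLS and t not in PPP_OPTIONS]
            applied.append(("ppp", names[-1] if names else "default"))

    if lists and not new_model:
        findings.append("'aaa new-model' is missing: the aaa authentication "
                        "lists have no effect until AAA is enabled")
    for (service, name), methods in lists.items():
        where = f"{service} list '{name}'"
        if "none" in methods and methods[-1] != "none":
            findings.append(f"{where}: 'none' must be the final (backup) method")
        for m in methods:
            if m.startswith("group ") and m[6:] not in groups:
                findings.append(f"{where}: server group '{m[6:]}' is not defined")
        for kw in FIRST_ONLY.get(service, set()):
            if kw in methods and methods[0] != kw:
                findings.append(f"{where}: '{kw}' must be listed first")
    for service, name in applied:
        if (service, name) not in lists:
            findings.append(f"{service} authentication references list '{name}', "
                            f"which no 'aaa authentication {service}' command defines")
    return findings


# Constructed sample; the server address is a documentation placeholder.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius rad2only
 server 192.0.2.17
aaa authentication login default group tacacs+ none
aaa authentication login mgmt krb5 krb5-telnet local
aaa authentication ppp default group rad2only group tacacs+ local
aaa authentication ppp apple none group radius
aaa authentication arap default if-needed none
interface async 3
 ppp authentication chap apple
line vty 0 4
 login authentication mgmt
line vty 5 15
 login authentication admins
"""

if __name__ == "__main__":
    for f in check_aaa_config(SAMPLE_CONFIG):
        print("finding:", f)
```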

This section includes the following sections:


• Login Authentication Using Enable Password
• Login Authentication Using Kerberos
• Login Authentication Using Line Password
• Login Authentication Using Local Password
• Login Authentication Using Group RADIUS
• Login Authentication Using Group TACACS+
• Login Authentication Using group group-name


Login Authentication Using Enable Password


Use the aaa authentication login command with the enable method keyword to specify the enable
password as the login authentication method. For example, to specify the enable password as the method
of user authentication at login when no other method list has been defined, enter the following command:
aaa authentication login default enable

Before you can use the enable password as the login authentication method, you need to define the
enable password. For more information about defining enable passwords, refer to the chapter
“Configuring Passwords and Privileges.”

Login Authentication Using Kerberos


Authentication via Kerberos is different from most other authentication methods: the user’s password is
never sent to the remote access server. Remote users logging in to the network are prompted for a
username. If the key distribution center (KDC) has an entry for that user, it creates an encrypted ticket
granting ticket (TGT) with the password for that user and sends it back to the router. The user is then
prompted for a password, and the router attempts to decrypt the TGT with that password. If it succeeds,
the user is authenticated and the TGT is stored in the user’s credential cache on the router.
While krb5 does use the KINIT program, a user does not need to run the KINIT program to get a TGT
to authenticate to the router. This is because KINIT has been integrated into the login procedure in the
Cisco IOS implementation of Kerberos.
Use the aaa authentication login command with the krb5 method keyword to specify Kerberos as the
login authentication method. For example, to specify Kerberos as the method of user authentication at
login when no other method list has been defined, enter the following command:
aaa authentication login default krb5

Before you can use Kerberos as the login authentication method, you need to enable communication with
the Kerberos security server. For more information about establishing communication with a Kerberos
server, refer to the chapter “Configuring Kerberos.”

Login Authentication Using Line Password


Use the aaa authentication login command with the line method keyword to specify the line password
as the login authentication method. For example, to specify the line password as the method of user
authentication at login when no other method list has been defined, enter the following command:
aaa authentication login default line

Before you can use a line password as the login authentication method, you need to define a line
password. For more information about defining line passwords, refer to the section “Configuring Line
Password Protection” in this chapter.

Login Authentication Using Local Password


Use the aaa authentication login command with the local method keyword to specify that the Cisco
router or access server will use the local username database for authentication. For example, to specify
the local username database as the method of user authentication at login when no other method list has
been defined, enter the following command:
aaa authentication login default local

For information about adding users into the local username database, refer to the section “Establishing
Username Authentication” in this chapter.


Login Authentication Using Group RADIUS


Use the aaa authentication login command with the group radius method to specify RADIUS as the
login authentication method. For example, to specify RADIUS as the method of user authentication at
login when no other method list has been defined, enter the following command:
aaa authentication login default group radius

Before you can use RADIUS as the login authentication method, you need to enable communication with
the RADIUS security server. For more information about establishing communication with a RADIUS
server, refer to the chapter “Configuring RADIUS.”

Configuring RADIUS Attribute 8 in Access Requests

Once you have used the aaa authentication login command to specify RADIUS and your login host has
been configured to request its IP address from the NAS, you can send attribute 8 (Framed-IP-Address)
in access-request packets by using the radius-server attribute 8 include-in-access-req command in
global configuration mode. This command makes it possible for a NAS to provide the RADIUS server
with a hint of the user IP address in advance of user authentication. For more information about
attribute 8, refer to the appendix “RADIUS Attributes” at the end of the book.

Login Authentication Using Group TACACS+


Use the aaa authentication login command with the group tacacs+ method to specify TACACS+ as the
login authentication method. For example, to specify TACACS+ as the method of user authentication at
login when no other method list has been defined, enter the following command:
aaa authentication login default group tacacs+

Before you can use TACACS+ as the login authentication method, you need to enable communication
with the TACACS+ security server. For more information about establishing communication with a
TACACS+ server, refer to the chapter “Configuring TACACS+.”

Login Authentication Using group group-name


Use the aaa authentication login command with the group group-name method to specify a subset of
RADIUS or TACACS+ servers to use as the login authentication method. To specify and define the group
name and the members of the group, use the aaa group server command. For example, use the aaa
group server command to first define the members of group loginrad:
aaa group server radius loginrad
server [Link]
server 172.16.2.17
server [Link]

This command specifies RADIUS servers [Link], [Link], and [Link] as members of the
group loginrad.
To specify group loginrad as the method of user authentication at login when no other method list has
been defined, enter the following command:
aaa authentication login default group loginrad

Before you can use a group name as the login authentication method, you need to enable communication
with the RADIUS or TACACS+ security server. For more information about establishing communication
with a RADIUS server, refer to the chapter “Configuring RADIUS.” For more information about
establishing communication with a TACACS+ server, refer to the chapter “Configuring TACACS+.”


Configuring PPP Authentication Using AAA


Many users access network access servers through dialup via async or ISDN. Dialup via async or ISDN
bypasses the CLI completely; instead, a network protocol (such as PPP or ARA) starts as soon as the
connection is established.
The AAA security services facilitate a variety of authentication methods for use on serial interfaces
running PPP. Use the aaa authentication ppp command to enable AAA authentication no matter which
of the supported PPP authentication methods you decide to use.
To configure AAA authentication methods for serial lines using PPP, use the following commands in
global configuration mode:

Command Purpose
Step 1 Router(config)# aaa new-model
       Enables AAA globally.
Step 2 Router(config)# aaa authentication ppp {default | list-name} method1 [method2...]
       Creates a local authentication list.
Step 3 Router(config)# interface interface-type interface-number
       Enters interface configuration mode for the interface to which you want to apply the authentication list.
Step 4 Router(config-if)# ppp authentication {protocol1 [protocol2...]} [if-needed] {default | list-name} [callin] [one-time] [optional]
       Applies the authentication list to a line or set of lines. In this command, protocol1 and protocol2 represent the following protocols: CHAP, MS-CHAP, and PAP. PPP authentication is attempted first using the first authentication method, specified by protocol1. If protocol1 is unable to establish authentication, the next configured protocol is used to negotiate authentication.

With the aaa authentication ppp command, you create one or more lists of authentication methods that
are tried when a user tries to authenticate via PPP. These lists are applied using the ppp authentication
interface configuration command.
To create a default list that is used when a named list is not specified in the ppp authentication
command, use the default keyword followed by the methods you want used in default situations.
For example, to specify the local username database as the default method for user authentication, enter
the following command:
aaa authentication ppp default local

The list-name is any character string used to name the list you are creating. The method argument refers
to the actual method the authentication algorithm tries. The additional methods of authentication are
used only if the previous method returns an error, not if it fails. To specify that the authentication should
succeed even if all methods return an error, specify none as the final method in the command line.
For example, to specify that authentication should succeed even if (in this example) the TACACS+ server
returns an error, enter the following command:
aaa authentication ppp default group tacacs+ none

Note Because none allows all users logging in to authenticate successfully, it should be used as a backup
method of authentication.

Table 5 lists the supported PPP authentication methods.


Table 5 AAA Authentication PPP Methods

Keyword Description
if-needed Does not authenticate if the user has already been authenticated on a TTY line.
krb5 Uses Kerberos 5 for authentication (can only be used for PAP authentication).
local Uses the local username database for authentication.
local-case Uses case-sensitive local username authentication.
none Uses no authentication.
group radius Uses the list of all RADIUS servers for authentication.
group tacacs+ Uses the list of all TACACS+ servers for authentication.
group group-name Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

This section includes the following sections:


• PPP Authentication Using Kerberos
• PPP Authentication Using Local Password
• PPP Authentication Using Group RADIUS
• PPP Authentication Using Group TACACS+
• PPP Authentication Using group group-name

PPP Authentication Using Kerberos


Use the aaa authentication ppp command with the krb5 method keyword to specify Kerberos as the
authentication method for use on interfaces running PPP. For example, to specify Kerberos as the method
of user authentication when no other method list has been defined, enter the following command:
aaa authentication ppp default krb5

Before you can use Kerberos as the PPP authentication method, you need to enable communication with
the Kerberos security server. For more information about establishing communication with a Kerberos
server, refer to the chapter “Configuring Kerberos”.

Note Kerberos login authentication works only with PPP PAP authentication.

PPP Authentication Using Local Password


Use the aaa authentication ppp command with the method keyword local to specify that the Cisco
router or access server will use the local username database for authentication. For example, to specify
the local username database as the method of authentication for use on lines running PPP when no other
method list has been defined, enter the following command:
aaa authentication ppp default local

For information about adding users into the local username database, refer to the section “Establishing
Username Authentication” in this chapter.


PPP Authentication Using Group RADIUS


Use the aaa authentication ppp command with the group radius method to specify RADIUS as the
PPP authentication method. For example, to specify RADIUS as the method of user authentication for
PPP when no other method list has been defined, enter the following command:
aaa authentication ppp default group radius

Before you can use RADIUS as the PPP authentication method, you need to enable communication with
the RADIUS security server. For more information about establishing communication with a RADIUS
server, refer to the chapter “Configuring RADIUS.”

Configuring RADIUS Attribute 44 in Access Requests

Once you have used the aaa authentication ppp command with the group radius method to specify
RADIUS as the PPP authentication method, you can configure your router to send attribute 44
(Acct-Session-ID) in access-request packets by using the radius-server attribute 44
include-in-access-req command in global configuration mode. This command allows the RADIUS
daemon to track a call from the beginning of the call to the end of the call. For more information on
attribute 44, refer to the appendix “RADIUS Attributes” at the end of the book.

PPP Authentication Using Group TACACS+


Use the aaa authentication ppp command with the group tacacs+ method to specify TACACS+ as the
PPP authentication method. For example, to specify TACACS+ as the method of user authentication for
PPP when no other method list has been defined, enter the following command:
aaa authentication ppp default group tacacs+

Before you can use TACACS+ as the PPP authentication method, you need to enable communication
with the TACACS+ security server. For more information about establishing communication with a
TACACS+ server, refer to the chapter “Configuring TACACS+.”

PPP Authentication Using group group-name


Use the aaa authentication ppp command with the group group-name method to specify a subset of
RADIUS or TACACS+ servers to use as the PPP authentication method. To specify and define the group
name and the members of the group, use the aaa group server command. For example, use the aaa
group server command to first define the members of group ppprad:
aaa group server radius ppprad
server [Link]
server 172.16.2.17
server [Link]

This command specifies RADIUS servers [Link], [Link], and [Link] as members of the
group ppprad.
To specify group ppprad as the method of user authentication for PPP when no other method list has
been defined, enter the following command:
aaa authentication ppp default group ppprad

Before you can use a group name as the PPP authentication method, you need to enable communication
with the RADIUS or TACACS+ security server. For more information about establishing communication
with a RADIUS server, refer to the chapter “Configuring RADIUS”. For more information about
establishing communication with a TACACS+ server, refer to the chapter “Configuring TACACS+.”


Configuring AAA Scalability for PPP Requests


You can configure and monitor the number of background processes allocated by the PPP manager in
the network access server (NAS) to deal with AAA authentication and authorization requests. In
previous Cisco IOS releases, only one background process was allocated to handle all AAA requests for
PPP. This meant that parallelism in AAA servers could not be fully exploited. The AAA Scalability
feature enables you to configure the number of processes used to handle AAA requests for PPP, thus
increasing the number of users that can be simultaneously authenticated or authorized.
To allocate a specific number of background processes to handle AAA requests for PPP, use the
following command in global configuration mode:

Command Purpose
Router(config)# aaa processes number
       Allocates a specific number of background processes to handle AAA authentication and authorization requests for PPP.

The argument number defines the number of background processes earmarked to process AAA
authentication and authorization requests for PPP and can be configured for any value from 1 to
2147483647. Because of the way the PPP manager handles requests for PPP, this argument also defines
the number of new users that can be simultaneously authenticated. This argument can be increased or
decreased at any time.

Note Allocating additional background processes can be expensive. You should configure the minimum
number of background processes capable of handling the AAA requests for PPP.

Configuring ARAP Authentication Using AAA


With the aaa authentication arap command, you create one or more lists of authentication methods that
are tried when AppleTalk Remote Access Protocol (ARAP) users attempt to log in to the router. These
lists are used with the arap authentication line configuration command.
Use the following commands starting in global configuration mode:

Command Purpose
Step 1 Router(config)# aaa new-model
       Enables AAA globally.
Step 2 Router(config)# aaa authentication arap {default | list-name} method1 [method2...]
       Enables authentication for ARAP users.
Step 3 Router(config)# line number
       (Optional) Changes to line configuration mode.
Step 4 Router(config-line)# autoselect arap
       (Optional) Enables autoselection of ARAP.
Step 5 Router(config-line)# autoselect during-login
       (Optional) Starts the ARAP session automatically at user login.
Step 6 Router(config-line)# arap authentication list-name
       (Optional; not needed if default is used in the aaa authentication arap command) Enables TACACS+ authentication for ARAP on a line.


The list-name is any character string used to name the list you are creating. The method argument refers
to the actual list of methods the authentication algorithm tries, in the sequence entered.
To create a default list that is used when a named list is not specified in the arap authentication
command, use the default keyword followed by the methods you want to be used in default situations.
The additional methods of authentication are used only if the previous method returns an error, not if it
fails. To specify that the authentication should succeed even if all methods return an error, specify none
as the final method in the command line.

Note Because none allows all users logging in to authenticate successfully, it should be used as a backup
method of authentication.

Table 6 lists the supported ARAP authentication methods.

Table 6 AAA Authentication ARAP Methods

Keyword Description
auth-guest Allows guest logins only if the user has already logged in to EXEC.
guest Allows guest logins.
line Uses the line password for authentication.
local Uses the local username database for authentication.
local-case Uses case-sensitive local username authentication.
group radius Uses the list of all RADIUS servers for authentication.
group tacacs+ Uses the list of all TACACS+ servers for authentication.
group group-name Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

For example, to create a default AAA authentication method list used with ARAP, enter the following
command:
aaa authentication arap default if-needed none

To create the same authentication method list for ARAP but name the list MIS-access, enter the
following command:
aaa authentication arap MIS-access if-needed none

This section includes the following sections:


• ARAP Authentication Allowing Authorized Guest Logins
• ARAP Authentication Allowing Guest Logins
• ARAP Authentication Using Line Password
• ARAP Authentication Using Local Password
• ARAP Authentication Using Group RADIUS
• ARAP Authentication Using Group TACACS+
• ARAP Authentication Using Group group-name


ARAP Authentication Allowing Authorized Guest Logins


Use the aaa authentication arap command with the auth-guest keyword to allow guest logins only if
the user has already successfully logged in to the EXEC. This method must be the first listed in the
ARAP authentication method list but it can be followed by other methods if it does not succeed. For
example, to allow all authorized guest logins—meaning logins by users who have already successfully
logged in to the EXEC—as the default method of authentication, using RADIUS only if that method
fails, enter the following command:
aaa authentication arap default auth-guest group radius

For more information about ARAP authorized guest logins, refer to the chapter “Configuring
AppleTalk” in the Cisco IOS AppleTalk and Novell IPX Configuration Guide.

Note By default, guest logins through ARAP are disabled when you initialize AAA. To allow guest logins,
you must use the aaa authentication arap command with either the guest or the auth-guest
keyword.

ARAP Authentication Allowing Guest Logins


Use the aaa authentication arap command with the guest keyword to allow guest logins. This method
must be the first listed in the ARAP authentication method list but it can be followed by other methods
if it does not succeed. For example, to allow all guest logins as the default method of authentication,
using RADIUS only if that method fails, enter the following command:
aaa authentication arap default guest group radius

For more information about ARAP guest logins, refer to the chapter “Configuring AppleTalk” in the
Cisco IOS AppleTalk and Novell IPX Configuration Guide.

ARAP Authentication Using Line Password


Use the aaa authentication arap command with the method keyword line to specify the line password
as the authentication method. For example, to specify the line password as the method of ARAP user
authentication when no other method list has been defined, enter the following command:
aaa authentication arap default line

Before you can use a line password as the ARAP authentication method, you need to define a line
password. For more information about defining line passwords, refer to the section “Configuring Line
Password Protection” in this chapter.

ARAP Authentication Using Local Password


Use the aaa authentication arap command with the method keyword local to specify that the Cisco
router or access server will use the local username database for authentication. For example, to specify
the local username database as the method of ARAP user authentication when no other method list has
been defined, enter the following command:
aaa authentication arap default local

For information about adding users to the local username database, refer to the section “Establishing
Username Authentication” in this chapter.


ARAP Authentication Using Group RADIUS


Use the aaa authentication arap command with the group radius method to specify RADIUS as the
ARAP authentication method. For example, to specify RADIUS as the method of user authentication at
login when no other method list has been defined, enter the following command:
aaa authentication arap default group radius

Before you can use RADIUS as the ARAP authentication method, you need to enable communication
with the RADIUS security server. For more information about establishing communication with a
RADIUS server, refer to the chapter “Configuring RADIUS.”

ARAP Authentication Using Group TACACS+


Use the aaa authentication arap command with the group tacacs+ method to specify TACACS+ as the
ARAP authentication method. For example, to specify TACACS+ as the method of user authentication
at login when no other method list has been defined, enter the following command:
aaa authentication arap default group tacacs+

Before you can use TACACS+ as the ARAP authentication method, you need to enable communication
with the TACACS+ security server. For more information about establishing communication with a
TACACS+ server, refer to the chapter “Configuring TACACS+.”

ARAP Authentication Using Group group-name


Use the aaa authentication arap command with the group group-name method to specify a subset of
RADIUS or TACACS+ servers to use as the ARAP authentication method. To specify and define the
group name and the members of the group, use the aaa group server command. For example, use the
aaa group server command to first define the members of group araprad:
aaa group server radius araprad
server [Link]
server 172.16.2.17
server [Link]

This command specifies RADIUS servers [Link], [Link], and [Link] as members of the
group araprad.
To specify group araprad as the method of user authentication at login when no other method list has
been defined, enter the following command:
aaa authentication arap default group araprad

Before you can use a group name as the ARAP authentication method, you need to enable
communication with the RADIUS or TACACS+ security server. For more information about establishing
communication with a RADIUS server, refer to the chapter “Configuring RADIUS.” For more
information about establishing communication with a TACACS+ server, refer to the chapter
“Configuring TACACS+.”


Configuring NASI Authentication Using AAA


With the aaa authentication nasi command, you create one or more lists of authentication methods that
are tried when NetWare Asynchronous Services Interface (NASI) users attempt to log in to the router.
These lists are used with the nasi authentication line configuration command.
To configure NASI authentication using AAA, use the following commands starting in global
configuration mode:

Command                                                      Purpose
Step 1  Router(config)# aaa new-model                        Enables AAA globally.
Step 2  Router(config)# aaa authentication nasi              Enables authentication for NASI users.
        {default | list-name} method1 [method2...]
Step 3  Router(config)# line number                          (Optional; not needed if default is used in the
                                                             aaa authentication nasi command) Enters line
                                                             configuration mode.
Step 4  Router(config-line)# nasi authentication list-name   (Optional; not needed if default is used in the
                                                             aaa authentication nasi command) Enables
                                                             authentication for NASI on a line.

The list-name is any character string used to name the list you are creating. The method argument refers
to the actual list of methods the authentication algorithm tries, in the sequence entered.
To create a default list that is used when a named list is not specified in the aaa authentication nasi
command, use the default keyword followed by the methods you want to be used in default situations.
The additional methods of authentication are used only if the previous method returns an error, not if it
fails. To specify that the authentication should succeed even if all methods return an error, specify none
as the final method in the command line.

Note Because none allows all users logging in to authenticate successfully, it should be used as a backup
method of authentication.

Table 7 lists the supported NASI authentication methods.

Table 7 AAA Authentication NASI Methods

Keyword            Description
enable             Uses the enable password for authentication.
line               Uses the line password for authentication.
local              Uses the local username database for authentication.
local-case         Uses case-sensitive local username authentication.
none               Uses no authentication.
group radius       Uses the list of all RADIUS servers for authentication.
group tacacs+      Uses the list of all TACACS+ servers for authentication.
group group-name   Uses a subset of RADIUS or TACACS+ servers for authentication as defined by
                   the aaa group server radius or aaa group server tacacs+ command.


This section includes the following sections:


• NASI Authentication Using Enable Password
• NASI Authentication Using Line Password
• NASI Authentication Using Local Password
• NASI Authentication Using Group RADIUS
• NASI Authentication Using Group TACACS+
• NASI Authentication Using group group-name

NASI Authentication Using Enable Password


Use the aaa authentication nasi command with the method keyword enable to specify the enable
password as the authentication method. For example, to specify the enable password as the method of
NASI user authentication when no other method list has been defined, enter the following command:
aaa authentication nasi default enable

Before you can use the enable password as the authentication method, you need to define the enable
password. For more information about defining enable passwords, refer to the chapter “Configuring
Passwords and Privileges.”

NASI Authentication Using Line Password


Use the aaa authentication nasi command with the method keyword line to specify the line password
as the authentication method. For example, to specify the line password as the method of NASI user
authentication when no other method list has been defined, enter the following command:
aaa authentication nasi default line

Before you can use a line password as the NASI authentication method, you need to define a line
password. For more information about defining line passwords, refer to the section “Configuring Line
Password Protection” in this chapter.

NASI Authentication Using Local Password


Use the aaa authentication nasi command with the method keyword local to specify that the Cisco
router or access server will use the local username database for authentication information. For example,
to specify the local username database as the method of NASI user authentication when no other method
list has been defined, enter the following command:
aaa authentication nasi default local

For information about adding users to the local username database, refer to the section “Establishing
Username Authentication” in this chapter.


NASI Authentication Using Group RADIUS


Use the aaa authentication nasi command with the group radius method to specify RADIUS as the
NASI authentication method. For example, to specify RADIUS as the method of NASI user
authentication when no other method list has been defined, enter the following command:
aaa authentication nasi default group radius

Before you can use RADIUS as the NASI authentication method, you need to enable communication
with the RADIUS security server. For more information about establishing communication with a
RADIUS server, refer to the chapter “Configuring RADIUS.”

NASI Authentication Using Group TACACS+


Use the aaa authentication nasi command with the group tacacs+ method keyword to specify
TACACS+ as the NASI authentication method. For example, to specify TACACS+ as the method of
NASI user authentication when no other method list has been defined, enter the following command:
aaa authentication nasi default group tacacs+

Before you can use TACACS+ as the authentication method, you need to enable communication with the
TACACS+ security server. For more information about establishing communication with a TACACS+
server, refer to the chapter “Configuring TACACS+.”

NASI Authentication Using group group-name


Use the aaa authentication nasi command with the group group-name method to specify a subset of
RADIUS or TACACS+ servers to use as the NASI authentication method. To specify and define the
group name and the members of the group, use the aaa group server command. For example, use the
aaa group server command to first define the members of group nasirad:
aaa group server radius nasirad
server [Link]
server 172.16.2.17
server [Link]

This command specifies RADIUS servers [Link], [Link], and [Link] as members of the
group nasirad.
To specify group nasirad as the method of user authentication at login when no other method list has
been defined, enter the following command:
aaa authentication nasi default group nasirad

Before you can use a group name as the NASI authentication method, you need to enable communication
with the RADIUS or TACACS+ security server. For more information about establishing communication
with a RADIUS server, refer to the chapter “Configuring RADIUS”. For more information about
establishing communication with a TACACS+ server, refer to the chapter “Configuring TACACS+.”


Specifying the Amount of Time for Login Input


The timeout login response command allows you to specify how long the system will wait for login
input (such as username and password) before timing out. The default login value is 30 seconds; with
the timeout login response command, you can specify a timeout value from 1 to 300 seconds. To change
the login timeout value from the default of 30 seconds, use the following command in line configuration
mode:

Command                                                Purpose
Router(config-line)# timeout login response seconds    Specifies how long the system will wait for login
                                                       information before timing out.

Enabling Password Protection at the Privileged Level


Use the aaa authentication enable default command to create a series of authentication methods that
are used to determine whether a user can access the privileged EXEC command level. You can specify
up to four authentication methods. The additional methods of authentication are used only if the previous
method returns an error, not if it fails. To specify that the authentication should succeed even if all
methods return an error, specify none as the final method in the command line.
Use the following command in global configuration mode:

Command                                              Purpose
Router(config)# aaa authentication enable default    Enables user ID and password checking for users
method1 [method2...]                                 requesting privileged EXEC level.

                                                     Note All aaa authentication enable default requests
                                                     sent by the router to a RADIUS server include the
                                                     username “$enab15$.” Requests sent to a TACACS+
                                                     server will include the username that is entered
                                                     for login authentication.

The method argument refers to the actual list of methods the authentication algorithm tries, in the
sequence entered. Table 8 lists the supported enable authentication methods.

Table 8 AAA Authentication Enable Default Methods

Keyword            Description
enable             Uses the enable password for authentication.
line               Uses the line password for authentication.
none               Uses no authentication.
group radius       Uses the list of all RADIUS hosts for authentication.
                   Note The RADIUS method does not work on a per-username basis.
group tacacs+      Uses the list of all TACACS+ hosts for authentication.
group group-name   Uses a subset of RADIUS or TACACS+ servers for authentication as defined by
                   the aaa group server radius or aaa group server tacacs+ command.
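The rule stated for both the NASI method list and the aaa authentication enable default list, that a later method is consulted only when the previous one returns an error and never when it fails, is easy to misread, and it is exactly what decides whether a trailing none is a safe backup or an open door. The following model, added here and not Cisco IOS code, walks a configured list the way the guide describes; the Outcome names, the sample credential stores, and the behaviour of each modelled method (RADIUS returning an error only when no server is reachable) are assumptions of the model:

```python
"""Model of AAA method-list evaluation: "error" versus "fail".

Added example, not Cisco IOS code.  It models the rule stated in this
guide for the aaa authentication nasi and aaa authentication enable
default lists: the next method is consulted only when the previous one
returns an ERROR (for example, no server reachable), never when it FAILs
(credentials rejected).  The Outcome names, the sample user databases and
the behaviour of each modelled method are assumptions of this model.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Outcome(Enum):
    PASS = "pass"    # credentials accepted; evaluation stops
    FAIL = "fail"    # credentials rejected; evaluation stops, no fallback
    ERROR = "error"  # method could not decide; try the next method


Method = Callable[[str, str], Outcome]


def authenticate(method_list: List[Tuple[str, Method]],
                 user: str, password: str) -> Tuple[bool, List[str]]:
    """Walk the list in the order configured; return (accepted, trace)."""
    trace: List[str] = []
    for name, method in method_list:
        result = method(user, password)
        trace.append(f"{name}={result.value}")
        if result is Outcome.PASS:
            return True, trace
        if result is Outcome.FAIL:
            return False, trace
        # ERROR: fall through to the next method in the list
    return False, trace  # every method errored and nothing accepted the user


def group_radius(reachable: bool, users: Dict[str, str]) -> Method:
    """'group radius': ERROR when no server answers, else PASS/FAIL (modelled)."""
    def method(user: str, password: str) -> Outcome:
        if not reachable:
            return Outcome.ERROR
        return Outcome.PASS if users.get(user) == password else Outcome.FAIL
    return method


def local(users: Dict[str, str]) -> Method:
    """'local': check the local username database (modelled as a dict)."""
    def method(user: str, password: str) -> Outcome:
        return Outcome.PASS if users.get(user) == password else Outcome.FAIL
    return method


def none(user: str, password: str) -> Outcome:
    """'none': accepts everyone, which is why it belongs last, as a backup."""
    return Outcome.PASS


# Constructed sample credential stores for the demonstration.
RADIUS_USERS = {"alice": "correct-horse"}
LOCAL_USERS = {"admin": "local-secret"}


def scenario(radius_reachable: bool, user: str, password: str,
             backup: str = "none") -> Tuple[bool, List[str]]:
    """Evaluate the list 'group radius <backup>' for one login attempt."""
    backup_method = none if backup == "none" else local(LOCAL_USERS)
    method_list = [("group radius", group_radius(radius_reachable, RADIUS_USERS)),
                   (backup, backup_method)]
    return authenticate(method_list, user, password)


if __name__ == "__main__":
    # Wrong password with the server up: FAIL stops the list; 'none' is never reached.
    print(scenario(True, "alice", "wrong"))
    # Server down: ERROR falls through to 'none', and anyone is let in.
    print(scenario(False, "alice", "wrong"))
    # Server down with 'local' as the backup: the local database decides.
    print(scenario(False, "admin", "bad", backup="local"))
```

The second scenario is the one the Note warns about: with none as the backup, an unreachable server means every login succeeds, so a local database as the backup method keeps a credential check in place while the servers are down.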


Changing the Text Displayed at the Password Prompt


Use the aaa authentication password-prompt command to change the default text that the Cisco IOS
software displays when prompting a user to enter a password. This command changes the password
prompt for the enable password as well as for login passwords that are not supplied by remote security
servers. The no form of this command returns the password prompt to the following default value:
Password:

The aaa authentication password-prompt command does not change any dialog that is supplied by a
remote TACACS+ or RADIUS server.
The aaa authentication password-prompt command works when RADIUS is used as the login method.
You will be able to see the password prompt defined in the command shown even when the RADIUS
server is unreachable. The aaa authentication password-prompt command does not work with
TACACS+. TACACS+ supplies the NAS with the password prompt to display to the users. If the
TACACS+ server is reachable, the NAS gets the password prompt from the server and uses that prompt
instead of the one defined in the aaa authentication password-prompt command. If the TACACS+
server is not reachable, the password prompt defined in the aaa authentication password-prompt
command may be used.
Use the following command in global configuration mode:

Command                                      Purpose
Router(config)# aaa authentication           Changes the default text displayed when a user is prompted
password-prompt text-string                  to enter a password.

Configuring Message Banners for AAA Authentication


AAA supports the use of configurable, personalized login and failed-login banners. You can configure
message banners that will be displayed when a user logs in to the system to be authenticated using AAA
and when, for whatever reason, authentication fails.
This section includes the following sections:
• Configuring a Login Banner
• Configuring a Failed-Login Banner


Configuring a Login Banner


To create a login banner, you need to configure a delimiting character, which notifies the system that the
following text string is to be displayed as the banner, and then the text string itself. The delimiting
character is repeated at the end of the text string to signify the end of the banner. The delimiting character
can be any single character in the extended ASCII character set, but once defined as the delimiter, that
character cannot be used in the text string making up the banner.
To configure a banner that will be displayed whenever a user logs in (replacing the default message for
login), use the following commands in global configuration mode:

Command                                                        Purpose
Step 1  Router(config)# aaa new-model                          Enables AAA.
Step 2  Router(config)# aaa authentication banner delimiter    Creates a personalized login banner.
        string delimiter

The maximum number of characters that can be displayed in the login banner is 2996 characters.

Configuring a Failed-Login Banner


To create a failed-login banner, you need to configure a delimiting character, which notifies the system
that the following text string is to be displayed as the banner, and then the text string itself. The
delimiting character is repeated at the end of the text string to signify the end of the failed-login banner.
The delimiting character can be any single character in the extended ASCII character set, but once
defined as the delimiter, that character cannot be used in the text string making up the banner.
To configure a message that will be displayed whenever a user fails login (replacing the default message
for failed login), use the following commands in global configuration mode:

Command                                                        Purpose
Step 1  Router(config)# aaa new-model                          Enables AAA.
Step 2  Router(config)# aaa authentication fail-message        Creates a message to be displayed when a user
        delimiter string delimiter                             fails login.

The maximum number of characters that can be displayed in the failed-login banner is 2996 characters.
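Both banner commands share the same delimiter convention: the first character after the keyword opens the banner, the next occurrence of that character closes it, the character may not appear in the text, and the text is limited to 2996 characters. The parser below, an added example rather than Cisco's own parser, applies those rules to a login banner or failed-login banner command so that a configuration can be checked before it is pushed; the BannerError class, the function names, and the sample commands are constructed for this example:

```python
"""Parser for the banner form used by aaa authentication banner and
aaa authentication fail-message.

Added example, not Cisco IOS code.  It applies the three rules stated in
this guide: the first non-blank character after the keyword is the
delimiter, the banner text runs up to the next occurrence of that
delimiter (so the delimiter cannot appear inside the text), and the text
is limited to 2996 characters.  The BannerError class and the function
names are assumptions of this example.
"""
import re
from typing import Tuple

MAX_BANNER_CHARS = 2996  # limit stated in the guide for both banner kinds

_HEAD = re.compile(r"^\s*aaa\s+authentication\s+(banner|fail-message)\s+(\S)")


class BannerError(ValueError):
    """Raised when the command does not satisfy the banner rules."""


def parse_banner_command(command: str) -> Tuple[str, str]:
    """Return (kind, text) for a banner or fail-message command.

    kind is 'banner' or 'fail-message'; text is the banner body without
    its delimiters.  The command may span several lines, since banner
    text may.
    """
    head = _HEAD.match(command)
    if head is None:
        raise BannerError("not an aaa authentication banner/fail-message command")
    kind, delimiter = head.group(1), head.group(2)
    body = command[head.end():]
    end = body.find(delimiter)
    if end < 0:
        raise BannerError(f"closing delimiter {delimiter!r} not found")
    text = body[:end]
    # Anything after the closing delimiter means the delimiter occurred
    # inside the intended banner text, which the guide says is not allowed.
    if body[end + 1:].strip():
        raise BannerError(f"delimiter {delimiter!r} must not appear inside the banner text")
    if len(text) > MAX_BANNER_CHARS:
        raise BannerError(f"banner text is {len(text)} characters; limit is {MAX_BANNER_CHARS}")
    return kind, text


def is_valid_banner_command(command: str) -> bool:
    """Convenience wrapper: True when parse_banner_command accepts the command."""
    try:
        parse_banner_command(command)
        return True
    except BannerError:
        return False


if __name__ == "__main__":
    # Constructed sample commands.
    print(parse_banner_command("aaa authentication banner *Unauthorized use is prohibited.*"))
    print(parse_banner_command("aaa authentication fail-message ^Login failed.\nContact the NOC.^"))
    print(is_valid_banner_command("aaa authentication banner *Use of * is forbidden*"))  # False
```

The third sample is the case the guide's restriction is about: an asterisk inside the text closes the banner early, and the leftover text after it is what the check reports.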


Configuring AAA Packet of Disconnect


Packet of disconnect (POD) terminates connections on the network access server (NAS) when particular
session attributes are identified. By using session information obtained from AAA, the POD client residing
on a UNIX workstation sends disconnect packets to the POD server running on the network access server.
The NAS terminates any inbound user session with one or more matching key attributes. It rejects requests
when required fields are missing or when an exact match is not found.
To configure POD, perform the following tasks in global configuration mode:

Command                                                   Purpose
Step 1  Router(config)# aaa accounting network default    Enables AAA accounting records.
        start-stop radius
Step 2  Router(config)# aaa accounting delay-start        (Optional) Delays generation of the start accounting
                                                          record until the Framed-IP-Address is assigned,
                                                          allowing its use in the POD packet.
Step 3  Router(config)# aaa pod server server-key string  Enables POD reception.
Step 4  Router(config)# radius-server host IP address     Declares a RADIUS host that uses a
                                                          non-standard vendor-proprietary version of RADIUS.

Enabling Double Authentication


Previously, PPP sessions could only be authenticated by using a single authentication method: either
PAP or CHAP. Double authentication requires remote users to pass a second stage of
authentication—after CHAP or PAP authentication—before gaining network access.
This second (“double”) authentication requires a password that is known to the user but not stored on
the user’s remote host. Therefore, the second authentication is specific to a user, not to a host. This
provides an additional level of security that will be effective even if information from the remote host is
stolen. In addition, this also provides greater flexibility by allowing customized network privileges for
each user.
The second stage authentication can use one-time passwords such as token card passwords, which are
not supported by CHAP. If one-time passwords are used, a stolen user password is of no use to the
perpetrator.
This section includes the following subsections:
• How Double Authentication Works
• Configuring Double Authentication
• Accessing the User Profile After Double Authentication

How Double Authentication Works


With double authentication, there are two authentication/authorization stages. These two stages occur
after a remote user dials in and a PPP session is initiated.
In the first stage, the user logs in using the remote host name; CHAP (or PAP) authenticates the remote
host, and then PPP negotiates with AAA to authorize the remote host. In this process, the network access
privileges associated with the remote host are assigned to the user.


Note We suggest that the network administrator restrict authorization at this first stage to allow only Telnet
connections to the local host.

In the second stage, the remote user must Telnet to the network access server to be authenticated. When
the remote user logs in, the user must be authenticated with AAA login authentication. The user then
must enter the access-profile command to be reauthorized using AAA. When this authorization is
complete, the user has been double authenticated, and can access the network according to per-user
network privileges.
The system administrator determines what network privileges remote users will have after each stage of
authentication by configuring appropriate parameters on a security server. To use double authentication,
the user must activate it by issuing the access-profile command.

Caution Double authentication can cause certain undesirable events if multiple hosts share a PPP connection
to a network access server, as shown in Figure 4.

First, if a user, Bob, initiates a PPP session and activates double authentication at the network access
server (per Figure 4), any other user will automatically have the same network privileges as Bob until
Bob’s PPP session expires. This happens because Bob’s authorization profile is applied to the
network access server’s interface during the PPP session and any PPP traffic from other users will
use the PPP session Bob established.
Second, if Bob initiates a PPP session and activates double authentication, and then—before Bob’s
PPP session has expired—another user, Jane, executes the access-profile command (or, if Jane
Telnets to the network access server and autocommand access-profile is executed), a
reauthorization will occur and Jane’s authorization profile will be applied to the interface—replacing
Bob’s profile. This can disrupt or halt Bob’s PPP traffic, or grant Bob additional authorization
privileges Bob should not have.

Figure 4 Possibly Risky Topology: Multiple Hosts Share a PPP Connection to a Network
Access Server

[Figure 4 is an image not reproduced here. Its labels: Remote host (Bob, Jane), Router, PPP, Router,
Local host, AAA server.]

Configuring Double Authentication


To configure double authentication, you must complete the following steps:
1. Enable AAA by using the aaa new-model global configuration command. For more information
about enabling AAA, refer to the chapter “AAA Overview.”
2. Use the aaa authentication command to configure your network access server to use login and PPP
authentication method lists, then apply those method lists to the appropriate lines or interfaces.


3. Use the aaa authorization command to configure AAA network authorization at login. For more
information about configuring network authorization, refer to the “Configuring Authorization”
chapter.
4. Configure security protocol parameters (for example, RADIUS or TACACS+). For more
information about RADIUS, refer to the chapter “Configuring RADIUS”. For more information
about TACACS+, refer to the chapter “Configuring TACACS+.”
5. Use access control list AV pairs on the security server so that the user can connect to the local host
only by establishing a Telnet connection.
6. (Optional) Configure the access-profile command as an autocommand. If you configure the
autocommand, remote users will not have to manually enter the access-profile command to access
authorized rights associated with their personal user profile. To learn about configuring
autocommands, refer to the autocommand command in the Cisco IOS Dial Technologies Command
Reference: Network Services.

Note If the access-profile command is configured as an autocommand, users will still have to Telnet to the
local host and log in to complete double authentication.

Follow these rules when creating the user-specific authorization statements (These rules relate to the
default behavior of the access-profile command):
• Use valid AV pairs when configuring access control list AV pairs on the security server. For a list of
valid AV pairs, refer to the chapter “Authentication Commands” in the Cisco IOS Security Command
Reference.
• If you want remote users to use the interface’s existing authorization (that which existed prior to the
second stage authentication/authorization), but you want them to have different access control lists
(ACLs), you should specify only ACL AV pairs in the user-specific authorization definition. This
might be desirable if you set up a default authorization profile to apply to the remote host, but want
to apply specific ACLs to specific users.
• When these user-specific authorization statements are later applied to the interface, they can either
be added to the existing interface configuration or they can replace the existing interface
configuration—depending on which form of the access-profile command is used to authorize the
user. You should understand how the access-profile command works before configuring the
authorization statements.
• If you will be using ISDN or Multilink PPP, you must also configure virtual templates at the
local host.
To troubleshoot double authentication, use the debug aaa per-user debug command. For more
information about this command, refer to the Cisco IOS Debug Command Reference.

Accessing the User Profile After Double Authentication


In double authentication, when a remote user establishes a PPP link to the local host using the local host
name, the remote host is CHAP (or PAP) authenticated. After CHAP (or PAP) authentication, PPP
negotiates with AAA to assign network access privileges associated with the remote host to the user. (We
suggest that privileges at this stage be restricted to allow the user to connect to the local host only by
establishing a Telnet connection.)
When the user needs to initiate the second phase of double authentication, establishing a Telnet
connection to the local host, the user enters a personal username and password (different from the CHAP
or PAP username and password). This action causes AAA reauthentication to occur according to the


personal username/password. The initial rights associated with the local host, though, are still in place.
By using the access-profile command, the rights associated with the local host are replaced by or merged
with those defined for the user in the user’s profile.
To access the user profile after double authentication, use the following command in EXEC
configuration mode:

Command                                        Purpose
Router> access-profile [merge | replace]       Accesses the rights associated with the user after double
[ignore-sanity-checks]                         authentication.

If you configured the access-profile command to be executed as an autocommand, it will be executed
automatically after the remote user logs in.
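The two forms of access-profile, merge and replace, and the caution about hosts sharing one PPP session are easiest to see as state on the interface. The model below, added here and not Cisco IOS code, applies the host profile at stage one, then lets access-profile merge a user's AV pairs into that authorization or replace it, and replays the Bob and Jane sequence from the caution; the Interface class, the AV-pair names, the placeholder address 10.1.1.1, and the rule that user values win on a merge clash are assumptions of the model:

```python
"""Model of what access-profile does to the authorization on a PPP interface.

Added example, not Cisco IOS code.  It models the behaviour described in
this guide: at stage one the remote host's authorization profile is
applied to the interface; at stage two access-profile either merges the
user's AV pairs into that interface authorization or replaces it, and,
if several hosts share one PPP session, whoever runs access-profile last
owns the interface's authorization.  The Interface class, the AV-pair
names and the sample profiles are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ACL_ATTRIBUTE_PREFIXES = ("ip:inacl", "ip:outacl")  # modelled ACL AV pairs


@dataclass
class Interface:
    """Authorization state of one PPP interface on the network access server."""
    applied: Dict[str, str] = field(default_factory=dict)
    double_authenticated_by: Optional[str] = None
    history: List[str] = field(default_factory=list)


def ppp_stage_one(host_profile: Dict[str, str]) -> Interface:
    """Stage one: CHAP/PAP authenticates the host; its profile is applied."""
    iface = Interface(applied=dict(host_profile))
    iface.history.append("stage1: host profile applied")
    return iface


def is_acl_only(profile: Dict[str, str]) -> bool:
    """True when the profile carries only ACL AV pairs (the guide's advice
    for users who should keep the host's authorization but get other ACLs)."""
    return all(attr.startswith(ACL_ATTRIBUTE_PREFIXES) for attr in profile)


def access_profile(iface: Interface, user: str,
                   user_profile: Dict[str, str], mode: str = "merge") -> Dict[str, str]:
    """Stage two: apply the user's profile to the interface.

    'merge' adds the user's AV pairs to the existing interface authorization
    (user values win on a clash, an assumption of this model); 'replace'
    discards the existing authorization entirely.
    """
    if mode == "replace":
        new_auth = dict(user_profile)
    elif mode == "merge":
        new_auth = {**iface.applied, **user_profile}
    else:
        raise ValueError(f"unknown access-profile mode: {mode}")
    iface.applied = new_auth
    iface.double_authenticated_by = user
    iface.history.append(f"{user}: access-profile {mode}")
    return new_auth


# Constructed profiles.  The stage-one host profile follows the guide's
# advice of allowing only Telnet to the local host (10.1.1.1 is a placeholder).
HOST_PROFILE = {
    "ip:route": "10.1.0.0 255.255.0.0",
    "ip:inacl#1": "permit tcp any host 10.1.1.1 eq telnet",
}
BOB_PROFILE = {"ip:inacl#1": "permit ip any any"}            # ACL-only
JANE_PROFILE = {"ip:inacl#1": "permit tcp any any eq www"}   # ACL-only


def shared_session_demo() -> Interface:
    """Replays the caution in the guide: Bob double-authenticates, then Jane
    runs access-profile on the same PPP session and displaces his profile."""
    iface = ppp_stage_one(HOST_PROFILE)
    access_profile(iface, "bob", BOB_PROFILE, mode="merge")
    access_profile(iface, "jane", JANE_PROFILE, mode="replace")
    return iface


if __name__ == "__main__":
    iface = shared_session_demo()
    for line in iface.history:
        print(line)
    print("interface authorization now belongs to:", iface.double_authenticated_by)
    print(iface.applied)
```

After Jane's replace, the interface carries only her ACL and none of the host's original authorization, while Bob's PPP traffic is still flowing over that interface; that is the disruption the caution describes, and the reason a PPP session should not be shared among users who double authenticate.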

Enabling Automated Double Authentication


You can make the double authentication process easier for users by implementing automated double
authentication. Automated double authentication provides all of the security benefits of double
authentication, but offers a simpler, more user-friendly interface for remote users. With double
authentication, a second level of user authentication is achieved when the user Telnets to the network
access server or router and enters a username and password. With automated double authentication, the
user does not have to Telnet to the network access server; instead the user responds to a dialog box that
requests a username and password or personal identification number (PIN). To use the automated double
authentication feature, the remote user hosts must be running a companion client application. As of
Cisco IOS Release 12.0, the only client application software available is the Glacier Bay application
server software for PCs.

Note Automated double authentication, like the existing double authentication feature, is for Multilink
PPP ISDN connections only. Automated double authentication cannot be used with other protocols
such as X.25 or SLIP.

Automated double authentication is an enhancement to the existing double authentication feature. To
configure automated double authentication, you must first configure double authentication by
completing the following steps:
1. Enable AAA by using the aaa new-model global configuration command. For more information
about enabling AAA, refer to the chapter “AAA Overview.”
2. Use the aaa authentication command to configure your network access server to use login and PPP
authentication method lists, then apply those method lists to the appropriate lines or interfaces.
3. Use the aaa authorization command to configure AAA network authorization at login. For more
information about configuring network authorization, refer to the chapter “Configuring
Authorization.”
4. Configure security protocol parameters (for example, RADIUS or TACACS+). For more
information about RADIUS, refer to the chapter “Configuring RADIUS”. For more information
about TACACS+, refer to the chapter “Configuring TACACS+.”


5. Use access control list AV pairs on the security server so that the user can connect to the local host
only by establishing a Telnet connection.
6. Configure the access-profile command as an autocommand. If you configure the autocommand,
remote users will not have to manually enter the access-profile command to access authorized rights
associated with their personal user profile. To learn about configuring autocommands, refer to the
autocommand command in the Cisco IOS Dial Technologies Command Reference, Release 12.2.

Note If the access-profile command is configured as an autocommand, users will still have to Telnet to the
local host and log in to complete double authentication.

Follow these rules when creating the user-specific authorization statements (These rules relate to the
default behavior of the access-profile command):
• Use valid AV pairs when configuring access control list AV pairs on the security server. For a list of
valid AV pairs, refer to the chapter “Authentication Commands” in the Cisco IOS Security Command
Reference.
• If you want remote users to use the interface’s existing authorization (that which existed prior to the
second stage authentication/authorization), but you want them to have different access control lists
(ACLs), you should specify only ACL AV pairs in the user-specific authorization definition. This
might be desirable if you set up a default authorization profile to apply to the remote host, but want
to apply specific ACLs to specific users.
• When these user-specific authorization statements are later applied to the interface, they can either
be added to the existing interface configuration, or replace the existing interface
configuration—depending on which form of the access-profile command is used to authorize the
user. You should understand how the access-profile command works before configuring the
authorization statements.
• If you will be using ISDN or Multilink PPP, you must also configure virtual templates at the local
host.
To troubleshoot double authentication, use the debug aaa per-user command. For more
information about this command, refer to the Cisco IOS Debug Command Reference.
After you have configured double authentication, you are ready to configure the automation
enhancement.
To configure automated double authentication, use the following commands, starting in global
configuration mode:

Command                                   Purpose
Step 1  Router(config)# ip trigger-authentication [timeout seconds] [port number]
        Enables automation of double authentication.
Step 2  Router(config)# interface bri number
        or
        Router(config)# interface serial number:23
        Selects an ISDN BRI or ISDN PRI interface and enters interface configuration mode.
Step 3  Router(config-if)# ip trigger-authentication
        Applies automated double authentication to the interface.

Cisco IOS Security Configuration Guide


SC-46
Configuring Authentication
Non-AAA Authentication Methods

To troubleshoot automated double authentication, use the following commands in privileged EXEC
mode:

Command                                   Purpose
Step 1  Router# show ip trigger-authentication
        Displays the list of remote hosts for which automated double authentication has been
        attempted (successfully or unsuccessfully).
Step 2  Router# clear ip trigger-authentication
        Clears the list of remote hosts for which automated double authentication has been
        attempted. (This clears the table displayed by the show ip trigger-authentication command.)
Step 3  Router# debug ip trigger-authentication
        Displays debug output related to automated double authentication.

Non-AAA Authentication Methods


This section discusses the following non-AAA authentication tasks:
• Configuring Line Password Protection
• Establishing Username Authentication
• Enabling CHAP or PAP Authentication
• Using MS-CHAP

Configuring Line Password Protection


You can provide access control on a terminal line by entering the password and establishing password
checking. To do so, use the following commands in line configuration mode:

Command                                   Purpose
Step 1  Router(config-line)# password password
        Assigns a password to a terminal or other device on a line.
Step 2  Router(config-line)# login
        Enables password checking at login.

The password checker is case sensitive and can include spaces; for example, the password “Secret” is
different from the password “secret,” and “two words” is an acceptable password.
You can disable line password verification by disabling password checking. To do so, use the following
command in line configuration mode:

Command                                   Purpose
Router(config-line)# no login
        Disables password checking and allows access to a line without password verification.


If you configure line password protection and then configure TACACS or extended TACACS, the
TACACS username and password take precedence over line passwords. If you have not yet implemented
a security policy, we recommend that you use AAA.

Note The login command only changes username and privilege level but it does not execute a shell;
therefore autocommands will not be executed. To execute autocommands under this circumstance,
you need to establish a Telnet session back into the router (loop-back). Make sure that the router has
been configured for secure Telnet sessions if you choose to implement autocommands this way.

Establishing Username Authentication


You can create a username-based authentication system, which is useful in the following situations:
• To provide a TACACS-like username and encrypted password-authentication system for networks
that cannot support TACACS
• To provide special-case logins: for example, access list verification, no password verification,
autocommand execution at login, and “no escape” situations
To establish username authentication, use the following commands in global configuration mode as
needed for your system configuration:

Command                                   Purpose
Step 1  Router(config)# username name [nopassword | password password | password encryption-type encrypted-password]
        Establishes username authentication with encrypted passwords.
        or
        Router(config)# username name [access-class number]
        (Optional) Establishes username authentication by access list.
Step 2  Router(config)# username name [privilege level]
        (Optional) Sets the privilege level for the user.
Step 3  Router(config)# username name [autocommand command]
        (Optional) Specifies a command to be executed automatically.
Step 4  Router(config)# username name [noescape] [nohangup]
        (Optional) Sets a “no escape” login environment.

The keyword noescape prevents users from using escape characters on the hosts to which they are
connected. The nohangup feature does not disconnect after using the autocommand.

Caution Passwords will be displayed in clear text in your configuration unless you enable the service
password-encryption command. Be aware that service password-encryption only obfuscates
passwords (type 7); the encoding is reversible by anyone who can read the configuration, so it
protects against shoulder surfing, not against a leaked configuration backup. Where the running
release supports it, the username name secret form stores an MD5 hash (type 5) instead and
should be preferred. For more information about the service password-encryption command, refer
to the chapter “Passwords and Privileges Commands” in the Cisco IOS Security Command Reference.
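The following Python script, added here as an illustration and not part of Cisco's documentation or software, implements the type 7 scheme that service password-encryption applies, so that the reversibility the Caution warns about can be seen directly. The fixed key string is the one all IOS releases use; the password "cisco", the offsets, and the configuration fragment it scans are constructed for the demonstration.

```python
"""Cisco type 7 ("service password-encryption") is reversible obfuscation.

Added example (not Cisco code): implements the well-known type 7 scheme, a
fixed key string XORed with the password, prefixed by a two-digit starting
offset into that key. The configuration fragment and password "cisco" are
constructed samples.
"""

# Fixed key shared by every IOS device; it is the only "secret" in the scheme.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Recover the clear-text password from a type 7 string.

    Format: two decimal digits (offset into the key) followed by one hex
    byte per password character, each XORed with the key byte at
    (offset + position) mod len(key).
    """
    if len(encoded) < 4 or len(encoded) % 2 != 0 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    offset = int(encoded[:2])
    if offset >= len(_TYPE7_KEY):
        raise ValueError("bad type 7 offset")
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(body))
    return clear.decode("latin-1")


def type7_encode(clear: str, offset: int = 6) -> str:
    """Produce a type 7 string. IOS picks the offset pseudo-randomly (0-15),
    which is why the same password encodes differently on different lines
    of one configuration; that variation adds no strength."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0..15")
    data = clear.encode("latin-1")
    body = bytes(c ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                 for i, c in enumerate(data))
    return f"{offset:02d}{body.hex().upper()}"


def extract_type7_from_config(config_text: str) -> dict:
    """Scan 'username NAME password 7 HEX', 'password 7 HEX' and 'key 7 HEX'
    lines of a configuration and return {stripped line: clear text}, which is
    exactly what anyone holding a configuration backup can do."""
    found = {}
    for line in config_text.splitlines():
        parts = line.strip().split()
        if len(parts) >= 3 and parts[-2] == "7" and parts[-3] in ("password", "key"):
            found[line.strip()] = type7_decode(parts[-1])
    return found


# Constructed running-config fragment as it would look with
# service password-encryption enabled.
SAMPLE_CONFIG = f"""\
service password-encryption
username admin password 7 060506324F41
tacacs-server key 7 {type7_encode("two words", 11)}
line vty 0 4
 password 7 {type7_encode("two words", 3)}
 login
"""

if __name__ == "__main__":
    for line, clear in extract_type7_from_config(SAMPLE_CONFIG).items():
        print(f"{line:45s} -> {clear!r}")
```

Run it and every type 7 string in the sample fragment comes back in clear text, including the TACACS+ shared key; treat a configuration containing type 7 strings as containing plain-text credentials.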


Enabling CHAP or PAP Authentication


One of the most common transport protocols used in Internet service providers’ (ISPs’) dial solutions is
the Point-to-Point Protocol (PPP). Traditionally, remote users dial in to an access server to initiate a PPP
session. After PPP has been negotiated, remote users are connected to the ISP network and to
the Internet.
Because ISPs want only customers to connect to their access servers, remote users are required to
authenticate to the access server before they can start up a PPP session. Normally, a remote user
authenticates by typing in a username and password when prompted by the access server. Although this
is a workable solution, it is difficult to administer and awkward for the remote user.
A better solution is to use the authentication protocols built into PPP. In this case, the remote user dials
in to the access server and starts up a minimal subset of PPP with the access server. This does not give
the remote user access to the ISP’s network—it merely allows the access server to talk to the
remote device.
PPP currently supports two authentication protocols: Password Authentication Protocol (PAP) and
Challenge Handshake Authentication Protocol (CHAP). Both were originally specified in RFC 1334;
CHAP is now defined by RFC 1994. Both are supported on synchronous and asynchronous interfaces.
Authentication via PAP or CHAP is equivalent to typing in a username and password when prompted
by the server. CHAP is considered to be more secure because the remote user’s password is never sent
across the connection, whereas PAP sends the username and password in clear text.
PPP (with or without PAP or CHAP authentication) is also supported in dialout solutions. An access
server utilizes a dialout feature when it initiates a call to a remote device and attempts to start up a
transport protocol such as PPP.
See the chapter “Configuring Interfaces” in the Cisco IOS Configuration Fundamentals Configuration
Guide for more information about CHAP and PAP.

Note To use CHAP or PAP, you must be running PPP encapsulation.

When CHAP is enabled on an interface and a remote device attempts to connect to it, the access server
sends a CHAP packet to the remote device. The CHAP packet requests or “challenges” the remote device
to respond. The challenge packet consists of an ID, a random number, and the host name of the
local router.
When the remote device receives the challenge packet, it concatenates the ID, the remote device’s
password (the shared secret), and the random number, and computes a one-way MD5 hash over the
result, as specified in RFC 1994. The password is an input to the hash; nothing is encrypted, and the
hash cannot be reversed to recover it. The remote device sends the resulting hash back to the access
server, along with the name associated with the password used.
When the access server receives the response, it uses the name it received to retrieve a password stored
in its user database. The retrieved password should be the same password the remote device used. The
access server then hashes the same concatenation with the newly retrieved password; if the result
matches the value in the response packet, authentication succeeds.
The benefit of using CHAP authentication is that the remote device’s password is never transmitted in
clear text. This prevents other devices from stealing it and gaining illegal access to the ISP’s network.
Note that the challenge must be random and never reused: an eavesdropper who records a challenge and
response pair can still attempt an offline dictionary attack against the secret, so CHAP secrets need to
be long and unguessable.
CHAP transactions occur only at the time a link is established. The access server does not request a
password during the rest of the call. (The local device can, however, respond to such requests from other
devices during a call.)
When PAP is enabled, the remote router attempting to connect to the access server is required to send an
authentication request. If the username and password specified in the authentication request are
accepted, the Cisco IOS software sends an authentication acknowledgment.
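The CHAP and PAP exchanges just described, simulated end to end. This is an added example written for this page, not Cisco code: the peer names, secrets and the local user table are constructed, and the response is the RFC 1994 MD5 construction (ID, secret, challenge). It also shows the two checks an authenticator must make that the prose leaves implicit: the response ID must match the outstanding challenge, and a response recorded against one challenge must not verify against another.

```python
"""CHAP versus PAP over a simulated PPP link (added example, not Cisco code).

Access server (authenticator) sends Challenge(id, random value, host name);
the peer answers with MD5(id || secret || challenge value) per RFC 1994; the
authenticator recomputes the digest with the secret stored under the peer's
name and compares. PAP (RFC 1334) is shown beside it for contrast.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed local username database: the equivalent of
#   username peer1 password peer1-secret
# on the access server.
USER_DB = {"peer1": b"peer1-secret", "peer2": b"another-secret"}


@dataclass(frozen=True)
class ChapChallenge:
    ident: int      # 1-byte Identifier that ties a response to this challenge
    value: bytes    # random Challenge Value
    name: str       # host name of the challenger (the local router)


@dataclass(frozen=True)
class ChapResponse:
    ident: int
    value: bytes    # 16-byte MD5 digest
    name: str       # name the peer claims; selects the stored secret


def chap_digest(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def authenticator_challenge(local_hostname: str, ident: int) -> ChapChallenge:
    """Access server side: emit a fresh random challenge for this link."""
    return ChapChallenge(ident=ident, value=os.urandom(16), name=local_hostname)


def peer_respond(chal: ChapChallenge, my_name: str, my_secret: bytes) -> ChapResponse:
    """Remote device side. The secret itself never leaves this function."""
    return ChapResponse(ident=chal.ident,
                        value=chap_digest(chal.ident, my_secret, chal.value),
                        name=my_name)


def authenticator_verify(chal: ChapChallenge, resp: ChapResponse) -> bool:
    """Access server side: look up the stored secret for resp.name, recompute
    the digest over the challenge actually sent, compare in constant time."""
    if resp.ident != chal.ident:
        return False                    # answer to some other challenge
    secret = USER_DB.get(resp.name)
    if secret is None:
        return False                    # unknown peer name
    expected = chap_digest(chal.ident, secret, chal.value)
    return hmac.compare_digest(expected, resp.value)


def chap_session(peer_name: str, peer_secret: bytes, ident: int = 1) -> bool:
    """Run one inbound CHAP authentication and return the result."""
    chal = authenticator_challenge("nas1", ident)
    resp = peer_respond(chal, peer_name, peer_secret)
    return authenticator_verify(chal, resp)


def pap_session(peer_name: str, peer_password: bytes) -> tuple:
    """PAP: the Authenticate-Request carries name and password in the clear.
    Returns (accepted, the bytes an eavesdropper sees on the wire)."""
    on_the_wire = peer_name.encode() + b":" + peer_password
    accepted = USER_DB.get(peer_name) == peer_password
    return accepted, on_the_wire


if __name__ == "__main__":
    print("CHAP correct secret :", chap_session("peer1", b"peer1-secret"))
    print("CHAP wrong secret   :", chap_session("peer1", b"guess"))
    print("CHAP unknown name   :", chap_session("nobody", b"peer1-secret"))
    ok, wire = pap_session("peer1", b"peer1-secret")
    print("PAP accepted        :", ok, "| on the wire:", wire)
```

The PAP line of output is the whole argument for CHAP: the same credential that CHAP keeps inside peer_respond is visible on the wire in PAP.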


After you have enabled CHAP or PAP, the access server will require authentication from remote devices
dialing in to the access server. If the remote device does not support the enabled protocol, the call will
be dropped.
To use CHAP or PAP, you must perform the following tasks:
1. Enable PPP encapsulation.
2. Enable CHAP or PAP on the interface.
3. For CHAP, configure host name authentication and the secret or password for each remote system
with which authentication is required.
This section includes the following sections:
• Enabling PPP Encapsulation
• Enabling PAP or CHAP
• Inbound and Outbound Authentication
• Enabling Outbound PAP Authentication
• Refusing PAP Authentication Requests
• Creating a Common CHAP Password
• Refusing CHAP Authentication Requests
• Delaying CHAP Authentication Until Peer Authenticates

Enabling PPP Encapsulation


To enable PPP encapsulation, use the following command in interface configuration mode:

Command                                   Purpose
Router(config-if)# encapsulation ppp
        Enables PPP on an interface.

Enabling PAP or CHAP


To enable CHAP or PAP authentication on an interface configured for PPP encapsulation, use the
following command in interface configuration mode:

Command                                   Purpose
Router(config-if)# ppp authentication {protocol1 [protocol2...]} [if-needed] {default | list-name} [callin] [one-time]
        Defines the authentication protocols supported and the order in which they are used. In
        this command, protocol1, protocol2 represent the following protocols: CHAP, MS-CHAP,
        and PAP. PPP authentication is attempted first using the first authentication method,
        which is protocol1. If protocol1 is unable to establish authentication, the next configured
        protocol is used to negotiate authentication.

If you configure ppp authentication chap on an interface, all incoming calls on that interface that
initiate a PPP connection will have to be authenticated using CHAP; likewise, if you configure ppp
authentication pap, all incoming calls that start a PPP connection will have to be authenticated via PAP.
If you configure ppp authentication chap pap, the access server will attempt to authenticate all


incoming calls that start a PPP session with CHAP. If the remote device does not support CHAP, the
access server will try to authenticate the call using PAP. If the remote device does not support either
CHAP or PAP, authentication will fail and the call will be dropped. If you configure ppp authentication
pap chap, the access server will attempt to authenticate all incoming calls that start a PPP session with
PAP. If the remote device does not support PAP, the access server will try to authenticate the call using
CHAP. If the remote device does not support either protocol, authentication will fail and the call will be
dropped. If you configure the ppp authentication command with the callin keyword, the access server
will only authenticate the remote device if the remote device initiated the call.
Authentication method lists and the one-time keyword are only available if you have enabled
AAA—they will not be available if you are using TACACS or extended TACACS. If you specify the
name of an authentication method list with the ppp authentication command, PPP will attempt to
authenticate the connection using the methods defined in the specified method list. If AAA is enabled
and no method list is defined by name, PPP will attempt to authenticate the connection using the methods
defined as the default. The ppp authentication command with the one-time keyword enables support
for one-time passwords during authentication.
The if-needed keyword is only available if you are using TACACS or extended TACACS. The ppp
authentication command with the if-needed keyword means that PPP will only authenticate the remote
device via PAP or CHAP if they have not yet authenticated during the life of the current call. If the
remote device authenticated via a standard login procedure and initiated PPP from the EXEC prompt,
PPP will not authenticate via CHAP if ppp authentication chap if-needed is configured on
the interface.

Caution If you use a list-name that has not been configured with the aaa authentication ppp command, you
disable PPP on the line.

For information about adding a username entry for each remote system from which the local router or
access server requires authentication, see the section “Establishing Username Authentication.”

Inbound and Outbound Authentication


PPP supports two-way authentication. Normally, when a remote device dials in to an access server, the
access server requests that the remote device prove that it is allowed access. This is known as inbound
authentication. At the same time, the remote device can also request that the access server prove that it
is who it says it is. This is known as outbound authentication. An access server also does outbound
authentication when it initiates a call to a remote device.

Enabling Outbound PAP Authentication


To enable outbound PAP authentication, use the following command in interface configuration mode:

Command                                   Purpose
Router(config-if)# ppp pap sent-username username password password
        Enables outbound PAP authentication.

The access server uses the username and password specified by the ppp pap sent-username command
to authenticate itself whenever it initiates a call to a remote device or when it has to respond to a remote
device’s request for outbound authentication.


Refusing PAP Authentication Requests


To refuse PAP authentication from peers requesting it, meaning that PAP authentication is disabled for
all calls, use the following command in interface configuration mode:

Command                                   Purpose
Router(config-if)# ppp pap refuse
        Refuses PAP authentication from peers requesting PAP authentication.

If the refuse keyword is not used, the router will not refuse PAP authentication requests received
from the peer. (PAP has no challenge; the peer simply sends an Authenticate-Request carrying its
username and password.)

Creating a Common CHAP Password


For remote CHAP authentication only, you can configure your router to create a common CHAP secret
password to use in response to challenges from an unknown peer; for example, if your router calls a
rotary of routers (either from another vendor, or running an older version of the Cisco IOS software) to
which a new (that is, unknown) router has been added. The ppp chap password command allows you
to replace several username and password configuration commands with a single copy of this command
on any dialer interface or asynchronous group interface.
To enable a router calling a collection of routers to configure a common CHAP secret password, use the
following command in interface configuration mode:

Command                                   Purpose
Router(config-if)# ppp chap password secret
        Enables a router calling a collection of routers to configure a common CHAP secret password.

Refusing CHAP Authentication Requests


To refuse CHAP authentication from peers requesting it, meaning that CHAP authentication is disabled
for all calls, use the following command in interface configuration mode:

Command                                   Purpose
Router(config-if)# ppp chap refuse [callin]
        Refuses CHAP authentication from peers requesting CHAP authentication.

If the callin keyword is used, the router will refuse to answer CHAP authentication challenges received
from the peer, but will still require the peer to answer any CHAP challenges the router sends.
If outbound PAP has been enabled (using the ppp pap sent-username command), PAP will be suggested
as the authentication method in the refusal packet.


Delaying CHAP Authentication Until Peer Authenticates


To specify that the router will not authenticate to a peer requesting CHAP authentication until after the
peer has authenticated itself to the router, use the following command in interface configuration mode:

Command                                   Purpose
Router(config-if)# ppp chap wait secret
        Configures the router to delay CHAP authentication until after the peer has authenticated
        itself to the router.

This command (which is the default) specifies that the router will not authenticate to a peer requesting
CHAP authentication until the peer has authenticated itself to the router. The no ppp chap wait
command specifies that the router will respond immediately to an authentication challenge.

Using MS-CHAP
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is the Microsoft version of CHAP
and is an extension of RFC 1994. Like the standard version of CHAP, MS-CHAP is used for PPP
authentication; in this case, authentication occurs between a PC using Microsoft Windows NT or
Microsoft Windows 95 and a Cisco router or access server acting as a network access server.
MS-CHAP differs from the standard CHAP as follows:
• MS-CHAP is enabled by negotiating CHAP Algorithm 0x80 in LCP option 3, Authentication
Protocol.
• The MS-CHAP Response packet is in a format designed to be compatible with
Microsoft Windows NT 3.5 and 3.51, Microsoft Windows 95, and Microsoft LAN Manager 2.x.
This format does not require the authenticator to store a clear or reversibly encrypted password.
• MS-CHAP provides an authenticator-controlled authentication retry mechanism.
• MS-CHAP provides an authenticator-controlled change password mechanism.
• MS-CHAP defines a set of “reason-for failure” codes returned in the Failure packet message field.
Depending on the security protocols you have implemented, PPP authentication using MS-CHAP can be
used with or without AAA security services. If you have enabled AAA, PPP authentication using
MS-CHAP can be used in conjunction with both TACACS+ and RADIUS. Table 9 lists the
vendor-specific RADIUS attributes (IETF Attribute 26) that enable RADIUS to support MS-CHAP.

Table 9 Vendor-Specific RADIUS Attributes for MS-CHAP

Vendor-ID Number  Vendor-Type Number  Vendor-Proprietary Attribute  Description
311               11                  MSCHAP-Challenge              Contains the challenge sent by a network
                                                                    access server to an MS-CHAP user. It can be
                                                                    used in both Access-Request and
                                                                    Access-Challenge packets.
311               1                   MSCHAP-Response               Contains the response value provided by a PPP
                                                                    MS-CHAP user in response to the challenge. It
                                                                    is only used in Access-Request packets. Its
                                                                    Ident field is identical to the PPP CHAP
                                                                    Identifier.

(Both attributes carry the Microsoft Vendor-ID 311; MS-CHAP-Response is Vendor-Type 1 and
MS-CHAP-Challenge is Vendor-Type 11, as assigned in RFC 2548.)
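How the two Table 9 attributes are carried inside IETF attribute 26, as an added example that is not Cisco code: the layout is the RFC 2865 Vendor-Specific attribute (Type 26, Length, 4-byte Vendor-Id) wrapping the RFC 2548 vendor header (Vendor-Type, Vendor-Length, data). The user name, 8-byte challenge and 24-byte NT response are constructed filler, not real MS-CHAP computations; the parser refuses malformed lengths instead of guessing, which is the behaviour a NAS or RADIUS server needs.

```python
"""RADIUS attribute 26 carrying Microsoft MS-CHAP sub-attributes
(added example, not Cisco code).

Wire layout (RFC 2865 section 5.26, RFC 2548 section 2):
  Type=26 | Length | Vendor-Id (4 bytes, 311 = Microsoft)
          | Vendor-Type | Vendor-Length | attribute-specific data
MS-CHAP-Challenge is Vendor-Type 11. MS-CHAP-Response is Vendor-Type 1 and
its data is Ident(1) Flags(1) LM-Response(24) NT-Response(24).
"""
import struct
from typing import NamedTuple

ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
VENDOR_MICROSOFT = 311
MSCHAP_RESPONSE = 1
MSCHAP_CHALLENGE = 11


class Vsa(NamedTuple):
    vendor_id: int
    vendor_type: int
    data: bytes


def encode_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Build one attribute-26 TLV. RADIUS lengths are one byte and include
    the header, so vendor data is limited to 255 - 8 = 247 bytes."""
    vendor_len = 2 + len(data)
    total_len = 2 + 4 + vendor_len
    if total_len > 255:
        raise ValueError("VSA too long for a single RADIUS attribute")
    return struct.pack("!BBIBB", ATTR_VENDOR_SPECIFIC, total_len,
                       vendor_id, vendor_type, vendor_len) + data


def decode_attributes(blob: bytes) -> list:
    """Walk a RADIUS attribute list. Returns Vsa objects for attribute 26 and
    (type, value) tuples for everything else. Bad lengths raise."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        value = blob[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA shorter than its vendor header")
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vlen != len(value) - 4:
                raise ValueError("Vendor-Length disagrees with attribute Length")
            out.append(Vsa(vendor_id, vtype, value[6:]))
        else:
            out.append((atype, value))
        i += alen
    return out


def mschap_challenge_vsa(challenge: bytes) -> bytes:
    return encode_vsa(VENDOR_MICROSOFT, MSCHAP_CHALLENGE, challenge)


def mschap_response_vsa(ident: int, flags: int, lm_resp: bytes, nt_resp: bytes) -> bytes:
    if len(lm_resp) != 24 or len(nt_resp) != 24:
        raise ValueError("LM and NT responses are 24 bytes each")
    return encode_vsa(VENDOR_MICROSOFT, MSCHAP_RESPONSE,
                      bytes([ident & 0xFF, flags & 0xFF]) + lm_resp + nt_resp)


def build_access_request_attrs(user: str, challenge: bytes, ident: int, nt_resp: bytes) -> bytes:
    """Attributes a NAS puts in an Access-Request for an MS-CHAP user:
    User-Name plus the two Microsoft VSAs. Flags=1 selects the NT response."""
    name = user.encode()
    user_name = bytes([ATTR_USER_NAME, 2 + len(name)]) + name
    return (user_name + mschap_challenge_vsa(challenge)
            + mschap_response_vsa(ident, 1, bytes(24), nt_resp))


def summarize(attrs: bytes) -> dict:
    """Pick out the fields the RADIUS server needs to verify MS-CHAP."""
    info = {}
    for item in decode_attributes(attrs):
        if isinstance(item, Vsa):
            if item.vendor_id != VENDOR_MICROSOFT:
                continue
            if item.vendor_type == MSCHAP_CHALLENGE:
                info["challenge"] = item.data
            elif item.vendor_type == MSCHAP_RESPONSE:
                info["ident"], info["flags"] = item.data[0], item.data[1]
                info["nt_response"] = item.data[26:50]
        elif item[0] == ATTR_USER_NAME:
            info["user"] = item[1].decode()
    return info


if __name__ == "__main__":
    # Constructed sample: 8-byte challenge, 24-byte NT response filler.
    pkt = build_access_request_attrs("peer1", bytes(range(8)), 7, bytes([0xAB]) * 24)
    print(pkt.hex())
    print(summarize(pkt))
```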


To define PPP authentication using MS-CHAP, use the following commands in interface configuration
mode:

Command                                   Purpose
Step 1  Router(config-if)# encapsulation ppp
        Enables PPP encapsulation.
Step 2  Router(config-if)# ppp authentication ms-chap [if-needed] [list-name | default] [callin] [one-time]
        Defines PPP authentication using MS-CHAP.

If you configure ppp authentication ms-chap on an interface, all incoming calls on that interface that
initiate a PPP connection will have to be authenticated using MS-CHAP. If you configure the ppp
authentication command with the callin keyword, the access server will only authenticate the remote
device if the remote device initiated the call.
Authentication method lists and the one-time keyword are only available if you have enabled
AAA—they will not be available if you are using TACACS or extended TACACS. If you specify the
name of an authentication method list with the ppp authentication command, PPP will attempt to
authenticate the connection using the methods defined in the specified method list. If AAA is enabled
and no method list is defined by name, PPP will attempt to authenticate the connection using the methods
defined as the default. The ppp authentication command with the one-time keyword enables support
for one-time passwords during authentication.
The if-needed keyword is only available if you are using TACACS or extended TACACS. The ppp
authentication command with the if-needed keyword means that PPP will only authenticate the remote
device via MS-CHAP if that device has not yet authenticated during the life of the current call. If the
remote device authenticated through a standard login procedure and initiated PPP from the EXEC
prompt, PPP will not authenticate through MS-CHAP if ppp authentication ms-chap if-needed
is configured.

Note If PPP authentication using MS-CHAP is used with username authentication, you must include the
MS-CHAP secret in the local username/password database. For more information about username
authentication, refer to the “Establishing Username Authentication” section.

Authentication Examples
The following sections provide authentication configuration examples:
• RADIUS Authentication Examples
• TACACS+ Authentication Examples
• Kerberos Authentication Examples
• AAA Scalability Example
• Login and Failed Banner Examples
• AAA Packet of Disconnect Server Key Example
• Double Authentication Examples
• Automated Double Authentication Example
• MS-CHAP Example


RADIUS Authentication Examples


This section provides two sample configurations using RADIUS.
The following example shows how to configure the router to authenticate and authorize using RADIUS:
aaa authentication login radius-login group radius local
aaa authentication ppp radius-ppp if-needed group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
line 3
login authentication radius-login
interface serial 0
ppp authentication radius-ppp

The lines in this sample RADIUS authentication and authorization configuration are defined as follows:
• The aaa authentication login radius-login group radius local command configures the router to
use RADIUS for authentication at the login prompt. Only if RADIUS returns an error (for example,
no server responds) is the user authenticated using the local database; a reject from RADIUS is
final and is not retried against the local database.
• The aaa authentication ppp radius-ppp if-needed group radius command configures the
Cisco IOS software to use PPP authentication using CHAP or PAP if the user has not already logged
in. If the EXEC facility has authenticated the user, PPP authentication is not performed.
• The aaa authorization exec default group radius if-authenticated command queries the RADIUS
database for information that is used during EXEC authorization, such as autocommands and
privilege levels, but only provides authorization if the user has successfully authenticated.
• The aaa authorization network default group radius command queries RADIUS for network
authorization, address assignment, and other access lists.
• The login authentication radius-login command enables the radius-login method list for line 3.
• The ppp authentication radius-ppp command enables the radius-ppp method list for serial
interface 0.
The following example shows how to configure the router to prompt for and verify a username and
password, authorize the user’s EXEC level, and specify it as the method of authorization for privilege
level 2. In this example, if a local username is entered at the username prompt, that username is used for
authentication.
If the user is authenticated using the local database, EXEC authorization using RADIUS will fail because
no data is saved from the RADIUS authentication. The method list also uses the local database to find
an autocommand. If there is no autocommand, the user becomes the EXEC user. If the user then attempts
to issue commands that are set at privilege level 2, TACACS+ is used to attempt to authorize the
command.
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa authorization command 2 default group tacacs+ if-authenticated
radius-server host [Link] auth-port 1645 acct-port 1646
radius-server attribute 44 include-in-access-req
radius-server attribute 8 include-in-access-req


The lines in this sample RADIUS authentication and authorization configuration are defined as follows:
• The aaa authentication login default group radius local command specifies that the username and
password are verified by RADIUS or, if RADIUS is not responding, by the router’s local user
database.
• The aaa authorization exec default group radius local command specifies that RADIUS
authentication information be used to set the user’s EXEC level if the user authenticates with
RADIUS. If no RADIUS information is used, this command specifies that the local user database
be used for EXEC authorization.
• The aaa authorization command 2 default group tacacs+ if-authenticated command specifies
TACACS+ authorization for commands set at privilege level 2, if the user has already successfully
authenticated.
• The radius-server host [Link] auth-port 1645 acct-port 1646 command specifies the IP
address of the RADIUS server host, the UDP destination port for authentication requests, and the
UDP destination port for accounting requests.
• The radius-server attribute 44 include-in-access-req command sends RADIUS attribute 44
(Acct-Session-ID) in access-request packets.
• The radius-server attribute 8 include-in-access-req command sends RADIUS attribute 8
(Framed-IP-Address) in access-request packets.

TACACS+ Authentication Examples


The following example shows how to configure TACACS+ as the security protocol to be used for PPP
authentication:
aaa new-model
aaa authentication ppp test group tacacs+ local
interface serial 0
ppp authentication chap pap test
tacacs-server host [Link]
tacacs-server key goaway

The lines in this sample TACACS+ authentication configuration are defined as follows:
• The aaa new-model command enables the AAA security services.
• The aaa authentication command defines a method list, “test,” to be used on serial interfaces
running PPP. The keywords group tacacs+ means that authentication will be done through
TACACS+. If TACACS+ returns an ERROR of some sort during authentication, the keyword local
indicates that authentication will be attempted using the local database on the network access server.
• The interface command selects the line.
• The ppp authentication command applies the test method list to this line.
• The tacacs-server host command identifies the TACACS+ daemon as having an IP address of
[Link].
• The tacacs-server key command defines the shared encryption key to be “goaway.”
The following example shows how to configure AAA authentication for PPP:
aaa authentication ppp default if-needed group tacacs+ local

In this example, the keyword default means that PPP authentication is applied by default to all
interfaces. The if-needed keyword means that if the user has already authenticated by going through the
ASCII login procedure, then PPP is not necessary and can be skipped. If authentication is needed, the


keywords group tacacs+ means that authentication will be done through TACACS+. If TACACS+
returns an ERROR of some sort during authentication, the keyword local indicates that authentication
will be attempted using the local database on the network access server.
The following example shows how to create the same authentication algorithm for PAP, but it calls the
method list “MIS-access” instead of “default”:
aaa authentication ppp MIS-access if-needed group tacacs+ local
interface serial 0
ppp authentication pap MIS-access

In this example, because the list does not apply to any interfaces (unlike the default list, which applies
automatically to all interfaces), the administrator must select interfaces to which this authentication
scheme should apply by using the interface command. The administrator must then apply this method
list to those interfaces by using the ppp authentication command.
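The fall-through rule that the RADIUS and TACACS+ examples above both rely on (the next method in a list is consulted only when the current one returns an ERROR, never after a PASS or a FAIL) is easy to get wrong in practice. The following simulation is an added example, not Cisco code: the server behaviour, user stores and method names are constructed, and a list in which every method errors is treated here as a failure, which is the assumption this example makes rather than a statement about every IOS release.

```python
"""How an AAA authentication method list falls through (added example,
not Cisco code). Models 'group radius local' style lists: a method that
returns ERROR (no server answered) hands off to the next method; PASS or
FAIL from any method is final. Everything here is simulated in-process.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"   # method could not answer (timeout, no server reachable)


# Constructed credential stores. Note that "admin" exists only locally.
LOCAL_USERS = {"admin": "ALongPassword"}
RADIUS_USERS = {"alice": "alice-pw"}


def local_method(user: str, password: str, state: dict) -> Result:
    """The 'local' method: the router's own username database."""
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL


def radius_group(user: str, password: str, state: dict) -> Result:
    """The 'group radius' method. state['radius_reachable'] simulates
    whether any server in the group answers at all."""
    if not state.get("radius_reachable", True):
        return Result.ERROR
    return Result.PASS if RADIUS_USERS.get(user) == password else Result.FAIL


METHODS = {"group radius": radius_group, "local": local_method}


def evaluate(method_list: list, user: str, password: str, state: dict) -> tuple:
    """Return (final Result, name of the method that decided, trace).

    The trace records every method consulted, which is what
    'debug aaa authentication' lets you see on the box."""
    trace = []
    for name in method_list:
        r = METHODS[name](user, password, state)
        trace.append((name, r))
        if r is not Result.ERROR:
            return r, name, trace
    return Result.FAIL, None, trace   # every method errored: assumed to deny


if __name__ == "__main__":
    ml = ["group radius", "local"]
    for user, pw, state in [("alice", "alice-pw", {}),
                            ("admin", "ALongPassword", {}),
                            ("admin", "ALongPassword", {"radius_reachable": False})]:
        r, who, trace = evaluate(ml, user, pw, state)
        print(f"{user:6s} radius_up={state.get('radius_reachable', True)!s:5s}"
              f" -> {r.name:5s} decided by {who} via {[(n, x.name) for n, x in trace]}")
```

The second case is the one that surprises people: while the RADIUS group is reachable, the local-only "admin" account is rejected by RADIUS and never reaches the local method. The local entry is a fallback for server outages, not a second set of credentials, so either define the administrative accounts on the server as well or keep a separate method list (such as the "admins" list in the AAA scalability example) for console and management lines.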

Kerberos Authentication Examples


To specify Kerberos as the login authentication method, use the following command:
aaa authentication login default krb5

To specify Kerberos authentication for PPP, use the following command:
aaa authentication ppp default krb5

AAA Scalability Example


The following example shows a general security configuration using AAA with RADIUS as the security
protocol. In this example, the network access server is configured to allocate 16 background processes
to handle AAA requests for PPP.
aaa new-model
radius-server host alcatraz
radius-server key myRaDiUSpassWoRd
radius-server configure-nas
username root password ALongPassword
aaa authentication ppp dialins group radius local
aaa authentication login admins local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius
aaa processes 16
line 1 16
autoselect ppp
autoselect during-login
login authentication admins
modem dialin
interface group-async 1
group-range 1 16
encapsulation ppp
ppp authentication pap dialins

The lines in this sample RADIUS AAA configuration are defined as follows:
• The aaa new-model command enables AAA network security services.
• The radius-server host command defines the name of the RADIUS server host.
• The radius-server key command defines the shared secret text string between the network access
server and the RADIUS server host.


• The radius-server configure-nas command defines that the Cisco router or access server will query
the RADIUS server for static routes and IP pool definitions when the device first starts up.
• The username command defines the username and password to be used for the PPP Password
Authentication Protocol (PAP) caller identification.
• The aaa authentication ppp dialins group radius local command defines the authentication
method list “dialins,” which specifies that RADIUS authentication, then (if the RADIUS server does
not respond) local authentication will be used on serial lines using PPP.
• The aaa authentication login admins local command defines another method list, “admins,” for
login authentication.
• The aaa authorization network default group radius local command is used to assign an address
and other network parameters to the RADIUS user.
• The aaa accounting network default start-stop group radius command tracks PPP usage.
• The aaa processes command allocates 16 background processes to handle AAA requests for PPP.
• The line command switches the configuration mode from global configuration to line configuration
and identifies the specific lines being configured.
• The autoselect ppp command configures the Cisco IOS software to allow a PPP session to start up
automatically on these selected lines.
• The autoselect during-login command is used to display the username and password prompt
without pressing the Return key. After the user logs in, the autoselect function (in this case, PPP)
begins.
• The login authentication admins command applies the “admins” method list for login
authentication.
• The modem dialin command configures modems attached to the selected lines to only accept
incoming calls.
• The interface group-async command selects and defines an asynchronous interface group.
• The group-range command defines the member asynchronous interfaces in the interface group.
• The encapsulation ppp command sets PPP as the encapsulation method used on the specified
interfaces.
• The ppp authentication pap dialins command applies the “dialins” method list to the specified
interfaces.

Login and Failed Banner Examples


The following example shows how to configure a login banner (in this case, the phrase “Unauthorized
Access Prohibited”) that will be displayed when a user logs in to the system. The asterisk (*) is used as
the delimiting character. (RADIUS is specified as the default login authentication method.)
aaa new-model
aaa authentication banner *Unauthorized Access Prohibited*
aaa authentication login default group radius

This configuration produces the following login banner:


Unauthorized Access Prohibited
Username:

The following example shows how to additionally configure a failed login banner (in this case, the phrase
“Failed login. Try again.”) that will be displayed when a user tries to log in to the system and fails. The
asterisk (*) is used as the delimiting character. (RADIUS is specified as the default login authentication
method.)
aaa new-model
aaa authentication banner *Unauthorized Access Prohibited*
aaa authentication fail-message *Failed login. Try again.*
aaa authentication login default group radius

This configuration produces the following login and failed login banner:
Unauthorized Access Prohibited
Username:
Password:
Failed login. Try again.

AAA Packet of Disconnect Server Key Example


The following example shows how to configure POD (packet of disconnect), which terminates
connections on the network access server (NAS) when particular session attributes are identified.
aaa new-model
aaa authentication ppp default radius
aaa accounting network default start-stop radius
aaa accounting delay-start
aaa pod server server-key xyz123
radius-server host [Link] non-standard
radius-server key rad123

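The server key above is the only thing that authenticates a POD request. POD is a RADIUS Disconnect-Request, the message later standardized in RFC 5176 (originally RFC 3576): code 40, a 16-octet Request Authenticator computed as MD5 over the packet with the authenticator field zeroed followed by the shared secret, and attributes such as User-Name and Acct-Session-Id that select the session to drop. A NAS that accepts such a packet tears the session down, so anyone who knows the key and can reach the POD port can disconnect users. The Python script below is an added example, not Cisco code and not part of this guide: it builds a Disconnect-Request and then checks it the way the NAS must before acting on it. The key xyz123 is the one from the configuration above; the username, session ID and packet identifier are constructed sample values.

```python
import hashlib
import hmac
import struct
from typing import List, Tuple

# RADIUS packet codes used by Packet of Disconnect (RFC 5176, originally RFC 3576)
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42

USER_NAME = 1          # RADIUS attribute types used to identify the session to tear down
ACCT_SESSION_ID = 44


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1 octet), Length (1 octet, counts the 2-octet header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list that follows the 20-octet header."""
    attrs, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def request_authenticator(header: bytes, attributes: bytes, shared_key: bytes) -> bytes:
    """RFC 5176: MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)."""
    return hashlib.md5(header + bytes(16) + attributes + shared_key).digest()


def build_disconnect_request(identifier: int, attributes: bytes, shared_key: bytes) -> bytes:
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attributes))
    return header + request_authenticator(header, attributes, shared_key) + attributes


def verify_disconnect_request(packet: bytes, shared_key: bytes) -> bool:
    """What the NAS must check before honouring the request: code, length and authenticator."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = request_authenticator(packet[:4], packet[20:], shared_key)
    return hmac.compare_digest(packet[4:20], expected)


if __name__ == "__main__":
    # Constructed sample: the key is the page's "aaa pod server server-key xyz123", the rest is invented.
    key = b"xyz123"
    attrs = encode_attribute(USER_NAME, b"patuser") + encode_attribute(ACCT_SESSION_ID, b"0000001A")
    pod = build_disconnect_request(7, attrs, key)
    print("packet:", pod.hex())
    print("accepted with the configured key:", verify_disconnect_request(pod, key))
    print("accepted with a wrong key:", verify_disconnect_request(pod, b"guess"))
```

RFC 5176 also calls for a Message-Authenticator attribute (HMAC-MD5 under the same key); this example covers only the Request Authenticator, and neither check helps if the key is weak or widely shared, so treat server-key like any other credential and restrict which hosts may reach the POD port.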
Double Authentication Examples


The examples in this section illustrate possible configurations to be used with double authentication.
Your configurations could differ significantly, depending on your network and security requirements.
This section includes the following examples:
• Configuration of the Local Host for AAA with Double Authentication Examples
• Configuration of the AAA Server for First-Stage (PPP) Authentication and Authorization Example
• Configuration of the AAA Server for Second-Stage (Per-User) Authentication and Authorization
Examples
• Complete Configuration with TACACS+ Example

Note These configuration examples include specific IP addresses and other specific information. This
information is for illustration purposes only: your configuration will use different IP addresses,
different usernames and passwords, and different authorization statements.

Configuration of the Local Host for AAA with Double Authentication Examples
These two examples show how to configure a local host to use AAA for PPP and login authentication,
and for network and EXEC authorization. One example is shown for RADIUS and one example for
TACACS+.
In both examples, the first three lines configure AAA, with a specific server as the AAA server. The next
two lines configure AAA for PPP and login authentication, and the last two lines configure network and
EXEC authorization. The last line is necessary only if the access-profile command will be executed as
an autocommand.
The following example shows router configuration with a RADIUS AAA server:
aaa new-model
radius-server host secureserver
radius-server key myradiuskey
aaa authentication ppp default group radius
aaa authentication login default group radius
aaa authorization network default group radius
aaa authorization exec default group radius

The following example shows router configuration with a TACACS+ server:


aaa new-model
tacacs-server host security
tacacs-server key mytacacskey
aaa authentication ppp default group tacacs+
aaa authentication login default group tacacs+
aaa authorization network default group tacacs+
aaa authorization exec default group tacacs+

Configuration of the AAA Server for First-Stage (PPP) Authentication and Authorization Example
This example shows a configuration on the AAA server. A partial sample AAA configuration is shown
for RADIUS.
TACACS+ servers can be configured similarly. (See the section “Complete Configuration with
TACACS+ Example” later in this chapter.)
This example defines authentication/authorization for a remote host named “hostx” that will be
authenticated by CHAP in the first stage of double authentication. Note that the ACL AV pair limits the
remote host to Telnet connections to the local host. The local host has the IP address [Link].
The following example shows a partial AAA server configuration for RADIUS:
hostx Password = "welcome"
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "lcp:interface-config=ip unnumbered ethernet 0",
    cisco-avpair = "ip:inacl#3=permit tcp any [Link] [Link] eq telnet",
    cisco-avpair = "ip:inacl#4=deny icmp any any",
    cisco-avpair = "ip:route#5=[Link] [Link]",
    cisco-avpair = "ip:route#6=[Link] [Link]",
    cisco-avpair = "ipx:inacl#3=deny any"

Configuration of the AAA Server for Second-Stage (Per-User) Authentication and Authorization
Examples
This section contains partial sample AAA configurations on a RADIUS server. These configurations
define authentication and authorization for a user (Pat) with the username “patuser,” who will be
user-authenticated in the second stage of double authentication.
TACACS+ servers can be configured similarly. (See the section “Complete Configuration with
TACACS+ Example” later in this chapter.)
Three examples show sample RADIUS AAA configurations that could be used with each of the three
forms of the access-profile command.
The first example shows a partial sample AAA configuration that works with the default form
(no keywords) of the access-profile command. Note that only ACL AV pairs are defined. This example
also sets up the access-profile command as an autocommand.
patuser Password = "welcome"
    User-Service-Type = Shell-User,
    cisco-avpair = "shell:autocmd=access-profile",
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "ip:inacl#3=permit tcp any host [Link] eq telnet",
    cisco-avpair = "ip:inacl#4=deny icmp any any"

The second example shows a partial sample AAA configuration that works with the access-profile
merge form of the access-profile command. This example also sets up the access-profile merge
command as an autocommand.
patuser Password = "welcome"
    User-Service-Type = Shell-User,
    cisco-avpair = "shell:autocmd=access-profile merge",
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "ip:inacl#3=permit tcp any any",
    cisco-avpair = "ip:route=[Link] [Link]",
    cisco-avpair = "ip:route=[Link] [Link]",
    cisco-avpair = "ip:route=[Link] [Link]"

The third example shows a partial sample AAA configuration that works with the access-profile replace
form of the access-profile command. This example also sets up the access-profile replace command as
an autocommand.
patuser Password = "welcome"
    User-Service-Type = Shell-User,
    cisco-avpair = "shell:autocmd=access-profile replace",
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "ip:inacl#3=permit tcp any any",
    cisco-avpair = "ip:inacl#4=permit icmp any any",
    cisco-avpair = "ip:route=[Link] [Link]",
    cisco-avpair = "ip:route=[Link] [Link]",
    cisco-avpair = "ip:route=[Link] [Link]"

Complete Configuration with TACACS+ Example


This example shows TACACS+ authorization profile configurations both for the remote host (used in the
first stage of double authentication) and for specific users (used in the second stage of double
authentication). This TACACS+ example contains approximately the same configuration information as
shown in the previous RADIUS examples.
This sample configuration shows authentication/authorization profiles on the TACACS+ server for the
remote host “hostx” and for three users, with the usernames “pat_default,” “pat_merge,” and
“pat_replace.” The configurations for these three usernames illustrate different configurations that
correspond to the three different forms of the access-profile command. The three user configurations
also illustrate setting up the autocommand for each form of the access-profile command.
Figure 5 shows the topology. The example that follows the figure shows a TACACS+ configuration file.

Figure 5 Example Topology for Double Authentication

[Figure: the remote host, a Cisco 1003 ISDN router, connects through its BRI0 interface over ISDN to PRI1 on the local host, an AS5200 network access server, using PPP; the AS5200 queries the TACACS+ AAA server.]

key = "mytacacskey"

default authorization = permit

#-----------------------------Remote Host (BRI)-------------------------
#
# This allows the remote host to be authenticated by the local host
# during first-stage authentication, and provides the remote host
# authorization profile.
#
#-----------------------------------------------------------------------

user = hostx
{
    login = cleartext "welcome"
    chap = cleartext "welcome"

    service = ppp protocol = lcp {
        interface-config="ip unnumbered ethernet 0"
    }

    service = ppp protocol = ip {
        # It is important to have the hash sign and some string after
        # it. This indicates to the NAS that you have a per-user
        # config.
        inacl#3="permit tcp any [Link] [Link] eq telnet"
        inacl#4="deny icmp any any"
        route#5="[Link] [Link]"
        route#6="[Link] [Link]"
    }

    service = ppp protocol = ipx {
        # see previous comment about the hash sign and string, in protocol = ip
        inacl#3="deny any"
    }
}

#------------------- "access-profile" default user "only acls" ------------------
#
# Without arguments, access-profile removes any access-lists it can find
# in the old configuration (both per-user and per-interface), and makes sure
# that the new profile contains ONLY access-list definitions.
#
#--------------------------------------------------------------------------------

user = pat_default
{
    login = cleartext "welcome"
    chap = cleartext "welcome"

    service = exec {
        # This is the autocommand that executes when pat_default logs in.
        autocmd = "access-profile"
    }

    service = ppp protocol = ip {
        # Put whatever access-lists, static routes, whatever
        # here.
        # If you leave this blank, the user will have NO IP
        # access-lists (not even the ones installed prior to
        # this)!
        inacl#3="permit tcp any host [Link] eq telnet"
        inacl#4="deny icmp any any"
    }

    service = ppp protocol = ipx {
        # Put whatever access-lists, static routes, whatever
        # here.
        # If you leave this blank, the user will have NO IPX
        # access-lists (not even the ones installed prior to
        # this)!
    }
}

#--------------------- "access-profile merge" user ---------------------------
#
# With the 'merge' option, first all old access-lists are removed (as before),
# but then (almost) all AV pairs are uploaded and installed. This will allow
# for uploading any custom static routes, sap-filters, and so on, that the user
# may need in his or her profile. This needs to be used with care, as it leaves
# open the possibility of conflicting configurations.
#
#-----------------------------------------------------------------------------

user = pat_merge
{
    login = cleartext "welcome"
    chap = cleartext "welcome"

    service = exec {
        # This is the autocommand that executes when pat_merge logs in.
        autocmd = "access-profile merge"
    }

    service = ppp protocol = ip {
        # Put whatever access-lists, static routes, whatever
        # here.
        # If you leave this blank, the user will have NO IP
        # access-lists (not even the ones installed prior to
        # this)!
        inacl#3="permit tcp any any"
        route#2="[Link] [Link]"
        route#3="[Link] [Link]"
        route#4="[Link] [Link]"
    }

    service = ppp protocol = ipx {
        # Put whatever access-lists, static routes, whatever
        # here.
        # If you leave this blank, the user will have NO IPX
        # access-lists (not even the ones installed prior to
        # this)!
    }
}

#--------------------- "access-profile replace" user ----------------------------
#
# With the 'replace' option, ALL old configuration is removed and ALL new
# configuration is installed.
#
# One caveat: access-profile checks the new configuration for address-pool and
# address AV pairs. As addresses cannot be renegotiated at this point, the
# command will fail (and complain) when it encounters such an AV pair.
# Such AV pairs are considered to be "invalid" for this context.
#-------------------------------------------------------------------------------

user = pat_replace
{
    login = cleartext "welcome"
    chap = cleartext "welcome"

    service = exec {
        # This is the autocommand that executes when pat_replace logs in.
        autocmd = "access-profile replace"
    }

    service = ppp protocol = ip {
        # Put whatever access-lists, static routes, whatever
        # here.
        # If you leave this blank, the user will have NO IP
        # access-lists (not even the ones installed prior to
        # this)!
        inacl#3="permit tcp any any"
        inacl#4="permit icmp any any"
        route#2="[Link] [Link]"
        route#3="[Link] [Link]"
        route#4="[Link] [Link]"
    }

    service = ppp protocol = ipx {
        # Put whatever access-lists, static routes, whatever
        # here.
        # If you leave this blank, the user will have NO IPX
        # access-lists (not even the ones installed prior to
        # this)!
    }
}

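The three user entries above differ only in which form of access-profile their autocommand runs, and the comments describe what each form does to the configuration that the first stage (the hostx profile) installed. The Python model below is an added example, not Cisco code and not part of this guide. It parses AV pairs in both notations used on this page (the RADIUS ip:inacl#3=... form and the TACACS+ inacl#3=... form inside a protocol block), enforces the comment's rule that a per-user access list needs a '#string' after the attribute name, applies the default, merge and replace forms to a first-stage profile, and reports the conflicting static routes the merge comment warns about. Assumptions: the "address" and "address-pool" AV pairs that replace refuses are modelled as ip:addr and ip:addr-pool; the merge form is modelled as skipping those two pairs (the page says only that "(almost) all" AV pairs are installed); and the addresses in the sample profiles are constructed from the 192.0.2.0/24 documentation range, not taken from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One Cisco AV pair in either notation on this page:
#   RADIUS   cisco-avpair = "ip:inacl#3=permit tcp any any"
#   TACACS+  inacl#3="permit tcp any any"   (inside "service = ppp protocol = ip")
AV_RE = re.compile(r"^(?:(?P<proto>[a-z]+):)?(?P<attr>[a-z-]+)(?:#(?P<tag>[^=]*))?=(?P<value>.*)$")

ACL_ATTRS = {"inacl", "outacl"}
# Assumed Cisco AV pair names for the "address" and "address-pool" pairs that replace refuses.
ADDRESS_ATTRS = {"addr", "addr-pool"}


@dataclass(frozen=True)
class AVPair:
    proto: str            # ip, ipx, lcp, shell, ...
    attr: str             # inacl, outacl, route, interface-config, ...
    tag: Optional[str]    # text after '#', e.g. "3" for inacl#3; None when absent
    value: str

    @property
    def is_acl(self) -> bool:
        return self.attr in ACL_ATTRS

    @property
    def is_address(self) -> bool:
        return self.attr in ADDRESS_ATTRS


def parse_avpair(text: str, proto: str = "ip") -> AVPair:
    """`proto` is the enclosing TACACS+ 'protocol =' block, used when the pair has no prefix."""
    m = AV_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an AV pair: {text!r}")
    attr, tag = m.group("attr"), m.group("tag")
    # Rule from the page's comment: per-user access lists need the hash sign and some string
    # after it, otherwise the NAS does not treat the entry as per-user configuration.
    if attr in ACL_ATTRS and not tag:
        raise ValueError(f"{attr} needs '#<string>' to be installed per user: {text!r}")
    return AVPair(m.group("proto") or proto, attr, tag, m.group("value"))


def access_profile(installed: List[AVPair], new: List[AVPair], form: str = "default") -> List[AVPair]:
    """Apply the second-stage profile `new` over the first-stage configuration `installed`."""
    if form == "default":
        # Old access lists (per-user and per-interface) are removed; only the new ACL entries are installed.
        return [av for av in installed if not av.is_acl] + [av for av in new if av.is_acl]
    if form == "merge":
        # Old access lists are removed, then (almost) all new AV pairs are installed.
        # Assumption: the pairs left out are the address ones; the page does not list them.
        return [av for av in installed if not av.is_acl] + [av for av in new if not av.is_address]
    if form == "replace":
        # ALL old configuration is removed and ALL new configuration installed, but addresses
        # cannot be renegotiated at this point, so an address AV pair makes the command fail.
        bad = [f"{av.proto}:{av.attr}" for av in new if av.is_address]
        if bad:
            raise ValueError("invalid AV pair(s) for access-profile replace: " + ", ".join(bad))
        return list(new)
    raise ValueError(f"unknown access-profile form: {form!r}")


def rendered_acl(profile: List[AVPair], proto: str = "ip", attr: str = "inacl") -> List[str]:
    """The per-user access list as the NAS orders it: numeric tags ascending (inacl#3, inacl#4, ...)."""
    entries = [av for av in profile if av.proto == proto and av.attr == attr]
    return [av.value for av in sorted(entries, key=lambda av: int(av.tag) if av.tag and av.tag.isdigit() else 0)]


def route_conflicts(profile: List[AVPair]) -> Dict[str, List[str]]:
    """Destinations given more than one different static route; the page warns merge allows this."""
    by_dest: Dict[str, List[str]] = {}
    for av in profile:
        if av.proto == "ip" and av.attr == "route":
            by_dest.setdefault(av.value.split()[0], []).append(av.value)
    return {dest: routes for dest, routes in by_dest.items() if len(set(routes)) > 1}


if __name__ == "__main__":
    # Constructed sample profiles; addresses are from the 192.0.2.0/24 documentation range.
    first_stage = [parse_avpair("lcp:interface-config=ip unnumbered ethernet 0"),
                   parse_avpair("ip:inacl#3=permit tcp any host 192.0.2.10 eq telnet"),
                   parse_avpair("ip:inacl#4=deny icmp any any"),
                   parse_avpair("ip:route#5=192.0.2.0 255.255.255.0"),
                   parse_avpair("inacl#3=deny any", proto="ipx")]
    pat_merge = [parse_avpair("ip:inacl#3=permit tcp any any"),
                 parse_avpair("ip:route=192.0.2.0 255.255.0.0")]
    merged = access_profile(first_stage, pat_merge, "merge")
    print("inacl after merge:", rendered_acl(merged))
    print("conflicting routes:", route_conflicts(merged))
```

The point to take from the model is the one the comments make: every form drops the first-stage access lists, so a second-stage profile with no ACL entries leaves the user with no per-user filtering at all, and merge can quietly install a route that contradicts one from the first stage.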
Automated Double Authentication Example


This example shows a complete configuration file for a Cisco 2509 router with automated double
authentication configured. The configuration commands that apply to automated double authentication
are preceded by descriptions with a double asterisk (**). The other settings are lab values for
illustration only: the read-only SNMP community string “public,” the cleartext enable and vty
passwords, and no service password-encryption are not suitable for a production router.
Current configuration:
!
version 11.3
no service password-encryption
!
hostname myrouter
!
!
! **The following AAA commands are used to configure double authentication:
!
! **The following command enables AAA:
aaa new-model
! **The following command enables user authentication via the TACACS+ AAA server:
aaa authentication login default group tacacs+
aaa authentication login console none
! **The following command enables device authentication via the TACACS+ AAA server:
aaa authentication ppp default group tacacs+
! **The following command causes the remote user’s authorization profile to be
! downloaded from the AAA server to the Cisco 2509 router when required:
aaa authorization exec default group tacacs+
! **The following command causes the remote device’s authorization profile to be
! downloaded from the AAA server to the Cisco 2509 router when required:
aaa authorization network default group tacacs+

enable password mypassword
!
ip host blue [Link]
ip host green [Link]
ip host red [Link]
ip domain-name [Link]
ip name-server [Link]
! **The following command globally enables automated double authentication:
ip trigger-authentication timeout 60 port 7500
isdn switch-type basic-5ess
!
!
interface Ethernet0
ip address [Link] [Link]
no ip route-cache
no ip mroute-cache
no keepalive
ntp disable
no cdp enable
!
interface Virtual-Template1
ip unnumbered Ethernet0
no ip route-cache
no ip mroute-cache
!
interface Serial0
ip address [Link] [Link]
encapsulation ppp
no ip mroute-cache
no keepalive
shutdown
clockrate 2000000
no cdp enable
!
interface Serial1
no ip address
no ip route-cache
no ip mroute-cache
shutdown
no cdp enable
!
! **Automated double authentication occurs via the ISDN BRI interface BRI0:
interface BRI0
ip unnumbered Ethernet0
! **The following command turns on automated double authentication at this interface:
ip trigger-authentication
! **PPP encapsulation is required:
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer idle-timeout 500
dialer map ip [Link] name myrouter 60074
dialer-group 1
no cdp enable

! **The following command specifies that device authentication occurs via PPP CHAP:
ppp authentication chap
!
router eigrp 109
network [Link]
no auto-summary
!
ip default-gateway [Link]
no ip classless
ip route [Link] [Link] [Link]
! **Virtual profiles are required for double authentication to work:
virtual-profile virtual-template 1
dialer-list 1 protocol ip permit
no cdp run
! **The following command defines where the TACACS+ AAA server is:
tacacs-server host [Link] port 1049
tacacs-server timeout 90
! **The following command defines the key to use with TACACS+ traffic (required):
tacacs-server key mytacacskey
snmp-server community public RO
!
line con 0
exec-timeout 0 0
login authentication console
line aux 0
transport input all
line vty 0 4
exec-timeout 0 0
password lab
!
end

MS-CHAP Example
The following example shows how to configure a Cisco AS5200 Universal Access Server (enabled for
AAA and communication with a RADIUS security server) for PPP authentication using MS-CHAP:
aaa new-model
aaa authentication login admins local
aaa authentication ppp dialins group radius local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius

username root password ALongPassword

radius-server host alcatraz


radius-server key myRaDiUSpassWoRd

interface group-async 1
group-range 1 16
encapsulation ppp
ppp authentication ms-chap dialins

line 1 16
autoselect ppp
autoselect during-login
login authentication admins
modem dialin

The lines in this sample RADIUS AAA configuration are defined as follows:
• The aaa new-model command enables AAA network security services.
• The aaa authentication login admins local command defines another method list, “admins”, for
login authentication.
• The aaa authentication ppp dialins group radius local command defines the authentication
method list “dialins,” which specifies RADIUS authentication, with local authentication used only if
the RADIUS server does not respond, on serial lines using PPP.
• The aaa authorization network default group radius local command is used to assign an address
and other network parameters to the RADIUS user.
• The aaa accounting network default start-stop group radius command tracks PPP usage.
• The username command defines a username and password in the local database; the local method of
the “dialins” list checks it when the RADIUS server does not respond.
• The radius-server host command defines the name of the RADIUS server host.
• The radius-server key command defines the shared secret text string between the network access
server and the RADIUS server host.
• The interface group-async command selects and defines an asynchronous interface group.
• The group-range command defines the member asynchronous interfaces in the interface group.
• The encapsulation ppp command sets PPP as the encapsulation method used on the specified
interfaces.
• The ppp authentication ms-chap dialins command selects MS-CHAP as the method of PPP
authentication and applies the “dialins” method list to the specified interfaces.
• The line command switches the configuration mode from global configuration to line configuration
and identifies the specific lines being configured.
• The autoselect ppp command configures the Cisco IOS software to allow a PPP session to start up
automatically on these selected lines.
• The autoselect during-login command is used to display the username and password prompt
without pressing the Return key. After the user logs in, the autoselect function (in this case, PPP)
begins.
• The login authentication admins command applies the “admins” method list for login
authentication.
• The modem dialin command configures modems attached to the selected lines to only accept
incoming calls.

Configuring Authorization

AAA authorization enables you to limit the services available to a user. When AAA authorization is
enabled, the network access server uses information retrieved from the user’s profile, which is located
either in the local user database or on the security server, to configure the user’s session. Once this is
done, the user will be granted access to a requested service only if the information in the user profile
allows it.
For a complete description of the authorization commands used in this chapter, refer to the chapter
“Authorization Commands” in the Cisco IOS Security Command Reference. To locate documentation of
other commands that appear in this chapter, use the command reference master index or search online.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on [Link] to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported
Platforms” section in the “Using Cisco IOS Software” chapter.

In This Chapter
This chapter contains the following sections:
• Named Method Lists for Authorization
• AAA Authorization Methods
• Method Lists and Server Groups
• AAA Authorization Types
• AAA Authorization Prerequisites
• AAA Authorization Configuration Task List
• Authorization Attribute-Value Pairs
• Authorization Configuration Examples

Named Method Lists for Authorization


Method lists for authorization define the ways that authorization will be performed and the sequence in
which these methods will be performed. A method list is simply a named list describing the authorization
methods to be queried (such as RADIUS or TACACS+), in sequence. Method lists enable you to
designate one or more security protocols to be used for authorization, thus ensuring a backup system in
case the initial method fails. Cisco IOS software uses the first method listed to authorize users for
specific network services; if that method fails to respond, the Cisco IOS software selects the next method
listed in the method list. This process continues until there is successful communication with a listed
authorization method, or all methods defined are exhausted.

Note The Cisco IOS software attempts authorization with the next listed method only when there is no
response from the previous method. If authorization fails at any point in this cycle—meaning that the
security server or local username database responds by denying the user services—the authorization
process stops and no other authorization methods are attempted.

Method lists are specific to the authorization type requested:


• Auth-proxy—Applies specific security policies on a per-user basis. For detailed information on the
authentication proxy feature, refer to the chapter “Configuring Authentication Proxy” in the “Traffic
Filtering and Firewalls” part of this book.
• Commands—Applies to the EXEC mode commands a user issues. Command authorization attempts
authorization for all EXEC mode commands, including global configuration commands, associated
with a specific privilege level.
• EXEC—Applies to the attributes associated with a user EXEC terminal session.
• Network—Applies to network connections. This can include a PPP, SLIP, or ARAP connection.
• Reverse Access—Applies to reverse Telnet sessions.
When you create a named method list, you are defining a particular list of authorization methods for the
indicated authorization type.
Once defined, method lists must be applied to specific lines or interfaces before any of the defined
methods will be performed. The only exception is the default method list (which is named “default”). If
the aaa authorization command for a particular authorization type is issued without a named method
list specified, the default method list is automatically applied to all interfaces or lines except those that
have a named method list explicitly defined. (A defined method list overrides the default method list.) If
no default method list is defined, local authorization takes place by default.

AAA Authorization Methods


AAA supports five different methods of authorization:
• TACACS+—The network access server exchanges authorization information with the TACACS+
security daemon. TACACS+ authorization defines specific rights for users by associating
attribute-value pairs, which are stored in a database on the TACACS+ security server, with the
appropriate user.
• If-Authenticated—The user is allowed to access the requested function provided the user has been
authenticated successfully.
• None—The network access server does not request authorization information; authorization is not
performed over this line/interface.
• Local—The router or access server consults its local database, as defined by the username
command, for example, to authorize specific rights for users. Only a limited set of functions can be
controlled via the local database.
• RADIUS—The network access server requests authorization information from the RADIUS
security server. RADIUS authorization defines specific rights for users by associating attributes,
which are stored in a database on the RADIUS server, with the appropriate user.

Method Lists and Server Groups


A server group is a way to group existing RADIUS or TACACS+ server hosts for use in method lists.
Figure 6 shows a typical AAA network configuration that includes four security servers: R1 and R2 are
RADIUS servers, and T1 and T2 are TACACS+ servers. R1 and R2 make up the group of RADIUS
servers. T1 and T2 make up the group of TACACS+ servers.

Figure 6 Typical AAA Network Configuration

[Figure: a remote PC reaches the NAS; behind the NAS are RADIUS servers R1 and R2, TACACS+ servers T1 and T2, and a workstation.]

Using server groups, you can specify a subset of the configured server hosts and use them for a particular
service. For example, server groups allow you to define R1 and R2 as separate server groups, and T1 and
T2 as separate server groups. This means you can specify either R1 and T1 in the method list or R2 and
T2 in the method list, which provides more flexibility in the way that you assign RADIUS and TACACS+
resources.
Server groups also can include multiple host entries for the same server, as long as each entry has a
unique identifier. The combination of an IP address and a UDP port number creates a unique identifier,
allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
In other words, this unique identifier enables RADIUS requests to be sent to different UDP ports on a
server at the same IP address. If two different host entries on the same RADIUS server are configured
for the same service (for example, accounting), the second host entry configured acts as fail-over
backup to the first one: if the first host entry fails to provide accounting services, the network
access server tries the second host entry configured on the same device for accounting services. (The
RADIUS host entries are tried in the order they are configured.)
For more information about configuring server groups and about configuring server groups based on
DNIS numbers, refer to the chapter “Configuring RADIUS” or the chapter “Configuring TACACS+.”

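Two rules from this chapter decide whether a reject from a security server can ever fall through to a local username: the Note above (the next method is tried only when a method does not respond, never after a deny), and the server-group rule just described (host entries are tried in configured order, and the same IP address on a different port is a separate host). The Python model below is an added example, not Cisco code and not part of this guide: it evaluates an authorization method list the way the text describes, with server groups, named and default lists, and the local, if-authenticated and none methods, and records which hosts were contacted. Assumptions: the local method is modelled as "no response" for a username absent from the local database; an authorization type with no default list falls to local authorization, as the text states; and the server addresses are constructed from the 192.0.2.0/24 documentation range.

```python
from typing import Callable, Dict, List, Optional, Tuple

Host = Tuple[str, int]          # (address, port): the pair that makes a server host entry unique
Verdict = Optional[str]         # "accept", "reject", or None when the server never answers


class ServerGroup:
    """RADIUS or TACACS+ hosts tried in configured order; the first one that answers decides,
    and the group is 'no response' only when every entry has timed out."""

    def __init__(self, name: str, hosts: List[Host]) -> None:
        self.name, self.hosts = name, hosts

    def query(self, user: str, reach: Callable[[Host, str], Verdict]) -> Verdict:
        for host in self.hosts:
            verdict = reach(host, user)
            if verdict is not None:
                return verdict
        return None


class AAAConfig:
    """The parts of 'aaa group server', 'username' and 'aaa authorization' this model needs."""

    def __init__(self) -> None:
        self.groups: Dict[str, ServerGroup] = {}
        self.local_users: Dict[str, bool] = {}                 # username -> authorized for the service
        self.lists: Dict[str, Dict[str, List[str]]] = {}        # auth type -> list name -> methods

    def aaa_group_server(self, name: str, hosts: List[Host]) -> None:
        self.groups[name] = ServerGroup(name, hosts)

    def username(self, name: str, authorized: bool = True) -> None:
        self.local_users[name] = authorized

    def aaa_authorization(self, auth_type: str, list_name: str, *methods: str) -> None:
        self.lists.setdefault(auth_type, {})[list_name] = list(methods)

    def run_method(self, method: str, user: str, authenticated: bool,
                   reach: Callable[[Host, str], Verdict]) -> Verdict:
        if method.startswith("group "):
            return self.groups[method.split(None, 1)[1]].query(user, reach)
        if method == "local":
            # Assumption: a username absent from the local database counts as no response.
            if user not in self.local_users:
                return None
            return "accept" if self.local_users[user] else "reject"
        if method == "if-authenticated":
            return "accept" if authenticated else "reject"
        if method == "none":
            return "accept"          # authorization is not performed on this line/interface
        raise ValueError(f"unknown method {method!r}")

    def authorize(self, auth_type: str, user: str, reach: Callable[[Host, str], Verdict],
                  authenticated: bool = True, list_name: Optional[str] = None) -> Tuple[str, Optional[str]]:
        """Evaluate the list applied to a line or interface; returns (verdict, deciding method)."""
        lists = self.lists.get(auth_type, {})
        if list_name in lists:
            methods = lists[list_name]          # a named list overrides the default list
        elif "default" in lists:
            methods = lists["default"]
        else:
            methods = ["local"]                 # the text: no default list -> local authorization
        for method in methods:
            verdict = self.run_method(method, user, authenticated, reach)
            if verdict is not None:             # any answer, accept or reject, ends the cycle
                return verdict, method
        return "error", None                    # every method exhausted without a response


class Network:
    """Constructed stand-in for the servers: each listed host's verdict (None = that host is down);
    hosts not listed time out. Records the order in which hosts were tried."""

    def __init__(self, verdicts: Dict[Host, Verdict]) -> None:
        self.verdicts = verdicts
        self.tried: List[Host] = []

    def __call__(self, host: Host, user: str) -> Verdict:
        self.tried.append(host)
        return self.verdicts.get(host)


def sample_config() -> AAAConfig:
    """Constructed configuration; server addresses are from the 192.0.2.0/24 documentation range."""
    cfg = AAAConfig()
    cfg.aaa_group_server("rad", [("192.0.2.1", 1645), ("192.0.2.1", 1812)])   # same server, two ports
    cfg.aaa_group_server("tac", [("192.0.2.2", 49)])
    cfg.username("pat")
    cfg.aaa_authorization("exec", "default", "group rad", "local")
    cfg.aaa_authorization("exec", "admins", "group tac", "if-authenticated")
    return cfg


if __name__ == "__main__":
    cfg = sample_config()
    net = Network({("192.0.2.1", 1645): "reject"})   # first RADIUS host answers with a reject
    print(cfg.authorize("exec", "pat", net))          # ('reject', 'group rad'): no fall-through to local
    print(cfg.authorize("exec", "pat", Network({})))  # ('accept', 'local'): every server silent
```

The check worth running against a real method list is the third case in the test below: when every server in the group is unreachable, whatever is in the local username database becomes the policy, so a list ending in local is only as strict as that database.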
AAA Authorization Types


Cisco IOS software supports the following types of authorization:
• Auth-proxy—Applies specific security policies on a per-user basis. For detailed information on the
authentication proxy feature, refer to the “Configuring Authentication Proxy” chapter in the “Traffic
Filtering and Firewalls” section of this book.
• Commands—Applies to the EXEC mode commands a user issues. Command authorization attempts
authorization for all EXEC mode commands, including global configuration commands, associated
with a specific privilege level.
• EXEC—Applies to the attributes associated with a user EXEC terminal session.
• Network—Applies to network connections. This can include a PPP, SLIP, or ARAP connection.
• Reverse Access—Applies to reverse Telnet sessions.
• Configuration—Applies to downloading configurations from the AAA server.
• IP Mobile—Applies to authorization for IP mobile services.

AAA Authorization Prerequisites


Before configuring authorization using named method lists, you must first perform the following tasks:
• Enable AAA on your network access server. For more information about enabling AAA on your
Cisco router or access server, refer to the “AAA Overview” chapter.
• Configure AAA authentication. Authorization generally takes place after authentication and relies
on authentication to work properly. For more information about AAA authentication, refer to the
“Configuring Authentication” chapter.
• Define the characteristics of your RADIUS or TACACS+ security server if you are issuing RADIUS
or TACACS+ authorization. For more information about configuring your Cisco network access
server to communicate with your RADIUS security server, refer to the chapter “Configuring
RADIUS”. For more information about configuring your Cisco network access server to
communicate with your TACACS+ security server, refer to the chapter “Configuring TACACS+”.
• Define the rights associated with specific users by using the username command if you are issuing
local authorization. For more information about the username command, refer to the Cisco IOS
Security Command Reference.

AAA Authorization Configuration Task List


This section describes the following configuration tasks:
• Configuring AAA Authorization Using Named Method Lists
• Disabling Authorization for Global Configuration Commands
• Configuring Authorization for Reverse Telnet
For authorization configuration examples using the commands in this chapter, refer to the section
“Authorization Configuration Examples” at the end of this chapter.

Configuring AAA Authorization Using Named Method Lists


To configure AAA authorization using named method lists, use the following commands beginning in
global configuration mode:

Command Purpose
Step 1  Command: Router(config)# aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration | ipmobile} {default | list-name} [method1 [method2...]]
        Purpose: Creates an authorization method list for a particular authorization type and enables authorization.

Step 2  Command: Router(config)# line [aux | console | tty | vty] line-number [ending-line-number]
        Purpose: Enters line configuration mode for the lines to which you want to apply the authorization method list.
        or
        Command: Router(config)# interface interface-type interface-number
        Purpose: Alternately, enters interface configuration mode for the interfaces to which you want to apply the authorization method list.

Step 3  Command: Router(config-line)# authorization {arap | commands level | exec | reverse-access} {default | list-name}
        Purpose: Applies the authorization list to a line or set of lines.
        or
        Command: Router(config-if)# ppp authorization {default | list-name}
        Purpose: Alternately, applies the authorization list to an interface or set of interfaces.

This section includes the following sections:


• Authorization Types
• Authorization Methods

Authorization Types
Named authorization method lists are specific to the indicated type of authorization.
To create a method list to enable authorization that applies specific security policies on a per-user basis,
use the auth-proxy keyword. For detailed information on the authentication proxy feature, refer to the
chapter “Configuring Authentication Proxy” in the “Traffic Filtering and Firewalls” part of this book.
To create a method list to enable authorization for all network-related service requests (including SLIP,
PPP, PPP NCPs, and ARAP), use the network keyword.
To create a method list to enable authorization to determine if a user is allowed to run an EXEC shell,
use the exec keyword.
To create a method list to enable authorization for specific, individual EXEC commands associated with
a specific privilege level, use the commands keyword. (This allows you to authorize all commands
associated with a specified command level from 0 to 15.)
To create a method list to enable authorization for reverse Telnet functions, use the reverse-access
keyword.
For information about the types of authorization supported by the Cisco IOS software, refer to the “AAA
Authorization Types” section of this chapter.

Authorization Methods
To have the network access server request authorization information via a TACACS+ security server, use
the aaa authorization command with the group tacacs+ method keyword. For more specific
information about configuring authorization using a TACACS+ security server, refer to the chapter
“Configuring TACACS+.” For an example of how to enable a TACACS+ server to authorize the use of
network services, including PPP and ARA, see the section “TACACS+ Authorization Examples” at the
end of this chapter.
To allow users to have access to the functions they request as long as they have been authenticated, use
the aaa authorization command with the if-authenticated method keyword. If you select this method,
all requested functions are automatically granted to authenticated users.
There may be times when you do not want to run authorization from a particular interface or line. To
stop authorization activities on designated lines or interfaces, use the none method keyword. If you
select this method, authorization is disabled for all actions.
To select local authorization, which means that the router or access server consults its local user database
to determine the functions a user is permitted to use, use the aaa authorization command with the local
method keyword. The functions associated with local authorization are defined by using the username
global configuration command. For a list of permitted functions, refer to the chapter “Configuring
Authentication.”
To have the network access server request authorization via a RADIUS security server, use the
aaa authorization command with the group radius method keyword (the radius keyword, used in
earlier releases, is also accepted). For more specific information about configuring authorization using
a RADIUS security server, refer to the chapter “Configuring RADIUS.” For an example of how to enable
a RADIUS server to authorize services, see the “RADIUS Authorization Example” section at the end of
this chapter.

Note Authorization method lists for SLIP follow whatever is configured for PPP on the relevant interface.
If no lists are defined and applied to a particular interface (or no PPP settings are configured), the
default setting for authorization applies.
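As an added example (not part of this guide and not Cisco IOS code), the following Python simulates the method-list walk described above: each method answers permit, deny or no response, the next method is consulted only after no response, and the none method grants every request, which is why a list such as "group tacacs+ none" permits everything while the TACACS+ server is unreachable. The server names, users and policies are constructed.

```python
"""Walk an AAA authorization method list the way this section describes.

Added example, not Cisco IOS code. Each method answers PERMIT, DENY or
NO_RESPONSE; the walk moves on only after NO_RESPONSE, stops at the first
PERMIT or DENY, and fails closed when every method stays silent.
Server names, users and policies are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Verdict(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NO_RESPONSE = "no-response"   # server unreachable or timed out


@dataclass
class Request:
    user: str
    service: str          # "network", "exec", "reverse-access", ...
    authenticated: bool


@dataclass
class SecurityServer:
    """A RADIUS or TACACS+ server: the services it permits, per user."""
    name: str
    reachable: bool
    policy: Dict[str, List[str]]

    def authorize(self, req: Request) -> Verdict:
        if not self.reachable:
            return Verdict.NO_RESPONSE
        allowed = req.service in self.policy.get(req.user, [])
        return Verdict.PERMIT if allowed else Verdict.DENY


def build_method(token: str, servers: Dict[str, SecurityServer],
                 local_users: Dict[str, List[str]]) -> Callable[[Request], Verdict]:
    """Turn one method keyword from an aaa authorization line into a callable."""
    if token.startswith("group "):
        return servers[token.split(" ", 1)[1]].authorize     # e.g. "group radius"
    if token == "if-authenticated":
        return lambda req: Verdict.PERMIT if req.authenticated else Verdict.DENY
    if token == "none":
        return lambda req: Verdict.PERMIT                    # authorization disabled
    if token == "local":                                     # username database
        return lambda req: (Verdict.PERMIT if req.service in local_users.get(req.user, [])
                            else Verdict.DENY)
    raise ValueError(f"unknown authorization method {token!r}")


def parse_method_list(line: str) -> Tuple[str, str, List[str]]:
    """Split 'aaa authorization <type> [level] <list-name> <method>...' into parts."""
    words = line.split()
    if words[:2] != ["aaa", "authorization"]:
        raise ValueError("not an aaa authorization line")
    auth_type = words[2]
    pos = 4 if auth_type == "commands" else 3    # 'commands' carries a privilege level
    methods: List[str] = []
    for word in words[pos + 1:]:
        if methods and methods[-1] == "group":   # join "group" with the server group name
            methods[-1] = "group " + word
        else:
            methods.append(word)
    return auth_type, words[pos], methods


def evaluate(tokens: List[str], methods: List[Callable[[Request], Verdict]], req: Request):
    """Return the final verdict and the (token, verdict) trace of methods consulted."""
    trace = []
    for token, method in zip(tokens, methods):
        verdict = method(req)
        trace.append((token, verdict))
        if verdict is not Verdict.NO_RESPONSE:
            return verdict, trace
    return Verdict.DENY, trace        # every method silent: authorization fails


def run_scenarios() -> Dict[str, Tuple[Verdict, List[str]]]:
    # Three lists from this chapter's examples, evaluated for user pat requesting 'network'.
    servers = {"radius": SecurityServer("R1", True, {"pat": ["exec"]}),
               "tacacs+": SecurityServer("T1", False, {})}
    local_users = {"pat": ["network", "exec"]}
    req = Request("pat", "network", authenticated=True)
    results = {}
    for label, line, radius_up in (
            ("tacacs-down-none", "aaa authorization network default group tacacs+ none", True),
            ("radius-denies", "aaa authorization network scoobee group radius local", True),
            ("radius-down-local", "aaa authorization network scoobee group radius local", False)):
        servers["radius"].reachable = radius_up
        _, _, tokens = parse_method_list(line)
        methods = [build_method(t, servers, local_users) for t in tokens]
        verdict, trace = evaluate(tokens, methods, req)
        results[label] = (verdict, [t for t, _ in trace])
    return results
```

Note the second scenario: because the RADIUS server answered with a deny, the local method is never consulted even though the local database would have permitted the request.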

Disabling Authorization for Global Configuration Commands


The aaa authorization command with the keyword commands attempts authorization for all EXEC
mode commands, including global configuration commands, associated with a specific privilege level.
Because there are configuration commands that are identical to some EXEC-level commands, there can
be some confusion in the authorization process. Using no aaa authorization config-commands stops
the network access server from attempting configuration command authorization.
To disable AAA authorization for all global configuration commands, use the following command in
global configuration mode:

Command: Router(config)# no aaa authorization config-commands
Purpose: Disables authorization for all global configuration commands.

Configuring Authorization for Reverse Telnet


Telnet is a standard terminal emulation protocol used for remote terminal connection. Normally, you log
in to a network access server (typically through a dialup connection) and then use Telnet to access other
network devices from that network access server. There are times, however, when it is necessary to
establish a reverse Telnet session. In reverse Telnet sessions, the Telnet connection is established in the
opposite direction—from inside a network to a network access server on the network periphery to gain
access to modems or other devices connected to that network access server. Reverse Telnet is used to
provide users with dialout capability by allowing them to Telnet to modem ports attached to a network
access server.
It is important to control access to ports accessible through reverse Telnet. Failure to do so could, for
example, allow unauthorized users free access to modems where they can trap and divert incoming calls
or make outgoing calls to unauthorized destinations.
Authentication during reverse Telnet is performed through the standard AAA login procedure for Telnet.
Typically the user has to provide a username and password to establish either a Telnet or reverse Telnet
session. Reverse Telnet authorization provides an additional (optional) level of security by requiring
authorization in addition to authentication. When enabled, reverse Telnet authorization can use RADIUS
or TACACS+ to authorize whether or not this user is allowed reverse Telnet access to specific
asynchronous ports, after the user successfully authenticates through the standard Telnet login
procedure.
Reverse Telnet authorization offers the following benefits:
• An additional level of protection by ensuring that users engaged in reverse Telnet activities are
indeed authorized to access a specific asynchronous port using reverse Telnet.
• An alternative method (other than access lists) to manage reverse Telnet authorization.
To configure a network access server to request authorization information from a TACACS+ or RADIUS
server before allowing a user to establish a reverse Telnet session, use the following command in global
configuration mode:

Command: Router(config)# aaa authorization reverse-access method1 [method2 ...]
Purpose: Configures the network access server to request authorization information before allowing a user to establish a reverse Telnet session.

This feature enables the network access server to request reverse Telnet authorization information from
the security server, whether RADIUS or TACACS+. You must configure the specific reverse Telnet
privileges for the user on the security server itself.

Authorization Attribute-Value Pairs


RADIUS and TACACS+ authorization both define specific rights for users by processing attributes,
which are stored in a database on the security server. For both RADIUS and TACACS+, attributes are
defined on the security server, associated with the user, and sent to the network access server where they
are applied to the user’s connection.
For a list of supported RADIUS attributes, refer to the appendix “RADIUS Attributes”. For a list of
supported TACACS+ AV pairs, refer to the appendix “TACACS+ Attribute-Value Pairs.”

Authorization Configuration Examples


The following sections provide authorization configuration examples:
• Named Method List Configuration Example
• TACACS+ Authorization Examples
• RADIUS Authorization Example
• Reverse Telnet Authorization Examples

Named Method List Configuration Example


The following example shows how to configure a Cisco AS5300 (enabled for AAA and communication
with a RADIUS security server) for AAA services to be provided by the RADIUS server. If the RADIUS
server fails to respond, then the local database will be queried for authentication and authorization
information, and accounting services will be handled by a TACACS+ server.
aaa new-model
aaa authentication login admins local
aaa authentication ppp dialins group radius local
aaa authorization network scoobee group radius local
aaa accounting network charley start-stop group radius

username root password ALongPassword

radius-server host alcatraz
radius-server key myRaDiUSpassWoRd

interface group-async 1
group-range 1 16
encapsulation ppp
ppp authentication chap dialins
ppp authorization scoobee
ppp accounting charley

line 1 16
autoselect ppp
autoselect during-login
login authentication admins
modem dialin

The lines in this sample RADIUS AAA configuration are defined as follows:
• The aaa new-model command enables AAA network security services.
• The aaa authentication login admins local command defines a method list, admins, for login
authentication.
• The aaa authentication ppp dialins group radius local command defines the authentication
method list “dialins,” which specifies that RADIUS authentication, and then local authentication if
the RADIUS server does not respond, will be used on serial lines using PPP.
• The aaa authorization network scoobee group radius local command defines the network
authorization method list named scoobee, which specifies that RADIUS authorization will be used
on serial lines using PPP. If the RADIUS server fails to respond, then local network authorization
will be performed.

• The aaa accounting network charley start-stop group radius command defines the network
accounting method list named charley, which specifies that RADIUS accounting services (in this
case, start and stop records for specific events) will be used on serial lines using PPP.
• The username command defines the username and password to be used for the PPP Password
Authentication Protocol (PAP) caller identification.
• The radius-server host command defines the name of the RADIUS server host.
• The radius-server key command defines the shared secret text string between the network access
server and the RADIUS server host.
• The interface group-async command selects and defines an asynchronous interface group.
• The group-range command defines the member asynchronous interfaces in the interface group.
• The encapsulation ppp command sets PPP as the encapsulation method used on the specified
interfaces.
• The ppp authentication chap dialins command selects Challenge Handshake Authentication
Protocol (CHAP) as the method of PPP authentication and applies the “dialins” method list to the
specified interfaces.
• The ppp authorization scoobee command applies the scoobee network authorization method list to
the specified interfaces.
• The ppp accounting charley command applies the charley network accounting method list to the
specified interfaces.
• The line command switches the configuration mode from global configuration to line configuration
and identifies the specific lines being configured.
• The autoselect ppp command configures the Cisco IOS software to allow a PPP session to start up
automatically on these selected lines.
• The autoselect during-login command is used to display the username and password prompt
without pressing the Return key. After the user logs in, the autoselect function (in this case, PPP)
begins.
• The login authentication admins command applies the admins method list for login authentication.
• The modem dialin command configures modems attached to the selected lines to only accept
incoming calls.

TACACS+ Authorization Examples


The following examples show how to use a TACACS+ server to authorize the use of network services,
including PPP and ARA. If the TACACS+ server is not available or an error occurs during the
authorization process, the fallback method (none) is to grant all authorization requests:
aaa authorization network default group tacacs+ none

The following example shows how to allow network authorization using TACACS+:
aaa authorization network default group tacacs+

The following example shows how to provide the same authorization, but it also creates address pools
called “mci” and “att”:
aaa authorization network default group tacacs+
ip address-pool local
ip local-pool mci [Link] [Link]
ip local-pool att [Link] [Link]

These address pools can then be selected by the TACACS daemon. A sample configuration of the
daemon follows:
user = mci_customer1 {
    login = cleartext "some password"
    service = ppp protocol = ip {
        addr-pool=mci
    }
}

user = att_customer1 {
    login = cleartext "some other password"
    service = ppp protocol = ip {
        addr-pool=att
    }
}

RADIUS Authorization Example


The following example shows how to configure the router to authorize using RADIUS:
aaa new-model
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
radius-server host ip
radius-server key

The lines in this sample RADIUS authorization configuration are defined as follows:
• The aaa authorization exec default group radius if-authenticated command configures the
network access server to contact the RADIUS server to determine if users are permitted to start an
EXEC shell when they log in. If an error occurs when the network access server contacts the
RADIUS server, the fallback method is to permit the CLI to start, provided the user has been
properly authenticated.
The RADIUS information returned may be used to specify an autocommand or a connection access
list to be applied to this connection.
• The aaa authorization network default group radius command configures network authorization
via RADIUS. This can be used to govern address assignment, the application of access lists, and
various other per-user quantities.

Note Because no fallback method is specified in this example, authorization will fail if, for any reason,
there is no response from the RADIUS server.

Reverse Telnet Authorization Examples


The following examples show how to cause the network access server to request authorization
information from a TACACS+ security server before allowing a user to establish a reverse Telnet session:
aaa new-model
aaa authentication login default group tacacs+
aaa authorization reverse-access default group tacacs+
!
tacacs-server host [Link]
tacacs-server timeout 90
tacacs-server key goaway

The lines in this sample TACACS+ reverse Telnet authorization configuration are defined as follows:
• The aaa new-model command enables AAA.
• The aaa authentication login default group tacacs+ command specifies TACACS+ as the default
method for user authentication during login.
• The aaa authorization reverse-access default group tacacs+ command specifies TACACS+ as the
method for user authorization when trying to establish a reverse Telnet session.
• The tacacs-server host command identifies the TACACS+ server.
• The tacacs-server timeout command sets the interval of time that the network access server waits
for the TACACS+ server to reply.
• The tacacs-server key command defines the encryption key used for all TACACS+ communications
between the network access server and the TACACS+ daemon.
The following example shows how to configure a generic TACACS+ server to grant a user, pat, reverse
Telnet access to port tty2 on the network access server named “maple” and to port tty5 on the network
access server named “oak”:
user = pat {
    login = cleartext lab
    service = raccess {
        port#1 = maple/tty2
        port#2 = oak/tty5
    }
}

Note In this example, “maple” and “oak” are the configured host names of network access servers, not
DNS names or aliases.

The following example shows how to configure the TACACS+ server (CiscoSecure) to grant a user
named pat reverse Telnet access:
user = pat {
    profile_id = 90
    profile_cycle = 1
    member = Tacacs_Users
    service=shell {
        default cmd=permit
    }
    service=raccess {
        allow "c2511e0" "tty1" ".*"
        refuse ".*" ".*" ".*"
    }
    password = clear "goaway"
}

Note CiscoSecure only supports reverse Telnet using the command line interface in versions 2.1(x)
through version 2.2(1).

An empty “service=raccess {}” clause permits a user to have unconditional access to network access
server ports for reverse Telnet. If no “service=raccess” clause exists, the user is denied access to any port
for reverse Telnet.
For more information about configuring TACACS+, refer to the chapter “Configuring TACACS+.” For
more information about configuring CiscoSecure, refer to the CiscoSecure Access Control Server User
Guide, version 2.1(2) or greater.
The following example shows how to cause the network access server to request authorization from a
RADIUS security server before allowing a user to establish a reverse Telnet session:
aaa new-model
aaa authentication login default group radius
aaa authorization reverse-access default group radius
!
radius-server host [Link] auth-port 1645 acct-port 1646
radius-server key go away

The lines in this sample RADIUS reverse Telnet authorization configuration are defined as follows:
• The aaa new-model command enables AAA.
• The aaa authentication login default group radius command specifies RADIUS as the default
method for user authentication during login.
• The aaa authorization reverse-access default group radius command specifies RADIUS as the
method for user authorization when trying to establish a reverse Telnet session.
• The radius-server host command identifies the RADIUS server.
• The radius-server key command defines the encryption key used for all RADIUS communications
between the network access server and the RADIUS daemon.
The following example shows how to send a request to the RADIUS server to grant a user named “pat”
reverse Telnet access at port tty2 on the network access server named “maple”:
Username = "pat"
Password = "goaway"
User-Service-Type = Shell-User
cisco-avpair = "raccess:port#1=maple/tty2"

The syntax "raccess:port=any/any" permits a user to have unconditional access to network access server
ports for reverse Telnet. If no "raccess:port={nasname}/{tty number}" clause exists in the user profile,
the user is denied access to reverse Telnet on all ports.
For more information about configuring RADIUS, refer to the chapter “Configuring RADIUS.”

Configuring Accounting

The AAA accounting feature enables you to track the services that users are accessing and the amount
of network resources that they are consuming. When AAA accounting is enabled, the network access
server reports user activity to the TACACS+ or RADIUS security server (depending on which security
method you have implemented) in the form of accounting records. Each accounting record contains
accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed
for network management, client billing, and auditing.
For a complete description of the accounting commands used in this chapter, refer to the chapter
“Accounting Commands” in the Cisco IOS Security Command Reference. To locate documentation of
other commands that appear in this chapter, use the command reference master index or search online.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on [Link] to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.

In This Chapter
This chapter contains the following sections:
• Named Method Lists for Accounting
• AAA Accounting Types
• AAA Accounting Enhancements
• AAA Accounting Prerequisites
• AAA Accounting Configuration Task List
• Accounting Attribute-Value Pairs
• Accounting Configuration Examples

Named Method Lists for Accounting


Like authentication and authorization method lists, method lists for accounting define the way
accounting will be performed and the sequence in which these methods are performed.

Named accounting method lists enable you to designate a particular security protocol to be used on
specific lines or interfaces for accounting services. The only exception is the default method list (which,
by coincidence, is named “default”). The default method list is automatically applied to all interfaces
except those that have a named method list explicitly defined. A defined method list overrides the default
method list.
A method list is simply a named list describing the accounting methods to be queried (such as RADIUS
or TACACS+), in sequence. Method lists enable you to designate one or more security protocols to be
used for accounting, thus ensuring a backup system for accounting in case the initial method fails.
Cisco IOS software uses the first method listed to support accounting; if that method fails to respond,
the Cisco IOS software selects the next accounting method listed in the method list. This process
continues until there is successful communication with a listed accounting method, or all methods
defined are exhausted.

Note The Cisco IOS software attempts accounting with the next listed accounting method only when there
is no response from the previous method. If accounting fails at any point in this cycle—meaning that
the security server responds by denying the user access—the accounting process stops and no other
accounting methods are attempted.

Accounting method lists are specific to the type of accounting being requested. AAA supports six
different types of accounting:
• Network—Provides information for all PPP, SLIP, or ARAP sessions, including packet and byte
counts.
• EXEC—Provides information about user EXEC terminal sessions of the network access server.
• Commands—Provides information about the EXEC mode commands that a user issues. Command
accounting generates accounting records for all EXEC mode commands, including global
configuration commands, associated with a specific privilege level.
• Connection—Provides information about all outbound connections made from the network access
server, such as Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler (PAD),
and rlogin.
• System—Provides information about system-level events.
• Resource—Provides “start” and “stop” records for calls that have passed user authentication, and
provides “stop” records for calls that fail to authenticate.

Note System accounting does not use named accounting lists; you can only define the default list for
system accounting.

Once again, when you create a named method list, you are defining a particular list of accounting
methods for the indicated accounting type.
Accounting method lists must be applied to specific lines or interfaces before any of the defined methods
will be performed. The only exception is the default method list (which is named “default”). If the aaa
accounting command for a particular accounting type is issued without a named method list specified,
the default method list is automatically applied to all interfaces or lines except those that have a named
method list explicitly defined. (A defined method list overrides the default method list.) If no default
method list is defined, then no accounting takes place.

This section includes the following subsections:


• Method Lists and Server Groups
• AAA Accounting Methods

Method Lists and Server Groups


A server group is a way to group existing RADIUS or TACACS+ server hosts for use in method lists.
Figure 7 shows a typical AAA network configuration that includes four security servers: R1 and R2 are
RADIUS servers, and T1 and T2 are TACACS+ servers. R1 and R2 comprise the group of RADIUS
servers. T1 and T2 comprise the group of TACACS+ servers.

Figure 7 Typical AAA Network Configuration
(Diagram: a remote PC and a workstation reach the NAS, which is served by RADIUS servers R1 and R2
and TACACS+ servers T1 and T2.)

In Cisco IOS software, RADIUS and TACACS+ server configurations are global. Using server groups,
you can specify a subset of the configured server hosts and use them for a particular service. For
example, server groups allow you to define R1 and R2 as separate server groups (SG1 and SG2), and T1
and T2 as separate server groups (SG3 and SG4). This means you can specify either R1 and T1 (SG1
and SG3) in the method list or R2 and T2 (SG2 and SG4) in the method list, which provides more
flexibility in the way that you assign RADIUS and TACACS+ resources.
Server groups also can include multiple host entries for the same server, as long as each entry has a
unique identifier. The combination of an IP address and a UDP port number creates a unique identifier,
allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
In other words, this unique identifier enables RADIUS requests to be sent to different UDP ports on a
server at the same IP address. If two different host entries on the same RADIUS server are configured
for the same service—for example, accounting—the second host entry configured acts as failover backup
to the first one. Using this example, if the first host entry fails to provide accounting services, the
network access server will try the second host entry configured on the same device for accounting
services. (The RADIUS host entries will be tried in the order in which they are configured.)
For more information about configuring server groups and about configuring server groups based on
DNIS numbers, refer to the chapter “Configuring RADIUS” or the chapter “Configuring TACACS+.”

AAA Accounting Methods


Cisco IOS supports the following two methods for accounting:
• TACACS+—The network access server reports user activity to the TACACS+ security server in the
form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs
and is stored on the security server.
• RADIUS—The network access server reports user activity to the RADIUS security server in the
form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs
and is stored on the security server.

AAA Accounting Types


AAA supports six different accounting types:
• Network Accounting
• Connection Accounting
• EXEC Accounting
• System Accounting
• Command Accounting
• Resource Accounting

Network Accounting
Network accounting provides information for all PPP, SLIP, or ARAP sessions, including packet and
byte counts.
The following example shows the information contained in a RADIUS network accounting record for a
PPP user who comes in through an EXEC session:
Wed Jun 27 [Link] 2001
    NAS-IP-Address = "[Link]"
    NAS-Port = 5
    User-Name = "fgeorge"
    Client-Port-DNIS = "4327528"
    Caller-ID = "562"
    Acct-Status-Type = Start
    Acct-Authentic = RADIUS
    Service-Type = Exec-User
    Acct-Session-Id = "0000000D"
    Acct-Delay-Time = 0
    User-Id = "fgeorge"
    NAS-Identifier = "[Link]"

Wed Jun 27 [Link] 2001
    NAS-IP-Address = "[Link]"
    NAS-Port = 5
    User-Name = "fgeorge"
    Client-Port-DNIS = "4327528"
    Caller-ID = "562"
    Acct-Status-Type = Start
    Acct-Authentic = RADIUS
    Service-Type = Framed
    Acct-Session-Id = "0000000E"
    Framed-IP-Address = "[Link]"
    Framed-Protocol = PPP
    Acct-Delay-Time = 0
    User-Id = "fgeorge"
    NAS-Identifier = "[Link]"

Wed Jun 27 [Link] 2001
    NAS-IP-Address = "[Link]"
    NAS-Port = 5
    User-Name = "fgeorge"
    Client-Port-DNIS = "4327528"
    Caller-ID = "562"
    Acct-Status-Type = Stop
    Acct-Authentic = RADIUS
    Service-Type = Framed
    Acct-Session-Id = "0000000E"
    Framed-IP-Address = "[Link]"
    Framed-Protocol = PPP
    Acct-Input-Octets = 3075
    Acct-Output-Octets = 167
    Acct-Input-Packets = 39
    Acct-Output-Packets = 9
    Acct-Session-Time = 171
    Acct-Delay-Time = 0
    User-Id = "fgeorge"
    NAS-Identifier = "[Link]"

Wed Jun 27 [Link] 2001
    NAS-IP-Address = "[Link]"
    NAS-Port = 5
    User-Name = "fgeorge"
    Client-Port-DNIS = "4327528"
    Caller-ID = "408"
    Acct-Status-Type = Stop
    Acct-Authentic = RADIUS
    Service-Type = Exec-User
    Acct-Session-Id = "0000000D"
    Acct-Delay-Time = 0
    User-Id = "fgeorge"
    NAS-Identifier = "[Link]"

The following example shows the information contained in a TACACS+ network accounting record for
a PPP user who first started an EXEC session:
Wed Jun 27 [Link] 2001 [Link] fgeorge tty4 562/4327528 start task_id=28 service=shell
Wed Jun 27 [Link] 2001 [Link] fgeorge tty4 562/4327528 start task_id=30 addr=[Link] service=ppp
Wed Jun 27 [Link] 2001 [Link] fgeorge tty4 408/4327528 update task_id=30 addr=[Link] service=ppp protocol=ip addr=[Link]
Wed Jun 27 [Link] 2001 [Link] fgeorge tty4 562/4327528 stop task_id=30 addr=[Link] service=ppp protocol=ip addr=[Link] bytes_in=2844 bytes_out=1682 paks_in=36 paks_out=24 elapsed_time=51
Wed Jun 27 [Link] 2001 [Link] fgeorge tty4 562/4327528 stop task_id=28 service=shell elapsed_time=57

Note The precise format of accounting packet records may vary depending on your particular security
server daemon.
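As an added example that is not part of this guide, the following Python parses the two record shapes shown above (RADIUS attribute blocks under a timestamp, and single-line TACACS+ records), pairs start and stop records by Acct-Session-Id or task_id, and lists sessions that have a start but no stop, the condition an auditor looks for when a stop record was lost or a session is still open. The sample records, their timestamps and addresses are constructed.

```python
"""Pair AAA accounting start/stop records and flag sessions that never stopped.

Added example, not Cisco code. Handles the two record shapes shown above:
RADIUS ("Attribute = value" blocks under a timestamp, blank-line separated)
and TACACS+ (one line per record: timestamp, NAS, user, port, caller/DNIS,
start|stop|update, then key=value fields). Sample records are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RADIUS_SAMPLE = """\
Wed Jun 27 04:44:45 2001
    NAS-Port = 5
    User-Name = "fgeorge"
    Acct-Status-Type = Start
    Acct-Session-Id = "0000000E"

Wed Jun 27 04:47:36 2001
    NAS-Port = 5
    User-Name = "fgeorge"
    Acct-Status-Type = Stop
    Acct-Session-Id = "0000000E"
    Acct-Input-Octets = 3075
    Acct-Output-Octets = 167
    Acct-Session-Time = 171

Wed Jun 27 04:50:02 2001
    NAS-Port = 6
    User-Name = "jdoe"
    Acct-Status-Type = Start
    Acct-Session-Id = "0000000F"
"""

TACACS_SAMPLE = """\
Wed Jun 27 04:44:45 2001 172.16.25.15 fgeorge tty4 562/4327528 start task_id=28 service=shell
Wed Jun 27 04:44:47 2001 172.16.25.15 fgeorge tty4 562/4327528 start task_id=30 service=ppp
Wed Jun 27 04:45:38 2001 172.16.25.15 fgeorge tty4 562/4327528 stop task_id=30 service=ppp protocol=ip addr=10.1.1.2 bytes_in=2844 bytes_out=1682 elapsed_time=51
"""


@dataclass
class Session:
    key: str                      # "radius:<Acct-Session-Id>" or "tacacs:<task_id>"
    user: str
    start: Optional[str] = None   # timestamp of the start record
    stop: Optional[str] = None    # timestamp of the stop record
    fields: Dict[str, str] = field(default_factory=dict)


def parse_radius(text: str) -> List[Dict[str, str]]:
    """One dict per record; the leading timestamp line is stored as 'timestamp'."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        rec = {"timestamp": lines[0].strip()}
        for line in lines[1:]:
            key, _, value = line.partition("=")
            rec[key.strip()] = value.strip().strip('"')
        records.append(rec)
    return records


def parse_tacacs(text: str) -> List[Dict[str, str]]:
    """One dict per line: positional fields get names, key=value fields are kept."""
    records = []
    for line in text.strip().splitlines():
        tok = line.split()
        rec = {"timestamp": " ".join(tok[:5]), "nas": tok[5], "user": tok[6],
               "port": tok[7], "caller": tok[8], "event": tok[9]}
        for kv in tok[10:]:
            key, _, value = kv.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def correlate(radius, tacacs) -> Dict[str, Session]:
    """Group records into sessions keyed by Acct-Session-Id (RADIUS) or task_id (TACACS+)."""
    sessions: Dict[str, Session] = {}
    tagged = [("radius:" + r["Acct-Session-Id"], r["User-Name"], r["Acct-Status-Type"].lower(), r)
              for r in radius]
    tagged += [("tacacs:" + r["task_id"], r["user"], r["event"], r) for r in tacacs]
    for key, user, event, rec in tagged:
        sess = sessions.setdefault(key, Session(key, user))
        if event == "start":
            sess.start = rec["timestamp"]
        elif event == "stop":
            sess.stop = rec["timestamp"]
        sess.fields.update(rec)    # stop and update records carry the counters
    return sessions


def open_sessions(sessions: Dict[str, Session]) -> List[str]:
    """Sessions with a start but no stop: still active, or the stop record was lost."""
    return sorted(k for k, s in sessions.items() if s.start is not None and s.stop is None)
```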


The following example shows the information contained in a RADIUS network accounting record for a
PPP user who comes in through autoselect:
Wed Jun 27 [Link] 2001
    NAS-IP-Address = "[Link]"
    NAS-Port = 3
    User-Name = "fgeorge"
    Client-Port-DNIS = "4327528"
    Caller-ID = "562"
    Acct-Status-Type = Start
    Acct-Authentic = RADIUS
    Service-Type = Framed
    Acct-Session-Id = "0000000B"
    Framed-Protocol = PPP
    Acct-Delay-Time = 0
    User-Id = "fgeorge"
    NAS-Identifier = "[Link]"

Wed Jun 27 [Link] 2001
    NAS-IP-Address = "[Link]"
    NAS-Port = 3
    User-Name = "fgeorge"
    Client-Port-DNIS = "4327528"
    Caller-ID = "562"
    Acct-Status-Type = Stop
    Acct-Authentic = RADIUS
    Service-Type = Framed
    Acct-Session-Id = "0000000B"
    Framed-Protocol = PPP
    Framed-IP-Address = "[Link]"
    Acct-Input-Octets = 8630
    Acct-Output-Octets = 5722
    Acct-Input-Packets = 94
    Acct-Output-Packets = 64
    Acct-Session-Time = 357
    Acct-Delay-Time = 0
    User-Id = "fgeorge"
    NAS-Identifier = "[Link]"

The following example shows the information contained in a TACACS+ network accounting record for
a PPP user who comes in through autoselect:
Wed Jun 27 [Link] 2001 [Link] fgeorge Async5 562/4327528 start task_id=35 service=ppp
Wed Jun 27 [Link] 2001 [Link] fgeorge Async5 562/4327528 update task_id=35 service=ppp protocol=ip addr=[Link]
Wed Jun 27 [Link] 2001 [Link] fgeorge Async5 562/4327528 stop task_id=35 service=ppp protocol=ip addr=[Link] bytes_in=3366 bytes_out=2149 paks_in=42 paks_out=28 elapsed_time=164


Connection Accounting
Connection accounting provides information about all outbound connections made from the network
access server, such as Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler
(PAD), and rlogin.
The following example shows the information contained in a RADIUS connection accounting record for
an outbound Telnet connection:
Wed Jun 27 [Link] 2001
NAS-IP-Address = “[Link]”
NAS-Port = 2
User-Name = “fgeorge”
Client-Port-DNIS = “4327528”
Caller-ID = “5622329477”
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Login
Acct-Session-Id = “00000008”
Login-Service = Telnet
Login-IP-Host = “[Link]”
Acct-Delay-Time = 0
User-Id = “fgeorge”
NAS-Identifier = “[Link]”

Wed Jun 27 [Link] 2001
NAS-IP-Address = “[Link]”
NAS-Port = 2
User-Name = “fgeorge”
Client-Port-DNIS = “4327528”
Caller-ID = “5622329477”
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Login
Acct-Session-Id = “00000008”
Login-Service = Telnet
Login-IP-Host = “[Link]”
Acct-Input-Octets = 10774
Acct-Output-Octets = 112
Acct-Input-Packets = 91
Acct-Output-Packets = 99
Acct-Session-Time = 39
Acct-Delay-Time = 0
User-Id = “fgeorge”
NAS-Identifier = “[Link]”

The following example shows the information contained in a TACACS+ connection accounting record
for an outbound Telnet connection:
Wed Jun 27 [Link] 2001 [Link] fgeorge tty3 5622329430/4327528
start task_id=10 service=connection protocol=telnet addr=[Link]
cmd=telnet fgeorge-sun
Wed Jun 27 [Link] 2001 [Link] fgeorge tty3 5622329430/4327528 stop
task_id=10 service=connection protocol=telnet addr=[Link] cmd=telnet
fgeorge-sun bytes_in=4467 bytes_out=96 paks_in=61 paks_out=72
elapsed_time=55

The following example shows the information contained in a RADIUS connection accounting record for
an outbound rlogin connection:
Wed Jun 27 [Link] 2001
NAS-IP-Address = “[Link]”
NAS-Port = 2
User-Name = “fgeorge”
Client-Port-DNIS = “4327528”
Caller-ID = “5622329477”
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Login
Acct-Session-Id = “0000000A”
Login-Service = Rlogin
Login-IP-Host = “[Link]”
Acct-Delay-Time = 0
User-Id = “fgeorge”
NAS-Identifier = “[Link]”

Wed Jun 27 [Link] 2001
NAS-IP-Address = “[Link]”
NAS-Port = 2
User-Name = “fgeorge”
Client-Port-DNIS = “4327528”
Caller-ID = “5622329477”
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Login
Acct-Session-Id = “0000000A”
Login-Service = Rlogin
Login-IP-Host = “[Link]”
Acct-Input-Octets = 18686
Acct-Output-Octets = 86
Acct-Input-Packets = 90
Acct-Output-Packets = 68
Acct-Session-Time = 22
Acct-Delay-Time = 0
User-Id = “fgeorge”
NAS-Identifier = “[Link]”

The following example shows the information contained in a TACACS+ connection accounting record
for an outbound rlogin connection:
Wed Jun 27 [Link] 2001 [Link] fgeorge tty3 5622329430/4327528
start task_id=12 service=connection protocol=rlogin addr=[Link]
cmd=rlogin fgeorge-sun /user fgeorge
Wed Jun 27 [Link] 2001 [Link] fgeorge tty3 5622329430/4327528 stop
task_id=12 service=connection protocol=rlogin addr=[Link] cmd=rlogin
fgeorge-sun /user fgeorge bytes_in=659926 bytes_out=138 paks_in=2378
paks_out=1251 elapsed_time=171

The following example shows the information contained in a TACACS+ connection accounting record
for an outbound LAT connection:
Wed Jun 27 [Link] 2001 [Link] fgeorge tty3 5622329430/4327528
start task_id=18 service=connection protocol=lat addr=VAX cmd=lat
VAX
Wed Jun 27 [Link] 2001 [Link] fgeorge tty3 5622329430/4327528 stop
task_id=18 service=connection protocol=lat addr=VAX cmd=lat VAX
bytes_in=0 bytes_out=0 paks_in=0 paks_out=0 elapsed_time=6


EXEC Accounting
EXEC accounting provides information about user EXEC terminal sessions (user shells) on the network
access server, including username, date, start and stop times, the access server IP address, and (for dial-in
users) the telephone number the call originated from.
The following example shows the information contained in a RADIUS EXEC accounting record for a
dial-in user:
Wed Jun 27 [Link] 2001
NAS-IP-Address = “[Link]”
NAS-Port = 1
User-Name = “fgeorge”
Client-Port-DNIS = “4327528”
Caller-ID = “5622329483”
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Exec-User
Acct-Session-Id = “00000006”
Acct-Delay-Time = 0
User-Id = “fgeorge”
NAS-Identifier = “[Link]”

Wed Jun 27 [Link] 2001
NAS-IP-Address = “[Link]”
NAS-Port = 1
User-Name = “fgeorge”
Client-Port-DNIS = “4327528”
Caller-ID = “5622329483”
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Exec-User
Acct-Session-Id = “00000006”
Acct-Session-Time = 62
Acct-Delay-Time = 0
User-Id = “fgeorge”
NAS-Identifier = “[Link]”

The following example shows the information contained in a TACACS+ EXEC accounting record for a
dial-in user:
Wed Jun 27 [Link] 2001 [Link] fgeorge tty3 5622329430/4327528
start task_id=2 service=shell
Wed Jun 27 [Link] 2001 [Link] fgeorge tty3 5622329430/4327528 stop
task_id=2 service=shell elapsed_time=1354

The following example shows the information contained in a RADIUS EXEC accounting record for a
Telnet user:
Wed Jun 27 [Link] 2001
NAS-IP-Address = “[Link]”
NAS-Port = 26
User-Name = “fgeorge”
Caller-ID = “[Link]”
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Exec-User
Acct-Session-Id = “00000010”
Acct-Delay-Time = 0
User-Id = “fgeorge”
NAS-Identifier = “[Link]”

Wed Jun 27 [Link] 2001
NAS-IP-Address = “[Link]”
NAS-Port = 26
User-Name = “fgeorge”
Caller-ID = “[Link]”
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Exec-User
Acct-Session-Id = “00000010”
Acct-Session-Time = 14
Acct-Delay-Time = 0
User-Id = “fgeorge”
NAS-Identifier = “[Link]”

The following example shows the information contained in a TACACS+ EXEC accounting record for a
Telnet user:
Wed Jun 27 [Link] 2001 [Link] fgeorge tty26 [Link]
start task_id=41 service=shell
Wed Jun 27 [Link] 2001 [Link] fgeorge tty26 [Link]
stop task_id=41 service=shell elapsed_time=9

System Accounting
System accounting provides information about all system-level events (for example, when the system
reboots or when accounting is turned on or off).
The following example shows a typical TACACS+ system accounting record indicating that AAA
accounting has been turned off:
Wed Jun 27 [Link] 2001 [Link] unknown unknown unknown start task_id=25
service=system event=sys_acct reason=reconfigure

Note The precise format of accounting packet records may vary depending on your particular TACACS+
daemon.

The following accounting record shows a TACACS+ system accounting record indicating that AAA
accounting has been turned on:
Wed Jun 27 [Link] 2001 [Link] unknown unknown unknown stop task_id=23
service=system event=sys_acct reason=reconfigure

Additional tasks for measuring system resources are covered in other chapters in the Cisco IOS software
configuration guides. For example, IP accounting tasks are described in the “Configuring IP Services”
chapter in the Cisco IOS IP Configuration Guide.


Command Accounting
Command accounting provides information about the EXEC shell commands for a specified privilege
level that are being executed on a network access server. Each command accounting record includes a
list of the commands executed for that privilege level, as well as the date and time each command was
executed, and the user who executed it.
The following example shows the information contained in a TACACS+ command accounting record for
privilege level 1:
Wed Jun 27 [Link] 2001 [Link] fgeorge tty3 5622329430/4327528 stop
task_id=3 service=shell priv-lvl=1 cmd=show version <cr>
Wed Jun 27 [Link] 2001 [Link] fgeorge tty3 5622329430/4327528 stop
task_id=4 service=shell priv-lvl=1 cmd=show interfaces Ethernet 0 <cr>
Wed Jun 27 [Link] 2001 [Link] fgeorge tty3 5622329430/4327528 stop
task_id=5 service=shell priv-lvl=1 cmd=show ip route <cr>

The following example shows the information contained in a TACACS+ command accounting record for
privilege level 15:
Wed Jun 27 [Link] 2001 [Link] fgeorge tty3 5622329430/4327528 stop
task_id=6 service=shell priv-lvl=15 cmd=configure terminal <cr>
Wed Jun 27 [Link] 2001 [Link] fgeorge tty3 5622329430/4327528 stop
task_id=7 service=shell priv-lvl=15 cmd=interface Serial 0 <cr>
Wed Jun 27 [Link] 2001 [Link] fgeorge tty3 5622329430/4327528 stop
task_id=8 service=shell priv-lvl=15 cmd=ip address [Link] [Link] <cr>

Note The Cisco Systems implementation of RADIUS does not support command accounting.
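The TACACS+ records shown in this section are plain key=value text, so the first thing a practitioner usually wants on the server side is a parser that pairs start, update and stop records by task_id and pulls the privileged commands out of the command accounting records. The following Python is an added example written for this page, not Cisco code; the sample records are constructed in the layout shown above with made-up timestamps, byte counts and 192.0.2.0/24 addresses, and the stop record for task_id 44 (no matching start) is a constructed stand-in for the failed-session stop records that the aaa accounting send stop-record authentication failure command produces.

```python
import re
from collections import defaultdict

# Constructed sample records in the TACACS+ accounting layout shown above;
# timestamps, byte counts and the 192.0.2.0/24 addresses are made up.
SAMPLE_RECORDS = """\
Wed Jun 27 04:02:19 2001 192.0.2.15 fgeorge tty4 562/4327528 start task_id=28 service=shell
Wed Jun 27 04:02:25 2001 192.0.2.15 fgeorge tty4 562/4327528 start task_id=30 service=ppp
Wed Jun 27 04:02:35 2001 192.0.2.15 fgeorge tty4 562/4327528 update task_id=30 service=ppp protocol=ip addr=192.0.2.200
Wed Jun 27 04:03:16 2001 192.0.2.15 fgeorge tty4 562/4327528 stop task_id=30 service=ppp protocol=ip addr=192.0.2.200 bytes_in=2844 bytes_out=1682 paks_in=36 paks_out=24 elapsed_time=51
Wed Jun 27 04:03:22 2001 192.0.2.15 fgeorge tty4 562/4327528 stop task_id=28 service=shell elapsed_time=57
Wed Jun 27 04:05:01 2001 192.0.2.15 fgeorge tty3 5622329430/4327528 stop task_id=6 service=shell priv-lvl=15 cmd=configure terminal <cr>
Wed Jun 27 04:05:09 2001 192.0.2.15 fgeorge tty3 5622329430/4327528 stop task_id=7 service=shell priv-lvl=1 cmd=show ip route <cr>
Wed Jun 27 04:06:40 2001 192.0.2.15 jdoe tty5 562/4327528 stop task_id=44 service=ppp elapsed_time=3
"""

# timestamp, NAS address, user, port, remote (caller-id/DNIS or host), status, AV pairs
RECORD_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<nas>\S+) (?P<user>\S+) (?P<port>\S+) (?P<remote>\S+) "
    r"(?P<status>start|update|stop) (?P<avpairs>.*)$"
)


def parse_avpairs(text):
    """Split 'key=value ...' text; a value runs until the next key= token, so
    cmd=show interfaces Ethernet 0 keeps its embedded spaces."""
    pairs, key = {}, None
    for token in text.split():
        if "=" in token and not token.startswith("<"):
            key, _, value = token.partition("=")
            pairs[key] = value
        elif key is not None:
            pairs[key] = (pairs[key] + " " + token).strip()
    if "cmd" in pairs:  # the <cr> marker is display only
        pairs["cmd"] = pairs["cmd"].replace("<cr>", "").strip()
    return pairs


def parse_record(line):
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError("not a TACACS+ accounting record: %r" % line)
    rec = m.groupdict()
    rec["av"] = parse_avpairs(rec.pop("avpairs"))
    return rec


def correlate(lines):
    """Group records by task_id. Command accounting records (shell records that
    carry cmd=) are stop-only by design, so they are returned separately rather
    than being mistaken for sessions that never had a start record."""
    sessions = defaultdict(lambda: {"start": None, "updates": [], "stop": None})
    commands = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if "cmd" in rec["av"]:
            commands.append(rec)
            continue
        slot = sessions[rec["av"]["task_id"]]
        if rec["status"] == "update":
            slot["updates"].append(rec)
        else:
            slot[rec["status"]] = rec
    return dict(sessions), commands


def summarize(sessions):
    """One row per task_id, flagging stop records that have no start record."""
    rows = []
    for task_id, s in sorted(sessions.items(), key=lambda kv: int(kv[0])):
        last = s["stop"] or (s["updates"][-1] if s["updates"] else s["start"])
        av = last["av"]
        rows.append({
            "task_id": task_id,
            "user": last["user"],
            "service": av.get("service"),
            "addr": av.get("addr"),
            "elapsed": int(av.get("elapsed_time", 0)),
            "bytes_in": int(av.get("bytes_in", 0)),
            "bytes_out": int(av.get("bytes_out", 0)),
            "orphan_stop": s["stop"] is not None and s["start"] is None,
        })
    return rows


def privileged_commands(commands, min_level=15):
    """(user, priv-lvl, cmd) for commands run at or above min_level."""
    return [(c["user"], int(c["av"]["priv-lvl"]), c["av"]["cmd"])
            for c in commands if int(c["av"].get("priv-lvl", 0)) >= min_level]


def audit(text=SAMPLE_RECORDS):
    sessions, commands = correlate(text.splitlines())
    return summarize(sessions), privileged_commands(commands)


if __name__ == "__main__":
    rows, privileged = audit()
    for row in rows:
        print(row)
    print("privileged commands:", privileged)
```

Because the record layout varies between TACACS+ daemons (as the notes in this section say), the regular expression and the AV-pair splitter are the two places to adjust for a different server; the correlation by task_id and the separation of command records from session records carry over unchanged.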

Resource Accounting
The Cisco implementation of AAA accounting provides “start” and “stop” record support for calls that
have passed user authentication. The additional feature of generating “stop” records for calls that fail to
authenticate as part of user authentication is also supported. Such records are necessary for users
employing accounting records to manage and monitor their networks.
This section includes the following subsections:
• AAA Resource Failure Stop Accounting
• AAA Resource Accounting for Start-Stop Records

AAA Resource Failure Stop Accounting


Before AAA resource failure stop accounting, there was no method of providing accounting records for
calls that failed to reach the user authentication stage of a call setup sequence. Such records are
necessary for users employing accounting records to manage and monitor their networks and their
wholesale customers.
This functionality will generate a “stop” accounting record for any calls that do not reach user
authentication; “stop” records will be generated from the moment of call setup. All calls that pass user
authentication will behave as before; that is, no additional accounting records will be seen.

Note For Cisco IOS Release 12.2, this function is supported only on the Cisco AS5300 and Cisco AS5800.


Figure 8 illustrates a call setup sequence with normal call flow (no disconnect) and without AAA
resource failure stop accounting enabled.

Figure 8 Modem Dial-In Call Setup Sequence With Normal Flow and Without Resource Failure Stop Accounting Enabled

[Figure not reproduced; its labelled stages are Call setup, Call authentication, Modem allocation, Modem training, User authentication, Service setup, "Start" record, Call disconnect and "Stop" record.]

Figure 9 illustrates a call setup sequence with normal call flow (no disconnect) and with AAA resource
failure stop accounting enabled.

Figure 9 Modem Dial-In Call Setup Sequence With Normal Flow and With Resource Failure Stop Accounting Enabled

[Figure not reproduced; its labelled stages are Call setup, Call authentication, Modem allocation, Modem training, User authentication, Service setup, "Start" record, Call disconnect, "Stop" record (user accounting) and "Stop" record (resource accounting).]

Figure 10 illustrates a call setup sequence with call disconnect occurring before user authentication and
with AAA resource failure stop accounting enabled.

Figure 10 Modem Dial-In Call Setup Sequence With Call Disconnect Occurring Before User Authentication and With Resource Failure Stop Accounting Enabled

[Figure not reproduced; its labelled stages are Call setup, Call authentication, Modem allocation, Modem training, Call disconnect and "Stop" record.]

Figure 11 illustrates a call setup sequence with call disconnect occurring before user authentication and
without AAA resource failure stop accounting enabled.


Figure 11 Modem Dial-In Call Setup Sequence With Call Disconnect Occurring Before User Authentication and Without Resource Failure Stop Accounting Enabled

[Figure not reproduced; its labelled stages are Call setup, Call authentication, Modem allocation, Modem training and Call disconnect, with the note "No resource 'Stop' record sent".]

AAA Resource Accounting for Start-Stop Records


AAA resource accounting for start-stop records supports the ability to send a “start” record at each call
setup, followed by a corresponding “stop” record at the call disconnect. This functionality can be used
to manage and monitor wholesale customers from one source of data reporting, such as accounting
records.
With this feature, a call setup and call disconnect “start-stop” accounting record tracks the progress of
the resource connection to the device. A separate user authentication “start-stop” accounting record
tracks the user management progress. These two sets of accounting records are interlinked by using a
unique session ID for the call.

Note For Cisco IOS Release 12.2, this function is supported only on the Cisco AS5300 and Cisco AS5800.

Figure 12 illustrates a call setup sequence with AAA resource start-stop accounting enabled.

Figure 12 Modem Dial-In Call Setup Sequence With Resource Start-Stop Accounting Enabled

[Figure not reproduced; its labelled stages are Call setup, "Start" record, Call authentication, Modem allocation, Modem training, User authentication, Service setup, "Start" record, Call disconnect, "Stop" record and "Stop" record.]

AAA Accounting Enhancements


This section includes the following enhancements:
• AAA Broadcast Accounting
• AAA Session MIB


AAA Broadcast Accounting


AAA broadcast accounting allows accounting information to be sent to multiple AAA servers at the
same time; that is, accounting information can be broadcast to one or more AAA servers simultaneously.
This functionality allows service providers to send accounting information to their own private AAA
servers and to the AAA servers of their end customers. It also provides redundant billing information for
voice applications.

Note Accounting information can be sent simultaneously to a maximum of four AAA servers.

Broadcasting is allowed among groups of RADIUS or TACACS+ servers, and each server group can
define its backup servers for failover independently of other groups.
Thus, service providers and their end customers can use different protocols (RADIUS or TACACS+) for
the accounting server. Service providers and their end customers can also specify their backup servers
independently. As for voice applications, redundant accounting information can be managed
independently through a separate group with its own failover sequence.

AAA Session MIB


The AAA session MIB feature allows customers to monitor and terminate their authenticated client
connections using Simple Network Management Protocol (SNMP). The data of the client is presented
so that it correlates directly to the AAA accounting information reported by either the RADIUS or the
TACACS+ server. AAA session MIB provides the following information:
• Statistics for each AAA function (when used in conjunction with the show radius statistics
command)
• Status of servers providing AAA functions
• Identities of external AAA servers
• Real-time information (such as idle times), providing additional criteria for use by SNMP networks
for assessing whether or not to terminate an active call

Note This feature is supported only on Cisco AS5300 and Cisco AS5800 universal access server
platforms.

Table 10 shows the SNMP user-end data objects that can be used to monitor and terminate authenticated
client connections with the AAA session MIB feature.

Table 10 SNMP End-User Data Objects

Object Description
SessionId    The session identification used by the AAA accounting protocol (same value as reported by RADIUS attribute 44 (Acct-Session-ID)).
UserId       The user login ID or zero-length string if a login is unavailable.
IpAddr       The IP address of the session or [Link] if an IP address is not applicable or unavailable.
IdleTime     The elapsed time in seconds that the session has been idle.
Disconnect   The session termination object used to disconnect the given client.
CallId       The entry index corresponding to this accounting session that the Call Tracker record stored.


Table 11 describes the AAA summary information provided by the AAA session MIB feature using
SNMP on a per-system basis.

Table 11 SNMP AAA Session Summary

Object Description
ActiveTableEntries         Number of sessions currently active.
ActiveTableHighWaterMark   Maximum number of sessions present at once since last system reinstallation.
TotalSessions              Total number of sessions since last system reinstallation.
DisconnectedSessions       Total number of sessions that have been disconnected since last system reinstallation.

AAA Accounting Prerequisites


Before configuring accounting using named method lists, you must first perform the following tasks:
• Enable AAA on your network access server. For more information about enabling AAA on your
Cisco router or access server, refer to the chapter “AAA Overview”.
• Define the characteristics of your RADIUS or TACACS+ security server if you are issuing RADIUS
or TACACS+ authorization. For more information about configuring your Cisco network access
server to communicate with your RADIUS security server, refer to the chapter “Configuring
RADIUS”. For more information about configuring your Cisco network access server to
communicate with your TACACS+ security server, refer to the chapter “Configuring TACACS+”.

AAA Accounting Configuration Task List


This section describes the following configuration tasks:
• Configuring AAA Accounting Using Named Method Lists
• Suppressing Generation of Accounting Records for Null Username Sessions
• Generating Interim Accounting Records
• Generating Accounting Records for Failed Login or Session
• Specifying Accounting NETWORK-Stop Records Before EXEC-Stop Records
• Configuring AAA Resource Failure Stop Accounting
• Configuring AAA Resource Accounting for Start-Stop Records
• Configuring AAA Broadcast Accounting
• Configuring AAA Session MIB
• Monitoring Accounting
• Troubleshooting Accounting
For accounting configuration examples using the commands in this chapter, refer to the section
“Accounting Configuration Examples” at the end of this chapter.


Configuring AAA Accounting Using Named Method Lists


To configure AAA accounting using named method lists, use the following commands beginning in
global configuration mode:

Command Purpose
Step 1 Router(config)# aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [method1 [method2...]]
    Creates an accounting method list and enables accounting. The argument list-name is a character string used to name the list you are creating.
Step 2 Router(config)# line [aux | console | tty | vty] line-number [ending-line-number]
    Enters the line configuration mode for the lines to which you want to apply the accounting method list.
  or
  Router(config)# interface interface-type interface-number
    Enters the interface configuration mode for the interfaces to which you want to apply the accounting method list.
Step 3 Router(config-line)# accounting {arap | commands level | connection | exec} {default | list-name}
    Applies the accounting method list to a line or set of lines.
  or
  Router(config-if)# ppp accounting {default | list-name}
    Applies the accounting method list to an interface or set of interfaces.

Note System accounting does not use named method lists. For system accounting, you can define only the
default method list.

This section includes the following sections:


• Accounting Types
• Accounting Record Types
• Accounting Methods

Accounting Types
Named accounting method lists are specific to the indicated type of accounting.
• network—To create a method list to enable authorization for all network-related service requests
(including SLIP, PPP, PPP NCPs, and ARA protocols), use the network keyword. For example, to
create a method list that provides accounting information for ARAP (network) sessions, use the
arap keyword.
• exec—To create a method list that provides accounting records about user EXEC terminal sessions
on the network access server, including username, date, start and stop times, use the exec keyword.
• commands—To create a method list that provides accounting information about specific, individual
EXEC commands associated with a specific privilege level, use the commands keyword.


• connection—To create a method list that provides accounting information about all outbound
connections made from the network access server, use the connection keyword.
• resource—Creates a method list to provide accounting records for calls that have passed user
authentication or calls that failed to be authenticated.

Note System accounting does not support named method lists.

Accounting Record Types


For minimal accounting, use the stop-only keyword, which instructs the specified method (RADIUS or
TACACS+) to send a stop record accounting notice at the end of the requested user process. For more
accounting information, use the start-stop keyword to send a start accounting notice at the beginning of
the requested event and a stop accounting notice at the end of the event. To stop all accounting activities
on this line or interface, use the none keyword.

Accounting Methods
Table 12 lists the supported accounting methods.

Table 12 AAA Accounting Methods

Keyword Description
group radius       Uses the list of all RADIUS servers for accounting.
group tacacs+      Uses the list of all TACACS+ servers for accounting.
group group-name   Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name.

The method argument refers to the actual method the accounting process tries. Additional methods
are used only if the previous method returns an error, not if it fails. To specify additional methods to try
when the earlier methods return an error, list them in order in the command. For example, to create a
method list named acct_tac1 that specifies RADIUS as the backup accounting method in the event that
TACACS+ accounting returns an error, enter the following command:
aaa accounting network acct_tac1 stop-only group tacacs+ group radius

To create a default list that is used when a named list is not specified in the aaa accounting command,
use the default keyword followed by the methods you want used in default situations. The default
method list is automatically applied to all interfaces.
For example, to specify RADIUS as the default method for network accounting, enter the following
command:
aaa accounting network default stop-only group radius


AAA accounting supports the following methods:


• group tacacs+—To have the network access server send accounting information to a TACACS+
security server, use the group tacacs+ method keyword. For more specific information about
configuring TACACS+ for accounting services, refer to the chapter “Configuring TACACS+”.
• group radius—To have the network access server send accounting information to a RADIUS
security server, use the group radius method keyword. For more specific information about
configuring RADIUS for accounting services, refer to the chapter “Configuring RADIUS”.

Note Accounting method lists for SLIP follow whatever is configured for PPP on the relevant interface. If
no lists are defined and applied to a particular interface (or no PPP settings are configured), the
default setting for accounting applies.

• group group-name—To specify a subset of RADIUS or TACACS+ servers to use as the accounting
method, use the aaa accounting command with the group group-name method. To specify and
define the group name and the members of the group, use the aaa group server command. For
example, use the aaa group server command to first define the members of group loginrad:
aaa group server radius loginrad
server [Link]
server 172.16.2.17
server [Link]

This command specifies RADIUS servers [Link], [Link], and [Link] as members of
the group loginrad.
To specify group loginrad as the method of network accounting when no other method list has been
defined, enter the following command:
aaa accounting network default start-stop group loginrad

Before you can use a group name as the accounting method, you need to enable communication with the
RADIUS or TACACS+ security server. For more information about establishing communication with a
RADIUS server, refer to the chapter “Configuring RADIUS”. For more information about establishing
communication with a TACACS+ server, refer to the chapter “Configuring TACACS+”.

Suppressing Generation of Accounting Records for Null Username Sessions


When AAA accounting is activated, the Cisco IOS software issues accounting records for all users on
the system, including users whose username string, because of protocol translation, is NULL. An
example of this is users who come in on lines where the aaa authentication login method-list none
command is applied. To prevent accounting records from being generated for sessions that do not have
usernames associated with them, use the following command in global configuration mode:

Command Purpose
Router(config)# aaa accounting suppress null-username
    Prevents accounting records from being generated for users whose username string is NULL.


Generating Interim Accounting Records


To enable periodic interim accounting records to be sent to the accounting server, use the following
command in global configuration mode:

Command Purpose
Router(config)# aaa accounting update {[newinfo] [periodic] number}
    Enables periodic interim accounting records to be sent to the accounting server.

When the aaa accounting update command is activated, the Cisco IOS software issues interim
accounting records for all users on the system. If the keyword newinfo is used, interim accounting
records will be sent to the accounting server every time there is new accounting information to report.
An example of this would be when IPCP completes IP address negotiation with the remote peer. The
interim accounting record will include the negotiated IP address used by the remote peer.
When used with the keyword periodic, interim accounting records are sent periodically as defined by
the argument number. The interim accounting record contains all of the accounting information recorded
for that user up to the time the interim accounting record is sent.

Caution Using the aaa accounting update periodic command can cause heavy congestion when many users
are logged in to the network.

Generating Accounting Records for Failed Login or Session


When AAA accounting is activated, the Cisco IOS software does not generate accounting records for
system users who fail login authentication, or who succeed in login authentication but fail PPP
negotiation for some reason.
To specify that accounting stop records be generated for users who fail to authenticate at login or during
session negotiation, use the following command in global configuration mode:

Command Purpose
Router(config)# aaa accounting send stop-record authentication failure
    Generates “stop” records for users who fail to authenticate at login or during session negotiation using PPP.

Specifying Accounting NETWORK-Stop Records Before EXEC-Stop Records


For PPP users who start EXEC terminal sessions, you can specify that NETWORK records be generated
before EXEC-stop records. In some cases, such as billing customers for specific services, it can be
desirable to keep network start and stop records together, essentially “nesting” them within the
framework of the EXEC start and stop messages. For example, a user dialing in using PPP can create the
following records: EXEC-start, NETWORK-start, EXEC-stop, NETWORK-stop. By nesting the
accounting records, NETWORK-stop records follow NETWORK-start messages: EXEC-start,
NETWORK-start, NETWORK-stop, EXEC-stop.


To nest accounting records for user sessions, use the following command in global configuration mode:

Command Purpose
Router(config)# aaa accounting nested
    Nests network accounting records.
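Whether the nesting described above is actually what the accounting server receives can be checked from the server-side log. The following Python is an added example, not Cisco's code: it parses RADIUS accounting records in the attribute = value layout shown earlier in this chapter and reports whether a user's NETWORK records fall inside that user's EXEC records. The two logs are constructed for the example, with assumed timestamps, a 192.0.2.15 NAS address and assumed session IDs, and only the Service-Type values this chapter itself uses (Exec-User, Framed, Login) are mapped to record kinds.

```python
import re

TIMESTAMP_RE = re.compile(r"^\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}$")
ATTR_RE = re.compile(r'^([\w-]+)\s*=\s*"?([^"]*)"?$')

# Service-Type values used in the chapter's RADIUS records, mapped to the
# record kinds named in the nesting discussion (Login is the connection case).
KIND_BY_SERVICE = {"Exec-User": "EXEC", "Framed": "NETWORK", "Login": "CONNECTION"}


def parse_radius_log(text):
    """Parse a server-side RADIUS accounting log into a list of dicts.

    Each record starts with a timestamp line and is followed by
    'Attribute = value' lines; quoted values lose their quotes.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip().replace("\u201c", '"').replace("\u201d", '"')
        if not line:
            continue
        if TIMESTAMP_RE.match(line):
            current = {"timestamp": line}
            records.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return records


def event_sequence(records, user):
    """EXEC-start / NETWORK-stop style event list for one user, in log order."""
    events = []
    for r in records:
        if r.get("User-Name") != user:
            continue
        kind = KIND_BY_SERVICE.get(r.get("Service-Type"), "OTHER")
        events.append("%s-%s" % (kind, r.get("Acct-Status-Type", "").lower()))
    return events


def is_nested(events):
    """True when every NETWORK session opens and closes while an EXEC session is
    open, which is the ordering aaa accounting nested produces for PPP users
    who start an EXEC shell."""
    exec_open = net_open = False
    for e in events:
        if e == "EXEC-start":
            exec_open = True
        elif e == "EXEC-stop":
            if net_open:        # EXEC closed while its network session is still open
                return False
            exec_open = False
        elif e == "NETWORK-start":
            if not exec_open:   # network session started outside any EXEC session
                return False
            net_open = True
        elif e == "NETWORK-stop":
            net_open = False
    return True


def _record(ts, status, service, session_id):
    # Constructed record in the layout of the chapter's RADIUS examples.
    return ("%s\n NAS-IP-Address = \"192.0.2.15\"\n NAS-Port = 1\n User-Name = \"fgeorge\"\n"
            " Acct-Status-Type = %s\n Service-Type = %s\n Acct-Session-Id = \"%s\"\n"
            % (ts, status, service, session_id))


# Without nesting: the EXEC-stop is logged before the NETWORK-stop it encloses.
UNNESTED_LOG = "\n".join([
    _record("Wed Jun 27 04:02:19 2001", "Start", "Exec-User", "00000006"),
    _record("Wed Jun 27 04:02:25 2001", "Start", "Framed", "00000007"),
    _record("Wed Jun 27 04:03:21 2001", "Stop", "Exec-User", "00000006"),
    _record("Wed Jun 27 04:03:22 2001", "Stop", "Framed", "00000007"),
])
# With aaa accounting nested: the NETWORK-stop precedes the EXEC-stop.
NESTED_LOG = "\n".join([
    _record("Wed Jun 27 04:02:19 2001", "Start", "Exec-User", "00000006"),
    _record("Wed Jun 27 04:02:25 2001", "Start", "Framed", "00000007"),
    _record("Wed Jun 27 04:03:21 2001", "Stop", "Framed", "00000007"),
    _record("Wed Jun 27 04:03:22 2001", "Stop", "Exec-User", "00000006"),
])


def analyse(text, user="fgeorge"):
    events = event_sequence(parse_radius_log(text), user)
    return events, is_nested(events)


if __name__ == "__main__":
    print("unnested:", analyse(UNNESTED_LOG))
    print("nested:  ", analyse(NESTED_LOG))
```

The parser keys on the timestamp line that begins each record, so a log in which records are separated only by blank lines parses the same way; the nesting check deliberately ignores CONNECTION records, because the text above defines nesting only between NETWORK and EXEC records.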

Configuring AAA Resource Failure Stop Accounting


To enable resource failure stop accounting, use the following command in global configuration mode:

Command Purpose
Router(config)# aaa accounting resource method-list stop-failure group server-group
    Generates a “stop” record for any calls that do not reach user authentication.

Note Before configuring this feature, you must first perform the tasks described in the section “AAA Accounting Prerequisites” and enable Simple Network Management Protocol on your network access server. For more information about enabling SNMP on your Cisco router or access server, refer to the chapter “Configuring SNMP” of the Cisco IOS Configuration Fundamentals Configuration Guide.

Configuring AAA Resource Accounting for Start-Stop Records


To enable full resource accounting for start-stop records, use the following command in global
configuration mode:

Command Purpose
Router(config)# aaa accounting resource method-list start-stop group server-group
    Supports the ability to send a “start” record at each call setup, followed by a corresponding “stop” record at the call disconnect.

Note Before configuring this feature, you must first perform the tasks described in “AAA Accounting Prerequisites” and enable Simple Network Management Protocol on your network access server. For more information about enabling SNMP on your Cisco router or access server, refer to the chapter “Configuring SNMP” of the Cisco IOS Configuration Fundamentals Configuration Guide.


Configuring AAA Broadcast Accounting


To configure AAA broadcast accounting, use the aaa accounting command in global configuration
mode. This command has been modified to allow the broadcast keyword.

Command Purpose
Router(config)# aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] method1 [method2...]
    Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.
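The difference between a sequential method list (the next group is tried only when the previous one returned an error) and broadcast accounting (every group receives the record, each with its own failover sequence) is easiest to see in a small model that covers both the Accounting Methods section and this one. The Python below is an added example, not Cisco code or any AAA client implementation; the server groups, their names and their states (up, down, reject) are constructed for the example, a server that answers but refuses a record is modelled as FAIL and one that never answers as ERROR, and the four-destination limit from the note on broadcast accounting is assumed to mean one first-choice server per group.

```python
from dataclasses import dataclass, field

OK, FAIL, ERROR = "ok", "fail", "error"


@dataclass
class Server:
    """Constructed model of an accounting server: 'up' accepts records,
    'reject' answers but refuses them (FAIL), 'down' never answers (ERROR)."""
    name: str
    state: str = "up"
    received: list = field(default_factory=list)

    def send(self, record):
        if self.state == "down":
            return ERROR
        if self.state == "reject":
            return FAIL
        self.received.append(record)
        return OK


def send_to_group(group, record):
    """Deliver to the first server in the group that answers.

    Backup servers are tried only when a server is unavailable (ERROR);
    an answer, even a refusal, ends the failover sequence for this group.
    """
    for server in group:
        result = server.send(record)
        if result != ERROR:
            return result, server.name
    return ERROR, None


def deliver_sequential(methods, record):
    """Method-list semantics (aaa accounting ... group A group B):
    the next method is tried only if the previous one returned ERROR."""
    trace = []
    for name, group in methods:
        result, server = send_to_group(group, record)
        trace.append((name, result, server))
        if result != ERROR:
            return result, trace
    return ERROR, trace


def deliver_broadcast(methods, record):
    """Broadcast semantics (aaa accounting ... broadcast group A group B):
    every group receives the record, each with its own failover sequence."""
    # Assumption: the chapter's limit of four simultaneous destinations is
    # modelled as at most four groups (one first-choice server per group).
    if len(methods) > 4:
        raise ValueError("broadcast accounting is limited to four destinations")
    return [(name,) + send_to_group(group, record) for name, group in methods]


def build_scenario():
    # Constructed: the provider's TACACS+ pair (primary down) and the end
    # customer's RADIUS pair (primary answering but refusing the record).
    provider = [Server("tac-primary", "down"), Server("tac-backup")]
    customer = [Server("rad-primary", "reject"), Server("rad-backup")]
    return [("group tacacs+", provider), ("group customer-radius", customer)]


def run_examples():
    record = {"Acct-Status-Type": "Stop", "User-Name": "fgeorge",
              "Acct-Session-Id": "0000000B"}
    # Sequential: tacacs+ fails over to its backup and succeeds, so the
    # customer group never sees the record.
    sequential = deliver_sequential(build_scenario(), record)
    # Broadcast: both groups get it; rad-primary's refusal is final for its group.
    broadcast = deliver_broadcast(build_scenario(), record)
    # A refusal (FAIL) from the first method stops a sequential list outright.
    refused = deliver_sequential(list(reversed(build_scenario())), record)
    return {"sequential": sequential, "broadcast": broadcast, "refused_first": refused}


if __name__ == "__main__":
    for label, outcome in run_examples().items():
        print(label, outcome)
```

The refused_first case is the one that matters operationally: a server that answers with a refusal (bad shared secret, unknown NAS, full disk on the daemon) does not cause the router to move on to the next group in a sequential list, so the record is lost unless the group has its own monitoring. Broadcast accounting sidesteps this for the other groups, but within the refusing group the record is still dropped.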

Configuring Per-DNIS AAA Broadcast Accounting


To configure AAA broadcast accounting per Dialed Number Identification Service (DNIS), use the
aaa dnis map accounting network command in global configuration mode. This command has been
modified to allow the broadcast keyword and multiple server groups.

Command Purpose
Router(config)# aaa dnis map dnis-number accounting network [start-stop | stop-only | none] [broadcast] method1 [method2...]
    Allows per-DNIS accounting configuration. This command has precedence over the global aaa accounting command. Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

Configuring AAA Session MIB


Before configuring the AAA session MIB feature, you must perform the following tasks:
• Configure SNMP. For information on SNMP, see the chapter “Configuring SNMP Support” of the
Cisco IOS Configuration Fundamentals Configuration Guide.
• Configure AAA.
• Define the characteristics of your RADIUS or TACACS+ server.

Note Overusing SNMP can affect the overall performance of your system; therefore, normal network
management performance must be considered when this feature is used.

To configure AAA session MIB, use the following command in global configuration mode:

Command: Router(config)# aaa session-mib disconnect
Purpose: Monitors and terminates authenticated client connections using SNMP. To terminate the call,
the disconnect keyword must be used.

Monitoring Accounting
No specific show command exists for either RADIUS or TACACS+ accounting. To obtain accounting
records displaying information about users currently logged in, use the following command in privileged
EXEC mode:

Command: Router# show accounting
Purpose: Allows display of the active accountable events on the network and helps collect information
in the event of a data loss on the accounting server.

Troubleshooting Accounting
To troubleshoot accounting information, use the following command in privileged EXEC mode:

Command: Router# debug aaa accounting
Purpose: Displays information on accountable events as they occur.

Accounting Attribute-Value Pairs


The network access server monitors the accounting functions defined in either TACACS+ attribute-value
(AV) pairs or RADIUS attributes, depending on which security method you have implemented. For a list
of supported RADIUS accounting attributes, refer to the appendix “RADIUS Attributes.” For a list of
supported TACACS+ accounting AV pairs, refer to the appendix “TACACS+ Attribute-Value Pairs.”

Accounting Configuration Examples


This section contains the following examples:
• Configuring Named Method List Example
• Configuring AAA Resource Accounting
• Configuring AAA Broadcast Accounting Example
• Configuring Per-DNIS AAA Broadcast Accounting Example
• AAA Session MIB Example

Configuring Named Method List Example


The following example shows how to configure a Cisco AS5200 (enabled for AAA and communication
with a RADIUS security server) in order for AAA services to be provided by the RADIUS server. If the
RADIUS server fails to respond, then the local database will be queried for authentication and
authorization information, and accounting services will be handled by a TACACS+ server.
aaa new-model
aaa authentication login admins local
aaa authentication ppp dialins group radius local
aaa authorization network scoobee group radius local
aaa accounting network charley start-stop group radius group tacacs+

username root password ALongPassword

tacacs-server host [Link]
tacacs-server key goaway

radius-server host [Link]
radius-server key myRaDiUSpassWoRd

interface group-async 1
group-range 1 16
encapsulation ppp
ppp authentication chap dialins
ppp authorization scoobee
ppp accounting charley

line 1 16
autoselect ppp
autoselect during-login
login authentication admins
modem dialin

The lines in this sample RADIUS AAA configuration are defined as follows:
• The aaa new-model command enables AAA network security services.
• The aaa authentication login admins local command defines a method list, “admins”, for login
authentication.
• The aaa authentication ppp dialins group radius local command defines the authentication
method list “dialins”, which specifies that first RADIUS authentication and then (if the RADIUS
server does not respond) local authentication will be used on serial lines using PPP.
• The aaa authorization network scoobee group radius local command defines the network
authorization method list named “scoobee”, which specifies that RADIUS authorization will be used
on serial lines using PPP. If the RADIUS server fails to respond, then local network authorization
will be performed.
• The aaa accounting network charley start-stop group radius group tacacs+ command defines
the network accounting method list named charley, which specifies that RADIUS accounting
services (in this case, start and stop records for specific events) will be used on serial lines using
PPP. If the RADIUS server fails to respond, accounting services will be handled by a TACACS+
server.
• The username command defines the username and password to be used for the PPP Password
Authentication Protocol (PAP) caller identification.
• The tacacs-server host command defines the name of the TACACS+ server host.

• The tacacs-server key command defines the shared secret text string between the network access
server and the TACACS+ server host.
• The radius-server host command defines the name of the RADIUS server host.
• The radius-server key command defines the shared secret text string between the network access
server and the RADIUS server host.
• The interface group-async command selects and defines an asynchronous interface group.
• The group-range command defines the member asynchronous interfaces in the interface group.
• The encapsulation ppp command sets PPP as the encapsulation method used on the specified
interfaces.
• The ppp authentication chap dialins command selects Challenge Handshake Authentication
Protocol (CHAP) as the method of PPP authentication and applies the “dialins” method list to the
specified interfaces.
• The ppp authorization scoobee command applies the scoobee network authorization method list to
the specified interfaces.
• The ppp accounting charley command applies the charley network accounting method list to the
specified interfaces.
• The line command switches the configuration mode from global configuration to line configuration
and identifies the specific lines being configured.
• The autoselect ppp command configures the Cisco IOS software to allow a PPP session to start up
automatically on these selected lines.
• The autoselect during-login command is used to display the username and password prompt
without pressing the Return key. After the user logs in, the autoselect function (in this case, PPP)
begins.
• The login authentication admins command applies the admins method list for login authentication.
• The modem dialin command configures modems attached to the selected lines to only accept
incoming calls.
The show accounting command yields the following output for the preceding configuration:
Active Accounted actions on tty1, User rubble Priv 1
Task ID 5, Network Accounting record, [Link] Elapsed
task_id=5 service=ppp protocol=ip address=[Link]

Table 13 describes the fields contained in the preceding output.

Table 13 show accounting Field Descriptions

Field                        Description
Active Accounted actions on  Terminal line or interface name with which the user logged in.
User                         User’s ID.
Priv                         User’s privilege level.
Task ID                      Unique identifier for each accounting session.
Accounting Record            Type of accounting session.
Elapsed                      Length of time (hh:mm:ss) for this session type.
attribute=value              AV pairs associated with this accounting session.
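The show accounting output above is the only local view of in-flight sessions when the accounting server has lost records, so it is worth being able to parse it into the fields of Table 13 rather than reading it by eye. The following parser is an added example, not code from the guide or from Cisco IOS; the sample output it parses is constructed in the layout shown above (the guide's own sample has its address and elapsed time elided), and the user names, addresses and times in it are made up.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the layout of the show accounting output above.
# Addresses, users and times are invented for the example.
SAMPLE_OUTPUT = """\
Active Accounted actions on tty1, User rubble Priv 1
 Task ID 5, Network Accounting record, 00:00:11 Elapsed
 task_id=5 service=ppp protocol=ip address=192.0.2.10
Active Accounted actions on Serial0:1, User flintstone Priv 15
 Task ID 9, Exec Accounting record, 01:02:03 Elapsed
 task_id=9 service=shell
"""

# One regex per line shape in the output: the per-line/user header, the task line,
# and (anything else) a line of attribute=value pairs.
HEADER_RE = re.compile(
    r"^Active Accounted actions on (?P<line>.+?), User (?P<user>\S+) Priv (?P<priv>\d+)$"
)
RECORD_RE = re.compile(
    r"^Task ID (?P<task_id>\d+), (?P<record>.+?) record, (?P<elapsed>\d{2}:\d{2}:\d{2}) Elapsed$"
)


@dataclass
class AccountingSession:
    """One entry of show accounting, named after the fields in Table 13."""
    line: str                      # terminal line or interface name
    user: str                      # user's ID
    priv: int                      # user's privilege level
    task_id: int = 0               # unique identifier for the accounting session
    record_type: str = ""          # type of accounting session, e.g. "Network Accounting"
    elapsed_seconds: int = 0       # hh:mm:ss converted to seconds
    av_pairs: Dict[str, str] = field(default_factory=dict)


def parse_elapsed(hhmmss: str) -> int:
    hours, minutes, seconds = (int(part) for part in hhmmss.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_show_accounting(text: str) -> List[AccountingSession]:
    sessions: List[AccountingSession] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = AccountingSession(line=header["line"], user=header["user"],
                                        priv=int(header["priv"]))
            sessions.append(current)
            continue
        if current is None:        # AV pairs or task lines before any header: ignore
            continue
        record = RECORD_RE.match(line)
        if record:
            current.task_id = int(record["task_id"])
            current.record_type = record["record"]
            current.elapsed_seconds = parse_elapsed(record["elapsed"])
            continue
        for token in line.split():  # remaining lines carry attribute=value pairs
            if "=" in token:
                key, value = token.split("=", 1)
                current.av_pairs[key] = value
    return sessions


def stale_sessions(sessions: List[AccountingSession], max_seconds: int) -> List[AccountingSession]:
    """Sessions running longer than max_seconds: the ones to reconcile first against the
    accounting server when stop records are suspected to be missing."""
    return [s for s in sessions if s.elapsed_seconds > max_seconds]


if __name__ == "__main__":
    for session in parse_show_accounting(SAMPLE_OUTPUT):
        print(session)
    print("longer than an hour:", [s.user for s in stale_sessions(parse_show_accounting(SAMPLE_OUTPUT), 3600)])
```

Feed the parser the captured output of show accounting from the access server; the AV pairs on the last line of each entry are the same attributes the RADIUS or TACACS+ server should have received in the start record, so a mismatch between the two is a quick way to find lost records.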

Configuring AAA Resource Accounting


The following example shows how to configure the resource failure stop accounting and resource
accounting for start-stop records functions:
!Enable AAA on your network access server.
aaa new-model
!Enable authentication at login and list the AOL string name to use for login authentication.
aaa authentication login AOL group radius local
!Enable authentication for ppp and list the default method to use for PPP authentication.
aaa authentication ppp default group radius local
!Enable authorization for all exec sessions and list the AOL string name to use for authorization.
aaa authorization exec AOL group radius if-authenticated
!Enable authorization for all network-related service requests and list the default method to use
!for all network-related authorizations.
aaa authorization network default group radius if-authenticated
!Enable accounting for all exec sessions and list the default method to use for all start-stop
!accounting services.
aaa accounting exec default start-stop group radius
!Enable accounting for all network-related service requests and list the default method to use for
!all start-stop accounting services.
aaa accounting network default start-stop group radius
!Enable failure stop accounting.
aaa accounting resource default stop-failure group radius
!Enable resource accounting for start-stop records.
aaa accounting resource default start-stop group radius

Configuring AAA Broadcast Accounting Example


The following example shows how to turn on broadcast accounting using the global aaa accounting
command:
aaa group server radius isp
server [Link]
server [Link]

aaa group server tacacs+ isp_customer
server [Link]

aaa accounting network default start-stop broadcast group isp group isp_customer

radius-server host [Link]
radius-server host [Link]
radius-server key key1
tacacs-server host [Link] key key2

The broadcast keyword causes “start” and “stop” accounting records for network connections to be sent
simultaneously to server [Link] in the group isp and to server [Link] in the group isp_customer. If server
[Link] is unavailable, failover to server [Link] occurs. If server [Link] is unavailable, no failover occurs
because backup servers are not configured for the group isp_customer.

Configuring Per-DNIS AAA Broadcast Accounting Example


The following example shows how to turn on per DNIS broadcast accounting using the global aaa dnis
map accounting network command:
aaa group server radius isp
server [Link]
server [Link]

aaa group server tacacs+ isp_customer
server [Link]

aaa dnis map enable
aaa dnis map 7777 accounting network start-stop broadcast group isp group isp_customer

radius-server host [Link]
radius-server host [Link]
radius-server key key_1
tacacs-server host [Link] key key_2

The broadcast keyword causes “start” and “stop” accounting records for network connection calls
having DNIS number 7777 to be sent simultaneously to server [Link] in the group isp and to server
[Link] in the group isp_customer. If server [Link] is unavailable, failover to server [Link] occurs. If
server [Link] is unavailable, no failover occurs because backup servers are not configured for the group
isp_customer.
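The failover rules in the two broadcast examples above (records go to the first server of every group at once, backups are tried only inside their own group, a one-server group has no fallback, and a matching aaa dnis map entry wins over the global aaa accounting list) are easy to get wrong when reasoning about which server will hold a record after an outage. The following model is an added example, not code from the guide or from Cisco IOS: it models the two server groups of the examples with constructed host names in place of the elided addresses, a stand-in transport that simply reports a server as up or down, and, to show the contrast, a global method list configured without the broadcast keyword while the DNIS 7777 entry keeps it.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class ServerGroup:
    """An 'aaa group server' entry: servers in configured order, the first is the primary."""
    name: str
    servers: List[str]


@dataclass
class AccountingMethodList:
    """The method part of 'aaa accounting ... [broadcast] method1 [method2...]'."""
    groups: List[ServerGroup]
    broadcast: bool = False


@dataclass
class AccountingConfig:
    default_list: AccountingMethodList                      # global 'aaa accounting network default'
    dnis_map: Dict[str, AccountingMethodList] = field(default_factory=dict)
    dnis_map_enabled: bool = False                          # 'aaa dnis map enable'

    def select(self, dnis: Optional[str]) -> AccountingMethodList:
        # A matching 'aaa dnis map' entry takes precedence over the global command.
        if self.dnis_map_enabled and dnis is not None and dnis in self.dnis_map:
            return self.dnis_map[dnis]
        return self.default_list


Deliver = Callable[[str, Dict[str, str]], bool]   # (server, record) -> accepted?


def send_record(method_list: AccountingMethodList, record: Dict[str, str],
                deliver: Deliver) -> Dict[str, Optional[str]]:
    """Return, per group tried, the server that accepted the record (None when every
    server in that group was unavailable). With broadcast every group is tried; without
    it the next group is only used after the previous group failed completely."""
    outcome: Dict[str, Optional[str]] = {}
    for group in method_list.groups:
        accepted = None
        for server in group.servers:                  # failover inside the group, in order
            if deliver(server, record):
                accepted = server
                break
        outcome[group.name] = accepted
        if accepted is not None and not method_list.broadcast:
            break                                     # non-broadcast: first working group wins
    return outcome


def make_deliver(down: Set[str]) -> Deliver:
    """Constructed transport stand-in: a server accepts unless it is in the down set."""
    return lambda server, record: server not in down


def example_config() -> AccountingConfig:
    # Host names are constructed placeholders for the elided addresses on the page.
    isp = ServerGroup("isp", ["isp-radius-1", "isp-radius-2"])
    isp_customer = ServerGroup("isp_customer", ["customer-tacacs-1"])
    return AccountingConfig(
        # 'aaa accounting network default start-stop group isp group isp_customer'
        # (deliberately without broadcast, to show plain group-to-group failover)
        default_list=AccountingMethodList([isp, isp_customer], broadcast=False),
        # 'aaa dnis map 7777 accounting network start-stop broadcast group isp group isp_customer'
        dnis_map={"7777": AccountingMethodList([isp, isp_customer], broadcast=True)},
        dnis_map_enabled=True,
    )


if __name__ == "__main__":
    cfg = example_config()
    start = {"acct-status": "start", "task_id": "5"}
    for down in (set(), {"isp-radius-1"}, {"customer-tacacs-1"}):
        print("DNIS 7777, down:", sorted(down), "->",
              send_record(cfg.select("7777"), start, make_deliver(down)))
    print("DNIS 1234 (no map entry), all up ->",
          send_record(cfg.select("1234"), start, make_deliver(set())))
```

The outcome dictionary is the thing to check when auditing an outage: a None for isp_customer means the customer's copy of the record was never delivered, and nothing in the configuration will retry it.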

AAA Session MIB Example


The following example shows how to set up the AAA session MIB feature to disconnect authenticated
client connections for PPP users:
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
aaa session-mib disconnect

Security Server Protocols
Configuring RADIUS

This chapter describes the Remote Authentication Dial-In User Service (RADIUS) security system,
defines its operation, and identifies appropriate and inappropriate network environments for using
RADIUS technology. The “RADIUS Configuration Task List” section describes how to configure
RADIUS with the authentication, authorization, and accounting (AAA) command set.
For a complete description of the RADIUS commands used in this chapter, refer to the chapter “RADIUS
Commands” in the Cisco IOS Security Command Reference. To locate documentation of other
commands that appear in this chapter, use the command reference master index or search online.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on [Link] to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software” chapter.

In This Chapter
This chapter includes the following sections:
• About RADIUS
• RADIUS Operation
• RADIUS Configuration Task List
• Monitoring and Maintaining RADIUS
• RADIUS Attributes
• RADIUS Configuration Examples

About RADIUS
RADIUS is a distributed client/server system that secures networks against unauthorized access. In the
Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a
central RADIUS server that contains all user authentication and network service access information.
RADIUS is a fully open protocol, distributed in source code format, that can be modified to work with
any security system currently available on the market.
Cisco supports RADIUS under its AAA security paradigm. RADIUS can be used with other AAA
security protocols, such as TACACS+, Kerberos, and local username lookup. RADIUS is supported on
all Cisco platforms, but some RADIUS-supported features run only on specified platforms.

RADIUS has been implemented in a variety of network environments that require high levels of security
while maintaining network access for remote users.
Use RADIUS in the following network environments that require access security:
• Networks with multiple-vendor access servers, each supporting RADIUS. For example, access
servers from several vendors use a single RADIUS server-based security database. In an IP-based
network with multiple vendors’ access servers, dial-in users are authenticated through a RADIUS
server that has been customized to work with the Kerberos security system.
• Turnkey network security environments in which applications support the RADIUS protocol, such
as in an access environment that uses a “smart card” access control system. In one case, RADIUS
has been used with Enigma’s security cards to validate users and grant access to network resources.
• Networks already using RADIUS. You can add a Cisco router with RADIUS to the network. This
might be the first step when you make a transition to a Terminal Access Controller Access Control
System Plus (TACACS+) server.
• Networks in which a user must only access a single service. Using RADIUS, you can control user
access to a single host, to a single utility such as Telnet, or to a single protocol such as Point-to-Point
Protocol (PPP). For example, when a user logs in, RADIUS identifies this user as having
authorization to run PPP using IP address [Link] and the defined access list is started.
• Networks that require resource accounting. You can use RADIUS accounting independent of
RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent
at the start and end of services, indicating the amount of resources (such as time, packets, bytes, and
so on) used during the session. An Internet service provider (ISP) might use a freeware-based
version of RADIUS access control and accounting software to meet special security and billing
needs.
• Networks that wish to support preauthentication. Using the RADIUS server in your network, you
can configure AAA preauthentication and set up the preauthentication profiles. Preauthentication
enables service providers to better manage ports using their existing RADIUS solutions, and to
efficiently manage the use of shared resources to offer differing service-level agreements.
RADIUS is not suitable in the following network security situations:
• Multiprotocol access environments. RADIUS does not support the following protocols:
– AppleTalk Remote Access (ARA)
– NetBIOS Frame Control Protocol (NBFCP)
– NetWare Asynchronous Services Interface (NASI)
– X.25 PAD connections
• Router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be
used to authenticate from one router to a non-Cisco router if the non-Cisco router requires RADIUS
authentication.
• Networks using a variety of services. RADIUS generally binds a user to one service model.

RADIUS Operation
When a user attempts to log in and authenticate to an access server using RADIUS, the following steps
occur:
1. The user is prompted for and enters a username and password.
2. The username and encrypted password are sent over the network to the RADIUS server.

3. The user receives one of the following responses from the RADIUS server:
a. ACCEPT—The user is authenticated.
b. REJECT—The user is not authenticated and is prompted to reenter the username and password,
or access is denied.
c. CHALLENGE—A challenge is issued by the RADIUS server. The challenge collects additional
data from the user.
d. CHANGE PASSWORD—A request is issued by the RADIUS server, asking the user to select
a new password.
The ACCEPT or REJECT response is bundled with additional data that is used for EXEC or network
authorization. You must first complete RADIUS authentication before using RADIUS authorization.
The additional data included with the ACCEPT or REJECT packets consists of the following:
• Services that the user can access, including Telnet, rlogin, or local-area transport (LAT)
connections, and PPP, Serial Line Internet Protocol (SLIP), or EXEC services.
• Connection parameters, including the host or client IP address, access list, and user timeouts.

RADIUS Configuration Task List


To configure RADIUS on your Cisco router or access server, you must perform the following tasks:
• Use the aaa new-model global configuration command to enable AAA. AAA must be configured
if you plan to use RADIUS. For more information about using the aaa new-model command, refer
to the “AAA Overview” chapter.
• Use the aaa authentication global configuration command to define method lists for RADIUS
authentication. For more information about using the aaa authentication command, refer to the
“Configuring Authentication” chapter.
• Use line and interface commands to enable the defined method lists to be used. For more
information, refer to the “Configuring Authentication” chapter.
The following configuration tasks are optional:
• You may use the aaa group server command to group selected RADIUS hosts for specific services.
For more information about using the aaa group server command, refer to the “Configuring AAA
Server Groups” section in this chapter.
• You may use the aaa dnis map command to select RADIUS server groups based on DNIS number.
To use this command, you must define RADIUS server groups using the aaa group server
command. For more information about using the aaa dnis map command, refer to the section
“Configuring AAA Server Group Selection Based on DNIS” in this chapter.
• You may use the aaa authorization global command to authorize specific user functions. For more
information about using the aaa authorization command, refer to the chapter “Configuring
Authorization.”
• You may use the aaa accounting command to enable accounting for RADIUS connections. For
more information about using the aaa accounting command, refer to the chapter “Configuring
Accounting.”
• You may use the dialer aaa interface configuration command to create remote site profiles that
contain outgoing call attributes on the AAA server. For more information about using the dialer aaa
command, refer to the section “Configuring Suffix and Password in RADIUS Access Requests” in
this chapter.

This section describes how to set up RADIUS for authentication, authorization, and accounting on your
network, and includes the following sections:
• Configuring Router to RADIUS Server Communication (Required)
• Configuring Router to Use Vendor-Specific RADIUS Attributes (Optional)
• Configuring Router for Vendor-Proprietary RADIUS Server Communication (Optional)
• Configuring Router to Query RADIUS Server for Static Routes and IP Addresses (Optional)
• Configuring Router to Expand Network Access Server Port Information (Optional)
• Configuring AAA Server Groups (Optional)
• Configuring AAA Server Groups with Deadtime (Optional)
• Configuring AAA DNIS Authentication
• Configuring AAA Server Group Selection Based on DNIS (Optional)
• Configuring AAA Preauthentication
• Configuring a Guard Timer
• Specifying RADIUS Authentication
• Specifying RADIUS Authorization (Optional)
• Specifying RADIUS Accounting (Optional)
• Configuring RADIUS Login-IP-Host (Optional)
• Configuring RADIUS Prompt (Optional)
• Configuring Suffix and Password in RADIUS Access Requests (Optional)
For RADIUS configuration examples using the commands in this chapter, refer to the section “RADIUS
Configuration Examples” at the end of this chapter.

Configuring Router to RADIUS Server Communication


The RADIUS host is normally a multiuser system running RADIUS server software from Cisco
(CiscoSecure ACS), Livingston, Merit, Microsoft, or another software provider. Configuring router to
RADIUS server communication can have several components:
• Host name or IP address
• Authentication destination port
• Accounting destination port
• Timeout period
• Retransmission value
• Key string
RADIUS security servers are identified on the basis of their host name or IP address, host name and
specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP
address and UDP port number creates a unique identifier, allowing different ports to be individually
defined as RADIUS hosts providing a specific AAA service. In other words, this unique identifier
enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two
different host entries on the same RADIUS server are configured for the same service—for example,
accounting—the second host entry configured acts as fail-over backup to the first one. Using this
example, if the first host entry fails to provide accounting services, the network access server will try
the second host entry configured on the same device for accounting services. (The RADIUS host entries
will be tried in the order they are configured.)
A RADIUS server and a Cisco router use a shared secret text string to encrypt passwords and exchange
responses. To configure RADIUS to use the AAA security commands, you must specify the host running
the RADIUS server daemon and a secret text (key) string that it shares with the router.
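The two uses of the shared secret named above (hiding the password in the Access-Request, and authenticating the server's response) are both defined in RFC 2865, and seeing them in code makes clear why the secret's strength matters: the password is XORed with an MD5 keystream derived from the secret, and the ACCEPT or REJECT described under "RADIUS Operation" is only trustworthy after its Response Authenticator has been recomputed with the same secret. The following is an added example in Python, not code from the guide or from Cisco IOS; the Request Authenticator in the test is a fixed constructed value (a real client draws it at random per request) and the secret is the one from the named method list example earlier in this chapter.

```python
import hashlib
import hmac
import struct

RADIUS_HEADER = struct.Struct("!BBH")      # Code, Identifier, Length; a 16-byte Authenticator follows
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 bytes, then XOR
    each block with MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator. This is the 'encrypted password' the client sends."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    previous = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + previous).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        previous = block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the server computes it. Trailing NUL padding is
    stripped, which is why the protocol cannot carry passwords ending in NUL bytes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password length must be a non-zero multiple of 16")
    plain = bytearray()
    previous = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + previous).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        previous = hidden[i:i + 16]
    return bytes(plain).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = RADIUS_HEADER.pack(code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_response(code: int, identifier: int, attributes: bytes,
                   request_authenticator: bytes, secret: bytes) -> bytes:
    """What the server sends back: header, Response Authenticator, attributes."""
    auth = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return RADIUS_HEADER.pack(code, identifier, 20 + len(attributes)) + auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """The client-side check before acting on ACCEPT, REJECT or CHALLENGE: recompute the
    Response Authenticator with the shared secret and compare in constant time."""
    if len(packet) < 20:
        return False
    code, identifier, length = RADIUS_HEADER.unpack_from(packet)
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_authenticator, secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    authenticator = bytes(range(16))            # constructed; real clients use random bytes
    secret = b"myRaDiUSpassWoRd"                 # the radius-server key from the example above
    hidden = hide_user_password(b"ALongPassword", secret, authenticator)
    print("hidden User-Password:", hidden.hex())
    print("revealed:", reveal_user_password(hidden, secret, authenticator))
    reply = build_response(ACCESS_ACCEPT, 7, b"", authenticator, secret)
    print("accept verifies:", verify_response(reply, authenticator, secret))
    print("accept with wrong secret verifies:", verify_response(reply, authenticator, b"wrong"))
```

Because the keystream depends only on the secret and a value that travels in the clear, a short or guessable radius-server key is the weak point of this exchange; the same secret is also the only thing that stops a forged Access-Accept from passing verify_response.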
The timeout, retransmission, and encryption key values are configurable globally for all RADIUS
servers, on a per-server basis, or in some combination of global and per-server settings. To apply these
settings globally to all RADIUS servers communicating with the router, use the three unique global
commands: radius-server timeout, radius-server retransmit, and radius-server key. To apply these
values on a specific RADIUS server, use the radius-server host command.

Note You can configure both global and per-server timeout, retransmission, and key value commands
simultaneously on the same Cisco network access server. If both global and per-server functions are
configured on a router, the per-server timer, retransmission, and key value commands override global
timer, retransmission, and key value commands.

To configure per-server RADIUS server communication, use the following command in global
configuration mode:

Command: Router(config)# radius-server host {hostname | ip-address} [auth-port port-number]
[acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname |
ip-address}]
Purpose: Specifies the IP address or host name of the remote RADIUS server host and assigns
authentication and accounting destination port numbers. Use the auth-port port-number option to
configure a specific UDP port on this RADIUS server to be used solely for authentication. Use the
acct-port port-number option to configure a specific UDP port on this RADIUS server to be used solely
for accounting. Use the alias keyword to configure up to eight multiple IP addresses for use when
referring to RADIUS servers.
To configure the network access server to recognize more than one host entry associated with a single
IP address, simply repeat this command as many times as necessary, making sure that each UDP port
number is different. Set the timeout, retransmit, and encryption key values to use with the specific
RADIUS host.
If no timeout is set, the global value is used; otherwise, enter a value in the range 1 to 1000. If no
retransmit value is set, the global value is used; otherwise enter a value in the range 1 to 1000. If no
key string is specified, the global value is used.

Note The key is a text string that must match the encryption key used on the RADIUS server. Always
configure the key as the last item in the radius-server host command syntax because the leading spaces
are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not
enclose the key in quotation marks unless the quotation marks themselves are part of the key.

To configure global communication settings between the router and a RADIUS server, use the following
radius-server commands in global configuration mode:

Step 1 Command: Router(config)# radius-server key {0 string | 7 string | string}
Purpose: Specifies the shared secret text string used between the router and a RADIUS server. Use the
0 line option to configure an unencrypted shared secret. Use the 7 line option to configure an encrypted
shared secret.

Step 2 Command: Router(config)# radius-server retransmit retries
Purpose: Specifies how many times the router transmits each RADIUS request to the server before giving
up (the default is 3).

Step 3 Command: Router(config)# radius-server timeout seconds
Purpose: Specifies for how many seconds a router waits for a reply to a RADIUS request before
retransmitting the request.

Step 4 Command: Router(config)# radius-server deadtime minutes
Purpose: Specifies for how many minutes a RADIUS server that is not responding to authentication
requests is passed over by requests for RADIUS authentication.

Configuring Router to Use Vendor-Specific RADIUS Attributes


The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating
vendor-specific information between the network access server and the RADIUS server by using the
vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their
own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one
vendor-specific option using the format recommended in the specification. Cisco’s vendor-ID is 9, and
the supported option has vendor-type 1, which is named “cisco-avpair.” The value is a string of the
following format:
protocol : attribute sep value *

“Protocol” is a value of the Cisco “protocol” attribute for a particular type of authorization; protocols
that can be used include IP, IPX, VPDN, VOIP, SHELL, RSVP, SIP, AIRNET, OUTBOUND. “Attribute”
and “value” are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification,
and “sep” is “=” for mandatory attributes and “*” for optional attributes. This allows the full set of
features available for TACACS+ authorization to also be used for RADIUS.
For example, the following AV pair causes Cisco’s “multiple named ip address pools” feature to be
activated during IP authorization (during PPP’s IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"

If you insert an “*”, the AV pair “ip:addr-pool=first” becomes optional. Note that any AV pair can be
made optional.
cisco-avpair= "ip:addr-pool*first"

The following example shows how to cause a user logging in from a network access server to have
immediate access to EXEC commands:
cisco-avpair= "shell:priv-lvl=15"
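The three cisco-avpair strings above are what the RADIUS server stores; what actually crosses the wire is RADIUS attribute 26 carrying Cisco's vendor-ID 9 and vendor-type 1 around that string, and what a reviewer of a user profile cares about is which pairs are mandatory and which grant privilege. The following is an added example, not code from the guide or from Cisco IOS: it parses the "protocol:attribute sep value" format described above, encodes and decodes the attribute 26 framing in the layout given by RFC 2865 (type, length, 4-byte vendor-ID, then vendor-type, vendor-length and the string), and flags the pair that grants immediate privileged EXEC access. The framing layout is taken from RFC 2865, not from this page.

```python
import struct
from dataclasses import dataclass

ATTR_VENDOR_SPECIFIC = 26   # RADIUS IETF attribute 26
CISCO_VENDOR_ID = 9         # Cisco's vendor-ID, as stated in the text
CISCO_AVPAIR_TYPE = 1       # vendor-type 1 is "cisco-avpair"


@dataclass(frozen=True)
class CiscoAVPair:
    protocol: str
    attribute: str
    value: str
    mandatory: bool        # "=" separator; "*" marks the pair optional

    def __str__(self) -> str:
        return f"{self.protocol}:{self.attribute}{'=' if self.mandatory else '*'}{self.value}"


def parse_cisco_avpair(text: str) -> CiscoAVPair:
    """Parse 'protocol:attribute=value' (mandatory) or 'protocol:attribute*value' (optional)."""
    protocol, _, rest = text.partition(":")
    protocol, rest = protocol.strip(), rest.strip()
    if not protocol or not rest:
        raise ValueError(f"malformed cisco-avpair: {text!r}")
    # The separator is whichever of '=' or '*' appears first after the protocol.
    positions = [i for i in (rest.find("="), rest.find("*")) if i >= 0]
    if not positions:
        raise ValueError(f"no '=' or '*' separator in cisco-avpair: {text!r}")
    sep_pos = min(positions)
    attribute, value = rest[:sep_pos], rest[sep_pos + 1:]
    if not attribute:
        raise ValueError(f"empty attribute name in cisco-avpair: {text!r}")
    return CiscoAVPair(protocol, attribute, value, mandatory=rest[sep_pos] == "=")


def encode_vsa(pair: CiscoAVPair) -> bytes:
    """Wrap the pair in RADIUS attribute 26 (RFC 2865 section 5.26 layout)."""
    payload = str(pair).encode("ascii")
    vendor_data = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(payload)) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    if 2 + len(body) > 255:                       # attribute Length is a single byte
        raise ValueError("cisco-avpair too long for one RADIUS attribute")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(data: bytes) -> CiscoAVPair:
    """Strict inverse of encode_vsa: every length field is checked before use."""
    if len(data) < 8 or data[0] != ATTR_VENDOR_SPECIFIC or data[1] != len(data):
        raise ValueError("not a well-formed vendor-specific attribute")
    vendor_id = struct.unpack("!I", data[2:6])[0]
    if vendor_id != CISCO_VENDOR_ID:
        raise ValueError(f"vendor-ID {vendor_id} is not Cisco (9)")
    vendor_type, vendor_len = data[6], data[7]
    if vendor_type != CISCO_AVPAIR_TYPE or vendor_len != len(data) - 6:
        raise ValueError("not a cisco-avpair sub-attribute")
    return parse_cisco_avpair(data[8:8 + vendor_len - 2].decode("ascii"))


def is_privileged_exec(pair: CiscoAVPair) -> bool:
    """True for the pair that gives immediate access to all EXEC commands (shell:priv-lvl=15)."""
    return (pair.protocol == "shell" and pair.attribute == "priv-lvl"
            and pair.value.isdigit() and int(pair.value) == 15)


if __name__ == "__main__":
    for text in ("ip:addr-pool=first", "ip:addr-pool*first", "shell:priv-lvl=15"):
        pair = parse_cisco_avpair(text)
        raw = encode_vsa(pair)
        print(f"{text:22} mandatory={pair.mandatory!s:5} priv15={is_privileged_exec(pair)!s:5} "
              f"attr26={raw.hex()}")
        assert decode_vsa(raw) == pair
```

Running it over the pairs a RADIUS server returns in an ACCEPT is a cheap audit: anything for which is_privileged_exec is true is an administrative grant and should only appear in profiles meant for administrators.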

Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information
about vendor-IDs and VSAs, refer to RFC 2138, Remote Authentication Dial-In User Service
(RADIUS).
To configure the network access server to recognize and use VSAs, use the following command in global
configuration mode:

Command: Router(config)# radius-server vsa send [accounting | authentication]
Purpose: Enables the network access server to recognize and use VSAs as defined by RADIUS IETF
attribute 26.

For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, refer
to the appendix “RADIUS Attributes.”

Configuring Router for Vendor-Proprietary RADIUS Server Communication


Although an Internet Engineering Task Force (IETF) draft standard for RADIUS specifies a method for
communicating vendor-proprietary information between the network access server and the RADIUS
server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software
supports a subset of vendor-proprietary RADIUS attributes.
As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you
must specify the host running the RADIUS server daemon and the secret text string it shares with the
Cisco device. You specify the RADIUS host and secret text string by using the radius-server
commands. To identify that the RADIUS server is using a vendor-proprietary implementation of
RADIUS, use the radius-server host non-standard command. Vendor-proprietary attributes will not
be supported unless you use the radius-server host non-standard command.
To specify a vendor-proprietary RADIUS server host and a shared secret text string, use the following
commands in global configuration mode:

Step 1 Command: Router(config)# radius-server host {hostname | ip-address} non-standard
Purpose: Specifies the IP address or host name of the remote RADIUS server host and identifies that it
is using a vendor-proprietary implementation of RADIUS.

Step 2 Command: Router(config)# radius-server key {0 string | 7 string | string}
Purpose: Specifies the shared secret text string used between the router and the vendor-proprietary
RADIUS server. The router and the RADIUS server use this text string to encrypt passwords and
exchange responses.

Configuring Router to Query RADIUS Server for Static Routes and IP Addresses
Some vendor-proprietary implementations of RADIUS let the user define static routes and IP pool
definitions on the RADIUS server instead of on each individual network access server in the network.
Each network access server then queries the RADIUS server for static route and IP pool information.
To have the Cisco router or access server query the RADIUS server for static routes and IP pool
definitions when the device first starts up, use the following command in global configuration mode:

Command: Router(config)# radius-server configure-nas
Purpose: Tells the Cisco router or access server to query the RADIUS server for the static routes and
IP pool definitions used throughout its domain.

Note Because the radius-server configure-nas command is performed when the Cisco router starts up, it
will not take effect until you issue a copy system:running-config nvram:startup-config command.

Configuring Router to Expand Network Access Server Port Information


There are some situations when PPP or login authentication occurs on an interface different from the
interface on which the call itself comes in. For example, in a V.120 ISDN call, login or PPP
authentication occurs on a virtual asynchronous interface “ttt” but the call itself occurs on one of the
channels of the ISDN interface.
The radius-server attribute nas-port extended command configures RADIUS to expand the size of
the NAS-Port attribute (RADIUS IETF attribute 5) field to 32 bits. The upper 16 bits of the NAS-Port
attribute display the type and number of the controlling interface; the lower 16 bits indicate the interface
undergoing authentication.
To display expanded interface information in the NAS-Port attribute field, use the following command
in global configuration mode:

Command: Router(config)# radius-server attribute nas-port format
Purpose: Expands the size of the NAS-Port attribute from 16 to 32 bits to display extended interface information.

Note This command replaces the radius-server extended-portnames command and the radius-server
attribute nas-port extended command.

On platforms with multiple interfaces (ports) per slot, the Cisco RADIUS implementation will not
provide a unique NAS-Port attribute that permits distinguishing between the interfaces. For example, if
a dual PRI interface is in slot 1, calls on both Serial1/0:1 and Serial1/1:1 will appear as
NAS-Port = 20101.
Once again, this is because of the 16-bit field size limitation associated with RADIUS IETF NAS-Port
attribute. In this case, the solution is to replace the NAS-Port attribute with a vendor-specific attribute
(RADIUS IETF attribute 26). Cisco's vendor-ID is 9, and the Cisco-NAS-Port attribute is subtype 2.

Vendor-specific attributes (VSAs) can be turned on by entering the radius-server vsa send command.
The port information in this attribute is provided and configured using the aaa nas port extended
command.
To replace the NAS-Port attribute with RADIUS IETF attribute 26 and to display extended field
information, use the following commands in global configuration mode:

Step 1
Command: Router(config)# radius-server vsa send [accounting | authentication]
Purpose: Enables the network access server to recognize and use vendor-specific attributes as defined by RADIUS IETF attribute 26.

Step 2
Command: Router(config)# aaa nas port extended
Purpose: Expands the size of the VSA NAS-Port field from 16 to 32 bits to display extended interface information.

The standard NAS-Port attribute (RADIUS IETF attribute 5) will continue to be sent. If you do not want
this information to be sent, you can suppress it by using the no radius-server attribute nas-port
command. When this command is configured, the standard NAS-Port attribute will no longer be sent.
For a complete list of RADIUS attributes, refer to the appendix “RADIUS Attributes.”
For information about configuring RADIUS port identification for PPP, see the Cisco IOS Wide-Area
Networking Configuration Guide.
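The following Python module is an added example, not code from the Cisco IOS guide: it builds the expanded 32-bit NAS-Port (controlling interface in the upper 16 bits, authenticating interface in the lower 16) and wraps it in the Cisco vendor-specific attribute (IETF attribute 26, vendor-ID 9, subtype 2) with the byte layout RFC 2865 gives for attribute 26, then decodes both attributes the way a RADIUS server would. Two constructed calls that both carry the page's NAS-Port value 20101 stay distinguishable only through the VSA. Carrying the value as a 4-byte integer in the vendor payload, and the interface numbers chosen for the sample, are assumptions.

```python
"""Added illustration of the NAS-Port discussion above; not code from the Cisco
IOS guide. Attribute framing follows RFC 2865. The 4-byte integer payload used
for Cisco-NAS-Port and the sample 16-bit interface numbers are assumptions."""
import struct

ATTR_NAS_PORT = 5           # RADIUS IETF attribute 5
ATTR_VENDOR_SPECIFIC = 26   # RADIUS IETF attribute 26
CISCO_VENDOR_ID = 9         # Cisco vendor-ID (from the page)
CISCO_NAS_PORT_SUBTYPE = 2  # Cisco-NAS-Port subtype (from the page)


def pack_extended_nas_port(controlling: int, authenticating: int) -> int:
    """32-bit expanded NAS-Port: controlling interface in the upper 16 bits,
    interface undergoing authentication in the lower 16 bits."""
    for half in (controlling, authenticating):
        if not 0 <= half <= 0xFFFF:
            raise ValueError("each half of the expanded NAS-Port must fit in 16 bits")
    return (controlling << 16) | authenticating


def unpack_extended_nas_port(value: int) -> tuple:
    """Inverse of pack_extended_nas_port."""
    return (value >> 16) & 0xFFFF, value & 0xFFFF


def encode_nas_port(value: int) -> bytes:
    """IETF attribute 5 on the wire: Type, Length, 4-byte integer."""
    return struct.pack("!BBI", ATTR_NAS_PORT, 6, value & 0xFFFFFFFF)


def encode_cisco_vsa(subtype: int, payload: bytes) -> bytes:
    """IETF attribute 26: Type, Length, Vendor-Id, Vendor-Type, Vendor-Length, data."""
    vendor = struct.pack("!IBB", CISCO_VENDOR_ID, subtype, 2 + len(payload)) + payload
    if 2 + len(vendor) > 255:
        raise ValueError("a RADIUS attribute length is a single byte")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(vendor)) + vendor


def build_nas_port_attributes(standard_nas_port: int, controlling: int, authenticating: int,
                              send_vsa: bool = True, send_standard: bool = True) -> bytes:
    """Attributes a NAS adds for one call: the standard 16-bit NAS-Port (omitted
    when 'no radius-server attribute nas-port' is configured) and, with
    'radius-server vsa send', the Cisco-NAS-Port VSA carrying the 32-bit value."""
    out = b""
    if send_standard:
        out += encode_nas_port(standard_nas_port & 0xFFFF)
    if send_vsa:
        expanded = pack_extended_nas_port(controlling, authenticating)
        out += encode_cisco_vsa(CISCO_NAS_PORT_SUBTYPE, struct.pack("!I", expanded))
    return out


def decode_attributes(data: bytes) -> list:
    """Walk a RADIUS attribute list. Plain attributes yield (type, value);
    attribute 26 yields (26, vendor_id, vendor_type, vendor_data)."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        value = data[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("vendor-specific attribute too short")
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vlen != len(value) - 4:
                raise ValueError("vendor length does not match attribute length")
            out.append((atype, vendor_id, vtype, value[6:]))
        else:
            out.append((atype, value))
        i += alen
    return out


def port_identity(attrs: bytes) -> dict:
    """What a RADIUS server can learn about the port from one request."""
    ident = {"nas_port": None, "cisco_nas_port": None}
    for item in decode_attributes(attrs):
        if item[0] == ATTR_NAS_PORT and len(item[1]) == 4:
            ident["nas_port"] = struct.unpack("!I", item[1])[0]
        elif (item[0] == ATTR_VENDOR_SPECIFIC and len(item[3]) == 4
              and item[1:3] == (CISCO_VENDOR_ID, CISCO_NAS_PORT_SUBTYPE)):
            ident["cisco_nas_port"] = unpack_extended_nas_port(struct.unpack("!I", item[3])[0])
    return ident


# Constructed sample: two calls on a dual PRI in slot 1. The page says both appear
# as NAS-Port = 20101; the 16-bit halves given to the VSA are made-up encodings.
CALL_SERIAL_1_0_1 = build_nas_port_attributes(20101, controlling=0x0100, authenticating=0x0001)
CALL_SERIAL_1_1_1 = build_nas_port_attributes(20101, controlling=0x0101, authenticating=0x0001)

if __name__ == "__main__":
    for name, attrs in (("Serial1/0:1", CALL_SERIAL_1_0_1), ("Serial1/1:1", CALL_SERIAL_1_1_1)):
        print(name, port_identity(attrs))
```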

Configuring AAA Server Groups


Configuring the router to use AAA server groups provides a way to group existing server hosts. This
allows you to select a subset of the configured server hosts and use them for a particular service. A server
group is used in conjunction with a global server-host list. The server group lists the IP addresses of the
selected server hosts.
Server groups also can include multiple host entries for the same server, as long as each entry has a
unique identifier. The combination of an IP address and a UDP port number creates a unique identifier,
allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
In other words, this unique identifier enables RADIUS requests to be sent to different UDP ports on a
server at the same IP address. If two different host entries on the same RADIUS server are configured
for the same service—for example, accounting—the second host entry configured acts as failover
backup to the first one. Using this example, if the first host entry fails to provide accounting services,
the network access server will try the second host entry configured on the same device for accounting
services. (The RADIUS host entries will be tried in the order in which they are configured.)

To define a server host with a server group name, enter the following commands in global configuration
mode. The listed server must exist in global configuration mode:

Step 1
Command: Router(config)# radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip address}]
Purpose: Specifies and defines the IP address of the server host before configuring the AAA server group. Refer to the section “Configuring Router to RADIUS Server Communication” of this chapter for more information on the radius-server host command.

Step 2
Command: Router(config-if)# aaa group server {radius | tacacs+} group-name
Purpose: Defines the AAA server group with a group name. All members of a group must be the same type; that is, RADIUS or TACACS+. This command puts the router in server group subconfiguration mode.

Step 3
Command: Router(config-sg)# server ip-address [auth-port port-number] [acct-port port-number]
Purpose: Associates a particular RADIUS server with the defined server group. Each security server is identified by its IP address and UDP port number. Repeat this step for each RADIUS server in the AAA server group.
Note Each server in the group must be defined previously using the radius-server host command.

Configuring AAA Server Groups with Deadtime


After you have configured a server host with a server name, you can use the deadtime command to
configure each server per server group. Configuring deadtime within a server group allows you to direct
AAA traffic to separate groups of servers that have different operational characteristics.
Configuring deadtime is no longer limited to a global configuration. A separate timer has been attached
to each server host in every server group. Therefore, when a server is found to be unresponsive after
numerous retransmissions and timeouts, the server is assumed to be dead. The timers attached to each
server host in all server groups are triggered. In essence, the timers are checked and subsequent requests
to a server (once it is assumed to be dead) are directed to alternate timers, if configured. When the
network access server receives a reply from the server, it checks and stops all configured timers (if
running) for that server in all server groups.
If the timer has expired, only the server to which the timer is attached is assumed to be alive. This
becomes the only server that can be tried for later AAA requests using the server groups to which the
timer belongs.

Note Since one server has different timers and may have different deadtime values configured in the server
groups, the same server may in the future have different states (dead and alive) at the same time.

Note To change the state of a server, you must start and stop all configured timers in all server groups.

The size of the server group will be slightly increased because of the addition of new timers and the
deadtime attribute. The overall impact of the structure depends on the number and size of the server
groups and how the servers are shared among server groups in a specific configuration.
To configure deadtime within a server group, use the following commands beginning in global
configuration mode:

Step 1
Command: Router(config)# aaa group server radius group1
Purpose: Defines a RADIUS type server group.

Step 2
Command: Router(config-sg)# deadtime 1
Purpose: Configures and defines the deadtime value in minutes.
Note Local server group deadtime will override the global configuration. If omitted from the local server group configuration, the value will be inherited from the master list.

Step 3
Command: Router(config-sg)# exit
Purpose: Exits server group configuration mode.

Configuring AAA DNIS Authentication


DNIS preauthentication enables preauthentication at call setup based on the number dialed. The DNIS
number is sent directly to the security server when a call is received. If authenticated by AAA, the call
is accepted.
To configure DNIS authentication, perform the following tasks in global configuration mode:

Step 1
Command: Router# config term
Purpose: Enters global configuration mode.

Step 2
Command: Router(config)# aaa preauth
Purpose: Enters AAA preauthentication mode.

Step 3
Command: Router(config-preauth)# group {radius | tacacs+ | server-group}
Purpose: (Optional) Selects the security server to use for AAA preauthentication requests. The default is RADIUS.

Step 4
Command: Router(config-preauth)# dnis [password string]
Purpose: Enables preauthentication using DNIS and optionally specifies a password to use in Access-Request packets.

Configuring AAA Server Group Selection Based on DNIS


Cisco IOS software allows you to assign a Dialed Number Identification Service (DNIS) number to a
particular AAA server group so that the server group can process authentication, authorization, and
accounting requests for users dialing in to the network using that particular DNIS. Any phone line (a
regular home phone or a commercial T1/PRI line) can be associated with several phone numbers. The
DNIS number identifies the number that was called to reach you.
For example, suppose you want to share the same phone number with several customers, but you want
to know which customer is calling before you pick up the phone. You can customize how you answer
the phone because DNIS allows you to know which customer is calling when you answer.

Cisco routers with either ISDN or internal modems can receive the DNIS number. This functionality
allows users to assign different RADIUS server groups for different customers (that is, different
RADIUS servers for different DNIS numbers). Additionally, using server groups you can specify the
same server group for AAA services or a separate server group for each AAA service.
Cisco IOS software provides the flexibility to implement authentication and accounting services in
several ways:
• Globally—AAA services are defined using global configuration access list commands and applied
in general to all interfaces on a specific network access server.
• Per Interface—AAA services are defined using interface configuration commands and applied
specifically to the interface being configured on a specific network access server.
• DNIS mapping—You can use DNIS to specify an AAA server to supply AAA services.
Because each of these AAA configuration methods can be configured simultaneously, Cisco has
established an order of precedence to determine which server or groups of servers provide AAA services.
The order of precedence is as follows:
• Per DNIS—If you configure the network access server to use DNIS to identify/determine which
server group provides AAA services, then this method takes precedence over any additional AAA
selection method.
• Per interface—If you configure the network access server per interface to use access lists to
determine how a server provides AAA services, this method takes precedence over any global
configuration AAA access lists.
• Globally—If you configure the network access server by using global AAA access lists to determine
how the security server provides AAA services, this method has the least precedence.

Note Prior to configuring AAA Server Group Selection Based on DNIS, you must configure the list of
RADIUS server hosts and configure the AAA server groups. See the sections “Configuring Router
to RADIUS Server Communication” and “Configuring AAA Server Groups” of this chapter.

To configure the router to select a particular AAA server group based on the DNIS number of a call,
configure DNIS mapping. To map a named server group to a DNIS number, use the following commands in
global configuration mode:

Step 1
Command: Router(config)# aaa dnis map enable
Purpose: Enables DNIS mapping.

Step 2
Command: Router(config)# aaa dnis map dnis-number authentication ppp group server-group-name
Purpose: Maps a DNIS number to a defined AAA server group; the servers in this server group are being used for authentication.

Step 3
Command: Router(config)# aaa dnis map dnis-number authorization network group server-group-name
Purpose: Maps a DNIS number to a defined AAA server group; the servers in this server group are being used for authorization.

Step 4
Command: Router(config)# aaa dnis map dnis-number accounting network [none | start-stop | stop-only] group server-group-name
Purpose: Maps a DNIS number to a defined AAA server group; the servers in this server group are being used for accounting.

Configuring AAA Preauthentication


Configuring AAA preauthentication with ISDN PRI or channel-associated signalling (CAS) allows
service providers to better manage ports using their existing RADIUS solutions and efficiently manage
the use of shared resources to offer differing service-level agreements. With ISDN PRI or CAS,
information about an incoming call is available to the network access server (NAS) before the call is
connected. The available call information includes the following:
• The Dialed Number Identification Service (DNIS) number, also referred to as the called number
• The Calling Line Identification (CLID) number, also referred to as the calling number
• The call type, also referred to as the bearer capability
This feature allows a Cisco NAS to decide—on the basis of the DNIS number, the CLID number, or the
call type—whether to connect an incoming call. (With ISDN PRI, it enables user authentication and
authorization before a call is answered. With CAS, the call must be answered; however, the call can be
dropped if preauthentication fails.)
When an incoming call arrives from the public network switch, but before it is connected, AAA
preauthentication enables the NAS to send the DNIS number, CLID number, and call type to a RADIUS
server for authorization. If the server authorizes the call, then the NAS accepts the call. If the server does
not authorize the call, then the NAS sends a disconnect message to the public network switch to reject
the call.
In the event that the RADIUS server application becomes unavailable or is slow to respond, a guard timer
can be set in the NAS. When the timer expires, the NAS uses a configurable parameter to accept or reject
the incoming call that has no authorization.
This feature supports the use of attribute 44 by the RADIUS server application and the use of RADIUS
attributes that are configured in the RADIUS preauthentication profiles to specify preauthentication
behavior. They may also be used, for instance, to specify whether subsequent authentication should
occur and, if so, what authentication method should be used.
The following restrictions apply to AAA preauthentication with ISDN PRI and CAS:
• Attribute 44 is available for CAS calls only when preauthentication or resource pooling is enabled.
• MMP is not available with ISDN PRI.
• AAA preauthentication is available only on the Cisco AS5300, Cisco AS5400, and Cisco AS5800
platforms.

Note Prior to configuring AAA preauthentication, you must enable the aaa new-model command and
make sure the supporting preauthentication application is running on a RADIUS server in your
network.

To configure AAA preauthentication, use the following commands beginning in global configuration
mode:

Step 1
Command: Router(config)# aaa preauth
Purpose: Enters AAA preauthentication configuration mode.

Step 2
Command: Router(config-preauth)# group server-group
Purpose: Specifies the AAA RADIUS server group to use for preauthentication.

Step 3
Command: Router(config-preauth)# clid [if-avail | required] [accept-stop] [password string]
Purpose: Preauthenticates calls on the basis of the CLID number.

Step 4
Command: Router(config-preauth)# ctype [if-avail | required] [accept-stop] [password string]
Purpose: Preauthenticates calls on the basis of the call type.

Step 5
Command: Router(config-preauth)# dnis [if-avail | required] [accept-stop] [password string]
Purpose: Preauthenticates calls on the basis of the DNIS number.

Step 6
Command: Router(config-preauth)# dnis bypass {dnis-group-name}
Purpose: Specifies a group of DNIS numbers that will be bypassed for preauthentication.

To configure DNIS preauthentication, use the following commands beginning in global configuration
mode:

Step 1
Command: Router(config)# aaa preauth
Purpose: Enters AAA preauthentication mode.

Step 2
Command: Router(config-preauth)# group {radius | tacacs+ | server-group}
Purpose: (Optional) Selects the security server to use for AAA preauthentication requests. The default is RADIUS.

Step 3
Command: Router(config-preauth)# dnis [password string]
Purpose: Enables preauthentication using DNIS and optionally specifies a password to use in Access-Request packets.

In addition to configuring preauthentication on your Cisco router, you must set up the preauthentication
profiles on the RADIUS server. For information on setting up the preauthentication profiles, see the
following sections:
• Setting Up the RADIUS Profile for DNIS or CLID Preauthentication
• Setting Up the RADIUS Profile for Call Type Preauthentication
• Setting Up the RADIUS Profile for Preauthentication Enhancements for Callback
• Setting Up the RADIUS Profile for a Remote Host Name Used for Large-Scale Dial-Out
• Setting Up the RADIUS Profile for Modem Management
• Setting Up the RADIUS Profile for Subsequent Authentication
• Setting Up the RADIUS Profile for Subsequent Authentication Type
• Setting Up the RADIUS Profile to Include the Username
• Setting Up the RADIUS Profile for Two-Way Authentication
• Setting Up the RADIUS Profile to Support Authorization

Setting Up the RADIUS Profile for DNIS or CLID Preauthentication


To set up the RADIUS preauthentication profile, use the DNIS or CLID number as the username, and use
the password defined in the dnis or clid command as the password.

Note The preauthentication profile must have “outbound” as the service type because the password is
predefined on the NAS. Setting up the preauthentication profile in this manner prevents users from
trying to log in to the NAS with the username of the DNIS number, CLID number, or call type and
an obvious password. The “outbound” service type is also included in the access-request packet sent
to the RADIUS server.

Setting Up the RADIUS Profile for Call Type Preauthentication


To set up the RADIUS preauthentication profile, use the call type string as the username, and use the
password defined in the ctype command as the password. The following table shows the call type strings
that may be used in the preauthentication profile:

Call Type String / ISDN Bearer Capabilities
digital: Unrestricted digital, restricted digital.
speech: Speech, 3.1 kHz audio, 7 kHz audio. Note This is the only call type available for CAS.
v.110: Anything with V.110 user information layer.
v.120: Anything with V.120 user information layer.

Note The preauthentication profile must have “outbound” as the service type because the password is
predefined on the NAS. Setting up the preauthentication profile in this manner prevents users from
trying to log in to the NAS with the username of the DNIS number, CLID number, or call type and
an obvious password. The “outbound” service type is also included in the access-request packet sent
to the RADIUS server and should be a check-in item if the RADIUS server supports check-in items.

Setting Up the RADIUS Profile for Preauthentication Enhancements for Callback


Callback allows remote network users such as telecommuters to dial in to the NAS without being
charged. When callback is required, the NAS hangs up the current call and dials the caller back. When
the NAS performs the callback, only information for the outgoing connection is applied. The rest of the
attributes from the preauthentication access-accept message are discarded.

Note The destination IP address is not required to be returned from the RADIUS server.

The following example shows a RADIUS profile configuration with a callback number of 555-1111 and
the service type set to outbound. The cisco-avpair = “preauth:send-name=<string>” uses the string
“andy” and the cisco-avpair = “preauth:send-secret=<string>” uses the password “cisco.”
5551111 password = "cisco", Service-Type = Outbound
Service-Type = Callback-Framed
Framed-Protocol = PPP,
Dialback-No = "5551212"
Class = "ISP12"
cisco-avpair = "preauth:send-name=andy"
cisco-avpair = "preauth:send-secret=cisco"

Setting Up the RADIUS Profile for a Remote Host Name Used for Large-Scale Dial-Out
The following example adds to the previous example by supplying the name of the remote router, for use
in large-scale dial-out; this protects against accidentally calling a valid telephone number but reaching
the wrong router:
5551111 password = "cisco", Service-Type = Outbound
Service-Type = Callback-Framed
Framed-Protocol = PPP,
Dialback-No = "5551212"
Class = "ISP12"
cisco-avpair = "preauth:send-name=andy"
cisco-avpair = "preauth:send-secret=cisco"
cisco-avpair = "preauth:remote-name=Router2"

Setting Up the RADIUS Profile for Modem Management


When DNIS, CLID, or call type preauthentication is used, the affirmative response from the RADIUS
server may include a modem string for modem management in the NAS through vendor-specific attribute
(VSA) 26. The modem management VSA has the following syntax:
cisco-avpair = "preauth:modem-service=modem min-speed <x> max-speed <y>
modulation <z> error-correction <a> compression <b>"

The modem management string within the VSA may contain the following:

Command Argument
min-speed <300 to 56000>, any
max-speed <300 to 56000>, any
modulation K56Flex, v22bis, v32bis, v34, v90, any
error-correction lapm, mnp4
compression mnp5, v42bis

When the modem management string is received from the RADIUS server in the form of a VSA, the
information is passed to the Cisco IOS software and applied on a per-call basis. Modem ISDN channel
aggregation (MICA) modems provide a control channel through which messages can be sent during the
call setup time. Hence, this modem management feature is supported only with MICA modems and
newer technologies. This feature is not supported with Microcom modems.
For more information on modem management, refer to the “Modem Configuration and Management”
chapter of the Cisco IOS Dial Technologies Configuration Guide, Release 12.2.

Setting Up the RADIUS Profile for Subsequent Authentication


If preauthentication passes, you may use vendor-proprietary RADIUS attribute 201 (Require-Auth) in
the preauthentication profile to determine whether subsequent authentication is to be performed. If
attribute 201, returned in the access-accept message, has a value of 0, then subsequent authentication
will not be performed. If attribute 201 has a value of 1, then subsequent authentication will be performed
as usual.

Attribute 201 has the following syntax:
cisco-avpair = "preauth:auth-required=<n>"

where <n> has the same value range as attribute 201 (that is, 0 or 1).
If attribute 201 is missing in the preauthentication profile, then a value of 1 is assumed, and subsequent
authentication is performed.

Note To perform subsequent authentication, you must set up a regular user profile in addition to a
preauthentication profile.

Setting Up the RADIUS Profile for Subsequent Authentication Type


If you have specified subsequent authentication in the preauthentication profile, you must also specify
the authentication types to be used for subsequent authentication. To specify the authentication types
allowed in subsequent authentication, use the following VSA:
cisco-avpair = "preauth:auth-type=<string>"

where <string> can be one of the following:

String Description
chap Requires username and password of CHAP for PPP authentication.
ms-chap Requires username and password of MS-CHAP for PPP authentication.
pap Requires username and password of PAP for PPP authentication.

To specify that multiple authentication types are allowed, you can configure more than one instance of
this VSA in the preauthentication profile. The sequence of the authentication type VSAs in the
preauthentication profile is significant because it specifies the order of authentication types to be used
in the PPP negotiation.
This VSA is a per-user attribute and replaces the authentication type list in the ppp authentication
interface command.

Note You should use this VSA only if subsequent authentication is required because it specifies the
authentication type for subsequent authentication.

Setting Up the RADIUS Profile to Include the Username


If only preauthentication is used to authenticate a call, the NAS could be missing a username when it
brings up the call. RADIUS may provide a username for the NAS to use through RADIUS attribute 1
(User-Name) or through a VSA returned in the access-accept packet. The VSA for specifying the
username has the following syntax:
cisco-avpair = "preauth:username=<string>"

If no username is specified, the DNIS number, CLID number, or call type is used, depending on the last
preauthentication command that has been configured (for example, if clid was the last preauthentication
command configured, the CLID number will be used as the username).

If subsequent authentication is used to authenticate a call, there might be two usernames: one provided
by RADIUS and one provided by the user. In this case, the username provided by the user overrides the
one contained in the RADIUS preauthentication profile; the username provided by the user is used for
both authentication and accounting.

Setting Up the RADIUS Profile for Two-Way Authentication


In the case of two-way authentication, the calling networking device will need to authenticate the NAS.
The Password Authentication Protocol (PAP) username and password or Challenge Handshake
Authentication Protocol (CHAP) username and password need not be configured locally on the NAS.
Instead, username and password can be included in the access-accept messages for preauthentication.

Note The ppp authentication command must be configured with the radius method.

To apply for PAP, do not configure the ppp pap sent-name password command on the interface. The
vendor-specific attributes (VSAs) “preauth:send-name” and “preauth:send-secret” will be used as the
PAP username and PAP password for outbound authentication.
For CHAP, “preauth:send-name” will be used not only for outbound authentication, but also for inbound
authentication. For a CHAP inbound case, the NAS will use the name defined in “preauth:send-name”
in the challenge packet to the caller networking device. For a CHAP outbound case, both
“preauth:send-name” and “preauth:send-secret” will be used in the response packet.
The following example shows a configuration that specifies two-way authentication:
5551111 password = "cisco", Service-Type = Outbound
Service-Type = Framed-User
cisco-avpair = "preauth:auth-required=1"
cisco-avpair = "preauth:auth-type=pap"
cisco-avpair = "preauth:send-name=andy"
cisco-avpair = "preauth:send-secret=cisco"
class = "<some class>"

Note Two-way authentication does not work when resource pooling is enabled.

Setting Up the RADIUS Profile to Support Authorization


If only preauthentication is configured, then subsequent authentication will be bypassed. Note that
because the username and password are not available, authorization will also be bypassed. However, you
may include authorization attributes in the preauthentication profile to apply per-user attributes and
avoid having to return subsequently to RADIUS for authorization. To initiate the authorization process,
you must also configure the aaa authorization network command on the NAS.
You may configure authorization attributes in the preauthentication profile with one exception: the
service-type attribute (attribute 6). The service-type attribute must be converted to a VSA in the
preauthentication profile. This VSA has the following syntax:
cisco-avpair = "preauth:service-type=<n>"

where <n> is one of the standard RFC 2138 values for attribute 6. For a list of possible Service-Type
values, refer to the appendix RADIUS Attributes.

Note If subsequent authentication is required, the authorization attributes in the preauthentication profile
will not be applied.
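The profile rules in the preceding sections (the outbound service type, the auth-required default of 1, ordered auth-type VSAs, the modem-management argument table and the username fallback) can be checked before a profile is loaded on the server. The checker below is an added example written against those rules, not code from the Cisco IOS guide or from any RADIUS server; it reads the profile text format used in this chapter's examples, and the sample profile embedded in it is constructed.

```python
"""Added example: a checker for Cisco-style RADIUS preauthentication profiles,
written against the rules given in this chapter (not code from the Cisco IOS
guide or any RADIUS server). The sample profile at the bottom is constructed."""

# Modem-management argument table from this page; speeds are 300 to 56000 or "any".
MODEM_ARGS = {"min-speed": None, "max-speed": None,
              "modulation": {"K56Flex", "v22bis", "v32bis", "v34", "v90", "any"},
              "error-correction": {"lapm", "mnp4"}, "compression": {"mnp5", "v42bis"}}
AUTH_TYPES = {"chap", "ms-chap", "pap"}  # preauth:auth-type values from this page
QUOTES = '"\u201c\u201d'                  # the guide prints both straight and curly quotes


def _split_item(item: str) -> tuple:
    key, _, val = item.partition("=")
    return key.strip(), val.strip().strip(QUOTES)


def parse_profile(text: str) -> dict:
    """First line: username plus comma-separated check items; each further line is
    one reply item. cisco-avpair repeats, so items are kept as ordered pairs."""
    lines = [ln.strip().rstrip(",") for ln in text.strip().splitlines() if ln.strip()]
    user, _, rest = lines[0].partition(" ")
    check = [_split_item(i) for i in rest.split(",") if "=" in i]
    reply = [_split_item(ln) for ln in lines[1:] if "=" in ln]
    return {"user": user, "check": check, "reply": reply}


def avpairs(profile: dict, name: str) -> list:
    """Values of every cisco-avpair "preauth:<name>=<value>", in profile order."""
    found = []
    for key, val in profile["reply"]:
        if key == "cisco-avpair" and val.startswith("preauth:"):
            attr, _, arg = val[len("preauth:"):].partition("=")
            if attr == name:
                found.append(arg)
    return found


def auth_required(profile: dict) -> int:
    """Attribute 201 (preauth:auth-required): 0 or 1; a missing attribute means 1."""
    vals = avpairs(profile, "auth-required")
    if not vals:
        return 1
    if vals[-1] not in ("0", "1"):
        raise ValueError("auth-required must be 0 or 1, got %r" % vals[-1])
    return int(vals[-1])


def check_modem_service(value: str) -> list:
    """Validate 'modem min-speed X max-speed Y modulation Z error-correction A compression B'."""
    tokens = value.split()
    if not tokens or tokens[0] != "modem":
        return ["modem-service string must start with 'modem'"]
    args = tokens[1:]
    if len(args) % 2:
        return ["modem-service arguments must be keyword/value pairs"]
    problems, seen = [], {}
    for kw, arg in zip(args[::2], args[1::2]):
        seen[kw] = arg
        if kw not in MODEM_ARGS:
            problems.append("unknown modem keyword %r" % kw)
        elif MODEM_ARGS[kw] is None:  # a speed: 300 to 56000, or any
            if arg != "any" and not (arg.isdigit() and 300 <= int(arg) <= 56000):
                problems.append("%s must be 300 to 56000 or 'any', got %r" % (kw, arg))
        elif arg not in MODEM_ARGS[kw]:
            problems.append("%s must be one of %s, got %r" % (kw, sorted(MODEM_ARGS[kw]), arg))
    lo, hi = seen.get("min-speed", ""), seen.get("max-speed", "")
    if lo.isdigit() and hi.isdigit() and int(lo) > int(hi):
        problems.append("min-speed exceeds max-speed")
    return problems


def check_profile(profile: dict) -> list:
    """Findings against the rules on this page; an empty list means the profile passes."""
    findings = []
    if ("Service-Type", "Outbound") not in profile["check"]:
        findings.append("check items must include Service-Type = Outbound")
    try:
        required = auth_required(profile)
    except ValueError as err:
        findings.append(str(err))
        required = 1
    types = avpairs(profile, "auth-type")
    findings += ["unknown auth-type %r" % t for t in types if t not in AUTH_TYPES]
    if required == 0 and types:
        findings.append("auth-type is only meaningful when subsequent authentication is required")
    for modem in avpairs(profile, "modem-service"):
        findings += check_modem_service(modem)
    return findings


def effective_username(profile: dict, last_preauth_cmd: str, dnis: str, clid: str, ctype: str) -> str:
    """preauth:username if returned, else the DNIS, CLID or call type selected by
    the last preauthentication command (dnis, clid or ctype) configured on the NAS."""
    names = avpairs(profile, "username")
    return names[-1] if names else {"dnis": dnis, "clid": clid, "ctype": ctype}[last_preauth_cmd]


# Constructed sample in the chapter's profile format (all values made up).
SAMPLE_PROFILE = '''
5551111 password = "cisco", Service-Type = Outbound
cisco-avpair = "preauth:auth-required=1"
cisco-avpair = "preauth:auth-type=ms-chap"
cisco-avpair = "preauth:auth-type=pap"
cisco-avpair = "preauth:modem-service=modem min-speed 9600 max-speed any modulation v90 error-correction lapm compression v42bis"
'''
```

Running `check_profile(parse_profile(SAMPLE_PROFILE))` returns an empty list; feed it a profile whose modulation or speed is outside the table and the offending argument is named in the findings.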

Configuring a Guard Timer


Because response times for preauthentication and authentication requests can vary, the guard timer
allows you to control the handling of calls. The guard timer starts when the DNIS is sent to the RADIUS
server. If the NAS does not receive a response from AAA before the guard timer expires, it accepts or
rejects the calls on the basis of the configuration of the timer.
To set a guard timer to accept or reject a call in the event that the RADIUS server fails to respond to an
authentication or preauthentication request, use one of the following commands in interface
configuration mode:

Command: Router(config-if)# isdn guard-timer milliseconds [on-expiry {accept | reject}]
Purpose: Sets an ISDN guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request.

Command: Router(control-config)# call guard-timer milliseconds [on-expiry {accept | reject}]
Purpose: Sets a CAS guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request.

Specifying RADIUS Authentication


After you have identified the RADIUS server and defined the RADIUS authentication key, you must
define method lists for RADIUS authentication. Because RADIUS authentication is facilitated through
AAA, you must enter the aaa authentication command, specifying RADIUS as the authentication
method. For more information, refer to the chapter “Configuring Authentication.”

Specifying RADIUS Authorization


AAA authorization lets you set parameters that restrict a user’s access to the network. Authorization
using RADIUS provides one method for remote access control, including one-time authorization or
authorization for each service, per-user account list and profile, user group support, and support of IP,
IPX, ARA, and Telnet. Because RADIUS authorization is facilitated through AAA, you must issue the
aaa authorization command, specifying RADIUS as the authorization method. For more information,
refer to the chapter “Configuring Authorization.”

Specifying RADIUS Accounting


The AAA accounting feature enables you to track the services users are accessing as well as the amount
of network resources they are consuming. Because RADIUS accounting is facilitated through AAA, you
must issue the aaa accounting command, specifying RADIUS as the accounting method. For more
information, refer to the chapter “Configuring Accounting.”

Configuring RADIUS Login-IP-Host


To enable the network access server to attempt more than one login host when trying to connect a dial-in
user, you can enter as many as three Login-IP-Host entries in the user’s profile on the RADIUS server.
The following example shows that three Login-IP-Host instances have been configured for the user
joeuser, and that TCP-Clear will be used for the connection:
joeuser Password = xyz
Service-Type = Login,
Login-Service = TCP-Clear,
Login-IP-Host = [Link],
Login-IP-Host = [Link],
Login-IP-Host = [Link],
Login-TCP-Port = 23

The order in which the hosts are entered is the order in which they are attempted. Use the
ip tcp synwait-time command to set the number of seconds that the network access server waits before
trying to connect to the next host on the list; the default is 30 seconds.
Your RADIUS server might permit more than three Login-IP-Host entries; however, the network access
server supports only three hosts in access-accept packets.

Configuring RADIUS Prompt


To control whether user responses to access-challenge packets are echoed to the screen, you can
configure the Prompt attribute in the user profile on the RADIUS server. This attribute is included only
in access-challenge packets. The following example shows the Prompt attribute set to No-Echo, which
prevents the user's responses from echoing:
joeuser Password = xyz
Service-Type = Login,
Login-Service = Telnet,
Prompt = No-Echo,
Login-IP-Host = [Link]

To allow user responses to echo, set the attribute to Echo. If the Prompt attribute is not included in the
user profile, responses are echoed by default.
This attribute overrides the behavior of the radius-server challenge-noecho command configured on
the access server. For example, if the access server is configured to suppress echoing, but the individual
user profile allows echoing, then the user responses are echoed.

Note To use the Prompt attribute, your RADIUS server must be configured to support access-challenge
packets.


Configuring Suffix and Password in RADIUS Access Requests


Large-scale dial-out eliminates the need to configure dialer maps on every NAS for every destination.
Instead, you can create remote site profiles that contain outgoing call attributes on the AAA server. The
profile is downloaded by the NAS when packet traffic requires a call to be placed to a remote site.
You can configure the username that is sent in the access-request message to RADIUS. By default, the
suffix "-out" is appended to the username, so the username attribute takes the form of the IP address
followed by the configured suffix.
To provide this username configuration capability for large-scale dial-out, the dialer aaa command is
implemented with the new suffix and password keywords.

Step 1  Command: Router(config)# aaa new-model
        Purpose: Enables the AAA access control model.
Step 2  Command: Router(config)# aaa route download min
        Purpose: Enables the download static route feature and sets the amount of time between
        downloads.
Step 3  Command: Router(config)# aaa authorization configuration default
        Purpose: Downloads static route configuration information from the AAA server using
        TACACS+ or RADIUS.
Step 4  Command: Router(config)# interface dialer 1
        Purpose: Defines a dialer rotary group.
Step 5  Command: Router(config-if)# dialer aaa
        Purpose: Allows a dialer to access the AAA server for dialing information.
Step 6  Command: Router(config-if)# dialer aaa suffix suffix password password
        Purpose: Allows a dialer to access the AAA server for dialing information and specifies a
        suffix and nondefault password for authentication.

Monitoring and Maintaining RADIUS


To monitor and maintain RADIUS, use the following commands in privileged EXEC mode:

Command: Router# debug radius
Purpose: Displays information associated with RADIUS.
Command: Router# show radius statistics
Purpose: Displays the RADIUS statistics for accounting and authentication packets.

RADIUS Attributes
The network access server monitors the RADIUS authorization and accounting functions defined by
RADIUS attributes in each user profile. For a list of supported RADIUS attributes, refer to the appendix
"RADIUS Attributes."
This section contains the following subsections:
• Vendor-Proprietary RADIUS Attributes
• RADIUS Tunnel Attributes


Vendor-Proprietary RADIUS Attributes


An Internet Engineering Task Force (IETF) draft standard for RADIUS specifies a method for
communicating vendor-proprietary information between the network access server and the RADIUS
server. Some vendors, nevertheless, have extended the RADIUS attribute set in a unique way. Cisco IOS
software supports a subset of vendor-proprietary RADIUS attributes. For a list of supported
vendor-proprietary RADIUS attributes, refer to the appendix “RADIUS Attributes.”

RADIUS Tunnel Attributes


RADIUS is a security server authentication, authorization, and accounting (AAA) protocol originally
developed by Livingston, Inc. RADIUS uses attribute value (AV) pairs to communicate information
between the security server and the network access server. RFC 2138 and RFC 2139 describe the basic
functionality of RADIUS and the original set of Internet Engineering Task Force (IETF)-standard AV
pairs used to send AAA information. Two draft IETF standards, “RADIUS Attributes for Tunnel
Protocol Support” and “RADIUS Accounting Modifications for Tunnel Protocol Support,” extend the
IETF-defined set of AV pairs to include attributes specific to virtual private networks (VPNs); these
attributes are used to carry the tunneling information between the RADIUS server and the
tunnel initiator. RFC 2865 and RFC 2868 extend the IETF-defined set of AV pairs to include attributes
specific to compulsory tunneling in VPNs by allowing the user to specify authentication names for the
network access server and the RADIUS server.
Cisco routers and access servers now support new RADIUS IETF-standard VPDN tunnel attributes.
These new RADIUS IETF-standard attributes are listed in the “RADIUS Attributes” appendix. Refer to
the following three configuration examples later in this chapter:
• RADIUS User Profile with RADIUS Tunneling Attributes Example
• L2TP Access Concentrator Examples
• L2TP Network Server Examples
For more information about L2F, L2TP, VPN, or VPDN, refer to the Cisco IOS Dial Technologies
Configuration Guide, Release 12.2.

RADIUS Configuration Examples


The following sections provide RADIUS configuration examples:
• RADIUS Authentication and Authorization Example
• RADIUS Authentication, Authorization, and Accounting Example
• Vendor-Proprietary RADIUS Configuration Example
• RADIUS Server with Server-Specific Values Example
• Multiple RADIUS Servers with Global and Server-Specific Values Example
• Multiple RADIUS Server Entries for the Same Server IP Address Example
• RADIUS Server Group Examples
• Multiple RADIUS Server Entries Using AAA Server Groups Example
• AAA Server Group Selection Based on DNIS Example
• AAA Preauthentication Examples

• RADIUS User Profile with RADIUS Tunneling Attributes Example
• Guard Timer Examples
• L2TP Access Concentrator Examples
• L2TP Network Server Examples

RADIUS Authentication and Authorization Example


The following example shows how to configure the router to authenticate and authorize using RADIUS:
aaa authentication login use-radius group radius local
aaa authentication ppp user-radius if-needed group radius
aaa authorization exec default group radius
aaa authorization network default group radius

The lines in this sample RADIUS authentication and authorization configuration are defined as follows:
• The aaa authentication login use-radius group radius local command configures the router to use
RADIUS for authentication at the login prompt. If RADIUS returns an error, the user is
authenticated using the local database. In this example, use-radius is the name of the method list,
which specifies RADIUS and then local authentication.
• The aaa authentication ppp user-radius if-needed group radius command configures the
Cisco IOS software to use RADIUS authentication for lines using PPP with CHAP or PAP if the
user has not already been authorized. If the EXEC facility has authenticated the user, RADIUS
authentication is not performed. In this example, user-radius is the name of the method list defining
RADIUS as the if-needed authentication method.
• The aaa authorization exec default group radius command sets the RADIUS information that is
used for EXEC authorization, autocommands, and access lists.
• The aaa authorization network default group radius command sets RADIUS for network
authorization, address assignment, and access lists.

RADIUS Authentication, Authorization, and Accounting Example


The following example shows a general configuration using RADIUS with the AAA command set:
radius-server host [Link]
radius-server key myRaDiUSpassWoRd
username root password ALongPassword
aaa authentication ppp dialins group radius local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius
aaa authentication login admins local
aaa authorization exec default local
line 1 16
autoselect ppp
autoselect during-login
login authentication admins
modem ri-is-cd
interface group-async 1
encaps ppp
ppp authentication pap dialins


The lines in this example RADIUS authentication, authorization, and accounting configuration are
defined as follows:
• The radius-server host command defines the IP address of the RADIUS server host.
• The radius-server key command defines the shared secret text string between the network access
server and the RADIUS server host.
• The aaa authentication ppp dialins group radius local command defines the authentication
method list “dialins,” which specifies that RADIUS authentication and then (if the RADIUS server
does not respond) local authentication will be used on serial lines using PPP.
• The ppp authentication pap dialins command applies the “dialins” method list to the lines
specified.
• The aaa authorization network default group radius local command is used to assign an address
and other network parameters to the RADIUS user.
• The aaa accounting network default start-stop group radius command tracks PPP usage.
• The aaa authentication login admins local command defines another method list, “admins,” for
login authentication.
• The login authentication admins command applies the “admins” method list for login
authentication.

Vendor-Proprietary RADIUS Configuration Example


The following example shows a general configuration using vendor-proprietary RADIUS with the AAA
command set:
radius-server host alcatraz non-standard
radius-server key myRaDiUSpassWoRd
radius-server configure-nas
username root password ALongPassword
aaa authentication ppp dialins group radius local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius
aaa authentication login admins local
aaa authorization exec default local
line 1 16
autoselect ppp
autoselect during-login
login authentication admins
modem ri-is-cd
interface group-async 1
encaps ppp
ppp authentication pap dialins

The lines in this example RADIUS authentication, authorization, and accounting configuration are
defined as follows:
• The radius-server host non-standard command defines the name of the RADIUS server host and
identifies that this RADIUS host uses a vendor-proprietary version of RADIUS.
• The radius-server key command defines the shared secret text string between the network access
server and the RADIUS server host.
• The radius-server configure-nas command defines that the Cisco router or access server will query
the RADIUS server for static routes and IP pool definitions when the device first starts up.


• The aaa authentication ppp dialins group radius local command defines the authentication
method list “dialins,” which specifies that RADIUS authentication, and then (if the RADIUS server
does not respond) local authentication will be used on serial lines using PPP.
• The ppp authentication pap dialins command applies the “dialins” method list to the lines
specified.
• The aaa authorization network default group radius local command is used to assign an address
and other network parameters to the RADIUS user.
• The aaa accounting network default start-stop group radius command tracks PPP usage.
• The aaa authentication login admins local command defines another method list, “admins,” for
login authentication.
• The login authentication admins command applies the “admins” method list for login
authentication.

RADIUS Server with Server-Specific Values Example


The following example shows how to configure server-specific timeout, retransmit, and key values for
the RADIUS server with IP address [Link]:
radius-server host [Link] timeout 6 retransmit 5 key rad123

Multiple RADIUS Servers with Global and Server-Specific Values Example


The following example shows how to configure two RADIUS servers with specific timeout, retransmit,
and key values. In this example, the aaa new-model command enables AAA services on the router,
while specific AAA commands define the AAA services. The radius-server retransmit command
changes the global retransmission value to 4 for all RADIUS servers. The radius-server host command
configures specific timeout, retransmission, and key values for the RADIUS server hosts with IP
addresses [Link] and [Link].
! Enable AAA services on the router and define those services.
aaa new-model
aaa authentication login default group radius
aaa authentication login console-login none
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
enable password tryit1
!
! Change the global retransmission value for all RADIUS servers.
radius-server retransmit 4
!
! Configure per-server specific timeout, retransmission, and key values.
! Change the default auth-port and acct-port values.
radius-server host [Link] auth-port 1612 acct-port 1616 timeout 3 retransmit 3 key radkey
!
! Configure per-server specific timeout and key values. This server uses the global
! retransmission value.
radius-server host [Link] timeout 6 key rad123


Multiple RADIUS Server Entries for the Same Server IP Address Example
The following example shows how to configure the network access server to recognize several RADIUS
host entries with the same IP address. Two different host entries on the same RADIUS server are
configured for the same services—authentication and accounting. The second host entry configured acts
as fail-over backup to the first one. (The RADIUS host entries will be tried in the order they are
configured.)
! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default group radius
! The next set of commands configures multiple host entries for the same IP address.
radius-server host [Link] auth-port 1000 acct-port 1001
radius-server host [Link] auth-port 2000 acct-port 2000

RADIUS Server Group Examples


The following example shows how to create server group radgroup1 with three different RADIUS server
members, each using the default authentication port (1645) and accounting port (1646):
aaa group server radius radgroup1
server [Link]
server [Link]
server [Link]

The following example shows how to create server group radgroup2 with three RADIUS server
members, each with the same IP address but with unique authentication and accounting ports:
aaa group server radius radgroup2
server [Link] auth-port 1000 acct-port 1001
server [Link] auth-port 2000 acct-port 2001
server [Link] auth-port 3000 acct-port 3001

Multiple RADIUS Server Entries Using AAA Server Groups Example


The following example shows how to configure the network access server to recognize two different
RADIUS server groups. One of these groups, group1, has two different host entries on the same
RADIUS server configured for the same services. The second host entry configured acts as failover
backup to the first one. Each group is individually configured for deadtime; the deadtime for group1 is one
minute, and the deadtime for group2 is two minutes.

Note In cases where both global commands and server commands are used, the server command will take
precedence over the global command.

! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default group group1
! The following commands define the group1 RADIUS server group, associate servers
! with it, and configure a deadtime of one minute.
aaa group server radius group1
server [Link] auth-port 1645 acct-port 1646
server [Link] auth-port 2000 acct-port 2001
deadtime 1


! The following commands define the group2 RADIUS server group, associate servers
! with it, and configure a deadtime of two minutes.
aaa group server radius group2
server [Link] auth-port 2000 acct-port 2001
server [Link] auth-port 1645 acct-port 1646
deadtime 2
! The following set of commands configures the RADIUS attributes for each host entry
! associated with one of the defined server groups.
radius-server host [Link] auth-port 1645 acct-port 1646
radius-server host [Link] auth-port 2000 acct-port 2001
radius-server host [Link] auth-port 1645 acct-port 1646
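
The precedence rules in the last two examples (server-specific values on a radius-server host line win over the global radius-server commands, a group deadtime wins over the global deadtime, and host entries are told apart by address plus ports) are easy to misread in a large configuration. The following Python is an added example, not code from the Cisco guide: it parses IOS-style lines and prints the settings each group member actually ends up with. The addresses and keys are constructed, and the timeout, retransmit and deadtime defaults it assumes (5 seconds, 3, 0) are my assumption for IOS 12.2, while the port defaults are the ones the guide states.

```python
"""Resolve the effective RADIUS settings of each server-group member (added
example, not from the Cisco guide; see the lead-in for the precedence rules)."""

# auth-port/acct-port defaults are the ones the guide states; the timeout,
# retransmit and deadtime defaults are my assumption for IOS 12.2.
DEFAULTS = {"auth_port": 1645, "acct_port": 1646,
            "timeout": 5, "retransmit": 3, "deadtime": 0, "key": None}
GLOBAL_KEYS = ("timeout", "retransmit", "deadtime", "key")


def _keywords(tokens):
    """'auth-port 1000 timeout 3 key rad123' -> {'auth_port': 1000, ...}."""
    out = {}
    for i in range(0, len(tokens) - 1, 2):
        name, value = tokens[i].replace("-", "_"), tokens[i + 1]
        out[name] = value if name == "key" else int(value)
    return out


def _ident(address, kw):
    """A host entry is identified by (address, auth-port, acct-port)."""
    return (address, kw.pop("auth_port", DEFAULTS["auth_port"]),
            kw.pop("acct_port", DEFAULTS["acct_port"]))


def parse_config(text):
    """Return (global settings, per-host overrides keyed by ident, groups by name)."""
    glob, hosts, groups = {}, {}, {}
    group = None  # the aaa group server block currently being read
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if group is not None and tok[0] not in ("server", "deadtime"):
            group = None  # any other command leaves the server-group sub-mode
        if tok[:2] == ["radius-server", "host"]:
            kw = _keywords(tok[3:])
            hosts[_ident(tok[2], kw)] = kw  # whatever remains is server-specific
        elif tok[0] == "radius-server" and tok[1] in GLOBAL_KEYS:
            glob[tok[1]] = tok[2] if tok[1] == "key" else int(tok[2])
        elif tok[:4] == ["aaa", "group", "server", "radius"]:
            group = groups.setdefault(tok[4], {"members": [], "deadtime": None})
        elif group is not None and tok[0] == "server":
            group["members"].append(_ident(tok[1], _keywords(tok[2:])))
        elif group is not None and tok[0] == "deadtime":
            group["deadtime"] = int(tok[1])
    return glob, hosts, groups


def effective(glob, hosts, groups, name):
    """Members of group `name`, in configured order, with their resolved settings."""
    group = groups[name]
    result = []
    for ident in group["members"]:
        host = hosts.get(ident)
        if host is None:  # the group names a host entry that was never defined
            raise ValueError(f"group {name}: no radius-server host for {ident}")
        settings = {k: host.get(k, glob.get(k, DEFAULTS[k]))
                    for k in ("timeout", "retransmit", "key")}
        settings["deadtime"] = (group["deadtime"] if group["deadtime"] is not None
                                else glob.get("deadtime", DEFAULTS["deadtime"]))
        result.append((ident, settings))
    return result


def missing_keys(glob, hosts):
    """Host entries left with no shared secret, neither per-host nor global."""
    return sorted(i for i, h in hosts.items()
                  if h.get("key", glob.get("key")) is None)


# Constructed configuration (documentation-range addresses, made-up keys).
CONFIG = """\
aaa new-model
radius-server retransmit 4
radius-server deadtime 1
radius-server host 192.0.2.10 auth-port 1612 acct-port 1616 timeout 3 retransmit 3 key radkey
radius-server host 192.0.2.10 auth-port 2000 acct-port 2001 key radkey
radius-server host 192.0.2.20 timeout 6 key rad123
radius-server host 192.0.2.30
aaa group server radius group1
 server 192.0.2.10 auth-port 1612 acct-port 1616
 server 192.0.2.10 auth-port 2000 acct-port 2001
 deadtime 2
aaa group server radius group2
 server 192.0.2.20
 server 192.0.2.30
"""

if __name__ == "__main__":
    g, h, grp = parse_config(CONFIG)
    for name in grp:
        for ident, settings in effective(g, h, grp, name):
            print(name, ident, settings)
    print("no shared secret:", missing_keys(g, h))
```

The last line is the check worth automating: a host entry that inherits neither a per-host nor a global key cannot authenticate its RADIUS exchanges at all.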

AAA Server Group Selection Based on DNIS Example


The following example shows how to select RADIUS server groups based on DNIS to provide specific
AAA services:
! This command enables AAA.
aaa new-model
!
! The following set of commands configures the RADIUS attributes for each server
! that will be associated with one of the defined server groups.
radius-server host [Link] auth-port 1645 acct-port 1646 key cisco1
radius-server host [Link] auth-port 1645 acct-port 1646 key cisco2
radius-server host [Link] auth-port 1645 acct-port 1646 key cisco3
radius-server host [Link] auth-port 1645 acct-port 1646 key cisco4
radius-server host [Link] auth-port 1645 acct-port 1646 key cisco5

! The following commands define the sg1 RADIUS server group and associate servers
! with it.
aaa group server radius sg1
server [Link]
server [Link]
! The following commands define the sg2 RADIUS server group and associate a server
! with it.
aaa group server radius sg2
server [Link]
! The following commands define the sg3 RADIUS server group and associate a server
! with it.
aaa group server radius sg3
server [Link]
! The following commands define the default-group RADIUS server group and associate
! a server with it.
aaa group server radius default-group
server [Link]
!
! The next set of commands configures default-group RADIUS server group parameters.
aaa authentication ppp default group default-group
aaa accounting network default start-stop group default-group
!


! The next set of commands enables DNIS mapping and maps DNIS numbers to the defined
! RADIUS server groups. In this configuration, all PPP connection requests using
! DNIS 7777 are sent to the sg1 server group. The accounting records for these
! connections (specifically, start-stop records) are handled by the sg2 server group.
! Calls with a DNIS of 8888 use server group sg3 for authentication and server group
! default-group for accounting. Calls with a DNIS of 9999 use server group
! default-group for authentication and server group sg3 for accounting records
! (stop records only). All other calls, with a DNIS other than the ones defined, use the
! server group default-group for both authentication and start-stop accounting records.
aaa dnis map enable
aaa dnis map 7777 authentication ppp group sg1
aaa dnis map 7777 accounting network start-stop group sg2
aaa dnis map 8888 authentication ppp group sg3
aaa dnis map 9999 accounting network stop-only group sg3
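
To check a mapping like this without loading it on a NAS, the following Python is an added example (not from the Cisco guide) that resolves the server groups for a DNIS from the aaa dnis map lines and also lists groups that are referenced but never defined, the kind of typo that silently breaks calls. The configuration it parses is constructed to mirror the one above with one deliberately broken mapping, and it assumes the maps take effect only once aaa dnis map enable is present, as the comments above describe.

```python
"""Resolve which RADIUS server group serves a call under aaa dnis map (added
example, not from the Cisco guide)."""
import re

DNIS_AUTH = re.compile(r"^aaa dnis map (\d+) authentication (\S+) group (\S+)$")
DNIS_ACCT = re.compile(
    r"^aaa dnis map (\d+) accounting (\S+) (start-stop|stop-only) group (\S+)$")
DEF_AUTH = re.compile(r"^aaa authentication (\S+) default group (\S+)$")
DEF_ACCT = re.compile(r"^aaa accounting (\S+) default (start-stop|stop-only) group (\S+)$")
GROUP_DEF = re.compile(r"^aaa group server radius (\S+)$")


def parse_policy(text):
    """Collect DNIS mappings, default method lists and defined group names."""
    pol = {"enabled": False, "auth": {}, "acct": {}, "def_auth": {},
           "def_acct": {}, "groups": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "aaa dnis map enable":
            pol["enabled"] = True
        elif m := DNIS_AUTH.match(line):
            pol["auth"][(m[1], m[2])] = m[3]
        elif m := DNIS_ACCT.match(line):
            pol["acct"][(m[1], m[2])] = (m[4], m[3])  # (group, record type)
        elif m := DEF_AUTH.match(line):
            pol["def_auth"][m[1]] = m[2]
        elif m := DEF_ACCT.match(line):
            pol["def_acct"][m[1]] = (m[3], m[2])
        elif m := GROUP_DEF.match(line):
            pol["groups"].add(m[1])
    return pol


def resolve(pol, dnis, auth_type="ppp", acct_type="network"):
    """Groups used for a call with this DNIS. The maps are honoured only once
    'aaa dnis map enable' is present (assumption drawn from the guide's
    comments); otherwise the default method lists alone decide."""
    auth = pol["def_auth"].get(auth_type)
    acct = pol["def_acct"].get(acct_type)
    if pol["enabled"]:
        auth = pol["auth"].get((dnis, auth_type), auth)
        acct = pol["acct"].get((dnis, acct_type), acct)
    return {"auth_group": auth,
            "acct_group": acct[0] if acct else None,
            "acct_records": acct[1] if acct else None}


def undefined_groups(pol):
    """Group names referenced by a map or a default list but never defined."""
    used = set(pol["auth"].values()) | set(pol["def_auth"].values())
    used |= {g for g, _ in pol["acct"].values()}
    used |= {g for g, _ in pol["def_acct"].values()}
    return sorted(used - pol["groups"])


# Constructed configuration mirroring the guide's DNIS example, plus one
# mapping (DNIS 6666) to a group name that is never defined.
CONFIG = """\
aaa new-model
aaa group server radius sg1
aaa group server radius sg2
aaa group server radius sg3
aaa group server radius default-group
aaa authentication ppp default group default-group
aaa accounting network default start-stop group default-group
aaa dnis map enable
aaa dnis map 7777 authentication ppp group sg1
aaa dnis map 7777 accounting network start-stop group sg2
aaa dnis map 8888 authentication ppp group sg3
aaa dnis map 9999 accounting network stop-only group sg3
aaa dnis map 6666 authentication ppp group sg-4
"""

if __name__ == "__main__":
    pol = parse_policy(CONFIG)
    for dnis in ("7777", "8888", "9999", "5555"):
        print(dnis, resolve(pol, dnis))
    print("undefined groups:", undefined_groups(pol))
```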

AAA Preauthentication Examples


The following example shows a simple configuration that specifies that the DNIS number be used for
preauthentication:
aaa preauth
group radius
dnis required

The following example shows a configuration that specifies that both the DNIS number and the CLID
number be used for preauthentication. DNIS preauthentication will be performed first, followed by
CLID preauthentication.
aaa preauth
group radius
dnis required
clid required

The following example specifies that preauthentication be performed on all DNIS numbers except the
two DNIS numbers specified in the DNIS group called “hawaii”:
aaa preauth
group radius
dnis required
dnis bypass hawaii

dialer dnis group hawaii
number 12345
number 12346

The following example shows a sample AAA configuration with DNIS preauthentication:
aaa new-model
aaa authentication login CONSOLE none
aaa authentication login RADIUS_LIST group radius
aaa authentication login TAC_PLUS group tacacs+ enable
aaa authentication login V.120 none
aaa authentication enable default enable group tacacs+
aaa authentication ppp RADIUS_LIST if-needed group radius
aaa authorization exec RADIUS_LIST group radius if-authenticated
aaa authorization exec V.120 none
aaa authorization network default group radius if-authenticated
aaa authorization network RADIUS_LIST if-authenticated group radius
aaa authorization network V.120 group radius if-authenticated
aaa accounting suppress null-username
aaa accounting exec default start-stop group radius
aaa accounting commands 0 default start-stop group radius

aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting system default start-stop group radius
aaa preauth
dnis password Cisco-DNIS
aaa nas port extended
!
radius-server configure-nas
radius-server host [Link] auth-port 1645 acct-port 1646 non-standard
radius-server host [Link] auth-port 1645 acct-port 1646 non-standard
radius-server retransmit 2
radius-server deadtime 1
radius-server attribute nas-port format c
radius-server unique-ident 18
radius-server key MyKey

Note To configure preauthentication, you must also set up preauthentication profiles on the RADIUS
server.

RADIUS User Profile with RADIUS Tunneling Attributes Example


The following example shows a RADIUS user profile (Merit Daemon format) that includes RADIUS
tunneling attributes. This entry supports two tunnels, one for L2F and the other for L2TP. The tag entries
with :1 support L2F tunnels, and the tag entries with :2 support L2TP tunnels.
[Link] Password = "cisco",
Service-Type = Outbound,
Tunnel-Type = :1:L2F,
Tunnel-Medium-Type = :1:IP,
Tunnel-Client-Endpoint = :1:"[Link]",
Tunnel-Server-Endpoint = :1:"[Link]",
Tunnel-Client-Auth-Id = :1:"l2f-cli-auth-id",
Tunnel-Server-Auth-Id = :1:"l2f-svr-auth-id",
Tunnel-Assignment-Id = :1:"l2f-assignment-id",
Cisco-Avpair = "vpdn:nas-password=l2f-cli-pass",
Cisco-Avpair = "vpdn:gw-password=l2f-svr-pass",
Tunnel-Preference = :1:1,
Tunnel-Type = :2:L2TP,
Tunnel-Medium-Type = :2:IP,
Tunnel-Client-Endpoint = :2:"[Link]",
Tunnel-Server-Endpoint = :2:"[Link]",
Tunnel-Client-Auth-Id = :2:"l2tp-cli-auth-id",
Tunnel-Server-Auth-Id = :2:"l2tp-svr-auth-id",
Tunnel-Assignment-Id = :2:"l2tp-assignment-id",
Cisco-Avpair = "vpdn:l2tp-tunnel-password=l2tp-tnl-pass",
Tunnel-Preference = :2:2
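
The Login-IP-Host, Prompt and tunnel-attribute profiles in this chapter all use the same Merit daemon layout, with tagged values such as :1:L2F tying attributes to one tunnel. The following Python is an added example, not code from the Cisco guide: it parses that layout, groups the tunnel attributes per tag in Tunnel-Preference order, and flags the conditions the guide describes (more than three Login-IP-Host entries, an invalid Prompt value, a Prompt attribute overriding radius-server challenge-noecho, and a tunnel tag missing attributes a tunnel initiator needs). The usernames, addresses, the four-host profile and the incomplete L2TP tag are constructed.

```python
"""Parse and sanity-check RADIUS user profiles in the Merit daemon format
(added example, not from the Cisco guide)."""
import re

ITEM = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*,?\s*$')
TAGGED = re.compile(r'^:(\d+):(.*)$')
MAX_LOGIN_HOSTS = 3  # the NAS honours at most three Login-IP-Host entries
TUNNEL_REQUIRED = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Server-Endpoint")


def _item(text):
    """'Tunnel-Type = :1:L2F,' -> ('Tunnel-Type', 1, 'L2F'); untagged values get tag None."""
    m = ITEM.match(text)
    if not m:
        raise ValueError(f"malformed attribute: {text!r}")
    name, value, tag = m.group(1), m.group(2), None
    t = TAGGED.match(value)
    if t:
        tag, value = int(t.group(1)), t.group(2)
    return name, tag, value.strip('"')


def parse_profile(text):
    """Return (username, items); items is a list of (name, tag, value) in file order.
    Assumes attribute values contain no commas, which holds for the guide's profiles."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    username, _, check_items = lines[0].partition(" ")
    raw = [p for p in check_items.split(",") if p.strip()] + lines[1:]
    return username, [_item(p) for p in raw]


def tunnels(items):
    """Tagged attributes grouped per tunnel, ordered by Tunnel-Preference
    (lowest value first, the RFC 2868 preference order)."""
    groups = {}
    for name, tag, value in items:
        if tag is not None:
            groups.setdefault(tag, {})[name] = value
    by_pref = sorted(groups, key=lambda t: int(groups[t].get("Tunnel-Preference", 2**31)))
    return {t: groups[t] for t in by_pref}


def responses_echoed(items, nas_challenge_noecho=False):
    """True if the user's access-challenge responses are echoed. A Prompt attribute
    in the profile wins over radius-server challenge-noecho on the NAS; with no
    Prompt attribute the NAS setting decides, and echoing is the default."""
    prompt = next((v for n, _, v in items if n == "Prompt"), None)
    return {"Echo": True, "No-Echo": False}.get(prompt, not nas_challenge_noecho)


def check_profile(items):
    """Warnings for the conditions the guide describes."""
    warnings = []
    hosts = [v for n, _, v in items if n == "Login-IP-Host"]
    if len(hosts) > MAX_LOGIN_HOSTS:
        warnings.append(f"{len(hosts)} Login-IP-Host entries; the NAS uses only the first {MAX_LOGIN_HOSTS}")
    for n, _, v in items:
        if n == "Prompt" and v not in ("Echo", "No-Echo"):
            warnings.append(f"Prompt must be Echo or No-Echo, not {v!r}")
    for tag, attrs in tunnels(items).items():
        missing = [a for a in TUNNEL_REQUIRED if a not in attrs]
        if missing:
            warnings.append(f"tunnel tag {tag} lacks {', '.join(missing)}")
    return warnings


# Constructed profiles (documentation-range addresses); the login profile
# deliberately lists four hosts and the L2TP tag omits its server endpoint.
LOGIN_PROFILE = """\
joeuser Password = "xyz"
    Service-Type = Login,
    Login-Service = TCP-Clear,
    Prompt = No-Echo,
    Login-IP-Host = 192.0.2.11,
    Login-IP-Host = 192.0.2.12,
    Login-IP-Host = 192.0.2.13,
    Login-IP-Host = 192.0.2.14,
    Login-TCP-Port = 23
"""

TUNNEL_PROFILE = """\
example.com Password = "cisco", Service-Type = Outbound
    Tunnel-Type = :2:L2TP,
    Tunnel-Medium-Type = :2:IP,
    Tunnel-Preference = :2:2,
    Tunnel-Type = :1:L2F,
    Tunnel-Medium-Type = :1:IP,
    Tunnel-Client-Endpoint = :1:"192.0.2.1",
    Tunnel-Server-Endpoint = :1:"198.51.100.1",
    Cisco-Avpair = "vpdn:nas-password=l2f-cli-pass",
    Tunnel-Preference = :1:1
"""
```

Run check_profile on a profile before loading it on the server: the fourth Login-IP-Host and the incomplete tag are reported, while the untagged Cisco-Avpair line is kept as an ordinary item.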


Guard Timer Examples


The following example shows an ISDN guard timer that is set at 8000 milliseconds. A call will be
rejected if the RADIUS server has not responded to a preauthentication request when the timer expires.
interface serial1/0/0:23
isdn guard-timer 8000 on-expiry reject

aaa preauth
group radius
dnis required

The following example shows a CAS guard timer that is set at 20,000 milliseconds. A call will be
accepted if the RADIUS server has not responded to a preauthentication request when the timer expires.
controller T1 0
framing esf
clock source line primary
linecode b8zs
ds0-group 0 timeslots 1-24 type e&m-fgb dtmf dnis
cas-custom 0
call guard-timer 20000 on-expiry accept

aaa preauth
group radius
dnis required

L2TP Access Concentrator Examples


The following example shows a basic L2TP configuration for the L2TP access concentrator (LAC) for
the topology shown in Figure 13. Because no local name is defined, the host name is used as the local
name. Because the L2TP tunnel password is not defined, the username password is used. In this example,
VPDN is configured locally on the LAC and does not take advantage of the new RADIUS
tunnel attributes.

Figure 13 Topology for Configuration Examples
[Figure: a dial client connects through the ISP or PSTN to the LAC (DJ); an L2TP tunnel runs from the
LAC to the LNS (partner) on the corporate network.]

! Enable AAA globally.
aaa new-model
! Enable AAA authentication for PPP and list the default method to use for PPP
! authentication.
aaa authentication ppp default local
! Define the username as “DJ.”
username DJ password 7 030C5E070A00781B
! Enable VPDN.
vpdn enable
! Define VPDN group number 1.
vpdn-group 1


! Allow the LAC to respond to dialin requests using L2TP from IP address [Link]
! domain “[Link].”
request dialin
protocol l2tp
domain [Link]
initiate-ip to [Link]
local name nas-1

The following example shows how to configure the LAC if RADIUS tunnel attributes are supported. In
this example, there is no local VPDN configuration on the LAC; the LAC, instead, is configured to query
the remote RADIUS security server.
! Enable global AAA security services.
aaa new-model
! Enable AAA authentication for PPP and list RADIUS as the default method to use
! for PPP authentication.
aaa authentication ppp default group radius local
! Enable AAA (network) authorization and list RADIUS as the default method to use for
! authorization.
aaa authorization network default group radius
! Define the username as “DJ.”
username DJ password 7 030C5E070A00781B
! Enable VPDN.
vpdn enable
! Configure the LAC to interface with the remote RADIUS security server.
radius-server host [Link] auth-port 1645 acct-port 1646
radius-server key cisco

L2TP Network Server Examples


The following example shows a basic L2TP configuration with corresponding comments on the L2TP
network server (LNS) for the topology shown in Figure 13:
! Enable AAA globally.
aaa new-model
! Enable AAA authentication for PPP and list the default method to use for PPP
! authentication.
aaa authentication ppp default local
! Define the username as “partner.”
username partner password 7 030C5E070A00781B
! Create virtual-template 1 and assign all values for virtual access interfaces.
interface Virtual-Template1
! Borrow the IP address from interface Ethernet0.
ip unnumbered Ethernet0
! Disable multicast fast switching.
no ip mroute-cache
! Use CHAP to authenticate PPP.
ppp authentication chap
! Enable VPDN.
vpdn enable
! Create vpdn-group number 1.
vpdn-group 1
! Accept all dialin l2tp tunnels from virtual-template 1 from remote peer DJ.
accept dialin l2tp virtual-template 1 remote DJ
protocol any
virtual-template 1
terminate-from hostname nas1
local name hgw1


The following example shows how to configure the LNS with a basic L2F and L2TP configuration using
RADIUS tunneling attributes:
aaa new-model
aaa authentication login default none
aaa authentication login console none
aaa authentication ppp default local group radius
aaa authorization network default group radius if-authenticated
!
username l2f-cli-auth-id password 0 l2f-cli-pass
username l2f-svr-auth-id password 0 l2f-svr-pass
username l2tp-svr-auth-id password 0 l2tp-tnl-pass
!
vpdn enable
vpdn search-order domain
!
vpdn-group 1
accept-dialin
protocol l2f
virtual-template 1
terminate-from hostname l2f-cli-auth-id
local name l2f-svr-auth-id
!
vpdn-group 2
accept-dialin
protocol l2tp
virtual-template 2
terminate-from hostname l2tp-cli-auth-id
local name l2tp-svr-auth-id
!
interface Ethernet1/0
ip address [Link] [Link]
no ip route-cache
no ip mroute-cache
!
interface Virtual-Template1
ip unnumbered Ethernet1/0
ppp authentication pap
!
interface Virtual-Template2
ip unnumbered Ethernet1/0
ppp authentication pap
!
radius-server host [Link] auth-port 1645 acct-port 1646
radius-server key <deleted>
!

Configuring TACACS+

This chapter discusses how to enable and configure TACACS+, which provides detailed accounting
information and flexible administrative control over authentication and authorization processes.
TACACS+ is facilitated through AAA and can be enabled only through AAA commands.
For a complete description of the TACACS+ commands used in this chapter, refer to the chapter
“TACACS+ Commands” in the Cisco IOS Security Command Reference. To locate documentation of
other commands that appear in this chapter, use the command reference master index or search online.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on [Link] to search for information about the feature, or refer to the software
release notes for a specific release. For more information, see the section “Identifying Supported
Platforms” in the chapter “Using Cisco IOS Software.”

In This Chapter
This chapter includes the following sections:
• About TACACS+
• TACACS+ Operation
• TACACS+ Configuration Task List
• TACACS+ AV Pairs
• TACACS+ Configuration Examples

About TACACS+
TACACS+ is a security application that provides centralized validation of users attempting to gain access
to a router or network access server. TACACS+ services are maintained in a database on a TACACS+
daemon running, typically, on a UNIX or Windows NT workstation. You must have access to and must
configure a TACACS+ server before the configured TACACS+ features on your network access server
are available.
TACACS+ provides for separate and modular authentication, authorization, and accounting facilities.
TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each
service—authentication, authorization, and accounting—independently. Each service can be tied into its
own database to take advantage of other services available on that server or on the network, depending
on the capabilities of the daemon.


The goal of TACACS+ is to provide a methodology for managing multiple network access points from
a single management service. The Cisco family of access servers and routers and the Cisco IOS user
interface (for both routers and access servers) can be network access servers.
Network access points enable traditional “dumb” terminals, terminal emulators, workstations, personal
computers (PCs), and routers in conjunction with suitable adapters (for example, modems or ISDN
adapters) to communicate using protocols such as Point-to-Point Protocol (PPP), Serial Line Internet
Protocol (SLIP), Compressed SLIP (CSLIP), or AppleTalk Remote Access (ARA) protocol. In other
words, a network access server provides connections to a single user, to a network or subnetwork, and
to interconnected networks. The entities connected to the network through a network access server are
called network access clients; for example, a PC running PPP over a voice-grade circuit is a network
access client. TACACS+, administered through the AAA security services, can provide the following
services:
• Authentication—Provides complete control of authentication through login and password dialog,
challenge and response, and messaging support.
The authentication facility provides the ability to conduct an arbitrary dialog with the user
(for example, after a login and password are provided, to challenge a user with a number of
questions, like home address, mother’s maiden name, service type, and social security number). In
addition, the TACACS+ authentication service supports sending messages to user screens. For
example, a message could notify users that their passwords must be changed because of the
company’s password aging policy.
• Authorization—Provides fine-grained control over user capabilities for the duration of the user’s
session, including but not limited to setting autocommands, access control, session duration, or
protocol support. You can also enforce restrictions on what commands a user may execute with the
TACACS+ authorization feature.
• Accounting—Collects and sends information used for billing, auditing, and reporting to the
TACACS+ daemon. Network managers can use the accounting facility to track user activity for a
security audit or to provide information for user billing. Accounting records include user identities,
start and stop times, executed commands (such as PPP), number of packets, and number of bytes.
The TACACS+ protocol provides authentication between the network access server and the TACACS+
daemon, and it ensures confidentiality because all protocol exchanges between a network access server
and a TACACS+ daemon are encrypted.
You need a system running TACACS+ daemon software to use the TACACS+ functionality on your
network access server.
Cisco makes the TACACS+ protocol specification available as a draft RFC for those customers
interested in developing their own TACACS+ software.

TACACS+ Operation
When a user attempts a simple ASCII login by authenticating to a network access server using
TACACS+, the following process typically occurs:
1. When the connection is established, the network access server will contact the TACACS+ daemon
to obtain a username prompt, which is then displayed to the user. The user enters a username and
the network access server then contacts the TACACS+ daemon to obtain a password prompt. The
network access server displays the password prompt to the user, the user enters a password, and the
password is then sent to the TACACS+ daemon.

Note TACACS+ allows an arbitrary conversation to be held between the daemon and the user until the
daemon receives enough information to authenticate the user. This is usually done by prompting for
a username and password combination, but may include other items, such as mother’s maiden name,
all under the control of the TACACS+ daemon.

2. The network access server will eventually receive one of the following responses from the
TACACS+ daemon:
a. ACCEPT—The user is authenticated and service may begin. If the network access server is
configured to require authorization, authorization will begin at this time.
b. REJECT—The user has failed to authenticate. The user may be denied further access, or will
be prompted to retry the login sequence depending on the TACACS+ daemon.
c. ERROR—An error occurred at some time during authentication. This can be either at the
daemon or in the network connection between the daemon and the network access server. If an
ERROR response is received, the network access server will typically try to use an alternative
method for authenticating the user.
d. CONTINUE—The user is prompted for additional authentication information.
3. A PAP login is similar to an ASCII login, except that the username and password arrive at the
network access server in a PAP protocol packet instead of being typed in by the user, so the user is
not prompted. PPP CHAP logins are also similar in principle.
Following authentication, the user will also be required to undergo an additional authorization phase, if
authorization has been enabled on the network access server. Users must first successfully complete
TACACS+ authentication before proceeding to TACACS+ authorization.
4. If TACACS+ authorization is required, the TACACS+ daemon is again contacted and it returns an
ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response will
contain data in the form of attributes that are used to direct the EXEC or NETWORK session for
that user, determining services that the user can access.

Services include the following:
a. Telnet, rlogin, Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC
services
b. Connection parameters, including the host or client IP address, access list, and user timeouts
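The login dialog and the four daemon replies described above, as an added illustration that is not part of this guide and not Cisco IOS or TACACS+ daemon code: a Python model of the network access server side of an ASCII login against a constructed stand-in daemon. ModelDaemon, authenticate, make_user and the sample user records are assumptions of the example; the rule it exercises is that a method list such as "group tacacs+ local" falls through to local only on ERROR, never on REJECT.

```python
"""Model of the TACACS+ ASCII login exchange and of AAA method-list
evaluation. Constructed illustration, not Cisco IOS code and not the
TACACS+ wire protocol: only the daemon reply types named in the text
(ACCEPT, REJECT, ERROR, CONTINUE) are modelled."""
from enum import Enum


class Reply(Enum):
    ACCEPT = "ACCEPT"      # authenticated; service (or authorization) may begin
    REJECT = "REJECT"      # authentication failed; final for this method
    ERROR = "ERROR"        # daemon or network problem; try the next method
    CONTINUE = "CONTINUE"  # daemon wants more information from the user


class ModelDaemon:
    """Stand-in for the TACACS+ daemon (an assumption of this example).

    users maps a username to its password and to any extra challenges
    (prompt, expected answer) the daemon asks before it decides.
    """

    def __init__(self, users, reachable=True):
        self.users = users
        self.reachable = reachable

    def open(self):
        """NAS opens the session and asks the daemon for the first prompt."""
        if not self.reachable:
            return Reply.ERROR, None, None
        return Reply.CONTINUE, "Username: ", {"answers": []}

    def answer(self, session, value):
        """NAS forwards the user's answer; the daemon drives the dialog."""
        answers = session["answers"]
        answers.append(value)
        if len(answers) == 1:               # username received, ask for password
            return Reply.CONTINUE, "Password: "
        record = self.users.get(answers[0])
        if record is None or answers[1] != record["password"]:
            return Reply.REJECT, None       # unknown user or bad password
        extra = record.get("challenges", [])
        done = len(answers) - 2             # extra challenges answered so far
        if done > 0 and answers[1 + done] != extra[done - 1][1]:
            return Reply.REJECT, None       # failed an extra challenge
        if done < len(extra):
            return Reply.CONTINUE, extra[done][0]
        return Reply.ACCEPT, None


def tacacs_login(daemon, answer_fn):
    """NAS side of the ASCII login: relays prompts and answers until the
    daemon returns something other than CONTINUE."""
    reply, prompt, session = daemon.open()
    while reply is Reply.CONTINUE:
        reply, prompt = daemon.answer(session, answer_fn(prompt))
    return reply


def authenticate(method_list, daemon, local_users, answer_fn):
    """Evaluates an AAA method list such as ["group tacacs+", "local"].

    Returns (outcome, method_that_decided). Only ERROR moves evaluation
    to the next method; ACCEPT and REJECT are final.
    """
    for method in method_list:
        if method == "group tacacs+":
            reply = tacacs_login(daemon, answer_fn)
        elif method == "local":
            user = answer_fn("Username: ")
            reply = (Reply.ACCEPT if local_users.get(user) == answer_fn("Password: ")
                     else Reply.REJECT)
        else:
            raise ValueError("unsupported method " + method)
        if reply is Reply.ACCEPT:
            return "PASS", method
        if reply is Reply.REJECT:
            return "FAIL", method
    return "FAIL", None                     # every method returned ERROR


def make_user(table):
    """Constructed 'user at the terminal': answers prompts from a dict."""
    return lambda prompt: table.get(prompt, "")


# Constructed sample data.
DAEMON_USERS = {"alice": {"password": "s3cret",
                          "challenges": [("Mother's maiden name: ", "Smith")]}}
LOCAL_USERS = {"alice": "localpw"}
METHODS = ["group tacacs+", "local"]   # aaa authentication login default group tacacs+ local

if __name__ == "__main__":
    up = ModelDaemon(DAEMON_USERS)
    down = ModelDaemon(DAEMON_USERS, reachable=False)
    right = make_user({"Username: ": "alice", "Password: ": "s3cret",
                       "Mother's maiden name: ": "Smith"})
    local_only = make_user({"Username: ": "alice", "Password: ": "localpw"})
    print(authenticate(METHODS, up, LOCAL_USERS, right))         # ('PASS', 'group tacacs+')
    print(authenticate(METHODS, up, LOCAL_USERS, local_only))    # ('FAIL', 'group tacacs+')
    print(authenticate(METHODS, down, LOCAL_USERS, local_only))  # ('PASS', 'local')
```

The second call shows why the fallback is not a bypass: the local password is never consulted while the daemon is reachable, because its REJECT ends evaluation.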

TACACS+ Configuration Task List


To configure your router to support TACACS+, you must perform the following tasks:
• Use the aaa new-model global configuration command to enable AAA. AAA must be configured if
you plan to use TACACS+. For more information about using the aaa new-model command, refer
to the chapter “AAA Overview”.
• Use the tacacs-server host command to specify the IP address of one or more TACACS+ daemons.
Use the tacacs-server key command to specify an encryption key that will be used to encrypt all
exchanges between the network access server and the TACACS+ daemon. This same key must also
be configured on the TACACS+ daemon.
• Use the aaa authentication global configuration command to define method lists that use
TACACS+ for authentication. For more information about using the aaa authentication command,
refer to the chapter “Configuring Authentication”.

• Use line and interface commands to apply the defined method lists to various interfaces. For more
information, refer to the chapter “Configuring Authentication”.
• If needed, use the aaa authorization global command to configure authorization for the network
access server. Unlike authentication, which can be configured per line or per interface, authorization
is configured globally for the entire network access server. For more information about using the
aaa authorization command, refer to the “Configuring Authorization” chapter.
• If needed, use the aaa accounting command to enable accounting for TACACS+ connections. For
more information about using the aaa accounting command, refer to the “Configuring Accounting”
chapter.
To configure TACACS+, perform the tasks in the following sections:
• Identifying the TACACS+ Server Host (Required)
• Setting the TACACS+ Authentication Key (Optional)
• Configuring AAA Server Groups (Optional)
• Configuring AAA Server Group Selection Based on DNIS (Optional)
• Specifying TACACS+ Authentication (Required)
• Specifying TACACS+ Authorization (Optional)
• Specifying TACACS+ Accounting (Optional)
For TACACS+ configuration examples using the commands in this chapter, refer to the “TACACS+
Configuration Examples” section at the end of this chapter.

Identifying the TACACS+ Server Host


The tacacs-server host command enables you to specify the names of the IP host or hosts maintaining
a TACACS+ server. Because the TACACS+ software searches for the hosts in the order specified, this
feature can be useful for setting up a list of preferred daemons.
To specify a TACACS+ host, use the following command in global configuration mode:

Command Purpose

Router(config)# tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]
    Specifies a TACACS+ host.

Using the tacacs-server host command, you can also configure the following options:
• Use the single-connection keyword to specify single-connection (only valid with CiscoSecure
Release 1.0.1 or later). Rather than have the router open and close a TCP connection to the daemon
each time it must communicate, the single-connection option maintains a single open connection
between the router and the daemon. This is more efficient because it allows the daemon to handle a
higher number of TACACS operations.

Note The daemon must support single-connection mode for this to be effective, otherwise the
connection between the network access server and the daemon will lock up or you will
receive spurious errors.

• Use the port integer argument to specify the TCP port number to be used when making connections
to the TACACS+ daemon. The default port number is 49.
• Use the timeout integer argument to specify the period of time (in seconds) the router will wait for
a response from the daemon before it times out and declares an error.

Note Specifying the timeout value with the tacacs-server host command overrides the default
timeout value set with the tacacs-server timeout command for this server only.

• Use the key string argument to specify an encryption key for encrypting and decrypting all traffic
between the network access server and the TACACS+ daemon.

Note Specifying the encryption key with the tacacs-server host command overrides the
default key set by the global configuration tacacs-server key command for this server
only.

Because some of the parameters of the tacacs-server host command override global settings made by
the tacacs-server timeout and tacacs-server key commands, you can use this command to enhance
security on your network by uniquely configuring individual TACACS+ connections.

Setting the TACACS+ Authentication Key


To set the global TACACS+ authentication key and encryption key, use the following command in global
configuration mode:

Command Purpose
Router(config)# tacacs-server key key Sets the encryption key to match that used on the TACACS+ daemon.

Note You must configure the same key on the TACACS+ daemon for encryption to be successful.

Configuring AAA Server Groups


Configuring the router to use AAA server groups provides a way to group existing server hosts. This
allows you to select a subset of the configured server hosts and use them for a particular service. A server
group is used in conjunction with a global server-host list. The server group lists the IP addresses of the
selected server hosts.
Server groups can include multiple host entries as long as each entry has a unique IP address. If two
different host entries in the server group are configured for the same service—for example,
accounting—the second host entry configured acts as fail-over backup to the first one. Using this
example, if the first host entry fails to provide accounting services, the network access server will try the
second host entry for accounting services. (The TACACS+ host entries will be tried in the order in which
they are configured.)

To define a server host with a server group name, enter the following commands starting in global
configuration mode. The listed server must exist in global configuration mode:

Command Purpose

Step 1  Router(config)# tacacs-server host name [single-connection] [port integer] [timeout integer] [key string]
        Specifies and defines the IP address of the server host before configuring the AAA server-group.
        Refer to the “Identifying the TACACS+ Server Host” section of this chapter for more information
        on the tacacs-server host command.
Step 2  Router(config-if)# aaa group server {radius | tacacs+} group-name
        Defines the AAA server-group with a group name. All members of a group must be the same type;
        that is, RADIUS or TACACS+. This command puts the router in server group subconfiguration mode.
Step 3  Router(config-sg)# server ip-address [auth-port port-number] [acct-port port-number]
        Associates a particular TACACS+ server with the defined server group. Use the auth-port
        port-number option to configure a specific UDP port solely for authentication. Use the acct-port
        port-number option to configure a specific UDP port solely for accounting.
        Repeat this step for each TACACS+ server in the AAA server group.
        Note Each server in the group must be defined previously using the tacacs-server host command.

Configuring AAA Server Group Selection Based on DNIS


Cisco IOS software allows you to authenticate users to a particular AAA server group based on the
Dialed Number Identification Service (DNIS) number of the session. Any phone line (a regular home
phone or a commercial T1/PRI line) can be associated with several phone numbers. The DNIS number
identifies the number that was called to reach you.
For example, suppose you want to share the same phone number with several customers, but you want
to know which customer is calling before you pick up the phone. You can customize how you answer the
phone because DNIS allows you to know which customer is calling when you answer.
Cisco routers with either ISDN or internal modems can receive the DNIS number. This functionality
allows users to assign different TACACS+ server groups for different customers (that is, different
TACACS+ servers for different DNIS numbers). Additionally, using server groups you can specify the
same server group for AAA services or a separate server group for each AAA service.
Cisco IOS software provides the flexibility to implement authentication and accounting services in
several ways:
• Globally—AAA services are defined using global configuration access list commands and applied
in general to all interfaces on a specific network access server.
• Per interface—AAA services are defined using interface configuration commands and applied
specifically to the interface being configured on a specific network access server.
• DNIS mapping—You can use DNIS to specify an AAA server to supply AAA services.

Because AAA configuration methods can be configured simultaneously, Cisco has established an order
of precedence to determine which server or groups of servers provide AAA services. The order of
precedence is as follows:
• Per DNIS—If you configure the network access server to use DNIS to identify which server group
provides AAA services, then this method takes precedence over any additional AAA selection
method.
• Per interface—If you configure the network access server per interface to use access lists to
determine how a server provides AAA services, this method takes precedence over any global
configuration AAA access lists.
• Globally—If you configure the network access server by using global AAA access lists to determine
how the security server provides AAA services, this method has the lowest precedence.

Note Prior to configuring AAA Server Group Selection Based on DNIS, you must configure the remote
security servers associated with each AAA server group. See the sections “Identifying the TACACS+
Server Host” and “Configuring AAA Server Groups” in this chapter.

To configure the router to select a particular AAA server group based on the DNIS number of the
incoming call, configure DNIS mapping. To map a DNIS number to a server group name, use the
following commands in global configuration mode:

Command Purpose

Step 1  Router(config)# aaa dnis map enable
        Enables DNIS mapping.
Step 2  Router(config)# aaa dnis map dnis-number authentication ppp group server-group-name
        Maps a DNIS number to a defined AAA server group; the servers in this server group are being
        used for authentication.
Step 3  Router(config)# aaa dnis map dnis-number accounting network [none | start-stop | stop-only] group server-group-name
        Maps a DNIS number to a defined AAA server group; the servers in this server group are being
        used for accounting.
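The selection rules spread over the last three sections (in-order fail-over inside a server group, per-host key and timeout overriding the global tacacs-server key and tacacs-server timeout, and DNIS mapping taking precedence over the global default), as an added Python example that is not part of this guide or of Cisco IOS. parse_config, select_group, effective_servers and pick_server are assumptions of the example, it handles only the commands shown in this chapter, and the configuration and 192.0.2.x addresses it runs on are constructed.

```python
"""Resolver for the TACACS+ server-selection rules in this chapter: server
groups walked in configured order as fail-over, per-host key and timeout
overriding the global tacacs-server key and timeout commands, and a DNIS
mapping taking precedence over the global default method list. Constructed
example, not Cisco code; it parses only the IOS commands used here."""
import shlex

DEFAULT_PORT = 49      # default TACACS+ TCP port, as the chapter states
DEFAULT_TIMEOUT = 5    # Cisco IOS default tacacs-server timeout, in seconds


def parse_config(text):
    cfg = {"hosts": {}, "host_order": [], "groups": {}, "key": None,
           "timeout": DEFAULT_TIMEOUT, "dnis_enabled": False, "dnis": {}, "default": {}}
    group = None                              # open "aaa group server" block, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = shlex.split(line)
        if tok[0] == "server" and group is not None:
            if tok[1] not in cfg["hosts"]:    # chapter: host must already be defined
                raise ValueError("%s is not a tacacs-server host" % tok[1])
            cfg["groups"][group].append(tok[1])
            continue
        group = None                          # any other command closes the block
        if tok[:2] == ["tacacs-server", "host"]:
            host = {"port": DEFAULT_PORT, "timeout": None, "key": None}  # None: use global
            i = 3
            while i < len(tok):               # single-connection carries no value
                if tok[i] in ("port", "timeout", "key"):
                    host[tok[i]] = tok[i + 1] if tok[i] == "key" else int(tok[i + 1])
                    i += 1
                i += 1
            cfg["hosts"][tok[2]] = host
            cfg["host_order"].append(tok[2])
        elif tok[:2] == ["tacacs-server", "key"]:
            cfg["key"] = tok[2]
        elif tok[:2] == ["tacacs-server", "timeout"]:
            cfg["timeout"] = int(tok[2])
        elif tok[:3] == ["aaa", "group", "server"] and tok[3] in ("tacacs", "tacacs+"):
            group = tok[4]
            cfg["groups"][group] = []
        elif tok[:3] == ["aaa", "dnis", "map"]:
            if tok[3] == "enable":
                cfg["dnis_enabled"] = True
            else:                             # aaa dnis map <dnis> <service> ... group <g>
                cfg["dnis"][(tok[3], tok[4])] = tok[tok.index("group") + 1]
        elif (tok[:2] in (["aaa", "authentication"], ["aaa", "accounting"])
              and tok[3] == "default" and "group" in tok):
            cfg["default"][tok[1]] = tok[tok.index("group") + 1]
    return cfg


def select_group(cfg, service, dnis=None):
    """Chapter precedence: a DNIS mapping (when enabled) beats the global
    default. Per-interface method lists are not modelled."""
    if cfg["dnis_enabled"] and (dnis, service) in cfg["dnis"]:
        return cfg["dnis"][(dnis, service)]
    return cfg["default"].get(service)


def effective_servers(cfg, group):
    """Members in configured order with the key and timeout really in force
    (per-host overrides global); "tacacs+" means every configured host."""
    names = cfg["host_order"] if group == "tacacs+" else cfg["groups"][group]
    return [{"host": n, "port": cfg["hosts"][n]["port"],
             "timeout": cfg["hosts"][n]["timeout"] or cfg["timeout"],
             "key": cfg["hosts"][n]["key"] or cfg["key"]} for n in names]


def pick_server(cfg, service, dnis, reachable):
    """Fail-over walk: the first reachable member serves the request. None
    means the whole group is down, an ERROR to the method list, not a REJECT."""
    group = select_group(cfg, service, dnis)
    for srv in effective_servers(cfg, group) if group else []:
        if reachable(srv["host"]):
            return srv
    return None


# Constructed configuration in the shape of the chapter's DNIS example;
# 192.0.2.0/24 is the documentation address range, not real servers.
SAMPLE_CONFIG = """
tacacs-server host 192.0.2.11
tacacs-server host 192.0.2.12 timeout 10 key sg1only
tacacs-server host 192.0.2.13 port 4949
tacacs-server key abcdefg
aaa group server tacacs sg1
 server 192.0.2.11
 server 192.0.2.12
aaa group server tacacs default-group
 server 192.0.2.13
aaa authentication ppp default group default-group
aaa accounting network default start-stop group default-group
aaa dnis map enable
aaa dnis map 7777 authentication ppp group sg1
aaa dnis map 9999 accounting network stop-only group sg1
"""

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    # DNIS 7777 selects sg1; with 192.0.2.11 down the request fails over to 192.0.2.12,
    # which uses its own key and timeout rather than the global ones
    print(pick_server(cfg, "authentication", "7777", lambda h: h != "192.0.2.11"))
```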

Specifying TACACS+ Authentication


After you have identified the TACACS+ daemon and defined an associated TACACS+ encryption key,
you must define method lists for TACACS+ authentication. Because TACACS+ authentication is
operated via AAA, you need to issue the aaa authentication command, specifying TACACS+ as the
authentication method. For more information, refer to the chapter “Configuring Authentication.”

Specifying TACACS+ Authorization


AAA authorization enables you to set parameters that restrict a user’s access to the network.
Authorization via TACACS+ may be applied to commands, network connections, and EXEC sessions.
Because TACACS+ authorization is facilitated through AAA, you must issue the aaa authorization
command, specifying TACACS+ as the authorization method. For more information, refer to the chapter
“Configuring Authorization.”

Specifying TACACS+ Accounting


AAA accounting enables you to track the services users are accessing as well as the amount of network
resources they are consuming. Because TACACS+ accounting is facilitated through AAA, you must
issue the aaa accounting command, specifying TACACS+ as the accounting method. For more
information, refer to the chapter “Configuring Accounting.”

TACACS+ AV Pairs
The network access server implements TACACS+ authorization and accounting functions by
transmitting and receiving TACACS+ attribute-value (AV) pairs for each user session. For a list of
supported TACACS+ AV pairs, refer to the appendix “TACACS+ Attribute-Value Pairs.”

TACACS+ Configuration Examples


The following sections provide TACACS+ configuration examples:
• TACACS+ Authentication Examples
• TACACS+ Authorization Example
• TACACS+ Accounting Example
• TACACS+ Server Group Example
• AAA Server Group Selection Based on DNIS Example
• TACACS+ Daemon Configuration Example

TACACS+ Authentication Examples


The following example shows how to configure TACACS+ as the security protocol for PPP
authentication:
aaa new-model
aaa authentication ppp test group tacacs+ local
tacacs-server host [Link]
tacacs-server key goaway
interface serial 0
ppp authentication chap pap test

The lines in the preceding sample configuration are defined as follows:


• The aaa new-model command enables the AAA security services.
• The aaa authentication command defines a method list, “test,” to be used on serial interfaces
running PPP. The keyword group tacacs+ means that authentication will be done through
TACACS+. If TACACS+ returns an ERROR of some sort during authentication, the keyword local
indicates that authentication will be attempted using the local database on the network access server.
• The tacacs-server host command identifies the TACACS+ daemon as having an IP address of
[Link]. The tacacs-server key command defines the shared encryption key to be “goaway.”
• The interface command selects the line, and the ppp authentication command applies the test
method list to this line.

The following example shows how to configure TACACS+ as the security protocol for PPP
authentication, but instead of the “test” method list, the “default” method list is used.
aaa new-model
aaa authentication ppp default if-needed group tacacs+ local
tacacs-server host [Link]
tacacs-server key goaway
interface serial 0
ppp authentication default

The lines in the preceding sample configuration are defined as follows:


• The aaa new-model command enables the AAA security services.
• The aaa authentication command defines a method list, “default,” to be used on serial interfaces
running PPP. The keyword default means that PPP authentication is applied by default to all
interfaces. The if-needed keyword means that if the user has already authenticated by going through
the ASCII login procedure, then PPP authentication is not necessary and can be skipped. If
authentication is needed, the keyword group tacacs+ means that authentication will be done
through TACACS+. If TACACS+ returns an ERROR of some sort during authentication, the
keyword local indicates that authentication will be attempted using the local database on the
network access server.
• The tacacs-server host command identifies the TACACS+ daemon as having an IP address of
[Link]. The tacacs-server key command defines the shared encryption key to be “goaway.”
• The interface command selects the line, and the ppp authentication command applies the default
method list to this line.
The following example shows how to create the same authentication algorithm for PAP, but it calls the
method list “MIS-access” instead of “default”:
aaa new-model
aaa authentication pap MIS-access if-needed group tacacs+ local
tacacs-server host [Link]
tacacs-server key goaway
interface serial 0
ppp authentication pap MIS-access

The lines in the preceding sample configuration are defined as follows:


• The aaa new-model command enables the AAA security services.
• The aaa authentication command defines a method list, “MIS-access,” to be used on serial
interfaces running PPP. The method list, “MIS-access,” means that PPP authentication is applied to
all interfaces. The if-needed keyword means that if the user has already authenticated by going
through the ASCII login procedure, then PPP authentication is not necessary and can be skipped. If
authentication is needed, the keyword group tacacs+ means that authentication will be done
through TACACS+. If TACACS+ returns an ERROR of some sort during authentication, the
keyword local indicates that authentication will be attempted using the local database on the
network access server.
• The tacacs-server host command identifies the TACACS+ daemon as having an IP address of
[Link]. The tacacs-server key command defines the shared encryption key to be “goaway.”
• The interface command selects the line, and the ppp authentication command applies the MIS-access
method list to this line.

The following example shows the configuration for a TACACS+ daemon with an IP address of [Link]
and an encryption key of “apple”:
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host [Link]
tacacs-server key apple

The lines in the preceding sample configuration are defined as follows:


• The aaa new-model command enables the AAA security services.
• The aaa authentication command defines the default method list. Incoming ASCII logins on all
interfaces (by default) will use TACACS+ for authentication. If no TACACS+ server responds, then
the network access server will use the information contained in the local username database for
authentication.
• The tacacs-server host command identifies the TACACS+ daemon as having an IP address of
[Link]. The tacacs-server key command defines the shared encryption key to be “apple.”

TACACS+ Authorization Example


The following example shows how to configure TACACS+ as the security protocol for PPP
authentication using the default method list; it also shows how to configure network authorization via
TACACS+:
aaa new-model
aaa authentication ppp default if-needed group tacacs+ local
aaa authorization network default group tacacs+
tacacs-server host [Link]
tacacs-server key goaway
interface serial 0
ppp authentication default

The lines in the preceding sample configuration are defined as follows:


• The aaa new-model command enables the AAA security services.
• The aaa authentication command defines a method list, “default,” to be used on serial interfaces
running PPP. The keyword default means that PPP authentication is applied by default to all
interfaces. The if-needed keyword means that if the user has already authenticated by going through
the ASCII login procedure, then PPP authentication is not necessary and can be skipped. If
authentication is needed, the keyword group tacacs+ means that authentication will be done
through TACACS+. If TACACS+ returns an ERROR of some sort during authentication, the
keyword local indicates that authentication will be attempted using the local database on the
network access server.
• The aaa authorization command configures network authorization via TACACS+. Unlike
authentication lists, this authorization list always applies to all incoming network connections made
to the network access server.
• The tacacs-server host command identifies the TACACS+ daemon as having an IP address of
[Link]. The tacacs-server key command defines the shared encryption key to be “goaway.”
• The interface command selects the line, and the ppp authentication command applies the default
method list to this line.

TACACS+ Accounting Example


The following example shows how to configure TACACS+ as the security protocol for PPP
authentication using the default method list; it also shows how to configure accounting via TACACS+:
aaa new-model
aaa authentication ppp default if-needed group tacacs+ local
aaa accounting network default stop-only group tacacs+
tacacs-server host [Link]
tacacs-server key goaway
interface serial 0
ppp authentication default

The lines in the preceding sample configuration are defined as follows:


• The aaa new-model command enables the AAA security services.
• The aaa authentication command defines a method list, “default,” to be used on serial interfaces
running PPP. The keyword default means that PPP authentication is applied by default to all
interfaces. The if-needed keyword means that if the user has already authenticated by going through
the ASCII login procedure, then PPP authentication is not necessary and can be skipped. If
authentication is needed, the keyword group tacacs+ means that authentication will be done
through TACACS+. If TACACS+ returns an ERROR of some sort during authentication, the
keyword local indicates that authentication will be attempted using the local database on the
network access server.
• The aaa accounting command configures network accounting via TACACS+. In this example,
accounting records describing the session that just terminated will be sent to the TACACS+ daemon
whenever a network connection terminates.
• The tacacs-server host command identifies the TACACS+ daemon as having an IP address of
[Link]. The tacacs-server key command defines the shared encryption key to be “goaway.”
• The interface command selects the line, and the ppp authentication command applies the default
method list to this line.

TACACS+ Server Group Example


The following example shows how to create a server group with three different TACACS+ server
members:
aaa group server tacacs tacgroup1
server [Link]
server [Link]
server [Link]

AAA Server Group Selection Based on DNIS Example


The following example shows how to select TACACS+ server groups based on DNIS to provide specific
AAA services:
! This command enables AAA.
aaa new-model
!
! The following set of commands configures the TACACS+ servers that will be associated
! with one of the defined server groups.
tacacs-server host [Link]
tacacs-server host [Link]

tacacs-server host [Link]
tacacs-server host [Link]
tacacs-server host [Link]
tacacs-server key abcdefg

! The following commands define the sg1 TACACS+ server group and associate servers
! with it.
aaa group server tacacs sg1
server [Link]
server [Link]
! The following commands define the sg2 TACACS+ server group and associate a server
! with it.
aaa group server tacacs sg2
server [Link]
! The following commands define the sg3 TACACS+ server group and associate a server
! with it.
aaa group server tacacs sg3
server [Link]
! The following commands define the default-group TACACS+ server group and associate
! a server with it.
aaa group server tacacs default-group
server [Link]
!
! The next set of commands configures default-group tacacs server group parameters.
aaa authentication ppp default group default-group
aaa accounting network default start-stop group default-group
!
! The next set of commands enables DNIS mapping and maps DNIS numbers to the defined
! TACACS+ server groups. In this configuration, all PPP connection requests using DNIS
! 7777 are sent to the sg1 server group. The accounting records for these connections
! (specifically, start-stop records) are handled by the sg2 server group. Calls with a
! DNIS of 8888 use server group sg3 for authentication and server group default-group
! for accounting. Calls with a DNIS of 9999 use server group default-group for
! authentication and server group sg3 for accounting records (stop records only). All
! other calls with DNIS other than the ones defined use the server group default-group
! for both authentication and start-stop accounting records.
aaa dnis map enable
aaa dnis map 7777 authentication ppp group sg1
aaa dnis map 7777 accounting network start-stop group sg2
aaa dnis map 8888 authentication ppp group sg3
aaa dnis map 9999 accounting network stop-only group sg3

TACACS+ Daemon Configuration Example


The following example shows a sample configuration of the TACACS+ daemon. The precise syntax used
by your TACACS+ daemon may be different from what is included in this example.
user = mci_customer1 {
    chap = cleartext "some chap password"
    service = ppp protocol = ip {
        inacl#1="permit ip any any precedence immediate"
        inacl#2="deny igrp [Link] [Link] any"
    }
}

Configuring Kerberos

This chapter describes the Kerberos security system. For a complete description of the Kerberos
commands used in this chapter, refer to the “Kerberos Commands” chapter in the Cisco IOS Security
Command Reference. To locate documentation of other commands that appear in this chapter, use the
command reference master index or search online.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on [Link] to search for information about the feature, or refer to the software
release notes for a specific release. For more information, see the section “Identifying Supported
Platforms” in the chapter “Using Cisco IOS Software.”

In This Chapter
This chapter includes the following topics and tasks:
• About Kerberos
• Kerberos Client Support Operation
• Kerberos Configuration Task List
• Kerberos Configuration Examples

About Kerberos
Kerberos is a secret-key network authentication protocol, developed at the Massachusetts Institute of
Technology (MIT), that uses the Data Encryption Standard (DES) cryptographic algorithm for
encryption and authentication. Kerberos was designed to authenticate requests for network resources.
Kerberos, like other secret-key systems, is based on the concept of a trusted third party that performs
secure verification of users and services. In the Kerberos protocol, this trusted third party is called the
key distribution center (KDC).
The primary use of Kerberos is to verify that users and the network services they use are really who and
what they claim to be. To accomplish this, a trusted Kerberos server issues tickets to users. These tickets,
which have a limited lifespan, are stored in a user’s credential cache and can be used in place of the
standard username-and-password authentication mechanism.
The Kerberos credential scheme embodies a concept called “single logon.” This process requires
authenticating a user once, and then allows secure authentication (without encrypting another password)
wherever that user’s credential is accepted.

Starting with Cisco IOS Release 11.2, Cisco IOS software includes Kerberos 5 support, which allows
organizations already deploying Kerberos 5 to use the same Kerberos authentication database on their
routers that they are already using on their other network hosts (such as UNIX servers and PCs).
The following network services are supported by the Kerberos authentication capabilities in Cisco IOS
software:
• Telnet
• rlogin
• rsh
• rcp

Note Cisco Systems’ implementation of Kerberos client support is based on code developed by CyberSafe,
which was derived from the MIT code. As a result, the Cisco Kerberos implementation has
successfully undergone full compatibility testing with the CyberSafe Challenger commercial
Kerberos server and MIT’s server code, which is freely distributed.

Table 14 lists common Kerberos-related terms and their definitions.

Table 14 Kerberos Terminology

authentication
    A process by which a user or service identifies itself to another service. For example, a client
    can authenticate to a router or a router can authenticate to another router.

authorization
    A means by which the router determines what privileges you have in a network or on the router and
    what actions you can perform.

credential
    A general term that refers to authentication tickets, such as ticket granting tickets (TGTs) and
    service credentials. Kerberos credentials verify the identity of a user or service. If a network
    service decides to trust the Kerberos server that issued a ticket, it can be used in place of
    retyping in a username and password. Credentials have a default lifespan of eight hours.

instance
    An authorization level label for Kerberos principals. Most Kerberos principals are of the form
    user@REALM (for example, smith@[Link]). A Kerberos principal with a Kerberos instance has the
    form user/instance@REALM (for example, smith/admin@[Link]). The Kerberos instance can be used
    to specify the authorization level for the user if authentication is successful. It is up to the
    server of each network service to implement and enforce the authorization mappings of Kerberos
    instances. Note that the Kerberos realm name must be in uppercase characters.

Kerberized
    Applications and services that have been modified to support the Kerberos credential
    infrastructure.

Kerberos realm
    A domain consisting of users, hosts, and network services that are registered to a Kerberos
    server. The Kerberos server is trusted to verify the identity of a user or network service to
    another user or network service. Kerberos realms must always be in uppercase characters.

Kerberos server
    A daemon running on a network host. Users and network services register their identity with the
    Kerberos server. Network services query the Kerberos server to authenticate to other network
    services.


Table 14 Kerberos Terminology (continued)

key distribution center (KDC)
    A Kerberos server and database program running on a network host.

principal
    Also known as a Kerberos identity, this is who you are or what a service is according to the
    Kerberos server.

service credential
    A credential for a network service. When issued from the KDC, this credential is encrypted with
    the password shared by the network service and the KDC, and with the user's TGT.

SRVTAB
    A password that a network service shares with the KDC. The network service authenticates an
    encrypted service credential by using the SRVTAB (also known as a KEYTAB) to decrypt it.

ticket granting ticket (TGT)
    A credential that the key distribution center (KDC) issues to authenticated users. When users
    receive a TGT, they can authenticate to network services within the Kerberos realm represented
    by the KDC.

Kerberos Client Support Operation


This section describes how the Kerberos security system works with a Cisco router functioning as the
security server. Although (for convenience or technical reasons) you can customize Kerberos in a
number of ways, remote users attempting to access network services must pass through three layers of
security before they can do so.
This section includes the following sections:
• Authenticating to the Boundary Router
• Obtaining a TGT from a KDC
• Authenticating to Network Services

Authenticating to the Boundary Router


This section describes the first layer of security that remote users must pass through when they attempt
to access a network. The first step in the Kerberos authentication process is for users to authenticate
themselves to the boundary router. The following process describes how users authenticate to a boundary
router:
1. The remote user opens a PPP connection to the corporate site router.
2. The router prompts the user for a username and password.
3. The router requests a TGT from the KDC for this particular user.
4. The KDC sends an encrypted TGT to the router that includes (among other things) the user’s
identity.
5. The router attempts to decrypt the TGT using the password the user entered. If the decryption is
successful, the remote user is authenticated to the router.


A remote user who successfully initiates a PPP session and authenticates to the boundary router is inside
the firewall but still must authenticate to the KDC directly before being allowed to access network
services. This is because the TGT issued by the KDC is stored on the router and is not useful for
additional authentication unless the user physically logs on to the router.

Obtaining a TGT from a KDC


This section describes how remote users who are authenticated to the boundary router authenticate
themselves to a KDC.
When a remote user authenticates to a boundary router, that user technically becomes part of the
network; that is, the network is extended to include the remote user and the user’s machine or network.
To gain access to network services, however, the remote user must obtain a TGT from the KDC. The
following process describes how remote users authenticate to the KDC:
1. The remote user, at a workstation on a remote site, launches the KINIT program (part of the client
software provided with the Kerberos protocol).
2. The KINIT program finds the user’s identity and requests a TGT from the KDC.
3. The KDC creates a TGT, which contains the identity of the user, the identity of the KDC, and the
expiration time of the TGT.
4. Using the user’s password as a key, the KDC encrypts the TGT and sends the TGT to the
workstation.
5. When the KINIT program receives the encrypted TGT, it prompts the user for a password (this is
the password that is defined for the user in the KDC).
6. If the KINIT program can decrypt the TGT with the password the user enters, the user is
authenticated to the KDC, and the KINIT program stores the TGT in the user’s credential cache.
At this point, the user has a TGT and can communicate securely with the KDC. In turn, the TGT allows
the user to authenticate to other network services.

Authenticating to Network Services


The following process describes how a remote user with a TGT authenticates to network services within
a given Kerberos realm. Assume the user is on a remote workstation (Host A) and wants to log in to
Host B.
1. The user on Host A initiates a Kerberized application (such as Telnet) to Host B.
2. The Kerberized application builds a service credential request and sends it to the KDC. The service
credential request includes (among other things) the user’s identity and the identity of the desired
network service. The TGT is used to encrypt the service credential request.
3. The KDC tries to decrypt the service credential request with the TGT it issued to the user on Host A.
If the KDC can decrypt the packet, it is assured that the authenticated user on Host A sent the
request.
4. The KDC notes the network service identity in the service credential request.
5. The KDC builds a service credential for the appropriate network service on Host B on behalf of the
user on Host A. The service credential contains the client’s identity and the desired network
service’s identity.


6. The KDC then encrypts the service credential twice. It first encrypts the credential with the
SRVTAB that it shares with the network service identified in the credential. It then encrypts the
resulting packet with the TGT of the user (who, in this case, is on Host A).
7. The KDC sends the twice-encrypted credential to Host A.
8. Host A attempts to decrypt the service credential with the user’s TGT. If Host A can decrypt the
service credential, it is assured the credential came from the real KDC.
9. Host A sends the service credential to the desired network service. Note that the credential is still
encrypted with the SRVTAB shared by the KDC and the network service.
10. The network service attempts to decrypt the service credential using its SRVTAB.
11. If the network service can decrypt the credential, it is assured the credential was in fact issued from
the KDC. Note that the network service trusts anything it can decrypt from the KDC, even if it
receives it indirectly from a user. This is because the user first authenticated with the KDC.
At this point, the user is authenticated to the network service on Host B. This process is repeated each
time a user wants to access a network service in the Kerberos realm.
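The exchange described in "Obtaining a TGT from a KDC" and in the eleven steps above, modelled end to end as an added example (this is not code from the chapter, from Cisco or from MIT). It assumes a toy XOR-plus-HMAC cipher in place of DES, SHA-256 in place of the password-to-key step, and a constructed realm EXAMPLE.COM with constructed principals, passwords and SRVTAB keys; each decryption step fails in the way the chapter describes when the wrong password, TGT, SRVTAB or clock is used.

```python
"""Toy model of the exchange in 'Obtaining a TGT from a KDC' and 'Authenticating to
Network Services'. Added example, not Cisco or MIT code: an XOR keystream with an
HMAC tag stands in for DES, SHA-256 for the password-to-key step, and the realm,
principals, passwords and SRVTAB keys are constructed for the example."""
import hashlib
import hmac
import json
import os

REALM = "EXAMPLE.COM"        # constructed; Kerberos realm names are uppercase
CRED_LIFETIME = 8 * 3600     # default credential lifespan (Table 14)
CLOCK_SKEW = 5 * 60          # KDC and hosts must agree within a 5-minute window

def key_from_password(password):
    """Stand-in for deriving the user's key from the password held by the KDC."""
    return hashlib.sha256(password.encode()).digest()

def _keystream(key, nonce, length):
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def encrypt(key, obj):
    """Toy authenticated encryption of a JSON object: nonce || tag || body."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + tag + body

def decrypt(key, blob):
    """Return the object, or None when the key is wrong (tag mismatch)."""
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        return None
    return json.loads(bytes(b ^ s for b, s in zip(body, _keystream(key, nonce, len(body)))))

class KDC:
    """Kerberos server and database: users added with ank, services with ark."""
    def __init__(self):
        self.users = {}     # principal -> key derived from the user's password
        self.srvtabs = {}   # service principal -> random key (the SRVTAB)
        self.issued = {}    # client principal -> secret inside the TGT it issued

    def ank(self, principal, password):
        self.users[principal] = key_from_password(password)

    def ark(self, service_principal):
        self.srvtabs[service_principal] = os.urandom(32)
        return self.srvtabs[service_principal]   # what xst writes to the SRVTAB file

    def issue_tgt(self, principal, now):
        """'Obtaining a TGT' steps 3-4: the TGT is encrypted under the user's key."""
        if principal not in self.users:
            return None
        secret = os.urandom(32).hex()            # lets the TGT later be used as a key
        self.issued[principal] = secret
        tgt = {"client": principal, "kdc": "krbtgt/" + REALM,
               "expires": now + CRED_LIFETIME, "secret": secret}
        return encrypt(self.users[principal], tgt)

    def issue_service_credential(self, principal, request_blob, now):
        """'Authenticating to Network Services' steps 3-7: decrypt the request
        with the TGT it issued, then encrypt the credential twice."""
        secret = self.issued.get(principal)
        request = decrypt(bytes.fromhex(secret), request_blob) if secret else None
        if request is None or request["service"] not in self.srvtabs:
            return None
        cred = {"client": principal, "service": request["service"],
                "issued": now, "expires": now + CRED_LIFETIME}
        inner = encrypt(self.srvtabs[request["service"]], cred)          # with the SRVTAB
        return encrypt(bytes.fromhex(secret), {"ticket": inner.hex()})   # then with the TGT

def service_accepts(srvtab_key, ticket_blob, service_clock):
    """Steps 10-11: trust only what the SRVTAB decrypts, and only while it is fresh."""
    cred = decrypt(srvtab_key, ticket_blob)
    if cred is None or service_clock > cred["expires"] \
            or abs(service_clock - cred["issued"]) > CLOCK_SKEW:
        return None
    return cred["client"]

def login(kdc, principal, password, service, srvtab_key, now=1_000_000, service_clock=None):
    """Workstation side: KINIT, then a Kerberized connection to `service`.
    Returns the authenticated client principal, or None at whichever step fails."""
    tgt_blob = kdc.issue_tgt(principal, now)
    tgt = decrypt(key_from_password(password), tgt_blob) if tgt_blob else None
    if tgt is None:                 # step 6: wrong password, the TGT does not decrypt
        return None
    secret = bytes.fromhex(tgt["secret"])
    request = encrypt(secret, {"client": principal, "service": service})
    reply = kdc.issue_service_credential(principal, request, now)
    wrapped = decrypt(secret, reply) if reply else None
    if wrapped is None:             # step 8: outer layer must come from the real KDC
        return None
    clock = now if service_clock is None else service_clock
    return service_accepts(srvtab_key, bytes.fromhex(wrapped["ticket"]), clock)
```

The service never sees the user's password or TGT: it accepts the credential only because its own SRVTAB decrypts it, which is the trust relationship step 11 describes.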

Kerberos Configuration Task List


For hosts and the KDC in your Kerberos realm to communicate and mutually authenticate, you must
identify them to each other. To do this, you add entries for the hosts to the Kerberos database on the KDC
and add SRVTAB files generated by the KDC to all hosts in the Kerberos realm. You also make entries
for users in the KDC database.
This section describes how to set up a Kerberos-authenticated server-client system and contains the
following topics:
• Configuring the KDC Using Kerberos Commands
• Configuring the Router to Use the Kerberos Protocol
This section assumes that you have installed the Kerberos administrative programs on a UNIX host,
known as the KDC, initialized the database, and selected a Kerberos realm name and password. For
instructions about completing these tasks, refer to documentation that came with your Kerberos
software.

Note Write down the host name or IP address of the KDC, the port number you want the KDC to monitor
for queries, and the name of the Kerberos realm it will serve. You need this information to configure
the router.

Configuring the KDC Using Kerberos Commands


After you set up a host to function as the KDC in your Kerberos realm, you must make entries to the
KDC database for all principals in the realm. Principals can be network services on Cisco routers and
hosts or they can be users.


To use Kerberos commands to add services to the KDC database (and to modify existing database
information), complete the tasks in the following sections:
• Adding Users to the KDC Database
• Creating SRVTABs on the KDC
• Extracting SRVTABs

Note All Kerberos command examples are based on Kerberos 5 Beta 5 of the original MIT implementation.
Later versions use a slightly different interface.

Adding Users to the KDC Database


To add users to the KDC and create privileged instances of those users, use the su command to become
root on the host running the KDC, start the kdb5_edit program, and use the following commands in
privileged EXEC mode:

Step 1
Command: Router# ank username@REALM
Purpose: Use the ank (add new key) command to add a user to the KDC. This command prompts for a
password, which the user must enter to authenticate to the router.

Step 2
Command: Router# ank username/instance@REALM
Purpose: Use the ank command to add a privileged instance of a user.

For example, to add user loki of Kerberos realm [Link], enter the following Kerberos command:
ank loki@[Link]

Note The Kerberos realm name must be in uppercase characters.

You might want to create privileged instances to allow network administrators to connect to the router
at the enable level, for example, so that they need not enter a clear text password (and compromise
security) to enter enable mode.
To add an instance of loki with additional privileges (in this case, enable, although it could be anything)
enter the following Kerberos command:
ank loki/enable@[Link]

In each of these examples, you are prompted to enter a password, which you must give to user loki to
use at login.
The “Enabling Kerberos Instance Mapping” section describes how to map Kerberos instances to various
Cisco IOS privilege levels.

Creating SRVTABs on the KDC


All routers that you want to authenticate using the Kerberos protocol must have an SRVTAB. This
section and the “Extracting SRVTABs” section describe how to create and extract SRVTABs for a router
called router1. The section “Copying SRVTAB Files” describes how to copy SRVTAB files to the router.


To make SRVTAB entries on the KDC, use the following command in privileged EXEC mode:

Command: Router# ark SERVICE/HOSTNAME@REALM
Purpose: Use the ark (add random key) command to add a network service supported by a host or router
to the KDC.

For example, to add a Kerberized authentication service for a Cisco router called router1 to the Kerberos
realm [Link], enter the following Kerberos command:
ark host/[Link]@[Link]

Make entries for all network services on all Kerberized hosts that use this KDC for authentication.

Extracting SRVTABs
SRVTABs contain (among other things) the passwords or randomly generated keys for the service
principals you entered into the KDC database. Service principal keys must be shared with the host
running that service. To do this, you must save the SRVTAB entries to a file, then copy the file to the
router and all hosts in the Kerberos realm. Saving SRVTAB entries to a file is called extracting
SRVTABs. To extract SRVTABs, use the following command in privileged EXEC mode:

Command: Router# xst router-name host
Purpose: Use the kdb5_edit command xst to write an SRVTAB entry to a file.

For example, to write the host/[Link]@[Link] SRVTAB to a file, enter the following
Kerberos command:
xst [Link]@[Link] host

Use the quit command to exit the kdb5_edit program.

Configuring the Router to Use the Kerberos Protocol


To configure a Cisco router to function as a network security server and authenticate users using the
Kerberos protocol, complete the tasks in the following sections:
• Defining a Kerberos Realm
• Copying SRVTAB Files
• Specifying Kerberos Authentication
• Enabling Credentials Forwarding
• Opening a Telnet Session to the Router
• Establishing an Encrypted Kerberized Telnet Session
• Enabling Mandatory Kerberos Authentication
• Enabling Kerberos Instance Mapping
• Monitoring and Maintaining Kerberos


Defining a Kerberos Realm


For a router to authenticate a user defined in the Kerberos database, it must know the host name or IP
address of the host running the KDC, the name of the Kerberos realm and, optionally, be able to map the
host name or Domain Name System (DNS) domain to the Kerberos realm.
To configure the router to authenticate to a specified KDC in a specified Kerberos realm, use the
following commands in global configuration mode. Note that DNS domain names must begin with a
leading dot (.):

Step 1
Command: Router(config)# kerberos local-realm kerberos-realm
Purpose: Defines the default realm for the router.

Step 2
Command: Router(config)# kerberos server kerberos-realm {hostname | ip-address} [port-number]
Purpose: Specifies to the router which KDC to use in a given Kerberos realm and, optionally, the port
number that the KDC is monitoring. (The default is 88.)

Step 3
Command: Router(config)# kerberos realm {dns-domain | host} kerberos-realm
Purpose: (Optional) Maps a host name or DNS domain to a Kerberos realm.

Note Because the machine running the KDC and all Kerberized hosts must interact within a 5-minute
window or authentication fails, all Kerberized machines, and especially the KDC, should be running
the Network Time Protocol (NTP).

The kerberos local-realm, kerberos realm, and kerberos server commands are equivalent to the UNIX
[Link] file. Table 15 identifies mappings from the Cisco IOS configuration commands to a Kerberos 5
configuration file ([Link]).

Table 15 Kerberos 5 Configuration File and Commands

[Link] File                        Cisco IOS Configuration Command

[libdefaults]                      (in configuration mode)
default_realm = [Link]             kerberos local-realm [Link]

[domain_realm]                     (in configuration mode)
.[Link] = [Link]                   kerberos [Link] [Link]
[Link] = [Link]                    kerberos realm [Link] [Link]

[realms]                           (in configuration mode)
kdc = [Link]                       kerberos server [Link] [Link]
admin_server = [Link]              ([Link] is the example IP address for [Link])
default_domain = [Link]

For an example of defining a Kerberos realm, see the section “Defining a Kerberos Realm” later in this
chapter.
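The mapping in Table 15 carried out mechanically, as an added example that is not a Cisco tool or part of this chapter: a small parser for the three krb5.conf sections the table names, and a function that emits the equivalent kerberos commands. The sample file, its host names and the realm EXAMPLE.COM are constructed; the KDC port 170 reuses the value from the realm definition example later in this chapter.

```python
"""Translate the krb5.conf settings mapped in Table 15 into the equivalent Cisco IOS
kerberos commands. Added example, not a Cisco tool; the sample file, host names and
port are constructed (port 170 matches the realm definition example in this chapter).
A repeated key inside one section or realm block overrides the earlier value."""
import re

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com:170
        admin_server = kdc.example.com
        default_domain = example.com
    }
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'NAME = {' block nests under its section."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # krb5.conf comments start with #
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
            continue
        if section is None:
            raise ValueError(f"setting outside any section: {line}")
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
            continue
        (block if block is not None else section)[key] = value
    return conf


def check_realm(realm):
    """The chapter requires Kerberos realm names to be uppercase."""
    if realm != realm.upper():
        raise ValueError(f"realm must be uppercase: {realm}")
    return realm


def ios_kerberos_commands(conf):
    """Emit the router commands Table 15 pairs with each krb5.conf setting.
    admin_server and default_domain have no router equivalent and are skipped."""
    cmds = []
    default = conf.get("libdefaults", {}).get("default_realm")
    if default:
        cmds.append(f"kerberos local-realm {check_realm(default)}")
    for name, realm in conf.get("domain_realm", {}).items():
        # name is either a DNS domain (leading dot) or a single host name
        cmds.append(f"kerberos realm {name} {check_realm(realm)}")
    for realm, settings in conf.get("realms", {}).items():
        if not isinstance(settings, dict) or "kdc" not in settings:
            continue
        host, _, port = settings["kdc"].partition(":")
        cmd = f"kerberos server {check_realm(realm)} {host}"
        if port and port != "88":                # 88 is the router's default
            cmd += f" {port}"
        cmds.append(cmd)
    return cmds
```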

Copying SRVTAB Files


To make it possible for remote users to authenticate to the router using Kerberos credentials, the router
must share a secret key with the KDC. To do this, you must give the router a copy of the SRVTAB you
extracted on the KDC.


The most secure method to copy SRVTAB files to the hosts in your Kerberos realm is to copy them onto
physical media and go to each host in turn and manually copy the files onto the system. To copy SRVTAB
files to the router, which does not have a physical media drive, you must transfer them via the network
using TFTP.
To remotely copy SRVTAB files to the router from the KDC, use the following command in global
configuration mode:

Command: Router(config)# kerberos srvtab remote {hostname | ip-address} (unknown)
Purpose: Retrieves an SRVTAB file from the KDC.

When you copy the SRVTAB file from the KDC to the router, the kerberos srvtab remote command
parses the information in this file and stores it in the router’s running configuration in the kerberos
srvtab entry format. To ensure that the SRVTAB is available (does not need to be acquired from the
KDC) when you reboot the router, use the write memory configuration command to write your running
configuration (which contains the parsed SRVTAB file) to NVRAM.
For an example of copying SRVTAB files, see the section “SRVTAB File Copying Example” later in this
chapter.

Specifying Kerberos Authentication


You have now configured Kerberos on your router. This makes it possible for the router to authenticate
using Kerberos. The next step is to tell it to do so. Because Kerberos authentication is facilitated through
AAA, you need to enter the aaa authentication command, specifying Kerberos as the authentication
method. For more information, refer to the chapter “Configuring Authentication”.

Enabling Credentials Forwarding


With Kerberos configured thus far, a user authenticated to a Kerberized router has a TGT and can use it
to authenticate to a host on the network. However, if the user tries to list credentials after authenticating
to a host, the output will show no Kerberos credentials present.
You can optionally configure the router to forward users’ TGTs with them as they authenticate from the
router to Kerberized remote hosts on the network when using Kerberized Telnet, rcp, rsh, and rlogin
(with the appropriate flags).
To force all clients to forward users’ credentials as they connect to other hosts in the Kerberos realm, use
the following command in global configuration mode:

Command: Router(config)# kerberos credentials forward
Purpose: Forces all clients to forward user credentials upon successful Kerberos authentication.

With credentials forwarding enabled, users’ TGTs are automatically forwarded to the next host they
authenticate to. In this way, users can connect to multiple hosts in the Kerberos realm without running
the KINIT program each time to get a new TGT.


Opening a Telnet Session to the Router


To use Kerberos to authenticate users opening a Telnet session to the router from within the network, use
the following command in global configuration mode:

Command: Router(config)# aaa authentication login {default | list-name} krb5_telnet
Purpose: Sets login authentication to use the Kerberos 5 Telnet authentication protocol when using
Telnet to connect to the router.

Although Telnet sessions to the router are authenticated, users must still enter a clear text password if
they want to enter enable mode. The kerberos instance map command, discussed in a later section,
allows them to authenticate to the router at a predefined privilege level.

Establishing an Encrypted Kerberized Telnet Session


Another way for users to open a secure Telnet session is to use Encrypted Kerberized Telnet. With
Encrypted Kerberized Telnet, users are authenticated by their Kerberos credentials before a Telnet
session is established. The Telnet session is encrypted using 56-bit Data Encryption Standard (DES)
encryption with 64-bit Cipher Feedback (CFB). Because data sent or received is encrypted, not clear
text, the integrity of the dialed router or access server can be more easily controlled.

Note This feature is available only if you have the 56-bit encryption image. 56-bit DES encryption is
subject to U.S. Government export control regulations.

To establish an encrypted Kerberized Telnet session from a router to a remote host, use either of the
following commands in EXEC command mode:

Command: Router(config)# connect host [port] /encrypt kerberos
or
Command: Router(config)# telnet host [port] /encrypt kerberos
Purpose: Establishes an encrypted Telnet session.

When a user opens a Telnet session from a Cisco router to a remote host, the router and remote host
negotiate to authenticate the user using Kerberos credentials. If this authentication is successful, the
router and remote host then negotiate whether or not to use encryption. If this negotiation is successful,
both inbound and outbound traffic is encrypted using 56-bit DES encryption with 64-bit CFB.
When a user dials in from a remote host to a Cisco router configured for Kerberos authentication, the
host and router will attempt to negotiate whether or not to use encryption for the Telnet session. If this
negotiation is successful, the router will encrypt all outbound data during the Telnet session.
If encryption is not successfully negotiated, the session will be terminated and the user will receive a
message stating that the encrypted Telnet session was not successfully established.
For information about enabling bidirectional encryption from a remote host, refer to the documentation
specific to the remote host device.
For an example of using encrypted Kerberized Telnet to open a secure Telnet session, see the section
“Encrypted Telnet Session Example” later in this chapter.


Enabling Mandatory Kerberos Authentication


As an added layer of security, you can optionally configure the router so that, after remote users
authenticate to it, these users can authenticate to other services on the network only with Kerberized
Telnet, rlogin, rsh, and rcp. If you do not make Kerberos authentication mandatory and Kerberos
authentication fails, the application attempts to authenticate users using the default method of
authentication for that network service; for example, Telnet and rlogin prompt for a password, and rsh
attempts to authenticate using the local rhost file.
To make Kerberos authentication mandatory, use the following command in global configuration mode:

Command: Router(config)# kerberos clients mandatory
Purpose: Sets Telnet, rlogin, rsh, and rcp to fail if they cannot negotiate the Kerberos protocol with
the remote server.

Enabling Kerberos Instance Mapping


As mentioned in the section “Adding Users to the KDC Database,” you can create administrative
instances of users in the KDC database. The kerberos instance map command allows you to map those
instances to Cisco IOS privilege levels so that users can open secure Telnet sessions to the router at a
predefined privilege level, obviating the need to enter a clear text password to enter enable mode.
To map a Kerberos instance to a Cisco IOS privilege level, use the following command in global
configuration mode:

Command: Router(config)# kerberos instance map instance privilege-level
Purpose: Maps a Kerberos instance to a Cisco IOS privilege level.

If there is a Kerberos instance for user loki in the KDC database (for example, loki/admin), user loki can
now open a Telnet session to the router as loki/admin and authenticate automatically at privilege level
15, assuming instance “admin” is mapped to privilege level 15. (See the section “Adding Users to the
KDC Database” earlier in this chapter.)
Cisco IOS commands can be set to various privilege levels using the privilege level command.
After you map a Kerberos instance to a Cisco IOS privilege level, you must configure the router to check
for Kerberos instances each time a user logs in. To run authorization to determine if a user is allowed to
run an EXEC shell based on a mapped Kerberos instance, use the aaa authorization command with the
krb5-instance keyword. For more information, refer to the chapter “Configuring Authorization.”


Monitoring and Maintaining Kerberos


To display or remove a current user’s credentials, use the following commands in EXEC mode:

Step 1
Command: Router# show kerberos creds
Purpose: Lists the credentials in a current user’s credentials cache.

Step 2
Command: Router# clear kerberos creds
Purpose: Destroys all credentials in a current user’s credentials cache, including those forwarded.

For an example of Kerberos configuration, see the section “Kerberos Configuration Examples”.

Kerberos Configuration Examples


The following sections provide Kerberos configuration examples:
• Kerberos Realm Definition Examples
• SRVTAB File Copying Example
• Kerberos Configuration Examples
• Encrypted Telnet Session Example

Kerberos Realm Definition Examples


To define [Link] as the default Kerberos realm, use the following command:
kerberos local-realm [Link]

To tell the router that the [Link] KDC is running on host [Link] at port number 170, use the
following Kerberos command:
kerberos server [Link] [Link] 170

To map the DNS domain [Link] to the Kerberos realm [Link], use the following command:
kerberos [Link] [Link]

SRVTAB File Copying Example


To copy over the SRVTAB file on a host named [Link] for a router named [Link],
the command would look like this:
kerberos srvtab remote [Link] [Link]-new-srvtab

Kerberos Configuration Examples


This section provides a typical non-Kerberos router configuration and shows output for this
configuration from the write term command, then builds on this configuration by adding optional
Kerberos functionality. Output for each configuration is presented for comparison against the previous
configuration.


This example shows how to use the kdb5_edit program to perform the following configuration tasks:
• Adding user chet to the Kerberos database
• Adding a privileged Kerberos instance of user chet (chet/admin) to the Kerberos database
• Adding a restricted instance of chet (chet/restricted) to the Kerberos database
• Adding workstation [Link]
• Adding router [Link] to the Kerberos database
• Adding workstation [Link] to the Kerberos database
• Extracting SRVTABs for the router and workstations
• Listing the contents of the KDC database (with the ldb command)
Note that, in this sample configuration, host chet-ss20 is also the KDC:
chet-ss20# sbin/kdb5_edit
kdb5_edit: ank chet
Enter password:
Re-enter password for verification:
kdb5_edit: ank chet/admin
Enter password:
Re-enter password for verification:
kdb5_edit: ank chet/restricted
Enter password:
Re-enter password for verification:
kdb5_edit: ark host/[Link]
kdb5_edit: ark host/[Link]
kdb5_edit: xst [Link] host
'host/[Link]@[Link]' added to keytab
'WRFILE:[Link]-new-srvtab'
kdb5_edit: xst [Link] host
'host/[Link]@[Link]' added to keytab
'WRFILE:[Link]-new-srvtab'
kdb5_edit: ldb
entry: host/[Link]@[Link]
entry: chet/restricted@[Link]
entry: chet@[Link]
entry: K/M@[Link]
entry: host/[Link]@[Link]
entry: krbtgt/[Link]@[Link]
entry: chet/admin@[Link]
kdb5_edit: q
chet-ss20#

The following example shows output from a write term command, which displays the configuration of
router chet-2500. This is a typical configuration with no Kerberos authentication.
chet-2500# write term
Building configuration...

Current configuration:
!
! Last configuration change at [Link] PDT Mon May 13 1996
!
version 11.2
service udp-small-servers
service tcp-small-servers
!
hostname chet-2500
!
clock timezone PST -8


clock summer-time PDT recurring


aaa new-model
aaa authentication login console none
aaa authentication ppp local local
enable password sMudgKin
!
username chet-2500 password 7 sMudgkin
username chet-3000 password 7 sMudgkin
username chetin password 7 sMudgkin
!
interface Ethernet0
ip address [Link] [Link]
!
interface Serial0
no ip address
shutdown
no fair-queue
!
interface Serial1
no ip address
shutdown
no fair-queue
!
interface Async2
ip unnumbered Ethernet0
encapsulation ppp
shutdown
async dynamic routing
async mode dedicated
no cdp enable
ppp authentication pap local
no tarp propagate
!
interface Async3
ip unnumbered Ethernet0
encapsulation ppp
shutdown
async dynamic address
async dynamic routing
async mode dedicated
no cdp enable
ppp authentication pap local
no tarp propagate
!
router eigrp 109
network [Link]
no auto-summary
!
ip default-gateway [Link]
ip domain-name [Link]
ip name-server [Link]
ip classless
!
!

line con 0
exec-timeout 0 0
login authentication console
line 1 16
transport input all
line aux 0
transport input all
line vty 0 4
password sMudgKin


!
ntp clock-period 17179703
ntp peer [Link]
ntp peer [Link]
end

The following example shows how to enable user authentication on the router via the Kerberos database.
To enable user authentication via the Kerberos database, you would perform the following tasks:
• Entering configuration mode
• Defining the Kerberos local realm
• Identifying the machine hosting the KDC
• Enabling credentials forwarding
• Specifying Kerberos as the method of authentication for login
• Exiting configuration mode (CTL-Z)
• Writing the new configuration to the terminal
chet-2500# configure term
Enter configuration commands, one per line. End with CNTL/Z.
chet-2500(config)# kerberos local-realm [Link]
chet-2500(config)# kerberos server [Link] chet-ss20
Translating "chet-ss20"...domain server ([Link]) [OK]

chet-2500(config)# kerberos credentials forward


chet-2500(config)# aaa authentication login default krb5
chet-2500(config)#
chet-2500#
%SYS-5-CONFIG_I: Configured from console by console
chet-2500# write term

Compare the following configuration with the previous one. In particular, look at the lines beginning
with the words “aaa,” “username,” and “kerberos” (lines 10 through 20) in this new configuration.
Building configuration...

Current configuration:
!
! Last configuration change at [Link] PDT Mon May 13 1996
!
version 11.2
service udp-small-servers
service tcp-small-servers
!
hostname chet-2500
!
clock timezone PST -8
clock summer-time PDT recurring
aaa new-model
aaa authentication login default krb5
aaa authentication login console none
aaa authentication ppp local local
enable password sMudgKin
!
username chet-2500 password 7 sMudgkin
username chet-3000 password 7 sMudgkin
username chetin password 7 sMudgkin
kerberos local-realm [Link]
kerberos server [Link] [Link]
kerberos credentials forward
!


interface Ethernet0
ip address [Link] [Link]
!
interface Serial0
no ip address
shutdown
no fair-queue
!
interface Serial1
no ip address
shutdown
no fair-queue
!
interface Async2
ip unnumbered Ethernet0
encapsulation ppp
shutdown
async dynamic routing
async mode dedicated
no cdp enable
ppp authentication pap local
no tarp propagate
!
interface Async3
ip unnumbered Ethernet0
encapsulation ppp
shutdown
async dynamic address
async dynamic routing
async mode dedicated
no cdp enable
ppp authentication pap local
no tarp propagate
!
router eigrp 109
network [Link]
no auto-summary
!
ip default-gateway [Link]
ip domain-name [Link]
ip name-server [Link]
ip classless
!
!
line con 0
exec-timeout 0 0
login authentication console
line 1 16
transport input all
line aux 0
transport input all
line vty 0 4
password sMudgKin
!
ntp clock-period 17179703
ntp peer [Link]
ntp peer [Link]
end


With the router configured thus far, user chet can log in to the router with a username and password and
automatically obtain a TGT, as illustrated in the next example. Because credentials forwarding is enabled,
user chet then authenticates to host chet-ss20 with the forwarded TGT, without entering a username or
password. Note that the rest of this example configuration is not hardened: line con 0 uses the console
method list, which is none (no authentication); the privileged-mode password is set with enable password
rather than enable secret; and the TCP and UDP small servers are enabled.
chet-ss20% telnet chet-2500
Trying [Link] ...
Connected to [Link].
Escape character is '^]'.

User Access Verification

Username: chet
Password:

chet-2500> show kerberos creds


Default Principal: chet@[Link]
Valid Starting Expires Service Principal
13-May-1996 [Link] 13-May-1996 [Link] krbtgt/[Link]@[Link]

chet-2500> telnet chet-ss20


Trying [Link] ([Link])... Open
Kerberos: Successfully forwarded credentials

SunOS UNIX (chet-ss20) (pts/7)

Last login: Mon May 13 [Link] from [Link].c


Sun Microsystems Inc. SunOS 5.4 Generic July 1994
unknown mode: new
chet-ss20%

The following example shows how to authenticate to the router using Kerberos credentials. To
authenticate using Kerberos credentials, you would perform the following tasks:
• Entering configuration mode
• Copying the SRVTAB file from the KDC to the router with TFTP (the kerberos srvtab remote command)
• Setting authentication at login to use the Kerberos 5 Telnet authentication protocol when using
Telnet to connect to the router, falling back to a Kerberos password prompt when the Telnet client
does not authenticate that way
• Writing the configuration to the terminal
Note that the new configuration contains a kerberos srvtab entry line. This line is created by the
kerberos srvtab remote command. The SRVTAB holds the router’s long-term Kerberos key, the secret
under which a client’s ticket to the router is encrypted. TFTP transfers it unencrypted, so retrieve it over a
trusted network and remove the file from the TFTP server once the router has loaded it; the key also
appears in the kerberos srvtab entry line of the running configuration, so treat configuration output and
backups as sensitive.
chet-2500# configure term
Enter configuration commands, one per line. End with CNTL/Z.
chet-2500(config)# kerberos srvtab remote earth chet/[Link]-new-srvtab
Translating "earth"...domain server ([Link]) [OK]

Loading chet/[Link]-new-srvtab from [Link] (via Ethernet0): !


[OK - 66/1000 bytes]

chet-2500(config)# aaa authentication login default krb5-telnet krb5


chet-2500(config)#
chet-2500#
%SYS-5-CONFIG_I: Configured from console by console
chet-2500# write term
Building configuration...

Current configuration:
!


! Last configuration change at [Link] PDT Mon May 13 1996


!
version 11.2
service udp-small-servers
service tcp-small-servers
!
hostname chet-2500
!
clock timezone PST -8
clock summer-time PDT recurring
aaa new-model
aaa authentication login default krb5-telnet krb5
aaa authentication login console none
aaa authentication ppp local local
enable password sMudgKin
!
username chet-2500 password 7 sMudgkin
username chet-3000 password 7 sMudgkin
username chetin password 7 sMudgkin
kerberos local-realm [Link]
kerberos srvtab entry host/[Link]@[Link] 0 832015393 1 1 8 7 sMudgkin
kerberos server [Link] [Link]
kerberos credentials forward
!
interface Ethernet0
ip address [Link] [Link]
!
interface Serial0
no ip address
shutdown
no fair-queue
!

interface Serial1
no ip address
shutdown
no fair-queue
!
interface Async2
ip unnumbered Ethernet0
encapsulation ppp
shutdown
async dynamic routing
async mode dedicated
no cdp enable
ppp authentication pap local
no tarp propagate
!
interface Async3
ip unnumbered Ethernet0
encapsulation ppp
shutdown
async dynamic address
async dynamic routing
async mode dedicated
no cdp enable
ppp authentication pap local
no tarp propagate
!
router eigrp 109
network [Link]
no auto-summary
!
ip default-gateway [Link]


ip domain-name [Link]
ip name-server [Link]
ip classless
!
!
line con 0
exec-timeout 0 0
login authentication console
line 1 16
transport input all
line aux 0
transport input all
line vty 0 4
password sMudgKin
!
ntp clock-period 17179703
ntp peer [Link]
ntp peer [Link]
end

chet-2500#

With this configuration, the user can Telnet in to the router using Kerberos credentials, as illustrated in
the next example. The Kerberos-aware telnet is run with -a (attempt automatic login with the existing
TGT) and -F (forward the credentials to the router), which is why the router reports accepted forwarded
credentials and no password prompt appears:
chet-ss20% bin/telnet -a -F chet-2500
Trying [Link]...
Connected to [Link].
Escape character is '^]'.
[ Kerberos V5 accepts you as "chet@[Link]" ]

User Access Verification

chet-2500>[ Kerberos V5 accepted forwarded credentials ]

chet-2500> show kerberos creds


Default Principal: chet@[Link]
Valid Starting Expires Service Principal
13-May-1996 [Link] 14-May-1996 [Link] krbtgt/[Link]@[Link]

chet-2500>q
Connection closed by foreign host.
chet-ss20%

The following example shows how to map Kerberos instances to Cisco’s privilege levels. To map
Kerberos instances to privilege levels, you would perform the following tasks:
• Entering configuration mode
• Mapping the Kerberos instance admin to privilege level 15
• Mapping the Kerberos instance restricted to privilege level 3
• Specifying that the instance defined by the kerberos instance map command be used for AAA
Authorization
• Writing the configuration to the terminal
chet-2500# configure term
Enter configuration commands, one per line. End with CNTL/Z.
chet-2500(config)# kerberos instance map admin 15
chet-2500(config)# kerberos instance map restricted 3
chet-2500(config)# aaa authorization exec default krb5-instance
chet-2500(config)#
chet-2500#


%SYS-5-CONFIG_I: Configured from console by console


chet-2500# write term
Building configuration...

Current configuration:
!
! Last configuration change at [Link] PDT Mon May 13 1996
!
version 11.2
service udp-small-servers
service tcp-small-servers
!
hostname chet-2500
!
aaa new-model
aaa authentication login default krb5-telnet krb5
aaa authentication login console none
aaa authentication ppp default krb5 local
aaa authorization exec default krb5-instance
enable password sMudgKin
!
username chet-2500 password 7 sMudgkin
username chet-3000 password 7 sMudgkin
username chetin password 7 sMudgkin
ip domain-name [Link]
ip name-server [Link]
kerberos local-realm [Link]
kerberos srvtab entry host/[Link]@[Link] 0 832015393 1 1 8 7 sMudgkin
kerberos server [Link] [Link]
kerberos instance map admin 15
kerberos instance map restricted 3
kerberos credentials forward
clock timezone PST -8
clock summer-time PDT recurring
!
interface Ethernet0
ip address [Link] [Link]
!
interface Serial0
no ip address
shutdown
no fair-queue
!
interface Serial1
no ip address
shutdown
no fair-queue
!
interface Async2
ip unnumbered Ethernet0
encapsulation ppp
shutdown
async dynamic routing
async mode dedicated
no cdp enable
ppp authentication pap local
no tarp propagate
!
interface Async3
ip unnumbered Ethernet0
encapsulation ppp
shutdown
async dynamic address
async dynamic routing


async mode dedicated


no cdp enable
ppp authentication pap local
no tarp propagate
!
router eigrp 109
network [Link]
no auto-summary
!
ip default-gateway [Link]
ip classless
!
!
line con 0
exec-timeout 0 0
login authentication console
line 1 16
transport input all
line aux 0
transport input all
line vty 0 4
password sMudgKin
!
ntp clock-period 17179703
ntp peer [Link]
ntp peer [Link]
end

chet-2500#

The following example shows output from the three types of sessions now possible for user chet with
Kerberos instances turned on. The user selects an instance by entering chet, chet/admin, or
chet/restricted at the Username prompt. Each instance is a distinct principal in the KDC with its own
password, so the privilege level a session lands at is tied to knowing that instance’s password, not just
the username:
chet-ss20% telnet chet-2500
Trying [Link] ...
Connected to [Link].
Escape character is '^]'.

User Access Verification

Username: chet
Password:

chet-2500> show kerberos creds


Default Principal: chet@[Link]
Valid Starting Expires Service Principal
13-May-1996 [Link] 13-May-1996 [Link] krbtgt/[Link]@[Link]

chet-2500> show privilege


Current privilege level is 1
chet-2500> q
Connection closed by foreign host.
chet-ss20% telnet chet-2500
Trying [Link] ...
Connected to [Link].
Escape character is '^]'.

User Access Verification

Username: chet/admin
Password:

chet-2500# show kerberos creds


Default Principal: chet/admin@[Link]


Valid Starting Expires Service Principal
13-May-1996 [Link] 13-May-1996 [Link] krbtgt/[Link]@[Link]
chet-2500# show privilege
Current privilege level is 15
chet-2500# q
Connection closed by foreign host.
chet-ss20% telnet chet-2500
Trying [Link] ...
Connected to [Link].
Escape character is '^]'.

User Access Verification

Username: chet/restricted
Password:

chet-2500# show kerberos creds


Default Principal: chet/restricted@[Link]
Valid Starting Expires Service Principal
13-May-1996 [Link] 13-May-1996 [Link] krbtgt/[Link]@[Link]

chet-2500# show privilege


Current privilege level is 3
chet-2500# q
Connection closed by foreign host.
chet-ss20%

Encrypted Telnet Session Example


The following example shows how to establish an encrypted Telnet session from a router to a remote
host named “host1”:
Router> telnet host1 /encrypt kerberos

Traffic Filtering and Firewalls
Access Control Lists: Overview and Guidelines

Cisco provides basic traffic filtering capabilities with access control lists (also referred to as access lists).
Access lists can be configured for all routed network protocols (IP, AppleTalk, and so on) to filter the
packets of those protocols as the packets pass through a router.
You can configure access lists at your router to control access to a network: access lists can prevent
certain traffic from entering or exiting a network.

In This Chapter
This chapter describes access lists as part of a security solution. This chapter includes tips, cautions,
considerations, recommendations, and general guidelines for how to use access lists.
This chapter has these sections:
• About Access Control Lists
• Overview of Access List Configuration
• Finding Complete Configuration and Command Information for Access Lists

About Access Control Lists


This section briefly describes what access lists do; why and when you should configure access lists; and
basic versus advanced access lists.
This section has the following sections:
• What Access Lists Do
• Why You Should Configure Access Lists
• When to Configure Access Lists
• Basic Versus Advanced Access Lists

What Access Lists Do


Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the
router’s interfaces. Your router examines each packet to determine whether to forward or drop the packet,
on the basis of the criteria you specified within the access lists.


Access list criteria could be the source address of the traffic, the destination address of the traffic, the
upper-layer protocol, or other information. Note that sophisticated users can sometimes successfully
evade or fool basic access lists, because the lists match only on packet header fields such as addresses,
which a sender can forge, and no authentication of the sender is required.

Why You Should Configure Access Lists


There are many reasons to configure access lists; for example, you can use access lists to restrict contents
of routing updates or to provide traffic flow control. One of the most important reasons to configure
access lists is to provide security for your network, which is the focus of this chapter.
You should use access lists to provide a basic level of security for accessing your network. If you do not
configure access lists on your router, all packets passing through the router could be allowed onto all
parts of your network.
Access lists can allow one host to access a part of your network and prevent another host from accessing
the same area. In Figure 14, host A is allowed to access the Human Resources network, and host B is
prevented from accessing the Human Resources network.

Figure 14 Using Traffic Filters to Prevent Traffic from Being Routed to a Network

[Figure: Host A and Host B reach the Human Resources network and the Research & Development
network through a filtering router. Host A is allowed to access the Human Resources network; Host B is
prevented from accessing it.]

You can also use access lists to decide which types of traffic are forwarded or blocked at the router
interfaces. For example, you can permit e-mail traffic to be routed, but at the same time block all
Telnet traffic.

When to Configure Access Lists


Access lists should be used in “firewall” routers, which are often positioned between your internal
network and an external network such as the Internet. You can also use access lists on a router positioned
between two parts of your network, to control traffic entering or exiting a specific part of your internal
network.
To provide the security benefits of access lists, you should at a minimum configure access lists on border
routers—routers situated at the edges of your networks. This provides a basic buffer from the outside
network, or from a less controlled area of your own network into a more sensitive area of your network.


On these routers, you should configure access lists for each network protocol configured on the router
interfaces. You can configure access lists so that inbound traffic or outbound traffic or both are filtered
on an interface.
Access lists must be defined on a per-protocol basis. In other words, you should define access lists for
every protocol enabled on an interface if you want to control traffic flow for that protocol.

Note Some protocols refer to access lists as filters.

Basic Versus Advanced Access Lists


This chapter describes how to use standard and static extended access lists, which are the basic types of
access lists. Some type of basic access list should be used with each routed protocol that you have
configured for router interfaces.
Besides the basic types of access lists described in this chapter, there are also more advanced access lists
available, which provide additional security features and give you greater control over packet
transmission. These advanced access lists and features are described in the other chapters within the part
“Traffic Filtering and Firewalls.”

Overview of Access List Configuration


Each protocol has its own set of specific tasks and rules that are required in order for you to provide
traffic filtering. In general, most protocols require at least two basic steps to be accomplished. The first
step is to create an access list definition, and the second step is to apply the access list to an interface.
The following sections describe these two steps:
• Creating Access Lists
• Applying Access Lists to Interfaces
Note that some protocols refer to access lists as filters and refer to the act of applying the access lists to
interfaces as filtering.

Creating Access Lists


Create access lists for each protocol you wish to filter, per router interface. For some protocols, you
create one access list to filter inbound traffic, and one access list to filter outbound traffic.
To create an access list, you specify the protocol to filter, you assign a unique name or number to the
access list, and you define packet filtering criteria. A single access list can have multiple filtering criteria
statements.
Cisco recommends that you create your access lists on a TFTP server and then download the access lists
to your router. This approach can considerably simplify maintenance of your access lists. For details, see
the “Creating and Editing Access List Statements on a TFTP Server” section later in this chapter.


The protocols for which you can configure access lists are identified in Table 16.
This section has the following sections:
• Assigning a Unique Name or Number to Each Access List
• Defining Criteria for Forwarding or Blocking Packets
• Creating and Editing Access List Statements on a TFTP Server

Assigning a Unique Name or Number to Each Access List


When configuring access lists on a router, you must identify each access list uniquely within a protocol
by assigning either a name or a number to the protocol’s access list.

Note Access lists of some protocols must be identified by a name, and access lists of other protocols must
be identified by a number. Some protocols can be identified by either a name or a number. When a
number is used to identify an access list, the number must be within the specific range of numbers
that is valid for the protocol.

You can specify access lists by names for the following protocols:
• Apollo Domain
• IP
• IPX
• ISO CLNS
• NetBIOS IPX
• Source-route bridging NetBIOS
You can specify access lists by numbers for the protocols listed in Table 16. Table 16 also lists the range
of access list numbers that is valid for each protocol.

Table 16 Protocols with Access Lists Specified by Numbers

Protocol                                   Range
IP                                         1–99, 1300–1999
Extended IP                                100–199, 2000–2699
Ethernet type code                         200–299
Ethernet address                           700–799
Transparent bridging (protocol type)       200–299
Transparent bridging (vendor code)         700–799
Extended transparent bridging              1100–1199
DECnet and extended DECnet                 300–399
XNS                                        400–499
Extended XNS                               500–599
AppleTalk                                  600–699
Source-route bridging (protocol type)      200–299
Source-route bridging (vendor code)        700–799
IPX                                        800–899
Extended IPX                               900–999
IPX SAP                                    1000–1099
Standard VINES                             1–100
Extended VINES                             101–200
Simple VINES                               201–300

Defining Criteria for Forwarding or Blocking Packets


When creating an access list, you define criteria that are applied to each packet that is processed by the
router; the router decides whether to forward or block each packet on the basis of whether or not the
packet matches the criteria.
Typical criteria you define in access lists are packet source addresses, packet destination addresses, and
upper-layer protocol of the packet. However, each protocol has its own specific set of criteria that can
be defined.
For a single access list, you can define multiple criteria in multiple, separate access list statements. Each
of these statements should reference the same identifying name or number, to tie the statements to the
same access list. You can have as many criteria statements as you want, limited only by the available
memory. Of course, the more statements you have, the more difficult it will be to comprehend and
manage your access lists.

The Implied “Deny All Traffic” Criteria Statement

At the end of every access list is an implied “deny all traffic” criteria statement. Therefore, if a packet
does not match any of your criteria statements, the packet will be blocked.

Note For most protocols, if you define an inbound access list for traffic filtering, you should include
explicit access list criteria statements to permit routing updates. If you do not, you might effectively
lose communication from the interface when routing updates are blocked by the implicit “deny all
traffic” statement at the end of the access list.

The Order in Which You Enter Criteria Statements

Note that each additional criteria statement that you enter is appended to the end of the access list
statements. Also note that you cannot delete individual statements after they have been created. You can
only delete an entire access list.
The order of access list statements is important! When the router is deciding whether to forward or block
a packet, the Cisco IOS software tests the packet against each criteria statement in the order in which the
statements were created. After a match is found, no more criteria statements are checked.
If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be
checked. If you need additional statements, you must delete the access list and retype it with the new
entries.


Creating and Editing Access List Statements on a TFTP Server


Because the order of access list criteria statements is important, and because you cannot reorder or delete
criteria statements on your router, Cisco recommends that you create all access list statements on a TFTP
server, and then download the entire access list to your router.
To use a TFTP server, create the access list statements using any text editor, and save the access list in
ASCII format to a TFTP server that is accessible by your router. Then, from your router, use the copy
tftp:file_id system:running-config command to copy the access list to your router. Finally, perform the
copy system:running-config nvram:startup-config command to save the access list to your router’s
NVRAM.
Then, if you ever want to make changes to an access list, you can make them to the text file on the TFTP
server, and copy the edited file to your router as before.

Note The first command of an edited access list file should delete the previous access list (for example,
type a no access-list command at the beginning of the file). If you do not first delete the previous
version of the access list, when you copy the edited file to your router you will merely be appending
additional criteria statements to the end of the existing access list.
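The first-match rule, the implied “deny all traffic” statement, and the append-only behaviour that the
TFTP note describes are easy to get wrong by hand, so the following Python model is added here as a
worked example; it is not Cisco code and is not part of the original guide. It accepts standard (1–99) and
extended (100–199) IP statements in the any, host, and address/wildcard forms with an optional eq port,
applies a file of statements the way copy tftp: system:running-config does, evaluates packets in the order
the statements were entered, and reports statements that can never match. The statements and addresses
in ACL_FILE are constructed for the example.

```python
"""Model of Cisco IOS numbered IP access lists (standard 1-99, extended 100-199):
first match wins, an implied 'deny all' ends every list, statements are only
ever appended, and 'no access-list N' deletes the whole list. Illustrative
code, not Cisco IOS; it accepts only the statement forms in ACL_FILE below."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = (0, 0xFFFFFFFF)        # 0.0.0.0 with wildcard 255.255.255.255

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

@dataclass(frozen=True)
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol; else "tcp", "udp", "icmp"
    src: tuple               # (address, wildcard) as ints; 1-bits in the wildcard are don't-care
    dst: tuple               # same; a standard list always has dst == ANY
    dport: Optional[int]     # destination port from "eq N", None for any port
    text: str                # the statement as typed, for reporting

def _take_addr(tokens: list) -> tuple:
    """Pop 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' | bare 'A.B.C.D' (= host)."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return (_ip(tokens.pop(0)), 0)
    if tokens and tokens[0].replace(".", "").isdigit():   # a wildcard mask follows
        return (_ip(first), _ip(tokens.pop(0)))
    return (_ip(first), 0)

def parse_statement(line: str) -> tuple:
    """Parse 'access-list N permit|deny ...' into (N, Entry)."""
    tokens = line.split()
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99:        # standard list: source address only
        return number, Entry(action, "ip", _take_addr(rest), ANY, None, line)
    if 100 <= number <= 199:     # extended list: protocol, source, destination [eq port]
        proto = rest.pop(0)
        src, dst = _take_addr(rest), _take_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        return number, Entry(action, proto, src, dst, dport, line)
    raise ValueError(f"list number {number} is not modelled here")

def load_config(lines, lists=None) -> dict:
    """Apply lines as 'copy tftp: system:running-config' does: each statement is
    appended to its list (no single insert or delete); 'no access-list N' drops list N."""
    lists = {} if lists is None else lists
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("no access-list "):
            lists.pop(int(line.split()[2]), None)
            continue
        number, entry = parse_statement(line)
        lists.setdefault(number, []).append(entry)
    return lists

def _covers(outer: tuple, inner: tuple) -> bool:
    """True if every address matching rule `inner` also matches rule `outer`.
    A single packet address is the rule (address, 0)."""
    care = outer[1] ^ 0xFFFFFFFF          # bits the outer rule insists on
    return not (care & inner[1]) and (outer[0] & care) == (inner[0] & care)

def evaluate(entries, proto: str, src: str, dst: str, dport: Optional[int] = None) -> tuple:
    """Return (decision, entry): statements are tried in the order entered, the
    first match decides, and no match is the implied 'deny all' (entry None)."""
    s, d = (_ip(src), 0), (_ip(dst), 0)
    for e in entries:
        if (e.proto in ("ip", proto) and _covers(e.src, s)
                and _covers(e.dst, d) and e.dport in (None, dport)):
            return e.action, e
    return "deny", None

def shadowed(entries) -> list:
    """Statements that can never match because an earlier one already covers every
    packet they describe, e.g. anything entered after 'permit ip any any'."""
    return [later for i, later in enumerate(entries)
            if any(earlier.proto in ("ip", later.proto)
                   and _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                   and earlier.dport in (None, later.dport) for earlier in entries[:i])]

# Constructed sample file in the shape the chapter recommends for a TFTP server:
# delete the old list first, then re-enter every statement in the intended order.
ACL_FILE = """
no access-list 101
access-list 101 permit tcp any host 10.1.1.5 eq 25
access-list 101 deny tcp any any eq 23
access-list 101 permit ip 10.1.0.0 0.0.255.255 any
access-list 101 permit ip any any
access-list 101 deny ip host 10.1.1.9 any
""".strip().splitlines()
```

Loading ACL_FILE gives a five-statement list in which the final deny for host 10.1.1.9 can never match,
because permit ip any any precedes it; shadowed() reports exactly that statement. A packet that matches
no statement comes back as deny with no entry, the implied deny at the end of the list. Feeding the same
file in a second time without its leading no access-list 101 line leaves ten statements rather than five,
which is the appending behaviour the note above warns about.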

Applying Access Lists to Interfaces


For some protocols, you can apply up to two access lists to an interface: one inbound access list and one
outbound access list. With other protocols, you apply only one access list which checks both inbound
and outbound packets.
If the access list is inbound, when the router receives a packet, the Cisco IOS software checks the access
list’s criteria statements for a match. If the packet is permitted, the software continues to process the
packet. If the packet is denied, the software discards the packet.
If the access list is outbound, after receiving and routing a packet to the outbound interface, the software
checks the access list’s criteria statements for a match. If the packet is permitted, the software transmits
the packet. If the packet is denied, the software discards the packet.

Note Access lists that are applied to interfaces do not filter traffic that originates from that router.

Finding Complete Configuration and Command Information for Access Lists

The guidelines discussed in this chapter apply in general to all protocols. The specific instructions for
creating access lists and applying them to interfaces vary from protocol to protocol, and this specific
information is not included in this chapter.
To find complete configuration and command information to configure access lists for a specific
protocol, see the corresponding chapters in the Cisco IOS configuration guides and command
references. For example, to configure access lists for the IP protocol, refer to the “Configuring IP Access
Lists” chapter in the Cisco IOS IP Configuration Guide at the following URL:
[Link]


For information on dynamic access lists, see the chapter “Configuring Lock-and-Key Security (Dynamic
Access Lists)” later in this book.
For information on reflexive access lists, see the chapter “Configuring IP Session Filtering (Reflexive
Access Lists)” later in this book.

Cisco IOS Firewall Overview

This chapter describes how you can configure your Cisco networking device to function as a firewall,
using Cisco IOS Firewall security features.
This chapter has the following sections:
• About Firewalls
• The Cisco IOS Firewall Solution
• Creating a Customized Firewall
• Other Guidelines for Configuring Your Firewall

About Firewalls
Firewalls are networking devices that control access to your organization’s network assets. Firewalls are
positioned at the entrance points into your network. If your network has multiple entrance points, you
must position a firewall at each point to provide effective network access control.
Firewalls are often placed in between the internal network and an external network such as the Internet.
With a firewall between your network and the Internet, all traffic coming from the Internet must pass
through the firewall before entering your network.
Firewalls can also be used to control access to a specific part of your network. For example, you can
position firewalls at all the entry points into a research and development network to prevent unauthorized
access to proprietary information.
The most basic function of a firewall is to monitor and filter traffic. Firewalls can be simple or elaborate,
depending on your network requirements. Simple firewalls are usually easier to configure and manage.
However, you might require the flexibility of a more elaborate firewall.

The Cisco IOS Firewall Solution


Cisco IOS software provides an extensive set of security features, allowing you to configure a simple or
elaborate firewall, according to your particular requirements. You can configure a Cisco device as a
firewall if the device is positioned appropriately at a network entry point. Security features that provide
firewall functionality are listed in the “Creating a Customized Firewall” section.
In addition to the security features available in standard Cisco IOS feature sets, Cisco IOS Firewall gives
your router additional firewall capabilities.


The Cisco IOS Firewall Feature Set


The Cisco IOS Firewall feature set combines existing Cisco IOS firewall technology and the
Context-based Access Control (CBAC) feature. When you configure the Cisco IOS Firewall on your
Cisco router, you turn your router into an effective, robust firewall.
The Cisco IOS Firewall features are designed to prevent unauthorized external individuals from gaining
access to your internal network and to block attacks on your network, while at the same time allowing
authorized users to access network resources.
You can use the Cisco IOS Firewall features to configure your Cisco IOS router as one of the following:
• An Internet firewall or part of an Internet firewall
• A firewall between groups in your internal network
• A firewall providing secure connections to or from branch offices
• A firewall between your company’s network and your company’s partners’ networks
The Cisco IOS Firewall features provide the following benefits:
• Protection of internal networks from intrusion
• Monitoring of traffic through network perimeters
• Enabling of network commerce via the World Wide Web

Creating a Customized Firewall


To create a firewall customized to fit your organization’s security policy, you should determine which
Cisco IOS Firewall features are appropriate, and configure those features. At a minimum, you must
configure basic traffic filtering to provide a basic firewall. You can configure your Cisco networking
device to function as a firewall by using the following Cisco IOS Firewall features:
• Standard Access Lists and Static Extended Access Lists
• Lock-and-Key (Dynamic Access Lists)
• Reflexive Access Lists
• TCP Intercept
• Context-based Access Control
• Cisco IOS Firewall Intrusion Detection System
• Authentication Proxy
• Port to Application Mapping
• Security Server Support
• Network Address Translation
• IPSec Network Security
• Neighbor Router Authentication
• Event Logging
• User Authentication and Authorization


In addition to configuring these features, you should follow the guidelines listed in the “Other Guidelines
for Configuring Your Firewall” section. This section outlines important security practices to protect your
firewall and network. Table 17 describes Cisco IOS security features.

Table 17 Cisco IOS Features for a Robust Firewall

Feature Chapter Comments


Standard Access Lists and “Access Control Lists: Standard and static extended access lists provide basic traffic
Static Extended Access Overview and Guidelines” filtering capabilities. You configure criteria that describe
Lists which packets should be forwarded, and which packets
should be dropped at an interface, based on each packet’s
network layer information. For example, you can block all
UDP packets from a specific source IP address or address
range. Some extended access lists can also examine transport
layer information to determine whether to block or forward
packets.
To configure a basic firewall, you should at a minimum
configure basic traffic filtering. You should configure basic
access lists for all network protocols that will be routed
through your firewall, such as IP, IPX, AppleTalk, and so
forth.
Lock-and-Key (Dynamic “Configuring Lock-and-Key Lock-and-Key provides traffic filtering with the ability to
Access Lists) Security (Dynamic Access allow temporary access through the firewall for certain
Lists)” individuals. These individuals must first be authenticated (by
a username/password mechanism) before the firewall allows
their traffic through the firewall. Afterwards, the firewall
closes the temporary opening. This provides tighter control
over traffic at the firewall than with standard or static
extended access lists.
Reflexive Access Lists “Configuring IP Session Reflexive access lists filter IP traffic so that TCP or UDP
Filtering (Reflexive Access “session” traffic is only permitted through the firewall if the
Lists)” session originated from within the internal network.
You would only configure Reflexive Access Lists when not
using Context-based Access Control.
TCP Intercept “Configuring TCP Intercept TCP Intercept protects TCP servers within your network
(Preventing Denial-of-Service from TCP SYN-flooding attacks, a type of denial-of-service
Attacks)” attack.
You would only configure TCP Intercept when not using
Context-based Access Control.

Cisco IOS Security Configuration Guide


SC-187
Cisco IOS Firewall Overview
Creating a Customized Firewall

Table 17 Cisco IOS Features for a Robust Firewall (continued)

Feature Chapter Comments


Feature: Context-based Access Control
Chapter: “Configuring Context-Based Access Control”
Comments: Context-based Access Control (CBAC) examines not only network layer and transport layer information, but also application-layer protocol information (such as FTP information) to learn about the state of TCP and UDP connections. CBAC maintains connection state information for individual connections. This state information is used to make intelligent decisions about whether packets should be permitted or denied, and to dynamically create and delete temporary openings in the firewall.
CBAC also generates real-time alerts and audit trails. Enhanced audit trail features use syslog to track all network transactions. Real-time alerts send syslog error messages to central management consoles upon detecting suspicious activity. Using CBAC inspection rules, you can configure alerts and audit trail information on a per-application-protocol basis.
CBAC is only available in the Cisco IOS Firewall feature set.

Feature: Cisco IOS Firewall Intrusion Detection System
Chapter: “Configuring Cisco IOS Firewall Intrusion Detection System”
Comments: The Cisco IOS Firewall Intrusion Detection System (IDS) acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router and scanning each to match any of the IDS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog. The network administrator can configure the IDS system to choose the appropriate response to various threats. When packets in a session match a signature, the IDS system can be configured to:
• Send an alarm to a syslog server or a Cisco NetRanger Director (centralized management interface)
• Drop the packet
• Reset the TCP connection

Feature: Authentication Proxy
Chapter: “Configuring Authentication Proxy”
Comments: The Cisco IOS Firewall authentication proxy feature allows network administrators to apply specific security policies on a per-user basis. Previously, user identity and the related authorized access were associated with a user’s IP address, or a single security policy had to be applied to an entire user group or subnetwork. Now, users can be identified and authorized on the basis of their per-user policy, and access privileges tailored on an individual basis are possible, as opposed to a general policy applied across multiple users.

Feature: Port to Application Mapping
Chapter: “Configuring Port to Application Mapping”
Comments: Port to Application Mapping (PAM) is a feature of Cisco IOS Firewall. PAM allows you to customize TCP or UDP port numbers for network services or applications. PAM uses this information to support network environments that run services using ports that are different from the registered or well-known ports associated with an application. The information in the PAM table enables CBAC-supported services to run on nonstandard ports.

Feature: Security Server Support
Chapter: “Configuring TACACS+,” “Configuring RADIUS,” and “Configuring Kerberos”
Comments: The Cisco IOS Firewall feature set can be configured as a client of the following supported security servers:
• TACACS+ (including CiscoSecure)
• RADIUS
• Kerberos
You can use any of these security servers to store a database of user profiles. To gain access into your firewall or to gain access through the firewall into another network, users must enter authentication information (such as a username and password), which is matched against the information on the security server. When users pass authentication, they are granted access according to their specified privileges.

Feature: Network Address Translation
Chapter: “Configuring IP Addressing” chapter in the Cisco IOS IP Configuration Guide
Comments: You can use Network Address Translation (NAT) to hide internal IP network addresses from the world outside the firewall.
NAT was designed to conserve IP addresses and to support internal IP networks that use unregistered (not globally unique) IP addresses: NAT translates these unregistered addresses into legal addresses at the firewall. NAT can also be configured to advertise only one address for the entire internal network to the outside world. This provides some security by effectively hiding the entire internal network from the world.
NAT gives you limited spoof protection because internal addresses are hidden. Additionally, NAT removes all your internal services from the external name space.
NAT does not work with the application-layer protocols RPC, VDOLive, or SQL*Net “Redirected.” (NAT does work with SQL*Net “Bequeathed.”) Do not configure NAT on networks that will carry traffic for these incompatible protocols.

Feature: IPSec Network Security
Chapter: “Configuring IPSec Network Security”
Comments: IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF) that provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices (“peers”) such as Cisco routers.

Feature: Neighbor Router Authentication
Chapter: “Neighbor Router Authentication: Overview and Guidelines”
Comments: Neighbor router authentication requires the firewall to authenticate all neighbor routers before accepting any route updates from that neighbor. This ensures that the firewall receives legitimate route updates from a trusted source.

Feature: Event Logging
Chapter: “Troubleshooting the Router” chapter in the “System Management” part of the Cisco IOS Configuration Fundamentals Configuration Guide
Comments: Event logging automatically logs output from system error messages and other events to the console terminal. You can also redirect these messages to other destinations such as virtual terminals, internal buffers, or syslog servers. You can also specify the severity of the event to be logged, and you can configure the logged output to be timestamped. The logged output can be used to assist real-time debugging and management, and to track potential security breaches or other nonstandard activities throughout a network.

Feature: User Authentication and Authorization
Chapter: “Configuring Authentication” and “Configuring Authorization”
Comments: Authentication and authorization help protect your network from access by unauthorized users.

Other Guidelines for Configuring Your Firewall


As with all networking devices, you should always protect access into the firewall by configuring
passwords as described in the chapter “Configuring Passwords and Privileges.” You should also consider
configuring user authentication, authorization, and accounting as described in the chapters in the
“Authentication, Authorization, and Accounting (AAA)” part of this guide.
You should also consider the following recommendations:
• When setting passwords for privileged access to the firewall, use the enable secret command rather than the enable password command. The enable password command stores the password in clear text or in a trivially reversible encoding, whereas enable secret stores a one-way MD5 hash of the password.
• Put a password on the console port. In authentication, authorization, and accounting (AAA) environments, use the same authentication for the console as for elsewhere. In a non-AAA environment, at a minimum configure the login and password line configuration commands on the console line.
• Think about access control before you connect a console port to the network in any way, including attaching a modem to the port. Be aware that a break on the console port might give total control of the firewall, even with access control configured: a break signal sent during the boot sequence can put the router into ROM monitor mode, from which the password recovery procedure can be used to bypass the configured passwords.
• Apply access lists and password protection to all virtual terminal ports. Use access lists (the access-class line configuration command) to limit who can Telnet into your router.

• Do not enable any local service (such as SNMP or NTP) that you do not use. Cisco Discovery
Protocol (CDP) and Network Time Protocol (NTP) are on by default, and you should turn these off
if you do not need them.
To turn off CDP, enter the no cdp run global configuration command. To turn off NTP, enter the ntp
disable interface configuration command on each interface not using NTP.
If you must run NTP, configure NTP only on required interfaces, and configure NTP to listen only
to certain peers.
Any enabled service could present a potential security risk. A determined, hostile party might be
able to find creative ways to misuse the enabled services to access the firewall or the network.
For local services that are enabled, protect against misuse. Protect by configuring the services to
communicate only with specific peers, and protect by configuring access lists to deny packets for
the services at specific interfaces.
• Protect against spoofing: protect the networks on both sides of the firewall from being spoofed from
the other side. You could protect against spoofing by configuring input access lists at all interfaces
to pass only traffic from expected source addresses, and to deny all other traffic.
You should also disable source routing. For IP, enter the no ip source-route global configuration
command. Disabling source routing at all routers can also help prevent spoofing.
You should also disable minor services. For IP, enter the no service tcp-small-servers and no
service udp-small-servers global configuration commands.
• Prevent the firewall from being used as a relay by configuring access lists on any asynchronous
Telnet ports.
• Normally, you should disable directed broadcasts for all applicable protocols on your firewall and on all your other routers. For IP, use the no ip directed-broadcast interface configuration command. Rarely, some IP networks do require directed broadcasts; if this is the case, do not disable directed broadcasts.
Directed broadcasts can be misused to amplify denial-of-service attacks (the “smurf” attack is the classic example), because every packet sent to a directed broadcast address is delivered to every host on the destination subnet, and each of those hosts may reply to the packet’s (spoofed) source address. Furthermore, some hosts have other intrinsic security risks present when handling broadcasts.
• Configure the no ip proxy-arp interface configuration command to prevent internal addresses from being revealed. (This is important to do if you do not already have NAT configured to prevent internal addresses from being revealed.)
• Keep the firewall in a secured (locked) room.
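The following configuration is added here as an illustration of the guidelines above; it is not taken from this guide or from any Cisco example. It assumes a router with one inside interface (Ethernet0, 192.168.1.0/24) and one outside interface (Serial0, 203.0.113.1); the interface names, addresses, passwords, NTP server address and access list numbers are assumptions chosen for the example and must be adjusted to your network.

```cisco
! Added example: minimal hardening per "Other Guidelines for Configuring Your
! Firewall". All names, addresses and passwords below are assumptions.
!
! Privileged-mode password stored as a one-way MD5 hash (enable secret), not as
! the reversible enable password. service password-encryption only obscures the
! line passwords below; it is not a substitute for enable secret.
service password-encryption
enable secret s3cr3t-example
!
! Turn off services that are on by default or not needed.
no cdp run
no ip source-route
no service tcp-small-servers
no service udp-small-servers
!
! NTP: synchronize only with a known server and accept NTP only from it.
ntp server 192.168.1.10
ntp access-group peer 20
access-list 20 permit host 192.168.1.10
!
! Anti-spoofing input filters.
! Inside interface: pass only packets sourced from the internal network; the
! implicit deny at the end of the list drops everything else.
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
! Outside interface: never accept packets claiming an internal, loopback or
! private source address; log attempts so spoofing shows up in syslog.
access-list 111 deny   ip 192.168.1.0 0.0.0.255 any log
access-list 111 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 111 permit ip any any
!
interface Ethernet0
 description inside network (assumed)
 ip address 192.168.1.1 255.255.255.0
 ip access-group 110 in
 no ip directed-broadcast
 no ip proxy-arp
!
interface Serial0
 description outside / Internet (assumed)
 ip address 203.0.113.1 255.255.255.252
 ip access-group 111 in
 no ip directed-broadcast
 no ip proxy-arp
 ntp disable
!
! Console: password required (non-AAA environment), idle sessions time out.
line con 0
 exec-timeout 5 0
 login
 password con-example
!
! Virtual terminals: password required, and only inside hosts may Telnet in.
access-list 10 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login
 password vty-example
```

The inside filter (list 110) assumes that every legitimate packet arriving on Ethernet0 is sourced from 192.168.1.0/24; add entries for any other expected sources (additional internal subnets, routing protocol neighbors) before applying it, or the implicit deny will drop them. After configuring, show ip interface confirms that proxy ARP and directed broadcast forwarding are disabled on each interface, and show access-lists shows the per-entry match counters, which is where spoofed packets logged by list 111 become visible.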

Configuring Lock-and-Key Security
(Dynamic Access Lists)

This chapter describes how to configure lock-and-key security at your router. Lock-and-key is a traffic
filtering security feature available for the IP protocol.
For a complete description of lock-and-key commands, refer to the “Lock-and-Key Commands” chapter
of the Cisco IOS Security Command Reference. To locate documentation of other commands that appear
in this chapter, use the command reference master index or search online.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on [Link] to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the chapter “Using Cisco IOS Software.”

In This Chapter
This chapter has the following sections:
• About Lock-and-Key
• Compatibility with Releases Before Cisco IOS Release 11.1
• Risk of Spoofing with Lock-and-Key
• Router Performance Impacts with Lock-and-Key
• Prerequisites to Configuring Lock-and-Key
• Configuring Lock-and-Key
• Verifying Lock-and-Key Configuration
• Maintaining Lock-and-Key
• Lock-and-Key Configuration Examples

Cisco IOS Security Configuration Guide


SC-193
Configuring Lock-and-Key Security (Dynamic Access Lists)
About Lock-and-Key

About Lock-and-Key
Lock-and-key is a traffic filtering security feature that dynamically filters IP protocol traffic.
Lock-and-key is configured using IP dynamic extended access lists. Lock-and-key can be used in
conjunction with other standard access lists and static extended access lists.
When lock-and-key is configured, designated users whose IP traffic is normally blocked at a router can
gain temporary access through the router. When triggered, lock-and-key reconfigures the interface’s
existing IP access list to permit designated users to reach their designated host(s). Afterwards,
lock-and-key reconfigures the interface back to its original state.
For a user to gain access to a host through a router with lock-and-key configured, the user must first open
a Telnet session to the router. When a user initiates a standard Telnet session to the router, lock-and-key
automatically attempts to authenticate the user. If the user is authenticated, they will then gain temporary
access through the router and be able to reach their destination host.
This section has the following sections:
• Benefits of Lock-and-Key
• When to Use Lock-and-Key
• How Lock-and-Key Works

Benefits of Lock-and-Key
Lock-and-key provides the same benefits as standard and static extended access lists (these benefits are
discussed in the chapter “Access Control Lists: Overview and Guidelines”). However, lock-and-key also
has the following security benefits over standard and static extended access lists:
• Lock-and-key uses a challenge mechanism to authenticate individual users.
• Lock-and-key provides simpler management in large internetworks.
• In many cases, lock-and-key reduces the amount of router processing required for access lists.
• Lock-and-key reduces the opportunity for network break-ins by network hackers.
With lock-and-key, you can specify which users are permitted access to which source and destination
hosts. These users must pass a user authentication process before they are permitted access to their
designated hosts. Lock-and-key creates dynamic user access through a firewall, without compromising
other configured security restrictions.

When to Use Lock-and-Key


Two examples of when you might use lock-and-key follow:
• When you want a specific remote user (or group of remote users) to be able to access a host within
your network, connecting from their remote hosts via the Internet. Lock-and-key authenticates the
user, then permits limited access through your firewall router for the individual’s host or subnet, for
a finite period of time.
• When you want a subset of hosts on a local network to access a host on a remote network protected
by a firewall. With lock-and-key, you can enable access to the remote host only for the desired set
of local users’ hosts. Lock-and-key requires the users to authenticate through a TACACS+ server, or
other security server, before allowing their hosts to access the remote hosts.

Cisco IOS Security Configuration Guide


SC-194
Configuring Lock-and-Key Security (Dynamic Access Lists)
Compatibility with Releases Before Cisco IOS Release 11.1

How Lock-and-Key Works


The following process describes the lock-and-key access operation:
1. A user opens a Telnet session to a border (firewall) router configured for lock-and-key. The user
connects via the virtual terminal port on the router.
2. The Cisco IOS software receives the Telnet packet, opens a Telnet session, prompts for a password,
and performs a user authentication process. The user must pass authentication before access through
the router is allowed. The authentication process can be done by the router or by a central access
security server such as a TACACS+ or RADIUS server.
3. When the user passes authentication, they are logged out of the Telnet session, and the software
creates a temporary entry in the dynamic access list. (Per your configuration, this temporary entry
can limit the range of networks to which the user is given temporary access.)
4. The user exchanges data through the firewall.
5. The software deletes the temporary access list entry when a configured timeout is reached, or when
the system administrator manually clears it. The configured timeout can either be an idle timeout or
an absolute timeout.

Note The temporary access list entry is not automatically deleted when the user terminates a session. The
temporary access list entry remains until a configured timeout is reached or until it is cleared by the
system administrator.
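The five-step operation above, shown as an added configuration example that is not one of this chapter’s own configuration examples. It assumes an outside interface Serial0 with address 203.0.113.1, a single protected internal server at 192.168.1.20, a locally defined user (a TACACS+ or RADIUS server could replace it), access list 101, and the dynamic list name and timeouts shown; all of these are assumptions for illustration.

```cisco
! Added example: lock-and-key (dynamic access list) on a border router.
! Addresses, names, user and timeouts are assumptions.
!
! Local user for step 2 (authentication). A TACACS+ or RADIUS server is the
! usual choice; local authentication keeps the example self-contained.
username jane password 0 jane-example
!
interface Serial0
 description outside / Internet (assumed)
 ip address 203.0.113.1 255.255.255.252
 ip access-group 101 in
!
! Step 1: the user must be able to Telnet to the router itself, so the inbound
! list on the outside interface statically permits Telnet to the router address.
access-list 101 permit tcp any host 203.0.113.1 eq telnet
!
! Step 3: template for the temporary entry. "timeout 120" is the absolute
! timeout in minutes for entries created from this template. The destination
! is limited to the one protected server rather than "any", so a successful
! login opens only that host, not the whole internal network.
access-list 101 dynamic lockkey timeout 120 permit ip any host 192.168.1.20
! Everything else arriving on Serial0 is dropped by the implicit deny.
!
line vty 0 4
 login local
 ! Steps 2 and 3: after a successful login, access-enable creates the temporary
 ! entry and the Telnet session is closed. "host" replaces "any" in the template
 ! with the authenticated user's source address, so the opening exists for that
 ! one address only (it does not stop someone else from spoofing that address,
 ! which is the risk described later in this chapter). "timeout 5" is the idle
 ! timeout in minutes; the entry is also removed by the 120-minute absolute
 ! timeout, or when an administrator clears it.
 autocommand access-enable host timeout 5
```

While the entry exists, show access-lists displays it beneath the dynamic template line, which is the quickest way to confirm step 3 worked. Because the autocommand is applied to every vty line here, an administrator who Telnets in is also logged out immediately after authenticating; the usual practice is to reserve one vty line for management (for example with the rotary line command) so that it carries no autocommand. An administrator removes an entry ahead of its timeout with the clear access-template command.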

Compatibility with Releases Before Cisco IOS Release 11.1


Enhancements to the access-list command are used for lock-and-key. These enhancements are backward
compatible—if you migrate from a release before Cisco IOS Release 11.1 to a newer release, your
access lists will be automatically converted to reflect the enhancements. However, if you try to use
lock-and-key with a release before Cisco IOS Release 11.1, you might encounter problems as described
in the following caution paragraph:

Caution Cisco IOS releases before Release 11.1 are not upwardly compatible with the lock-and-key access
list enhancements: software older than Release 11.1 does not understand the enhanced access list
syntax. If a configuration containing lock-and-key access lists is loaded by such an image, the resulting
access list will not be interpreted correctly. This could cause you severe security problems. You must
save your old configuration files with Cisco IOS Release 11.1 or later software before booting an image
with these files.

Cisco IOS Security Configuration Guide


SC-195
Configuring Lock-and-Key Security (Dynamic Access Lists)
Risk of Spoofing with Lock-and-Key

Risk of Spoofing with Lock-and-Key


Caution Lock-and-key access allows an external event (a Telnet session) to place an opening in the firewall.
While this opening exists, the router is susceptible to source address spoofing.

When lock-and-key is triggered, it creates a dynamic opening in the firewall by temporarily


reconfiguring an interface to allow user access. While this opening exists, another host might spoof the
authenticated user’s address to gain access behind the firewall. Lock-and-key does not cause the address
spoofing problem; the problem is only identified here as a concern to the user. Spoofing is a problem
inherent to all access lists, and lock-and-key does not specifically address this problem.
To prevent spoofing, configure encryption so that traffic from the remote host is encrypted at a secured
remote router, and decrypted locally at the router interface providing lock-and-key. You want to ensure
that all traffic using lock-and-key will be encrypted when entering