AAA. Like an '88 for the network

Authentication, Authorization, and Accounting.

I thought I had all this set solid in my mind, until I had to sit down in a rush without my notes to do one from scratch. It wasn't working like I thought. So writing out my notes, especially as relates to the CCNA, is a good use of this Sunday afternoon.

Local Auth

First things first: local authentication. Start by creating the local users and the enable secret.

enable secret enablesecretword
username testadmin privilege 15 secret secretpassword
username testuser privilege 15 secret secretpassword

For me, it does not make sense to skip aaa new-model. The "old model" (non-AAA) takes fewer commands, but once I understand how to put in new-model, it is worth doing. I'm not going to save a few commands now and make things harder later. New-model supports local authentication as well as remote AAA, so I/we may as well get used to it.

After the local usernames are in place and the aaa new-model command is applied, the method lists need to be created.

aaa authentication login default local uses the local user database for the default method list.

aaa authentication login LOGIN local creates a method list called LOGIN that authenticates against the local database. I prefer the explicit method list over the default, but there is no harm in specifying both. I would probably have "default" authenticate against the Radius or TACACS server ahead of the local user database. Default is used wherever a named method list is not applied but authentication may still be required. If I knew of an interface that would fall back to default, I would specify a login method list for it; it is hard to name a method list where I don't yet know one is going to be needed.

I heard about a Cisco bug that made it advisable to have a method list on all of the vty lines, even where no authentication should ever succeed. So if I never want lines 5 to 15 to authenticate, point their method list at a server that cannot validate the username/password, for example one blocked by an ACL. Lines 0 to 4 could authenticate against the local database, while lines 5 to 15 would authenticate to a Radius server that is blocked with an ACL.

Now that I have an authentication method list, I can apply it to my vty lines.

IR800(config)#line vty 0 15
login authentication LOGIN
transport input ssh

I probably should generate the crypto keys as well, which needs the hostname and domain name set first:

hostname TestRouter
ip domain-name example.test
crypto key generate rsa modulus 4096 (or so)
ip ssh version 2

Test with ping and ssh while still connected over the console port. Nothing is worse than getting shut out of your own router.

The console port needs to have method lists applied as well; the default method lists will not be applied to it automatically. You may want a separate LINECON method list, or just apply the vty method list. I am going to try one method list for the vty lines that authenticates to a TACACS+ or Radius server, and another method list that authenticates to the local database first, then tries TACACS or Radius if the username is not in the local database.

Local Authorization

After the local AAA is set for authentication, the next step is authorization. Authentication permits a user to log in; authorization sets what they can do once they are in.
TestRouter(config)#aaa authorization exec LOGIN local
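Here is the whole local-only procedure above pulled together into one configuration, as an added example that is not from the original post. The hostname, domain name, usernames and secrets are placeholders made up for the example; the post gave both users privilege 15, the example keeps testuser at level 1 so the distinction between logging in and being allowed to do things is visible. It also shows the two details that are easy to miss: a named method list does nothing until a line references it, and the console needs its own entry.

```cisco
! Added example, not the original post's configuration. All names and
! secrets here are placeholders.
hostname TestRouter
ip domain-name example.test
!
! Switch to the new-model AAA framework before defining any method list
aaa new-model
!
enable secret enablesecretword
! Only the admin account gets privilege 15; the test user stays at level 1
! (the post gave both 15; level 1 is the example's choice)
username testadmin privilege 15 secret secretpassword
username testuser privilege 1 secret secretpassword
!
! Named method lists: LOGIN authenticates, and authorizes the EXEC shell,
! against the local user database
aaa authentication login LOGIN local
aaa authorization exec LOGIN local
!
! SSH prerequisites: the RSA key is generated once, after hostname and
! ip domain-name are set; it is not stored as a line in the config
crypto key generate rsa modulus 4096
ip ssh version 2
!
! A named list only takes effect on the lines that reference it,
! so apply it to the console as well as the vty lines
line con 0
 login authentication LOGIN
 authorization exec LOGIN
!
line vty 0 4
 login authentication LOGIN
 authorization exec LOGIN
 transport input ssh
!
! Lines 5-15 are never meant to be used: they still get a method list
! (the post's bug note), and "transport input none" is this example's
! simpler alternative to the ACL-blocked RADIUS server the post describes
line vty 5 15
 login authentication LOGIN
 transport input none
```

Paste this while connected to the console, then open an SSH session as testadmin and as testuser in a second window before logging the console session out: testadmin should land at a privileged prompt, testuser at a user-mode one.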

Remote/Server Auth

TACACS+ has the advantage of encrypting the username and password, and of providing more fine-grained permissions (authorization) for users logging into the router, as opposed to through the router. Consider device administration vs. network access. (A. Woland, Network World, 26 Oct 2014)

Radius Authentication

Make sure the Radius server is reachable from the router. Ping it!

The Radius pieces have to be configured in order (server, then group, then method list), or the references throw errors in the config.

radius server RAD01
address ipv4 192.168.18.12 auth-port 1812 acct-port 1813
key 7 {key here}

Now that the server is config'd, the next step is to create the group that will be used in the method list.
aaa group server radius RAD01GROUP
server name RAD01

What really confused me is that in the running config, the Radius server shows up at the bottom, the server group at the top, and the method list in the middle. The order you have to enter them is the opposite of what you see: Radius server first, server group second, and method list third.
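The three Radius steps in the order the router needs them, followed by the method lists and the checks to run from the console before trusting them, as an added example that is not from the original post. The server address and shared secret are placeholders made up for the example. One caveat worth knowing: the "key 7" form in the snippet above is the already-encoded string a show run displays; when typing a fresh key in, give it in plaintext with "key 0" (or bare "key"), otherwise the router tries to decode the plaintext as a type-7 string and the key will not match the server.

```cisco
! Added example, not the original post's configuration. Address and
! shared secret are placeholders.
!
! 1. The server itself; it must exist before anything references it.
!    "key 0" = plaintext input; "key 7" is only the encoded display form.
radius server RAD01
 address ipv4 192.168.18.12 auth-port 1812 acct-port 1813
 key 0 RAD01-SHARED-SECRET-PLACEHOLDER
!
! 2. The server group that the method lists will name
aaa group server radius RAD01GROUP
 server name RAD01
!
! 3. Method lists. "group RAD01GROUP local" asks RAD01 first and falls
!    through to the local users only if the server does not answer.
!    A reject from RADIUS is final; local is a fallback for a dead
!    server, not a second chance at a bad password.
aaa authentication login default group RAD01GROUP local
aaa authorization exec default group RAD01GROUP local
!
! 4. Accounting, the third A: record start and stop of every EXEC
!    session to the same server group
aaa accounting exec default start-stop group RAD01GROUP
!
! Checks to run from the console before relying on this over SSH
! (exec-mode commands, shown here as comments):
!   ping 192.168.18.12
!   test aaa group RAD01GROUP testuser secretpassword new-code
!   show aaa servers
!   show running-config | section aaa
```

"test aaa group ... new-code" exercises the full round trip to RAD01 with a real username and password without opening a session, so a wrong shared secret or a blocked port shows up here rather than at the next login. "show aaa servers" then reports whether the router considers the server alive, which is what decides if the local fallback will ever be consulted.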

TACACS+ Authentication