AAA - Login with Centralized Authentication HowTo
About
This document aims to show how to set up an AAA method in the system with centralized authentication, and how it is connected to the login service.
For an overview of all available configuration settings for AAA refer to the configuration guide:
Introduction
Centralized authentication can be used to simplify account administration; this holds especially true as networks grow in size. Instead of manually adding each user and its credentials to each device, the device itself can be instructed to ask a remote server whether the provided credentials are valid and whether access should be granted.
The system supports two different types of remote authentication protocols: RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus).
Both are client/server protocols in which the server hosts a database of usernames and associated credentials. The client forwards the credentials provided at login to the server, which verifies whether they are valid.
Currently the device can only act as a client; there is no support for acting as a server for either of the protocols.
Configure
This section will cover how to configure a remote server AAA method and how to connect it to the login service.
Remote Server
When a central authentication server is defined in the system, a numeric ID is provided that will be associated with it. This ID will be used when mapping this specific method to a service with AAA support, e.g. the login service. The following example shows how to create a remote-server method using RADIUS:
example:/#> configure
example:/config/#> aaa
example:/config/aaa/#> remote-server 1
Creating new remote server 1
example:/config/aaa/remote-server-1/#> password RADiuSseCret
example:/config/aaa/remote-server-1/#> address 192.168.1.1
example:/config/aaa/remote-server-1/#> type radius
example:/config/aaa/remote-server-1/#> auth-port 1812
example:/config/aaa/remote-server-1/#> end
example:/config/aaa/#>
Notes on the configuration:
- The provided address is the location of the RADIUS server, and the associated password is the shared secret required for access to that server.
- The type of remote server is specified as a RADIUS server. The auth-port is also configured to the RADIUS default port 1812.
In case the desired method is to use TACACS+ instead, simply change the type and the auth-port:
example:/config/aaa/#> remote-server 1
example:/config/aaa/remote-server-1/#> type tacacs
example:/config/aaa/remote-server-1/#> auth-port 49
example:/config/aaa/remote-server-1/#> end
example:/config/aaa/#>
Server Group
If multiple different remote servers are utilized for redundancy purposes (both servers have identical user databases and are of the same type) they can be added to a server group.
- If the device gets a response from one server (accept or reject), it will not try the other server(s) in the server group.
- If the request sent to one server times out, it tries to send the request to the next server. This goes on until a response is received or until all servers in the group have been tried.
When a server group is defined in the system, a numeric ID is provided that will be associated with it. This ID will be used when mapping this specific method to a service with AAA support, e.g. the login service. Creation of a server-group is carried out as follows:
example:/#> configure
example:/config/#> aaa
example:/config/aaa/#> remote-server 1
Creating new remote server 1
example:/config/aaa/remote-server-1/#> password RADiuSseCret
example:/config/aaa/remote-server-1/#> address 192.168.1.1
example:/config/aaa/remote-server-1/#> type radius
example:/config/aaa/remote-server-1/#> auth-port 1812
example:/config/aaa/remote-server-1/#> end
example:/config/aaa/#> remote-server 2
Creating new remote server 2
example:/config/aaa/remote-server-2/#> password RADiuSseCret2
example:/config/aaa/remote-server-2/#> address 10.0.1.1
example:/config/aaa/remote-server-2/#> type radius
example:/config/aaa/remote-server-2/#> auth-port 1812
example:/config/aaa/remote-server-2/#> end
example:/config/aaa/#> server-group 1
Creating new server group 1
example:/config/aaa/server-group-1/#> server 1,2
example:/config/aaa/server-group-1/#> type tacacs
example:/config/aaa/server-group-1/#> end
Attach to login service
In order to configure the login service to authenticate users logging in against a remote-server, the ID of the created method needs to be supplied in the following manner:
example:/config/aaa/#> login
example:/config/aaa/login/#> method server 1
example:/config/aaa/login/#> end
example:/config/aaa/#>
Any login attempt to the device will try to authenticate against the configured server. If the request sent to the server results in a reject or a timeout, the device falls back to using the built-in accounts (e.g. the admin account).