C H A P T E R

Implementing the Server-Based AAA Subsystem

This chapter focuses on the following server-based AAA implementation topics:

4.1 Implementing Server-Based TACACS+ Dialup Authentication 4.2 Implementing Server-Based TACACS+ Dialup Authorization 4.3 Implementing Server-Based RADIUS Dialup Authentication 4.4 Implementing Server-Based RADIUS Dialup Authorization 4.5 Implementing Server-Based TACACS+ Router Authentication 4.6 Implementing Server-Based TACACS+ Router Authorization

Caution

The example configuration fragments used throughout this chapter include IP addresses, passwords, authentication keys, and other variables that are specific to this case study. If you use these fragments as foundations for you own configurations, be sure that your specifications apply to your environment.

Note

See Chapter 2, Implementing the Local AAA Subsystem, for specifics of local AAA implementation. See 1.1 AAA Technology Summary, in Chapter 1 for brief definitions of authentication, authorization, and accounting as they relate to AAA security implementation.

Cisco AAA Implementation Case Study

4-1

Chapter 4 4.1 Implementing Server-Based TACACS+ Dialup Authentication

Implementing the Server-Based AAA Subsystem

Figure 4-1 provides the general scenario this case study is built around and illustrates the server-based AAA components, including a AAA server and its associated AAA database.
Figure 4-1 Basic AAA Case Study Environment

Network element management server (NTP, Syslog, SNMP) Oracle dB server

Analog lines Clients Modems

PSTN

PRI lines

AAA server DNS server IP intranet Default gateway Internet firewall

Cisco AS5x00 with integrated modems

4.1 Implementing Server-Based TACACS+ Dialup Authentication

The following section focuses on server-based dialup authentication configuration. In this context, server-based refers to actions dependent upon an external AAA server. These actions are described in a series of general steps along with related commands, server configurations, and diagnostic steps as appropriate. Figure 4-2 illustrates a simplified TACACS+ server-based dial environment.
Figure 4-2 Server-Based Dial Environment (TACACS+)

Server-based dial access PSTN Modem IP

Cisco AAA Implementation Case Study

4-2

35051

AAA server

35089

Internet

Chapter 4

Implementing the Server-Based AAA Subsystem 4.1 Implementing Server-Based TACACS+ Dialup Authentication

These steps help you to accomplish the following tasks:

1. 2. 3. 4. 5. Step 1

Configure TACACS+ server-based authentication on NAS. Configure a user profile in the database. Verify the AAA server-based user configuration. Verify and troubleshoot authentication from the AAA server. Verify and troubleshoot PPP authentication from the NAS.

Configure TACACS+ server-based authentication on NAS. Include the following Cisco IOS configuration commands in your configuration to enforce server-based dial access authentication control with TACACS+:
aaa new-model aaa authentication login default group tacacs+ aaa authentication ppp default if-needed group tacacs+ ! tacacs-server host 172.22.53.101 key ciscorules

Note

See A.3 NAS AAA Command Implementation Descriptions in Appendix A, AAA Device Configuration Listings for notes regarding key Cisco IOS AAA commands.

Step 2

Configure a user profile in the database. Create a user in the AAA server by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u tac_dial -pw pap,ciscorules a 'service=ppp{\n protocol=ip{\n set addr-pool=default \n set inacl=110 \n}\n protocol=lcp {\n }\n }\n

Caution

When entering AddProfile to create users or groups, it is possible to successfully create users or groups that have invalid database parameters that result in profile errors viewable in /var/log/csuslog. Verify the AAA server-based user configuration. Enter this server command to view the AAA server-based user configuration:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u tac_dial user = tac_dial{ profile_id = 23 profile_cycle = 1 password = pap "********" service=ppp { protocol=ip { set addr-pool=default set inacl=110 } protocol=lcp { } } }

Step 3

Cisco AAA Implementation Case Study

4-3

Chapter 4 4.2 Implementing Server-Based TACACS+ Dialup Authorization

Implementing the Server-Based AAA Subsystem

Step 4

Verify and troubleshoot authentication from the AAA server. Enter the tail command:.
<CSUserver>$tail -f /var/log/csuslog

Note

See C.1 Server-Based TACACS+ Dialup Authentication Diagnostics for a description of relevant diagnostic output.

Step 5

Verify and troubleshoot PPP authentication from the NAS. Enter the debug aaa authentication and debug ppp authentication commands to confirm authentication from the NAS perspective.

Note

See C.1 Server-Based TACACS+ Dialup Authentication Diagnostics for relevant diagnostic output.

4.2 Implementing Server-Based TACACS+ Dialup Authorization

This section focuses on implementing of server-based dialup authorization and presents applicable configuration segments, server commands and file listings, and diagnostic steps. These steps help you to accomplish the following tasks:
1. 2. 3. 4. 5. Step 1

Configure TACACS+ server-based authorization on the NAS. Configure a user profile in the database. Verify the AAA server-based user configuration. Verify and troubleshoot a shell-initiated PPP session authorization from the AAA server. Verify and troubleshoot shell-initiated PPP authorization on the NAS.

Configure TACACS+ server-based authorization on the NAS. Include the following Cisco IOS configuration commands in your configuration to enforce server-based dial access authorization with TACACS+:
aaa new-model aaa authentication login default group tacacs+ aaa authentication ppp default if-needed group tacacs+ aaa authorization exec default group tacacs+ if-authenticated aaa authorization network default group tacacs+ if-authenticated ! tacacs-server host x.x.x.x key ciscorules

Note

See A.3 NAS AAA Command Implementation Descriptions in Appendix A, AAA Device Configuration Listings for notes regarding key Cisco IOS AAA commands.

Cisco AAA Implementation Case Study

4-4

Chapter 4

Implementing the Server-Based AAA Subsystem 4.2 Implementing Server-Based TACACS+ Dialup Authorization

Step 2

Configure a user profile in the database. Create a user in the AAA server by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u dialtest -pw des,ciscorules pw pap,ciscorules a 'service=shell{\ndefault cmd=permit\n}\nservice=ppp{\n protocol=ip{\n set addr-pool=default \n set inacl=110 \n}\n protocol=lcp {\n }\n }\n

Step 3

Verify the AAA server-based user configuration. Enter this UNIX server command to view the AAA server-based user configuration:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u dialtest

An example of a ViewProfile output of the user profile looks like this:

User Profile Information user = dialtest{ profile_id = 25 profile_cycle = 1 password = pap "********" service=shell { default_cmd=permit } service=ppp { protocol=ip { set addr-pool=default set inacl=110 } protocol=lcp { } } }

Step 4

Verify and troubleshoot a shell-initiated PPP session authorization from the AAA server. Enter the following UNIX server command to confirm that the authorization is operating correctly:
<CSUServer>$tail -f /var/log/csuslog

Note Step 5

See C.2 Server-Based TACACS+ Dialup Authorization Diagnostics.

Verify and troubleshoot shell-initiated PPP authorization on the NAS. Enter the debug aaa authorization command to verify server-based authorization is operating correctly for dial access.

Note

See C.2 Server-Based TACACS+ Dialup Authorization Diagnostics.

Cisco AAA Implementation Case Study

4-5

Chapter 4 4.3 Implementing Server-Based RADIUS Dialup Authentication

Implementing the Server-Based AAA Subsystem

4.3 Implementing Server-Based RADIUS Dialup Authentication

This section focuses on the configuration of server-based, RADIUS dialup authentication configuration. In this context, server-based refers to actions that depend on an external AAA server. Figure 4-3 illustrates a simplified server-based dial environment. These steps help you to accomplish the following tasks:
1. 2. 3. 4.

Configure RADIUS server-based authentication on access server. Configure a user profile in the database. Verify the AAA server-based user configuration. Enter the debug aaa authentication and debug ppp authorization commands to confirm authentication from NAS perspective.
Server-Based Dial Environment (RADIUS)

Figure 4-3

Server-based dial access PSTN Modem IP

Cisco AAA Implementation Case Study

4-6

35051

AAA server

Chapter 4

Implementing the Server-Based AAA Subsystem 4.3 Implementing Server-Based RADIUS Dialup Authentication

Step 1

Configure RADIUS server-based authentication on access server. Include the following Cisco IOS configuration commands in your configuration to enforce server-based dial access authentication control with RADIUS:
aaa new-model aaa authentication login default group radius aaa authentication ppp default if-needed group radius ! interface Group-Async1 ip unnumbered Loopback0 no ip directed-broadcast encapsulation ppp ip tcp header-compression passive no logging event link-status dialer in-band dialer idle-timeout 900 async mode interactive no snmp trap link-status peer default ip address pool default no fair-queue no cdp enable ppp max-bad-auth 3 ppp authentication pap chap group-range 1 48 ! line 1 48 exec-timeout 48 0 autoselect during-login autoselect ppp absolute-timeout 240 modem InOut modem autoconfigure type mica transport preferred telnet transport input all transport output lat pad telnet rlogin udptn v120 lapb-ta radius-server host 172.22.53.201 auth-port 1645 acct-port 1646 key ciscorules

Note

See A.3 NAS AAA Command Implementation Descriptions in Appendix A, AAA Device Configuration Listings for notes regarding key Cisco IOS AAA commands.

Step 2

Configure a user profile in the database.

a.

Create a RADIUS NAS configuration by entering the following AddProfile command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u NAS.172.22.53.105 -a 'NASName="172.22.53.105"\nSharedSecret="ciscorules"\nRadiusVendor="Cisco"\nDictionary ="DICTIONARY.Cisco"\n }\n'

b.

Create a user in the AAA server by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rad_dial -pw pap,ciscorules -a 'radius=Cisco{\n reply_attributes={\n 6=2 \n 7=1 \n}\n}\n'

Description of attributes specified in AddProfile configuration:

6=2 (meaning Framed-Protocol=ppp) 7=1 [meaning User-Service-Type (Framed-User)]

Cisco AAA Implementation Case Study

4-7

Chapter 4 4.4 Implementing Server-Based RADIUS Dialup Authorization

Implementing the Server-Based AAA Subsystem

Step 3

Verify the AAA server-based user configuration.

a.

Enter this server command to view the AAA server-based NAS configuration:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u NAS.172.22.53.105 User Profile Information user = NAS.172.22.53.105{ profile_id = 76 profile_cycle = 1 NASName="172.22.53.105" { SharedSecret="ciscorules" RadiusVendor="Cisco" Dictionary="DICTIONARY.Cisco" } }

b.

Enter this command to verify the AAA server user configuration:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rad_dial User Profile Information user = rad_dial{ profile_id = 62 profile_cycle = 1 password = pap "********" radius=Cisco { reply_attributes= { 6=2 7=1 } } }

Step 4

Enter the debug aaa authentication and debug ppp authorization commands to confirm authentication from NAS perspective.

Note

See C.3 Server-Based RADIUS Dialup Authentication Diagnostics.

4.4 Implementing Server-Based RADIUS Dialup Authorization

These steps help you to accomplish the following tasks:
1. 2. 3. 4. 5.

Configure RADIUS server-based authorization on the NAS. Configure a user profile in the database. Verify the AAA server-based user configuration. Verify and troubleshoot RADIUS network authorization on the NAS. Verify that access-list 110 is assigned to user rad_dial with the show caller user command.

Cisco AAA Implementation Case Study

4-8

Chapter 4

Implementing the Server-Based AAA Subsystem 4.4 Implementing Server-Based RADIUS Dialup Authorization

Step 1

Configure RADIUS server-based authorization on the NAS. Include the following Cisco IOS configuration commands in your configuration to enforce RADIUS authorization assigning access-list 110 to the user, rad_dial:
aaa new-model aaa authentication login default group radius aaa authentication ppp default if-needed group radius aaa authorization exec default group radius aaa authorization network default group radius if-authenticated ! radius-server host 172.22.53.201 auth-port 1645 acct-port 1646 key ciscorules ! access-list 110 permit tcp any any eq telnet access-list 110 permit tcp any any eq ftp access-list 110 permit tcp any any eq ftp-data access-list 110 deny tcp any any

Note

See A.3 NAS AAA Command Implementation Descriptions in Appendix A, AAA Device Configuration Listings for notes regarding key Cisco IOS AAA commands.

Step 2

Configure a user profile in the database. Create a user in the AAA server by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rad_dial -pw pap,ciscorules 'radius=Cisco{\n reply_attributes={\n 6=2 \n 7=1 \n 9,1="ip:inacl=110"}\n}\n' -a

Step 3

Verify the AAA server-based user configuration. Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rad_dial User Profile Information user = rad_dial{ profile_id = 62 profile_cycle = 1 password = pap "********" radius=Cisco { reply_attributes= { 6=2 7=1 9,1="ip:inacl=110" } } }

Note

The Cisco AVP inacl=110 is included to enable an input access-list.

Step 4

Verify and troubleshoot RADIUS network authorization on the NAS. Enter the debug aaa authorization command to verify dial access server-based authorization is operating correctly for dial access.

Note

See C.4 Server-Based RADIUS Dialup Authorization Diagnostics.

Cisco AAA Implementation Case Study

4-9

Chapter 4 4.5 Implementing Server-Based TACACS+ Router Authentication

Implementing the Server-Based AAA Subsystem

Step 5

Verify that access-list 110 is assigned to user rad_dial with the show caller user command.

Note

See C.4 Server-Based RADIUS Dialup Authorization Diagnostics.

4.5 Implementing Server-Based TACACS+ Router Authentication

This section focuses on how to configure and verify TACACS+ Cisco IOS authentication by using a router and a AAA server. Figure 4-4 illustrates a simplified server-based VTY-access environment for a router. These steps help you to accomplish the following tasks:
1. 2. 3. 4. 5.

Configure TACACS+ server-based authentication on the router. Configure and verify the group rtr_basic: Create the member rtr_test and assign this user to group rtr_basic. Verify user rtr_test. Log in to the router and verify proper authentication.
Server-Based VTY Access (Telnet)

Figure 4-4

Server-based VTY access (Telnet) IP

AAA server

Cisco AAA Implementation Case Study

4-10

35050

Chapter 4

Implementing the Server-Based AAA Subsystem 4.5 Implementing Server-Based TACACS+ Router Authentication

Step 1

Configure TACACS+ server-based authentication on the router. Include the following Cisco IOS configuration commands in your configuration to enforce AAA server-based command authorization on a router (excluding the console port):
aaa new-model aaa authentication login default group tacacs+ aaa authentication login NO_AUTHENT none ! ip http server ip http authentication aaa ip tacacs source-interface Loopback0 ! tacacs-server host 172.22.53.201 key ciscorules ! line con 0 login authentication NO_AUTHENT

Note

See A.2 Router AAA Command Implementation Descriptions in Appendix A, AAA Device Configuration Listings for notes regarding key Cisco IOS AAA commands.

Step 2

Configure and verify the group rtr_basic:

a.

Create the group rtr_basic by entering the following AddProfile command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_basic -a 'service=shell{\ndefault cmd=deny\n}\n' Profile Successfully Added

b.

Verify the group rtr_basic by entering the ViewProfile command

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_basic Group Profile Information group = rtr_low{ profile_id = 66 profile_cycle = 1 service=shell { default cmd=deny } }

Step 3

Create the member rtr_test and assign this user to group rtr_basic. Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_test -pw des,ciscorules -pr rtr_basic Profile Successfully Added

Cisco AAA Implementation Case Study

4-11

Chapter 4 4.5 Implementing Server-Based TACACS+ Router Authentication

Implementing the Server-Based AAA Subsystem

Step 4

Verify user rtr_test. Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_test User Profile Information user = rtr_test{ profile_id = 66 profile_cycle = 1 member = rtr_basic password = des "********" }

Step 5

Log in to the router and verify proper authentication. Enter the login command to access the router command interface and monitor the output of debug aaa authentication from a separate shell session. Monitor the output of the AAA server by consulting the csuslog file using the tail command.

Note

See C.5 Server-Based TACACS+ Router Authentication Diagnostics.

Cisco AAA Implementation Case Study

4-12

Chapter 4

Implementing the Server-Based AAA Subsystem 4.6 Implementing Server-Based TACACS+ Router Authorization

4.6 Implementing Server-Based TACACS+ Router Authorization

The following examples, including authorization-related IOS command listings and AAA server profiles, illustrate how to define administrative control over Cisco routers. Three administrative groups are created with low (rtr_low), medium (rtr_tech), and high (rtr_super) access. The default_cmd AVP (defined in the AAA server profile) is used to control access to privilege level 15 commands. In this case, privilege level 15 is the highest level of command access privilege allowed and is reserved for super users or network managers. Table 4-1 compares the Cisco IOS command permissions associated with each of the administrative groups defined in this section.
Table 4-1 Group Profile Command Summary

Group Cisco IOS Command debug all debug * clear * reload show running-config write terminal copy running-config startup-config write memory configure terminal rtr_super Denied Permitted Permitted Permitted Permitted Permitted Permitted rtr_tech Denied Permitted Permitted Denied Denied Permitted Denied rtr_low Denied Denied Denied Denied Denied Denied Denied

Figure 4-5 provides a flowchart that depicts AAA server-based authentication and authorization between a router and an AAA server. Troubleshooting and verifying is divided into three stages: authentication, EXEC authorization and command authorization. Each stage is accompanied by information particular to that stage:

Cisco IOS Configuration Fragments (on left) Troubleshooting and verification methods for the router and AAA server (on right)

Cisco AAA Implementation Case Study

4-13

Chapter 4 4.6 Implementing Server-Based TACACS+ Router Authorization

Implementing the Server-Based AAA Subsystem

Figure 4-5

TACACS+ Authentication and Authorization Verification Methodology

Cisco IOS Client Authentication Router user requests login to TACACS+ server. aaa new-model aaa authentication login default group tacacs+ tacacs-server host ip-address key secret-key

Decision Flow

Troubleshoot/Verify

Did No authentication succeed?

From Cisco IOS Client debug aaa authentication From AAA Server tail -f /var/log/csuslog Verify user user=rtr_geek password=des

Yes

EXEC Authorization AAA authorization begins (EXEC) aaa authorization exec default group tacacs+ if-authenticated Did No authorization succeed? From Cisco IOS Client debug aaa authorization From AAA Server tail -f /var/log/csuslog Verify user or group service=shell

Yes Command Authorization AAA authorization command begins (command) aaa authorization commands 15 default tacacs+ if-authenticated Did No authorization succeed?

From Cisco IOS Client debug aaa authorization From AAA Server tail -f /var/log/csuslog Verify user or group default_cmd=permit or priv_lvl=15 or cmd=permit
35076

Yes AAA accounting begins

These steps help you to accomplish the following tasks:

1. 2. 3. 4.

Configure TACACS+ server-based authorization from the console port on the router. Configure, verify, and test operation of the AAA server group rtr_low. Configure, verify, and test operation of the AAA server group rtr_tech. Configure, verify, and test operation of AAA server Group rtr_super.

Cisco AAA Implementation Case Study

4-14

Chapter 4

Implementing the Server-Based AAA Subsystem 4.6 Implementing Server-Based TACACS+ Router Authorization

Note

Some versions of boot ROMs do not recognize all AAA commands. Be sure to disable AAA authentication and authorization before changing to boot ROM mode. For configuration notes regarding disabling AAA to access boot ROM mode, see Appendix B, AAA Impact on Maintenance Tasks.

Step 1

Configure TACACS+ server-based authorization from the console port on the router. Include the following Cisco IOS configuration commands in your configuration to enforce router-based security with TACACS+:
aaa new-model aaa authentication login default group tacacs+ aaa authentication login NO_AUTHENT none aaa authorization commands 15 NO_AUTHOR none aaa authorization exec default group tacacs+ aaa authorization exec NO_AUTHOR none aaa authorization commands 15 default group tacacs+ ! ip http server ip http authentication aaa ip tacacs source-interface Loopback0 ! tacacs-server host 172.22.53.201 key ciscorules ! line con 0 authorization commands 15 NO_AUTHOR authorization exec NO_AUTHOR login authentication NO_AUTHENT

Note

See A.2 Router AAA Command Implementation Descriptions in Appendix A, AAA Device Configuration Listings for notes regarding key Cisco IOS AAA commands.

Cisco AAA Implementation Case Study

4-15

Chapter 4 4.6 Implementing Server-Based TACACS+ Router Authorization

Implementing the Server-Based AAA Subsystem

Step 2

Configure, verify, and test operation of the AAA server group rtr_low. The following steps illustrate configuring, verifying, and testing group rtr_low for compliance with the requirements specified in Table 4-1:
a.

Create the group rtr_low. Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_low -a 'service=shell{\ndefault cmd=deny\n}\n' Profile Successfully Added

b.

Verify the group rtr_low. Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_low Group Profile Information group = rtr_low{ profile_id = 66 profile_cycle = 1 service=shell { default cmd=deny } }

c.

Create the member rtr_dweeb and assign this user to group rtr_low. Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_dweeb -pr rtr_low -pw des,ciscorules Profile Successfully Added

d.

Verify the user rtr_dweeb. Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_dweeb User Profile Information user = rtr_dweeb{ profile_id = 66 profile_cycle = 1 member = rtr_low password = des "********" }

e.

Test the Cisco IOS commands for the user rtr_dweeb (see Table 4-1), with these actions:
Simultaneously monitor the output of debug aaa authorization from a console shell session

and the AAA server csuslog file.

Log in to the router by using a new terminal window with the rtr_dweeb account and enter the

commands shown in Table 4-1.

From the AAA server, enter the following command to obtain the matching csuslog content:
<CSUserver>$tail -f /var/log/csuslog

Note

See C.6 Server-Based TACACS+ Router Authorization Diagnostics.

Cisco AAA Implementation Case Study

4-16

Chapter 4

Implementing the Server-Based AAA Subsystem 4.6 Implementing Server-Based TACACS+ Router Authorization

Step 3

Configure, verify, and test operation of the AAA server group rtr_tech. The following tasks illustrate configuring, verifying, and testing group rtr_tech for compliance with the requirements specified in Table 4-1:
a.

Create the group rtr_tech. Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_tech -a 'service=shell {\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\ncmd=reload{\ndeny all\n}\ncmd=configure{\ndeny .*}\n}\n'

b.

Verify the group rtr_tech. Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_tech Group Profile Information group = rtr_tech{ profile_id = 47 profile_cycle = 1 service=shell { default cmd=permit cmd=debug { deny all permit .* } cmd=reload { deny all } cmd=configure { deny .* } } }

c.

Create the member rtr_techie and assign this user to group rtr_tech. Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_techie -pr rtr_tech -pw des,ciscorules Profile Successfully Added

d.

Verify the user rtr_techie. Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_techie User Profile Information user = rtr_techie{ profile_id = 39 profile_cycle = 1 member = rtr_tech password = des "********" }

e.

Test the Cisco IOS commands for the user rtr_techie (see Table 4-1) with these actions:
Simultaneously monitor the output of debug aaa authorization from a console shell session

and the AAA server csuslog file.

Log in to the router by using a new terminal window with the rtr_techie account and enter the

commands shown in Table 4-1.

Cisco AAA Implementation Case Study

4-17

Chapter 4 4.6 Implementing Server-Based TACACS+ Router Authorization

Implementing the Server-Based AAA Subsystem

From the AAA server, enter the following command to obtain the matching csuslog content:
<CSUserver>$tail -f /var/log/csuslog

Note Step 4

See C.6 Server-Based TACACS+ Router Authorization Diagnostics.

Configure, verify, and test operation of AAA server Group rtr_super. The following tasks illustrate configuring, verifying, and testing group rtr_super for compliance with the requirements specified in Table 4-1:
a.

Create the group rtr_super. Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_super -a 'service=shell {\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\n}\n' Profile Successfully Added

b.

Verify the group rtr_super. Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_super Group Profile Information group = rtr_super{ profile_id = 40 profile_cycle = 1 service=shell { default cmd=permit cmd=debug { deny all permit .* } } }

c.

Create the member rtr_geek and assign this user to group rtr_super. Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_geek des,ciscorules Profile Successfully -pr rtr_super -pw

d.

Verify the user rtr_geek. Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_geek User Profile Information user = rtr_geek{ profile_id = 45 profile_cycle = 1 member = rtr_super password = des "********" }

e.

Test the Cisco IOS commands for the user rtr_geek (see Table 4-1) with these commands:
Simultaneously monitor the output of debug aaa authorization from a console shell session

and the AAA server csuslog file.

Cisco AAA Implementation Case Study

4-18

Chapter 4

Implementing the Server-Based AAA Subsystem 4.6 Implementing Server-Based TACACS+ Router Authorization

Log in to the router by using a new terminal window with the rtr_geek account and enter the

commands shown in Table 4-1.

From the AAA server, enter the following command to obtain the matching csuslog content:
<CSUserver>$tail -f /var/log/csuslog

Note

See C.6 Server-Based TACACS+ Router Authorization Diagnostics.

Cisco AAA Implementation Case Study

4-19

Chapter 4 4.6 Implementing Server-Based TACACS+ Router Authorization

Implementing the Server-Based AAA Subsystem

Cisco AAA Implementation Case Study

4-20