Cisco AS5800 OAM&P Guide - Chap 4: Administration [Cisco AS5800 Series Universal Gateways]

Table Of Contents

Administration

Remote Monitor (RMON)

Enabling Management Protocols: NTP, SNMP, and Syslog

Understanding Network Management Basics

Enabling the Network Time Protocol

Enabling Syslog

Enabling SNMP

Disabling the Logging of Access Interfaces

Confirming the Final Running Configuration

Access Service Security

Local and Remote Server Authentication

Local Security Database

Remote Security Database

Configuring RADIUS

RADIUS Overview

RADIUS Operation

RADIUS Configuration Task List

Configure Router to RADIUS Server Communication

Configure Router to Use Vendor-Specific RADIUS Attributes

Configure Router for Vendor-Proprietary RADIUS Server Communication

Configure Router to Query RADIUS Server for Static Routes and IP Addresses

Configure Router to Expand Network Cisco AS5800 Port Information

Specify RADIUS Authentication

Specify RADIUS Authorization

Specify RADIUS Accounting

RADIUS Attributes

Vendor-Proprietary RADIUS Attributes

RADIUS Configuration Examples

RADIUS Cisco IOS Software Support

Configuring TACACS+

TACACS+ Authentication

Securing Access to Privileged EXEC and Configuration Mode

Communicating Between the Access and Security Servers

Configuring Authentication on a TACACS+ Server

Enabling AAA Globally

Defining Authentication Method Lists

Authentication Method List Examples

Applying Authentication Method Lists

TACACS+ Authorization

Configuring Authorization on the Security Server

Configuring Authorization (Network or EXEC)

Specifying an Authorization Method

Specifying Authorization Parameters on a TACACS+ Server

Authorization Examples

TACACS+ Security Examples

Administration

This chapter describes management protocols and Network Access Server (NAS) security and control functionality with AAA and RADIUS servers.

•Remote Monitor (RMON)

•Enabling Management Protocols: NTP, SNMP, and Syslog

–Enabling the Network Time Protocol

–Enabling Syslog

–Enabling SNMP

–Disabling the Logging of Access Interfaces

–Confirming the Final Running Configuration

•Local and Remote Server Authentication

–Configuring RADIUS

–Configuring TACACS+

Remote Monitor (RMON)

Remote Monitoring (RMON) is an Internet Engineering Task Force (IETF) monitoring standard (RFC 1757) that allows console systems and network monitors to exchange statistical and functional monitoring data, through RMON-compliant console managers and network probes. RMON provides network administrators with flexibility to satisfy networking demands through console and network monitoring probes to obtain fault diagnostics, planning, and performance information.

RMON delivers information in nine unique monitoring element groups that provide specific types of data, which satisfies common network-monitoring requirements. Some RMON groups are dependent upon others for support, but each is optional so that it is not necessary for vendors to support all groups within the management information base (MIB). See Table 4-1 for RMON group functions.

Table 4-1 RMON Groups

RMON Group

Description

Alarm

Periodic statistical sampling from event generated variables in the probe that compares configured thresholds.

Events

Controls the generation and notification of events from this device.

Filters

Enables packet matching by equation filtering to form data streams that may be captured or generate events.

History

Records and stores periodic statistical samples, number of samples, and items sampled from a network.

Host

Contains statistics associated with each discovered network host.

HostTopN

Creates tables describing hosts that top a list ordered by one of their rate-based statistics.

Matrix

Stores new conversation statistics detected on source and destination device.

Packet Capture

Enables packet capturing after it flows through a channel.

Statistics

Contains probe calculated statistics for each interface monitored on device.

Enabling Management Protocols: NTP, SNMP, and Syslog

This section describes how to enable basic management protocols on a Cisco AS5800 as part of a dial access service. It does not however, describe how to integrate the Cisco IOS software with NT or UNIX servers. Management protocols are described only from the perspective of the Cisco IOS software.

Understanding Network Management Basics

Figure 4-1 shows a logical perspective of how management protocols interact between the Cisco IOS software (client) and a network element management server. Dashed lines represent different protocols and functions.

•NTP synchronizes time between network devices.

•The SNMP element manager (EM) receives SNMP traps from the Cisco IOS software. The SNMP manager uses SNMP to query variables and set configurations.

•The Cisco IOS software sends logging messages to a syslog daemon.

Figure 4-1 NTP, SNMP, and Syslog Interactions

Table 4-2 provides the RFCs and URLs for the management protocols described in this section.

Table 4-2 Management Protocol RFCs

Management Protocol

RFC

URL

NTP

RFC 1305

http://www.ietf.org/rfc/rfc1305.txt

SNMP

RFC 1157

http://www.ietf.org/rfc/rfc1157.txt

For more information about system management, refer to Cisco IOS Release 12.0 Configuration Fundamentals Configuration Guide and Command Reference, available online at
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/index.htm

Enabling the Network Time Protocol

The Network Time Protocol (NTP) provides a common time base for networked routers, servers, and other devices. A synchronized time enables you to correlate syslog and Cisco IOS debug output to specific events. For example, you can find call records for specific users within one millisecond.

Comparing logs from various networks is essential for:

•Troubleshooting

•Fault analysis

•Security incident tracking

Without precise time synchronization between all the various logging, management, and AAA functions, time comparisons are not possible.

An NTP enabled network usually gets its time from an authoritative time source, such as a Cisco router, radio clock, or an atomic clock attached to a timeserver. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within a millisecond of each another. NTP runs over UDP, which in turn runs over IP.

Step 1 Locate an authoritative clock source. For example, you can use a Cisco router or an atomic clock that is attached to a time server.

Step 2 Specify the primary NTP server IP address and automatic calendar updates as shown below:
!
ntp update-calendar
ntp server 172.22.66.18 prefer
!
Step 3 Verify that the clock is synchronized to the NTP server. Inspect the status and time association. Clock sources are identified by their stratum levels. The following example shows a stratum level five clock.
5800-NAS# show ntp status
Clock is synchronized, stratum 5, reference is 172.22.66.18
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is BB944312.4451C9E7 (23:11:30.266 PDT Wed Sep 22 1999)
clock offset is 0.5343 msec, root delay is 13.26 msec
root dispersion is 18.02 msec, peer dispersion is 0.09 msec
5800-NAS#
The following command identifies how often the NAS is polling and updating to the stratum clock. An asterisk (*) next to the NTP servers IP address indicates successful synchronization with the stratum clock.
5800-NAS# show ntp association
address         ref clock     st  when  poll reach  delay  offset    disp
*~172.22.66.18      172.60.8.1       16    46    64  377     1.0    0.53     0.1
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
5800-NAS#
Enabling Syslog

The Cisco IOS software can send syslog messages to one or more element manager servers. Syslog messages are then collected by a standard UNIX or NT type syslog daemon.

Syslog enables you to:

•Centrally log and analyze configuration events and system error messages such as interface status, security alerts, environmental conditions, and CPU process overloads.

•Capture client debug output sessions in a real-time scenario.

•Reserve Telnet sessions for making configurations changes and using show commands. This prevents Telnet sessions from getting cluttered up with debug output.

Figure 4-2 shows the Cisco IOS software sending syslog data to an element manager. Syslog data either stays in the Cisco IOS software buffer, or is pushed out and written to the element managers hard disk.

Figure 4-2 Syslog Messages Written to Hard Disk

Note Cisco System's UNIX syslog format is compatible with 4.3 BSD UNIX.

Step 1 Enable debug timestamps and include date, time, and milliseconds relative to the local time zone:
!
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
!
Step 2 Verify that console logging is disabled. If it is enabled, the NAS will intermittently freeze up as soon as the console port is overloaded with log messages. See the field "1 flushes." Increments on this number represents bad logging behavior.
5800-NAS# show logging
Syslog logging: enabled (0 messages dropped, 1 flushes, 0 overruns)
    Console logging: level debugging, 1523 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 911 messages logged
    Trap logging: level informational, 44 message lines logged
5800-NAS(config)# no logging console
5800-NAS(config)# ^Z
5800-NAS# show logging
Syslog logging: enabled (0 messages dropped, 1 flushes, 0 overruns)
    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 912 messages logged
    Trap logging: level informational, 45 message lines logged
Caution Not entering the no logging console command might cause CPU interrupts, dropped packets, denial of service events, and router lock up.

Step 3 Specify the logging configuration:
!
logging 172.22.66.18
logging buffered 10000 debugging
logging trap debugging
!
Table 4-3 describes the commands in the previous configuration fragment.
Table 4-3 Syslog Commands
Command

Purpose
logging 172.22.66.18
Specifies the syslog servers IP address.
logging buffered 10000 debugging
Sets the internal log buffer to 10,000 bytes for debug output (newer messages overwrite older messages).
logging trap debugging
Allows logging up to the debug level (all 8 levels) for all messages sent to the syslog server.
If you are working with multiple network access servers, assign a different logging facility tag to each server. Syslog information can be collected and sorted into different files on the syslog server.

For example:

•Assign local1 to NAS1

•Assign local2 to NAS2

•Assign local3 to NAS3

Assigning a different tag to each device enables you to intelligently sort and view syslog messages:
!
logging facility local7
!
Step 4 Verify that local buffered logging is working:
5800-NAS# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 2 messages logged
    Trap logging: level debugging, 53 message lines logged
        Logging to 172.22.66.18, 2 message lines logged
Log Buffer (10000 bytes):
Sep 26 16:32:02.848 PDT: %SYS-5-CONFIG_I: Configured from console by admin on console
Sep 26 16:33:16.069 PDT: %SYS-5-CONFIG_I: Configured from console by admin on console
5800-NAS#
Enabling SNMP

The SNMP traps generated by Cisco routers provide:

•Potentially harmful environmental conditions

•Processor status

•Port status

•Security issues

The Cisco IOS software generates SNMP traps based on the features that the Cisco IOS software supports.

Figure 4-3 shows the interactions and timing of the SNMP protocol between the EM (SNMP manager) and the NAS (SNMP agent). Traps are unsolicited messages sent from the NAS to the EM. Four functions of SNMP include: trap, get request, get next, and set request.

Figure 4-3 SNMP Event Interaction and Timing

Note For a listing of all SNMP traps supported by Cisco, refer to Cisco IOS SNMP Traps Supported and How to Configure Them, available online at
http://www.cisco.com/warp/public/477/SNMP/snmp_traps.html

Step 1 Configure the Cisco IOS software to support basic SNMP functions. Access lists 5 and 8 are used for SNMP community strings:

•The read only (RO) community string is called "poptarts." It uses access list 8 as a filter.

•The read write (RW) community string is called "pixysticks." It uses access list 5 as a filter.
!
snmp-server contact admin user@the.doc
snmp-server location 5800-NAS-corporate
snmp-server community poptarts RO 8
snmp-server community pixysticks RW 5
snmp-server host 172.22.66.18 maddog 
snmp-server trap-source Loopback0
snmp-server enable traps snmp
!
access-list 5 permit 172.22.67.1
access-list 5 permit 0.0.0.1 172.22.68.20
access-list 8 permit 172.22.67.1
access-list 8 permit 0.0.0.1 172.22.68.20
!
Table 4-4 describes commands in the previous configuration fragment.
Table 4-4 SNMP Commands
Command

Purpose
snmp-server contact admin user@the.doc
Specifies a contact name to notify whenever a MIB problems occurs.
snmp-server location 5800-NAS-corporate
Specifies a geographic location name for the router.
snmp-server community poptarts RO 8
Assigns a read only (RO) community string. Only queries and get requests can be performed.

The community string (poptarts) allows polling but no configuration changes. Without the correct community string on both machines, SNMP will not let you do the authorization to get or set the request.
snmp-server community pixysticks RW 5
Assigns a read write (RW) community string.

This community string (pixysticks) enables configuration changes to be performed. For example, you can shut down an interface, download a configuration file, or change a password.
snmp-server host 172.22.66.18 maddog 
Identifies the IP address of the SNMP host followed by a password.
snmp-server trap-source Loopback0
Associates SNMP traps with a loopback interface. In this way, an Ethernet shutdown will not disrupt SNMP management flow.
snmp-server enable traps
Enables traps for unsolicited notifications for configuration changes, environmental variables, and device conditions.
access-list 5 permit 172.22.67.1
access-list 8 permit 172.22.67.1
Permits access from a single element management server.
access-list 5 permit 0.0.0.1 172.22.68.20
access-list 8 permit 0.0.0.1 172.22.68.20
Permits access from a block of addresses at your network operations center.
Caution If you are not using SNMP, make sure to turn it off. Never use a configuration that uses "public" or "private" as community strings—these strings are well known in the industry and are common defaults on hardware. These strings are open invitations to attacks, regardless if you use filters.

Step 2 Monitor SNMP input and output statistics. For example, display a real-time view of who is polling the NAS for statistics and how often.

Excessive polling will:

•Consume much of the CPU resources

•Cause packets to be dropped

•Crash the NAS
5800-NAS# show snmp
Chassis: 11811596
Contact: admin user@the.doc
Location: 5800-NAS-corporate
0 SNMP packets input
    0 Bad SNMP version errors
    0 Unknown community name
    0 Illegal operation for community name supplied
    0 Encoding errors
    0 Number of requested variables
    0 Number of altered variables
    0 Get-request PDUs
    0 Get-next PDUs
    0 Set-request PDUs
0 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    0 No such name errors
    0 Bad values errors
    0 General errors
    0 Response PDUs
    0 Trap PDUs
SNMP logging: enabled
    Logging to 172.22.66.18.162, 0/10, 0 sent, 0 dropped.
5800-NAS#
Disabling the Logging of Access Interfaces

Limit the amount of output logged from the group-async interface and ISDN D channels. Carefully choose the data sources for system management purposes. AAA accounting and the modem-call record terse feature provides the best data set for analyzing ISDN remote node device activity.

Link status up-down events and SNMP trap signals:

•Occur regularly on access interfaces. Dialer interfaces going up and down is normal behavior and does not indicate a problem.

•Should not be logged or sent to a management server.

The following configuration fragment disables logging on access interfaces:
!
interface Serial 0:23
 no logging event link-status
 no snmp trap link-status
!
interface Serial 1:23
 no logging event link-status
 no snmp trap link-status
!
interface Serial 2:23
 no logging event link-status
 no snmp trap link-status
!
interface Serial 3:23
 no logging event link-status
 no snmp trap link-status
!
interface Group-Async 1
 no logging event link-status
 no snmp trap link-status
!
Confirming the Final Running Configuration

The following is an example of the Cisco AS5800 running configuration with Cisco IOS Release 12.0(4) XL1 installed.
5800-NAS# show running-config
Building configuration...
Current configuration:
!
version 12.x
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname 5800-NAS
!
logging buffered 10000 debugging
no logging console
aaa new-model
aaa authentication login default local
aaa authentication ppp default if-needed local
enable secret 5 $1$LKgL$tgi19XvWn7fld7JGt55p01
!
username dude password 7 045802150C2E
username admin password 7 044E1F050024
!
!
!
shelf-id 0 router-shelf
shelf-id 1 dial-shelf
!
!
!
resource-pool disable
!
modem-pool Default
 pool-range 1/2/0-1/10/143
!
!
spe 1/2/0 1/10/11
 firmware ios-bundled default
modem recovery action none
ip subnet-zero
no ip source-route
ip host guessme 172.22.100.9
ip domain-name the.net
ip name-server 172.22.11.10
ip name-server 172.22.12.11
!
async-bootp dns-server 172.30.10.1 172.30.10.2
isdn switch-type primary-ni
isdn voice-call-failure 0
!
!
controller T3 1/0/0
 framing m23
 cablelength 0
 t1 4 controller
!
controller T1 1/0/0:4
 framing esf
 pri-group timeslots 1-24
!
!
voice-port 1/0/0:4:D
!
!
process-max-time 200
!
interface Loopback0
 ip address 172.22.99.1 255.255.255.255
 no ip directed-broadcast
!         
interface Loopback1
 ip address 172.22.90.1 255.255.255.0
 no ip directed-broadcast
!
interface FastEthernet0/1/0
 ip address 172.22.66.23 255.255.255.0
 no ip directed-broadcast
!
interface Serial1/0/0:4:23
 no ip address
 no ip directed-broadcast
 no snmp trap link-status
 isdn switch-type primary-ni
 isdn incoming-voice modem
 no cdp enable
!
interface Group-Async0
 ip unnumbered FastEthernet0/1/0
 no ip directed-broadcast
 encapsulation ppp
 async mode interactive
 no snmp trap link-status
 peer default ip address pool addr-pool
 no cdp enable
 ppp authentication chap pap
 group-range 1/2/00 1/10/143
!
ip local pool addr-pool 172.22.90.2 172.22.90.254
ip classless
ip route 0.0.0.0 0.0.0.0 172.22.66.1
no ip http server
!
logging trap debugging
logging 172.22.66.18
access-list 5 permit 172.22.67.1
access-list 5 permit 0.0.0.1 172.22.68.20
access-list 8 permit 172.22.67.1
access-list 8 permit 0.0.0.1 172.22.68.20
snmp-server engineID local 00000009020000D0D3424C1C
snmp-server community poptarts RO 8
snmp-server community pixysticks RW 5
snmp-server community maddog view v1default RO
snmp-server trap-source Loopback0
snmp-server location 5800-NAS-Austin
snmp-server contact admin dude@the.net
snmp-server enable traps snmp
snmp-server enable traps isdn call-information
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps syslog
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps rtr
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps bgp
snmp-server enable traps voice poor-qov
snmp-server host 172.22.66.18 maddog 
!
banner login ^C 
This is a secured device. 
Unauthorized use is prohibited by law.
^C
!
line con 0
 transport input none
line aux 0
 transport input telnet
line vty 0 4
line 1/2/00 1/10/143
 autoselect during-login
 autoselect ppp
 modem InOut
 no modem log rs232
!
ntp update-calendar
ntp server 172.22.66.18 prefer
end
Access Service Security

The Cisco AS5800 is designed to support a security paradigm providing authentication, authorization, and accounting (AAA) security measures using RADIUS and TACACS+.

•Authentication—requires dial-in users to identify themselves and prove their identity, thus preventing wrongful access to lines on your Cisco AS5800, or connecting through the lines directly to network resources.

•Authorization—prevents users from gaining access to particular services and devices on the network.

•Accounting—provides records for billing and other needs to determine who is connected to the network and how long they have been connected. It does not describe how to configure accounting.

This section describes how to configure security using a local database resident on your Cisco AS5800 or using a remote security database for Terminal Access Controller Access Control System with Cisco proprietary enhancements (TACACS+) and Remote Authentication Dial-In User Service (RADIUS). Refer to the "Local and Remote Server Authentication" section for local and remote authentication definitions.

Note This section does not provide a comprehensive security overview. It does not describe how to completely configure TACACS, Extended TACACS, access lists or RADIUS. It presents the most commonly used security mechanisms to prevent unauthenticated and unauthorized access to network resources through a Cisco AS5800. For a comprehensive overview of Cisco security tools, refer to the security configuration guide in the Cisco IOS configuration guides and command references documentation.

This section describes the following topics:

•Local and Remote Server Authentication

•Configuring RADIUS

•Configuring TACACS+

Local and Remote Server Authentication

This section describes the differences between local and remote security databases and the basic authentication process for each. Remote security databases described in this section include Terminal Access Controller Access Control System with Cisco proprietary enhancements (TACACS+) and Remote Authentication Dial-In User Service (RADIUS).

Generally the size of the network and type of corporate security policies and control determine whether you use a local or remote security database.

Local Security Database

If you have one or two Cisco AS5800 providing access to your network, store username and password security information on your Cisco AS5800. This is referred to as local authentication.

Remote Security Database

As your network expands, you need a centralized security database that provides username and password information each access server in the network. This centralized security database resides in a security server.

A centralized security database helps establish consistent remote access policies throughout a corporation. An example of a remote security database server is the CiscoSecure product from Cisco Systems. CiscoSecure is a UNIX security daemon, with which the administrator creates a database that defines the network users and their privileges. CiscoSecure uses a central database that stores user and group profiles with authentication and authorization information.

The Cisco AS5800 exchanges user authentication information with a TACACS+ or RADIUS database on the security server by transmitting encrypted TACACS+ or RADIUS packets across the network.

For specific information about the interaction between the security server and the Cisco AS5800, refer to the security configuration guide in the Cisco IOS configuration guides and command references documentation.

Configuring RADIUS

This section describes the Remote Authentication Dial-In User (RADIUS) security system, defines its operation, and identifies appropriate and inappropriate network environments for using RADIUS technology. RADIUS Configuration Task List describes how to configure RADIUS with the authentication, authorization, and accounting (AAA) command set. RADIUS Configuration Examples offers two possible implementation scenarios.

This section includes the following topics:

•RADIUS Overview

•RADIUS Operation

•RADIUS Configuration Task List

For a complete description of the commands used in this section, refer to information on RADIUS commands in the security command reference for your Cisco IOS release. To locate documentation of other commands that appear in this section, use the command reference master index or search online.

RADIUS Overview

RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server. The server contains all user authentication and network service access information.

RADIUS is a fully open protocol, distributed in source code format, that can be modified to work with any security system currently available on the market.

Cisco supports RADIUS under its AAA security paradigm. RADIUS can be used with other AAA security protocols, such as TACACS+, Kerberos, or local username lookup. RADIUS is supported on all Cisco platforms.

RADIUS has been implemented in a variety of network environments that require high levels of security while maintaining network access for remote users.

Use RADIUS in the following network environments that require access security:

•Networks with multiple-vendor access servers, each supporting RADIUS. For example, access servers from several vendors use a single RADIUS server-based security database. In an IP-based network with multiple vendors access servers, dial-in users are authenticated through a RADIUS server that has been customized to work with the Kerberos security system.

•Turnkey network security environments in which applications support the RADIUS protocol, such as in an access environment that uses a "smart card" access control system. In one case, RADIUS has been used with Enigmas security cards to validate users and grant access to network resources.

•Networks already using RADIUS. You can add a Cisco router with RADIUS to the network. This might be the first step when you make a transition to a Terminal Access Controller Access Control System (TACACS+) server.

•Networks in which a user must only access a single service. Using RADIUS, you can control user access to a single host, to a single utility such as Telnet, or to a single protocol such as Point-to-Point Protocol (PPP). For example, when a user logs in, RADIUS identifies this user as having authorization to run PPP using IP address10.2.3.4 and the defined access list is started.

•Networks that require resource accounting. You can use RADIUS accounting independent of RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent at the start and end of services, indicating the amount of resources (such as time, packets, and bytes used during the session.

•An Internet service provider (ISP) might use a freeware-based version of RADIUS access control and accounting software to meet special security and billing needs.

RADIUS is not suitable in the following network security situations:

•Multiprotocol access environments. RADIUS does not support the following protocols:

– AppleTalk Remote Access Protocol (ARAP)

–NetBIOS Frame Protocol Control Protocol (NBFCP)

–NetWare Asynchronous Services Interface (NASI)

–X.25 PAD connections

•Router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one Cisco router to a third party router if, other company's router requires RADIUS authentication.

•Networks using a variety of services. RADIUS generally binds a user to one service model.

RADIUS Operation

When attempting to log in and authenticate to Cisco AS5800 using RADIUS, the following steps occur:

1. The user enters a username and password at the corresponding prompts.

2. The username and encrypted password are sent over the network to the RADIUS server.

3. The user receives one of the following responses from the RADIUS server:

–ACCEPT - The user is authenticated.

–REJECT - The user is not authenticated and is prompted to reenter the username and password, or access is denied.

–CHALLENGE - A challenge is issued by the RADIUS server. The challenge collects additional data from the user.

–CHANGE PASSWORD - A request is issued by the RADIUS server, asking the user to select a new password.

The ACCEPT or REJECT response is bundled with additional data that is used for EXEC or network authorization. You must first complete RADIUS authentication before using RADIUS authorization. The additional data included with the ACCEPT or REJECT packets consists of the following:

•Services that the user can access, including Telnet, rlogin, local-area transport (LAT) connections, and PPP, Serial Line Internet Protocol (SLIP), or EXEC services.

•Connection parameters, including the host or client IP address, access list, and user timeouts.

RADIUS Configuration Task List

To configure RADIUS on your Cisco AS5800, you must perform the following tasks:

•Use the aaa new-model global configuration command to enable AAA. AAA must be configured if you plan to use RADIUS. For more information about using the aaa new-model command, refer to the "AAA Commands" section.

•Use the aaa authentication global configuration command to define method lists for RADIUS authentication. For more information about using the aaa authentication command, refer to the "Specify RADIUS Authentication" section.

•Use line and interface commands to enable the defined method lists to be used. For more information, refer to the "Specify RADIUS Authentication" section.

The following configuration tasks are optional:

•Use the aaa authorization global command to authorize specific user functions. For more information about using the aaa authorization command, refer to the "Specify RADIUS Authorization" section.

•Use the aaa accounting command to enable accounting for RADIUS connections. For more information about using the aaa accounting command, refer to the "Specify RADIUS Accounting" section.

This section describes how to set up RADIUS for authentication, authorization, and accounting on your network, and includes the following sections:

•Configure Router to RADIUS Server Communication

•Configure Router to Use Vendor-Specific RADIUS Attributes

•Configure Router for Vendor-Proprietary RADIUS Server Communication

•Configure Router to Query RADIUS Server for Static Routes and IP Addresses

•Configure Router to Expand Network Cisco AS5800 Port Information

•Specify RADIUS Authentication

•Specify RADIUS Authorization

•Specify RADIUS Accounting

Configure Router to RADIUS Server Communication

The RADIUS host is normally a multi-user system running RADIUS server software from Livingston, Merit, Microsoft, or another software provider. A RADIUS server and a Cisco router use a shared secret text string to encrypt passwords and exchange responses.

To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon, and a secret text string that it shares with the router. Use the radius-server commands to specify the RADIUS server host and a secret text string.

To specify a RADIUS server host and shared secret text string, perform the following tasks in global configuration mode:

•Specify the IP address or host name of the remote RADIUS server host, and assign authentication and accounting destination port numbers.
radius-server host {hostname | ip-address}
[auth-port port-number] [acct-port port-number]
•Specify the shared secret text string used between the router and the RADIUS server.
radius-server key string
To customize communication between the router and the RADIUS server, use the following optional radius-server global configuration commands:

•Specify the number of times the router transmits each RADIUS request to the server before giving up (default is three).
radius-server retransmit retries
•Specify the number of seconds a router waits for a reply to a RADIUS request before retransmitting the request.
radius-server timeout seconds
•Specify the number of minutes a RADIUS server, which is not responding to authentication requests, is passed over by requests for RADIUS authentication.
radius-server deadtime minutes
Configure Router to Use Vendor-Specific RADIUS Attributes

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network Cisco AS5800 and the RADIUS server, by using the vendor-specific attribute (Attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string of the format:
protocol : attribute sep value *
•"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization.

•"Attribute" and "value" are an appropriate attribute/value (AV) pair defined in the Cisco TACACS+ specification

•"sep" is "=" for mandatory attributes and "*" for optional attributes.

This allows the full set of features available for TACACS+ authorization to also be used for RADIUS.

For example, the following AV pair causes the Cisco "multiple named ip address pools" feature to be activated during IP authorization (during PPP's IPCP address assignment).
cisco-avpair= "ip:addr-pool=first"
The following example causes a "NAS Prompt" user to have immediate access to EXEC commands.
cisco-avpair= "shell:priv-lvl=15"
Other vendors have their own vendor-IDs, options, and associated VSAs. For more information about vendor-IDs and VSAs, refer to the RADIUS specification RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)," described in How Does RADIUS Work?, available online at
http://www.cisco.com/warp/public/707/32.html

To configure the NAS to recognize and use VSAs, perform the following task in global configuration mode:

Enable the network Cisco AS5800 to recognize and use VSAs as defined by RADIUS IETF attribute 26.
radius-server vsa send [accounting|authentication]
For a complete list of RADIUS attributes or more information about vendor-specific Attribute 26, refer to the RADIUS Attributes appendix.

Configure Router for Vendor-Proprietary RADIUS Server Communication

Although the IETF draft standard for RADIUS specifies a method for communicating vendor-specific information between the network Cisco AS5800 and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.

To configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with the Cisco device. You specify the RADIUS host and secret text string by using the radius-server commands. To identify that the RADIUS server is using a vendor-proprietary implementation of RADIUS, use the radius-server host nonstandard command.

Vendor-proprietary attributes will not be supported unless you use the radius-server host non-standard command.

To specify a vendor-proprietary RADIUS server host and a shared secret text string, perform the following tasks in global configuration mode.

Specify the IP address or host name of the remote RADIUS server host and identify that it is using a vendor-proprietary implementation of RADIUS.
radius-server host {hostname |ip-address} non-standard
Specify the shared secret text string used between the router and the vendor-proprietary RADIUS server. The router and the RADIUS server use this text string to encrypt passwords and exchange responses.
radius-server key string
Configure Router to Query RADIUS Server for Static Routes and IP Addresses

Some vendor-proprietary implementations of RADIUS let the user define static routes and IP pool definitions on the RADIUS server, instead of on each individual Cisco AS5800 in the network. Each network Cisco AS5800 then queries the RADIUS server for static route and IP pool information.

To have the Cisco AS5800 query the RADIUS server for static routes and IP pool definitions when the device first starts up, use the following commands in global configuration mode:
radius-server configure-nas
Note Because the radius-server configure-nas command is performed when the Cisco router starts up, it will not take effect until you enter a copy running-config startup-config command.

Configure Router to Expand Network Cisco AS5800 Port Information

In some situations, PPP or login authentication occurs on an interface different from the interface on which the call itself comes in. For example, in a V.120 ISDN call, login or PPP authentication occurs on a virtual asynchronous interface "ttt" but the call itself occurs on one of the channels of the ISDN interface.

The radius-server attribute nas-port extended command configures RADIUS to expand the size of the NAS-Port attribute (RADIUS IETF Attribute 5) field to 32 bits. The upper 16 bits of the NAS-Port attribute display the type and number of the controlling interface; the lower 16 bits indicate the interface undergoing authentication.

To display expanded interface information in the NAS-Port attribute field, perform the following task in global configuration mode.

Expand the NAS-Port attribute size from 16 to 32 bits to display extended interface information.
radius-server attribute nas-port extended
Note This command replaces the deprecated radius-server extended-portnames command.

On platforms with multiple interfaces (ports) per slot, the Cisco RADIUS implementation will not provide a unique NAS-Port attribute that permits distinguishing between the interfaces. For example, if a dual PRI interface is in slot 1, calls on both Serial1/0:1 and Serial1/1:1 will appear as NAS-Port = 20101. This is due to the 16-bit field size limitation associated with RADIUS IETF NAS-port attribute. In this case, replace the NAS-port attribute with a vendor-specific attribute (RADIUS IETF Attribute 26). The Cisco vendor-ID is 9, and the Cisco-NAS-Port attribute is subtype 2. Vendor-specific attributes (VSAs) can be turned on by entering the radius-server vsa send command. The port information in this attribute is provided and configured using the aaa nas port extended command.

To replace the NAS-Port attribute with RADIUS IETF Attribute 26 and to display extended field information, use the following commands in global configuration mode.

Enable the network Cisco AS5800 to recognize and use vendor-specific attributes as defined by RADIUS IETF Attribute 26.
radius-server vsa send [accounting | authentication]
Expand the size of the VSA NAS-Port field from 16 to 32 bits to display extended interface information.
aaa nas-port extended
The standard NAS-Port attribute (RADIUS IETF Attribute 5) will continue to be sent. If you do not want this information to be sent, you can suppress it by using the no radius-server attribute nas-port command. When this command is configured, the standard NAS-Port attribute will no longer be sent.

Specify RADIUS Authentication

After you have identified the RADIUS server and defined the RADIUS authentication key, you need to define method lists for RADIUS authentication. Because RADIUS authentication is facilitated through AAA, you need to enter the aaa authentication command, and specify RADIUS as the authentication method. For more information, refer to information on configuring authentication in the security configuration guide for your Cisco IOS release.

Specify RADIUS Authorization

AAA authorization lets you set parameters that restrict users network access. Authorization using RADIUS provides one method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet. Because RADIUS authorization is facilitated through AAA, you need to issue the aaa authorization command, specifying RADIUS as the authorization method.

Specify RADIUS Accounting

The AAA accounting feature enables you to track the services users access and the amount of network resources they consume. Because RADIUS accounting is facilitated through AAA, you need to issue the aaa accounting command, specifying RADIUS as the accounting method.

RADIUS Attributes

The network Cisco AS5800 monitors the RADIUS authorization and accounting functions defined by RADIUS attributes in each user-profile.

Vendor-Proprietary RADIUS Attributes

An Internet Engineering Task Force (IETF) draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the network Cisco AS5800 and the RADIUS server. Some vendors, nevertheless, have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.

RADIUS Configuration Examples

RADIUS configuration examples in this section include the following:

•RADIUS Authentication and Authorization Example

•RADIUS Authentication, Authorization, and Accounting Example

•Vendor-Proprietary RADIUS Configuration Example

RADIUS Authentication and Authorization Example

The following example shows a router configuration to authenticate and authorize using RADIUS.
aaa authentication login use-radius radius local
aaa authentication ppp user-radius if-needed radius
aaa authorization exec radius 
aaa authorization network radius
These RADIUS authentication and authorization configuration commands are defined as follows:

•The aaa authentication login use-radius radius local command configures the router to use RADIUS for authentication at the login prompt. If RADIUS returns an error, the user is authenticated using the local database. In this example, use-radius is the name of the method list, which specifies RADIUS and then local authentication.

•The aaa authentication ppp user-radius if-needed radius command configures the Cisco IOS software to use RADIUS authentication for lines using Point-to-Point Protocol (PPP) with CHAP or PAP if the user has not already been authorized. If the EXEC facility has authenticated the user, RADIUS authentication is not performed. In this example, user-radius is the name of the method list defining RADIUS as the if-needed authentication method.

•The aaa authorization exec radius command sets the RADIUS information that is used for EXEC authorization, autocommands, and access lists.

•The aaa authorization network radius command sets RADIUS for network authorization, address assignment, and access lists.

RADIUS Authentication, Authorization, and Accounting Example

The following sample is a general configuration using RADIUS with the AAA command set.
radius-server host 123.45.1.2
radius-server key myRaDiUSpassWoRd
username root password ALongPassword
aaa authentication ppp dialins radius local
aaa authorization network radius local
aaa accounting network start-stop radius
aaa authentication login admins local
aaa authorization exec local
line 1 16
 autoselect ppp
 autoselect during-login
 login authentication admins
 modem ri-is-cd
interface group-async 1
 encaps ppp
 ppp authentication pap dialins
The lines in this sample RADIUS authentication, authorization, and accounting configuration are defined as follows:

•radius-server host defines the IP address of the RADIUS server host.

•radius-server key defines the shared secret text string between the network Cisco AS5800 and the RADIUS server host.

•aaa authentication ppp dialins radius local defines the authentication method list "dialins," which specifies that RADIUS authentication, then (if the RADIUS server does not respond) local authentication will be used on serial lines using PPP.

•ppp authentication pap dialins applies the "dialins" method list to the lines specified.

•aaa authorization network radius local is used to assign an address and other network parameters to the RADIUS user.

•aaa accounting network start-stop radius tracks PPP usage.

•aaa authentication login admins local defines another method list, "admins," for login authentication.

•login authentication admins applies the "admins" method list for login authentication.

Vendor-Proprietary RADIUS Configuration Example

The following example is a general configuration using vendor-proprietary RADIUS with the AAA command set.
radius-server host alcatraz non-standard
radius-server key myRaDiUSpassWoRd
radius-server configure-nas
username root password ALongPassword
aaa authentication ppp dialins radius local
aaa authorization network radius local
aaa accounting network start-stop radius
aaa authentication login admins local
aaa authorization exec local
line 1 16
autoselect ppp
autoselect during-login
login authentication admins
modem ri-is-cd
interface group-async 1
encaps ppp
ppp authentication pap dialins
The lines in this example RADIUS AAA configurations are defined as follows:

•radius-server host non-standard defines the name of the RADIUS server host, and identifies that this RADIUS host uses a vendor-proprietary version of RADIUS.

•radius-server key defines the shared secret text string between the network Cisco AS5800 and the RADIUS server host.

•radius-server configure-nas defines that the Cisco AS5800 will query the RADIUS server for static routes and IP pool definitions when the device first starts up.

•aaa authentication ppp dialins radius local defines the authentication method list "dialins," which specifies that RADIUS authentication, then (if the RADIUS server does not respond) local authentication will be used on serial lines using PPP.

•ppp authentication pap dialins applies the "dialins" method list to the lines specified.

•aaa authorization network radius local is used to assign an address and other network parameters to the RADIUS user.

•aaa accounting network start-stop radius tracks PPP usage.

•aaa authentication login admins local defines another method list, "admins," for login authentication.

•login authentication admins applies the "admins" method list for login authentication.

RADIUS Cisco IOS Software Support

The following Cisco IOS software support is available for RADIUS.

1. AAA commands

2. RADIUS commands

3. RADIUS & AAA debug commands

AAA Commands
aaa new-model
aaa authentication login CONSOLE none
aaa authentication login RADIUS_LIST radius
aaa authentication login TAC_PLUS tacacs+ enable
aaa authentication login V.120 none
aaa authentication enable default enable tacacs+
aaa authentication ppp RADIUS_LIST if-needed radius
aaa authorization exec RADIUS_LIST radius if-authenticated
aaa authorization exec V.120 none
aaa authorization network default radius if-authenticated
aaa authorization network V.120 radius if-authenticated
aaa authorization network RADIUS_LIST if-authenticated radius
aaa accountin