Cisco AS5850 Universal Gateway Operations, Administration, Maintenance, and Provisioning Guide
Chap 3: Administration
Download this chapter
Chap 3: AdministrationChap 3: Administration
Download the complete book
Book-length pdfBook-length pdf (PDF - 2 MB)
give_us_feedback

Table Of Contents

Administration

Network Management Software

Remote Monitoring

Enabling Management Protocols: NTP, SNMP, and Syslog

Network Management Basics

Task 1. Enabling the Network Time Protocol

Task 2. Enabling Syslog

Task 3. Enabling SNMP

Task 4. Disabling the Logging of Access Interfaces

Task 5. Confirming the Final Running Configuration

Access Service Security

Local and Remote Server Authentication

Local Security Database

Remote Security Database

Configuring RADIUS

RADIUS Overview

RADIUS Operation

RADIUS Configuration Task List

Configuring Gateway to RADIUS Server Communication

Configuring Gateway to Use Vendor-Specific RADIUS Attributes

Configuring Gateway for Vendor-Proprietary RADIUS Server Communication

Configuring Gateway to Query RADIUS Server for Static Routes and IP Addresses

Configuring Gateway to Expand Network Cisco AS5850 Port Information

Specifying RADIUS Authentication

Specifying RADIUS Authorization

Specifying RADIUS Accounting

RADIUS Attributes

RADIUS Configuration Examples

RADIUS Cisco IOS Software Support

Configuring TACACS+

TACACS+ Authentication

Securing Access to Privileged EXEC and Configuration Mode

Communicating Between the Access and Security Servers

Configuring Authentication on a TACACS+ Server

Enabling AAA Globally

Defining Authentication Method Lists

Authentication Method List Examples

Applying Authentication Method Lists to Lines and Interfaces

TACACS+ Authorization

Configuring Authorization on the Security Server

Configuring Authorization (Network or EXEC)

Specifying an Authorization Method

Specifying Authorization Parameters on a TACACS+ Server

Authorization Examples

TACACS+ Security Examples


Administration

This chapter describes network administrative tasks using management software and protocols, and network-gateway security and control functionality with AAA and Remote Authentication Dial-In User Service (RADIUS) servers.

Note For details on implementing and operating a dial network management system (NMS), and on management functionality for a Dial Internet Access Service (DIAS), refer to the Basic Dial NMS Implementation Guide case study, available online at http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/as5850/index.htm

Network Management Software

The Cisco Universal Gateway Manager (CiscoUGM) can configure and manage the Cisco AS5850 fault, performance, and security functions. CiscoUGM is a UNIX-based solution that can be run from a Cisco Element Management Framework (EMF) server. CiscoUGM provides the following administrative management tasks:

FaultProvides device-specific and port-specific alarm frequency and severity information. The fault-management GUI supports point-and-click alarm acknowledgment and clearing functions, and also enables trap forwarding.

ConfigurationProvides various configuration services for the managed devices and their components. As objects are configured or modified, the CiscoUGM database is automatically updated to reflect the current configuration of the network.

PerformanceCollects performance information from each managed device and its components. This information allows you to monitor the network by viewing and graphing performance data associated with an object.

SecuritySupports role-based access to its management functions. The user administrator defines user groups and assigns users to these groups. It also supports control of administrative state variables for CiscoUGM resources.

Remote Monitoring

Remote monitoring (RMON) is an Internet Engineering Task Force (IETF) monitoring standard (RFC 1757) by which console systems and network monitors exchange statistical and functional data through RMON-compliant console managers and network probes. RMON data includes fault diagnostics, planning, and performance information.

RMON delivers information in nine unique RMON monitoring-element groups. Although some groups depend on others for support, each is optional so it is not necessary for vendors to support all groups within a management information base (MIB). See Table 3-1 for RMON group functions.

Table 3-1 RMON Groups 

RMON Group
Description

Alarm

Performs periodic statistical sampling.

Events

Controls the generation and notification of events.

Filters

Enables packet matching by equation filtering to form data streams that can be captured or can generate events.

History

Records and stores periodic statistical samples, numbers of samples, and items sampled from a network.

Host

Contains statistics associated with each discovered network host.

HostTopN

Creates tables describing hosts that top a list ordered by a rate-based statistic.

Matrix

Stores new conversation statistics detected on source and destination devices.

Packet Capture

Enables packet capturing.

Statistics

Contains probe-calculated statistics for each interface monitored on device.


Enabling Management Protocols: NTP, SNMP, and Syslog

This section describes how to enable basic management protocols on a Cisco AS5850 as part of a dial-access service. It does not describe how to integrate Cisco IOS software with Microsoft Windows NT or UNIX servers. It describes management protocols only from the perspective of the Cisco IOS software.

Network Management Basics

Figure 3-1 shows how management protocols interact between Cisco IOS software (client) and a network-element-management server. Dashed lines represent different protocols and functions. In the figure, the following occurs:

NTP synchronizes time between network devices.

The SNMP element manager (EM) receives SNMP traps from the Cisco IOS software. The EM uses SNMP to query variables and set configurations.

Cisco IOS software sends logging messages to a syslog daemon.

Figure 3-1 NTP, SNMP, and Syslog Interactions

Table 3-2 provides the RFCs and websites for the management protocols described in this section.

Table 3-2 Management Protocol RFCs

Management Protocol
RFC
URL

NTP

1305

http://www.ietf.org/rfc/rfc1305.txt

SNMP

1157

http://www.ietf.org/rfc/rfc1157.txt


Note For more information about system management, refer to the Configuration Fundamentals Configuration Guide and Configuration Fundamentals Command Reference, available online for Cisco IOS Release 12.0 at http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/index.htm

Task 1. Enabling the Network Time Protocol

The Network Time Protocol (NTP) provides a common time base for networked routers, servers, and other devices. A synchronized time enables you to correlate syslog and Cisco IOS debug output to specific events. For example, you can find call records for specific users within one millisecond.

Comparing logs from various networks is essential for troubleshooting, fault analysis, and tracking of security incidents. Without precise time synchronization between all the various logging, management, and AAA functions, time comparisons are not possible.

An NTP-enabled network usually gets its time from an authoritative time source, such as a Cisco router, radio clock, or atomic clock attached to a timeserver. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within a millisecond of each another. NTP runs over UDP, which in turn runs over IP.

Note For more information about NTP, refer to the chapter on system management in Cisco IOS Release 12.0 Configuration Fundamentals Configuration Guide, available online at http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/fun_c/

To enable NTP, perform the following steps.

Step 1 Locate an authoritative clock source. For example, you can use a Cisco router or an atomic clock that is attached to a time server.

Step 2 Specify the primary NTP server IP address and automatic calendar updates as shown below: 

AS5850# ntp update-calendar

AS5850# ntp server 172.22.66.18 prefer

Step 3 Verify that the clock is synchronized to the NTP server. Inspect the status and time association. Clock sources are identified by their stratum levels. The following example shows a stratum-level-five clock. 

AS5850# show ntp status


Clock is synchronized, stratum 5, reference is 172.22.66.18

nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24

reference time is BB944312.4451C9E7 (23:11:30.266 PDT Wed Sep 22 1999)

clock offset is 0.5343 msec, root delay is 13.26 msec

root dispersion is 18.02 msec, peer dispersion is 0.09 msec

AS5850#

The following command identifies how often the network gateway is polling and updating to the stratum clock. An asterisk (*) next to the NTP servers IP address indicates successful synchronization with the stratum clock. 

AS5850# show ntp association


address         ref clock     st  when  poll reach  delay  offset    disp

*~172.22.66.18      172.60.8.1       16    46    64  377     1.0    0.53     0.1

 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

AS5850#

Task 2. Enabling Syslog

Cisco IOS software can send syslog messages to one or more element manager servers. Syslog messages are then collected by a standard UNIX-type or Windows NT-type syslog daemon.

Syslog enables you to do the following:

Centrally log and analyze configuration events and system error messages such as interface status, security alerts, environmental conditions, and CPU process overloads.

Capture client debug-output sessions in a real-time scenario.

Reserve Telnet sessions for making configuration changes and using show commands. This prevents Telnet sessions from getting interrupted by debug output.

Figure 3-2 shows the Cisco IOS software sending syslog data to an element manager. Syslog data either stays in the Cisco IOS software buffer or is pushed out and written to the hard disk on the element manager.

Figure 3-2 Syslog Messages Written to Hard Disk

Note The Cisco Systems UNIX syslog format is compatible with 4.3 BSD UNIX.

Step 1 Enable debug timestamps and include date, time, and milliseconds relative to the local time zone: 

AS5850# service timestamps debug datetime msec localtime show-timezone

AS5850# service timestamps log datetime msec localtime show-timezone

Step 2 Verify that console logging is disabled. If it is enabled, the network gateway intermittently freezes up as soon as the console port is overloaded with log messages. Increments on the number in the field "1 flushes" represent bad logging behavior. 

AS5850# show logging


Syslog logging: enabled (0 messages dropped, 1 flushes, 0 overruns)

    Console logging: level debugging, 1523 messages logged

    Monitor logging: level debugging, 0 messages logged

    Buffer logging: level debugging, 911 messages logged

    Trap logging: level informational, 44 message lines logged


AS5850(config)# no logging console

AS5850(config)# ^Z

AS5850# show logging


Syslog logging: enabled (0 messages dropped, 1 flushes, 0 overruns)

    Console logging: disabled

    Monitor logging: level debugging, 0 messages logged

    Buffer logging: level debugging, 912 messages logged

    Trap logging: level informational, 45 message lines logged
Caution Failure to enter the no logging console command may cause CPU interrupts, dropped packets, denial of service events, and router lockup.

Step 3 Specify the logging configuration: 

AS5850# logging 172.22.66.18

AS5850# logging buffered 10000 debugging

AS5850# logging trap debugging

The commands in this example are as follows.

Command
Purpose

logging 172.22.66.18

Specifies the syslog server's IP address.

logging buffered 10000 debugging

Sets the internal log buffer to 10,000 bytes for debug output (newer messages overwrite older messages).

logging trap debugging

Allows logging up to the debug level (all 8 levels) for all messages sent to the syslog server.

If you are working with multiple network gateways, assign a different logging facility tag to each server. Syslog information can be collected and sorted into different files on the syslog server. For example, assign local1 to network-gateway 1, local2 to network-gateway 2, and local3 to network-gateway 3. Assigning a different tag to each device enables you to intelligently sort and view syslog messages. 

AS5850# logging facility local7

Step 4 Verify that local buffered logging is working: 

AS5850# show logging


Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)

    Console logging: disabled

    Monitor logging: level debugging, 0 messages logged

    Buffer logging: level debugging, 2 messages logged

    Trap logging: level debugging, 53 message lines logged

        Logging to 172.22.66.18, 2 message lines logged


Log Buffer (10000 bytes):


Sep 26 16:32:02.848 PDT: %SYS-5-CONFIG_I: Configured from console by admin on console

Sep 26 16:33:16.069 PDT: %SYS-5-CONFIG_I: Configured from console by admin on console

AS5850#

Task 3. Enabling SNMP

The SNMP traps generated by Cisco gateways provide information on potentially harmful environmental conditions, processor status, port status, and security issues. Cisco IOS software generates SNMP traps based on the features that the Cisco IOS software supports.

Figure 3-3 shows the interactions and timing of the SNMP protocol between the EM (SNMP manager) and the network gateway (SNMP agent). Traps are unsolicited messages sent from the gateway to the EM. The four functions of SNMP include Get request, Get next, Set request, and Trap.

Figure 3-3 SNMP Event Interaction and Timing

Note A listing of all SNMP traps supported by Cisco is available online from the directory at ftp://ftp.cisco.com/pub/mibs/contrib/

Step 1 Configure the Cisco IOS software to support basic SNMP functions. Access lists 5 and 8 are used for SNMP community strings:

The read-only (RO) community string is called poptarts. It uses access list 8 as a filter.

The read-write (RW) community string is called pixysticks. It uses access list 5 as a filter. 

AS5850(config)# snmp-server contact admin user@the.doc

AS5850(config)# snmp-server location AS5850-corporate

AS5850(config)# snmp-server community poptarts RO 8

AS5850(config)# snmp-server community pixysticks RW 5

AS5850(config)# snmp-server host 172.22.66.18 maddog 

AS5850(config)# snmp-server trap-source Loopback0

AS5850(config)# snmp-server enable traps snmp


AS5850(config)# access-list 5 permit 172.22.67.1

AS5850(config)# access-list 5 permit 0.0.0.1 172.22.68.20

AS5850(config)# access-list 8 permit 172.22.67.1

AS5850(config)# access-list 8 permit 0.0.0.1 172.22.68.20

The commands in this example are as follows.

Command
Purpose 
snmp-server contact admin user@the.doc

Specifies a contact name to notify whenever an MIB problem occurs. 

snmp-server location AS5850S-corporate

Specifies a geographic location name for the router. 

snmp-server community poptarts RO 8

Assigns a read-only (RO) community string. Only queries and get requests can be performed.

The community string (poptarts) allows polling but no configuration changes. Without the correct community string on both machines, SNMP does not let you do the authorization to get or set the request. 

snmp-server community pixysticks RW 5

Assigns a read-write (RW) community string.

This community string (pixysticks) enables configuration changes to be performed. For example, you can shut down an interface, download a configuration file, or change a password. 

snmp-server host 172.22.66.18 maddog

Identifies the IP address of the SNMP host followed by a password. 

snmp-server trap-source Loopback0

Associates SNMP traps with a loopback interface so that an Ethernet shutdown does not disrupt SNMP management flow. 

snmp-server enable traps

Enables traps for unsolicited notifications for configuration changes, environmental variables, and device conditions. 

access-list 5 permit 172.22.67.1

access-list 8 permit 172.22.67.1

Permits access from a single element management server. 

access-list 5 permit 0.0.0.1 172.22.68.20

access-list 8 permit 0.0.0.1 172.22.68.20

Permits access from a block of addresses at your network operations center.


Caution If you are not using SNMP, be sure to turn it off. Never use a configuration that uses public or private as community strings. These strings are well known in the industry and are common defaults on hardware. They invite attacks, even if you use filters.

Step 2 Monitor SNMP input and output statistics. For example, display a real-time view of who is polling the network gateway for statistics and how often.

Note Be aware that excessive polling consumes CPU resources unnecessarily, causes packets to drop, and can crash the gateway. 

AS5850# show snmp


Chassis: 11811596

Contact: admin user@the.doc

Location: AS5850-corporate

0 SNMP packets input

    0 Bad SNMP version errors

    0 Unknown community name

    0 Illegal operation for community name supplied

    0 Encoding errors

    0 Number of requested variables

    0 Number of altered variables

    0 Get-request PDUs

    0 Get-next PDUs

    0 Set-request PDUs

0 SNMP packets output

    0 Too big errors (Maximum packet size 1500)

    0 No such name errors

    0 Bad values errors

    0 General errors

    0 Response PDUs

    0 Trap PDUs


SNMP logging: enabled

    Logging to 172.22.66.18.162, 0/10, 0 sent, 0 dropped.

AS5850#

Task 4. Disabling the Logging of Access Interfaces

Limit the amount of output logged from the group-async interface and ISDN D channels. Carefully choose the data sources for system management purposes. AAA accounting and the modem-call record terse feature provide the best data set for analyzing ISDN remote-node device activity.

Note Link status up-down events and SNMP trap signals occur regularly on access interfaces. Dialer interfaces going up and down is normal behavior and does not indicate a problem. Do not log them or send them to a management server.

The following configuration fragment disables logging on access interfaces: 

! for E1

interface Serial 0/0:23

 no logging event link-status

 no snmp trap link-status


! for T3

interface Serial 1/0:1:23

 no logging event link-status

 no snmp trap link-status

!

interface Group-Async 1

 no logging event link-status

 no snmp trap link-status

!

Task 5. Confirming the Final Running Configuration

The following is an example of the Cisco AS5850 running configuration with Cisco IOS Release 12.0(4) XL1 installed. 


AS5850# show running-config


Building configuration...


Current configuration:

!

version 12.0

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

!

hostname AS5850

!

logging buffered 10000 debugging

no logging console

aaa new-model

aaa authentication login default local

aaa authentication ppp default if-needed local

enable secret 5 $1$LKgL$tgi19XvWn7fld7JGt55p01

!

username user password 7 045802150C2E

username admin password 7 044E1F050024

!

!

resource-pool disable

!

modem-pool Default

 pool-range 2/0-10/143

!

!

spe 2/0 10/11

 firmware ios-bundled default

modem recovery action none

ip subnet-zero

no ip source-route

ip host guessme 172.22.100.9

ip domain-name the.net

ip name-server 172.22.11.10

ip name-server 172.22.12.11

!

async-bootp dns-server 172.30.10.1 172.30.10.2

isdn switch-type primary-ni

isdn voice-call-failure 0

!

!

controller T3 0/0

 framing m23

 cablelength 0

 t1 4 controller

!

!

voice-port 0/0:4:D

!

!

process-max-time 200

!

interface Loopback0

 ip address 172.22.99.1 255.255.255.255

 no ip directed-broadcast

!

interface Loopback1

 ip address 172.22.90.1 255.255.255.0

 no ip directed-broadcast

!

interface FastEthernet1/0

 ip address 172.22.66.23 255.255.255.0

 no ip directed-broadcast

!

interface Serial0/0:4:23

 no ip address

 no ip directed-broadcast

 no snmp trap link-status

 isdn switch-type primary-ni

 isdn incoming-voice modem

 no cdp enable

!

interface Group-Async0

 ip unnumbered FastEthernet1/0

 no ip directed-broadcast

 encapsulation ppp

 async mode interactive

 no snmp trap link-status

 peer default ip address pool addr-pool

 no cdp enable

 ppp authentication chap pap

 group-range 2/00 10/143

!

ip local pool addr-pool 172.22.90.2 172.22.90.254

ip classless

ip route 0.0.0.0 0.0.0.0 172.22.66.1

no ip http server

!

logging trap debugging

logging 172.22.66.18

access-list 5 permit 172.22.67.1

access-list 5 permit 0.0.0.1 172.22.68.20

access-list 8 permit 172.22.67.1

access-list 8 permit 0.0.0.1 172.22.68.20

snmp-server engineID local 00000009020000D0D3424C1C

snmp-server community poptarts RO 8

snmp-server community pixysticks RW 5

snmp-server community maddog view v1default RO

snmp-server trap-source Loopback0

snmp-server location AS5850-Austin

snmp-server contact admin dude@the.net

snmp-server enable traps snmp

snmp-server enable traps isdn call-information

snmp-server enable traps config

snmp-server enable traps entity

snmp-server enable traps envmon

snmp-server enable traps syslog

snmp-server enable traps rsvp

snmp-server enable traps frame-relay

snmp-server enable traps rtr

snmp-server enable traps dial

snmp-server enable traps dsp card-status

snmp-server enable traps bgp

snmp-server enable traps voice poor-qov

snmp-server host 172.22.66.18 maddog

!

banner login ^C

This is a secured device.

Unauthorized use is prohibited by law.

^C

!

line con 0

 transport input none

line aux 0

 transport input telnet

line vty 0 4

line 2/00 10/143

 autoselect during-login

 autoselect ppp

 modem InOut

 no modem log rs232

!

ntp update-calendar

ntp server 172.22.66.18 prefer

end

Access Service Security

The Cisco AS5850 is designed to support a security paradigm providing authentication, authorization, and accounting (AAA) security measures using RADIUS and TACACS+.

Authentication—Requires dial-in users to identify themselves and prove their identity, thus preventing wrongful access to lines on your Cisco AS5850, or connections through the lines directly to network resources.

Authorization—Prevents users from gaining access to particular network services and devices.

Accounting—Provides records for billing and other needs to determine who is connected to the network and how long they have been connected. It does not describe how to configure accounting.

This section describes how to configure security using a local database resident on your Cisco AS5850 or using a remote security database for Terminal Access Controller Access Control System with Cisco proprietary enhancements (TACACS+) and RADIUS. Refer to the "Local and Remote Server Authentication" section for local and remote authentication definitions.

Note This section does not provide a comprehensive security overview, nor does it describe how to completely configure TACACS, Extended TACACS, access lists, or RADIUS. It presents the most commonly used security mechanisms to prevent unauthenticated and unauthorized access to network resources through a Cisco AS5850. For a comprehensive overview of Cisco security tools, see the Cisco IOS Security Configuration Guide, available online at http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/index.htm

Local and Remote Server Authentication

This section describes the differences between local and remote security databases and the basic authentication process for each. Remote security databases described in this section include Terminal Access Controller Access Control System with Cisco proprietary enhancements (TACACS+) and RADIUS.

Generally the size of the network and type of corporate security policies and control determine whether you use a local or remote security database.

Local Security Database

If you have one or more centralized gateways providing access to your network, storing username and password security information on one of these servers (Cisco AS5850) for access to other nodes on the network is referred to as local authentication.

Remote Security Database

As your network expands, you need a centralized security database that provides username and password information to each gateway in the network. This centralized security database resides in a security server.

A centralized security database helps establish consistent remote-access policies throughout a corporation. An example of a remote security database server is the CiscoSecure product from Cisco Systems. CiscoSecure is a UNIX security daemon, with which you create a database that defines network users and their privileges. CiscoSecure uses a central database that stores user and group profiles with authentication and authorization information.

The Cisco AS5850 exchanges user-authentication information with a TACACS+ or RADIUS database on the security server by transmitting encrypted TACACS+ or RADIUS packets across the network.

Note For specific information about the interaction between the security server and the Cisco AS5850, see the Cisco IOS Security Configuration Guide, available online at http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/index.htm

Configuring RADIUS

This section describes the Remote Authentication Dial-In User Service (RADIUS) security system, defines its operation, and identifies appropriate and inappropriate network environments for using RADIUS technology. The "RADIUS Configuration Task List" section describes how to configure RADIUS with the authentication, authorization, and accounting (AAA) command set. The "RADIUS Configuration Examples" section offers two possible implementation scenarios.

Note For a complete description of the commands used in this section, refer to "RADIUS Commands" in the Cisco IOS Security Command Guide referenced above. To locate documentation of other commands that appear in this section, use the command-reference master index or search online.

RADIUS Overview

RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server. The server contains all user-authentication and network-service access information.

RADIUS is a fully open protocol, distributed in source-code format, that can be modified to work with any security system currently available on the market.

Cisco supports RADIUS under its AAA security paradigm. RADIUS can be used with other AAA security protocols, such as TACACS+, Kerberos, or local username lookup. RADIUS is supported on all Cisco platforms.

RADIUS has been implemented in a variety of network environments that require high levels of security while maintaining network access for remote users. Use RADIUS in the following network environments that require access security:

Networks with multiple-vendor gateways, each supporting RADIUS. For example, gateways from several vendors use a single RADIUS server-based security database. In an IP-based network with multiple vendor gateways, dial-in users are authenticated through a RADIUS server that has been customized to work with the Kerberos security system.

Turnkey network security environments in which applications support the RADIUS protocol, such as in an access environment that uses a "smart card" access-control system. In one case, RADIUS has been used with Enigmas security cards to validate users and grant access to network resources.

Networks already using RADIUS. You can add a Cisco router with RADIUS to the network. This might be the first step when you make a transition to a TACACS+ server.

Networks in which a user must access only a single service. Using RADIUS, you can control user access to a single host, to a single utility such as Telnet, or to a single protocol such as Point-to-Point Protocol (PPP). For example, when a user logs in, RADIUS identifies this user as having authorization to run PPP using IP address 10.2.3.4 and the defined access list is started.

Networks that require resource accounting. You can use RADIUS accounting independent of RADIUS authentication or authorization. RADIUS accounting functions allow data to be sent at the start and end of services, indicating the amount of resources (such as time, packets, and bytes) used during the session.

An Internet service provider might use a freeware-based version of RADIUS access-control and accounting software to meet special security and billing needs.

RADIUS is not suitable in the following network security situations:

Multiprotocol access environments. RADIUS does not support the following protocols:

AppleTalk Remote Access Protocol (ARAP)

NetBIOS Frame Protocol Control Protocol (NBFCP)

NetWare Asynchronous Services Interface (NASI)

X.25 PAD connections

Router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one Cisco router to a third-party router, if the company router requires RADIUS authentication.

Networks using a variety of services. RADIUS generally binds a user to one service model.

RADIUS Operation

When a user attempts to log in and authenticate to a Cisco AS5850 using RADIUS, the following events occur:

1. The user is prompted to enter a username and password.

2. The username and encrypted password are sent over the network to the RADIUS server.

3. The user receives one of the following responses from the RADIUS server:

ACCEPT—The user is authenticated.

REJECT—The user is prompted to reenter the username and password, or is denied access.

CHALLENGE—The user is challenged to provide additional data.

CHANGE PASSWORD—The user is asked to select a new password.

The ACCEPT or REJECT response is bundled with the following additional data needed for EXEC or network authorization:

Services that the user can access, including Telnet, rlogin, or local-area transport (LAT) connections, and PPP, Serial Line Internet Protocol (SLIP), or EXEC services

Connection parameters, including host or client IP address, access list, and user timeouts

RADIUS Configuration Task List

To configure RADIUS on your Cisco AS5850, use the following commands in global configuration mode (AS5850(config)# prompt).

Command
Purpose

aaa new-model

Enables AAA. AAA must be configured if you plan to use RADIUS.

aaa authentication

Define method lists for RADIUS authentication. For more information, see the "Specifying RADIUS Authentication" section.

line
and
interface

Enable the defined method lists to be used. For more information, see the "Specifying RADIUS Authentication" section.

aaa authorization

Optional. Authorizes specific user functions. For more information, see the "Specifying RADIUS Authorization" section.

aaa accounting

Enables accounting for RADIUS connections. Use is optional. For more information, see the "Specifying RADIUS Accounting" section.

Configuring Gateway to RADIUS Server Communication

The RADIUS host is normally a multiuser system running RADIUS server software from Livingston, Merit, Microsoft, or another software provider. A RADIUS server and a Cisco gateway use a shared secret text string to encrypt passwords and exchange responses.

To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon and a secret text string that it shares with the gateway. Use the radius-server commands in global configuration mode (AS5850(config)# prompt) as follows.

Command
Purpose

radius-server host {hostname | ip-address} [auth-port port-number]
[acct-port port-number]

Specifies the IP address or host name of the remote RADIUS server host and assigns authentication and accounting destination port numbers.

radius-server keystring

Specifies the shared secret text string used between the router and the RADIUS server.

radius-server retransmit retries

Specifies the number of times the router transmits each RADIUS request to the server before giving up (default is three). Use is optional.

radius-server timeout seconds

Specifies the number of seconds a router waits for a reply to a RADIUS request before retransmitting the request. Use is optional.

radius-server deadtime minutes

Specifies the number of minutes a RADIUS server that is not responding to authentication requests is passed over by requests for RADIUS authentication. Use is optional.

Configuring Gateway to Use Vendor-Specific RADIUS Attributes

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network Cisco AS5850 and the RADIUS server by using a vendor-specific attribute (Attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use.

The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option has vendor type 1, named "cisco-avpair." Other vendors have their own vendor IDs, options, and associated VSAs. The value is a string of the following format:

protocol : attribute {= | *} value


Protocol is a value of the Cisco protocol attribute for a particular type of authorization.

Attribute and value are an appropriate attribute/value (AV) pair defined in the Cisco TACACS+ specification.

= indicates a mandatory attribute and * indicates an optional attribute.

This allows the full set of features available for TACACS+ authorization to also be used for RADIUS.

For example, the following AV pair causes the Cisco multiple named ip address pools feature to be activated during IP authorization (during PPP's IPCP address assignment): 

cisco-avpair= "ip:addr-pool=first"

The following example causes a NAS-prompt user to have immediate access to EXEC commands: 

cisco-avpair= "shell:priv-lvl=15"

To configure the gateway to recognize and use VSAs, use the following radius-server command in global configuration mode (AS5850(config)# prompt).

Command
Purpose

radius-server vsa send
[accounting | authentication]

Enables the network Cisco AS5850 to recognize and use VSAs as defined by RADIUS IETF attribute 26.


Note For more information about vendor IDs and VSAs, refer to RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)." For a complete list of RADIUS attributes or more information about vendor-specific Attribute 26, refer to the RADIUS Attributes appendix.

Configuring Gateway for Vendor-Proprietary RADIUS Server Communication

Although the IETF draft standard for RADIUS specifies a method for communicating vendor-specific information between the network Cisco AS5850 and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.

To configure RADIUS (whether IETF draft-compliant or vendor-proprietary), you must specify the host running the RADIUS server daemon and the secret text string that it shares with the Cisco device. You must also identify whether the RADIUS server is using a vendor-proprietary implementation of RADIUS; vendor-proprietary attributes are not supported unless you do so.

To specify a vendor-proprietary RADIUS server host and a shared secret text string, use the following radius-server commands in global configuration mode (AS5850(config)# prompt).

Command
Purpose

radius-server host {hostname | ip-address} non-standard

Specifies the IP address or host name of the remote RADIUS server host and identifies that it is using a vendor-proprietary implementation of RADIUS.

radius-server keystring

Specifies the shared secret text string used between the router and the vendor-proprietary RADIUS server. The router and the RADIUS server use this text string to encrypt passwords and exchange responses.

Configuring Gateway to Query RADIUS Server for Static Routes and IP Addresses

Some vendor-proprietary implementations of RADIUS let you define static routes and IP pool definitions on the RADIUS server, instead of on each individual network with a Cisco AS5850. Each network queries the RADIUS server for static route and IP pool information.

To have the Cisco AS5850 query the RADIUS server for static routes and IP pool definitions when the device first starts up, use the following radius-server command in global configuration mode.

Command
Purpose

AS5850(config)#radius-server configure-nas

Has the Cisco AS5850 query the RADIUS server for static routes and IP pool definitions when the device first starts up.

Note Because this command is performed when the Cisco AS5850 starts up, you must first have entered the copy running-config startup-config command for it to take effect.

Configuring Gateway to Expand Network Cisco AS5850 Port Information

In some situations, PPP or login authentication occurs on an interface different from the one on which the call itself comes in. For example, in a V.120 ISDN call, login or PPP authentication occurs on a virtual asynchronous interface ttt, but the call itself occurs on one of the channels of the ISDN interface.

You can configure RADIUS to expand the size of the NAS-port attribute (RADIUS IETF Attribute 5) field to 32 bits. The upper 16 bits of the NAS-port attribute display the type and number of the controlling interface; the lower 16 bits indicate the interface undergoing authentication.

To display expanded interface information in the NAS-port attribute field, use the following radius-server command in global configuration mode (AS5850(config)# prompt).

Command
Purpose

radius-server attribute nas-port extended

Expands the NAS-port attribute size from 16 to 32 bits to display extended interface information. Replaces the radius-server extended-portnames command.

On platforms with multiple interfaces (ports) per slot, the Cisco RADIUS implementation does not provide a unique NAS-port attribute to distinguish between the interfaces. For example, if a dual PRI interface is in slot 1, calls on both Serial1/0:1 and Serial1/1:1 appear as NAS-port = 20101. This is due to the 16-bit field-size limitation associated with the RADIUS IETF NAS-port attribute. In this case, replace the NAS-port attribute with a vendor-specific attribute (RADIUS IETF Attribute 26). The Cisco vendor ID is 9, and the Cisco-NAS-port attribute is subtype 2.

To turn on VSAs and to display extended field information, use the following commands in global configuration mode (AS5850(config)# prompt).

Command
Purpose

AS5850(config)#radius-server vsa send [accounting | authentication]

Enables the network Cisco AS5850 to recognize and use VSAs as defined by RADIUS IETF Attribute 26.

AS5850(config)#aaa nas-port extended

Expands the size of the VSA NAS-port field from 16 to 32 bits to display extended interface information.

The standard NAS-port attribute (RADIUS IETF Attribute 5) continues to be sent. If you do not want it to be sent, suppress it by using the no radius-server attribute nas-port command.

Specifying RADIUS Authentication

After you identify the RADIUS server and define the RADIUS authentication key, you need to define method lists for RADIUS authentication. Because RADIUS authentication is facilitated through AAA, you need to enter the aaa authentication command and specify RADIUS as the authentication method.

Note For more information, refer to AAA section, "Configuring Authentication" chapter in the Cisco IOS Security Configuration Guide, available online at http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/index.htm

Specifying RADIUS Authorization

AAA authorization lets you set parameters that restrict user access to the network. Authorization using RADIUS provides one method for remote access control, including one-time authorization or authorization for each service; per-user account list and profile; user group support; and support of IP, IPX, ARA, and Telnet. Because RADIUS authorization is facilitated through AAA, you need to issue the aaa authorization command, specifying RADIUS as the authorization method.

Specifying RADIUS Accounting

The AAA accounting feature enables you to track services that users access and the amount of network resources that they consume. Because RADIUS accounting is facilitated through AAA, you need to issue the aaa accounting command, specifying RADIUS as the accounting method.

RADIUS Attributes

The network Cisco AS5850 monitors the RADIUS authorization and accounting functions defined by RADIUS attributes in each user profile.

The IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the network Cisco AS5850 and the RADIUS server. Some vendors, nevertheless, have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.

RADIUS Configuration Examples

RADIUS configuration examples in this section include the following:

RADIUS Authentication and Authorization Example

RADIUS Authentication, Authorization, and Accounting Example

Vendor-Proprietary RADIUS Configuration Example

RADIUS Authentication and Authorization Example

The following configuration fragment example shows a gateway configuration to authenticate and authorize using RADIUS: 

aaa authentication login use-radius radius local

aaa authentication ppp user-radius if-needed radius

aaa authorization exec radius

aaa authorization network radius

The commands in this example are as follows.

Command
Purpose

aaa authentication login user-radius radius local

Configures the gateway to use RADIUS for authentication at the login prompt. If RADIUS returns an error, the user is authenticated using the local database. In this example, user-radius is the name of the method list that specifies RADIUS and then local authentication.

aaa authentication ppp user-radius if-needed radius

Configures the Cisco IOS software to use RADIUS authentication for lines using Point-to-Point Protocol (PPP) with CHAP1 or PAP2 if the user is not already authorized. If the EXEC facility has authenticated the user, RADIUS authentication is not performed. In this example, user-radius is the name of the method list defining RADIUS as the if-needed authentication method.

aaa authorization exec radius

Sets the RADIUS information that is used for EXEC authorization, autocommands, and access lists.

aaa authorization network radius

Sets RADIUS for network authorization, address assignment, and access lists.

1 Challenge-Handshake Authentication Protocol

2 Password Authentication Protocol

RADIUS Authentication, Authorization, and Accounting Example

The following example is a general configuration using RADIUS with the AAA command set: 

radius-server host 123.45.1.2

radius-server key myRaDiUSpassWoRd

username root password ALongPassword

aaa authentication ppp dialins radius local

aaa authorization network radius local

aaa accounting network start-stop radius

aaa authentication login admins local

aaa authorization exec local

line 1 16

 autoselect ppp

 autoselect during-login

 login authentication admins

 modem ri-is-cd

interface group-async 1

 encaps ppp

 ppp authentication pap dialins

The commands in this example are as follows.

Command
Purpose

radius-server host

Defines the IP address of the RADIUS server host.

radius-server key

Defines the shared secret text string between the network Cisco AS5850 and the RADIUS server host.

aaa authentication ppp dialins radius local

Defines the authentication method list dialins, which specifies that RADIUS authentication, then (if the RADIUS server does not respond) local authentication are used on serial lines using PPP.

ppp authentication pap dialins

Applies the dialins method list to the lines specified.

aaa authorization network radius local

Assigns an address and other network parameters to the RADIUS user.

aaa accounting network start-stop radius

Tracks PPP usage.

aaa authentication login admins local

Defines another method list, admins, for login authentication.

login authentication admins

Applies the admins method list for login authentication.

Vendor-Proprietary RADIUS Configuration Example

The following sample is a general configuration using vendor-proprietary RADIUS with the AAA command set: 

radius-server host alcatraz non-standard

radius-server key myRaDiUSpassWoRd

radius-server configure-nas

username root password ALongPassword

aaa authentication ppp dialins radius local

aaa authorization network radius local

aaa accounting network start-stop radius

aaa authentication login admins local

aaa authorization exec local

line 1 16

autoselect ppp

autoselect during-login

login authentication admins

modem ri-is-cd

interface group-async 1

encaps ppp

ppp authentication pap dialins

The commands in this example are as follows.

 
Command
Purpose

Step 1 

radius-server host non-standard

Defines the name of the RADIUS server host and specifies that it use a vendor-proprietary version of RADIUS.

Step 2 

radius-server key

Defines the shared secret text string between the network Cisco AS5850 and the RADIUS server host.

Step 3 

radius-server configure-nas

Defines that the Cisco AS5850 is to query the RADIUS server for static routes and IP pool definitions when the device first starts up.

Step 4 

aaa authentication ppp dialins radius local

Defines the authentication method list dialins, which specifies that RADIUS authentication, then (if the RADIUS server does not respond) local authentication is used on serial lines using PPP.

Step 5 

ppp authentication pap dialins

Applies the dialins method list to the lines specified.

Step 6 

aaa authorization network radius local

Assigns an address and other network parameters to the RADIUS user.

Step 7 

aaa accounting network start-stop radius

Tracks PPP usage.

Step 8 

aaa authentication login admins local

Defines another method list, admins, for login authentication.

Step 9 

login authentication admins

Applies the admins method list for login authentication.

RADIUS Cisco IOS Software Support

The following Cisco IOS software support is available for RADIUS:

AAA commands

RADIUS commands

RADIUS and AAA debug commands

Configuring TACACS+

To configure basic security, use the following commands in global configuration mode (AS5850(config)# prompt).

 
Command
Purpose

Step 1 

aaa new-model

Enables the AAA access control modem that includes TACACS+.

Step 2 

aaa authentication login default local

Enables AAA authentication method during login.

Step 3 

aaa authentication login console none

Enables AAA authentication method during login using a methods list.

Step 4 

aaa authentication ppp default if-needed local