ASK THE EXPERT - AUTHENTICATION, AUTHORIZATION & ACCOUNTING

Unanswered Question
Apr 24th, 2009
User Badges:
  • Gold, 750 points or more

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to secure your infrastructure with AAA with Cisco expert Mike Griffin. Mike is a network consulting engineer in the central engineering - security architecture and design group of advanced services. He works with many of Cisco's largest customers in the design and implementation of their networks with a focus in network security. In this role, he concentrates on establishing leading practices for the implementation of various security products. Mike has been in the networking industry for 17 years (10 of that with Cisco) and he is also CCIE certified in routing and switching (# 8492).

Remember to use the rating system to let Mike know if you have received an adequate response.


Mike might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through May 8, 2009. Visit this forum often to view responses to your questions and the questions of other community members.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.3 (4 ratings)
Loading.
sovatelnick Fri, 04/24/2009 - 23:40
User Badges:

Does ASR 1002 (IOS XE 2.3.0) support pptp dialin? I would like to terminate MS Windows pptp connections.

I've configured l2tp and it's work. PPTP is not work. Is it my mistake or IOS XE 2.3.0 bug? (if you know about the bug, do you know a date of release corrected IOS XE?)

Hi Experts.

This is Raja. Im a baby to this field and planning to start a business which is gonna support a application through online, I want to do a network set up for the communication.Its gonna be a 10 node small business.where i want to manage the LAN connection for internet and also the tunneling. can some one suggest me which series of switch , router and firewall will work out my set up. waiting for you experts.. thanks in advance..

mikegrif Sat, 04/25/2009 - 15:54
User Badges:

This forum is dedicated to AAA questions. I'd suggest one of the Network Infrastructure forums for your question.

ahmad-sajjad Sun, 04/26/2009 - 13:00
User Badges:

Hi


I need to create a users in TACACS+ and allow him only "SHOW RUNN" command. There are two users in default NDG and one user ID is for the administrator with priviliege 15 and other user id ll be used to view only the devices configuration. Any suggestion?


Regards

sahmedshahcsd Mon, 04/27/2009 - 01:33
User Badges:

Try enabling shell command authorization permit "Show Run" and grant privilege level "6" to restrict the user from executing other commands.


The best approach will be assigning two users to two different groups such as Admin Group and User Group in order to achieve group and user level authorizations.


Hope this helps

Ahmed

mikegrif Mon, 04/27/2009 - 07:03
User Badges:

Users are assigned to User Groups while network devices are assigned to Network Device Groups (NDGs). This is an important distinction which will be referenced later in this post.


This topic is more complicated than you might think. The "show running-config" and "write terminal" commands only show the parts of the running config that a user's privilege level would be authorized to change. The "show startup-config" and "show config" commands, on the other hand, will show the entire start up (saved) configuration. For this reason, you can't simply have a user at level 1 (or anything under level 15), allow access to the "show running-config" command and expect them to see the entire config.


What you will need to do is assign the desired user to a new group, have the user login as privilege level 15, apply a command authorization set to that group that ONLY allows the "show running-config" command (and denies all others), and perform command level 15 authorization on the devices. The downside is that this user MUST have level 15 access. This means that the user will have complete access alter to the config of any device that is not performing command level 15 authorization. You can use NDGs in ACS to restrict which devices this user (or user group) has access to though.


Remember that a user can be dropped directly into level 15 with "aaa authorization login" on the devices and a privilege-level defined in ACS.


http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml



edvznadm Mon, 04/27/2009 - 06:24
User Badges:

Hi Mike,


we want to authenticate local users with our Cisco Secure ACS SE and non-local users via proxy radius servers.

This works, when we have not more than 12 entries (+1 for default) in the proxy distribution table of the ACS. But for "eduroam" we need up to 40 entries and then we get "user unknown" errors in the log of our WLC.


Any ideas or a known limitation?


Wolfgang

Surya Dathan Mon, 04/27/2009 - 19:55
User Badges:

Hi Mike,


I am facing a very big issue and only you can help me to find a solution.


The scenario is I have some Cisco IPSEC VPN Concentrator's that need to be removed from the network. We already have another Juniper VPN which is working fine all the way.But a large number of users were using this IPSEC VPN previously.So the customer needs to allow access to this IPSEC VPN to some users and deny access to others.But these "some" permitted users are from different groups inside the Windows AD.So i tried creating a local group and adding all these permitted users in to it and applied Network Access Restrictions. I have applied shared NAR, per group NAR and CLI/DNIS based Acces Restrictions to deny access to my IPSEC VPN. but somehow it doesnt work. After applying all these my IPSSEC VPN Client still can communicate with the VPN 3000 concentrator.


Does i did any wrong? Please advice me on how can i achieve the intended result. If i can use any other ways to achieve the result, please advice me that too...


Appreciate your great help and eagerly waiting for your reply


Subhash

mikegrif Tue, 04/28/2009 - 07:33
User Badges:

Putting the users into another group and using NARs should be the proper approach for this. Another approach would be, if the list of users is relatively small, to add the users directly to the VPN3K (with external AD authentication) and do away with the default authentication method there. That way, only users in the local DB (even though their authentication method is remote) would be able to log into the VPN3K.


edvznadm Mon, 04/27/2009 - 23:18
User Badges:

Mike,

here is my suffix list:

@ourdomain pointing to our ACS,

.at

.de

.cz

.sk

.hu

.si

.hr

.it

.ch

.fi

.uk

pointing to the 2 proxy radius servers.

When I add another TLD, eg. .ca or .fr, no authentication and "user unknown" errors at the WLC.

My first idea was to use the "Default"-entry for proxy authentication of non-local users and let the ACS authenticate our users but this doesn't work so we need to do it with the TLDs for each country...

Wolfgang

mikegrif Tue, 04/28/2009 - 07:27
User Badges:

What kind of errors are you getting on the ACS? An Unknown user error on the WLC could simply mean there was an authentication timeout. I'd like to see what the ACS is saying.


Also, have you opened a TAC case on this issue? I'd be interested to see what the ACS TAC folks have to say regarding this.


Mike

edvznadm Wed, 04/29/2009 - 08:03
User Badges:

The ACS says nothing for passed authentications and failed attempts. I only see radius accounting for successful authentications.

Our local Cisco distributor has opened a TAC case and I send him debug infos of the WLC for successful and unsuccessful authentication requests so he can forward this info to the folks.


Wolfgang

mikegrif Thu, 04/30/2009 - 07:45
User Badges:

I think the TAC case is your best bet here. If passed and failed authentication logging is enabled on the ACS, then you should see something in those logs regarding these sessions.

measton8245 Thu, 04/30/2009 - 07:32
User Badges:

Through Cisco Network Assistance, how do you create a user with level 14, so they only have read only access.

mikegrif Thu, 04/30/2009 - 07:43
User Badges:

I am not sure what you mean by "Network Assistance". However, commands are only assigned to privilege levels 0,1, and 15 by default. So if you have not changed any of the command privilege levels, then a user at level 14 has the exact same access as a user at level 1.

lpoon Thu, 04/30/2009 - 16:38
User Badges:

Hi Mike, i would like to setup AAA accounting. Is there a doc somewhere that show you the steps and procedures required to have this setup?.

balsheikh Mon, 05/04/2009 - 05:15
User Badges:


Hello Mike,


as per my moderate knowledge there is no built-in failover or statfull failover mechanism for on ACS for HA.


What is the best visible way to implement HA (High Availability) for ACS appliance and windows based as well ?!


Regards,

Belal

mikegrif Mon, 05/04/2009 - 05:37
User Badges:

Authentication sessions are very fast and short lived sessions. While there is state involved in the TACACS+ TCP session (RADIUS is UDP), the sessions are so short lived that it does not make sense to keep the state of the authentication session. So no, there is no stateful failover for ACS.

You build HA with service redundancy. You can either put your ACS servers behind a load balancer like you would with a web server or you can have the redundancy added to the device (router and switch) configuration. You can configure your devices to reference 2 (or more) servers. If the primary server is unresponsive, then the device will query the next server on the list.

balsheikh Mon, 05/04/2009 - 06:36
User Badges:

This is great, but here you are talking about load balancing for the client's request. my concern how could I have shared or synced database for two different ACS's, in case one failed the secondary can carry over.

mikegrif Mon, 05/04/2009 - 06:40
User Badges:

There is synchronization built into ACS. There is a master/slave relationship configured for the replication of the data. If you do backend authentication (forward the requests to AD or a Token server) then you will need to consider HA for those systems as well.

Mike

tag-jserver Mon, 05/04/2009 - 13:57
User Badges:

Can you recommend a Cisco router for one of our clients? They recently switched ISP to Speakeasy who installed a Hatteras HN 407 bridge. We have had Internet connectivity problems using our customer's SonicWall 3060 firewall, and we experienced similar problems when attempting to use a newer Sonicwall TZ180. We temporarily installed a Linksys W54GT router, which has been working perfectly; however, I would like to have a more robust router for their 25 user network - VPN, two WAN connections, etc. Can you recommend a small business router with 2 WAN connections?


Thank you,

James Server

mikegrif Tue, 05/05/2009 - 06:49
User Badges:

This forum is for questions related to AAA. You should try one of the other forums for this question. The WAN, Routing, and Switching forum might be a good place to start.

svohenry09 Mon, 05/04/2009 - 14:24
User Badges:

Hello,

Would you please help me how to set up a home network.There are few questions:


How to connect outside network which is AT&T DSL moderm to A Cisco firewall and than to Cisco Switch 3550 which has 48 ports???

I have connected them like the folowing instruction; however, it did not work.http://www.cisco.com/en/US/docs/security/pix/pix63/quick/guide/63_515qk.html#wp47817. Please help, any advices,It would be appreciated.


Henry Vo

mikegrif Tue, 05/05/2009 - 06:52
User Badges:

This forum is for questions related to AAA. You should try one of the other forums for this question. The Firewalling forum might be a good place to start. When you post to the other forum, I would suggest describing more in depth what you mean by it is not working. Configs would be helpful as well.

aabdullah25 Mon, 05/04/2009 - 23:54
User Badges:

Hi Mike,


We have Cisco ASE 1112 with ACS 3.3 version. Can this device support an upgrade to ACS 4.x version. If yes, can you please mention how this can be done.


thanks in advance

pavlosd Tue, 05/05/2009 - 01:26
User Badges:

We are currently using Cisco Access Registrar as a Service Provider Radius. I want to know, what if the default behaviour of the Radius for the Accounting-On and Accounting-Off packets. Does it automatically release any sessions from a specific NAS or Not?

mikegrif Tue, 05/05/2009 - 07:15
User Badges:

I don't understand your question. Can you please clarify what you mean by the Accountint-on and Accounting-Off packets? However, I can tell you that the access registrar does not force the NAS to drop any sessions. Accounting packets are merely sent from the NAS to inform the RADIUS server that a session (or command, or some other action) has started or ended.


pavlosd Tue, 05/05/2009 - 20:15
User Badges:

Hi Mike,


What I mean by accounting-On/Off is with the Acc-Status-Type. Optionally used by NAS Server to inform a Radius that is back in Service and will start sending Accounting Packets (Start|Stop).


We noticed that with Accounting Packets, the CAR Radius can release sessions. But we could not figure out what is the default behaviour. i.e. with Accounting-Stop, Radius will release an IP Address from Pool but is this appliacable to all accounting-stop messages or depends on the reason?

mikegrif Wed, 05/06/2009 - 07:08
User Badges:

Sorry, I do not have any experience with Cisco Access Registrar and therefore no knowledge of the default behavior of the application. You might want to try the question in the Security -> AAA forums or possibly the Network Management forums.

dragnia_s Tue, 05/05/2009 - 04:24
User Badges:

Hi Mike,


I wanted to assign diffrent privilege levels to diffrent NDG in a group but it does't work


I'm refering to the Define max Privilege on a per network device group basis in Enable options

Any ideea what am i missing


Tnx

mikegrif Tue, 05/05/2009 - 07:11
User Badges:

Make sure that you are doing "aaa authorization" on the devices. The privilege level is assigned/enforced with authorization rather than authentication.

Mike

dragnia_s Tue, 05/05/2009 - 07:37
User Badges:

I've configured aaa authorization exec xxx group tacacs+ local


Do i have to configure something else?


I basicly want to force the max priv level to say 4


Stelian



mikegrif Tue, 05/05/2009 - 07:48
User Badges:

Did you use aaa authorization exec xxx, or exec default? If you use default, there should be nothing else to do. If you used xxx, have you told the VTY and/or Console lines to use authorization profile xxx?

What exactly is happening? Are the users still able to escalate to priv level 15?

dragnia_s Tue, 05/05/2009 - 10:45
User Badges:

I am using xxx and aplied it to the vty lines

Yes, the problem is that users are still able to escalate to priv lev 15

When I config the command auth set per NDG it works fine


As I see from the output of the debug i listed it is not the user'me' who tries to authenticate to priv level 15 but NULL. But i don't know if i interpreted it corectly


Stelian


7w2d: tty1 AAA/AUTHOR/CMD (1323510079): Port='tty1' list='xxx' service=CMD

7w2d: AAA/AUTHOR/CMD: tty1 (1323510079) user='me'

7w2d: tty1 AAA/AUTHOR/CMD (1323510079): send AV service=shell

7w2d: tty1 AAA/AUTHOR/CMD (1323510079): send AV cmd=enable

7w2d: tty1 AAA/AUTHOR/CMD (1323510079): send AV cmd-arg=

7w2d: tty1 AAA/AUTHOR/CMD (1323510079): found list "xxx"

7w2d: tty1 AAA/AUTHOR/CMD (1323510079): Method=tacacs+ (tacacs+)

7w2d: AAA/AUTHOR/TAC+: (1323510079): user=me

7w2d: AAA/AUTHOR/TAC+: (1323510079): send AV service=shell

7w2d: AAA/AUTHOR/TAC+: (1323510079): send AV cmd=enable

7w2d: AAA/AUTHOR/TAC+: (1323510079): send AV cmd-arg=

R1#

7w2d: AAA/AUTHOR (1323510079): Post authorization status = PASS_ADD

R1#

7w2d: AAA/MEMORY: free_user (0x1A9A4E8) user='NULL' ruser='NULL' port='tty1' rem_addr='1.2.3.4' authen_type=ASCII service=ENABLE priv=15


mikegrif Tue, 05/05/2009 - 11:01
User Badges:

Can you also supply the aaa and vty configs?

dragnia_s Tue, 05/05/2009 - 11:11
User Badges:

here it is





aaa new-model

aaa authentication login xxx group tacacs+ local

aaa authorization exec xxx group tacacs+ local

aaa authorization commands 0 xxx group tacacs+ local

aaa authorization commands 1 xxx group tacacs+ local

aaa authorization commands 15 xxx group tacacs+ local

aaa accounting exec xxx-acct start-stop group tacacs+

aaa accounting commands 0 xxx-acct start-stop group tacacs+

aaa accounting commands 1 xxx-acct start-stop group tacacs+

aaa accounting commands 15 xxx-acct start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common




line vty 0 4

authorization commands 0 xxx

authorization commands 1 xxx

authorization commands 15 xxx

authorization exec xxx

accounting commands 0 xxx-acct

accounting commands 1 xxx-acct

accounting commands 15 xxx-acct

accounting exec xxx-acct

logging synchronous

login authentication xxx

mikegrif Tue, 05/05/2009 - 11:29
User Badges:

ah ha. You need to do "aaa authentication enable default group tacacs+ local" as well. Issuing the enable command (to escelate your privileges) will trigger another authentication session. If you are not doing enable authentication, then the user then becomes "Null". If you do TACACS+ based enable authentication, then the user and password are sent to the AAA server again and that is when the exec authorization can restrict the priv-level to be used.

http://tools.cisco.com/Support/CLILookup/cltSearchAction.do?Application_ID=CLT&IndexId=IOS&IndexOptionId=123&SearchPhrase=%22aaa%20authentication%22&Paging=25&ActionType=getCommandList&Bookmark=True


Mike

dragnia_s Tue, 05/05/2009 - 11:45
User Badges:

thanks alot, it works


but the local keyword is not recognised, I thik the enable keyword is the correct one for fallback

mikegrif Tue, 05/05/2009 - 11:52
User Badges:

That is a good point. Enable is the correct fallback method rather than local.

nomair_83 Tue, 05/05/2009 - 04:57
User Badges:
  • Bronze, 100 points or more

Dear Mike,


Can I use ACS to schedule the engineers to access the devices on june at particular time?

All the devices are configured in ACS but Im facing problem in scheduling.


Regards





mikegrif Tue, 05/05/2009 - 07:09
User Badges:

There is no way that I know of to schedule access for a certain time period in the future with ACS. You can schedule time of day and day of week restrictions for a user group which will apply immediately and to all devices that the group is allowed access to.

nomair_83 Wed, 05/06/2009 - 00:00
User Badges:
  • Bronze, 100 points or more

Thanx mike, I was wasting my time to get this done:).


Second, In ACS 4.2, is windows authentication with windows server 2003 64 bit supported or not?

mikegrif Wed, 05/06/2009 - 07:16
User Badges:

I do not believe that ACS (or ACS Remote Agent if you are talking about ACS-SE) is supported on a 64 bit OS. It MAY work, but simply has not been tested and therefore is considered non-supported. Sorry.

Actions

This Discussion