Configuring Cisco ASA RADIUS and TACACS+ AAA

Core Knowledge and Real World Scenarios

As companies grow so does the need to authenticate users to a centralized database such as Active Directory. Single sign on (SSO) is a very common policy implemented by companies around the globe to ensure that users do not have multiple usernames and passwords for difference services. Studies show that when a users have to memorize more than three different username and password pairs, they tend to write them down and post them on their monitor which of course is super secure.

As networks grow so does the need to have multiple usernames to administer them with. This of course poses a problem with local usernames on every device in the infrastructure. Imagine hiring a new network engineer and having to go in and add his username and password to over 200 network devices? This is just not feasible.

The simple solution for this problem is to have network devices authenticate administrative access to a RADIUS server or TACACS+ Server (Commonly Cisco ACS). Section 8 of the CCNA Security workbook published by Free CCNA Workbook will go into detail regarding the configuration of Cisco ACS 5 however this lab will just discuss the configuration of the Cisco ASA.

So there are several reasons as to why you would want to use a centralized user database. The first being compliance and regulations. There are several regulations and laws written that users who log into sensitive devices which transmit health, financial or even classified information must be logged for paper trail and auditing purposes.

Another big reason is to minimize administrative overhead. Instead of creating a user account on 200 devices throughout the infrastructure you create it in a single location and if or when the time comes that the engineer you hired has voluntarily left or has been terminated, you can simply disable his account thus revoking his administration and remote access privileges to the network.

RADIUS

First lets take a look at RADIUS which is an IETF Standard and is used around the globe for authentication, authorization and accounting. When using RADIUS for authentication, the username is sent over the wire in clear text however the password is encrypted. While some companies require more security, RADIUS is more than capable of suiting the needs of most companies.

In order to configure the Cisco ASA to authenticate administrative users to a RADIUS server you must first define the radius server group using the aaa-server group STUBLAB_RADIUS protocol radius whereas “STUBLAB_RADIUS” is the name of the group.

After which you must define server host(s) that belong to the newly defined radius server group, this is done through the use of the aaa-server STUBLAB_RADIUS (INSIDE) host 10.1.1.25 CISCO123 whereas (INSIDE) defines the interface in which the radius host is accessible and CISCO123 defines the pass phrase.

Once you define the radius host server you will be placed in aaa-server-host configuration mode where you have the ability to configure additional options related to the specific radius server such as retry-interval, timeout, authentication port and more. For example lets say you want to use the authentication port 1812, in aaa-server-host configuration mode you would use the authentication-port 1812 command.

You can verify your configuration by using the show run aaa-server as demonstrated below;

FW1# show run aaa-server
aaa-server STUBLAB_RADIUS protocol radius
aaa-server STUBLAB_RADIUS (INSIDE) host 10.1.1.25
 key *****
 authentication-port 1812
FW1#

Notice how the pass phrase is anonymized, you can recover the pass phrase by using the more system:running-configuration

When you view the running configuration stored in memory (The system filesystem) you use the pipe commands such as begin, exclude, include, grep.

TACACS+

Next lets take a look at TACACS+ (Pronounced Tack Axe Plus).

Like RADIUS, TACACS+ provides an authentication, authorization and accounting service. This lab will concentrate on the authentication port of TACACS+ whereas all traffic between the authenticating node and the TACACS+ server is encrypted.

However the configuration is very similar in that you define a AAA-Server group by name and protocol, in this case would be TACACS+. The command to do this is aaa-server group STUBLAB_TACACS protocol tacacs+

You also need to define the host servers in the aaa-server group as well as any other optional parameters. In this case the server is defined in the same manner as you would define the RADIUS server using the command aaa-server STUBLAB_TACACS (INSIDE) host 10.1.1.26 CISCO123

Commands You Should Know

As a network engineer implementing the technologies outlined in this lab you should be familiar with the following commands provided in the matrix table below;

Command	Description
aaa-server {GROUP_NAME} protocol {radius \| tacacs+}	This command is executed in global configuration mode to define a aaa server group by name and protocol, radius or tacacs
aaa-server {GROUP_NAME} (INSIDE) host x.x.x.x PASSPHRASE	This command is executed in global configuration mode to define a host server within the aaa-server group
authentication-port 1812	This command is executed in aaa-server-group configuration mode to define the authentication port for the specific server. Default is 1645, RADIUS Standard used with FreeRADIUS 3.x is 1812.

Lab Logical Topology

The following logical topology is used in most labs found through out Section 7 of the CCNA Security Workbook;

Free CCNA Workbook - Security Workbook Section 7 Topology

To view the physical cabling topology please visit the Topology page.

RADIUS and TACACS+ Server(s)

To demonstrate the verification process in the Lab Instruction portion of this lab, a RADIUS using TCP Port 1812 and TACACS server has been placed on the INSIDE network segment of FW1 with the host IP address of 10.1.1.25. This server is directly connected to SW1 GigabitEthernet0/2 and configuration to access this server is provided in the initial configuration script of SW1 that you must load before attempting this lab or IP communication with the RADIUS/TACACS+ server will fail.

To verify your configuration with the Stub Lab RADIUS Server and TACACS Server please user the following credentials;

	Username	Password
RADIUS	radius.stublab	Stublab123
TACACS+	tacacs.stublab	Stublab123

Lab Device Initial Configurations

In Section 7 you’ll only be configuring FW1. You will however use other lab devices to verify your configuration on FW1.

If you completed the previous lab you can continue where you left off otherwise you’ll need to load the following initial configurations into their respective device(s);

!############################################
!#  FW1 -  CCNA Security Workbook Lab 7-10  #
!############################################
!
enable

config terminal
!
hostname FW1
!
username jdoe password whoami privilege 15
username cisco password cisco privilege 15
enable password cisco
!
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 198.51.100.37 255.255.255.252 
 no shutdown
!
interface Ethernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.1.1.254 255.255.255.0
 no shutdown
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.1.250.254 255.255.255.0
 no shutdown
!
aaa-server STUBLAB_RADIUS protocol radius
aaa-server STUBLAB_RADIUS (INSIDE) host 10.1.1.25
 key CISCO123
 authentication-port 1812
!
aaa-server STUBLAB_TACACS (INSIDE) host 10.1.1.26
 key CISCO123
!
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
!
banner login ####################################
banner login #  UNAUTHORIZED ACCESS PROHIBITED  #
banner login ####################################
!
banner motd #####################################################
banner motd #  CONTACT JOHN PRIOR TO MAKING ANY CONFIG CHANGES  #
banner motd #####################################################
!
route OUTSIDE 0.0.0.0 0.0.0.0 198.51.100.38
!
dhcpd address 10.1.1.10-10.1.1.50 INSIDE
dhcpd dns 1.1.1.1 2.2.2.2 interface INSIDE
dhcpd enable INSIDE
!
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 network 10.1.250.0 255.255.255.0 area 51
!
crypto key gen rsa modulus 2048 noconfirm
telnet 1.1.1.1 255.255.255.255 INSIDE
ssh 10.1.1.0 255.255.255.0 INSIDE
!
asdm image flash:asdm-732.bin
http 10.1.0.0 255.255.0.0 INSIDE
http server enable
!
end

Section 7 Pre-Configured Lab Device(s)

The following lab devices have been pre-configured to save you time as you’ll only be working with FW1 in Section 7.

In order to complete the labs in section 7 you MUST load the following pre-configuration(s);

!############################################
!#  R1 - CCNA Security Workbook Section 7   #
!############################################
!
enable
config terminal
!
hostname R1
!
no ip domain lookup
!
aaa new-model
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local if-authenticated 
!
aaa session-id common
!
username cisco privilege 15 password 0 cisco
enable password cisco
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 description Link to SW1 FastEthernet0/2 (INSIDE)
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
 no shutdown
!
interface FastEthernet0/1
 description Link to SW2 FastEthernet0/2 (INSIDE)
 ip address 10.1.10.1 255.255.255.0
 duplex auto
 speed auto
 no shutdown
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
!
interface Serial0/1/0
 no ip address
 shutdown
!
router eigrp 10
 network 0.0.0.0
 no auto-summary
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
!
router rip
 version 2
 network 10.0.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.1.1.254 250
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
banner login ^
############################################
#  R1  -  CCNA Security Workbook Section 7 #
#  NOTICE:  This Router is Preconfigured   #
############################################
^
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 transport input all
!
end

!############################################
!#  SW1 - CCNA Security Workbook Section 7  #
!############################################
!
enable
config term
!
hostname SW1
!
username cisco privilege 15 password cisco
enable password cisco
!
aaa new-model
aaa authentication login default local
aaa authorization console
aaa authorization exec default local if-authenticated 
!
vtp mode transparent
ip routing
!
spanning-tree mode rapid-pvst
!
vlan internal allocation policy ascending
!
vlan 11
 name FW1_INSIDE-10.1.1.0-24
!
vlan 22
 name FW2_INSIDE-10.2.2.0-24
!
vlan 110
 name R1_ETH0-1_10.1.10.0-24
!
vlan 125
 name FW1_DMZ_10.1.250.0-24
!
vlan 192
 name SW1_SW2_SIMULATED_INTERNET_XCONN
!
interface Loopback4222
 ip address 4.2.2.2 255.255.255.255
!
interface range FastEthernet0/1 - 24
 shutdown
!
interface FastEthernet0/1
 switchport access vlan 11
 switchport mode access
 spanning-tree portfast
 no shutdown
!
interface FastEthernet0/2
 switchport access vlan 22
 switchport mode access
 spanning-tree portfast
 no shutdown
!
interface FastEthernet0/3
 switchport access vlan 125
 switchport mode access
 spanning-tree portfast
 no shutdown
!
interface FastEthernet0/13
 description Link to FW1 Ethernet0/0 (OUTSIDE)
 no switchport
 ip address 198.51.100.38 255.255.255.252
 no shutdown
!
interface FastEthernet0/14
 description Link to FW1 Ethernet0/1 (INSIDE)
 switchport access vlan 11
 switchport mode access
 spanning-tree portfast
 no shutdown
!
interface FastEthernet0/15
 description Link to FW1 Ethernet0/2 (DMZ)
 switchport access vlan 125
 switchport mode access
 spanning-tree portfast
 no shutdown
!
interface FastEthernet0/24
 description L2 Trunk Link to SW2 FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 description STUBLAB RADIUS AND TACACS SERVER (IP: 10.1.1.25/24)
 switchport access vlan 11
 switchport mode access
 no cdp enable
 spanning-tree portfast
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan192
 description SW1-SW2 CROSS-CONNECT
 ip address 192.0.2.185 255.255.255.252
!
router eigrp 10
 network 0.0.0.0
 passive-interface default
 no passive-interface Vlan192
!
banner login ^
############################################
#  SW1 - CCNA Security Workbook Section 7  #
#  NOTICE:  This Switch is Preconfigured   #
############################################
^
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
line vty 5 15
!
end

Before you Start

This lab requires that you have access to a Cisco ASA. You can complete this lab using a virtual Cisco ASA within GNS3 or you can reserve free lab time on the Stub Lab to have access to a pair of Cisco ASA 5510 Series Firewalls which can be used to complete this lab.

Lab Objectives

In this lab you will complete the following objectives.

On FW1 define the STUBLAB_RADIUS server group using the RADIUS protocol
On FW1 define the RADIUS Server host 10.1.1.25 using the passkey of CISCO123 and the authentication port of 1812.
Configure FW1’s SSH AAA authentication list to default to STUBLAB_RADIUS and fail back to local authentication if the radius servers go down.
Verify the radius configuration using R1 to SSH to FW1’s inside interface 10.1.1.1 using the username of “radius.stublab” and password of “Stublab123”
On FW1 define the STUBLAB_TACACS server group using the TACACS+ protocol
On FW1 define the TACACS+ Server host 10.1.1.26 using the passkey of CISCO123
Modify FW1’s SSHA AAA Authentication list to authenticate login request to STUBLAB_TACACS and fail back to local if STUBLAB_TACACS fails.
Verify the TACACS configuration using R1 to SSH to FW1’s inside itnerface 10.1.1.1 using the username of “tacacs.stublab” and the password “Stublab123”

One More Thing…

It is recommended that you attempt to complete these lab objectives the first time without looking at the Lab Instruction section.

If you are a student preparing for the Cisco CCNA Security Certification Exam than you are more likely to remember how to complete these objectives if you attempt to complete them the first time on your own with the use of the core knowledge section found in this lab. You should only resort to the Lab Instruction section to verify your work.

Lab Instruction

Objective 1. – On FW1 define the STUBLAB_RADIUS server group using the RADIUS protocol

FW1# config term
FW1(config)# aaa-server STUBLAB_RADIUS protocol radius
FW1(config-aaa-server-group)#

Objective 2. – On FW1 define the RADIUS Server host 10.1.1.25 using the passkey of CISCO123 and the authentication port of 1812.

FW1(config-aaa-server-group)# aaa-server STUBLAB_RADIUS (INSIDE) host 10.1.1.25 CISCO123
FW1(config-aaa-server-host)# authentication-port 1812
FW1(config-aaa-server-host)# exit
FW1(config)#

Objective 3. – Configure FW1’s SSH AAA authentication list to default to STUBLAB_RADIUS and fail back to local authentication if the radius servers go down.

FW1(config)# aaa authentication ssh console STUBLAB_RADIUS LOCAL
FW1(config)# end
FW1#

Objective 4. – Verify the radius configuration using R1 to SSH to FW1’s inside interface 10.1.1.1 using the username of “radius.stublab” and password of “Stublab123”

R1#ssh -l radius.stublab 10.1.1.1
####################################
#  UNAUTHORIZED ACCESS PROHIBITED  #
####################################

Password: 
#####################################################
#  CONTACT JOHN PRIOR TO MAKING ANY CONFIG CHANGES  #
#####################################################
Type help or '?' for a list of available commands.
FW1> exit
[Connection to 10.1.1.1 closed by foreign host]
R1#

Objective 5. – On FW1 define the STUBLAB_TACACS server group using the TACACS+ protocol

FW1# config term
FW1(config)# aaa-server STUBLAB_TACACS protocol tacacs+
FW1(config-aaa-server-group)#

Objective 6. – On FW1 define the TACACS+ Server host 10.1.1.26 using the passkey of CISCO123

FW1(config-aaa-server-group)# aaa-server STUBLAB_TACACS (INSIDE) host 10.1.1.26 CISCO123
FW1(config-aaa-server-host)# exit
FW1(config)#

Objective 7. – Modify FW1’s SSHA AAA Authentication list to authenticate login request to STUBLAB_TACACS and fail back to local if STUBLAB_TACACS fails.

FW1(config)# no aaa authentication ssh console STUBLAB_RADIUS LOCAL
FW1(config)# aaa authentication ssh console STUBLAB_TACACS LOCAL
FW1(config)# end
FW1#

Objective 8. – Verify the TACACS configuration using R1 to SSH to FW1’s inside itnerface 10.1.1.1 using the username of “tacacs.stublab” and the password “Stublab123”

R1#ssh -l tacacs.stublab 10.1.1.1
####################################
#  UNAUTHORIZED ACCESS PROHIBITED  #
####################################

Password: 
#####################################################
#  CONTACT JOHN PRIOR TO MAKING ANY CONFIG CHANGES  #
#####################################################
Type help or '?' for a list of available commands.
FW1> exit
[Connection to 10.1.1.1 closed by foreign host]
R1#

Configuring RADIUS and TACACS+ on the Cisco ASA