A brand new Cisco router or switch has only console access enabled, so by default you can log in to the console over a rollover cable without any password.
Before we start with authentication and authorization, let's quickly recall the background. Cisco IOS CLI has the following two base command modes:
- User EXEC mode – Router> (angle bracket sign)
- Privileged EXEC mode (enable mode) – Router# (pound sign)
We will configure AAA features on R1 and then telnet from R2 to R1 to test the impact on the authentication and authorization process for the Console, VTY and AUX lines. First we have to enable the AAA access control system with aaa new-model (the "new" system; btw, I haven't seen the old one yet :)).
R1 con0 is now available
Press RETURN to get started.
R1#en
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#aaa new-model
R1(config)#
From the console perspective there is no change: still no authentication or authorization, you just press Enter twice, as long as no enable secret is defined. For the VTY and AUX lines, local authentication (based on the router's local username database) is now enabled for privilege level 1. A username and password need to be defined on the router, and an enable secret is needed to reach level 15; if it is not defined, the "% Error in authentication." message will be displayed.
OK, so let's add the lines below on R1 and look at what is going on once we telnet from R2:
R1(config)#username netcontractor privilege 15 secret netcontractor
R1(config)#enable secret netcontractor
R1#debug aaa authentication
R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open
User Access Verification
Username:
R1#
*Mar 1 02:35:50.723: AAA/BIND(0000002A): Bind i/f
*Mar 1 02:35:50.731: AAA/AUTHEN/LOGIN (0000002A): Pick method list 'Permanent Local'
The router takes 'Permanent Local', the default method list that was enabled once we entered the aaa new-model command.
Username: netcontractor
Password:
R1>en
Password:
After entering the enable command we are prompted for the enable password; below is the output from R1 after pressing Enter.
R1#
*Mar 1 02:35:59.911: AAA: parse name=tty66 idb type=-1 tty=-1
*Mar 1 02:35:59.915: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
*Mar 1 02:35:59.919: AAA/MEMORY: create_user (0x647AD6E0) user='netcontractor' ruser='NULL' ds0=0 port='tty66' rem_addr='10.0.0.2' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 02:35:59.923: AAA/AUTHEN/START (2046019537): port='tty66' list='' action=LOGIN service=ENABLE
*Mar 1 02:35:59.927: AAA/AUTHEN/START (2046019537): non-console enable - default to enable password
*Mar 1 02:35:59.927: AAA/AUTHEN/START (2046019537): Method=ENABLE
*Mar 1 02:35:59.931: AAA/AUTHEN(2046019537): Status=GETPASS
The router starts the authentication process for user netcontractor using the default method, the enable password (Method=ENABLE). The default is taken because no aaa authentication enable command has been defined. Next the router sends a GETPASS request to prompt for the password.
Enable password: netcontractor, press Enter.
Password:
R1#
R1#
The router takes the entered password for the enable method and confirms with a PASS response to indicate a successful login.
*Mar 1 02:36:10.855: AAA/AUTHEN/CONT (2046019537): continue_login (user='(undef)')
*Mar 1 02:36:10.859: AAA/AUTHEN(2046019537): Status=GETPASS
*Mar 1 02:36:10.859: AAA/AUTHEN/CONT (2046019537): Method=ENABLE
*Mar 1 02:36:10.955: AAA/AUTHEN(2046019537): Status=PASS
*Mar 1 02:36:10.955: AAA/MEMORY: free_user (0x647AD6E0) user='NULL' ruser='NULL' port='tty66' rem_addr='10.0.0.2' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
Once we add the following to R1:
R1(config)#aaa authentication enable default none
then after username and password authentication no Password prompt is sent by R1:
R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open
User Access Verification
Username: netcontractor
Password:
R1>en
R1#
The router uses the defined default list with the NONE method, so once the user enters the enable command they are taken straight to privilege level 15.
R1#
*Mar 1 03:05:10.447: AAA/BIND(0000002E): Bind i/f
*Mar 1 03:05:10.459: AAA/AUTHEN/LOGIN (0000002E): Pick method list 'Permanent Local'
R1#
*Mar 1 03:05:20.695: AAA: parse name=tty66 idb type=-1 tty=-1
*Mar 1 03:05:20.695: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
*Mar 1 03:05:20.699: AAA/MEMORY: create_user (0x647AD6E0) user='netcontractor' ruser='NULL' ds0=0 port='tty66' rem_addr='10.0.0.2' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 03:05:20.703: AAA/AUTHEN/START (1933181644): port='tty66' list='' action=LOGIN service=ENABLE
*Mar 1 03:05:20.707: AAA/AUTHEN/START (1933181644): using "default" list
*Mar 1 03:05:20.711: AAA/AUTHEN/START (1933181644): Method=NONE
*Mar 1 03:05:20.711: AAA/AUTHEN(1933181644): Status=PASS
R1#
*Mar 1 03:05:20.711: AAA/MEMORY: free_user (0x647AD6E0) user='netcontractor' ruser='NULL' port='tty66' rem_addr='10.0.0.2' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
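To make the difference between the two debug sessions above (Method=ENABLE with a GETPASS, versus Method=NONE passing straight away) easy to spot in a longer debug capture, here is a small parser. It is an added example, not part of the original post or of Cisco IOS; the sample lines are constructed after the debug output shown above, and the function names parse_authen_sessions and find_passwordless_enable are my own.

```python
"""Parse 'debug aaa authentication' output into per-session records.

Added example (not from the original post). The sample below is
constructed to mirror the R1 debug lines shown earlier.
"""
import re
from typing import Dict, List

# Constructed sample: one enable session that asked for a password
# (Method=ENABLE) and one that passed without one (Method=NONE).
SAMPLE_DEBUG = """\
*Mar 1 02:35:59.923: AAA/AUTHEN/START (2046019537): port='tty66' list='' action=LOGIN service=ENABLE
*Mar 1 02:35:59.927: AAA/AUTHEN/START (2046019537): non-console enable - default to enable password
*Mar 1 02:35:59.927: AAA/AUTHEN/START (2046019537): Method=ENABLE
*Mar 1 02:35:59.931: AAA/AUTHEN(2046019537): Status=GETPASS
*Mar 1 02:36:10.859: AAA/AUTHEN/CONT (2046019537): Method=ENABLE
*Mar 1 02:36:10.955: AAA/AUTHEN(2046019537): Status=PASS
*Mar 1 03:05:20.703: AAA/AUTHEN/START (1933181644): port='tty66' list='' action=LOGIN service=ENABLE
*Mar 1 03:05:20.707: AAA/AUTHEN/START (1933181644): using "default" list
*Mar 1 03:05:20.711: AAA/AUTHEN/START (1933181644): Method=NONE
*Mar 1 03:05:20.711: AAA/AUTHEN(1933181644): Status=PASS
"""

# The numeric id in parentheses ties the START, CONT and Status lines together.
START_RE = re.compile(
    r"AAA/AUTHEN/START \((\d+)\): port='([^']*)' list='([^']*)' action=(\S+) service=(\S+)"
)
METHOD_RE = re.compile(r"AAA/AUTHEN/(?:START|CONT) \((\d+)\): Method=(\S+)")
STATUS_RE = re.compile(r"AAA/AUTHEN\((\d+)\): Status=(\S+)")


def _new_session() -> Dict:
    return {"port": None, "list": None, "action": None,
            "service": None, "method": None, "statuses": []}


def parse_authen_sessions(text: str) -> Dict[str, Dict]:
    """Return {session_id: record} built from the debug lines in `text`."""
    sessions: Dict[str, Dict] = {}
    for line in text.splitlines():
        m = START_RE.search(line)
        if m:
            sid, port, lst, action, service = m.groups()
            rec = sessions.setdefault(sid, _new_session())
            rec.update(port=port, list=lst or "(empty -> default)",
                       action=action, service=service)
            continue
        m = METHOD_RE.search(line)
        if m:
            sid, method = m.groups()
            sessions.setdefault(sid, _new_session())["method"] = method
            continue
        m = STATUS_RE.search(line)
        if m:
            sid, status = m.groups()
            sessions.setdefault(sid, _new_session())["statuses"].append(status)
    return sessions


def find_passwordless_enable(sessions: Dict[str, Dict]) -> List[str]:
    """Ids of ENABLE sessions that reached PASS via Method=NONE with no GETPASS.

    These correspond to 'aaa authentication enable default none': the user
    is moved to level 15 without ever being asked for the enable secret.
    """
    return sorted(
        sid for sid, s in sessions.items()
        if s["service"] == "ENABLE"
        and s["method"] == "NONE"
        and s["statuses"][-1:] == ["PASS"]
        and "GETPASS" not in s["statuses"]
    )


if __name__ == "__main__":
    sessions = parse_authen_sessions(SAMPLE_DEBUG)
    for sid, rec in sessions.items():
        print(sid, rec["service"], rec["method"], "->", "/".join(rec["statuses"]))
    print("passwordless enable sessions:", find_passwordless_enable(sessions))
```

Run against a real capture, the session id list returned by find_passwordless_enable is the quickest way to confirm whether a router is really prompting for the enable secret on non-console lines or silently handing out level 15.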
If we want to authenticate and authorize access to the console (as I have mentioned, console means a connection over serial, the rollover cable) we have to enable authentication for line con 0 explicitly, not just enter aaa new-model (local authentication after the aaa new-model command works for all lines besides the console line 0 = CTY). The commands below are enough to place the user at level 15 once they enter username and password.
R1(config)#aaa authentication login default local
R1(config)#aaa authorization console
What about authorization on the VTY lines? We want authorization for the user, so that once we log on over the VTY lines (telnet or ssh) to the router with username and password we are placed in privileged EXEC mode, level 15, automatically. The solution is simple: we have to configure exec authorization with the local method, just one line.
R1(config)#aaa authorization exec default local
R1#debug aaa authorization
AAA Authorization debugging is on
Once we log on and enter username and password, the router takes the default authorization list with the local method, and the user is placed on the respective privilege level based on the username netcontractor privilege command.
R1#
*Mar 1 03:22:49.691: AAA/AUTHOR (0x30): Pick method list 'default'
*Mar 1 03:22:49.707: AAA/AUTHOR/EXEC(00000030): processing AV cmd=
*Mar 1 03:22:49.707: AAA/AUTHOR/EXEC(00000030): processing AV priv-lvl=15
*Mar 1 03:22:49.707: AAA/AUTHOR/EXEC(00000030): Authorization successful
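The post has now shown both the weak setting (aaa authentication enable default none, which hands out level 15 with no password) and the commands that properly authenticate the console and authorize exec on the VTY lines. Below is an added example, not from the original post and not a Cisco tool, that audits a running-config text for exactly those points. The two config fragments are constructed (the secret hashes are placeholders), and the function audit_aaa is my own name; it assumes the config is pasted in as plain text, as show running-config would print it.

```python
"""Audit an IOS running-config for the AAA settings discussed in the post.

Added example (not from the original post). Both configs are constructed;
the '5 $1$PLACEHOLDER' hashes are placeholders, not real secrets.
"""
import re
from typing import List

# Constructed: aaa new-model plus 'enable default none', nothing else.
WEAK_CONFIG = """\
hostname R1
aaa new-model
aaa authentication enable default none
username netcontractor privilege 15 secret 5 $1$PLACEHOLDER
line con 0
line vty 0 4
 transport input telnet
"""

# Constructed: the commands from the post plus an enable secret and SSH-only VTYs.
HARDENED_CONFIG = """\
hostname R1
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default local
username netcontractor privilege 15 secret 5 $1$PLACEHOLDER
enable secret 5 $1$PLACEHOLDER
line con 0
line vty 0 4
 transport input ssh
"""


def audit_aaa(config: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    lines = [ln.rstrip() for ln in config.splitlines()]

    def has(pattern: str) -> bool:
        # Anchored at the start of each line, so 'line con 0' cannot
        # accidentally match a pattern meant for a global command.
        return any(re.match(pattern, ln) for ln in lines)

    findings: List[str] = []
    if not has(r"aaa new-model$"):
        findings.append("aaa new-model missing: the AAA commands below are not active")
        return findings
    if not has(r"aaa authentication login \S+ .*\blocal\b"):
        findings.append("no 'aaa authentication login ... local': console line 0 "
                        "is still not authenticated")
    if has(r"aaa authentication enable \S+ none$"):
        findings.append("'aaa authentication enable ... none': enable grants "
                        "level 15 without any password")
    if not has(r"enable secret "):
        findings.append("enable secret not set: with the default ENABLE method, "
                        "non-console enable fails with '% Error in authentication.'")
    if not has(r"aaa authorization console$"):
        findings.append("'aaa authorization console' missing: console exec is "
                        "not authorized")
    if not has(r"aaa authorization exec \S+ .*\blocal\b"):
        findings.append("no 'aaa authorization exec ... local': VTY users land "
                        "at level 1 and must use enable")
    if has(r"\s+transport input (telnet|all)$"):
        findings.append("VTY transport allows telnet: credentials cross the "
                        "network in cleartext")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_aaa(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

The checks are deliberately line-anchored regexes rather than a full IOS parser; that is enough for the global aaa commands, which always start at column 0, and for the indented transport line under the VTY section.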
The above are basic but very important points for understanding AAA.