Authentication, Authorization, and Accounting (AAA) is the framework that controls login security on routers and switches. Many people who deploy it do not fully understand the commands they put into the configuration; they copy a working AAA block from another device and move on. It is worth understanding what each command does, whether you need it at all, and, just as important, how each one behaves when the TACACS+ server cannot be reached. In this article we walk through a best-practice AAA configuration line by line.
If you work in an environment that uses AAA, you most likely have a TACACS+ server (for example Cisco ACS) handling logins to your devices. TACACS+ is the protocol the router uses to talk to that server; AAA is the framework on the router that decides who may log in (Authentication), what they may do once logged in (Authorization), and records what they did (Accounting).
I recently collaborated with Cisco to establish the best practices for configuring AAA on a router. Here is what we came up with:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Some router configurations may seem more intimidating than others, and AAA is definitely one of them. But don't worry, we'll break it down and you'll see that it's not as difficult as it seems.
So let's take a look at each line one by one...
aaa new-model
This line enables the AAA framework; none of the lines below take effect without it. Two cautions. First, the moment you enter it, the default login method applies to every line, including the console and all vty lines, so create a local user (and set an enable secret) before this command and keep your current session open until you have verified that a second login works. Second, every remaining command is a method list: it names a service (login, enable, exec, commands at a privilege level), then the methods to try, in order. Keep that "in order" in mind, because it is what the fallback behaviour hangs on.
aaa authentication login default group tacacs+ local
Here we define the default method list for login authentication with two methods: group tacacs+ (the configured TACACS+ servers) first, then local (the username database on the router). The fallback to local happens only when TACACS+ does not answer, that is, when every server in the group is unreachable or times out. If a TACACS+ server answers and rejects the credentials, that rejection is final and the local database is never consulted. This is why a local user must exist on every device: without one, a TACACS+ outage locks you out.
aaa authentication enable default group tacacs+ enable
For enable mode authentication we again use group tacacs+ first, with the enable secret as the fallback (notice the last keyword is enable, not local). Local usernames are not needed here because a locally defined user carries its own privilege level; a user created with privilege 15 lands in enable mode directly through exec authorization (below) and never has to type the enable password. If TACACS+ is unreachable, the enable secret configured on the router is accepted, so make sure one is set.
aaa authorization config-commands
This line makes configuration-mode commands subject to command authorization, not just EXEC commands. It is the default once command authorization is configured (the disabling form is no aaa authorization config-commands), so keeping it explicit documents the intent and makes it obvious if someone has turned it off. With it in place, every configuration command is checked against TACACS+ through the commands 15 list below.
aaa authorization exec default group tacacs+ local if-authenticated
Exec authorization runs once, right after a successful login, and decides whether the user gets an EXEC shell at all and at what privilege level; the TACACS+ server returns the level, so a level-15 user is dropped into enable mode immediately. The methods are tried in order: TACACS+, then the local database, then if-authenticated. That last keyword is a method in its own right: it succeeds for any user who has already authenticated. Its purpose is to keep you from being locked out of a shell when the TACACS+ servers cannot be reached, but it is permissive (it grants the shell with no per-user policy), so it belongs last in the list, never first.
aaa authorization commands 1 default group tacacs+ if-authenticated
As a best practice, Cisco recommends configuring command authorization for each privilege level in use on the device. This line covers level 1, the non-enable (user EXEC) level: every command a level-1 user types is sent to TACACS+ for approval before it runs. There is no local method here, so the only fallback is if-authenticated: if TACACS+ is unreachable, an authenticated user's level-1 commands are permitted; if TACACS+ answers and denies the command, it is blocked.
aaa authorization commands 15 default group tacacs+ local if-authenticated
This is the same check for level 15 (privileged EXEC). Each command is authorized against TACACS+; if the servers are unreachable the local method is tried, and if-authenticated is the final fallback so an administrator is not left unable to work during a TACACS+ outage. Note that command authorization does not put the user into enable mode; that is exec authorization's job. This line decides, command by command, what the user may run once there.
aaa accounting exec default start-stop group tacacs+
Exec accounting records the start and end of each EXEC session and sends it to TACACS+: who logged in, from where, when, and when they logged out. The command accounting lines below add a record per command. Privilege levels range from 1 to 15, with 15 being the highest. Some organizations use intermediate levels, for example level 1 for a help desk and level 15 for network administrators; each level in use should have its own command authorization and accounting lines so that privileged commands are always attributable to a person.
aaa accounting commands 1 default start-stop group tacacs+
This one is optional in terms of best practice, but it records every command a level-1 user runs, so you have a trail even for users who only logged in and never entered exec/enable mode.
aaa accounting commands 15 default start-stop group tacacs+
This command records every command run by administrators or other users at privilege level 15, which is the trail you will want when something on the device has changed.
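To make the fallback behaviour described above concrete, here is an added example (my own Python, not Cisco tooling and not part of the original walkthrough). It parses the AAA lines into method lists, models how IOS walks a list (only a method that cannot answer, such as an unreachable TACACS+ group, moves on to the next method; a rejection is final), and lints a configuration for the pitfalls discussed: no local fallback on login, a local fallback with no privilege-15 user, an enable fallback with no enable secret, a none method, and command authorization without matching accounting. The sample configuration is constructed from the ten lines above plus the username and enable secret they depend on; the username and secret values are placeholders.

```python
"""Parse Cisco IOS AAA method lists, model their fallback order, and lint them.

Added example for this article; not Cisco code. SAMPLE_CONFIG is constructed
from the article's ten AAA lines plus the local user and enable secret they
rely on (placeholder name and secrets).
"""
from __future__ import annotations

import re

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username netadmin privilege 15 secret Placeholder-0nly
enable secret Placeholder-0nly
"""

# Accounting lists start with a record type, which is not a method.
_RECORD_TYPES = {"start-stop", "stop-only", "none"}


def parse_method_lists(config: str) -> dict[str, list[str]]:
    """Map "<service> <type> [<level>] <list-name>" to its ordered methods.

    "group tacacs+" is kept as a single method; an accounting record type
    (start-stop etc.) is dropped because it selects the record kind, it is
    not something IOS tries.
    """
    lists: dict[str, list[str]] = {}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] != "aaa" or t[1] not in ("authentication", "authorization", "accounting"):
            continue
        # "commands" lists carry a privilege level before the list name.
        key, rest = (t[1:5], t[5:]) if t[2] == "commands" else (t[1:4], t[4:])
        if not rest:
            continue
        methods: list[str] = []
        i = 0
        while i < len(rest):
            if rest[i] == "group" and i + 1 < len(rest):
                methods.append(f"group {rest[i + 1]}")
                i += 2
            elif t[1] == "accounting" and i == 0 and rest[i] in _RECORD_TYPES:
                i += 1
            else:
                methods.append(rest[i])
                i += 1
        lists[" ".join(key)] = methods
    return lists


def evaluate(methods: list[str], outcomes: dict[str, str], authenticated: bool = False) -> str:
    """Walk a method list the way IOS does and return "pass" or "fail".

    outcomes maps a method to "pass", "fail" or "error"; "error" means the
    method could not answer (TACACS+ servers unreachable, no local user).
    Only "error" advances to the next method. "fail" is final, so a TACACS+
    rejection is never rescued by a local or enable fallback.
    """
    for m in methods:
        if m == "if-authenticated":
            return "pass" if authenticated else "fail"
        if m == "none":
            return "pass"
        result = outcomes.get(m, "error")
        if result != "error":
            return result
    return "fail"  # every method errored: IOS denies


def audit(config: str) -> list[str]:
    """Return human-readable findings for the AAA pitfalls in the article."""
    lines = [l.strip() for l in config.splitlines()]
    lists = parse_method_lists(config)
    findings: list[str] = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: the method lists have no effect")
    login = lists.get("authentication login default", [])
    if "local" not in login:
        findings.append("login default has no local fallback: a TACACS+ outage locks you out")
    elif not any(re.match(r"username \S+ privilege 15 secret ", l) for l in lines):
        findings.append("local fallback configured but no privilege-15 local user with a secret")
    enable = lists.get("authentication enable default", [])
    if "enable" in enable and not any(l.startswith("enable secret") for l in lines):
        findings.append("enable fallback configured but no enable secret is set")
    for key, methods in lists.items():
        if "none" in methods:
            findings.append(f"{key}: method 'none' disables the check entirely")
    for level in ("1", "15"):
        if (f"authorization commands {level} default" in lists
                and f"accounting commands {level} default" not in lists):
            findings.append(f"command authorization at level {level} has no command accounting")
    if "no aaa authorization config-commands" in lines:
        findings.append("configuration-mode commands are exempt from command authorization")
    return findings


if __name__ == "__main__":
    for key, methods in parse_method_lists(SAMPLE_CONFIG).items():
        print(f"{key:35} -> {methods}")
    print("findings:", audit(SAMPLE_CONFIG) or "none")
```

Run it against a config you pulled from a device (only the aaa, username and enable secret lines matter) and the findings list tells you which of the article's rules it breaks. The evaluate function is worth keeping around when arguing about an outage: feeding it `{"group tacacs+": "fail", "local": "pass"}` shows that a wrong password rejected by TACACS+ is not rescued by the local user, while `"error"` for the group is.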
... And that's it! See? Once you go through each line, it's not so difficult. The biggest challenge is understanding the complex Cisco command structure.
I hope this breakdown has helped clarify things a bit.
Until next time — FREAK!