
9800-TACACS

In this post, we will look at the AAA configuration for 9800 device administration. Most of this configuration is common across Cisco IOS/IOS-XE devices, but a 9800 WLC is used as the example here.

Here is some background on the TACACS+ (Terminal Access Controller Access-Control System Plus) protocol. TACACS+ was originally defined in an IETF draft in 1997 and was published as RFC 8907 in 2020. It provides AAA (Authentication, Authorization and Accounting) functionality and is mainly used for device administration.

A TACACS+ packet starts with a 12-byte header whose "type" field defines three kinds of TACACS+ packet (RFC 8907 section 4.1):

TAC_PLUS_AUTHEN (0x01) – Authentication
TAC_PLUS_AUTHOR (0x02) – Authorization
TAC_PLUS_ACCT (0x03) – Accounting


The sequence number of the first packet in a session is 1 and each subsequent packet increments it by one, so the client always sends odd sequence numbers and the TACACS+ server always replies with even ones, starting with 2. The "Session ID" uniquely identifies a session (one authentication, authorization or accounting exchange) and must be derived from a cryptographically strong random number generator (RFC 8907 section 4.1), because the session ID is also an input to the body obfuscation described next.

The body of a TACACS+ packet is normally obfuscated with a shared secret configured on both the client and the TACACS+ server. This is not encryption: RFC 8907 calls it obfuscation, an XOR of the body against an MD5 stream derived from the secret, the session ID, the version and the sequence number. Once you capture TACACS+ traffic, anyone who knows the shared secret can read the cleartext; in Wireshark, enter the key under the TACACS+ protocol preferences to see the decoded body. Protect the key like any other credential and keep the TACACS+ path on a management network rather than across untrusted links.
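
The header layout, sequence-number convention and MD5 obfuscation described above, worked end to end in Python. This is an added example for this post, not code from the original article or from Cisco; the packet it builds is constructed to mirror the login shown later in the capture (user mrn-staff from 192.168.129.102 on tty2), the session ID is a sample value, and the key is the one the post uses.

```python
"""TACACS+ (RFC 8907) header and body obfuscation, worked end to end.
Added example for this post, not code from the original article or from Cisco.
The packet is constructed to mirror the captured login (mrn-staff from
192.168.129.102 on tty2); the session ID is a sample value."""
import hashlib
import secrets
import struct

# Header (RFC 8907 section 4.1): version, type, seq_no, flags, session_id,
# length. 12 bytes, network byte order.
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 0x01, 0x02, 0x03
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent in the clear; never enable this
VERSION_ASCII_LOGIN = 0xC0         # major 0xC, minor 0 (ASCII login)
# Authentication START fixed fields (section 5.1)
TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN = 1, 1, 1


def new_session_id():
    """Session IDs must come from a cryptographically strong RNG (section 4.1)."""
    return secrets.randbits(32)


def pseudo_pad(session_id, key, version, seq_no, length):
    """Section 4.5: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated
    and truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, priv_lvl=1, data=b""):
    """Authentication START body as the NAS sends it for an ASCII login."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def build_packet(ptype, seq_no, session_id, body, key, version=VERSION_ASCII_LOGIN):
    """Prepend the header and obfuscate the body with the shared key."""
    header = struct.pack(HEADER_FMT, version, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(raw, key):
    """Split header and body; de-obfuscate unless the cleartext flag is set.
    With the wrong key the body comes back as random-looking bytes."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, raw[:HEADER_LEN])
    body = raw[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "from_client": seq_no % 2 == 1, "body": body}


def parse_authen_start(body):
    """Decode a START body; the four length bytes must account for every byte."""
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack(
        "!8B", body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        raise ValueError("length fields do not match body")
    user = body[8:8 + ul]
    port = body[8 + ul:8 + ul + pl]
    rem_addr = body[8 + ul + pl:8 + ul + pl + rl]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user.decode(errors="replace"),
            "port": port.decode(errors="replace"),
            "rem_addr": rem_addr.decode(errors="replace"),
            "data": body[8 + ul + pl + rl:]}


def decode_login(raw, key):
    """Parse a captured START with a candidate key; None if it does not decode."""
    try:
        pkt = parse_packet(raw, key)
        if pkt["type"] != TAC_PLUS_AUTHEN or not pkt["from_client"]:
            return None
        return parse_authen_start(pkt["body"])
    except ValueError:
        return None


# Constructed sample: seq_no 1, from the WLC, key from the post, sample session ID.
KEY = b"Vipassana123"
SESSION_ID = 0x4D524E01
START = build_packet(TAC_PLUS_AUTHEN, 1, SESSION_ID,
                     build_authen_start("mrn-staff", "tty2", "192.168.129.102"), KEY)

if __name__ == "__main__":
    print(decode_login(START, KEY))        # user, port, rem_addr, priv_lvl 1
    print(decode_login(START, b"wrong"))   # None (or garbage), never the real user
```

The point to take from running it: the header (type, sequence number, session ID, length) is always readable on the wire, only the body is hidden, and the hiding is exactly as strong as the secrecy of the key. A wrong key does not produce an error on the wire, just an undecodable body, which is what Wireshark shows as an "encrypted request" until the right key is entered.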

Let's look at the basic AAA commands you require on a 9800 (or any IOS device). First, enable AAA services with the "aaa new-model" command. Before you do, make sure a local user with privilege 15 exists and keep your current session open, so a mistake in the method lists cannot lock you out. Once you add the command, you will see that it removes any "login local" configured under the VTY lines (the VTY lines now use the AAA default login method list instead):

aaa new-model
+aaa session-id common
line vty 0 4
 -login local
line vty 5 15
 -login local

Then define the TACACS+ server with its IP address and shared secret. This key is the same secret that de-obfuscates captured packets, so treat it as a credential.

tacacs server ISE-TAC
 address ipv4 192.168.100.12
 key Vipassana123

Then create a TACACS+ server group and add the previously defined server to it.

C9800-2(config)#aaa group server ?
  ldap     Ldap server-group definition
  radius   Radius server-group definition
  tacacs+  Tacacs+ server-group definition

aaa group server tacacs+ TAC-GRP
 server name ISE-TAC

Then define an authentication method list (TAC-AUTH) that uses the TAC-GRP group you created, falling back to "local" authentication if the AAA server is not reachable. Note that the fallback only happens when TAC-GRP returns an error (no server responds); a reject from ISE is final and is not retried against the local database. To use the list for SSH, apply it under line VTY.

aaa authentication login TAC-AUTH group TAC-GRP local
!
line vty 0 15
 login authentication TAC-AUTH

You can define an authorization method list (TAC-AUTHOR) that uses TAC-GRP and then "local" in case the AAA server is not reachable. EXEC authorization is a special form of command authorization that verifies the user's privileges immediately after login authentication. The trailing "if-authenticated" method means that if neither TACACS+ nor the local database returns a decision, any user who has already authenticated is authorized; that is a fail-open choice, so leave it off if you would rather lose access than run with unverified privileges during an AAA outage.

aaa authorization exec TAC-AUTHOR group TAC-GRP local if-authenticated 
!
line vty 0 15
 authorization exec TAC-AUTHOR

If you want TACACS+ to authorize each CLI command, use the same authorization method list for command authorization. "aaa authorization config-commands" extends this to commands entered in configuration mode (by default only EXEC-mode commands are checked). Keep in mind that this requires the AAA server to evaluate every CLI command you enter on the device, so latency to ISE becomes latency at the prompt.

aaa authorization config-commands
aaa authorization commands 1 TAC-AUTHOR local if-authenticated 
aaa authorization commands 15 TAC-AUTHOR local if-authenticated
!
line vty 0 15
 authorization commands 1 TAC-AUTHOR
 authorization commands 15 TAC-AUTHOR

You can define an accounting method list that uses TAC-GRP. Here we use the "default" method list, as we do not want different accounting based on connection type.

aaa accounting exec default start-stop group TAC-GRP
aaa accounting commands 1 default start-stop group TAC-GRP
aaa accounting commands 15 default start-stop group TAC-GRP

For GUI access to use AAA, apply the lists under HTTP authentication:

ip http authentication aaa login-authentication TAC-AUTH
ip http authentication aaa exec-authorization TAC-AUTHOR

Here is a summary of the CLI configuration described above (for simplicity).

aaa new-model
!
tacacs server ISE-TAC
 address ipv4 192.168.100.12
 key Vipassana123
!
aaa group server tacacs+ TAC-GRP
 server name ISE-TAC
!
aaa authentication login TAC-AUTH group TAC-GRP local
!
aaa authorization exec TAC-AUTHOR group TAC-GRP local if-authenticated
!
aaa accounting exec default start-stop group TAC-GRP
aaa accounting commands 1 default start-stop group TAC-GRP
aaa accounting commands 15 default start-stop group TAC-GRP
!
line vty 0 15
 login authentication TAC-AUTH
 authorization exec TAC-AUTHOR
!
ip http authentication aaa login-authentication TAC-AUTH
ip http authentication aaa exec-authorization TAC-AUTHOR
!
***** If you need Command Authorization ****
aaa authorization config-commands
aaa authorization commands 1 TAC-AUTHOR local if-authenticated 
aaa authorization commands 15 TAC-AUTHOR local if-authenticated
!
line vty 0 15
 authorization commands 1 TAC-AUTHOR
 authorization commands 15 TAC-AUTHOR

If you want the console session to be authenticated and authorized against the AAA server too, apply the same lists under line console 0. You also need to add the "aaa authorization console" command in global configuration, since console EXEC authorization is disabled by default.

aaa authorization console
!
line con 0
 login authentication TAC-AUTH
 authorization exec TAC-AUTHOR

If you prefer a local username for console authentication, you can do something like the following. You need a local user with the required privileges (privilege 15 users land directly at the privileged EXEC prompt, whereas lower-privilege users have to enter the enable password).

username mrn-local privilege 15 secret xxxx 
!
aaa authentication login CON-AUTH local
aaa authorization console
aaa authorization exec CON-AUTHOR local
!
line con 0
 login authentication CON-AUTH
 authorization exec CON-AUTHOR

I have used Cisco ISE as the TACACS+ server; refer to this detailed guide (worth keeping a copy of that document) on how to design ISE for TACACS+ and configure the policy on ISE. The diagram below (taken from the above document) shows the Authentication, Authorization and Accounting packet flow that you should expect.


I have configured "cpi" as an admin user with privilege 15 and "mrn-staff" as a general user, both defined locally on ISE; "mrn-staff" gets privilege level 5 shell access. Let's test the configuration while capturing packets on the 9800 to see what happens with AAA. Below is the TACACS+ authorization policy with the configured TACACS+ profile.


Here is the 9800 packet capture setting (9800 GUI -> Troubleshooting > Packet Capture) you can use to filter TACACS+ communication when accessing the 9800 WLC via SSH. The ACL shown has been defined on the 9800 to select that traffic when taking the PCAP.


With that setting, I captured TACACS+ traffic while the "cpi" and "mrn-staff" users accessed the 9800 via SSH. Here is the PCAP file (tacacs-9800.pcap) for your reference. Enter the shared secret I used (Vipassana123) in Wireshark to see the details of the TACACS+ frame body.


Without the key, Wireshark shows frame number 253 only as an "Encrypted request".


Once decoded you will see the details below: the "mrn-staff" user on 192.168.129.102 is trying to access TTY line 2. Privilege level 1 indicates the user's current privilege level before authorization.


The Authentication START (seq 1), Authentication REPLY (seq 2 or 4) and Authentication CONTINUE (seq 3) frame bodies include the following fields (refer to RFC 8907 for details).


Here are those frame details in the Wireshark capture. You can filter all related packets using the Session ID (right-click and "Apply as Filter", or drag and drop it onto the display-filter area). As you can see, authentication sequences 1 and 3 are sent by the client and sequences 2 and 4 by the ISE server. In sequence 2 the server asks for a password (which the client sends in sequence 3), and in sequence 4 it confirms that authentication has passed.

Then you will see two Authorization (Request/Reply) frames. In the request message you can see "privilege level 1", which was the user's current privilege. In the reply message the user has been given "priv-lvl=5" shell access. Status "PASS_ADD" in the reply indicates that the request has been authorized and that the arguments returned by ISE (here priv-lvl) are added to those the WLC requested.
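
The authorization request and reply bodies discussed here, decoded the way Wireshark presents them once the key has been entered, as an added example that is not part of the original post and not Cisco or ISE code. The bodies are constructed to mirror the capture: mrn-staff requesting an exec shell and receiving priv-lvl=5 with PASS_ADD, and cpi having "configure terminal" authorized (the port for cpi is a sample value); a FAIL reply is included to show how a denied command looks.

```python
"""TACACS+ authorization REQUEST and REPLY bodies (RFC 8907 section 6), decoded
the way Wireshark shows them once the shared key has been entered.
Added example for this post, not code from the original article, Cisco or ISE.
The bodies are constructed to mirror the capture: mrn-staff asks for an exec
shell and is granted priv-lvl=5; cpi has "configure terminal" authorized."""
import struct

# Reply status values (section 6.2)
PASS_ADD, PASS_REPL, FAIL, ERROR, FOLLOW = 0x01, 0x02, 0x10, 0x11, 0x21
STATUS_NAME = {PASS_ADD: "PASS_ADD", PASS_REPL: "PASS_REPL", FAIL: "FAIL",
               ERROR: "ERROR", FOLLOW: "FOLLOW"}
# Request fixed fields (section 6.1): how the user was authenticated
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01


def split_arg(arg):
    """'priv-lvl=5' is mandatory (=), 'cmd*' is optional (*); the first '=' or
    '*' is the separator (section 3.7). Returns (name, mandatory, value)."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], ch == "=", arg[i + 1:]
    raise ValueError(f"argument without separator: {arg!r}")


def _take(body, off, n):
    """Slice n bytes at off, refusing to read past the end of the body."""
    chunk = body[off:off + n]
    if len(chunk) != n:
        raise ValueError("body shorter than its length fields")
    return chunk, off + n


def build_author_request(user, port, rem_addr, priv_lvl, args):
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    fixed = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                        AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(a))
    return fixed + bytes(len(x) for x in a) + u + p + r + b"".join(a)


def parse_author_request(body):
    """priv_lvl is the user's current level: 1 before exec authorization."""
    _, priv_lvl, _, _, ul, pl, rl, argc = struct.unpack("!8B", body[:8])
    arg_lens, off = _take(body, 8, argc)
    user, off = _take(body, off, ul)
    port, off = _take(body, off, pl)
    rem_addr, off = _take(body, off, rl)
    args = []
    for n in arg_lens:
        raw, off = _take(body, off, n)
        args.append(split_arg(raw.decode()))
    if off != len(body):
        raise ValueError("trailing bytes after last argument")
    return {"priv_lvl": priv_lvl, "user": user.decode(), "port": port.decode(),
            "rem_addr": rem_addr.decode(), "args": args}


def build_author_reply(status, args=(), server_msg=""):
    a = [x.encode() for x in args]
    m = server_msg.encode()
    return (struct.pack("!BBHH", status, len(a), len(m), 0)
            + bytes(len(x) for x in a) + m + b"".join(a))


def parse_author_reply(body):
    status, argc, ml, dl = struct.unpack("!BBHH", body[:6])
    arg_lens, off = _take(body, 6, argc)
    server_msg, off = _take(body, off, ml)
    _data, off = _take(body, off, dl)
    args = []
    for n in arg_lens:
        raw, off = _take(body, off, n)
        args.append(split_arg(raw.decode()))
    return {"status": STATUS_NAME.get(status, hex(status)),
            "authorized": status in (PASS_ADD, PASS_REPL),
            "server_msg": server_msg.decode(), "args": args}


def effective_args(request, reply):
    """What the NAS applies after the exchange. PASS_REPL: the reply's args
    replace the request's; PASS_ADD: the request's args stay and the reply's
    are added or override by name (repeated names such as cmd-arg keep the
    last value). None when nothing was authorized."""
    if not reply["authorized"]:
        return None
    merged = {} if reply["status"] == "PASS_REPL" else {n: v for n, _, v in request["args"]}
    merged.update({n: v for n, _, v in reply["args"]})
    return merged


# Constructed exec authorization: the WLC asks for a shell, ISE grants priv-lvl 5.
EXEC_REQ = build_author_request("mrn-staff", "tty2", "192.168.129.102", 1,
                                ["service=shell", "cmd*"])
EXEC_REPLY = build_author_reply(PASS_ADD, ["priv-lvl=5"])
# Constructed command authorization for "configure terminal" by cpi (port is a
# sample value); IOS marks the end of the command line with cmd-arg=<cr>.
CMD_REQ = build_author_request("cpi", "tty2", "192.168.129.102", 15,
                               ["service=shell", "cmd=configure",
                                "cmd-arg=terminal", "cmd-arg=<cr>"])
CMD_REPLY = build_author_reply(PASS_ADD)
DENY_REPLY = build_author_reply(FAIL, server_msg="command not permitted")

if __name__ == "__main__":
    print(effective_args(parse_author_request(EXEC_REQ), parse_author_reply(EXEC_REPLY)))
    print(effective_args(parse_author_request(CMD_REQ), parse_author_reply(DENY_REPLY)))
```

Two things worth noticing when you compare this with the capture: the request carries the user's current privilege level, so the level you see in the reply is what ISE decided, not what the WLC asked for; and the command authorization request carries the whole command line as separate cmd-arg values, which is what the ISE command sets match against.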


Accounting messages follow authorization. You will see accounting messages regularly (note: I kept the WLC GUI open logged in as "rasika", so you can also see accounting messages related to that session).


Here is the second authentication, for the "cpi" user, where you can see the authorization reply (frame #681) granting privilege level 15 shell access.


You can see the "cpi" user issue "configure terminal" and that it is authorized successfully (refer to frames #789 and #791).


Here are a few things I have come across with 9800 AAA. There can be many more 🙂, so if you know of particular things to be aware of, please provide that info as a comment.

1. Managing 9800 with DNAC
For DNAC to properly manage a 9800 over NETCONF, we had to add the following two lines (CSCvy00489) to the AAA config. This is described in the deployment guide as well. If you are using an AAA group as the default method, you may need to modify your 9800 configuration.

aaa authentication login default local 
aaa authorization exec default local

2. 9800 AAA fallback (refer to the 9800 best practice guide)
If you have multiple AAA servers, it is important to configure the dead-criteria and deadtime timers on the 9800 (CSCtl06706). With these commands the Catalyst 9800 marks a non-responsive server as "dead" and moves to the backup server. Note that the commands below are RADIUS-specific; for the TACACS+ server defined earlier, the per-request wait is set with the "timeout" command under "tacacs server" (default 5 seconds), and a method list only falls through to the next server or method once that timeout expires. To configure the RADIUS timers, use the following CLI commands:

radius-server dead-criteria time 5 tries 3
radius-server deadtime 5

If you want to test AAA fallback in a controlled manner, you can apply an ACL that blocks traffic from the AAA server (and permits everything else). On the 9800 WLC you can apply an ACL like the one below inbound on the management SVI; applied inbound it drops ISE's replies, so the WLC's TACACS+ requests time out and the method lists fall through to "local". With our configuration you can then confirm that "local" authentication/authorization is being used when the ISE server is not reachable.

ip access-list extended BLOCK-ISE
 10 deny   ip host 192.168.100.12 any
 20 permit ip any any
!
interface Vlan100
 ip address 192.168.100.20 255.255.255.0
 ip access-group BLOCK-ISE in

Here is a really good post about TACACS on IOS devices by Daniel Dib

AAA Deep Dive on Cisco Devices.

