beef410's version from 2018-04-13 23:06


Question | Answer
AAA | Authentication, Authorization, Accounting (in that order: who you are, what you may do, what you did)
Authentication | Verifying who a user is (checking credentials) before any access to network resources is granted
Local deployment | Uses the switch's own username/password database (`username` commands) instead of an external AAA server
TACACS+ | Cisco's AAA protocol; runs over TCP port 49
RADIUS | Open-standard AAA protocol (RFC 2865/2866); runs over UDP, ports 1812/1813 (legacy 1645/1646)
Initial client-server packet | TACACS+ encrypts the entire packet body (only the 12-byte header is cleartext); RADIUS encrypts only the password field of the Access-Request, so the username, NAS address and other attributes travel in the clear. In both protocols the "encryption" is an MD5-based keystream derived from the shared secret, so the secret's strength is what you are relying on.
How AAA is handled | TACACS+ runs each 'A' as a separate exchange; RADIUS combines authentication and authorization in one reply. This means TACACS+ can use a different type of authentication (even a different server) while still providing authorization and accounting
Authorization level | Can be granularly controlled by TACACS+ (per-command authorization); not by RADIUS
(config)# aaa authentication login {default | list-name} method1 [method2 ...] | Turns on login authentication, either for the default list or for a named list you apply to lines. Methods are tried in the order listed, e.g. group tacacs+ group radius local. A list holds at most four methods.

AAA Logic

Question | Answer
Attempts | AAA tries the methods in order, moving to the next one only if the current method errors or times out (server unreachable, no reply). If a method returns FAIL (an explicit reject), authentication stops there and access is denied; later methods are not consulted.


Question | Answer
(config)# aaa new-model | Turns on AAA
(config)# tacacs server <name> | Defines a TACACS+ server and drops you into (config-server-tacacs)# mode
(config-server-tacacs)# key [0 | 7] <string> | Shared secret. 0 = typed in cleartext, 7 = typed already in Cisco type-7 form. Type 7 is reversible obfuscation, not encryption: anyone who can read the config can recover the key.
(config-server-tacacs)# address {ipv4 | ipv6} <addr> | Sets the IP of the TACACS+ server
(config)# service password-encryption | Converts keys that were entered in cleartext to type-7 form in the running config. Still reversible; for a key that is actually protected, use type 6 (AES) via key config-key password-encrypt plus password encryption aes on releases that support it.


Question | Answer
(config)# radius server <name> | Defines a RADIUS server instance and drops you into (config-radius-server)# mode
(config-radius-server)# key [0 | 7] <string> | Shared secret, same rules (and same type-7 caveat) as for TACACS+
(config-radius-server)# address {ipv4 | ipv6} <addr> [auth-port <port>] [acct-port <port>] | Address of the RADIUS server, optionally with non-default ports
Defaults | Uses one authentication port (UDP 1812) and one accounting port (UDP 1813) unless overridden; older servers may still listen on 1645/1646


Question | Answer
Server already exists | Check for older AAA config (e.g. the legacy tacacs-server host / radius-server host commands) that already uses the same server IP
'none' placement | When listing authentication methods, 'none' belongs at the end, if anywhere. If it is listed first, authentication is effectively disabled: everyone gets in without credentials.
Authentication methods | Make sure every method in the list is valid and actually set up (server defined, key matches, local usernames exist)
(config)# aaa new-model | Check this first, always. Without it the aaa commands are not accepted at all.
No authorization options for dot1x | If the option is missing, the IOS release is typically using the old dot1x command set (dot1x port-control instead of authentication port-control)

Telnet refresh

Question | Answer
(config-line)# password <word> | Step 1: line password. Only used when the line falls back to line authentication; a telnet password crosses the wire in cleartext, so prefer SSH (transport input ssh)
(config-line)# privilege level 15 | Step 2: users on this line land directly in privileged EXEC mode (level 15) instead of user EXEC
(config-line)# login | Enables line password checking. With aaa new-model enabled a bare login is rejected; you must use login authentication instead
(config-line)# login authentication {default | list-name} | Applies an authentication method list (built with aaa authentication login) to the line. The methods live in the list, not on the line.

Authorization and Accounting

Question | Answer
Why 'none' | Fallback for the event where every other authentication method errors or times out: you are let into the switch anyway. It fails open, so typically only for lab use; in production fall back to local instead, which fails closed to a known account.
Authorization | Authentication decides who gets in, authorization decides what they can do
(config)# aaa authorization {exec | commands <level> | network | ...} {default | list-name} method1 [method2 ...] | Set up in the same manner as authentication lists: exec authorization for the shell (the server returns the privilege level) and per-level command authorization for individual commands
Accounting | Tracks who did what and for how long (aaa accounting exec / commands / network ... start-stop group ...); think auditing, or billing individual departments for usage
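The TACACS+ and RADIUS server definitions, the login method list, the vty line and the authorization/accounting lists from the cards above, pulled together as one complete IOS configuration. This is an added example, not one of the original cards; the server names, addresses, shared secrets, group names and local account are made up.

```cisco
! Added example configuration (not from the original cards). Names,
! addresses and keys are made up; adjust to your environment.
aaa new-model
!
! TACACS+ server for device administration. The key is typed with "0"
! (cleartext); it is stored as type 7 once service password-encryption is on.
tacacs server TAC-1
 address ipv4 10.0.0.10
 key 0 Tac-Shared-Secret-1
 timeout 5
!
aaa group server tacacs+ TAC-ADMIN
 server name TAC-1
!
! RADIUS server with the standard ports spelled out (they are the defaults).
radius server RAD-1
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key 0 Rad-Shared-Secret-1
!
aaa group server radius RAD-NET
 server name RAD-1
!
! Type 7 is reversible. On releases that support it, set a master key and
! convert stored keys to type 6 (AES); service password-encryption alone
! only obfuscates.
key config-key password-encrypt MasterKeyForType6
password encryption aes
service password-encryption
!
! Local account used only when every server in the group errors/times out.
username admin privilege 15 secret Local-Fallback-Passw0rd
enable secret Enable-Passw0rd
!
! Authentication: TACACS+ group first, then the local database.
! WEAK (lab only):  aaa authentication login default group TAC-ADMIN none
! 'none' fails open when the servers are unreachable; 'local' fails closed
! to a known account. Never list 'none' first: that disables authentication.
aaa authentication login default group TAC-ADMIN local
aaa authentication login CONSOLE local
!
! Authorization: EXEC shell (server returns priv-lvl) and level-15 commands,
! checked per command by TACACS+, which RADIUS cannot do.
aaa authorization exec default group TAC-ADMIN local
aaa authorization commands 15 default group TAC-ADMIN local
!
! Accounting: session start/stop and every level-15 command go to TACACS+.
aaa accounting exec default start-stop group TAC-ADMIN
aaa accounting commands 15 default start-stop group TAC-ADMIN
!
! Lines. With aaa new-model a bare "login" is rejected; apply a list.
line con 0
 login authentication CONSOLE
line vty 0 4
 transport input ssh
 login authentication default
```

To check the result before logging out of your working session: `test aaa group TAC-ADMIN admin <password> legacy` exercises the server path, `show aaa servers` and `show tacacs` show reachability counters, and `debug aaa authentication` shows which method in the list answered. Keep the console on the local-only list so a server outage cannot lock you out.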

Dot1x-Based Authentication

Question | Answer
Port Security | Both are port-based security features; that's about it. Port security filters on source MAC address, 802.1X authenticates the host's credentials.
RADIUS | Requires a RADIUS server that supports Extensible Authentication Protocol (EAP). Both host and server must have 802.1X/EAP enabled.
Authenticator | The switch. Middle man: the supplicant and the authentication server each talk to it, and it relays the EAP messages between them (EAPOL toward the host, RADIUS toward the server)
Supplicant Unauthorized | Until authentication succeeds the port passes only EAPOL, STP and CDP frames
Authentication Server | The RADIUS server
Supplicant | The host asking to be authenticated
Pre-reqs | aaa new-model, plus a RADIUS server with its address and key, must be defined
(config)# aaa authentication dot1x default group radius | Defines the 802.1X authentication method list; RADIUS is the only usable method
Auto | Enables 802.1X on the port; the port attempts authentication and is authorized only on success
Force-Authorized | Default; effectively disables 802.1X. The port is fully authorized without any authentication
Force-Unauthorized | The port is never authorized; all traffic from the host is dropped regardless of credentials

Dot1x Configuration

Question | Answer
(config)# aaa new-model | 1
(config)# radius server <name> | 2
(config-radius-server)# address {ipv4 | ipv6} <addr> | 3
(config-radius-server)# key <string> | 4
(config)# aaa authentication dot1x default group radius | 5. RADIUS is the only option for dot1x
(config)# dot1x system-auth-control | 6. Enables 802.1X globally; the interface commands do nothing without it
(config-if)# switchport mode access | 7. The port facing the supplicant must be an explicit access port; the authentication option won't show otherwise
(config-if)# authentication port-control {auto | force-unauthorized | force-authorized} | 8. Enables 802.1X on the port and sets its mode. On newer IOS the interface also needs dot1x pae authenticator for the port to act as authenticator.
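The eight configuration steps above as one complete, runnable IOS configuration, with an edge port in auto mode, a parked port in force-unauthorized, and the uplink left at the force-authorized default. This is an added example, not one of the original cards; the server name, address, shared secret, VLAN and interface numbers are made up.

```cisco
! Added example (not from the original cards): complete 802.1X port
! configuration. Server name, address, key and interface numbers are made up.
aaa new-model
!
radius server RAD-1
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key 0 Rad-Shared-Secret-1
!
aaa group server radius RAD-NET
 server name RAD-1
!
! 802.1X method list: RADIUS is the only option. Network authorization is
! needed only if the server returns VLAN or ACL attributes for the session;
! dot1x accounting gives the server session start/stop records.
aaa authentication dot1x default group RAD-NET
aaa authorization network default group RAD-NET
aaa accounting dot1x default start-stop group RAD-NET
!
! Global enable; without this the interface settings below are inert.
dot1x system-auth-control
!
! User-facing edge port: explicit access port first, then port-control.
! Until the host authenticates only EAPOL, STP and CDP get through.
interface GigabitEthernet1/0/10
 description user edge port, 802.1X enforced
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 dot1x pae authenticator
!
! Unused port: force-unauthorized drops all host traffic no matter what
! credentials are offered (shutdown is the simpler equivalent).
interface GigabitEthernet1/0/24
 description unused, parked
 switchport mode access
 authentication port-control force-unauthorized
!
! Uplink: trunk ports are not supplicant-facing and stay at the
! force-authorized default; never run 802.1X toward another switch here.
interface GigabitEthernet1/0/48
 description uplink to distribution
 switchport mode trunk
```

Verify with `show dot1x all` (confirms system-auth-control and the per-port mode), `show authentication sessions interface GigabitEthernet1/0/10` (current state of the host on the port) and `show dot1x interface GigabitEthernet1/0/10 details`. If the port stays unauthorized, check the supplicant first, then the RADIUS shared secret: a key mismatch shows up as dropped or rejected requests on the server, not as an error on the switch.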