
Troubleshooting AAA

From the document CCSP SECUR Exam Certification Guide (pages 164-170)

After AAA services are configured, you must test and monitor your configuration. The debug command is a very useful command to troubleshoot and test your AAA configuration. The following debug commands enable you to troubleshoot and test your AAA configuration:

debug aaa authentication

debug aaa authorization

debug aaa accounting

Example 7-5 provides sample output of the debug aaa authentication command. A single EXEC login that uses the default method list and the first method, TACACS+, is displayed. The TACACS+ server sends a GETUSER request to prompt for the username, then a GETPASS request to prompt for the password, and finally a PASS response to indicate a successful login. The number 35149617 is the session ID, which is unique for each authentication. Use this ID number to distinguish different authentications if several are occurring concurrently.

Example 7-5 debug aaa authentication Command Output

Router# debug aaa authentication
2:13:51: AAA/AUTHEN: create_user user='' ruser='' port='tty19' rem_addr='192.168.100.14' authen_type=1 service=1 priv=1
2:13:51: AAA/AUTHEN/START (0): port='tty19' list='' action=LOGIN service=LOGIN
2:13:51: AAA/AUTHEN/START (0): using "default" list
2:13:51: AAA/AUTHEN/START (35149617): Method=TACACS+
2:13:51: TAC+ (35149617): received authen response status = GETUSER
2:13:51: AAA/AUTHEN (35149617): status = GETUSER
2:13:51: AAA/AUTHEN/CONT (35149617): continue_login
2:13:51: AAA/AUTHEN (35149617): status = GETUSER
2:13:51: AAA/AUTHEN (35149617): Method=TACACS+
2:13:51: TAC+: send AUTHEN/CONT packet
2:13:51: TAC+ (35149617): received authen response status = GETPASS
2:13:51: AAA/AUTHEN (35149617): status = GETPASS
2:13:51: AAA/AUTHEN/CONT (35149617): continue_login
2:13:51: AAA/AUTHEN (35149617): status = GETPASS
2:13:51: AAA/AUTHEN (35149617): Method=TACACS+
2:13:51: TAC+: send AUTHEN/CONT packet
2:13:51: TAC+ (35149617): received authen response status = PASS
2:13:51: AAA/AUTHEN (35149617): status = PASS

Example 7-6 shows sample output from the debug aaa authorization command. In this display, an EXEC authorization for user Howard is performed. On the first line, the username is authorized. On the second and third lines, the attribute value (AV) pairs are authorized. The debug output displays a line for each AV pair that is authenticated. Next, the display indicates the authorization method used. The final line in the display indicates the status of the authorization process, which, in this case, has failed.

The aaa authorization command causes a request packet containing user profile information to be sent to the TACACS+ services daemon as part of the authorization process. The service responds in one of the following three ways:

Accepts the request as is

Makes changes to the request

Refuses the request, thereby refusing authorization

Example 7-7 demonstrates sample output from the debug aaa accounting command.
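The session ID in the Example 7-5 output is what lets an operator keep interleaved logins apart. The following Python is an added example, not code from the book or from Cisco: it parses debug aaa authentication output, groups the status transitions by session ID, records the method each session used, and reports sessions that never reached a terminal PASS, FAIL or ERROR status. The sample input reuses the Example 7-5 lines and adds two constructed sessions (IDs 35149620 and 35149625) interleaved with the original one; those IDs, their lines and the function names are assumptions made for this example.

```python
import re
from collections import OrderedDict

# Constructed sample: the Example 7-5 lines (session 35149617) with two
# invented sessions interleaved: 35149620 (fails) and 35149625 (never finishes).
SAMPLE_DEBUG = """\
2:13:51: AAA/AUTHEN: create_user user='' ruser='' port='tty19' rem_addr='192.168.100.14' authen_type=1 service=1 priv=1
2:13:51: AAA/AUTHEN/START (0): port='tty19' list='' action=LOGIN service=LOGIN
2:13:51: AAA/AUTHEN/START (0): using "default" list
2:13:51: AAA/AUTHEN/START (35149617): Method=TACACS+
2:13:51: TAC+ (35149617): received authen response status = GETUSER
2:13:51: AAA/AUTHEN (35149617): status = GETUSER
2:13:51: AAA/AUTHEN/START (35149620): Method=TACACS+
2:13:51: AAA/AUTHEN/CONT (35149617): continue_login
2:13:51: AAA/AUTHEN (35149617): status = GETUSER
2:13:51: AAA/AUTHEN (35149617): Method=TACACS+
2:13:51: TAC+: send AUTHEN/CONT packet
2:13:51: TAC+ (35149617): received authen response status = GETPASS
2:13:51: AAA/AUTHEN (35149617): status = GETPASS
2:13:51: AAA/AUTHEN (35149620): status = GETUSER
2:13:51: AAA/AUTHEN/CONT (35149617): continue_login
2:13:51: AAA/AUTHEN (35149617): status = GETPASS
2:13:51: AAA/AUTHEN (35149617): Method=TACACS+
2:13:51: TAC+: send AUTHEN/CONT packet
2:13:51: TAC+ (35149617): received authen response status = PASS
2:13:51: AAA/AUTHEN (35149617): status = PASS
2:13:51: AAA/AUTHEN (35149620): status = FAIL
2:13:52: AAA/AUTHEN/START (35149625): Method=TACACS+
2:13:52: AAA/AUTHEN (35149625): status = GETUSER
"""

# Only lines that carry a "(session id)" are attributed to a session.
LINE_RE = re.compile(
    r"^(?P<ts>[\d:]+): (?P<src>AAA/AUTHEN(?:/START|/CONT)?|TAC\+) "
    r"\((?P<sid>\d+)\): (?P<msg>.*)$"
)
STATUS_RE = re.compile(r"status = (\w+)")
METHOD_RE = re.compile(r"Method=(\S+)")
TERMINAL = {"PASS", "FAIL", "ERROR"}


def track_sessions(debug_text):
    """Group status transitions and the method used by session ID."""
    sessions = OrderedDict()
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw.strip())
        # Session ID 0 is used before a method is selected; no session yet.
        if not m or m.group("sid") == "0":
            continue
        sid = m.group("sid")
        s = sessions.setdefault(sid, {"method": None, "statuses": [], "last_seen": None})
        s["last_seen"] = m.group("ts")
        mm = METHOD_RE.search(m.group("msg"))
        if mm:
            s["method"] = mm.group(1)
        sm = STATUS_RE.search(m.group("msg"))
        if sm:
            status = sm.group(1)
            # The same status is echoed by TAC+ and AAA/AUTHEN; keep one copy.
            if not s["statuses"] or s["statuses"][-1] != status:
                s["statuses"].append(status)
    return sessions


def final_status(session):
    return session["statuses"][-1] if session["statuses"] else None


def unfinished(sessions):
    """Session IDs that never reached PASS, FAIL or ERROR (e.g. a hung prompt)."""
    return [sid for sid, s in sessions.items() if final_status(s) not in TERMINAL]


if __name__ == "__main__":
    tracked = track_sessions(SAMPLE_DEBUG)
    for sid, s in tracked.items():
        print(sid, s["method"], " -> ".join(s["statuses"]))
    print("unfinished:", unfinished(tracked))
```

Pipe a saved debug capture into track_sessions; the collapsed status chain per session reads the same way the text describes (GETUSER, GETPASS, then the final response), and unfinished() surfaces logins that stalled at a prompt.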

Example 7-6 debug aaa authorization Command Output

Router# debug aaa authorization
12:41:21: AAA/AUTHOR (0): user='Howard'
12:41:21: AAA/AUTHOR (0): send AV service=shell
12:41:21: AAA/AUTHOR (0): send AV cmd*
12:41:21: AAA/AUTHOR (642335165): Method=TACACS+
12:41:21: AAA/AUTHOR/TAC+ (642335165): user=Chris
12:41:21: AAA/AUTHOR/TAC+ (642335165): send AV service=shell
12:41:21: AAA/AUTHOR/TAC+ (642335165): send AV cmd*
12:41:21: AAA/AUTHOR (642335165): Post authorization status = FAIL

Example 7-7 debug aaa accounting Command Output

Router# debug aaa accounting
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop:
task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78
cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14

The information displayed by the debug aaa accounting command is independent of the accounting protocol used to transfer the accounting information to a server. You also can use the show accounting command to step through all active sessions and to print all the accounting records for actively accounted functions.

The show accounting command enables you to display the active accountable events on the system.

It provides systems administrators a quick look at what is happening and may also prove useful for collecting information in the event of a data loss of some kind on the accounting server.
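The accounting records above are the data an administrator would fall back on after a loss on the accounting server. The following Python is an added example, not code from the book or from Cisco: it parses debug aaa accounting output into start and stop events with their key=value attributes, flags stop records that have no preceding start on the same line or port, and totals the bytes reported in stop records. The sample input reuses the Example 7-7 lines and adds one constructed stop record (task_id=71, port 12, address 172.31.3.90) with no matching start; that record and the function names are assumptions made for this example.

```python
import re

# Constructed sample: the Example 7-7 records plus one invented stop record
# (task_id=71 on port 12) that has no matching start event.
SAMPLE_ACCT = """\
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop:
task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78
cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14
16:50:05: AAA/ACCT: Connection acct stop:
task_id=71 service=exec port=12 protocol=telnet address=172.31.3.90
cmd=glare bytes_in=10 bytes_out=20 paks_in=1 paks_out=2 elapsed_time=3
"""

# An event line starts with a timestamp and the AAA/ACCT tag; attribute lines
# (key=value pairs) that follow belong to the most recent event.
EVENT_RE = re.compile(r"^(?P<ts>[\d:]+): AAA/ACCT: (?P<text>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def _value(v):
    """Counters and IDs become ints; names and addresses stay strings."""
    return int(v) if v.isdigit() else v


def parse_accounting(debug_text):
    events = []
    for raw in debug_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m:
            text = m.group("text").rstrip(":")
            parts = [p.strip() for p in text.split(",")]
            if parts[0].endswith(" stop"):
                phase = "stop"
            elif parts[0].endswith(" start"):
                phase = "start"
            else:
                phase = "other"
            ev = {"ts": m.group("ts"), "event": parts[0], "phase": phase, "attrs": {}}
            for p in parts[1:]:
                if p.startswith("line "):
                    ev["attrs"]["line"] = int(p[5:])
                else:
                    ev["attrs"]["cmd"] = p
            events.append(ev)
        elif events:
            for k, v in KV_RE.findall(line):
                events[-1]["attrs"][k] = _value(v)
    return events


def unmatched_stops(events):
    """task_ids of stop records whose line/port never produced a start record."""
    started = set()
    bad = []
    for ev in events:
        key = ev["attrs"].get("line", ev["attrs"].get("port"))
        if ev["phase"] == "start":
            started.add(key)
        elif ev["phase"] == "stop" and key not in started:
            bad.append(ev["attrs"].get("task_id"))
    return bad


def total_bytes(events):
    """(bytes_in, bytes_out) summed over all stop records."""
    stops = [e["attrs"] for e in events if e["phase"] == "stop"]
    return (sum(a.get("bytes_in", 0) for a in stops),
            sum(a.get("bytes_out", 0) for a in stops))


if __name__ == "__main__":
    evs = parse_accounting(SAMPLE_ACCT)
    for ev in evs:
        print(ev["ts"], ev["event"], ev["attrs"])
    print("stop without start:", unmatched_stops(evs))
    print("bytes in/out:", total_bytes(evs))
```

The start/stop pairing is keyed on the line number from start records and the port attribute from stop records, which is how the two sides of a session are tied together in the sample output; a stop with no start is the first thing to look for when reconciling the router's view against what the accounting server retained.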


Foundation Summary

The “Foundation Summary” section of each chapter lists the most important facts from the chapter.

Although this section does not list every fact from the chapter that will be on your SECUR exam, a well-prepared candidate should at a minimum know all the details in each “Foundation Summary” before going to take the exam.

To configure security on a Cisco router or access server using AAA, follow these steps:

Step 1 Activate AAA services by using the aaa new-model command.

Step 2 Select the type of security protocols (for instance, RADIUS, TACACS+, or Kerberos).

Step 3 Define the method list’s authentication by using an aaa authentication command.

Step 4 Apply the method lists to a particular interface or line, if required.

Step 5 (Optional) Configure authorization using the aaa authorization command.

Step 6 (Optional) Configure accounting using the aaa accounting command.

debug aaa authentication—Displays debugging messages on authentication functions

debug aaa authorization—Displays debugging messages on authorization functions

debug aaa accounting—Displays debugging messages on accounting functions

Q&A

As mentioned in the section, “How to Use This Book,” in the Introduction to this book, you have two choices for review questions. The questions that follow next give you a bigger challenge than the exam itself by using an open-ended question format. By reviewing now with this more difficult question format, you can exercise your memory better and prove your conceptual and factual knowledge of this chapter. The answers to these questions are found in the appendix.

For more practice with exam-like question formats, including questions using a router simulator and multiple choice questions, use the exam engine on the CD-ROM.

1. What command enables AAA on a router/NAS?

2. Which of the AAA services can be used for billing and auditing?

3. What are the seven types of AAA authorization supported on the Cisco IOS Software?

4. What AAA command would you use to configure authentication for login to an access server?

5. Name two authorization methods supported by AAA.

6. What command enables you to troubleshoot a AAA authorization problem?

7. How many authentication methods can you specify in AAA configuration?

8. What is the difference between a FAIL response and an ERROR response in a AAA configuration?

9. How would you display all the accounting records for actively accounted functions?

10. What command disables AAA functionality on your access server?

This chapter covers the
