
Troubleshooting AAA on the Cisco NAS

In the document Complete Study Guide (Page 127-131)

Everything’s gone well so far, but for the darker days, let’s look at some commands that help you with troubleshooting AAA configurations. You can use these three debugging commands to trace AAA packets and monitor their activities:

debug aaa authentication

debug aaa authorization

debug aaa accounting

The following output results from executing the debug aaa authentication command. You can use this information to troubleshoot console logins:

Todd#debug aaa authentication
Todd#exit
01:41:50: AAA/AUTHEN: free_user (0x81420624) user='todd' ruser='' port='tty0' rem_addr='async/' authen_type=ASCII service=LOGIN priv=1
01:41:51: AAA: parse name=tty0 idb type=-1 tty=-1
01:41:51: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
01:41:51: AAA/AUTHEN: create_user (0x81420624) user='' ruser='' port='tty0' rem_addr='async/' authen_type=ASCII service=LOGIN priv=1
01:41:51: AAA/AUTHEN/START (864264997): port='tty0' list='' action=LOGIN service=LOGIN
01:41:51: AAA/AUTHEN/START (864264997): using "default" list
01:41:51: AAA/AUTHEN/START (864264997): Method=LOCAL
01:41:51: AAA/AUTHEN (864264997): status = GETUSER
User Access Verification
username:todd
Password: (not shown)
Todd>
01:42:12: AAA/AUTHEN/CONT (864264997): continue_login (user='(undef)')
01:42:12: AAA/AUTHEN (864264997): status = GETUSER
01:42:12: AAA/AUTHEN/CONT (864264997): Method=LOCAL
01:42:12: AAA/AUTHEN (864264997): status = GETPASS
01:42:14: AAA/AUTHEN/CONT (864264997): continue_login (user='todd')
01:42:14: AAA/AUTHEN (864264997): status = GETPASS
01:42:14: AAA/AUTHEN/CONT (864264997): Method=LOCAL
01:42:14: AAA/AUTHEN (864264997): status = PASS

48 Chapter 2 Introduction to AAA Security

The preceding output shows user-mode access on the NAS (priv=1), that the username is todd, and that the method is local authentication. The following output shows enable access, which appears as priv=15, meaning privilege level 15.

Todd>enable
Password: (not shown)
01:42:46: AAA/AUTHEN: dup_user (0x8147DFC4) user='todd' ruser='' port='tty0' rem_addr='async/' authen_type=ASCII service=ENABLE priv=15 source='AAA dup enable'
01:42:46: AAA/AUTHEN/START (3721425915): port='tty0' list='' action=LOGIN service=ENABLE
01:42:46: AAA/AUTHEN/START (3721425915): console enable - default to enable password (if any)
01:42:46: AAA/AUTHEN/START (3721425915): Method=ENABLE
01:42:46: AAA/AUTHEN (3721425915): status = GETPASS
Todd#
01:42:50: AAA/AUTHEN/CONT (3721425915): continue_login (user='(undef)')
01:42:50: AAA/AUTHEN (3721425915): status = GETPASS
01:42:50: AAA/AUTHEN/CONT (3721425915): Method=ENABLE
01:42:50: AAA/AUTHEN (3721425915): status = PASS
01:42:50: AAA/AUTHEN: free_user (0x8147DFC4) user='' ruser='' port='tty0' rem_addr='async/' authen_type=ASCII service=ENABLE priv=15

Use the no debug aaa authentication form of the command to disable this debug mode, as follows:

Todd#no debug aaa authentication
AAA Authentication debugging is off
Todd#
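The login and enable sessions above are easier to review in bulk than by eye, so here is an added example (not from the study guide) that walks debug aaa authentication output and pulls out the four things the chapter tells you to look for: username, method, privilege level and final status. The regexes assume the line shapes shown on this page; the sample input is constructed and includes a failed enable attempt so the non-PASS check has something to report.

```python
import re

# Line shapes taken from the chapter's debug aaa authentication output
# (assumption: other IOS releases may format these slightly differently).
USER_LINE = re.compile(r"AAA/AUTHEN: (?:create|dup)_user .*user='([^']*)' ruser=.*service=(\w+) priv=(\d+)")
SESSION_LINE = re.compile(r"AAA/AUTHEN(?:/\w+)? \((\d+)\): (.*)")
METHOD = re.compile(r"Method=(\w+)")
STATUS = re.compile(r"status = (\w+)")
CONT_USER = re.compile(r"continue_login \(user='([^']*)'\)")

# Constructed sample in the page's format: one LOGIN session that passes,
# one ENABLE session that fails.
SAMPLE = """\
01:41:51: AAA/AUTHEN: create_user (0x81420624) user='' ruser='' port='tty0' rem_addr='async/' authen_type=ASCII service=LOGIN priv=1
01:41:51: AAA/AUTHEN/START (864264997): port='tty0' list='' action=LOGIN service=LOGIN
01:41:51: AAA/AUTHEN/START (864264997): Method=LOCAL
01:41:51: AAA/AUTHEN (864264997): status = GETUSER
01:42:14: AAA/AUTHEN/CONT (864264997): continue_login (user='todd')
01:42:14: AAA/AUTHEN (864264997): status = PASS
01:42:46: AAA/AUTHEN: dup_user (0x8147DFC4) user='todd' ruser='' port='tty0' rem_addr='async/' authen_type=ASCII service=ENABLE priv=15 source='AAA dup enable'
01:42:46: AAA/AUTHEN/START (3721425915): port='tty0' list='' action=LOGIN service=ENABLE
01:42:46: AAA/AUTHEN/START (3721425915): Method=ENABLE
01:42:50: AAA/AUTHEN (3721425915): status = FAIL
"""


def summarize_authen(debug_text):
    """Return {session_id: {user, service, priv, method, status}}."""
    sessions = {}
    pending = None  # service/priv/user from the create_user or dup_user line that precedes START
    for line in debug_text.splitlines():
        m = USER_LINE.search(line)
        if m:
            pending = {"user": m.group(1) or None, "service": m.group(2), "priv": int(m.group(3))}
            continue
        m = SESSION_LINE.search(line)
        if not m:
            continue  # prompts, echoed commands and non-session AAA lines
        sid, rest = m.groups()
        s = sessions.setdefault(sid, {"user": None, "service": None, "priv": None, "method": None, "status": None})
        if s["service"] is None and pending:
            s.update({k: v for k, v in pending.items() if v is not None})
            pending = None
        if (mm := METHOD.search(rest)):
            s["method"] = mm.group(1)
        if (mm := CONT_USER.search(rest)) and mm.group(1) != "(undef)":
            s["user"] = mm.group(1)  # the real username arrives on the CONT line
        if (mm := STATUS.search(rest)):
            s["status"] = mm.group(1)  # the last status seen is the outcome
    return sessions


def not_passed(sessions):
    """Session ids whose final status is anything but PASS, for review or alerting."""
    return sorted(sid for sid, s in sessions.items() if s["status"] != "PASS")
```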

The next output shows a successful AAA authorization:

Todd# debug aaa authorization
1:21:23: AAA/AUTHOR (0): user='Todd'
1:21:23: AAA/AUTHOR (0): send AV service=shell
1:21:23: AAA/AUTHOR (0): send AV cmd*
1:21:23: AAA/AUTHOR (342885561): Method=Local
1:21:23: AAA/AUTHOR/TAC+ (342885561): user=Todd
1:21:23: AAA/AUTHOR/TAC+ (342885561): send AV service=shell
1:21:23: AAA/AUTHOR/TAC+ (342885561): send AV cmd*
1:21:23: AAA/AUTHOR (342885561): Post authorization status = PASS


You can see here that the username is Todd. The second and third lines show that the attribute value (AV) pairs are authorized. The next line shows the method used for authorizing, and the final line gives you the status of the authorization.

The following is output from the debug aaa accounting command, which displays information on accountable events as they occur. Chapter 3 covers this topic more thoroughly:

Todd# debug aaa accounting
1:09:41: AAA/ACCT: EXEC acct start, line 10
1:09:52: AAA/ACCT: Connect start, line 10, glare
1:09:07: AAA/ACCT: Connection acct stop:
task_id=60 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14

Remember that the protocol used to transfer the accounting information to a server is independent of the information displayed. In addition to the debug aaa accounting command, you can use the debug tacacs and debug radius commands to examine the protocol-specific information. Again, Chapter 3 provides more detail on these commands.

If AAA accounting is configured, you can use the show accounting command to see all the active sessions and to print accounting records. It's also useful to know that if you activate the debug aaa accounting command, the show accounting command displays additional data on the internal state of the AAA security system.

Summary

As security needs become more complex in your networking environments, Cisco continues to extend its features to meet demands. Cisco's AAA (authentication, authorization, and accounting) services provide control over user access, manage what those users are permitted to do once they're authorized to get into your network, and record the tasks they perform during their sessions. AAA provides great techniques for network authentication, granting permissions (authorization), and keeping records of activity (accounting).

In addition, RADIUS and TACACS+ security servers allow you to implement a centralized security plan.

The configuration of AAA on the Cisco NAS (Network Access Server) using a local database is important for smaller networks. In Chapter 3, you’ll learn how to move the local database to a Cisco NAS.


Exam Essentials

Remember which authentication method is the most secure. Token cards/soft tokens are the most secure method of authentication.

Know what the AAA command wait-start radius provides. The wait-start radius command means that a requested service can’t start until the acknowledgment has been received from the RADIUS server.

Be able to read the output of a debug aaa authentication command. In the debug aaa authentication output, you need to find the username and the method, and see if it was successful.

Be able to read the output of a debug ppp authentication command. In the debug ppp authentication output, you need to understand what interface the challenge is coming from.

Remember the command to enable AAA globally on the NAS. The aaa new-model command is used to start AAA on the NAS.

Chapter 3 Configuring Cisco
