UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
For more information about AAA accounting, including RADIUS and TACACS+
attributes, see the Security Configuration Guide.
Method Lists
Method lists are used to specify one or more security protocols or mechanisms for AAA. Method lists also specify the sequence in which the security mechanisms should be used. These lists can be used to provide backup mechanisms for when the primary security method is unavailable. For AAA, the Cisco IOS software will use the first method listed to perform the authentication, authorization, or accounting as appropriate. If the Cisco IOS software is unable to complete the task because it cannot communicate with the security server or mechanism, then the Cisco IOS will try the next method in the list. This continues until there is a successful communication with a listed method or the list is exhausted. If the list is exhausted, then the mechanism will fail. In the case of authentication and authorization, the user will be denied access. In the case of accounting, the auditing event will not occur, except for wait-start accounting, which will also deny the user access to the service. Note: a negative response from a security server will also deny access in the case of authentication and authorization, and the next method in the list will not be attempted.

Method lists can be given a specific name or can use the keyword default. When a method list is specified using the default keyword, the list will be automatically applied to all the appropriate interfaces and lines. Named method lists can then be defined and applied to a particular interface or line to override the default behavior. This also means that a named method list will have no effect on an interface or line unless it has been applied to it. Methods requiring only a password should never be placed ahead of methods requiring a username and password, since the user will never be prompted for a username. A special case seems to exist for the local database in that if a username does not exist, the next method will be attempted. (RADIUS, TACACS+, and Kerberos security servers will deny access if the username does not exist and the server is available.)
The following example shows a named method list for AAA authentication, and
default lists for authorization and accounting for network traffic:
aaa authentication login remoteauthen radius local
aaa authorization network default radius local
aaa accounting network default start-stop radius
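The fallback rules described above (unreachable server: try the next method; explicit reject: stop and deny; unknown local username: fall through; exhausted list: deny) are easy to misjudge when ordering a list such as "radius local". The following is an added simulation of that walk, written for this guide's text and not taken from IOS; the server callables, the MethodList class and the sample users are constructed assumptions.

```python
"""Simulate how IOS walks an AAA login authentication method list.

Hypothetical model, not IOS code. Each security server is a callable
(username, password) -> "accept" | "reject", or raises ServerUnreachable.
The local database is a plain dict of username -> password.
"""
from dataclasses import dataclass, field


class ServerUnreachable(Exception):
    """The router could not communicate with the security server."""


@dataclass
class MethodList:
    methods: list                                   # e.g. ["radius", "local"]
    servers: dict = field(default_factory=dict)     # method name -> callable
    local_users: dict = field(default_factory=dict)  # local database

    def authenticate(self, username, password):
        """Return (decision, reason); decision is 'allow' or 'deny'."""
        for method in self.methods:
            if method == "local":
                if username not in self.local_users:
                    continue  # special case: unknown local user, try next method
                if self.local_users[username] == password:
                    return "allow", "local"
                return "deny", "local rejected"
            try:
                verdict = self.servers[method](username, password)
            except ServerUnreachable:
                continue  # communication failure: try the next method
            if verdict == "accept":
                return "allow", method
            return "deny", f"{method} rejected"  # negative response: no fallback
        return "deny", "method list exhausted"  # exhausted list: user denied


# Constructed sample servers and users for demonstration only.
def radius_down(username, password):
    raise ServerUnreachable("radius server timed out")


def radius_up(username, password):
    return "accept" if (username, password) == ("alice", "s3cret") else "reject"


def demo():
    """'radius local' with RADIUS down falls back to the local database."""
    ml = MethodList(["radius", "local"], {"radius": radius_down}, {"admin": "pw"})
    return ml.authenticate("admin", "pw")
```

Note that with the RADIUS server reachable, a reject for a username known only to the local database still denies access, since the next method is never consulted.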
4.6.2. Router Access Control
The previous section introduced authentication, authorization, and accounting
mechanisms and how method lists are used to define the security protocol to use for a
service. This section will cover details of configuring AAA for controlling access to
the router. Section 4.6.3 briefly covers a dial-in user example. Cisco's ACS Version
2.3 was used for testing RADIUS and TACACS+ security servers. Section 4.6.4
describes security server protocols in more detail.