Figure B.1: Catalyst switch using IP permit lists.
Configuring AAA Support
Cisco Catalyst switches support the use of the AAA architecture that was discussed in Chapter 2. Catalyst switches allow for the configuration of any combination of these authentication methods to control access to the switch:
∙Local authentication—Uses the locally configured login and enable passwords to authenticate login attempts.
∙RADIUS authentication—Uses the AAA server to authenticate login attempts using the RADIUS protocol.
∙TACACS+ authentication—Uses the AAA server to authenticate login attempts using the TACACS+ protocol.
∙Kerberos authentication—Uses a trusted Kerberos server to authenticate login attempts.
Note All configurations in this section are related to switches that use the CatOS software. To configure for AAA support a Catalyst that uses Native IOS software, please refer to Chapter 2.
Use the following commands to enable authorization for the Catalyst switch (local login and enable authentication are enabled for both console and Telnet connections by default):
set authentication login tacacs disable console
set authentication login tacacs enable telnet primary
set authentication login tacacs enable http primary set authentication enable tacacs disable console
set authentication enable tacacs enable telnet primary set authentication enable tacacs disable http
set authentication login local enable console set authentication login local enable telnet set authentication login local enable http
set authentication enable local enable console set authentication enable local enable telnet set authentication enable local enable http
276
To view the results of enabling authorization on the switch, issue the show authentication command. The following output is an example of issuing the show authentication command:
Cat−6509> (enable) sh authentication |
|
||
Login : |
Console |
Telnet |
Http |
−−−−−−− |
−−−−−−− |
−−−−−− |
−−−− |
tacacs |
disabled |
enabled(primary) |
enabled(primary) |
radius |
disabled |
disabled |
disabled |
kerberos |
disabled |
disabled |
disabled |
local |
enabled(primary) |
enabled |
enabled |
Enable: |
Console |
Telnet |
Http |
−−−−−−− |
−−−−−−− |
−−−−−− |
−−−− |
tacacs |
disabled |
enabled(primary) |
disabled |
radius |
disabled |
disabled |
disabled |
kerberos |
disabled |
disabled |
disabled |
local |
enabled(primary) |
enabled |
enabled(primary) |
Authorization is also supported in the Catalyst model switches. It controls the functions that are permitted by an authenticated user on the switch. Authorization is supported on the Catalyst Ethernet switches for the following:
∙Commands—User must supply username and password that is verified by the AAA server to EXECute certain commands. Authorization for all commands can be enabled only for enable mode commands.
∙EXEC mode—User must supply a valid username and password that is verified by the AAA server to gain access to EXEC mode.
∙Enable mode—User must supply a valid username and password that is verified by the AAA server to gain access to enable mode.
Authentication is supported for three different connections attempts; however, authorization is supported for only two, Console and Telnet:
∙Console—Authorization is performed for all console sessions.
∙Telnet—Authorization is performed for all Telnet sessions.
Just as with routers, switches can be configured to support the use of methods to provide authorization services. The methods are sometimes referred to as options, and the option configured is known as the primary option. Any option configured after the primary option is known as a fallback option. Fallback options are used only in the event of an error condition or failure of the primary option. The Catalyst switches support the use the following options:
∙TACACS+—Uses a defined TACACS+ server to provide authorization services.
∙If−Authenticated—If authentication has already taken place for a session, authorization succeeds.
∙Deny—If the authentication server fails to respond to a request for authorization, the authentication request fails.
∙None—If the authentication server fails to respond, authentication succeeds.
Use the following commands to enable authorization for the Catalyst switch:
1. Use this command to enable authorization for EXEC mode access:
set authorization exec enable <option><fallbackoption> <console | telnet>
277
2. Use this command to enable authorization for privileged mode access to the switch:
set authorization enable enable <option> <fallbackoption> <console | telnet>
3. Use this command to enable authorization of configuration commands:
set authorization commands enable <config | all> <option> <fallbackoption> <console | telnet>
The following output displays an example of enabling authorization on the Catalyst switch:
set authorization exec disable console
set authorization exec enable tacacs+ if−authenticated telnet set authorization enable disable console
set authorization enable disable telnet set authorization commands disable console
set authorization commands enable config tacacs+ if−authenticated telnet
To view the results of enabling authorization on the switch, issue the show authorization command. The following output displays an example of issuing the show authorization command:
Cat−6509> (enable) sh authorization
Telnet: |
|
|
−−−−−−− |
|
|
|
Primary |
Fallback |
|
−−−−−−− |
−−−−−−−− |
exec: |
tacacs+ |
if−authenticated |
enable: |
− |
− |
commands: |
|
|
config: |
tacacs+ |
if−authenticated |
all: |
− |
− |
Console: |
|
|
−−−−−−−− |
|
|
|
Primary |
Fallback |
|
−−−−−−− |
−−−−−−−− |
exec: |
− |
− |
enable: |
− |
− |
commands: |
|
|
config: |
− |
− |
all: |
− |
− |
Accounting allows you to track user activity to a specified host, suspicious connection attempts in the network, and unauthorized changes. The accounting information is sent to the accounting server where it is saved in the form of a record. Accounting information typically consists of the user's action and the duration for which the action lasted. You can use the accounting feature for security, billing, and resource allocation purposes.
Accounting on the Catalyst switches can be configured for the following types of events:
∙EXEC mode—Accounting information about EXEC mode sessions on the switch is recorded when this mode of accounting is configured.
∙Connect—All outbound connection requests made from the switch are accounted for when this mode of accounting is performed.
∙System—Accounting information on system events that are not user related is recorded. This information includes system reset, system boot, and user configuration of accounting.
278
∙Command—Accounting information for each command entered into the switch by a user is recorded when this mode of accounting is configured.
After the switch is configured for accounting of services on the switch, accounting records are created. There are two types of accounting records: start records and stop records. Start records include information that pertains to the beginning of an event and stop records include the complete information of the event. To configure the switch for accounting, perform the following steps:
1. Use this command to enable accounting for connection events:
set accounting connect enable <start−stop | stop−only> <tacacs+ | radius>
2. Use this command to enable accounting for EXEC mode events:
set accounting exec enable <start−stop | stop−only> <tacacs+ | radius>
3. Use this command to enable accounting for system events:
set accounting system enable <start−stop | stop−only> <tacacs+ | radius>
4. Use this command to enable accounting of all configuration commands:
set accounting commands enable <config | all> <stop−only> <tacacs+>
5. Use this command to enable suppression of unknown user events:
set accounting suppress null−username enable
It is best to use the following command to disable this command so that information about unknown user events is accounted for:
set accounting suppress null−username disable
An example of configuring a Catalyst switch for accounting service is shown here:
set accounting exec enable stop−only tacacs+ set accounting connect disable
set accounting system enable stop−only tacacs+
set accounting commands enable config stop−only tacacs+ set accounting suppress null−username disable
To view the results of enabling authorization on the switch, issue the show accounting command. The following output is an example of issuing the show accounting command:
GC05−6509A> (enable) |
sh accounting |
|
Event |
Method |
Mode |
−−−−− |
−−−−−− |
−−−− |
exec: |
tacacs+ |
stop−only |
connect: |
− |
− |
system: |
tacacs+ |
stop−only |
commands: |
|
|
config: |
tacacs+ |
stop−only |
all: |
− |
− |
TACACS+ Suppress for no username: disabled
Update Frequency: new−info
279
Accounting information:
−−−−−−−−−−−−−−−−−−−−−−−
Active Accounted actions on tty0, User (null) Priv 0 Active Accounted actions on tty−2106106732, −
User testuser Priv 15
Task ID 807, exec Accounting record, 0,00:00:44 Elapsed task_id=807 start_time=1011372975 timezone=CST service=shell
Overall Accounting |
Traffic: |
||
|
Starts |
Stops |
Active |
|
−−−−−− |
−−−−− |
−−−−−− |
Exec |
0 |
489 |
1 |
Connect |
0 |
0 |
0 |
Command |
0 |
0 |
0 |
System |
0 |
43 |
0 |
280