
Oct 13, 2010

Router management server TACACS + Privilege Levels combined

TACACS+ and RADIUS servers give you the ability to manage access to network devices centrally, with good security properties. Cisco privilege levels form a hierarchy of rights for each user on the device. This article is based on the idea of combining the two elements to provide a flexible management solution and improve the security of the network. RADIUS and TACACS+ are two protocols with similar functions, so the question is: why did the author choose TACACS+? To answer that, let us look at the advantages of TACACS+ for router management:

RADIUS does not let you control which commands a user is allowed to run on the router. TACACS+ proves flexible and useful for router management because it provides two ways to control authorization, both per user and per group:

  • Assign commands to privilege levels on the router, and use the TACACS+ server to assign the privilege level each user receives on login.
  • Specify, in the TACACS+ server configuration, which commands a user or group may execute on the router.

A. Part 1: Use only Privilege Levels 

Privilege Levels 

By default the router has three privilege levels:
  • Privilege level 0: the lowest. Includes 5 commands: disable, enable, exit, help and logout
  • Privilege level 1: non-privileged. Equivalent to "router>"
  • Privilege level 15: privileged, equivalent to enable mode (Router#)

Levels 2-14 are not configured by default, but they can be configured by moving commands between levels. To see which level you are currently at on the router, use the show privilege command. To see which commands are available at that level, type ? at the prompt.
Description of requirements 

  • Install the TACACS+ server and configure authentication and authorization based on user privilege levels
  • Configure the AAA service on the router
  • Use a terminal client program to check the results.

Equipment 

Cisco 2691 Router 
A PC with Windows XP as client 
A PC running Windows Server 2003 with Cisco Secure ACS installed. Link:


The steps 

1. Install and configure the TACACS+ server:

a. The installation is not difficult; note the following points:

  • Use Internet Explorer 6 SP1 or higher, or Netscape 7 or higher
  • Install Java. Link: www.java.com
  • Check all the boxes.

After the installation is complete, click the ACS Admin icon on your desktop to access the server through the web browser.



Figure 1: Interface of Cisco Secure ACS 4.0 program


b. Configure the TACACS+ server:

Step 1: Create groups
Here we will create two groups: the Administrator group has privilege level 15 and the Guest group has privilege level 0.
Open the Group Setup menu.



Figure 2: Create Group

Choose any group and then select Rename Group. Enter Administrator, then click Submit.



Figure 3: Create a group named Administrator



Do the same to create another group named Guest. Next we assign the two groups the privilege levels mentioned above, starting with the Administrator group.
Select the Administrator group and then select Edit Settings.



Figure 4: The configuration for each group


In the Group Setup window that follows, do the following:

  • Select TACACS+ in the Jump To section
  • Check Shell (exec)
  • Check Privilege Level and enter 15
  • Select Submit + Restart





Figure 5: Configuring the Admin group in the Privilege Level 15


Thus, any user in the Administrator group who connects to the router through the TACACS+ server will have privilege level 15.
The Guest group is configured with privilege level 0 in the same way.
Step 2: Create users and add them to groups
We will create a user named balcony in the Administrator group and a user named Guest in the Guest group.
In the User Setup menu, enter balcony and select Add/Edit.
Figure 6: Add a user named balcony


In the next User Setup screen you need to enter the following parameters:

  • Password Authentication: ACS Internal Database
  • Password for the user balcony
  • Select Administrator as the group for this user.



Figure 7: Configuring the user balcony


To create and configure the user Guest in the Guest group we do the same.
Step 3: Configure the AAA server and client:
Open the Network Configuration menu. First we configure the AAA client.
Click Add Entry under AAA Clients.



Figure 8: Select the AAA client configuration


In the next window enter the following parameters:

  • AAA Client Hostname: the hostname of the router (center)
  • AAA Client IP Address: the address of the router, 10.0.0.1
  • Key: the shared key between the router and the server (chosen arbitrarily, but it must match the value entered later when configuring the router)
  • Authenticate Using: select TACACS+

Then select Submit + Apply.



Figure 9: Configuring the AAA client


Next we will configure the AAA Server: 
Select Add Entry in the AAA server: 



Figure 10: Select the AAA server configuration.


Enter the following values:

  • AAA Server Name: arbitrary
  • AAA Server IP Address: the IP address of the PC running TACACS+
  • Key: the shared key (the same key as before, here 123456)
  • AAA Server Type: select TACACS+

Select Submit + Apply.



Figure 11: Configuration parameters for the AAA server


2. Configure the router:

The following are the main configuration commands. Note that these commands are for Cisco IOS 12.5 or later.
Overall the configuration is relatively simple. Below is a link to download the entire configuration of the router Center:

center(config)# aaa new-model
center(config)# aaa authentication login default group tacacs+
center(config)# aaa authorization exec default group tacacs+
center(config)# tacacs-server host 10.0.0.254 ! the TACACS+ server's IP
center(config)# tacacs-server key 123456 ! the key entered above



3. Testing:

From a client running Windows XP we use the command line to telnet into the router Center and test the two accounts, balcony (admin) and Guest (guest).
On the client, in CMD, type telnet 192.168.1.10. A prompt for username and password appears. I enter balcony and the corresponding password, as configured:



Figure 12: Access to the router with level 15 account


As you can see, with a level 15 login the router drops us straight into privileged mode.
Next we try logging in with the Guest account:



The image above shows the Guest user at level 0 as configured: only the 5 commands stated at the beginning can be used.
B. Part 2: Combining Command Authorization and Privilege Levels:
As mentioned above, the advantage of TACACS+ over RADIUS is the Command Authorization feature. Literally, it determines which commands a user may or may not use when logged in.
So at this point the commands a user can perform after logging in to the device are the commands of their privilege level minus the commands we deny in Command Authorization.
Description of requirements:
Based on the two groups already created, the configuration is extended as follows:

  • Administrator keeps level 15 but cannot erase startup-config
  • Guest is raised to level 15 but is allowed to use only the show command

Implementation steps

As noted above, first we set the privilege level of the Guest group to 15. Setting level 15 now only means the maximum level; what the user can actually run depends on the Command Authorization you will set up later.



Figure 14: Setting up Guest Level 15 of the group


Step 1: Create the Command Authorization sets, each a group of commands the user can or cannot execute.
First open the Shared Profile Components menu and click Shell Command Authorization Sets.



Figure 15: Select the configuration Command Authorization


Click the Add button to add a new set. The fields in this section have the following meanings:



Figure 16: Command Authorization Framework configuration


  • Name: the name of the set you are about to configure.
  • Unmatched Commands: how the server treats commands that you do not list below (the two options are Permit and Deny).
  • Args: arguments. For example, ip route and ip interface brief are args of the show command.
  • Permit Unmatched Args: allow args that you do not list. If unchecked, unlisted args are treated as Deny.
  • Add Command: add a new command. Type the command and click Add Command. Then enter the args for that command in the form: permit/deny arg, one per line. To make this easier to understand, let us go through the configuration:
Create the set for the Admin group: the Admin group can use all level 15 commands except erase startup-config. I do the following:
  • Enter the name Admin
  • Unmatched Commands: select Permit, i.e. allow all commands.
  • Enter the command erase and select Add Command
  • Click erase and type deny startup-config in the frame on the right
  • Check Permit Unmatched Args; if you do not, the server will deny every other argument of the erase command
  • Click Submit when done



Figure 17: sample command authorization for the Admin group


Create the set for the Guest group:

The Guest group is now at level 15, i.e. full Admin rights, so here the idea is reversed: permit a few commands and deny everything else. Specifically, Guest is allowed only two commands: show ip route and show ip interface brief.
  • Enter the name Guest
  • Unmatched Commands: choose Deny
  • Add the command show. In the frame on the right enter: deny run; permit ip route; permit ip interface brief
  • The deny run line is actually redundant, because leaving Permit Unmatched Args unchecked already denies it.
  • Click Submit.
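To make the Admin and Guest set semantics above concrete, here is an added example (not part of the original post or of Cisco ACS) that models how such a set is evaluated: the first word is the command, the rest is the argument string, and each arg line is treated as a regular expression matched against it. This is a simplified model of the rules described above, not ACS's own matching code.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One 'Add Command' entry: its permit/deny arg lines, in order."""
    command: str
    arg_rules: list                      # list of (action, pattern)
    permit_unmatched_args: bool = False  # the Permit Unmatched Args checkbox


@dataclass
class CommandSet:
    """A Shell Command Authorization Set: Name, Unmatched Commands, commands."""
    name: str
    unmatched_commands: str              # "permit" or "deny"
    commands: dict = field(default_factory=dict)


def evaluate(cmd_set, line):
    """Return True if the command line is permitted under the set.

    Assumption: arg patterns are regexes matched against the whole
    argument string, first matching line wins; unlisted args fall back
    to permit_unmatched_args, unlisted commands to unmatched_commands.
    """
    words = line.split()
    if not words:
        return False
    command, args = words[0].lower(), " ".join(words[1:])
    rule = cmd_set.commands.get(command)
    if rule is None:
        return cmd_set.unmatched_commands == "permit"
    for action, pattern in rule.arg_rules:
        if re.fullmatch(pattern, args):
            return action == "permit"
    return rule.permit_unmatched_args


# Sets constructed to mirror the post: Admin permits everything except
# "erase startup-config"; Guest denies everything except two show commands.
ADMIN = CommandSet("Admin", "permit", {
    "erase": CommandRule("erase", [("deny", "startup-config")], True),
})
GUEST = CommandSet("Guest", "deny", {
    "show": CommandRule("show", [("deny", "run"),
                                 ("permit", "ip route"),
                                 ("permit", "ip interface brief")]),
})

if __name__ == "__main__":
    for s, cmd in [(ADMIN, "erase startup-config"), (GUEST, "show ip route")]:
        print(s.name, repr(cmd), "permitted" if evaluate(s, cmd) else "denied")
```

Note that "show ip route 10.0.0.0" is denied for Guest, because the argument string no longer matches the listed line and Permit Unmatched Args is unchecked.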



Figure 18: Create templates for group Guest


Step 2: Configure Command Authorization for each group

Step 1 only created the sets; this step applies each set to the appropriate group.
Configuration for the Admin group:
+ In the Group Setup menu, select the Administrator group and click Edit Settings.
+ Scroll down to Shell Command Authorization Set, choose Assign a Shell Command Authorization Set for any network device, and select Admin in the list below.
+ Click Submit + Restart



Figure 19: Configuring the Admin group.


Configuration for the Guest group:
I do the same:



Figure 20: Configuring the Guest group


Step 3: Configure the router

center(config)# aaa new-model
center(config)# aaa authentication login default group tacacs+
center(config)# aaa authorization exec default group tacacs+
center(config)# aaa authorization commands 15 default group tacacs+
center(config)# tacacs-server host 10.0.0.254
center(config)# tacacs-server key 123456

Step 4: Check operation

On the PC, I open the command line and telnet to the router address 192.168.1.10:
Results for the Admin account:
As we see below, the result of the command erase startup-config is "authorization failed".


Figure 21: Login with an Admin group account


Guest account: 



Figure 22: Login by Guest account


The image above shows the Guest account can only use two commands as configured.