Securing the Corporate Network

Chapter Description

This sample chapter from Cisco Secure Internet Security Solutions explains how dial-in users can be authenticated using the local database. As an example, the chapter includes a basic AAA configuration. Next, the chapter takes an in-depth look at the AAA authentication process using a TACACS+ server. Finally, the chapter explores how IPSec can be used to secure VPNs coming into the network through the Internet.

Using All AAA Services Simultaneously

It is possible, and often desirable, to run authentication, authorization, and accounting on a router at the same time. This is easier than it sounds. The following configuration combines all three parts of AAA using exactly the examples from the previous sections; all the administrator has to do is enter the appropriate configuration lines together. Global commands such as aaa new-model only need to be entered once:

aaa new-model
!Enable the AAA method-list model; entered once, it applies to every service

tacacs-server host 172.30.1.50
!The TACACS+ server is at 172.30.1.50

tacacs-server key mysecretkey
!Shared secret used to encrypt the body of every TACACS+ packet between the
!router and the server; it must match the key configured on the server

aaa authentication login default tacacs+
!Set the default authentication to TACACS+ (later IOS releases write this
!as group tacacs+). With no second method listed, logins on lines that use
!the default list fail whenever the server is unreachable

aaa authentication ppp branch-office-users tacacs+ local
!Sets authentication for PPP to use TACACS+ first and fall back to the
!local user database only if the server does not respond; a reject from
!the server is final and the next method is not tried. local is the IOS
!keyword for the local database

aaa authentication login administrative none
!A list that performs no authentication, kept as a lockout safety net for
!the console; acceptable only on a line that is physically secured

aaa accounting exec start-stop tacacs+
!Send a start record when an EXEC (shell) session opens and a stop record
!when it closes; this records sessions, not individual commands

interface serial 2
!Go to the interface

ppp authentication chap pap if-needed branch-office-users callin
!Enable PPP authentication on S2 using the branch-office-users list; try
!CHAP, then PAP; if-needed skips it for users already authenticated at
!login, and callin authenticates only incoming calls

exit
!Return to global configuration mode

aaa authorization network tacacs+
!Ask the TACACS+ server to authorize network services (PPP and similar
!connections) and return any per-user attributes

line con 0
login authentication administrative
!Apply the administrative list so the administrator can always get into
!the console, even while the TACACS+ server is down
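Combining the three parts of AAA makes it easy to end up with a method list that has no fallback, a no-authentication list applied to the wrong line, or an interface referencing a list that was never defined. The script below is an added example, not from the chapter and not a Cisco tool: it parses the handful of commands the combined configuration uses and reports those pitfalls. Both embedded configurations are constructed for the example; the first is the chapter's configuration with the PPP fallback written as the IOS keyword local, the second is a deliberately weaker variant.

```python
"""Audit an IOS-style AAA configuration for fallback and lockout pitfalls.
Added example, not from the Cisco Press chapter and not a Cisco tool; the
parser only knows the commands the chapter uses, and both sample
configurations below are constructed for this example."""
import re

# Methods that work without a reachable AAA server: a list containing one of
# them still admits users while the TACACS+ server is down.
OFFLINE_METHODS = {"local", "local-case", "enable", "line"}
PPP_PROTOCOLS = {"chap", "pap", "ms-chap", "ms-chap-v2", "eap"}
PPP_FLAGS = {"if-needed", "callin", "one-time"}
AUTH_RE = re.compile(r"^aaa authentication (login|ppp) (\S+) (.+)$")

# Constructed sample 1: the chapter's combined configuration, with the PPP
# fallback written as "local" (the IOS keyword for the local user database).
GOOD_CONFIG = """\
aaa new-model
tacacs-server host 172.30.1.50
tacacs-server key mysecretkey
aaa authentication login default tacacs+
aaa authentication ppp branch-office-users tacacs+ local
aaa authentication login administrative none
aaa accounting exec start-stop tacacs+
interface serial 2
 ppp authentication chap pap if-needed branch-office-users callin
exit
aaa authorization network tacacs+
line con 0
 login authentication administrative
"""
# Constructed sample 2: no server key, no accounting, the no-authentication
# list applied to the VTY lines, and an interface using an undefined list.
BAD_CONFIG = """\
aaa new-model
tacacs-server host 172.30.1.50
aaa authentication login default tacacs+
aaa authentication login administrative none
interface serial 2
 ppp authentication chap remote-users
line vty 0 4
 login authentication administrative
"""


def parse_aaa(config):
    """Collect method lists, where each is applied, and global AAA state."""
    lists, applied, context = {}, [], "global"
    state = {"key": False, "accounting": False}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = AUTH_RE.match(line)
        if m:                       # (service, list name) -> methods in order
            lists[(m.group(1), m.group(2))] = m.group(3).split()
        elif line.startswith("tacacs-server key "):
            state["key"] = True
        elif line.startswith("aaa accounting "):
            state["accounting"] = True
        elif line.startswith(("interface ", "line ")):
            context = line          # sub-mode the following commands apply to
        elif line == "exit":
            context = "global"
        elif line.startswith("login authentication "):
            applied.append((context, "login", line.split()[2]))
        elif line.startswith("ppp authentication "):
            # ppp authentication <protocols> [if-needed] [list] [callin] [one-time]
            rest = [w for w in line.split()[2:]
                    if w not in PPP_PROTOCOLS and w not in PPP_FLAGS]
            applied.append((context, "ppp", rest[0] if rest else "default"))
    return lists, applied, state


def audit_aaa(config):
    """Return (severity, message) findings for an IOS AAA configuration."""
    lists, applied, state = parse_aaa(config)
    out = []
    if not state["key"]:
        out.append(("HIGH", "no tacacs-server key: TACACS+ packets are sent unencrypted"))
    if not state["accounting"]:
        out.append(("MEDIUM", "no aaa accounting: sessions are not recorded on the server"))
    for (service, name), methods in lists.items():
        if "none" not in methods and not OFFLINE_METHODS & set(methods):
            out.append(("HIGH", f"{service} list '{name}' has no local fallback: "
                                "logins fail while the TACACS+ server is unreachable"))
    for context, service, name in applied:
        methods = lists.get((service, name))
        if methods is None:
            if name != "default":   # IOS supplies a built-in default list
                out.append(("MEDIUM", f"{context}: {service} list '{name}' is "
                                      "referenced but never defined"))
        elif "none" in methods and context.startswith("line con"):
            out.append(("INFO", f"{context}: list '{name}' skips authentication; "
                                "acceptable only if the console is physically secured"))
        elif "none" in methods:
            out.append(("HIGH", f"{context}: list '{name}' skips authentication"))
    return out
```

Run audit_aaa on the chapter's configuration and it reports exactly two things: the default login list has no local fallback (a real lockout risk for vty logins when the server is down), and the console uses a no-authentication list, which is the intended safety net. The weaker variant adds the missing server key, the missing accounting, the undefined remote-users list on serial 2, and the no-authentication list exposed on the VTY lines.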