12.2 Configuring AAA
12.2.2 AAA authentication commands

The aaa authentication command, entered in global configuration mode, is the base command for defining AAA authentication method lists. (AAA itself must already be enabled with the aaa new-model global configuration command; until it is, the aaa authentication keywords are not available.) Use keywords to configure specific authentication methods, such as the following:

  • aaa authentication arap

  • aaa authentication enable default

  • aaa authentication local-override

  • aaa authentication login

  • aaa authentication nasi

  • aaa authentication password-prompt

  • aaa authentication ppp

  • aaa authentication username-prompt

The following are some frequent command combinations used for authentication.

aaa authentication login Command
You can configure AAA authentication for users wishing to access the EXEC prompt. The global configuration command aaa authentication login is used for AAA authentication in this case (Table covers this command):

Router(config)#aaa authentication login {default | list-name} method1 [...[method4]]

The console is the one exception to the deny-by-default rule below: if no default list is set, login on the console succeeds without any authentication check. To create a default list that is used by any line to which no named list has been assigned, use the aaa authentication login command with the default keyword, followed by the methods you want tried in that default situation.

The additional methods of authentication are tried only if the previous method returns an error (for example, no TACACS+ server could be reached), not if it fails (a server was reached and rejected the credentials). To ensure that the user is granted access even if all methods return an error, specify none as the final method in the command line. Be aware of what that means: a list ending in none fails open, so anyone who can cut the router off from its AAA servers can log in without credentials. A local fallback account (the local method) is the usual alternative.

If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. The keywords for the aaa authentication login methods are covered in Table .

For example, the following creates an AAA authentication list called MIS-access. This authentication first tries to contact a TACACS+ server. If no server responds, TACACS+ returns an error and AAA tries the enable password. If this attempt also returns an error (because no enable password or enable secret is configured on the router), the user is allowed access with no authentication:

Router(config)#aaa authentication login MIS-access tacacs+ enable none

aaa authentication enable default Command
You can configure AAA authentication to determine whether a user can access the privileged command level. The aaa authentication enable default global configuration command is used for AAA authentication in this case:

Router(config)#aaa authentication enable default method1 [...[method4]]

If a default authentication routine is not set for a function, the default is none and no authentication is performed.

On the console, the enable password is used if it exists. If no password is set, the process will succeed anyway. The keywords for the aaa authentication enable default methods are covered in Table . This command is used with TACACS+, but it cannot be used with TACACS or extended TACACS.

For example, the following creates an authentication list that first tries to contact a TACACS+ server. If no server can be reached, AAA tries the enable password. If this attempt also returns an error (because no enable password or enable secret is configured on the router), the user is allowed privileged access with no authentication.

Router(config)#aaa authentication enable default tacacs+ enable none
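Both lists above end in none, so an unreachable TACACS+ server leaves the router open. The following configuration is added here as an example (it is not taken from the page) and places the fail-open lists beside fail-closed replacements that fall back to a local account instead. The server address, shared key, account names and passwords are placeholders.

```cisco
! Added example: fail-open versus fail-closed login/enable method lists.
! 10.1.1.5, the key, the usernames and the secrets are placeholders.
aaa new-model
tacacs-server host 10.1.1.5 key ExampleKey123

! Weak (as shown on the page): when no TACACS+ server answers, "enable"
! is tried; if no enable password/secret exists that is an error too,
! and "none" then admits anyone. A rejection from a reachable server is
! a failure, not an error, and does NOT fall through to the next method.
aaa authentication login MIS-access tacacs+ enable none
aaa authentication enable default tacacs+ enable none

! Hardened: a local emergency account and an enable secret are the last
! resort and "none" appears nowhere, so a server outage never grants
! unauthenticated access. Re-entering "enable default" replaces the
! weak line above; the login list gets a new name so both can coexist.
username admin-fallback privilege 15 secret Str0ngFallbackPass!
enable secret Str0ngEnableSecret!
aaa authentication login MIS-closed tacacs+ local
aaa authentication enable default tacacs+ enable

! A method list does nothing until a line refers to it.
line vty 0 4
 login authentication MIS-closed
```

Keep the fallback account's secret offline and alert on its use in the TACACS+ accounting or syslog stream: it should only ever appear in logs during a server outage.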

aaa authentication ppp Command
You can configure AAA authentication to specify one or more AAA authentication methods for use on serial interfaces running the Point-to-Point Protocol (PPP); TACACS+ is one of the methods available:

Router(config)#aaa authentication ppp {default | list-name} method1 [...[method4]]

Again, the additional methods of authentication are used only if the previous method returns an error, not if it fails. Remember to specify none as the final method in the command line to have authentication succeed, even if all methods return an error. Table covers the keywords for the aaa authentication ppp methods.

The following example creates an AAA authentication list called MIS-access for serial lines that use PPP. This authentication first tries to contact a TACACS+ server. If this action returns an error, the user is allowed access with no authentication:

Router(config)#aaa authentication ppp MIS-access tacacs+ none
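A PPP method list is only consulted once an interface names it. The following configuration is an added example, not part of the page, showing the list bound to a serial interface with CHAP, with a local account as the fallback instead of none. Address, key, account and password are placeholders.

```cisco
! Added example: PPP method list applied to a serial interface.
! Server address, key, username and password are placeholders.
aaa new-model
tacacs-server host 10.1.1.5 key ExampleKey123

! "local" instead of "none": a server outage falls back to the local
! database rather than admitting unauthenticated callers.
aaa authentication ppp MIS-access tacacs+ local

! CHAP needs the cleartext password to compute its response, so the
! fallback account must use "password", not the hashed "secret".
username dialin-backup password 0 BackupPass123

interface Serial0/0
 encapsulation ppp
 ! Name the list here; without this the "default" PPP list applies.
 ppp authentication chap MIS-access
```

Because the CHAP fallback password is stored reversibly, turn on service password-encryption and restrict who can view the running configuration.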

The aaa authentication local-override Command
You can configure the router with the aaa authentication local-override global configuration command so that the user is always prompted for a username. The system then checks whether the entered username corresponds to a local account. If it does not, login proceeds with the methods configured by the other AAA commands (such as aaa authentication login). Later IOS releases drop this command; listing local as the first method in the method list gives the same effect.

Lab Activity    
  The Denver office needs to control who logs in to their router and who dials in for remote access. In this lab, you will set up AAA authentication on this router and test each user account.

Character Mode (per-line) Authentication Example
The aaa authentication login command is used to create a list that can be applied to configure character-mode authentication. In the example, a list called Callers is created and applied to the console (line con 0) and to 48 tty lines (line 1 48). A separate list is created to serve as the default.

The login authentication command is a line configuration command used with AAA to specify the name of the list of AAA authentication methods to try at login on that line. If no list name is given on a line, the default list is used, whether or not login authentication default is explicitly entered on that line.

Note that because line vty 0 4 does not specify any login authentication command, the default method is used. Table explains the preceding commands.
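The example configuration referred to above is not reproduced on the page. The following is an added reconstruction of the setup it describes, not the page's own example: the methods chosen for each list, the server address, key and local account are assumptions.

```cisco
! Added example: character-mode (per-line) authentication.
! Method choices, 10.1.1.5, the key and the local account are assumed.
aaa new-model
tacacs-server host 10.1.1.5 key ExampleKey123
username localadmin privilege 15 secret Str0ngLocalPass!

! Default list: used by every line that names no list of its own.
! A single method means a server outage fails closed on those lines.
aaa authentication login default tacacs+

! "Callers" list for the console and the async tty lines: the local
! account is kept as a fallback so the console stays reachable when
! the TACACS+ server is down.
aaa authentication login Callers tacacs+ local

line con 0
 login authentication Callers

line 1 48
 login authentication Callers

! No login authentication command here, so the default list applies.
line vty 0 4
 transport input ssh
```

Verify the result with show aaa method-lists authentication (where supported) and by opening a session on each line type with the TACACS+ server both reachable and unreachable; the console should still accept localadmin, the vty lines should refuse everyone during the outage.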