The aaa authentication command, in global configuration mode, is the basic command to enable the AAA authentication process. Use keywords to configure specific authentication methods, such as the following:
- aaa authentication arap
- aaa authentication enable default
- aaa authentication local-override
- aaa authentication login
- aaa authentication nasi
- aaa authentication password-prompt
- aaa authentication ppp
- aaa authentication username-prompt
The following are some frequent command combinations used for authentication.

The aaa authentication login Command

You can configure AAA authentication for users wishing to access the EXEC prompt. The global configuration command, aaa authentication login, is used for AAA authentication in this case (Table covers this command):
Router(config)#aaa authentication login {default | list-name} method1 [...[method4]]
On the console, login will succeed without any authentication checks if a default is not set. To create a default list that is used if no list is assigned to a line, use the aaa authentication login command with the default argument, followed by the methods you want to use in default situations. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the user is granted access even if all methods return an error, specify none as the final method in the command line.

If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. The keywords for the aaa authentication login methods are covered in Table .

For example, the following creates an AAA authentication list called MIS-access. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication:
Router(config)#aaa authentication login MIS-access tacacs+ enable none
The aaa authentication enable default Command
You can configure AAA authentication to determine whether a user can access the privileged command level. The aaa authentication enable default global configuration command is used for AAA authentication in this case:
Router(config)#aaa authentication enable default method1 [...[method4]]
If a default authentication routine is not set for a function, the default is none and no authentication is performed. On the console, the enable password is used if it exists. If no password is set, the process will succeed anyway. The keywords for the aaa authentication enable default methods are covered in Table . This command is used with TACACS+, but it cannot be used with TACACS or extended TACACS.

For example, the following creates an authentication list that first tries to contact a TACACS+ server. If no server can be found, AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication:
Router(config)#aaa authentication enable default tacacs+ enable none
The aaa authentication ppp Command
You can configure AAA authentication to specify one or more AAA authentication methods for use on serial interfaces running Point-to-Point Protocol (PPP) and TACACS+:
Router(config)#aaa authentication ppp {default | list-name} method1 [...[method4]]
Again, the additional methods of authentication are used only if the previous method returns an error, not if it fails. Remember to specify none as the final method in the command line to have authentication succeed even if all methods return an error. Table covers the keywords for the aaa authentication ppp methods.
The following example creates an AAA authentication list called MIS-access for serial lines that use PPP. This authentication first tries to contact a TACACS+ server. If this action returns an error, the user is allowed access with no authentication:
Router(config)#aaa authentication ppp MIS-access tacacs+ none
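The login, enable and PPP lists described in the three sections above, collected into one configuration excerpt. This is an added example, not a configuration from the original text: the server address, shared key, local username, interface name (Serial0) and all secrets are assumed placeholder values, and the method keywords follow the text (tacacs+, enable, none) even though current IOS writes the server method as group tacacs+. Part A reproduces the lists as the text gives them; part B is the alternative a defender would normally prefer, in which a local account rather than none is the last resort, so that an unreachable TACACS+ server degrades to local authentication instead of to no authentication at all.

```cisco
! Added example (not from the text). Placeholders are marked as such.
! Enable the AAA subsystem; required before any aaa authentication command.
aaa new-model
!
! Assumed TACACS+ server address and shared key (placeholders)
tacacs-server host 192.0.2.10
tacacs-server key TACACS-KEY-PLACEHOLDER
!
! ===== A: the lists exactly as the text gives them =====
! Evaluation rule: a later method is consulted only when the earlier one
! returns an ERROR (server unreachable, password not configured). A FAIL
! (wrong credentials) ends the search, so "none" is reached only on errors.
aaa authentication login MIS-access tacacs+ enable none
aaa authentication enable default tacacs+ enable none
aaa authentication ppp MIS-access tacacs+ none
!
! Bind the named lists to the lines and interface that use them.
! The enable list is always "default" and needs no binding.
line vty 0 4
 login authentication MIS-access
!
! Assumed serial interface name
interface Serial0
 encapsulation ppp
 ppp authentication chap MIS-access
!
! ===== B: hardened alternative (replaces the three lists in A) =====
! With a local account and an enable secret present, an ERROR from the
! TACACS+ server falls through to a local check rather than to "none".
! The line and interface bindings above are unchanged because the list
! names are the same.
username admin privilege 15 secret ADMIN-SECRET-PLACEHOLDER
enable secret ENABLE-SECRET-PLACEHOLDER
aaa authentication login MIS-access tacacs+ local
aaa authentication enable default tacacs+ enable
aaa authentication ppp MIS-access tacacs+ local
```

After either part is applied, show running-config | include aaa lists the active method lists, and debug aaa authentication reports which method in a list answered each attempt, which is the quickest way to confirm that a list is falling through on ERROR rather than on FAIL.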
The aaa authentication local-override Command
You can configure the router with the aaa authentication local-override global configuration command, so the user is always prompted for the username. The system then checks to see whether the entered username corresponds to a local account. If the username does not correspond to one in the local database, login proceeds with the methods configured with other AAA commands (such as aaa authentication login).
Lab Activity

The Denver office needs to control who logs in to their router and dials in for remote access. In this lab, you will set up AAA authentication on this router and test each user account.
Character Mode (per-line) Authentication Example

The aaa authentication login command is used to create a list which can be applied to configure character-mode authentication. In the example, a list called Callers is created and applied to the console (con 0) and 48 tty lines (line 1 48). A separate list is created to be used as the default.

The login authentication command is a per-line command that is used with AAA to specify the name of a list of AAA authentication methods to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line).

Note that because line vty 0 4 does not specify any login authentication command, the default method is used. Table explains the preceding commands.
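The per-line configuration this section describes, written out as an added example that is not the original text's figure. The page names the lists (Callers and a default list) and the lines they are applied to; the method order inside each list, the local username and the TACACS+ server details are assumptions made for this example.

```cisco
! Added example (not the text's own figure); placeholders marked as such.
aaa new-model
!
! Assumed TACACS+ server address and shared key (placeholders)
tacacs-server host 192.0.2.10
tacacs-server key TACACS-KEY-PLACEHOLDER
!
! Assumed local account, used as the fallback by both lists
username netadmin privilege 15 secret NETADMIN-SECRET-PLACEHOLDER
!
! Default list: applied automatically to any line that carries no
! login authentication command (the vty lines below).
! Method order is an assumption for this example.
aaa authentication login default tacacs+ local
!
! Named list Callers, applied explicitly to the console and the 48 TTYs
aaa authentication login Callers tacacs+ local
!
line con 0
 login authentication Callers
!
line 1 48
 login authentication Callers
!
! No login authentication command under vty 0 4, so the default list
! is used for these lines.
line vty 0 4
```

Because both lists end in local rather than none, a TACACS+ outage leaves every line protected by the local account; if the text's MIS-access style of list (ending in none) were used as the default here, an outage would open the vty lines as well as the console.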