Globally Enable AAA
The first steps in configuring the router are
to enable TACACS+, specify the list of Cisco Secure ACS servers that will
provide AAA services for the router, and configure the encryption key that is
used to encrypt the data transfer between the router and the Cisco Secure ACS
server.
Entering the aaa new-model command immediately switches every line on the router to AAA, overriding every other authentication method previously configured for the router lines.
If an administrative Telnet or console session is lost while enabling AAA on a Cisco router, and the default login method list provides no fallback (no enable method, or no enable password or secret behind it), the administrator may be locked out of the router.
NOTE: When using the Cisco IOS aaa new-model command, always provide for an enable password login method. This guards against the risk of being locked out of the router should the administrative session fail while enabling AAA, or if the TACACS+ server becomes unavailable.
At a minimum the following commands should be entered in the order shown:
Router(config)#aaa new-model
Router(config)#aaa authentication login default group tacacs+ enable
Specifying the enable authentication method lets the administrator re-establish a Telnet or console session and use the enable password (or enable secret, which must already be configured) to access the router. The router falls through to the enable method only when every TACACS+ server fails to respond; a server that answers and rejects the login does not fall through to enable. If no fallback is configured and the administrator is locked out of the router, physical access to the router is required, with a minimum of having to perform a password recovery sequence. At worst, the entire configuration saved in NVRAM can be lost.
TACACS+ Configuration Commands
To begin global configuration, enter the commands shown in Figure , using the correct IP addresses of the Cisco Secure ACS servers and your own encryption key. In the example shown in Figure , the 2bor!2b@? global key is the encryption key shared between the router and the two Cisco Secure ACS servers. The key must be kept secret to protect the passwords that are sent between the Cisco Secure ACS servers and the router during authentication: TACACS+ hides the packet body only with a keystream derived from MD5 over the shared key and per-session fields, so anyone who learns or guesses the key can recover every password exchanged. Choose a long random key and keep the router-to-ACS traffic on a protected management network.
The tacacs-server key command sets one global key that is used for every TACACS+ server that has no key of its own. Multiple Cisco Secure ACS servers can be specified, each with its own key (a per-host key overrides the global one), by using a tacacs-server host command for each server as follows:
router(config)# tacacs-server host 10.1.2.4 key keyforTACACS1
router(config)# tacacs-server host 10.1.2.5 key keyforTACACS2
AAA Configuration Commands
After enabling AAA globally on the access server, define the authentication method lists and apply them to lines and interfaces. Each method list is a security profile that names the service it applies to (login, or a dial-in protocol such as PPP) and the ordered set of authentication methods the router tries for that service.
To define an authentication method list using the aaa authentication command, complete the following steps:
Step 1 Specify the dial-in protocol, such as ARAP, PPP, or NetWare Access Server Interface (NASI), or login authentication.
Step 2 Identify a list name or default. A list name can be any alphanumeric string. Different authentication methods can be assigned to different named lists. Only one dial-in protocol can be specified per authentication method list, but several lists can be created for each protocol; each list must have a different name.
Step 3 Specify the authentication method, such as TACACS+, followed by local in case a TACACS+ server is not available on the network. Up to four methods can be specified. The router tries them in the order listed and moves to the next method only when the current one returns an error (for example, no TACACS+ server responds); a method that answers with a reject ends the attempt.
After defining these authentication method lists, apply them to one of the following:
- Lines – tty lines or the console port for login authentication, and asynchronous lines, in most cases, for ARA
- Interfaces – synchronous or asynchronous interfaces configured for PPP
Use the aaa authentication command in global configuration mode to enable AAA authentication processes. The syntax for the aaa authentication login command is shown in Figure .
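The following configuration is an added example, not a listing from the original chapter or from Cisco, and pulls together the lockout guard from "Globally Enable AAA", the per-host keys from "TACACS+ Configuration Commands" and the method-list steps above into one ordered bootstrap. The server addresses and key strings are the ones used earlier on this page; the secrets in angle brackets, the list name dialin, the Loopback0 source interface and the Serial0/0 PPP interface are placeholders chosen for the example.

```cisco
! Added example (not from the original chapter). Placeholders in <...>,
! the list name "dialin", Loopback0 and Serial0/0 are assumptions.
!
! 1. A local privileged secret must exist BEFORE the AAA model is switched
!    on; otherwise the "enable" fallback method has nothing to fall back to.
enable secret <strong-enable-secret>
username admin privilege 15 secret <strong-local-password>
!
! 2. Switch the router to the AAA model. From this point every line uses
!    the default method lists, so define them in the same sitting.
aaa new-model
!
! Weak: TACACS+ only. If no server answers, nobody can log in.
!   aaa authentication login default group tacacs+
! Corrected: fall back to the enable secret when no server responds.
! (The fallback is used only on server error, not on a server reject.)
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
!
! 3. TACACS+ servers. A per-host key overrides any global tacacs-server key.
tacacs-server host 10.1.2.4 key keyforTACACS1
tacacs-server host 10.1.2.5 key keyforTACACS2
tacacs-server timeout 5
ip tacacs source-interface Loopback0
!
! 4. Named list for dial-in PPP (Step 1: ppp, Step 2: dialin,
!    Step 3: tacacs+ then local usernames if no server responds).
aaa authentication ppp dialin group tacacs+ local
!
! 5. Apply the lists: login lists to lines, the PPP list to the interface.
line con 0
 login authentication default
line vty 0 4
 login authentication default
!
interface Serial0/0
 encapsulation ppp
 ppp authentication chap dialin
```

Enter the commands from a console session where possible, and before closing that session open a second Telnet session and confirm it authenticates through TACACS+ (show tacacs reports the server state); only then log out of the first session and save the configuration.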