AAA configuration

Use the aaa new-model global configuration command to enable the AAA access control system. Use the no form of this command to disable AAA. By default, aaa new-model is not enabled.

NOTE:

After AAA is enabled, TACACS and extended TACACS commands are no longer available. If AAA functionality is initialized and a decision is made later to use TACACS or extended TACACS, issue the no version of this command and then enable the version of TACACS to be used.

Specify Authentication
To set AAA authentication, use the aaa authentication login global configuration command. The syntax of the aaa authentication login command is shown in the figure.

Specify Authorization
To set AAA authorization, use the aaa authorization auth-proxy global configuration command. The syntax of the aaa authorization auth-proxy command is shown in the figure.

Define a TACACS+ Server
To specify the IP address of a TACACS+ server, use the tacacs-server host global configuration command. Multiple tacacs-server host commands can be used to specify additional servers. The servers are used in the order in which they are specified. The syntax of the tacacs-server host command is shown in the figure.

To set the authentication encryption key used for all TACACS+ communications between the Cisco IOS Firewall router and the AAA server, use the tacacs-server key global configuration command. The syntax of the tacacs-server key command is shown in the figure.

Define a RADIUS Server
To specify the IP address of a RADIUS server, use the radius-server host global configuration command. Multiple radius-server host commands can be used to specify additional servers. The servers are used in the order in which they are specified. The syntax of the radius-server host command is shown in the figure.

To set the authentication encryption key used for all RADIUS communications between the Cisco IOS Firewall router and the AAA server, use the radius-server key global configuration command.

NOTE:

The key entered for either the tacacs-server key or the radius-server key command must match the key used on the AAA server. All leading spaces are ignored, but spaces within and at the end of the key are not. If spaces are used in the key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
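The commands above, assembled into one working configuration as an added example (not from this course page or the lab). The IP addresses, key values and the admin account are constructed placeholders; exec authorization is shown in place of auth-proxy because it matches the EXEC and VTY access the lab exercises, and the servers are listed with a local-database fallback so a lost AAA server cannot lock administrators out.

```cisco
! Added example configuration; addresses and secrets are constructed
! placeholders. Replace 10.1.1.10, 10.1.1.20, 10.1.1.30 and every <...> value.
!
! 1. Enable AAA (this removes the legacy TACACS / extended TACACS commands).
aaa new-model
!
! 2. Authentication: try the TACACS+ servers first, then the local database,
!    so administrators can still log in when every AAA server is unreachable.
aaa authentication login default group tacacs+ local
! Keep the console on the local database only, so console recovery never
! depends on a reachable server.
aaa authentication login CONSOLE local
!
! 3. Authorization for EXEC shell access, same server-then-local order.
aaa authorization exec default group tacacs+ local
!
! 4. TACACS+ servers are tried in the order listed. The shared key must match
!    the key on the AAA server; do not quote a key containing spaces unless
!    the quotes are part of the key.
tacacs-server host 10.1.1.10
tacacs-server host 10.1.1.20
tacacs-server key <replace-with-tacacs-shared-secret>
!
! 5. A RADIUS server with its own key (ports 1812/1813 are the IANA values).
radius-server host 10.1.1.30 auth-port 1812 acct-port 1813
radius-server key <replace-with-radius-shared-secret>
!
! 6. Local fallback account, used only when the servers do not answer.
username admin privilege 15 secret <replace-with-strong-password>
!
! 7. Apply the method lists to the console and VTY lines.
line console 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 authorization exec default
```

Newer IOS releases deprecate the tacacs-server host form in favour of named tacacs server blocks; the syntax shown here matches the commands this page documents. Verify the result with show aaa servers and a test login before disconnecting the console session.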

Lab Activity

Lab Exercise: Configure Local AAA on Cisco Router

In this lab, students will secure and test access to the EXEC mode, VTY lines, and the console. Students will configure local database authentication using AAA. Students will then verify and test the AAA configuration.

Interactive Media Activity

Demonstration Activity: Configuring AAA for Cisco Perimeter Routers

This activity describes how to configure a Cisco perimeter router to perform AAA using a local database.