Use the aaa new-model global configuration command to enable the AAA access control system. Use the no form of this command to disable AAA. By default, aaa new-model is not enabled.
NOTE:
After AAA is enabled, TACACS and extended TACACS commands are no longer available. If AAA functionality is initialized and a decision is made later to use TACACS or extended TACACS, issue the no form of this command (no aaa new-model) and then enable the version of TACACS to be used.

Specify Authentication
To set AAA authentication, use the aaa authentication login global configuration command. The syntax of the aaa authentication login command is shown in the figure.

Specify Authorization
To set AAA authorization, use the aaa authorization auth-proxy global configuration command. The syntax of the aaa authorization auth-proxy command is shown in the figure.

Define a TACACS+ Server
To specify the IP address of a TACACS+ server, use the tacacs-server host global configuration command. Multiple tacacs-server host commands can be used to specify additional servers. The servers are used in the order in which they are specified. The syntax of the tacacs-server host command is shown in the figure.
To set the authentication encryption key used for all TACACS+ communications between the Cisco IOS Firewall router and the AAA server, use the tacacs-server key global configuration command. The syntax of the tacacs-server key command is shown in the figure.

Define a RADIUS Server
To specify the IP address of a RADIUS server, use the radius-server host global configuration command. Multiple radius-server host commands can be used to specify additional servers. The servers are used in the order in which they are specified. The syntax of the radius-server host command is shown in the figure.
To set the authentication encryption key used for all RADIUS communications between the Cisco IOS Firewall router and the AAA server, use the radius-server key global configuration command.
NOTE:
The key entered for either the tacacs-server key or the radius-server key command must match the key used on the AAA server. All leading spaces are ignored, but spaces within and at the end of the key are not. If spaces are used in the key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
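
The whitespace and quotation-mark rules in the NOTE above, as an added Python check that is not part of the original course text: it reads candidate tacacs-server key and radius-server key lines, derives the key as the NOTE describes, compares it with the key set on the AAA server, and lists the servers in the order they will be used. The sample lines, the 192.0.2.x addresses, the placeholder keys and the function names are constructed for illustration, and keys are assumed to be entered in plaintext.

```python
import re

KEY_RE = re.compile(r"^(tacacs|radius)-server key (.*)$")
HOST_RE = re.compile(r"^(tacacs|radius)-server host\s+(\S+)")

def effective_key(line):
    """Key as the NOTE describes it: leading spaces are ignored; spaces
    inside or at the end, and any quotation marks, belong to the key."""
    m = KEY_RE.match(line.lstrip(" "))
    return (m.group(1), m.group(2).lstrip(" ")) if m else None

def audit(config, server_keys):
    """server_keys maps 'tacacs'/'radius' to the key set on the AAA server."""
    report = {"aaa_enabled": False,
              "servers": {"tacacs": [], "radius": []}, "findings": []}
    for line in config.split("\n"):  # split, not strip: trailing spaces matter
        if line.strip() in ("aaa new-model", "no aaa new-model"):
            report["aaa_enabled"] = not line.strip().startswith("no ")
        host = HOST_RE.match(line.lstrip(" "))
        if host:  # list order is the order in which the servers are used
            report["servers"][host.group(1)].append(host.group(2))
        parsed = effective_key(line)
        if not parsed or parsed[1] == server_keys.get(parsed[0]):
            continue
        proto, key = parsed
        want = server_keys.get(proto)
        if key.rstrip(" ") == want:
            why = "trailing space is part of the key"
        elif key[:1] == key[-1:] == '"' and key[1:-1] == want:
            why = "quotation marks are part of the key"
        else:
            why = "key differs from the AAA server"
        report["findings"].append((proto, why))
    return report

# Constructed candidate lines (documentation addresses, placeholder keys).
SAMPLE = "\n".join([
    "aaa new-model",
    "tacacs-server host 192.0.2.10",
    "tacacs-server host 192.0.2.11",
    "tacacs-server key    placeholder key ",
    "radius-server host 192.0.2.20",
    'radius-server key "placeholder-radius"',
])
SERVER_KEYS = {"tacacs": "placeholder key", "radius": "placeholder-radius"}

if __name__ == "__main__":
    print(audit(SAMPLE, SERVER_KEYS))
```

Both sample keys are reported as mismatches: the first carries a trailing space, the second is wrapped in quotation marks that the server-side key does not contain.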

In this lab, students will secure and test access to the EXEC mode, VTY lines, and the console. Students will configure local database authentication using AAA. Students will then verify and test the AAA configuration.