The AAA security services facilitate a variety of login
authentication methods. Use the aaa authentication login
command to enable AAA authentication regardless of which supported login
authentication method is in use. With the aaa authentication
login command, you can create one or more lists of
authentication methods that are tried at login. These lists are applied with
the login authentication line configuration command.
The list-name is a character string used to name the list being created. The
method argument refers to the actual method the authentication algorithm tries.
Additional methods of authentication are tried only if the previous method
returns an error, not if it fails.
For example, to specify RADIUS as the
default method for user authentication during login, enter the following
command:
aaa authentication login default group radius
Cisco IOS supports these authentication
methods: enable, krb5, krb5-telnet, line, local, local-case, none, group
radius, group tacacs+.
Specific commands for configuring authentication
are covered later in this lesson.
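The fallback rule described above, modeled as an added Python example (not from the original lesson and not Cisco code): a later method in the list is consulted only when the previous one returns an error. The outcome values, the sample configuration, the list name MGMT, and the deny result when every method errors are assumptions made for illustration.

```python
from enum import Enum

class Outcome(Enum):
    PASS = "pass"    # method accepted the login
    FAIL = "fail"    # method rejected the login
    ERROR = "error"  # method could not give an answer

def parse_method_lists(config):
    """Return {list-name: [methods]} from 'aaa authentication login' lines."""
    lists = {}
    for line in config.splitlines():
        words = line.split()
        if words[:3] != ["aaa", "authentication", "login"] or len(words) < 5:
            continue
        rest, methods, i = words[4:], [], 0
        while i < len(rest):
            # 'group radius' and 'group tacacs+' are two-word methods
            step = 2 if rest[i] == "group" and i + 1 < len(rest) else 1
            methods.append(" ".join(rest[i:i + step]))
            i += step
        lists[words[3]] = methods
    return lists

def evaluate(methods, outcomes):
    """Walk a method list; return (decision, method that decided it)."""
    for method in methods:
        # 'none' requires no authentication, so it always passes
        result = Outcome.PASS if method == "none" else outcomes[method]
        if result is not Outcome.ERROR:
            return result, method  # PASS or FAIL ends the walk
    return Outcome.FAIL, None      # assumption: every method errored, so deny

# Constructed sample configuration; the list name MGMT is hypothetical.
SAMPLE = """\
aaa authentication login default group radius local
aaa authentication login MGMT group radius none
"""
LISTS = parse_method_lists(SAMPLE)

if __name__ == "__main__":
    rejected = {"group radius": Outcome.FAIL, "local": Outcome.PASS}
    no_answer = {"group radius": Outcome.ERROR, "local": Outcome.PASS}
    for name, methods in LISTS.items():
        for label, outcomes in (("rejected", rejected), ("error", no_answer)):
            decision, by = evaluate(methods, outcomes)
            print(f"{name:8} radius {label:8} -> {decision.value} (by {by})")
```

A list that ends in none passes the login whenever the earlier methods return an error, so such lists deserve attention when reviewing a configuration.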
About Authorization Methods
AAA authorization enables the limitation of the services
available to a user. When AAA authorization is enabled, the network access
server uses information retrieved from the profile of the user, which is
located either in the local user database or on the security server, to
configure the session of the user. Once this is done, the user will be granted
access to a requested service only if the information in the user profile
allows it.
Cisco IOS AAA supports five different methods of
authorization: TACACS+, If-Authenticated, None, Local, and RADIUS.
The commands and sequence used to configure authorization are covered later in
the lesson.