Implementing Authentication, Authorization, and Accounting – AAA
Authentication and authorization methods

The AAA security services facilitate a variety of login authentication methods. Use the aaa authentication login command to enable AAA authentication no matter which of the supported login authentication methods are in use. With the aaa authentication login command, it is possible to create one or more lists of authentication methods that are tried at login. These lists are applied using the login authentication line configuration command.

The list-name is a character string used to name the list being created. The method argument refers to the actual method the authentication algorithm tries. Additional authentication methods are tried only if the previous method returns an error (for example, the security server does not respond), not if it fails (the server rejects the credentials).

For example, to specify RADIUS as the default method for user authentication during login, enter the following command:

aaa authentication login default group radius

Cisco IOS supports these authentication methods: enable, krb5, krb5-telnet, line, local, local-case, none, group radius, group tacacs+.
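The following configuration is an added example, not part of the original lesson. It shows how the error-versus-fail rule interacts with the none method, with a weak method list beside a corrected one. The list names VTY-AUTH and CON-AUTH, the server name RAD1, the address, and the secrets are hypothetical placeholders.

```cisco
! Constructed example: names, address and secrets are placeholders.
aaa new-model
!
! Local account used only when the RADIUS servers cannot be reached.
username fallback-admin secret <LOCAL-SECRET-PLACEHOLDER>
!
radius server RAD1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-KEY-PLACEHOLDER>
!
! Weak: if RADIUS returns an error (no reply), the next method is "none",
! so the login succeeds without any authentication.
! aaa authentication login VTY-AUTH group radius none
!
! Corrected: a RADIUS error falls through to the local user database.
! A RADIUS reject is a fail, not an error, so "local" is not tried then.
aaa authentication login VTY-AUTH group radius local
!
! Console list that does not depend on the network at all.
aaa authentication login CON-AUTH local
!
! Named method lists take effect only on the lines they are applied to.
line vty 0 4
 login authentication VTY-AUTH
line con 0
 login authentication CON-AUTH
```

When reviewing a running configuration, any login method list that ends in none deserves attention, because an unreachable security server then results in unauthenticated access.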

Specific commands for configuring authentication are covered later in this lesson.

About Authorization Methods
AAA authorization enables the limitation of the services available to a user. When AAA authorization is enabled, the network access server uses information retrieved from the profile of the user, which is located either in the local user database or on the security server, to configure the session of the user. Once this is done, the user will be granted access to a requested service only if the information in the user profile allows it.

Cisco IOS AAA supports five different methods of authorization: TACACS+, If-Authenticated, None, Local, and RADIUS.

The commands and sequence used to configure authorization are covered later in the lesson.