Administrative and remote LAN network access to routers and network access servers can be secured using AAA. To configure AAA authentication, perform the following steps:
Step 1 Activate AAA by using the aaa new-model command.
Step 2 Create a list name or use default. A list name is alphanumeric and can have one to four authentication methods.
Step 3 Specify the authentication method lists for the aaa authentication command. You may specify up to four.
Step 4 Apply the method list to an interface (for example, sync, async, and virtual-configured PPP, SLIP, and NASI) or to lines (for example, vty, tty, console, aux, and async lines).
There are several aaa authentication commands available in Cisco IOS Software Release 12.2, including the following:
■ aaa authentication arap
■ aaa authentication login
■ aaa authentication ppp
■ aaa authentication enable
■ aaa authentication banner
■ aaa authentication username-prompt
■ aaa authentication fail-message
■ aaa authentication nasi
The following sections discuss these three aaa authentication commands:
■ aaa authentication login
■ aaa authentication ppp
■ aaa authentication enable
Configuring Login Authentication Using AAA
Multiple login authentication methods are available in the AAA security services. The aaa authentication login command is used to enable AAA authentication. With this command, you create one or more lists of authentication methods that are tried at login. These lists are then applied to the interfaces or lines you are interested in. The following steps describe how to apply the aaa authentication login command.
Step 1 Enable AAA.
Router(config)# aaa new-model
Step 2 Create a local authentication list.
Router(config)# aaa authentication login {default | list-name} method1 [method2...]
Step 3 Apply the authentication list to a line or set of lines.
Router(config-line)# login authentication {default | list-name}
The list-name argument can be any name that you give to describe the list. The method argument is the name of the method the authentication algorithm tries. The additional methods of authentication are used only if the preceding method returns an error (not if it rejects the credentials). The none argument lets the authentication succeed if all the authentication methods return an error.
Table 7-2 lists the supported login authentication keywords.
Table 7-2 Supported Login Authentication
Keyword            Description
default            Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
list-name          Character string used to name the list of authentication methods activated when a user logs in.
method             Specifies at least one of the following keywords.
enable             Uses the enable password for authentication.
krb5-telnet        Uses the Kerberos 5 telnet authentication protocol when using telnet to connect to the router.
line               Uses the line password for authentication.
local              Uses the local username database for authentication.
local-case         Uses case-sensitive local username authentication.
none               Uses no authentication.
group radius       Uses the list of all RADIUS servers for authentication.
group tacacs+      Uses the list of all TACACS+ servers for authentication.
group group-name   Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.
(This table has been reproduced by Cisco Press with the permission of Cisco Systems Inc. Copyright © 2003 Cisco Systems, Inc. All Rights Reserved.)
Example 7-1 shows the use of the local username database as the method of user authentication at the console interface.
Example 7-1 Sample Configuration for Console Interface Access Using AAA Authentication Login
Router(config)#aaa new-model
Router(config)#username meron password abc123
Router(config)#aaa authentication login conaccess local
Router(config)#line console 0
Router(config-line)#login authentication conaccess
Enabling Password Protection at the Privileged Level
Use the aaa authentication enable default command to create a series of authentication methods that are used to determine whether a user can access the privileged EXEC command level. The following shows the syntax for aaa authentication enable:
Router(config)# aaa authentication enable default method1 [method2...]
Table 7-3 shows the aaa authentication enable default methods.
Table 7-3 aaa authentication enable default Methods
Keyword            Description
enable             Uses the enable password for authentication.
line               Uses the line password for authentication.
none               Uses no authentication.
group radius       Uses the list of all RADIUS hosts for authentication.
group tacacs+      Uses the list of all TACACS+ hosts for authentication.
group group-name   Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.
Example 7-2 shows a configuration for privileged EXEC access authentication using AAA.
Example 7-2 Configuring Privileged EXEC Access Authentication Using AAA
Router(config)#aaa new-model
Router(config)#aaa authentication enable default enable
Configuring PPP Authentication Using AAA
Users who dial in to your network need to be authenticated. Dialup configuration (PPP, ARA) is typically configured on serial interfaces on your router. AAA provides a range of authentication methods for use on the serial interfaces configured for PPP. The aaa authentication ppp command enables AAA authentication. The syntax for aaa authentication ppp is as follows:
Router(config)# aaa authentication ppp {default | list-name} method1 [method2...]
Table 7-4 shows the aaa authentication ppp methods.
Table 7-4 aaa authentication ppp Methods
Keyword            Description
if-needed          Does not authenticate if the user has already been authenticated on a tty line.
krb5               Uses Kerberos 5 for authentication (can only be used for PAP authentication).
local              Uses the local username database for authentication.
local-case         Uses case-sensitive local username authentication.
none               Uses no authentication.
group radius       Uses the list of all RADIUS servers for authentication.
group tacacs+      Uses the list of all TACACS+ servers for authentication.
group group-name   Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.
(This table has been reproduced by Cisco Press with the permission of Cisco Systems Inc. Copyright © 2003 Cisco Systems, Inc. All Rights Reserved.)
The following steps outline the configuration procedure for AAA authentication methods for serial lines using PPP:
Step 1 Enable AAA globally.
Router(config)# aaa new-model
Step 2 Create a local authentication list.
Router(config)# aaa authentication ppp {default | list-name} method1 [method2...]
Step 3 Enter the configuration mode for the interface to which you want to apply the authentication list.
Router(config)# interface interface-type interface-number
Step 4 Apply the authentication list to the interface.
Router(config-if)# ppp authentication {protocol1 [protocol2...]} [if-needed] {default | list-name} [callin] [one-time]
The configuration shown in Example 7-3 has AAA authentication configured for PPP connections to use the local username database as the default method for user authentication.
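The method-list fallback rule stated in the login section, and reused by the enable and PPP lists above, as an added example that is not code from the book: a small Python model of how IOS walks a method list. The backends, the sample credentials, the server-reachability flag and the treatment of an unknown local username as an error (rather than a rejection) are assumptions of the model, not statements from the text.

```python
# Added example, not from the book: a model of how a Cisco IOS AAA method list
# is walked. The next method is tried only when the preceding one returns an
# ERROR (e.g. unreachable servers), never when it rejects the credentials.
from enum import Enum

class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method reached a decision and rejected the user
    ERROR = "error"  # the method could not reach a decision

# Constructed sample data; the local user is the one from Example 7-1.
LOCAL_DB = {"meron": "abc123"}
REMOTE_DB = {"ops": "t4cacs-pw"}     # accounts known only to the AAA servers
ENABLE_PASSWORD = "en4ble-pw"        # constructed value

def local(user, pw, servers_up):
    # Assumption (IOS behaviour not stated in the text): an unknown username is
    # an ERROR so the next method is consulted; a wrong password is a FAIL.
    if user not in LOCAL_DB:
        return Result.ERROR
    return Result.PASS if LOCAL_DB[user] == pw else Result.FAIL

def enable(user, pw, servers_up):
    return Result.PASS if pw == ENABLE_PASSWORD else Result.FAIL

def server_group(name):
    def method(user, pw, servers_up):
        if name not in servers_up:       # unreachable servers cannot decide
            return Result.ERROR
        return Result.PASS if REMOTE_DB.get(user) == pw else Result.FAIL
    return method

METHODS = {
    "local": local,
    "enable": enable,
    "none": lambda user, pw, servers_up: Result.PASS,    # always succeeds
    "if-needed": lambda user, pw, servers_up: Result.ERROR,  # no decision here
    "group tacacs+": server_group("group tacacs+"),
    "group radius": server_group("group radius"),
}

def authenticate(method_list, user, pw, servers_up=(), tty_authenticated=False):
    """First PASS or FAIL is final; all-ERROR denies. servers_up names the
    reachable groups; tty_authenticated models the PPP keyword if-needed."""
    if "if-needed" in method_list and tty_authenticated:
        return Result.PASS
    for name in method_list:
        result = METHODS[name](user, pw, servers_up)
        if result is not Result.ERROR:
            return result
    return Result.ERROR
```

The second and fourth cases below are the ones to check in a real design: a reachable server that rejects the user never falls through to local, and a list with only unreachable servers locks everyone out.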