The aaa authentication enable default command

After enabling AAA globally on the access server, you need to define the authentication method lists and apply them to lines and interfaces. These authentication method lists are security profiles that indicate the service (PPP, dot1x, or login) and the authentication method. Up to four authentication methods (local, group TACACS+, group RADIUS, line, or enable authentication) may be applied to a line or interface. A good security practice is to have either local or enable authentication as the final method, so that you can still log in if the link to the chosen method server is severed.

2-94 Securing Cisco Network Devices (SND) v2.0 © 2006 Cisco Systems, Inc.

Complete these steps to define an authentication method list using the aaa authentication command:

Step 1 Use the aaa authentication command in global configuration mode to configure an AAA authentication method list, as follows:

1. Specify the service (PPP, dot1x, and so on) or login authentication.

2. Identify a method list name or use the default method list name. The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list.

A list name is any alphanumeric string that you choose. Multiple method lists can be configured on the router, but each one has to have a unique method list name.

A method list is a sequential list describing the authentication methods to be queried to authenticate a user. Method lists enable you to designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method has an error. Errors mean that the security server has not responded to an authentication query.

Step 2 Specify the authentication method (local, group TACACS+, group RADIUS, line, or enable authentication, and so on), and specify how the router should handle requests when one of the methods is not operating (for example, if the AAA server is down). You can specify up to four methods for AAA to try before stopping the authentication process.

Step 3 After defining these authentication method lists, apply them to each of the following:

■ Lines: tty, vty, console, aux, and async lines, or the console port for login and asynchronous lines (in most cases) for ARAP

■ Interfaces: sync, async, and virtual interfaces configured for PPP, Serial Line Interface Protocol (SLIP), NASI, or ARAP


router(config)# aaa authentication login {default | list-name} method1 [method2...]

router(config)# aaa authentication login default enable
router(config)# aaa authentication login console-in local
router(config)# aaa authentication login tty-in line

To set AAA authentication for login to the router administration port, use the aaa authentication login command in global configuration mode, as shown in this figure. The entries are defined here:

■ The aaa authentication login default enable command specifies a default login authentication method list using the enable password.

■ The aaa authentication login console-in local command specifies a login authentication method list named "console-in" using the local username-password database on the router.

■ The aaa authentication login tty-in line command specifies a login authentication method list named "tty-in" using the line password configured on the router.

Here is the syntax for the aaa authentication login command:


aaa authentication login {default | list-name} method1 [method2...]

Command elements and their descriptions:

default: Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.

list-name: Character string used to name the list of authentication methods activated when a user logs in.

method: Specifies at least one of these keywords:

■ enable: Uses the enable password for authentication

■ krb5: Uses Kerberos 5 for authentication

■ krb5-telnet: Uses the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router

■ line: Uses the line password for authentication

■ local: Uses the local username database for authentication

■ local-case: Uses case-sensitive local username authentication

■ none: Uses no authentication

■ group radius: Uses the list of all RADIUS servers for authentication

■ group tacacs+: Uses the list of all TACACS+ servers for authentication

■ group group-name: Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ commands


router(config)# aaa authentication ppp {default | list-name} method1 [method2...]

router(config)# aaa authen ppp default local
router(config)# aaa authen ppp dial-in local none

To specify one or more AAA authentication methods for use on serial interfaces running PPP, use the aaa authentication ppp command in global configuration mode, as shown in the figure. The entries are defined here:

■ The aaa authentication ppp default local command specifies a default PPP authentication method list using the local username-password database on the router.

■ The aaa authentication ppp dial-in local none command specifies a PPP authentication method list named "dial-in" that first uses the local username-password database on the router. If the username is not defined in the local database, no authentication is used.


router(config)# aaa authentication enable default method1 [method2...]

router(config)# aaa authentication enable default group tacacs+ enable none

Use the aaa authentication enable default command in global configuration mode, as shown in this figure, to enable AAA authentication to determine if a user can access the privileged command level.

The syntax for the aaa authentication enable default command is as follows: aaa authentication enable default method1 [method2...]

The example in the figure creates an authentication list that first tries to contact a TACACS+ server. If the TACACS+ server does not respond, AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured), the user is allowed access to privileged mode with no authentication.
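As an added illustration (not part of the course text), this Python model reproduces the method-list rule the text relies on: AAA moves to the next method only when a method returns an error (server unreachable, password not configured, username not in the local database), never when a method rejects the user. It then walks the figure's enable list through that outage. The method names, the state dictionary and the helper function names are constructed for this example.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method answered and rejected the user
    ERROR = "error"  # the method could not answer (server down, password not set)

def method_tacacs(user, password, state):
    # Constructed model: a server that does not respond yields ERROR, not a verdict.
    if not state["tacacs_reachable"]:
        return Result.ERROR
    return Result.PASS if state["tacacs_users"].get(user) == password else Result.FAIL

def method_enable(user, password, state):
    # With no enable password configured there is nothing to check against.
    if state["enable_password"] is None:
        return Result.ERROR
    return Result.PASS if password == state["enable_password"] else Result.FAIL

def method_local(user, password, state):
    # Unknown local username is an ERROR (next method); wrong password is a FAIL.
    if user not in state["local_users"]:
        return Result.ERROR
    return Result.PASS if state["local_users"][user] == password else Result.FAIL

def method_none(user, password, state):
    return Result.PASS  # "none": no authentication at all

METHODS = {"group tacacs+": method_tacacs, "enable": method_enable,
           "local": method_local, "none": method_none}

def authenticate(method_list, user, password, state):
    """Walk the list in order; only an ERROR moves on to the next method.
    Returns (result, deciding method), or (FAIL, None) when every method
    errored and the list ran out."""
    for name in method_list:
        result = METHODS[name](user, password, state)
        if result is not Result.ERROR:
            return result, name
    return Result.FAIL, None

def final_method_is_recoverable(method_list):
    """The practice stated above: the last method should be local or enable."""
    return method_list[-1] in ("local", "enable")

# Constructed outage: TACACS+ does not respond and no enable password is set.
OUTAGE = {"tacacs_reachable": False, "tacacs_users": {"admin": "tacacs-pw"},
          "enable_password": None, "local_users": {"admin": "local-pw"}}
```

Calling authenticate(["group tacacs+", "enable", "none"], "guest", "", OUTAGE) returns (Result.PASS, "none"): during the outage the list walks straight through to no authentication, which is exactly what the figure's text describes.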

AAA Authentication Enable Default Methods

■ enable: Uses the enable password for authentication

■ line: Uses the line password for authentication

■ none: Uses no authentication

■ group radius: Uses the list of all RADIUS hosts for authentication. Note: The RADIUS method does not work on a per-username basis.

■ group tacacs+: Uses the list of all TACACS+ hosts for authentication

■ group group-name: Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ commands


Applying the method lists defined above to the console line and to a PPP interface, as shown in the figure:

router(config)# line console 0
router(config-line)# login authentication console-in
router(config)# int s3/0
router(config-if)# ppp authentication chap dial-in


Responses

  • niamh
    When to use aaa authentication login console group command?
    5 months ago
