374 Chapter 12: Using AAA to Scale Access Control in an Expanding Network
The key thing to keep in mind is packet mode versus character mode, not the physical port
itself. The AUX port, for instance, can be used in both modes. After enabling AAA, each
attachment to the router, whether it is character mode or packet mode, must be declared for
authentication. Failure to declare a method for a connection results in a failed
authentication.
AAA Configuration
AAA configuration is implemented in three steps:
Step 1 Enable AAA configuration on the router. During the declaration of AAA, the router
must be told whether it will be "speaking" with a Terminal Access Controller Access Control
System (TACACS) server or a RADIUS server.
Step 2 Define who will be authenticated, what they are authorized to do, and what will be
tracked in the accounting database.
Step 3 Enable or define the method on the interface.
The following sections detail how to turn on AAA (Step 1), how to define the methods for
authentication, authorization and accounting (Step 2), and how to declare AAA on an interface
(Step 3).
Note that once AAA is turned on for a router, every interface and connection method must be
defined or access is not permitted. Therefore, it is important to leave a "backdoor" or local
access method available during initial deployment to guard against loss of router access due to
configuration mistakes. This is discussed in the sections on authentication for each of the
access methods: login, enable, PPP, ARAP, and NASI.
Enabling AAA
To enable AAA on the router, use this command:
aaa new-model
The no form of this command disables AAA on the router. Once AAA is enabled, the router
must be pointed at the AAA server. For a TACACS server, the command is as follows:
tacacs-server host ip-address [single-connection]
The ip-address parameter designates the location of the CiscoSecure server or another
TACACS server. The optional single-connection parameter tells the router to maintain a single
TCP connection to the AAA server for the duration of the session between the router and the
AAA device. The alternative, and the default, is to open and close a TCP connection for each
session. Cisco recommends the single-connection feature for improved performance.
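The following configuration is an added worked example, not taken from the chapter, that
puts the three steps and the "backdoor" advice together in IOS syntax. The server address
192.0.2.10, the shared secret, and the local username are constructed placeholders; the
method-list keyword for a TACACS+ server group is tacacs+, and the local fallback is
consulted only when no TACACS+ server answers, not when the server rejects the login.

```cisco
! Step 1: enable AAA and point the router at the TACACS+ server.
! 192.0.2.10 and <SHARED-SECRET> are constructed placeholder values.
aaa new-model
tacacs-server host 192.0.2.10 single-connection
tacacs-server key <SHARED-SECRET>
!
! Local fallback credentials so access survives an unreachable server
! or a mistyped method list (the "backdoor" the text recommends).
username admin privilege 15 secret <LOCAL-PASSWORD>
enable secret <ENABLE-SECRET>
!
! Step 2: method lists. Try the TACACS+ group first; fall back to the
! local database (or the enable secret) only when no server responds.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Step 3: apply the login method list to the character-mode lines.
line con 0
 login authentication default
line vty 0 4
 login authentication default
```

Keep the session in which you entered these commands open and verify from a second
session that both the TACACS+ path and the local fallback work before saving the
configuration; a mistake in the method list is discovered by the second session, not by the
one that is already authenticated.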