AAA Configuration 375
A shared password is used between the access router and the AAA server for security. The
command to establish this password on the router is as follows:
tacacs-server key password
The password must be configured on the AAA server also. The passwords are case-sensitive.
The first steps in configuring AAA for a RADIUS server are the same as for the TACACS
implementation, with "tacacs" replaced by "radius". The following example is the initial
command set for a RADIUS implementation:
aaa new-model
radius-server host 115.55.43.1
radius-server key specialname
In the command set, the IP address is 115.55.43.1 and the shared password is specialname.
AAA Authentication
Once AAA has been enabled on the router, the administrator must declare the methods by
which authentication can take place. The key issue is to ensure that the administrator has a way
to gain access to the router if the AAA server is down. Failure to provide a backdoor interface
can result in lost communications to the router and the necessity to break in through the console
port. Care should be taken to always configure a local access method during any
implementation of AAA.
The syntax for configuring AAA on the router can be daunting at first glance. Breaking it down
keeps it simpler. Each of the modes listed (login, enable, arap, and so on) is a method by which
a user might gain access to or through the router.
Do you remember the packet and character mode designation from the previous section? The
global configuration commands enable the administrator to declare the method that is used for
authentication, regardless of the access mode being used. These methods, which are shown
later, include enable, line, local, none, and so on and are checked in the order in which they
are specified in the command. The generic form for the authentication command is as follows:
aaa authentication [login | enable | arap | ppp | nasi] method
This example does not include specifics for the method by which the access is evaluated. It is
clearer to show each of the commands and then discuss the method that can be added to the
command.
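The following configuration is an added example, not taken from the book, that combines the RADIUS server definition from the preceding section with authentication method lists that keep a local access path open if the server at 115.55.43.1 is unreachable. It assumes Cisco IOS 12.x or later syntax (the "group radius" keyword); the username and the secrets are placeholders.

```cisco
! Added example (not from the book). Assumes IOS 12.x-or-later syntax;
! LOCAL_ADMIN_SECRET and ENABLE_SECRET are placeholders, not real values.
aaa new-model
!
! RADIUS server definition, as shown in the preceding section
radius-server host 115.55.43.1
radius-server key specialname
!
! Local credentials, used only when no RADIUS server answers
username admin privilege 15 secret LOCAL_ADMIN_SECRET
enable secret ENABLE_SECRET
!
! Login dialog: ask RADIUS first. The "local" method is consulted only if
! RADIUS returns an ERROR (server down or unreachable); an explicit REJECT
! from a reachable server is final and does not fall through.
aaa authentication login default group radius local
!
! A list with no fallback would be:
!   aaa authentication login default group radius
! With that list, a RADIUS outage locks out every login, console included,
! and the only way back in is to break in through the console port.
!
! Console: a local-only list so the console keeps working during an outage
aaa authentication login CONSOLE local
!
! Privileged mode: RADIUS first, then the locally configured enable secret
aaa authentication enable default group radius enable
!
line con 0
 login authentication CONSOLE
!
line vty 0 4
 login authentication default
```

Named lists such as CONSOLE apply only to the lines that reference them with "login authentication"; the list named "default" applies to every line that has no explicit reference.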
Each command in the following list can stand alone, and each defines one form of the
authentication command. In addition, each command serves a specific access purpose. These
purposes were discussed previously.
· aaa authentication login--This command answers this question: How do I authenticate the login dialog?
· aaa authentication enable--This command answers this question: Can the user get to the privileged command prompt?