376 Chapter 12: Using AAA to Scale Access Control in an Expanding Network
· aaa authentication arap--This command answers this question: Does the AppleTalk Remote Access Protocol (ARAP) user use RADIUS or TACACS+? (One must be selected.)
· aaa authentication ppp--This command answers this question: What method should be used if a user is coming over a PPP connection?
· aaa authentication nasi--This command answers this question: What method should be used if a user is coming over NASI?
AAA Authentication Login
What method of authentication is going to be used during the login procedure? The answer to this question is defined by this interface command:
aaa authentication login [default | listname]
The declaration of default tells the router what to do if no listname has been declared on the interface. If a listname has been declared, that listname controls the login. For example, the global command
aaa authentication login myway argument argument argument ...
declares how the myway list is interpreted. On each interface that is declared to use
authentication myway, one or more of the following arguments is used for the authentication:
[enable | line | local | none | tacacs+ | radius | guest]
Each of the previous arguments declares a method of authentication, and they can be listed one
after another on the command line. Example 12-1 shows this concept.
The first statement declares that list myway use TACACS+, and then RADIUS, and then local
username/password pairs for authentication. The fourth statement declares on lines 1-12 that
anyone attempting to log in to these interfaces is authenticated using the order specified in the
list myway. Note that if someone attaches to the console port, he or she is authenticated by
TACACS+ only because that is the default and because there is not a login authentication
statement on the console port.
The term listname (defined as myway in Example 12-1) refers to the list of methods that will
be used, not to a list of people that will be authenticated. In Example 12-1, the term can be
interpreted as "my people will use this list for authentication."
Example 12-1
Declaring a Method of AAA Authentication
Router(config)#aaa authentication login myway tacacs+ radius local
Router(config)#aaa authentication login default tacacs+
Router(config)#line 1 12
Router(config-line)#login authentication myway
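As an added audit check (not from the book or from Cisco), the following Python script reads an IOS-style configuration modelled on Example 12-1, resolves which method list governs the login on each line (the named list applied with login authentication, otherwise default), and flags lines whose effective list has no method that can be evaluated when the TACACS+ or RADIUS server is unreachable. The sample configuration is constructed here; the con 0 and vty 0 4 lines are assumptions added to the example's line 1 12.

```python
import re

# Constructed sample, modelled on Example 12-1 (con 0 and vty 0 4 are our additions).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login myway tacacs+ radius local
aaa authentication login default tacacs+
line con 0
line 1 12
 login authentication myway
line vty 0 4
"""

def parse_method_lists(config):
    """Return {listname: [methods]} from the 'aaa authentication login' statements."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"\s*aaa authentication login (\S+) (.+)$", line)
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists

def effective_login_methods(config):
    """Map each 'line ...' block to (listname, methods) that actually governs its login:
    the named list from 'login authentication <name>' if present, otherwise 'default'."""
    lists = parse_method_lists(config)
    result = {}
    current = None
    for line in config.splitlines():
        if re.match(r"line \S", line):           # start of a new line block
            current = line.strip()
            result[current] = ("default", lists.get("default", []))
        elif current and line.strip().startswith("login authentication "):
            name = line.split()[-1]
            result[current] = (name, lists.get(name, []))
    return result

def lockout_risks(config):
    """Lines whose effective list can only be satisfied by a remote AAA server.
    If tacacs+/radius is unreachable, nobody can log in on these lines.
    ('none' avoids lockout but disables authentication; it is a different finding.)"""
    offline_ok = {"local", "enable", "line", "none"}
    return sorted(name for name, (_, methods) in effective_login_methods(config).items()
                  if not offline_ok & set(methods))

if __name__ == "__main__":
    for name, (listname, methods) in effective_login_methods(SAMPLE_CONFIG).items():
        print(f"{name}: list {listname} -> {' '.join(methods)}")
    print("no offline fallback:", lockout_risks(SAMPLE_CONFIG))
```

On the sample, line 1 12 resolves to myway while con 0 and vty 0 4 fall back to default, which is TACACS+ only, so both are reported.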