AAA Configuration 377
The order of the authentication arguments is important. In Example 12-1, if the user fails
authentication with TACACS+, he or she is denied access. If the router fails to access
TACACS+, the router tries to contact a RADIUS server. The key issue is that a secondary
method is used only if a previous method is unavailable to the router.
This key issue is important to remember because if tacacs+ is the only option to verify a login
and the TACACS+ service is unavailable or down, nobody can log in. If the authentication
methods were set as tacacs+ and local, administrative username/password pairs could be
placed on the router so that even if TACACS+ were down, an administrator could still gain access
to the router.
It is important to maintain a proper order for the methods. You should make local a last-resort
method so that access to the router is maintained by at least a local username/password pair.
The following list describes each of the methods for login authentication. You should memorize
this list for the exam.
· line--This method says to use the password that is on the line that is being attached to.
This is done using the line command login (ask for a password) and the command
password xxx, where xxx is the password for the line.
· enable--This method says to use the enable password for authentication on the interface.
The authentication is compared against the enable password on the router.
· local--This method says to use the username yyyy password xxxx pairs that are on the
router for authentication.
· none--This method says to not use an authentication method.
· tacacs+--This method says to use the TACACS server declared by the tacacs-server host
ip-address statement on the router.
· radius--This method says to use the RADIUS server declared by the radius-server host
ip-address statement on the router.
AAA Authentication Enable
What method is used if a user tries to access privileged mode on the router? If no AAA methods
are set, the user must have the enable password. This password is demanded by the IOS. If AAA
is being used and no default is set, the user also needs the enable password for access to the
privileged mode.
The construct for AAA is similar to the login authentication commands. The following example
shows the implementation of AAA authentication enable:
Router(config)#aaa authentication enable thefolks tacacs+ enable
This command declares that to gain access to privileged mode, TACACS+ is checked first and
then only if TACACS+ returns an error or is unavailable is the enable password used. With all
the lists that are set for AAA, the secondary methods are used only if the subsequently listed