378 Chapter 12: Using AAA to Scale Access Control in an Expanding Network
methods return an error or are unavailable. If the returned message is a "fail," the router does
not try to authenticate using the subsequent method in the list.
The following list describes each of the methods for enabling authentication. You should
memorize this for the exam.
· enable--This method says to use the enable password for authentication on the interface. The authentication is compared against the enable password on the router.
· line--This method says to use the password that is on the line that is being attached to. This is done using the line command login (ask for a password) and the command password xxx, where xxx is the password for the line.
· none--This method says to not use an authentication method.
· tacacs+--This method says to use the TACACS server declared by the tacacs-server host ip-address statement on the router.
· radius--This method says to use the RADIUS server declared by the radius-server host ip-address statement on the router.
AAA Authentication ARAP
The aaa authentication arap command is used in conjunction with the arap authentication
line configuration command. It describes the methods that are tried when AppleTalk Remote
Access (ARA) users attempt to gain access to the router. Example 12-2 shows the configuration.
The first statement declares that TACACS+ is tried first and that the local username/password
pairs are used if TACACS+ returns an error or is unavailable. On lines 1 through 12, the arap
authentication command points back to the list named in the AAA declaration in the first statement.
The following list describes each of the methods for authentication using AAA for ARAP. You
should memorize this for the exam.
· line--This method says to use the password that is on the line that is being attached to. This is done using the line command login (ask for a password) and the command password xxx, where xxx is the password for the line.
· local--This method says to use the username yyyy password xxxx pairs that are on the router for authentication.
Example 12-2 Declaring AAA Authentication with ARAP
Router(config)#aaa authentication arap applefolk tacacs+ local
Router(config)#line 1 12
Router(config-line)#arap authentication applefolk
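
The following Python sketch is an added example, not part of the original text or of any Cisco tool. It parses configuration text like Example 12-2, flags line ranges that reference an undeclared list and lists that contain none, and models the rule that only an error, never a fail, moves the router on to the next method. The enable list, the 13 16 line range and the list name appletalk are constructed sample input, and the function names are hypothetical.

```python
# Constructed sample: lines 1, 3 and 4 are Example 12-2; the rest is invented.
SAMPLE = """\
aaa authentication arap applefolk tacacs+ local
aaa authentication enable default tacacs+ none
line 1 12
 arap authentication applefolk
line 13 16
 arap authentication appletalk
"""

def parse(config):
    """Return ({(service, name): methods}, [(lines, service, name)])."""
    lists, refs, current = {}, [], None
    for raw in config.splitlines():
        words = raw.split()
        if words[:2] == ["aaa", "authentication"] and len(words) >= 5:
            lists[(words[2], words[3])] = words[4:]
        elif words[:1] == ["line"]:
            current = " ".join(words[1:])
        elif current and len(words) == 3 and words[1] == "authentication":
            refs.append((current, words[0], words[2]))
    return lists, refs

def audit(config):
    """Flag references to undeclared lists and lists that contain 'none'."""
    lists, refs = parse(config)
    findings = [f"line {lines}: {svc} list '{name}' is not declared"
                for lines, svc, name in refs if (svc, name) not in lists]
    findings += [f"{svc} list '{name}' contains 'none'"
                 for (svc, name), methods in lists.items() if "none" in methods]
    return findings

def authenticate(methods, outcomes):
    """Walk a method list. outcomes maps method -> 'pass' | 'fail' | 'error';
    a method missing from outcomes is treated as unavailable ('error')."""
    for method in methods:
        if method == "none":          # no authentication is performed
            return ("pass", method)
        result = outcomes.get(method, "error")
        if result != "error":         # 'pass' or 'fail' ends the attempt
            return (result, method)
    return ("fail", None)             # every method errored: deny

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    applefolk = parse(SAMPLE)[0][("arap", "applefolk")]
    print(authenticate(applefolk, {"tacacs+": "error", "local": "pass"}))
    print(authenticate(applefolk, {"tacacs+": "fail", "local": "pass"}))
```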