380 Chapter 12: Using AAA to Scale Access Control in an Expanding Network
· krb5--This method uses Kerberos 5. It is available only for PPP operations, and
  communications with a Kerberos security server must be established. Kerberos login
  authentication works with PPP Password Authentication Protocol (PAP) only. The name
  Kerberos comes from Greek mythology and is the name of the three-headed dog that
  guarded the entrance of Hades.
· if-needed--This is another PPP-only option. It stops authentication if the user has
  already been authenticated on the TTY line.
AAA Authentication NASI
The aaa authentication nasi command is used with the nasi authentication line configuration
command to specify a list of authentication methods that are tried when a NASI user attempts
to gain access to the router. Example 12-4 shows this configuration.
As with the other access methods, this example requires TACACS+ authentication when a
user is using NASI and then uses the username/password pair if TACACS+ is
unavailable.
The following list describes each of the methods for authentication using AAA for NASI. You
should memorize this for the exam.
· line--This method uses the password that is on the line being attached to. The
  password is set with the line command login (ask for a password) and the command
  password xxx, where xxx is the password for the line.
· enable--This method uses the enable password for authentication on the interface.
  The authentication is compared against the enable password on the router.
· local--This method uses the username yyyy password xxxx pairs that are on the
  router for authentication.
· none--This method uses no authentication method.
· tacacs+--This method uses the TACACS server declared by the tacacs-server host
  ip-address statement on the router.
When AAA is turned on, all lines and ports on the router use AAA; hence, the default group
should be configured for any access method that the router will see.
Example 12-4 Declaring AAA Authentication with NASI
Router(config)#aaa authentication nasi novellfolk tacacs+ local
Router(config)#line 1 12
Router(config-line)#nasi authentication novellfolk
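The method-list rules described above can be checked mechanically. The following Python script is an added example, not code from the book or from Cisco: it scans an IOS configuration for NASI method lists and flags a none method, a tacacs+ or local method with no matching tacacs-server host or username statement, and lines that reference an undefined list. The sample configuration and the list names legacy and ghost are constructed for illustration.

```python
import re

# Constructed sample config (not from the book). "novellfolk" matches Example 12-4;
# the "legacy" list and the undefined "ghost" list are deliberate faults.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication nasi novellfolk tacacs+ local
aaa authentication nasi legacy line none
username admin password 0 example
line 1 12
 nasi authentication novellfolk
line 13 16
 nasi authentication ghost
"""
KNOWN_METHODS = {"line", "enable", "local", "none", "tacacs+"}  # methods listed above

def audit_nasi_aaa(config: str) -> list[str]:
    """Return findings for NASI authentication method lists in an IOS config."""
    lists, findings = {}, []
    lines = [ln.rstrip() for ln in config.splitlines()]
    for ln in lines:
        m = re.match(r"aaa authentication nasi (\S+) (.+)", ln.strip())
        if m:
            lists[m.group(1)] = m.group(2).split()
    has_user = any(ln.startswith("username ") for ln in lines)
    has_tacacs = any(ln.startswith("tacacs-server host ") for ln in lines)
    for name, methods in lists.items():
        for meth in methods:
            if meth not in KNOWN_METHODS:
                findings.append(f"{name}: unknown method '{meth}'")
        if "none" in methods:
            findings.append(f"{name}: 'none' admits users without authentication")
        if "local" in methods and not has_user:
            findings.append(f"{name}: 'local' used but no username entries")
        if "tacacs+" in methods and not has_tacacs:
            findings.append(f"{name}: 'tacacs+' used but no tacacs-server host")
    current = None
    for ln in lines:
        if ln.startswith("line "):
            current = ln  # remember which line range we are inside
        m = re.match(r"\s+nasi authentication (\S+)", ln)
        if m and m.group(1) != "default" and m.group(1) not in lists:
            findings.append(f"{current}: references undefined list '{m.group(1)}'")
    return findings

if __name__ == "__main__":
    for finding in audit_nasi_aaa(SAMPLE_CONFIG):
        print(finding)
```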