![]() ![]() ![]() ![]() ![]() ![]() ![]() ![]() ![]() |
This chapter describes management protocols and Network Access Server (NAS) security and control functionality with AAA and RADIUS servers.
Remote Monitoring (RMON) is an Internet Engineering Task Force (IETF) monitoring standard (RFC 1757) that allows console systems and network monitors to exchange statistical and functional monitoring data, through RMON-compliant console managers and network probes. RMON provides network administrators with flexibility to satisfy networking demands through console and network monitoring probes to obtain fault diagnostics, planning, and performance information.
RMON delivers information in nine unique monitoring element groups that provide specific types of data, which satisfies common network-monitoring requirements. Some RMON groups are dependent upon others for support, but each is optional so that it is not necessary for vendors to support all groups within the management information base (MIB). See Table 4-1 for RMON group functions.
This section describes how to enable basic management protocols on a Cisco AS5800 as part of a dial access service. It does not however, describe how to integrate the Cisco IOS software with NT or UNIX servers. Management protocols are described only from the perspective of the Cisco IOS software.
Figure 4-1 shows a logical perspective of how management protocols interact between the Cisco IOS software (client) and a network element management server. Dashed lines represent different protocols and functions.
Table 4-2 provides the RFCs and URLs for the management protocols described in this section.
For more information about system management, refer to Cisco IOS Release 12.0 Configuration Fundamentals Configuration Guide and Command Reference, available online at
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/index.htm
The Network Time Protocol (NTP) provides a common time base for networked routers, servers, and other devices. A synchronized time enables you to correlate syslog and Cisco IOS debug output to specific events. For example, you can find call records for specific users within one millisecond.
Comparing logs from various networks is essential for:
Without precise time synchronization between all the various logging, management, and AAA functions, time comparisons are not possible.
An NTP enabled network usually gets its time from an authoritative time source, such as a Cisco router, radio clock, or an atomic clock attached to a timeserver. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within a millisecond of each another. NTP runs over UDP, which in turn runs over IP.
Step 2 Specify the primary NTP server IP address and automatic calendar updates as shown below:
Step 3 Verify that the clock is synchronized to the NTP server. Inspect the status and time association. Clock sources are identified by their stratum levels. The following example shows a stratum level five clock.
The following command identifies how often the NAS is polling and updating to the stratum clock. An asterisk (*) next to the NTP servers IP address indicates successful synchronization with the stratum clock.
The Cisco IOS software can send syslog messages to one or more element manager servers. Syslog messages are then collected by a standard UNIX or NT type syslog daemon.
Figure 4-2 shows the Cisco IOS software sending syslog data to an element manager. Syslog data either stays in the Cisco IOS software buffer, or is pushed out and written to the element managers hard disk.
![]() |
Note Cisco System's UNIX syslog format is compatible with 4.3 BSD UNIX. |
Step 2 Verify that console logging is disabled. If it is enabled, the NAS will intermittently freeze up as soon as the console port is overloaded with log messages. See the field "1 flushes." Increments on this number represents bad logging behavior.
![]() |
Caution Not entering the no logging console command might cause CPU interrupts, dropped packets, denial of service events, and router lock up. |
Step 3 Specify the logging configuration:
Table 4-3 describes the commands in the previous configuration fragment.
If you are working with multiple network access servers, assign a different logging facility tag to each server. Syslog information can be collected and sorted into different files on the syslog server.
Assigning a different tag to each device enables you to intelligently sort and view syslog messages:
Step 4 Verify that local buffered logging is working:
The SNMP traps generated by Cisco routers provide:
The Cisco IOS software generates SNMP traps based on the features that the Cisco IOS software supports.
Figure 4-3 shows the interactions and timing of the SNMP protocol between the EM (SNMP manager) and the NAS (SNMP agent). Traps are unsolicited messages sent from the NAS to the EM. Four functions of SNMP include: trap, get request, get next, and set request.
![]() |
Note For a listing of all SNMP traps supported by Cisco, refer to Cisco IOS SNMP Traps
Supported and How to Configure Them, available online at http://www.cisco.com/warp/public/477/SNMP/snmp_traps.html |
Table 4-4 describes commands in the previous configuration fragment.
![]() |
Caution If you are not using SNMP, make sure to turn it off. Never use a configuration that uses "public" or "private" as community stringsthese strings are well known in the industry and are common defaults on hardware. These strings are open invitations to attacks, regardless if you use filters. |
Step 2 Monitor SNMP input and output statistics. For example, display a real-time view of who is polling the NAS for statistics and how often.
Limit the amount of output logged from the group-async interface and ISDN D channels. Carefully choose the data sources for system management purposes. AAA accounting and the modem-call record terse feature provides the best data set for analyzing ISDN remote node device activity.
Link status up-down events and SNMP trap signals:
The following configuration fragment disables logging on access interfaces:
The following is an example of the Cisco AS5800 running configuration with Cisco IOS Release 12.0(4) XL1 installed.
The Cisco AS5800 is designed to support a security paradigm providing authentication, authorization, and accounting (AAA) security measures using RADIUS and TACACS+.
This section describes how to configure security using a local database resident on your Cisco AS5800 or using a remote security database for Terminal Access Controller Access Control System with Cisco proprietary enhancements (TACACS+) and Remote Authentication Dial-In User Service (RADIUS). Refer to the "Local and Remote Server Authentication" section for local and remote authentication definitions.
This section describes the following topics:
This section describes the differences between local and remote security databases and the basic authentication process for each. Remote security databases described in this section include Terminal Access Controller Access Control System with Cisco proprietary enhancements (TACACS+) and Remote Authentication Dial-In User Service (RADIUS).
Generally the size of the network and type of corporate security policies and control determine whether you use a local or remote security database.
If you have one or two Cisco AS5800 providing access to your network, store username and password security information on your Cisco AS5800. This is referred to as local authentication.
As your network expands, you need a centralized security database that provides username and password information each access server in the network. This centralized security database resides in a security server.
A centralized security database helps establish consistent remote access policies throughout a corporation. An example of a remote security database server is the CiscoSecure product from Cisco Systems. CiscoSecure is a UNIX security daemon, with which the administrator creates a database that defines the network users and their privileges. CiscoSecure uses a central database that stores user and group profiles with authentication and authorization information.
The Cisco AS5800 exchanges user authentication information with a TACACS+ or RADIUS database on the security server by transmitting encrypted TACACS+ or RADIUS packets across the network.
For specific information about the interaction between the security server and the Cisco AS5800, refer to the security configuration guide in the Cisco IOS configuration guides and command references documentation.
This section describes the Remote Authentication Dial-In User (RADIUS) security system, defines its operation, and identifies appropriate and inappropriate network environments for using RADIUS technology. RADIUS Configuration Task List describes how to configure RADIUS with the authentication, authorization, and accounting (AAA) command set. RADIUS Configuration Examples offers two possible implementation scenarios.
This section includes the following topics:
For a complete description of the commands used in this section, refer to information on RADIUS commands in the security command reference for your Cisco IOS release. To locate documentation of other commands that appear in this section, use the command reference master index or search online.
RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server. The server contains all user authentication and network service access information.
RADIUS is a fully open protocol, distributed in source code format, that can be modified to work with any security system currently available on the market.
Cisco supports RADIUS under its AAA security paradigm. RADIUS can be used with other AAA security protocols, such as TACACS+, Kerberos, or local username lookup. RADIUS is supported on all Cisco platforms.
RADIUS has been implemented in a variety of network environments that require high levels of security while maintaining network access for remote users.
Use RADIUS in the following network environments that require access security:
RADIUS is not suitable in the following network security situations:
When attempting to log in and authenticate to Cisco AS5800 using RADIUS, the following steps occur:
1. The user enters a username and password at the corresponding prompts.
2. The username and encrypted password are sent over the network to the RADIUS server.
3. The user receives one of the following responses from the RADIUS server:
The ACCEPT or REJECT response is bundled with additional data that is used for EXEC or network authorization. You must first complete RADIUS authentication before using RADIUS authorization. The additional data included with the ACCEPT or REJECT packets consists of the following:
To configure RADIUS on your Cisco AS5800, you must perform the following tasks:
The following configuration tasks are optional:
This section describes how to set up RADIUS for authentication, authorization, and accounting on your network, and includes the following sections:
The RADIUS host is normally a multi-user system running RADIUS server software from Livingston, Merit, Microsoft, or another software provider. A RADIUS server and a Cisco router use a shared secret text string to encrypt passwords and exchange responses.
To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon, and a secret text string that it shares with the router. Use the radius-server commands to specify the RADIUS server host and a secret text string.
To specify a RADIUS server host and shared secret text string, perform the following tasks in global configuration mode:
To customize communication between the router and the RADIUS server, use the following optional radius-server global configuration commands:
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network Cisco AS5800 and the RADIUS server, by using the vendor-specific attribute (Attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string of the format:
This allows the full set of features available for TACACS+ authorization to also be used for RADIUS.
For example, the following AV pair causes the Cisco "multiple named ip address pools" feature to be activated during IP authorization (during PPP's IPCP address assignment).
The following example causes a "NAS Prompt" user to have immediate access to EXEC commands.
Other vendors have their own vendor-IDs, options, and associated VSAs. For more information about vendor-IDs and VSAs, refer to the RADIUS specification RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)," described in How Does RADIUS Work?, available online at
http://www.cisco.com/warp/public/707/32.html
To configure the NAS to recognize and use VSAs, perform the following task in global configuration mode:
Enable the network Cisco AS5800 to recognize and use VSAs as defined by RADIUS IETF attribute 26.
For a complete list of RADIUS attributes or more information about vendor-specific Attribute 26, refer to the RADIUS Attributes appendix.
Although the IETF draft standard for RADIUS specifies a method for communicating vendor-specific information between the network Cisco AS5800 and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
To configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with the Cisco device. You specify the RADIUS host and secret text string by using the radius-server commands. To identify that the RADIUS server is using a vendor-proprietary implementation of RADIUS, use the radius-server host nonstandard command.
Vendor-proprietary attributes will not be supported unless you use the radius-server host non-standard command.
To specify a vendor-proprietary RADIUS server host and a shared secret text string, perform the following tasks in global configuration mode.
Specify the IP address or host name of the remote RADIUS server host and identify that it is using a vendor-proprietary implementation of RADIUS.
Specify the shared secret text string used between the router and the vendor-proprietary RADIUS server. The router and the RADIUS server use this text string to encrypt passwords and exchange responses.
Some vendor-proprietary implementations of RADIUS let the user define static routes and IP pool definitions on the RADIUS server, instead of on each individual Cisco AS5800 in the network. Each network Cisco AS5800 then queries the RADIUS server for static route and IP pool information.
To have the Cisco AS5800 query the RADIUS server for static routes and IP pool definitions when the device first starts up, use the following commands in global configuration mode:
![]() |
Note Because the radius-server configure-nas command is performed when the Cisco router starts up, it will not take effect until you enter a copy running-config startup-config command. |
In some situations, PPP or login authentication occurs on an interface different from the interface on which the call itself comes in. For example, in a V.120 ISDN call, login or PPP authentication occurs on a virtual asynchronous interface "ttt" but the call itself occurs on one of the channels of the ISDN interface.
The radius-server attribute nas-port extended command configures RADIUS to expand the size of the NAS-Port attribute (RADIUS IETF Attribute 5) field to 32 bits. The upper 16 bits of the NAS-Port attribute display the type and number of the controlling interface; the lower 16 bits indicate the interface undergoing authentication.
To display expanded interface information in the NAS-Port attribute field, perform the following task in global configuration mode.
Expand the NAS-Port attribute size from 16 to 32 bits to display extended interface information.
![]() |
Note This command replaces the deprecated radius-server extended-portnames command. |
On platforms with multiple interfaces (ports) per slot, the Cisco RADIUS implementation will not provide a unique NAS-Port attribute that permits distinguishing between the interfaces. For example, if a dual PRI interface is in slot 1, calls on both Serial1/0:1 and Serial1/1:1 will appear as NAS-Port = 20101. This is due to the 16-bit field size limitation associated with RADIUS IETF NAS-port attribute. In this case, replace the NAS-port attribute with a vendor-specific attribute (RADIUS IETF Attribute 26). The Cisco vendor-ID is 9, and the Cisco-NAS-Port attribute is subtype 2. Vendor-specific attributes (VSAs) can be turned on by entering the radius-server vsa send command. The port information in this attribute is provided and configured using the aaa nas port extended command.
To replace the NAS-Port attribute with RADIUS IETF Attribute 26 and to display extended field information, use the following commands in global configuration mode.
Enable the network Cisco AS5800 to recognize and use vendor-specific attributes as defined by RADIUS IETF Attribute 26.
Expand the size of the VSA NAS-Port field from 16 to 32 bits to display extended interface information.
The standard NAS-Port attribute (RADIUS IETF Attribute 5) will continue to be sent. If you do not want this information to be sent, you can suppress it by using the no radius-server attribute nas-port command. When this command is configured, the standard NAS-Port attribute will no longer be sent.
After you have identified the RADIUS server and defined the RADIUS authentication key, you need to define method lists for RADIUS authentication. Because RADIUS authentication is facilitated through AAA, you need to enter the aaa authentication command, and specify RADIUS as the authentication method. For more information, refer to information on configuring authentication in the security configuration guide for your Cisco IOS release.
AAA authorization lets you set parameters that restrict users network access. Authorization using RADIUS provides one method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet. Because RADIUS authorization is facilitated through AAA, you need to issue the aaa authorization command, specifying RADIUS as the authorization method.
The AAA accounting feature enables you to track the services users access and the amount of network resources they consume. Because RADIUS accounting is facilitated through AAA, you need to issue the aaa accounting command, specifying RADIUS as the accounting method.
The network Cisco AS5800 monitors the RADIUS authorization and accounting functions defined by RADIUS attributes in each user-profile.
An Internet Engineering Task Force (IETF) draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the network Cisco AS5800 and the RADIUS server. Some vendors, nevertheless, have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
RADIUS configuration examples in this section include the following:
The following example shows a router configuration to authenticate and authorize using RADIUS.
These RADIUS authentication and authorization configuration commands are defined as follows:
The following sample is a general configuration using RADIUS with the AAA command set.
The lines in this sample RADIUS authentication, authorization, and accounting configuration are defined as follows:
The following example is a general configuration using vendor-proprietary RADIUS with the AAA command set.
The lines in this example RADIUS AAA configurations are defined as follows:
The following Cisco IOS software support is available for RADIUS.
3. RADIUS & AAA debug commands
The following global configuration commands provide basic security and local database configuration.
Step 2 Enable AAA authentication method during login.
Step 3 Enable AAA authentication method during login using a methods list.
Step 4 Enable AAA authentication method for use on serial interfaces running PPP when TACACS+ is used.
Step 5 Enter authorization for username and password.
Use the AAA facility to authenticate users with either a local or remote security database. For more information about a local and remote security database, refer to the "Local and Remote Server Authentication" section.
Whether you maintain a local or remote security database, or use TACACS+ or RADIUS authentication and authorization, the process of configuring the Cisco AS5800 for these different databases and protocols is similar. The basic process of configuring the Cisco IOS software for authentication requires the following tasks:
1. Securing Access to Privileged EXEC and Configuration Mode
2. Communicating Between the Access and Security Servers
4. Defining Authentication Method Lists
5. Applying Authentication Method Lists
The first step is to secure access to privileged EXEC (enable) mode. Enable mode provides access to configuration mode, which enables any type of configuration change to the Cisco AS5800. To secure privileged EXEC mode access, use one of the following commands.
The enable secret password takes precedence over the enable password when it exists. The same password cannot be used for both commands. You can view the encrypted version of the enable secret password using the show running-config or show startup-config commands. (The encrypted version of the password is noted with * in the following example.)
![]() |
Note For more information about the enable password and enable secret commands and their complete syntax, refer to the security command reference for your Cisco IOS release in the Cisco IOS configuration guides and command references documentation. |
![]() |
Note The enable secret password overrides the enable password. |
The following global configuration commands provide an encrypted password using enable secret.
Step 2 Type the exit command to exit out of global configuration mode.
Step 3 Enter the show running-config command to view the encrypted version of the cleartext password that was entered in Step 1. The encrypted password is noted with **.
![]() |
Note Encryption type 5 is the only valid encryption type for enable secret. |
Step 4 Type Ctrl-Z to return to privileged EXEC mode.
Step 5 Save changes.
You can also specify additional protection for privileged EXEC mode, including the following:
For more information about these security tools, refer to the security configuration guide for your Cisco IOS release in the Cisco IOS configuration guides and command references documentation.
This section describes the Cisco IOS software commands that enable the Cisco AS5800 to communicate with a security server. This procedure is similar for communicating with TACACS+ and RADIUS servers, and the following sections describe the process.
If you are using a remote security server for authentication and authorization, you must configure the security server before performing the tasks described in this section. TACACS+ Security Examples shows typical TACACS+ and RADIUS server entries corresponding to the Cisco AS5800 security configurations.
The following global configuration commands enable communication between the TACACS+ security (database) server and the Cisco AS5800.
Step 2 Specify a shared secret text string used between the Cisco AS5800 and the TACACS+ server. The Cisco AS5800 and TACACS+ server use this text string to encrypt passwords and exchange responses.
Step 3 Type Ctrl-Z to return to privileged EXEC mode.
Step 4 Save your changes when ready.
For example, to enable the remote TACACS+ server to communicate with the Cisco AS5800, enter the commands as follows:
The host name of the TACACS+ server in the previous example is alcatraz. The key in the previous example (abra2cad) is the encryption key shared between the TACACS+ server and the Cisco AS5800. Substitute your own TACACS+ server host name and password for those shown.
For more information about these commands, refer to the security command reference for your Cisco IOS release, which is part of the Cisco IOS configuration guides and command references documentation.
On most TACACS+ security servers, there are three ways to authenticate a user for login:
The following is the configuration for global authentication:
To assign different passwords for CHAP, and a normal login, you must enter a string for each user. Each string must specify the security protocols, state whether the password is cleartext, and specify if the authentication is performed with a DES card. The following example shows a user aaaa, who has authentication configured for CHAP and login. The users CHAP password, "chap password," is shown in cleartext and the login password has been encrypted.
The default authentication is to deny authentication. You can change this at the top level of the configuration file to have the default use passwd(5) file, by issuing the following command:
On the Cisco AS5800, configure authentication on all lines including the VTY and Console lines by entering the following commands:
![]() |
Caution When you issue the aaa authentication login default tacacs+ enable command, you are specifying that if your TACACS+ server fails to respond (because it is set up incorrectly), you can log in to the Cisco AS5800 by using your enable password. If you do not have an enable password set on the Cisco AS5800, you will not be able to log in until you have a functioning TACACS+ daemon configured with user names and passwords. The enable password in this case is a last-resort authentication method. You can also specify none as the last-resort method, which means that no authentication is required if all other methods have failed. |
To use the AAA security facility in the Cisco IOS software, you must issue the aaa new-model command from global configuration mode.
When you issue the aaa new-model command, all lines on the Cisco AS5800 receive the implicit login authentication default method list, and all interfaces with PPP enabled have an implicit ppp authentication pap default method list applied.
![]() |
Caution If you authenticate users by a security server, do not inadvertently lock yourself out of the Cisco AS5800 ports after you issue the aaa new-model command. Enter line configuration mode and issue the aaa authentication login default tacacs+ enable global configuration command. This command specifies that if your TACACS+ (or RADIUS) server is not functioning properly, you can enter your enable password to log in to the Cisco AS5800. In general, verify that you have a last-resort access method before you are certain that your security server is set up and functioning properly. For more information about the aaa authentication command, refer to the "Defining Authentication Method Lists" section. |
![]() |
Note Cisco recommends that you use CHAP authentication with PPP, rather than PAP. CHAP passwords are encrypted when they cross the network, whereas PAP passwords are cleartext when they cross the network. The Cisco IOS software selects PAP as the default, so you must manually select CHAP. The process for specifying CHAP is described in Applying Authentication Method Lists. |
After you enable AAA globally on the Cisco AS5800, you need to define authentication method lists, which you then apply to lines and interfaces. These authentication method lists are security profiles that indicate the protocol (PPP) or login and authentication method (TACACS+, RADIUS, or local authentication).
To define an authentication method list:
1. Issue the aaa authentication command.
2. Specify protocol (PPP) or login authentication.
3. Identify a list name or default. A list name is any alphanumeric string you choose. You assign different authentication methods to different named lists.
4. Specify the authentication method. You can specify multiple methods, such as tacacs+, followed by local if a TACACS+ server is not available on the network.
5. Populate the local username database if you specified local as the authentication method (or one of the authentication methods). To use a local username database, you must issue the username global configuration command. Refer to the "Populate the Local Username Database if Necessary" section.
After defining these authentication method lists, apply them to your interfaces (synchronous or asynchronous) configured for PPP.
Refer to the "Applying Authentication Method Lists" section for information about applying these lists.
To define an authentication method list, enter the aaa authentication global configuration command, as shown in the following example:
After you enter aaa authentication, you must specify one of the following dial-in protocols as applicable for your network:
You can specify only one dial-in protocol per authentication method list; however, you can create multiple authentication method lists with each of these options. You must give each list a different name, as described in Identify a List Name.
If you specify the ppp option, the default authentication method for PPP is PAP. For greater security, specify CHAP. The full command is aaa authentication ppp chap.
For example, if you specify PPP authentication, the configuration looks like this:
A list name identifies each authentication list. You can choose either to use the keyword default, or choose any other name that describes the authentication list. For example, you name it ppp-radius if you intend to apply it to interfaces configured for PPP and RADIUS authentication. The list name can be any alphanumeric string. Use default as the list name for most lines and interfaces, and use different names on an exception basis.
You can create different authentication method lists and apply them to lines and interfaces selectively. You can even create a named authentication method list that you do not apply to a line or interface, but which you intend to apply at some later point, such as when you deploy a new log-in method for users.
After you define a list name, you must identify additional security attributes (such as local authentication versus TACACS+ or RADIUS).
In the following example, the default authentication method list for PPP dial-in clients uses the local security database:
In the following example, the PPP authentication method list name is insecure:
In the following example, the login authentication method list name is deveng:
After you identify a list name, you must specify an authentication method to identify how users will be authenticated. Authentication methods are defined with optional keywords in the aaa authentication command.
The following global configuration commands configure authentication methods for PPP.
Step 2 Create a local authentication list. Methods include if-needed, krb5, local, none, radius, tacacs+.
Step 3 Apply the authentication list to a line or set of lines.
Step 4 Type Ctrl-Z to return to privileged EXEC mode.
Step 5 Save your changes when ready.
The keyword list-name is any character string used to name the list you are creating. The keyword method refers to the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.
![]() |
TimeSaver If you are not sure whether you should use TACACS+ or RADIUS, consider the following: TACACS+ encrypts the entire payload of packets passed across the network, whereas RADIUS only encrypts the password when it crosses the network. TACACS+ can query the security server multiple times, whereas a RADIUS server gives one response only and is not as flexible regarding per-user authentication and authorization attempts. |
You can specify multiple authentication methods for each authentication list. The following authentication method example for PPP first queries a TACACS+ server, then a RADIUS server, then the local security database. Multiple authentication methods can be useful if you have multiple types of security servers on the network, and one or more types of security server do not respond.
If you specify more than one authentication method and the first method (TACACS+ in the previous example) is not available, the Cisco IOS software attempts to authenticate using the next method (such as RADIUS). If, in the previous example, the RADIUS server has no information about the user, or if no RADIUS server can be found, the user is authenticated using the local username database that was populated with the username command.
If authentication fails using the first method listed, the Cisco IOS software does not permit access. It does not attempt to authenticate using the subsequent security methods if the user entered the incorrect password.
If you specify local as the security method, you must specify username profiles for each user who might log in. An example of specifying local authentication is as follows:
This command specifies that anytime a user attempts to log in to a line on an Cisco AS5800, the Cisco IOS software checks the username database. To create a local username database, define username profiles using the username global configuration command.
The following example shows how to use the username command and password:
The show running-config command shows the encrypted version of the password, as follows:
This section includes authentication method list examples for:
The following example creates a local authentication list for users logging in to any line on the Cisco AS5800:
The following example specifies login authentication using RADIUS (the RADIUS daemon is polled for authentication profiles):
The following example specifies login authentication using TACACS+ (the TACACS+ daemon is polled for authentication profiles):
The following example creates a TACACS+ authentication list for users connecting to interfaces configured for dial-in using PPP. The name of the list is marketing. This example specifies that a remote TACACS+ daemon be used as the security database. If this security database is not available, the Cisco IOS software then polls the RADIUS daemon. Users are not authenticated if they are already authenticated on a TTY line.
In this example, default can be substituted for marketing if the administrator wants this list to be the default list.
As described in Defining Authentication Method Lists, the aaa authentication global configuration command creates authentication method lists or profiles. You apply these authentication method lists to lines or interfaces by issuing the login authentication or ppp authentication command, as described in Table 4-5.
Interface and Line Command | Action | Port to Which List Is Applied | Corresponding Global Configuration Command |
---|---|---|---|
1If you issued the ppp authentication command, you must specify either CHAP or PAP authentication. PAP is enabled by default, but Cisco recommends that you use CHAP because CHAP is more secure. For more information, refer to the security configuration guide for your Cisco IOS release, which is part of the Cisco IOS configuration guides and command references documentation. |
You can create more than one authentication list or profile for login and protocol authentication and apply them to different lines or interfaces. The following examples show the line or interface authentication commands that correspond to the aaa authentication global configuration command.
The following example shows the default log-in authentication list applied to the console port and the default virtual terminal (VTY) lines on the Cisco AS5800:
In the following example, the login authentication list named rtp2-office, which uses RADIUS authentication, is created. It is applied to all 54 lines on an configured with a channelized T1 PRI card, including the console (CTY) port, the 48 physical asynchronous (TTY) lines, the auxiliary (AUX) port, and 69 virtual terminal (VTY) lines:
The following sample output shows lines and their status on the Cisco AS5800.
The following example creates the PPP authentication list marketing, which uses TACACS+, and RADIUS authentication. The list marketing requires authentication only if the user has not been authenticated on another line. It is then applied to asynchronous lines 1-48 on a Cisco AS5800 and uses CHAP authentication, instead of the default of PAP.
You can configure the Cisco AS5800 to restrict user access to the network so that users can only perform certain functions after successful authentication. As with authentication, authorization can be used with either a local or remote security database. This guide describes only remote security server authorization.
A typical configuration often uses the EXEC facility and network authorization. EXEC authorization restricts access to the EXEC, and network authorization restricts access to network services, including PPP.
Authorization must be configured on both the Cisco AS5800 and the security daemon. The default authorization is different on the Cisco AS5800 and the security server:
![]() |
TimeSaver If authentication has not been set up for a user, per-user authorization attributes are not enabled for that user. That is, if you want a user to obtain authorization before gaining access to network resources, you must first require that the user provide authentication. For example, if you want to specify the aaa authorization network tacacs+ (or radius) command, you must first specify the aaa authentication {ppp} default if-needed tacacs+ (or radius) command. |
You typically have the three following methods for configuring default authorization on the security server:
a. If the AV pair from the Cisco AS5800 is mandatory, look for an exact match in the daemons mandatory list. If found, add the AV pair to the output.
b. If an exact match does not exist, look in the daemons optional list for the first attribute match. If found, add the Cisco AS5800 AV pair to the output.
c. If no attribute match exists, deny the command if the default is to deny. If the default is permit, add the Cisco AS5800 AV pair to the output.
d. If the AV pair from the Cisco AS5800 is optional, look for an exact attribute, value match in the mandatory list. If found, add the daemons AV pair to output.
e. If not found, look for the first attribute match in the mandatory list. If found, add daemons AV pair to output.
f. If no mandatory match exists, look for an exact attribute, value pair match among the daemons optional AV pairs. If found, add the daemons matching AV pair to the output.
g. If no exact match exists, locate the first attribute match among the daemons optional AV pairs. If found, add the daemons matching AV pair to the output.
h. If no match is found, delete the AV pair if default is deny. If the default is permit, add the Cisco AS5800 AV pair to the output.
i. If there is no attribute match already in the output list after all AV pairs have been processed for each mandatory daemon AV pair, add the AV pair. Add only one AV pair for each mandatory attribute.
The following global configuration commands configure network and EXEC authorization.
Step 2 Prevents users from logging in to the privileged EXEC facility.
Step 3 Type Ctrl-Z to return to privileged EXEC mode.
Step 4 Save your changes when ready.
![]() |
Note You can also require authorization before a user can issue specific commands by using the aaa authorization command. For more information, refer to the security configuration guide for your Cisco IOS release, which is part of the Cisco IOS configuration guides and command references. |
Authorization methods are defined as optional keywords in the aaa authorization command. The following global configuration command configure both network and EXEC AAA authorization. Table 4-5 defines authorization methods.
Step 2 Type Ctrl-Z to return to privileged EXEC mode.
Step 3 Save your changes when ready.
When you configure authorization, you must ensure that the parameters established on the Cisco AS5800 correspond with those set on the TACACS+ server.
The following example uses a TACACS+ server to authorize the use of network services, including PPP. If the TACACS+ server is not available or has no information about a user, no authorization is performed, and the user can use all network services.
The following example permits the user to run the EXEC process if the user is authenticated. If the user is not authenticated, the Cisco IOS software defers to a RADIUS server for authorization information.
The following example configures network authorization. If the TACACS+ server does not respond or has no information about the username being authorized, the RADIUS server is polled for authorization information for the user. If the RADIUS server does not respond, the user still can access all network resources without authorization requirements.
The following examples show complete security configuration components of a configuration file on a Cisco AS5800. Each example shows authentication and authorization.
The following sample configuration uses AAA to configure default authentication using a local security database on the Cisco AS5800. All lines and interfaces have the default authentication lists applied. Users aaaa, bbbb, and cccc have been assigned privilege level 7. This prevents them from issuing ppp and slip commands because these commands have been assigned to privilege level 8.
The following configuration displays the sign-on dialog from a remote PC:
The following example shows how to create and apply the following authentication lists:
![]() |
Note The authentication method lists used in this example use names other than default. However, you generally specify default as the list name for most lines and interfaces, and apply different named lists on an exception basis. These names are used only for illustrative purposes. |
The following example shows how to create the following authentication lists:
Posted: Sun Jan 19 00:52:50 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.