Method lists are significant features of AAA, and it is important to understand their syntax and use. The following AAA method lists are discussed in this appendix:
AAA authentication method lists control administrative access and authentication. Consider the following general rules when applying authentication method lists:
Caution: It is possible for you to lock yourself out of the system, so BEWARE!
Table A-1 lists and describes commonly defined AAA authentication services.
You can also use either named or default method lists. Use named method lists if you want to use different method lists for the same services but on different interfaces. Named lists are typically used to discriminate between remote user login to the system and administrative login. Default method lists simply use the word default as a name keyword.
Caution: If you do not apply a named list to an interface or interfaces, it will not be used. Also, the name option does not appear in the syntax related to applying named lists under the interfaces.
Table A-2 lists and defines AAA authentication methods.
Caution: For security reasons, take care in using the none option.
In general, if a "fail" response is received, authentication attempts will not continue down the list. However, there are exceptions to this: one is when an error is received (for example, a server is down); the other is during a local username lookup. In addition, the authentication list will continue if there is no match for the user in the local username list. If there is a match in the local list but authentication fails (the password is wrong), the authentication will not continue.
Caution: Take great care in defining lists. Consider possible server-failure scenarios, and minimize repeated authentications.
The syntax for AAA authentication is as follows:
aaa authentication service listname method1 method2 . . . methodn
where service represents available services that are predefined; listname can be either a user-defined character string or the keyword default; and the methods are lists of predefined options in combination with reference to named AAA groups where the group option is used.
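The list-walking rules above (fail stops, error continues, a missing local username continues but a wrong local password stops), modelled as an added example that is not from the Cisco guide; the server-group state, the usernames and the sample command line are constructed assumptions:

```python
# Added example, not from the Cisco guide: a model of how an AAA
# authentication method list is walked, using the fail/error rules above.
PASS, FAIL, ERROR = "pass", "fail", "error"

# Constructed state (hypothetical values): reachable server groups,
# the local username database, and what each server group knows.
SERVER_UP = {"tacacs+": False, "radius": True}      # tacacs+ group is down
LOCAL_USERS = {"admin": "s3cret"}
SERVER_USERS = {"radius": {"alice": "wonderland"}}

def parse_list(cmd):
    """Split 'aaa authentication SERVICE LISTNAME METHOD ...' into parts;
    'group NAME' becomes one method token."""
    w = cmd.split()
    if w[:2] != ["aaa", "authentication"] or len(w) < 5:
        raise ValueError("expected: aaa authentication service listname method...")
    methods, rest = [], w[4:]
    while rest:
        n = 2 if rest[0] == "group" else 1
        methods.append(" ".join(rest[:n]))
        rest = rest[n:]
    return w[2], w[3], methods

def try_method(method, user, password):
    """Outcome of one method: PASS, FAIL, or ERROR (list keeps going)."""
    if method == "none":
        return PASS                      # no authentication at all
    if method == "local":
        if user not in LOCAL_USERS:      # no local entry: list continues
            return ERROR
        return PASS if LOCAL_USERS[user] == password else FAIL
    if method.startswith("group "):
        grp = method.split()[1]
        if not SERVER_UP.get(grp, False):
            return ERROR                 # server down: list continues
        return PASS if SERVER_USERS.get(grp, {}).get(user) == password else FAIL
    raise ValueError(f"unsupported method {method!r}")

def authenticate(methods, user, password):
    """Walk the list: PASS or FAIL decides, ERROR moves to the next method.
    Returns (result, deciding method); (FAIL, None) if nothing could decide."""
    for m in methods:
        outcome = try_method(m, user, password)
        if outcome != ERROR:
            return outcome, m
    return FAIL, None

def lockout_risk(methods):
    """True when no method can answer with every server group down (admin lockout)."""
    return not any(m in ("local", "none") for m in methods)
```

Running `lockout_risk` over each list before applying it is the check behind the lockout caution above; a list that ends in `none` passes that check only because it lets anyone in once the servers are unreachable.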
AAA authorization method lists control authorization for various services. Consider the following general rules when applying authorization method lists:
Table A-3 lists and describes commonly defined AAA authorization services. Other services include commands and reverse Telnet. See Enabling AAA and RADIUS.
Service | Description |
---|---|
exec | Starts an EXEC shell, used with scripted logins and TCP Clear |
You can also use either named or default method lists, as discussed in Types of Authentication Lists and Methods. Remember to apply the list to an interface.
Table A-4 lists and defines AAA authorization methods.
Method | Definition |
---|---|
if-authenticated | Let users who are successfully authenticated do whatever they want |
Caution: For security reasons, take care in using the none option.
In general, if a "fail" response is received, authorization attempts will not continue down the list. However, an exception is when a server is down.
Caution: Take great care in defining lists, and consider possible server failure scenarios.
The syntax for AAA authorization is as follows:
aaa authorization service listname method1 method2 . . . methodn
where service represents available services that are predefined; listname can be either a user-defined character string or the keyword default; and the methods are lists of predefined options in combination with reference to named AAA groups where the group option is used.
When AAA accounting is activated, the UG reports user activity to a TACACS+ or RADIUS server (depending on what is implemented) in the form of accounting records. The data, stored as attribute-value (AV) pairs, can then be analyzed for network management, client billing, or auditing.
AAA accounting method lists control how that user activity is reported. Consider the following general rules when applying accounting method lists:
Table A-5 lists and describes commonly defined AAA accounting services.
Service | Description |
---|---|
 | Enables login access, either through scripted login or telnet |
You can also use either named or default method lists. Use named method lists if you want to use different method lists for the same services but on different interfaces. Named lists are typically used to discriminate between remote user login to the system and administrative login. Default method lists simply use the word default as a name keyword.
Caution: If you do not apply a named list to an interface or interfaces, it will not be used. Also, you can only use the default method list for system accounting.
Table A-6 lists and defines AAA accounting methods.
You will also need to determine when to send accounting records, through time command options that are entered in the accounting method list. Table A-7 lists and defines the time options for AAA accounting.
Option | Definition |
---|---|
wait-start | Same as for start-stop, but wait for the ACK of the start record before allowing the user session to proceed |
Accounting records will be sent to subsequent defined methods only if no ACK is received. A missing ACK indicates that an error occurred (for example, a server is down).
The syntax for AAA accounting is as follows:
aaa accounting service listname method1 method2 . . . methodn
where service represents available services that are predefined; listname can be either a user-defined character string or the keyword default; and the methods are lists of predefined options in combination with reference to named AAA groups where the group option is used.
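How records move down an accounting method list, and what the wait-start option changes compared with start-stop, as an added example that is not from the Cisco guide; which server groups ACK is a constructed assumption:

```python
# Added example, not from the Cisco guide: how accounting records flow down
# an accounting method list, and what the wait-start option changes.
START_STOP, STOP_ONLY, WAIT_START, NONE = "start-stop", "stop-only", "wait-start", "none"

# Constructed state (hypothetical): which server groups currently ACK records.
ACKS = {"group tacacs+": False, "group radius": True}   # tacacs+ group is down

def send_record(record, methods):
    """Offer one record to each method in turn; a later method is tried
    only when no ACK came back. Returns the method that ACKed, or None."""
    for m in methods:
        if ACKS.get(m, False):
            return m
    return None

def run_session(option, methods):
    """Simulate one user session under a time option.
    Returns (session_allowed, {record: method that ACKed it})."""
    acked = {}
    if option == NONE:
        return True, acked                 # nothing is ever recorded
    if option in (START_STOP, WAIT_START):
        acked["start"] = send_record("start", methods)
        if option == WAIT_START and acked["start"] is None:
            return False, acked            # fail closed: no ACK, no session
    acked["stop"] = send_record("stop", methods)   # start-stop proceeds regardless
    return True, acked
```

With start-stop the session proceeds even when no method ACKs, so an outage leaves an audit gap; wait-start refuses the session instead, which is the trade-off to weigh against the server-failure caution above.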
Posted: Wed Jan 22 01:50:29 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.