This chapter describes the function and displays the syntax for AAA and non-AAA authentication commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Security Command Reference.
To enable an AAA authentication method for AppleTalk Remote Access (ARA) users using RADIUS or TACACS+, use the aaa authentication arap global configuration command. Use the no form of this command to disable this authentication.
aaa authentication arap {default | list-name} method1 [method2...]
default | Uses the listed methods that follow this argument as the default list of methods when a user logs in. |
list-name | Character string used to name the following list of authentication methods tried when a user logs in. |
method | AAA authentication method for ARAP. |
To enable AAA authentication to determine if a user can access the privileged command level, use the aaa authentication enable default global configuration command. Use the no form of this command to disable this authorization method.
aaa authentication enable default method1 [method2...]
method | At least one AAA authentication method. |
To configure the Cisco IOS software to check the local user database for authentication before attempting another form of authentication, use the aaa authentication local-override global configuration command. Use the no form of this command to disable the override.
aaa authentication local-override
To set AAA authentication at login, use the aaa authentication login global configuration command. Use the no form of this command to disable AAA authentication.
aaa authentication login {default | list-name} method1 [method2...]
default | Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in. |
list-name | Character string used to name the following list of authentication methods activated when a user logs in. |
method | At least one AAA authentication method. |
To specify AAA authentication for NetWare Asynchronous Services Interface (NASI) clients connecting through the access server, use the aaa authentication nasi global configuration command. Use the no form of this command to disable authentication for NASI clients.
aaa authentication nasi {default | list-name} method1 [method2...]
default | Makes the listed authentication methods that follow this argument the default list of methods used when a user logs in. |
list-name | Character string used to name the following list of authentication methods activated when a user logs in. |
method | At least one AAA authentication method. |
To change the text displayed when users are prompted for a password, use the aaa authentication password-prompt global configuration command. Use the no form of this command to return to the default password prompt text.
aaa authentication password-prompt text-string
text-string | String of text that will be displayed when the user is prompted to enter a password. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your password:"). |
To specify one or more AAA authentication methods for use on serial interfaces running Point-to-Point Protocol (PPP), use the aaa authentication ppp global configuration command. Use the no form of this command to disable authentication.
aaa authentication ppp {default | list-name} method1 [method2...]
default | Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in. |
list-name | Character string used to name the following list of authentication methods tried when a user logs in. |
method | At least one AAA authentication method. |
To change the text displayed when users are prompted to enter a username, use the aaa authentication username-prompt global configuration command. Use the no form of this command to return to the default username prompt text.
aaa authentication username-prompt text-string
text-string | String of text that will be displayed when the user is prompted to enter a username. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your name:"). |
To enable the AAA access control model, issue the aaa new-model global configuration command. Use the no form of this command to disable this functionality.
aaa new-model
To apply your per-user authorization attributes to an interface during a PPP session, use the access-profile EXEC command. Use the default form of the command (no keywords) to cause existing access control lists (ACLs) to be removed, and ACLs defined in your per-user configuration to be installed.
access-profile [merge | replace] [ignore-sanity-checks]
merge | (Optional) Like the default form of the command, this option removes existing ACLs while retaining other existing authorization attributes for the interface. However, using this option also installs per-user authorization attributes in addition to the existing attributes. (The default form of the command installs only new ACLs.) The per-user authorization attributes come from all AV pairs defined in the AAA per-user configuration (the user's authorization profile). The interface's resulting authorization attributes are a combination of the previous and new configurations. |
replace | (Optional) This option removes existing ACLs and all other existing authorization attributes for the interface. A complete new authorization configuration is then installed, using all AV pairs defined in the AAA per-user configuration. This option is not normally recommended because it initially deletes all existing configuration, including static routes. This could be detrimental if the new user profile does not reinstall appropriate static routes and other critical information. |
ignore-sanity-checks | (Optional) Enables you to use any AV pairs, whether or not they are valid. |
To enable AAA authentication for ARA on a line, use the arap authentication line configuration command. Use the no form of the command to disable authentication for an ARA line.
arap authentication {default | list-name} [one-time]
default | Default list created with the aaa authentication arap command. |
list-name | Indicated list created with the aaa authentication arap command. |
one-time | (Optional) Accepts the username and password in the username field. |
To enable AAA authentication for logins, use the login authentication line configuration command. Use the no form of this command to either disable TACACS+ authentication for logins or to return to the default.
login authentication {default | list-name}
default | Uses the default list created with the aaa authentication login command. |
list-name | Uses the indicated list created with the aaa authentication login command. |
To configure your router to use TACACS user authentication, use the login tacacs line configuration command. Use the no form of this command to disable TACACS user authentication for a line.
login tacacs
To enable AAA authentication for NetWare Asynchronous Services Interface (NASI) clients connecting to a router, use the nasi authentication line configuration command. Use the no form of the command to return to the default, as specified by the aaa authentication nasi command.
nasi authentication {default | list-name}
default | Uses the default list created with the aaa authentication nasi command. |
list-name | Uses the list created with the aaa authentication nasi command. |
To enable CHAP or PAP or both and to specify the order in which CHAP and PAP authentication are selected on the interface, use the ppp authentication interface configuration command. Use the no form of this command to disable this authentication.
ppp authentication {chap | chap pap | pap chap | pap} [if-needed] [list-name | default] [callin] [one-time]
chap | Enables CHAP on a serial interface. |
pap | Enables PAP on a serial interface. |
chap pap | Enables both CHAP and PAP, and performs CHAP authentication before PAP. |
pap chap | Enables both CHAP and PAP, and performs PAP authentication before CHAP. |
if-needed | (Optional) Used with TACACS and extended TACACS. Does not perform CHAP or PAP authentication if the user has already provided authentication. This option is available only on asynchronous interfaces. |
list-name | (Optional) Used with AAA. Specifies the name of a list of methods of authentication to use. If no list name is specified, the system uses the default. The list is created with the aaa authentication ppp command. |
default | (Optional) Uses the default method list created with the aaa authentication ppp command. |
callin | (Optional) Specifies authentication on incoming (received) calls only. |
one-time | (Optional) Accepts the username and password in the username field. |
To create a pool of dialup routers that all appear to be the same host when authenticating with CHAP, use the ppp chap hostname interface configuration command. To disable this function, use the no form of the command.
ppp chap hostname hostname
hostname | The name sent in the CHAP challenge. |
To enable a router calling a collection of routers that do not support this command (such as routers running older Cisco IOS software images) to configure a common CHAP secret password to use in response to challenges from an unknown peer, use the ppp chap password interface configuration command. To disable this function, use the no form of this command.
ppp chap password secret
secret | The secret used to compute the response value for any CHAP challenge from an unknown peer. |
To refuse CHAP authentication from peers requesting it, use the ppp chap refuse interface configuration command. To disable this function, use the no form of this command.
ppp chap refuse [callin]
callin | (Optional) This keyword specifies that the router will refuse to answer CHAP authentication challenges received from the peer, but will still require the peer to answer any CHAP challenges the router sends. |
To specify that the router will not authenticate to a peer requesting CHAP authentication until after the peer has authenticated itself to the router, use the ppp chap wait interface configuration command. To disable this function, use the no form of this command.
ppp chap wait
To reenable remote PAP support for an interface and use the sent-username and password in the PAP authentication request packet to the peer, use the ppp pap sent-username interface configuration command. Use the no form of this command to disable remote PAP support.
ppp pap sent-username username password password
username | Username sent in the PAP authentication request. |
password | Password sent in the PAP authentication request. |
password | Must contain from 1 to 25 uppercase and lowercase alphanumeric characters. |
To enable TACACS for PPP authentication, use the ppp use-tacacs interface configuration command. Use the no form of the command to disable TACACS for PPP authentication.
ppp use-tacacs [single-line]
single-line | (Optional) Accept the username and password in the username field. This option applies only when using CHAP authentication. |
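The fragment below is an added example, not part of the command reference, showing how the global method-list commands in this chapter combine with the line and interface commands that apply them: a default login list with local fallback, a separate console list, and a CHAP-only dial-in interface tied to its own PPP list. List names, hostnames, the interface number and the local account are constructed placeholders, and the bare tacacs+ and radius method keywords assume the Cisco IOS releases this chapter documents (later releases write them as group tacacs+ and group radius).

```cisco
! Constructed example configuration; names and secrets are placeholders.
! Enable the AAA access control model. Without it the aaa authentication
! commands are not accepted and lines use line passwords or login tacacs.
aaa new-model
!
! Default login list: try TACACS+ first and fall back to the local user
! database only when the servers do not answer, not when they reject the user.
aaa authentication login default tacacs+ local
!
! Separate console list so an AAA server outage cannot lock out on-site
! recovery; it still requires a local account rather than the none method.
aaa authentication login CONSOLE local
!
! Privileged-EXEC and PPP method lists; the enable method keeps the
! enable password as the last resort for the enable list.
aaa authentication enable default tacacs+ enable
aaa authentication ppp default tacacs+ local
aaa authentication ppp DIALIN radius local
!
! Prompt strings contain spaces, so they must be double-quoted.
aaa authentication password-prompt "Password: "
aaa authentication username-prompt "Username: "
!
! Local account used by the local method above (placeholder password).
username recovery password <local-fallback-password>
!
! Apply the login lists to lines: console uses CONSOLE, vty lines the default.
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
!
! Dial-in async interface: CHAP only (PAP carries the password in clear text),
! authenticated through the DIALIN list on incoming calls. Every router in the
! pool presents the same CHAP hostname, and the router does not answer the
! peer's CHAP challenge until the peer has authenticated itself.
interface Async1
 encapsulation ppp
 ppp authentication chap DIALIN callin
 ppp chap hostname dialpool
 ppp chap wait
```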