

Configuring AAA Using the Local User Database

Unauthorized access to a network creates the potential for network intruders to gain access

Step 3 Apply the authentication method lists to each of the following:

a. Lines: TTY, vty, console, auxiliary, and async lines, or the console port for login and asynchronous lines (in most cases) for ARAP

b. Interfaces: Interfaces sync, async, and virtual configured for PPP, Serial Line Interface Protocol (SLIP), NASI, or ARAP

Setting AAA Authentication for Login

The aaa authentication login command is issued in global configuration mode to set AAA authentication for login to a router's administration port. The following is a list of these commands:

aaa authentication login default enable is used to specify a default login authentication method list using the enable password.

aaa authentication login console-in local specifies the login authentication method list named console-in using the local username-password database on the router.

aaa authentication login tty-in line is used to specify a login authentication list named tty-in using the line password configured on the router.

The following is the syntax to be used for the aaa authentication login command:

aaa authentication login {default | list-name} method1 [method2...]

Configuring AAA Authentication on Serial Interfaces Running PPP

You may specify one or more AAA authentication methods for use on serial interfaces running PPP. To do this, you use the aaa authentication ppp command from global configuration mode. Here are the choices:

aaa authentication ppp default local: This command is used to specify a default PPP authentication method list using the local username-password database on the router.

aaa authentication ppp dial-in local none: This command is used to specify a PPP authentication method list named dial-in. It should be used on the initial login attempt, using the local username-password database on the router. If the local username is not defined, no authentication is used.

Table 4-4 aaa authentication login Command Elements

Command Element    Description

default    Specifies the default list of methods to be used when a user logs in, based on the methods that follow this argument.

list-name    Used to name the list of authentication methods activated when a user logs in.

method    One keyword must be specified. To use the local user database, use the local keyword. The keywords are:
    enable: The enable password is used for authentication.
    krb5: Kerberos 5 is used for authentication.
    krb5-telnet: The Kerberos 5 Telnet authentication protocol is used when using Telnet to connect to the router.
    line: The line password is used for authentication.
    local: The local username database is used for authentication.
    local-case: Provides case-sensitive local username authentication.
    none: No authentication is used.
    group radius: The list of all RADIUS servers is used for authentication.
    group tacacs+: The list of all TACACS+ servers is used for authentication.
    group group-name: Uses a subset of the RADIUS or TACACS+ servers for authentication, as defined by the aaa group server radius or aaa group server tacacs+ command.

Using the aaa authentication enable default Command

To enable AAA authentication to determine if a user can access the privileged command level, you use the aaa authentication enable default command. This command should be issued from global configuration mode.

The following is the syntax to be used for this command:

aaa authentication enable default method1 [method2...]

Authentication commands may be applied to both router lines and interfaces. As a best practice, you should always define a default list for AAA to provide a means of "last resort" authentication on all lines and interfaces protected by AAA. Example 4-1 shows the application of the authentication commands to router lines and interfaces.

Example 4-1 Applying Authentication Commands to Router Lines and Interfaces

router(config)# line console 0
router(config-line)# login authentication console-in
router(config)# int s3/0
router(config-if)# ppp authentication chap dial-in

Let's examine these commands:

line console 0 is issued to enter line console configuration mode.

login authentication console-in specifies an authentication list named console-in for login authentication on console port 0.

int s3/0 is issued to enter interface configuration mode on port 0 of serial interface slot number 3.

ppp authentication chap dial-in specifies an authentication method list named dial-in for use with PPP CHAP authentication on interface s3/0.

Implementing the aaa authorization Command

To set parameters that will restrict administrative EXEC access to the routers or user access to the network, you may use the aaa authorization command from global configuration mode. The following is the syntax:

aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]

Table 4-5 explains the syntax of the aaa authorization command.

Additionally, you can name authorization lists after specifying the service. You may list up to four failover methods.

Table 4-5 aaa authorization Command Elements

Command Element    Description

network    Used to implement authorization for all network-related service requests, such as SLIP, PPP Network Control Protocol (NCP), and ARAP.

exec    Used to implement authorization to determine if the user is allowed to run an EXEC shell.

commands    Used to implement authorization for all commands for a specific privilege level.

level    Used to specify the command level that should be authorized. Values may range from 0 to 15.

reverse-access    Used to implement authorization for reverse access connections, such as reverse Telnet.

configuration    Used to download the configuration from the AAA server.

default    Used to list the authentication methods, list-name and method, as the default list of methods for authorization.

list-name    Provides a character string used to name the list of authorization methods.

method    Specifies the method to be used for authentication, using one of the following keywords:
    group group-name: Specifies a subset of RADIUS or TACACS+ servers to be used for authentication. These are defined with the aaa group server radius or aaa group server tacacs+ commands.
    if-authenticated: The user is permitted to access the requested function if he or she has been validly authenticated.
    krb5-instance: Used in conjunction with the Kerberos instance map command to specify the instance to be used.
    local: Specifies the use of the local user database for authorization.

Here are some examples of the aaa authorization command:

router(config)# aaa authorization commands 15 default local
router(config)# aaa authorization commands 1 mickey local
router(config)# aaa authorization commands 15 goofy local
router(config)# aaa authorization network pluto local none
router(config)# aaa authorization exec donald if-authenticated

These commands are as follows:

aaa authorization commands 15 default local: The local user database is used to authorize the use of all level 15 commands for the default method list.

aaa authorization commands 1 mickey local: The local username database is used to authorize all level 1 commands for the mickey method list.

aaa authorization commands 15 goofy local: The local user database is used to authorize the use of all level 15 commands for the goofy method list.

aaa authorization network pluto local none: The local user database is used to authorize the use of all network services, such as SLIP, PPP, and ARAP, for the method list named pluto. If no local username is defined, this command does not perform authorization, and the user can use all network services.

aaa authorization exec donald if-authenticated: If the user has already been authenticated, this command allows the user to run the EXEC process.
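The dial-in and pluto lists above both end in none, and the text explains the consequence: when the local database cannot decide, the request goes through unauthenticated. The following Python script, added here as an example (it is not code from the book or from Cisco), parses an aaa authentication or aaa authorization command into its method list and then walks that list the way Cisco documents it: the next method is consulted only when the current method returns an error (it could not make a decision, such as no usernames being configured or a server group being unreachable), not when it returns an explicit failure such as a wrong password. The Router class, its users, passwords and server reachability are all constructed for the example.

```python
"""Walk an IOS AAA method list the way the chapter describes.

Added example, not code from the book or from Cisco. It models the fallback
behaviour behind lists such as 'aaa authentication ppp dial-in local none' and
'aaa authorization network pluto local none': only a method that returns an
ERROR (could not decide) hands the request to the next method in the list; an
explicit FAIL ends the walk. Users, passwords and server state are constructed.
"""
from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Router:
    local_users: dict = field(default_factory=dict)     # constructed 'username' database
    enable_password: str = ""
    line_password: str = ""
    server_groups: dict = field(default_factory=dict)   # group name -> reachable?
    server_users: dict = field(default_factory=dict)    # group name -> {user: password}


def parse_method_list(command):
    """Split 'aaa authentication|authorization <service> <list> method...' into
    (service, list_name, methods); 'group <name>' is kept as one method."""
    words = command.split()
    if words[:2] not in (["aaa", "authentication"], ["aaa", "authorization"]):
        raise ValueError("not an aaa authentication/authorization command")
    service, i = words[2], 3
    if service == "commands":                            # 'commands <level>' is a two-word service
        service, i = f"commands {words[3]}", 4
    list_name, methods, i = words[i], [], i + 1
    while i < len(words):
        if words[i] == "group" and i + 1 < len(words):
            methods.append(f"group {words[i + 1]}")
            i += 2
        else:
            methods.append(words[i])
            i += 1
    return service, list_name, methods


def run_method(method, router, user, password, authenticated):
    """Decide one method keyword: PASS, FAIL, or ERROR (method could not decide)."""
    if method == "none":
        return PASS                                      # no authentication/authorization at all
    if method == "if-authenticated":
        return PASS if authenticated else FAIL
    if method == "local":
        if not router.local_users:
            return ERROR                                 # no username defined: method unavailable
        return PASS if router.local_users.get(user) == password else FAIL
    if method == "enable":
        return PASS if password == router.enable_password else FAIL
    if method == "line":
        return PASS if password == router.line_password else FAIL
    if method.startswith("group "):
        group = method.split(None, 1)[1]
        if not router.server_groups.get(group, False):
            return ERROR                                 # server group unreachable
        return PASS if router.server_users.get(group, {}).get(user) == password else FAIL
    raise ValueError(f"unsupported method keyword: {method}")


def walk_method_list(methods, router, user="", password="", authenticated=False):
    """Return (decision, deciding_method). Only ERROR moves on to the next method;
    if every method errors, the request is rejected and no method is named."""
    for method in methods:
        result = run_method(method, router, user, password, authenticated)
        if result != ERROR:
            return result, method
    return FAIL, None


if __name__ == "__main__":
    _, name, methods = parse_method_list("aaa authentication ppp dial-in local none")
    empty = Router()                                     # no 'username' commands at all
    print(name, methods, walk_method_list(methods, empty, "bob", "x"))            # PASS via none
    populated = Router(local_users={"alice": "s3cret"})
    print(name, methods, walk_method_list(methods, populated, "alice", "wrong"))  # FAIL via local
```

The two runs in the main block show the point the text makes: with no usernames configured, local cannot decide and none lets the user through, whereas once a single username exists a wrong password is an explicit failure and none is never reached. The same walk applies to the authorization lists, including donald's if-authenticated method.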

Working with the aaa accounting Command

In addition to authorization and authentication, AAA provides accounting capabilities for either billing or security purposes, or both. To enable AAA accounting of a requested service when you are working with RADIUS or TACACS+, you issue the aaa accounting command from global configuration mode:

aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name

Table 4-6 explains the options that can be used with the aaa accounting command.

The following are a couple of examples of how this command may be implemented:

router(config)# aaa accounting commands 15 default stop-only group tacacs+
router(config)# aaa accounting auth-proxy default start-stop group tacacs+

The first example defines a default command accounting method list. Accounting services in this case are provided by a TACACS+ security server, and it has been set for privilege level 15 commands. A stop-only restriction is also implemented in this example.

The second example defines a default authentication proxy accounting method list in which accounting services are provided by a TACACS+ security server for authentication proxy events with a start-stop restriction. If you are unfamiliar with authentication proxy or the auth-proxy command, it is used to authenticate inbound or outbound users, or both.

Table 4-6 aaa accounting Command Elements

Command Element    Description

auth-proxy    Provides information about all authenticated proxy user events.

system    Performs accounting for all system-level events that are not associated with users.

network    Runs accounting for all network-related service requests, including SLIP, PPP, PPP NCP, and ARAP.

exec    Provides accounting for EXEC shell sessions.

connection    Provides information about all outbound connections made from the NAS.

commands level    Runs accounting for all commands at the specified privilege level. Privilege level entries are integers and may range from 0 to 15.

default    Sets the default list of methods for accounting services based on the listed accounting methods specified by list-name.

list-name    The list of at least one of the accounting methods.

vrf vrf-name    This optional command element, used only with system accounting, may be used to specify a VPN routing and forwarding (VRF) configuration.

start-stop    Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The start accounting record is sent in the background. Regardless of whether the start accounting notice was received by the accounting server, the requested user process begins.

stop-only    Sends a stop accounting notice at the end of the requested user
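The chapter's authentication, authorization and accounting commands only take effect once their lists are applied to lines and interfaces, and the text recommends a default list as a last resort. The following Python script, added here as an example (it is not code from the book or from Cisco), parses the global aaa authentication, aaa authorization and aaa accounting commands together with the line and interface commands that apply them, and reports the conditions this chapter warns about: no default list for login or enable authentication, a list referenced from a line or interface that is never defined, a named list that is defined but never applied, and an authentication or authorization list that falls back to none. The configuration it scans is constructed for the example, and the set of keywords it treats as ppp authentication protocol options rather than as a list name is an assumption.

```python
"""Static audit of IOS AAA method lists and where they are applied.

Added example, not from the book or from Cisco. SAMPLE_CONFIG is constructed;
the PPP_AUTH_OPTIONS set (keywords that follow 'ppp authentication' but are not
a list name) is an assumption made for the example.
"""

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default enable
aaa authentication login console-in local
aaa authentication login tty-in line
aaa authentication ppp dial-in local none
aaa authorization commands 15 default local
aaa authorization network pluto local none
aaa authorization exec donald if-authenticated
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
line console 0
 login authentication console-in
line vty 0 4
 login authentication vty-in
interface Serial3/0
 ppp authentication chap dial-in
"""

FAMILIES = ("authentication", "authorization", "accounting")
PPP_AUTH_OPTIONS = {"chap", "pap", "ms-chap", "ms-chap-v2", "eap", "callin", "one-time", "optional"}


def _methods(words):
    """Keep 'group <name>' together as a single method token."""
    out, i = [], 0
    while i < len(words):
        if words[i] == "group" and i + 1 < len(words):
            out.append(f"group {words[i + 1]}")
            i += 2
        else:
            out.append(words[i])
            i += 1
    return out


def parse_aaa_config(text):
    """Return (lists, refs).

    lists: {(family, service, list_name): [methods]} from the global aaa commands
    refs:  [(context, family, service, list_name)] for each line/interface application
    """
    lists, refs, context = {}, [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw.startswith(" "):                       # global configuration mode
            context = raw.strip()
            if words[0] == "aaa" and len(words) > 4 and words[1] in FAMILIES:
                family, service, i = words[1], words[2], 3
                if service == "commands":                 # 'commands <level>' is two words
                    service, i = f"commands {words[3]}", 4
                lists[(family, service, words[i])] = _methods(words[i + 1:])
            continue
        # sub-command of the current line or interface
        if words[:2] == ["login", "authentication"] and len(words) > 2:
            refs.append((context, "authentication", "login", words[2]))
        elif words[0] in ("authorization", "accounting") and len(words) > 2:
            refs.append((context, words[0], words[1], words[2]))
        elif words[:2] == ["ppp", "authentication"] and len(words) > 2:
            name = words[-1] if words[-1] not in PPP_AUTH_OPTIONS else "default"
            refs.append((context, "authentication", "ppp", name))
        elif words[0] == "ppp" and len(words) > 1 and words[1] in ("authorization", "accounting"):
            refs.append((context, words[1], "network", words[2] if len(words) > 2 else "default"))
    return lists, refs


def audit(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    lists, refs = parse_aaa_config(text)
    findings = []
    for service in ("login", "enable"):                   # the chapter's 'last resort' advice
        if ("authentication", service, "default") not in lists:
            findings.append(f"no default aaa authentication {service} list: last-resort authentication is undefined")
    for (family, service, name), methods in lists.items():
        if family != "accounting" and methods and methods[-1] == "none":
            findings.append(f"aaa {family} {service} {name}: method list falls back to 'none'")
    for context, family, service, name in refs:
        if (family, service, name) not in lists:
            findings.append(f"{context}: references undefined aaa {family} {service} list '{name}'")
    applied = {(f, s, n) for _, f, s, n in refs}
    for family, service, name in lists:
        if name != "default" and (family, service, name) not in applied:
            findings.append(f"aaa {family} {service} {name}: named list is defined but never applied")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed configuration, the audit reports the missing aaa authentication enable default list, the two lists that fall back to none, the vty lines that reference a login list that was never defined, and the tty-in, pluto and donald lists that are defined but applied nowhere. The accounting lists are parsed but not checked for none, because there the keyword selects a record type rather than an authentication method.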