
Configuring AAA Using the Local User Database

Unauthorized access to a network creates the potential for network intruders to gain access

Step 6 Verify the configuration.

Using AAA to Configure Local User Database Authentication

To configure a router to use the AAA process, you must begin by issuing the aaa new-model command. This command is a critical first step in establishing a local AAA user authentication account. By establishing the local authentication method first, you can reestablish your Telnet or console session and use the locally defined authentication list to access the router should a connection be lost while you are configuring AAA. Failing to do this causes the administrator to be locked out of the router. If this happens, you need physical access to the router (a console session) and must perform the password recovery sequence. In the most extreme cases, the entire configuration saved in NVRAM may be lost.

At a minimum, these commands should be entered, in this order:

Router(config)# aaa new-model
Router(config)# username username password password
Router(config)# aaa authentication login default local

The following is a complete list of aaa authentication commands for Cisco IOS Release 12.2 and later:

Table 4-2 AAA Commands to Secure Administrative and Remote LAN Access

Access Type                   Mode                            Network Access Server Ports        AAA Command Element
Remote administrative access  Character (line or EXEC mode)   TTY, vty, auxiliary, and console   login, exec, and enable commands
Remote network access         Packet (interface mode)         async, group-async, BRI, and PRI   ppp and network

aaa authentication arap
aaa authentication banner
aaa authentication enable default
aaa authentication fail-message
aaa authentication local-override
aaa authentication login
aaa authentication nasi
aaa authentication password-prompt
aaa authentication ppp
aaa authentication username-prompt

For a complete description of each aaa authentication command, refer to Table 4-3.

Table 4-3 AAA Authentication Commands

Command Description

aaa authentication arap

AppleTalk Remote Access Protocol (ARAP) users using RADIUS or TACACS+ use the aaa authentication arap global configuration command to enable an AAA authentication method. The no form of this command is used to disable this authentication.

aaa authentication banner

Use this command to create a personalized login banner.

aaa authentication enable default

Use the aaa authentication enable default global configuration command to enable AAA authentication to determine if a user can access the privileged command level. The no form of this command may be used to disable this authorization method.

aaa authentication fail-message

This command creates a message that is displayed when a user login fails.

aaa authentication local-override

This command is used to configure the Cisco IOS software to check the local user database for authentication before attempting another form of authentication. The no form of this command may be used to disable the override.

aaa authentication login

Use the aaa authentication login global configuration command to set AAA authentication at login. The no form of this command is used to disable AAA authentication.

aaa authentication nasi

To specify AAA authentication for NetWare Access Server Interface (NASI) clients who connect using the access server, use the aaa authentication nasi global configuration command. The no form of this command is used to disable authentication for NASI clients.

aaa authentication password-prompt

Use the aaa authentication password-prompt global configuration command to change the text displayed when users are prompted for a password. The no form of this command is used to return to the default password prompt text.


Although understanding all these commands can be quite useful, it is important that you learn the following three commands and how to implement them in an AAA environment:

■ The aaa authentication login command

■ The aaa authentication ppp command

■ The aaa authentication enable default command

After you have enabled AAA globally on the access server, you need to define the authentication method lists and apply them to lines and interfaces. These are security profiles that indicate the service (PPP, dot1x, or login) and the authentication method. You may specify up to five authentication methods (local, group TACACS+, group RADIUS, line, or enable authentication) to apply to a line or interface. Although the focus of this section is the local user database, if you are working with multiple authentication methods, it is a best practice to make either local or enable authentication the final method so that you can recover from a severed link to the chosen method server.
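As an added illustration (not code from the book), the following Python check audits a running-config excerpt for the two conditions this section stresses: that aaa new-model is paired with a local username and a default login list, so an administrator is not locked out, and that every aaa authentication login method list ends with local or enable as its fallback. The sample configuration is constructed for the example.

```python
import re

# Constructed running-config excerpt (not taken from the book). The second
# login list deliberately ends with a server group and has no fallback.
SAMPLE_CONFIG = """\
aaa new-model
username admin password secret
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE group radius
aaa authentication enable default group tacacs+ enable
"""

# Methods the section recommends as the final entry of a list: they keep
# working when the TACACS+ or RADIUS server is unreachable.
FALLBACK_METHODS = {"local", "enable"}


def parse_method_lists(config):
    """Return {list_name: [methods]} for every 'aaa authentication login' line."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"^aaa authentication login (\S+)\s+(.*)$", line.strip())
        if not m:
            continue
        name, rest = m.groups()
        tokens, methods, i = rest.split(), [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])  # e.g. "group tacacs+"
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[name] = methods
    return lists


def audit(config):
    """Return human-readable findings describing lockout risks in config."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    lists = parse_method_lists(config)
    if "aaa new-model" in lines:
        if "default" not in lists:
            findings.append("aaa new-model without a default login list")
        if not any(l.startswith("username ") for l in lines):
            findings.append("no local username configured")
    for name, methods in lists.items():
        if methods[-1] not in FALLBACK_METHODS:
            findings.append(f"list {name} has no local or enable fallback")
        if len(methods) > 5:
            findings.append(f"list {name} has more than five methods")
    return findings
```

Running audit(SAMPLE_CONFIG) reports only the CONSOLE list, because the default list already falls back to the local user database.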

Defining a Method List

To define an authentication method list using the aaa authentication command, you need to follow three steps:

Step 1 In global configuration mode, use the aaa authentication command to configure