D-Link DI-1750 Reference Manual page 338


It is important to note that the Router attempts to authenticate with a later method in the list
only when the previous method returns no response. If authentication fails at any point in this
process, meaning that the security server or local username database responds by denying the
user access, the authentication process terminates and no further authentication attempt is made.
2. Examples Of Methods List
Figure 8-2 shows a typical AAA network configuration that includes four security servers: R1 and R2 are
RADIUS servers and T1 and T2 are TACACS+ servers.
Suppose the system administrator has decided that all ports authenticate PPP-based
connections with the same authentication method in the security scheme: first, contact R1 for the
relevant authentication information; if R1 doesn't respond, contact R2; if R2 doesn't respond, then
T1, then T2. If none of the designated servers respond, authentication falls back to the local user
name database of the access server itself. To achieve this, the system admin needs to enter
the following command: aaa (default) authentication ppp radius local.
In this example, "default" is the name of the method list. The protocols included in this method list are
listed after the name, in the order they are to be queried. The default list is automatically applied to all
interfaces.
When a remote user attempts to access the network by dial-up, the network access server requests the
relevant authentication information from R1. If the user is authenticated as legitimate, R1 sends a PASS
reply to the network access server, which allows the user access. If R1 answers with a FAIL message, the
user is denied access and the session is terminated. If there is no response from R1, the network access
server treats this as an ERROR and looks for the authentication information on R2. This pattern continues
through the remaining methods until the user is accepted or rejected, or the session is terminated.
It is important to remember that a FAIL response is completely different from an ERROR response. FAIL
indicates that the user has not met the criteria for successful authentication contained in the
authentication database, and the authentication ends with a FAIL response. ERROR means that
the security server has not responded to an authentication query. Only when AAA detects an ERROR does it
select the next authentication method defined in the authentication method list.
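The FAIL/ERROR rule described above, as a small Python model (an added example, not taken from the manual or the router's firmware). The server names follow Figure 8-2; the account tables and the helpers `make_server`, `authenticate` and `build_list` are constructed for illustration, and denying access when every method returns ERROR is an assumption.

```python
from enum import Enum

class Reply(Enum):
    PASS = "PASS"    # server answered: credentials accepted
    FAIL = "FAIL"    # server answered: credentials rejected
    ERROR = "ERROR"  # server did not answer the query

def make_server(users, reachable=True):
    """Constructed stand-in for a security server or the local user database."""
    def query(username, password):
        if not reachable:
            return Reply.ERROR
        ok = username in users and users[username] == password
        return Reply.PASS if ok else Reply.FAIL
    return query

def authenticate(method_list, username, password):
    """Walk the method list in order and return (granted, trace)."""
    trace = []
    for name, query in method_list:
        reply = query(username, password)
        trace.append((name, reply.value))
        if reply is Reply.PASS:
            return True, trace
        if reply is Reply.FAIL:
            return False, trace  # a definite denial ends the process
        # ERROR: no response, so move on to the next method in the list
    return False, trace  # assumption: deny when every method returned ERROR

# Constructed sample accounts (not from the manual)
SERVER_USERS = {"alice": "s3cret"}
LOCAL_USERS = {"admin": "local-pw"}

def build_list(r1_up=True, r2_up=True, t1_up=True, t2_up=True):
    """Method list in the order described above: R1, R2, T1, T2, then local."""
    return [
        ("R1", make_server(SERVER_USERS, r1_up)),
        ("R2", make_server(SERVER_USERS, r2_up)),
        ("T1", make_server(SERVER_USERS, t1_up)),
        ("T2", make_server(SERVER_USERS, t2_up)),
        ("local", make_server(LOCAL_USERS)),
    ]

if __name__ == "__main__":
    # R1 answers FAIL for a local-only account: local is never consulted.
    print(authenticate(build_list(), "admin", "local-pw"))
    # All four servers silent: the local database makes the decision.
    print(authenticate(build_list(False, False, False, False), "admin", "local-pw"))
```

The second call shows why the local username database needs the same care as the security servers: it decides every login whenever all four servers are unreachable.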
Suppose that the system administrator wants to apply a method list only to a particular interface or set
of interfaces. In this case, the system admin needs to create a non-default named method list and
apply this list to the appropriate port. The example below shows how a system admin applies a
certain authentication method only to an asynchronous port:
[DEFAULT@RouterA /config/]#aaa
(00)accounting          Accounting configurations parameters
(01)authentication      Authentication configurations parameters
......
Please Input the code of command to be excute(0-5): 1
......
(03)ppp                 Set authentication list for ppp
(04)username-prompt     Text to use when prompting for a username
Please Input the code of command to be excute(0-4): 3

Figure 8-2 A typical AAA network configuration


This manual is also suitable for:

Di-2621, Di-2630, Di-3660
