Configure Radius - D-Link DI-1750 Reference Manual

The aaa authentication login radius-login radius local command configures the router to use RADIUS
for authentication at the login prompt. If RADIUS returns an error, the user is authenticated using the
local database.
The aaa authentication ppp radius-ppp radius command configures the router to use PPP authentication
with CHAP or PAP if the user has not already logged in. If the exec facility has authenticated the user,
PPP authentication is not performed.
The aaa authorization network radius-network radius command queries RADIUS for NETWORK service
authorization.
The login authentication radius-login command enables the radius-login method list for line 3.
2. TACACS+ Authentication Example
The following example configures TACACS+ as the security protocol to be used for PPP authentication:
aaa authentication ppp test tacacs+ local
interface serial1/0
ppp authentication chap pap test
tacacs server 1.2.3.4
tacacs key testkey
The command lines in this sample TACACS+ authentication configuration are defined as follows:
The aaa authentication ppp test tacacs+ local command defines a method list, "test," to be used on
serial interfaces running PPP. The keyword tacacs+ means that authentication will be done through
TACACS+. If TACACS+ returns an ERROR of some sort during authentication, the keyword local
indicates that authentication will be attempted using the local database on the network access server.
The interface command selects the port.
The ppp authentication command applies the test method list to this port.
The tacacs-server command identifies the TACACS+ server as having an IP address of 1.2.3.4.
The config-tacacs-server key command defines the shared encryption key to be "testkey."
The following example configures AAA authentication for PPP:
aaa authentication ppp default if-needed tacacs+ local
In this example, the keyword default means that PPP authentication is applied by default to all
interfaces. The if-needed keyword means that if the user has already authenticated by going through
the ASCII login procedure, then PPP authentication is not necessary and can be skipped. If
authentication is needed, the keyword tacacs+ means that authentication will be done through the
TACACS+ server. If TACACS+ returns an ERROR of some sort during authentication, the keyword local
indicates that authentication will be attempted using the local database on the router.
The following example creates the same authentication algorithm for PAP but calls the method list
"test-list" instead of "default":
aaa authentication pap test-list if-needed tacacs+ local
interface serial1/0
ppp authentication pap test-list
In this example, since the list does not apply to any interfaces, the administrator must first select
the interfaces to which this authentication scheme should apply by using the config-interface command,
and then apply this method list to those interfaces by using the ppp authentication command.
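
The following added example (not part of the manual or of D-Link software) audits a configuration written in the syntax of the examples above: it reports named method lists that are defined but never applied to an interface, interfaces that reference an undefined list, interfaces that permit PAP, and lists that end without the local method. The finding names, the sample configuration and the rule that an unnamed ppp authentication line uses the default list are assumptions made for this example.

```python
PROTOCOLS = {"chap", "pap"}

# Constructed sample configuration (not taken from the manual).
SAMPLE = """\
aaa authentication ppp default if-needed tacacs+ local
aaa authentication ppp test tacacs+ local
aaa authentication pap test-list if-needed tacacs+
interface serial1/0
ppp authentication chap pap test
interface serial1/1
ppp authentication chap branch
"""

def audit(config):
    """Return sorted (finding, subject) tuples for a configuration text."""
    defined, applied, iface = {}, [], None
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["aaa", "authentication"] and len(w) > 4 and w[2] in ("ppp", "pap"):
            # w[3] is the list name; if-needed is a keyword, not a method.
            defined[w[3]] = [m for m in w[4:] if m != "if-needed"]
        elif w[:1] == ["interface"] and len(w) > 1:
            iface = w[1]
        elif w[:2] == ["ppp", "authentication"]:
            protos = [x for x in w[2:] if x in PROTOCOLS]
            names = [x for x in w[2:] if x not in PROTOCOLS]
            # Assumption: with no list named, the default list is used.
            applied.append((iface, protos, names[0] if names else "default"))
    findings = set()
    used = {name for _, _, name in applied}
    for iface, protos, name in applied:
        if name not in defined:
            findings.add(("undefined-list", f"{iface}:{name}"))
        if "pap" in protos:
            # PAP sends the password in cleartext over the link.
            findings.add(("pap-enabled", iface))
    for name, methods in defined.items():
        # The default list applies to all interfaces, so only named lists are checked.
        if name != "default" and name not in used:
            findings.add(("unapplied-list", name))
        # Without a trailing local method nothing is tried after a server ERROR.
        if methods and methods[-1] != "local":
            findings.add(("no-local-fallback", name))
    return sorted(findings)

if __name__ == "__main__":
    for kind, subject in audit(SAMPLE):
        print(f"{kind:18} {subject}")
```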

8.2 Configure RADIUS

This chapter describes the Remote Authentication Dial-In User Service (RADIUS) security system,
defines its operation, and identifies appropriate and inappropriate network environments for using
RADIUS technology. The "RADIUS Configuration Task List" section describes how to configure
RADIUS with the authentication, authorization, and accounting (AAA) command set. The "RADIUS

This manual is also suitable for: DI-2621, DI-2630, DI-3660