Configuring Authentication On A Tacacs+ Server; Enabling Aaa Globally On The Access Server - Cisco AS5300-96VOIP-A Software Configuration Manual

Universal access server
Configuring Authentication on a TACACS+ Server

On most TACACS+ security servers, there are three ways to authenticate a user for login:

• Include a cleartext or DES-encrypted password for a user, or for a group the user is a member of (each user can belong to only one group). Note that ARAP, CHAP, and global user authentication must be specified in cleartext.

  The following is the configuration for global authentication:

    # one password used for every service this user authenticates to
    user = spaulson {
        global = cleartext "spaulson global password"
    }

  To assign different passwords for ARAP, CHAP, and a normal login, you must enter a string for each user. Each string must specify the security protocol, state whether the password is cleartext, and specify whether the authentication is performed via a DES card. The following example shows a user aaaa who has authentication configured for ARAP, CHAP, and login. The user's ARAP and CHAP passwords, "arap password" and "chap password", are shown in cleartext. The login password has been DES-encrypted.

    user = aaaa {
        arap  = cleartext "arap password"
        chap  = cleartext "chap password"
        login = des XQj4892fjk
    }

• Use password(5) files instead of entering the password into the configuration file directly. The default is to deny authentication. You can change this at the top level of the configuration file so that the default is the user's password(5) file, by adding the following line:

    # the "file" keyword is part of the tac_plus configuration syntax
    default authentication = file /etc/passwd

• Authenticate using an S/Key. If you have built and linked in an S/Key library and compiled TACACS+ to use it, you can specify that a user be authenticated via S/Key, as shown in the following example:

    user = bbbb {
        login = skey
    }

Enabling AAA Globally on the Access Server

To use the AAA security facility in the Cisco IOS software, you must enter the aaa new-model command from global configuration mode.

When you enter the aaa new-model command, all lines on the access server receive the implicit login authentication default method list, and all interfaces with PPP enabled have an implicit ppp authentication pap default method list applied.

On the access server, configure authentication on all lines, including the vty and console lines, by entering the following commands, beginning in privileged EXEC mode:

    5300# configure terminal
    5300(config)# aaa new-model
    5300(config)# aaa authentication login default tacacs+ enable

Caution
When you enter the aaa authentication login default tacacs+ enable command, you are specifying that if your TACACS+ server fails to respond (because it is set up incorrectly), you can log in to the access server by using your enable password. If you do not have an enable password set on the access server, you will not be able to log in to it until you have a functioning TACACS+ daemon configured with usernames and passwords. The enable password in this case is a last-resort authentication method. You can also specify none as the last-resort method, which means that no authentication is required if all other methods have failed.

Access Service Security 4-9
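The fallback behaviour described above, as an added example that is not from the Cisco manual: a small Python model of the login method list, plus the checks a reviewer would run before committing it. The DeviceState fields are constructed, and the rule that an explicit rejection from a method that did answer ends the attempt (only a non-responding method falls through) is an assumption stated in the comments.

```python
from dataclasses import dataclass


@dataclass
class DeviceState:
    """Constructed state of one access server at login time (not real device data)."""
    tacacs_reachable: bool     # can the TACACS+ daemon be contacted at all?
    tacacs_accepts: bool       # would the daemon accept the credentials if reached?
    enable_password_set: bool  # is an enable password configured on the box?
    enable_password_ok: bool   # did the user supply the correct enable password?


def login_result(methods, state):
    """Model of 'aaa authentication login default <methods>'.

    Returns (outcome, method_that_decided). Assumption, following the page:
    a later method is consulted only when the earlier one cannot answer
    (daemon not responding, no enable password set); an explicit reject
    from a method that did answer is final and does not fall through.
    """
    for method in methods:
        if method == "tacacs+":
            if not state.tacacs_reachable:
                continue                              # no response: try next method
            return ("PASS" if state.tacacs_accepts else "FAIL", method)
        if method == "enable":
            if not state.enable_password_set:
                continue                              # nothing to check against
            return ("PASS" if state.enable_password_ok else "FAIL", method)
        if method == "none":
            return ("PASS", method)                   # no authentication at all
        raise ValueError(f"unknown method {method!r}")
    return ("FAIL", None)   # every method was unable to answer: nobody can log in


def audit_method_list(methods, enable_password_set):
    """Configuration checks a reviewer would run over the method list."""
    findings = []
    if methods and methods[-1] == "none":
        findings.append("last resort is 'none': anyone logs in once TACACS+ stops responding")
    if "enable" in methods and not enable_password_set:
        findings.append("'enable' fallback listed but no enable password set: lockout if TACACS+ fails")
    if methods == ["tacacs+"]:
        findings.append("no fallback method: lockout if the TACACS+ daemon is unreachable")
    return findings


if __name__ == "__main__":
    for finding in audit_method_list(["tacacs+", "none"], enable_password_set=False):
        print("WARNING:", finding)
```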
