Defining Authentication Method Lists - Cisco AS5300-96VOIP-A Software Configuration Manual

Cisco AS5300 Universal Access Server Software Configuration Guide

Configuring Authentication

Caution
If you intend to authenticate users via a security server, make sure you do not inadvertently lock
yourself out of the access server ports after you enter the aaa new-model command. Enter line configuration
mode and enter the aaa authentication login default tacacs+ enable global configuration command. This
command specifies that if your TACACS+ (or RADIUS) server is not functioning properly, you can enter your
enable password to log in to the access server. In general, make sure you have a last-resort access method
before you are certain that your security server is set up and functioning properly. For more information about
the aaa authentication command, refer to the next section "Defining Authentication Method Lists."

Note
Cisco recommends that you use CHAP authentication with PPP, rather than PAP. CHAP
passwords are encrypted when they cross the network, whereas PAP passwords are cleartext when
they cross the network. The Cisco IOS software selects PAP as the default, so you must manually
select CHAP. The process for specifying CHAP is described in the "Applying Authentication
Method Lists" section, later in this chapter.

For example, enter the following commands to enable AAA in the Cisco IOS software:

5300# configure terminal
5300(config)# aaa new-model

Defining Authentication Method Lists

After you enable AAA globally on the access server, you need to define authentication method lists,
which you then apply to lines and interfaces. These authentication method lists are security profiles
that indicate the protocol (ARAP or PPP) or login and authentication method (TACACS+, RADIUS,
or local authentication).

To define an authentication method list, follow these steps, which are described in detail in the next
sections:

Step 1  Enter the aaa authentication command.
Step 2  Specify protocol (ARAP or PPP) or login authentication.
Step 3  Identify a list name or default. A list name is any alphanumeric string you choose. You
        assign different authentication methods to different named lists.
Step 4  Specify the authentication method. You can specify multiple methods, such as tacacs+,
        followed by local in case a TACACS+ server is not available on the network.
Step 5  Populate the local username database if you specified local as the authentication method
        (or one of the authentication methods). To use a local username database, you must enter
        the username global configuration command. Refer to the section "Populate the Local
        Username Database if Necessary," later in this chapter.

After defining these authentication method lists, apply them to one of the following:

Lines—vty lines or the console port for login and asynchronous lines (in most cases) for ARA
Interfaces—Interfaces (synchronous or asynchronous) configured for PPP

The section "Applying Authentication Method Lists" later in this chapter describes how to apply
these lists.
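
The lockout caution, the CHAP note and Steps 1 through 5 above can be checked mechanically before a configuration is loaded. The following is an added example, not part of the Cisco manual: a small audit script whose function name, finding messages, list names (admins, operators, dialin) and sample configuration are all constructed for illustration, and which models only the fallback methods named on this page (local and enable).

```python
import re

# Assumption: only the methods named on this page are modelled as fallbacks.
FALLBACK_METHODS = {"local", "enable"}  # checked on the access server itself
AAA_RE = re.compile(r"^aaa authentication (login|ppp|arap) (\S+) (.+)$")

def audit_aaa(config_text):
    """Return sorted findings for the method lists in an IOS config."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    has_username = any(ln.startswith("username ") for ln in lines)
    lists = {}  # (service, list name) -> methods in the order they are tried
    for ln in lines:
        m = AAA_RE.match(ln)
        if m:
            lists[(m.group(1), m.group(2))] = m.group(3).split()
    findings = set()
    for (service, name), methods in lists.items():
        # Caution above: a list with only server methods locks you out on outage.
        if not FALLBACK_METHODS & set(methods):
            findings.add(f"{service} list '{name}': no last-resort method after {methods[-1]}")
        # Step 5: local needs entries from the username command.
        if "local" in methods and not has_username:
            findings.add(f"{service} list '{name}': uses local but no username is defined")
    for ln in lines:
        tok = ln.split()
        if len(tok) == 3 and tok[:2] == ["login", "authentication"] and ("login", tok[2]) not in lists:
            findings.add(f"login list '{tok[2]}' is applied but never defined")
        if tok[:3] == ["ppp", "authentication", "pap"]:
            findings.add("ppp authentication pap: password crosses the network in cleartext")
    return sorted(findings)

# Constructed sample configuration (not taken from the manual).
SAMPLE = """
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login admins tacacs+
aaa authentication ppp dialin tacacs+ local
line vty 0 4
 login authentication operators
interface Group-Async1
 ppp authentication pap dialin
"""

if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE):
        print(finding)
```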
