Cisco AS5300-96VOIP-A Software Configuration Manual page 122

Universal access server

Configuring Authentication

The following sample output shows lines and their status on the access server:

5300# sho line
  Tty Typ Tx/Rx       A Modem Roty AccO AccI Uses Noise Overruns
*   0 CTY             - -     -    -    -       0     0      0/0
I   1 TTY 57600/57600 - inout -    -    -       0     0      0/0
I   2 TTY 57600/57600 - inout -    -    -       0     0      0/0
...
I  48 TTY 57600/57600 - inout -    -    -       0     0      0/0
   49 AUX 9600/9600   - -     -    -    -       0     0      0/0
   50 VTY             - -     -    -    -       0     0      0/0
   51 VTY             - -     -    -    -       0     0      0/0
   52 VTY             - -     -    -    -       0     0      0/0
   53 VTY             - -     -    -    -       0     0      0/0
   54 VTY             - -     -    -    -       0     0      0/0

ARA Authentication Examples

In the following example, the ARA authentication list bldg-d-list is created, then applied to lines 1 through 48 (the physical asynchronous lines) on an access server:

5300(config)# aaa authentication arap bldg-d-list auth-guest tacacs+
5300(config)# line 1 48
5300(config-line)# arap authentication bldg-d-list

PPP Authentication Examples

The following example creates the PPP authentication list called marketing, which uses TACACS+, then RADIUS authentication. The marketing list requires authentication only if the user has not already been authenticated on another line. It is then applied to asynchronous lines 1 through 48 on an access server and uses CHAP authentication, instead of the default of PAP:

5300(config)# aaa authentication ppp marketing if-needed tacacs+ radius
5300(config)# line 1 48
5300(config-line)# ppp authentication chap marketing

Configuring Authorization

You can configure the access server to restrict user access to the network so that users can only perform certain functions after successful authentication. As with authentication, authorization can be used with either a local or remote security database. This guide describes only remote security server authorization.

A typical configuration probably uses the EXEC facility and network authorization. EXEC authorization restricts access to EXEC mode, and network authorization restricts access to network services, including PPP and ARA.

Authorization must be configured on both the access server and the security daemon. The default authorization is different on the access server and the security server:

• By default, the access server permits access for every user until you configure the access server to make authorization requests to the daemon.
• By default, the daemon denies authorization of anything that is not explicitly permitted. Therefore, you have to explicitly allow all per-user attributes on the security server.

Timesaver: If authentication has not been set up for a user, per-user authorization attributes are not enabled for that user. That is, if you want a user to obtain authorization before gaining access to network resources, you must first require that the user provide authentication. For example, if you want to specify the aaa authorization network tacacs+ (or radius) command, you must first specify the aaa authentication {ppp | arap} default if-needed tacacs+ (or radius) command.

4-16 Cisco AS5300 Universal Access Server Software Configuration Guide
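An added example, not part of the Cisco guide: a short Python audit of a saved configuration against the authorization defaults and the Timesaver rule described above, using only the command syntax shown on this page. The function name audit_aaa and both sample configurations are constructed for illustration, and counting a named ppp/arap list (not only default) as satisfying the Timesaver rule is an assumption.

```python
import re

# Keywords that may follow "ppp authentication" on a line but are not list names.
PROTO_WORDS = {"chap", "pap", "ms-chap", "if-needed", "callin"}

def audit_aaa(config):
    """Return findings for a config written in the AAA syntax shown on this page."""
    lists, authz, used, line = {}, {}, [], None
    for raw in config.splitlines():
        cmd = raw.strip()
        if m := re.match(r"aaa authentication (ppp|arap) (\S+) (.+)", cmd):
            lists[m[1], m[2]] = m[3].split()      # (service, list name) -> methods
        elif m := re.match(r"aaa authorization (\S+) (.+)", cmd):
            authz[m[1]] = m[2].split()            # authorization type -> methods
        elif m := re.match(r"line (.+)", cmd):
            line = m[1]                           # current line range, e.g. "1 48"
        elif m := re.match(r"(ppp|arap) authentication\b(.*)", cmd):
            names = [t for t in m[2].split() if t not in PROTO_WORDS]
            used.append((line, m[1], names[0] if names else "default"))
    findings = []
    # Access server default: every user is permitted until authorization is configured.
    if lists and "network" not in authz:
        findings.append("no 'aaa authorization network': access server permits every user")
    # Timesaver rule (assumption: any ppp/arap list using the same method satisfies it).
    for method in authz.get("network", []):
        if not any(method in methods for methods in lists.values()):
            findings.append(f"network authorization uses {method}, but no ppp/arap list does")
    for where, service, name in used:
        if (service, name) not in lists:
            findings.append(f"line {where}: {service} authentication list '{name}' is not defined")
    return findings

# Constructed configurations: GOOD is the page's two examples plus authorization.
GOOD = """aaa new-model
aaa authentication arap bldg-d-list auth-guest tacacs+
aaa authentication ppp marketing if-needed tacacs+ radius
aaa authorization network tacacs+
line 1 48
 arap authentication bldg-d-list
 ppp authentication chap marketing
"""
BAD = """aaa new-model
aaa authentication ppp marketing if-needed tacacs+
aaa authorization network radius
line 1 48
 ppp authentication chap marketing
 arap authentication bldg-d-list
"""
print(audit_aaa(GOOD), audit_aaa(BAD), sep="\n")
```

The matching security daemon must still explicitly permit each per-user attribute, which this check cannot see from the access server configuration alone.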
