Authentication Commands

This chapter describes the function and displays the syntax for AAA and non-AAA authentication commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Security Command Reference.

aaa authentication arap

To enable an AAA authentication method for AppleTalk Remote Access (ARA) using RADIUS or TACACS+, use the aaa authentication arap global configuration command. Use the no form of this command to disable this authentication.

aaa authentication arap {default | list-name} method1 [method2...]
no aaa authentication arap {default | list-name} method1 [method2...]

default

Uses the listed methods that follow this argument as the default list of methods when a user logs in.

list-name

Character string used to name the following list of authentication methods tried when a user logs in.

method1, method2...

At least one authentication method keyword; the methods are tried in the order listed.


aaa authentication banner

To configure a personalized banner that will be displayed at user login, use the aaa authentication banner global configuration command. Use the no form of this command to remove the banner.

aaa authentication banner d string d
no aaa authentication banner

d

The delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

string

Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.


aaa authentication enable default

To enable AAA authentication to determine if a user can access the privileged command level, use the aaa authentication enable default global configuration command. Use the no form of this command to disable this authorization method.

aaa authentication enable default method1 [method2...]
no aaa authentication enable default method1 [method2...]

method1, method2...

At least one authentication method keyword; the methods are tried in the order listed.


aaa authentication fail-message

To configure a personalized banner that will be displayed when a user fails login, use the aaa authentication fail-message global configuration command. Use the no form of this command to remove the failed login message.

aaa authentication fail-message d string d
no aaa authentication fail-message

d

The delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

string

Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.


aaa authentication local-override

To configure the Cisco IOS software to check the local user database for authentication before attempting another form of authentication, use the aaa authentication local-override global configuration command. Use the no form of this command to disable the override.

aaa authentication local-override
no aaa authentication local-override

aaa authentication login

To set AAA authentication at login, use the aaa authentication login global configuration command. Use the no form of this command to disable AAA authentication.

aaa authentication login {default | list-name} method1 [method2...]
no aaa authentication login {default | list-name} method1 [method2...]

default

Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.

list-name

Character string used to name the list of authentication methods activated when a user logs in.

method1, method2...

At least one authentication method keyword; the methods are tried in the order listed.


aaa authentication nasi

To specify AAA authentication for NetWare Asynchronous Services Interface (NASI) clients connecting through the access server, use the aaa authentication nasi global configuration command. Use the no form of this command to disable authentication for NASI clients.

aaa authentication nasi {default | list-name} method1 [method2...]
no aaa authentication nasi {default | list-name} method1 [method2...]

default

Makes the listed authentication methods that follow this argument the default list of methods used when a user logs in.

list-name

Character string used to name the list of authentication methods activated when a user logs in.

method1, method2...

At least one authentication method keyword; the methods are tried in the order listed.


aaa authentication password-prompt

To change the text displayed when users are prompted for a password, use the aaa authentication password-prompt global configuration command. Use the no form of this command to return to the default password prompt text.

aaa authentication password-prompt text-string
no aaa authentication password-prompt text-string

text-string

String of text that will be displayed when the user is prompted to enter a password. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your password:").


aaa authentication ppp

To specify one or more AAA authentication methods for use on serial interfaces running Point-to-Point Protocol (PPP), use the aaa authentication ppp global configuration command. Use the no form of this command to disable authentication.

aaa authentication ppp {default | list-name} method1 [method2...]
no aaa authentication ppp {default | list-name} method1 [method2...]

default

Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.

list-name

Character string used to name the list of authentication methods tried when a user logs in.

method1, method2...

At least one authentication method keyword; the methods are tried in the order listed.


aaa authentication username-prompt

To change the text displayed when users are prompted to enter a username, use the aaa authentication username-prompt global configuration command. Use the no form of this command to return to the default username prompt text.

aaa authentication username-prompt text-string
no aaa authentication username-prompt text-string

text-string

String of text that will be displayed when the user is prompted to enter a username. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your name:").


aaa new-model

To enable the AAA access control model, issue the aaa new-model global configuration command. Use the no form of this command to disable the AAA access control model.

aaa new-model
no aaa new-model

aaa processes

To allocate a specific number of background processes to be used to process AAA authentication and authorization requests for PPP, use the aaa processes global configuration command. Use the no form of this command to restore the default value for this command.

aaa processes number
no aaa processes number

number

Specifies the number of background processes allocated for AAA requests for PPP. Valid entries are 1 to 2147483647.


access-profile

To apply your per-user authorization attributes to an interface during a PPP session, use the access-profile EXEC command. Use the default form of the command (no keywords) to cause existing access control lists (ACLs) to be removed, and ACLs defined in your per-user configuration to be installed.

access-profile [merge | replace] [ignore-sanity-checks]

merge

(Optional) Like the default form of the command, this option removes existing ACLs while retaining other existing authorization attributes for the interface.

However, using this option also installs per-user authorization attributes in addition to the existing attributes. (The default form of the command installs only new ACLs.) The per-user authorization attributes come from all AV pairs defined in the AAA per-user configuration (the user's authorization profile).

The interface's resulting authorization attributes are a combination of the previous and new configurations.

replace

(Optional) This option removes existing ACLs and all other existing authorization attributes for the interface.

A complete new authorization configuration is then installed, using all AV pairs defined in the AAA per-user configuration.

This option is not normally recommended because it initially deletes all existing configuration, including static routes. This could be detrimental if the new user profile does not reinstall appropriate static routes and other critical information.

ignore-sanity-checks

(Optional) Enables you to use any AV pairs, whether or not they are valid.


arap authentication

To enable AAA authentication for ARA on a line, use the arap authentication line configuration command. Use the no form of the command to disable authentication for an ARA line.

arap authentication {default | list-name} [one-time]
no arap authentication {default | list-name}

default

Default list created with the aaa authentication arap command.

list-name

Indicated list created with the aaa authentication arap command.

one-time

(Optional) Accepts the username and password in the username field.


clear ip trigger-authentication

To clear the list of remote hosts for which automated double authentication has been attempted, use the clear ip trigger-authentication privileged EXEC configuration command.

clear ip trigger-authentication

ip trigger-authentication (global configuration)

To enable the automated part of double authentication at a device, use the ip trigger-authentication global configuration command. Use the no form of this command to disable the automated part of double authentication.

ip trigger-authentication [timeout seconds] [port number]
no ip trigger-authentication

timeout seconds

(Optional) Specifies how frequently the local device sends a UDP packet to the remote host to request the user's username and password (or PIN). The default is 90 seconds.

port number

(Optional) Specifies the UDP port to which the local router should send the UDP packet requesting the user's username and password (or PIN). The default is port 7500.


ip trigger-authentication (interface configuration)

To specify automated double authentication at an interface, use the ip trigger-authentication interface configuration command. Use the no form of this command to turn off automated double authentication at an interface.

ip trigger-authentication
no ip trigger-authentication

login authentication

To enable AAA authentication for logins, use the login authentication line configuration command. Use the no form of this command either to disable TACACS+ authentication for logins or to return to the default.

login authentication {default | list-name}
no login authentication {default | list-name}

default

Uses the default list created with the aaa authentication login command.

list-name

Uses the indicated list created with the aaa authentication login command.
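
The method-list model the aaa new-model, aaa authentication login and login authentication entries describe, as an added configuration example that is not part of the original chapter: lists are defined globally, then bound per line. The server address, shared key and local account are placeholders, and the tacacs+, local and enable method keywords are assumed from the Security Command Reference rather than taken from this page.

```cisco
! Turn on the AAA model first; the aaa authentication commands below are
! only accepted once this is set.
aaa new-model
! Default login list, used by every line that has no explicit binding:
! ask the TACACS+ server, and fall back to the local database only when
! the server does not respond (a rejection by the server is final).
aaa authentication login default tacacs+ local
! Console list that never depends on the network, so a server outage
! cannot lock out physical access.
aaa authentication login CONSOLE local
! Privileged EXEC access is checked the same way; "enable" falls back to
! the locally configured enable password or secret.
aaa authentication enable default tacacs+ enable
! Banner and failure message; "#" is the delimiter here and so cannot
! appear inside either string.
aaa authentication banner #Authorized use only.#
aaa authentication fail-message #Login failed.#
! Fallback account for the "local" method (placeholder password).
username admin password LOCAL-PASSWORD-PLACEHOLDER
! Server used by the "tacacs+" method (placeholder address and key).
tacacs-server host 192.0.2.10
tacacs-server key SHARED-SECRET-PLACEHOLDER
! Bind the lists to lines. A line with no login authentication command
! uses the default list.
line con 0
 login authentication CONSOLE
 timeout login response 30
line vty 0 4
 login authentication default
 timeout login response 30
```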


login tacacs

To configure your router to use TACACS user authentication, use the login tacacs line configuration command. Use the no form of this command to disable TACACS user authentication for a line.

login tacacs
no login tacacs

nasi authentication

To enable AAA authentication for NetWare Asynchronous Services Interface (NASI) clients connecting to a router, use the nasi authentication line configuration command. Use the no form of the command to return to the default, as specified by the aaa authentication nasi command.

nasi authentication {default | list-name}
no nasi authentication {default | list-name}

default

Uses the default list created with the aaa authentication nasi command.

list-name

Uses the list created with the aaa authentication nasi command.


ppp authentication

To enable CHAP or PAP or both and to specify the order in which CHAP and PAP authentication are selected on the interface, use the ppp authentication interface configuration command. Use the no form of this command to disable this authentication.

ppp authentication {chap | chap pap | pap chap | pap} [if-needed] [list-name | default]
[callin] [one-time]
no ppp authentication

chap

Enables CHAP on a serial interface.

chap pap

Enables both CHAP and PAP, and performs CHAP authentication before PAP.

pap chap

Enables both CHAP and PAP, and performs PAP authentication before CHAP.

pap

Enables PAP on a serial interface.

if-needed

(Optional) Used with TACACS and extended TACACS. Does not perform CHAP or PAP authentication if the user has already provided authentication. This option is available only on asynchronous interfaces.

list-name

(Optional) Used with AAA. Specifies the name of a list of methods of authentication to use. If no list name is specified, the system uses the default. The list is created with the aaa authentication ppp command.

default

(Optional) Uses the default method list created with the aaa authentication ppp command.

callin

(Optional) Specifies authentication on incoming (received) calls only.

one-time

(Optional) Accepts the username and password in the username field.


ppp chap hostname

To create a pool of dialup routers that all appear to be the same host when authenticating with CHAP, use the ppp chap hostname interface configuration command. To disable this function, use the no form of the command.

ppp chap hostname hostname
no ppp chap hostname hostname

hostname

The name sent in the CHAP challenge.


ppp chap password

To enable a router calling a collection of routers that do not support this command (such as routers running older Cisco IOS software images) to configure a common CHAP secret password to use in response to challenges from an unknown peer, use the ppp chap password interface configuration command. Use the no form of this command to disable the PPP CHAP password.

ppp chap password secret
no ppp chap password secret

secret

The secret used to compute the response value for any CHAP challenge from an unknown peer.


ppp chap refuse

To refuse CHAP authentication from peers requesting it, use the ppp chap refuse interface configuration command. Use the no form of this command to allow CHAP authentication.

ppp chap refuse [callin]
no ppp chap refuse [callin]

callin

(Optional) This keyword specifies that the router will refuse to answer CHAP authentication challenges received from the peer, but will still require the peer to answer any CHAP challenges the router sends.


ppp chap wait

To specify that the router will not authenticate to a peer requesting CHAP authentication until after the peer has authenticated itself to the router, use the ppp chap wait interface configuration command. Use the no form of this command to allow the router to respond immediately to an authentication challenge.

ppp chap wait
no ppp chap wait


ppp pap sent-username

To reenable remote PAP support for an interface and use the sent-username and password in the PAP authentication request packet to the peer, use the ppp pap sent-username interface configuration command. Use the no form of this command to disable remote PAP support.

ppp pap sent-username username [password password]
no ppp pap sent-username

username

Username sent in the PAP authentication request.

password

Password sent in the PAP authentication request.

password

Must contain from 1 to 25 uppercase and lowercase alphanumeric characters.
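
The interface-level CHAP setup that the aaa authentication ppp, ppp authentication, ppp chap hostname, ppp chap password and ppp chap refuse entries describe, as an added configuration example that is not part of the original chapter. The server address, keys, peer account and pool name are placeholders, and the radius and local method keywords are assumed from the Security Command Reference rather than taken from this page.

```cisco
aaa new-model
! Named PPP method list: the RADIUS server decides, the local database is
! used only if the server does not respond.
aaa authentication ppp DIALIN radius local
! Server for the "radius" method (placeholder address and key).
radius-server host 192.0.2.20
radius-server key SHARED-SECRET-PLACEHOLDER
! Peer account for the "local" method (placeholder secret). CHAP never
! sends this secret on the wire, only an MD5 response to the challenge.
username remote-peer password PEER-SECRET-PLACEHOLDER
interface Async1
 encapsulation ppp
 ! Require CHAP only, on incoming calls, using the DIALIN list. PAP is
 ! not offered, so no password is ever sent in clear text.
 ppp authentication chap DIALIN callin
 ! All routers in the dial-in pool answer with the same name and secret,
 ! so peers can keep a single entry for the pool (placeholder values).
 ppp chap hostname dialpool
 ppp chap password POOL-SECRET-PLACEHOLDER
 ! Callers must authenticate to this router, but this router does not
 ! answer their challenges; the pool name and secret above are therefore
 ! used only on calls this router places itself.
 ppp chap refuse callin
```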

ppp use-tacacs

To enable TACACS for PPP authentication, use the ppp use-tacacs interface configuration command. Use the no form of the command to disable TACACS for PPP authentication.

ppp use-tacacs [single-line]
no ppp use-tacacs

single-line

(Optional) Accept the username and password in the username field. This option applies only when using CHAP authentication.


show ip trigger-authentication

To view the list of remote hosts for which automated double authentication has been attempted, use the show ip trigger-authentication privileged EXEC command.

show ip trigger-authentication

show ppp queues

To monitor the number of requests processed by each AAA background process, use the show ppp queues privileged EXEC command.

show ppp queues

timeout login response

To specify how long the system will wait for login input (such as username and password) before timing out, use the timeout login response line configuration command. Use the no form of this command to set the timeout value to 0 seconds.

timeout login response seconds
no timeout login response seconds

seconds

Integer that determines the number of seconds the system will wait for login input before timing out. Available settings are from 1 to 300 seconds.



Posted: Mon Feb 8 13:37:12 PST 1999
Copyright © 1989-1999 Cisco Systems Inc.