
Authentication Commands

This chapter explains the function and syntax of the authentication commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Cisco IOS Security Command Reference, Release 12.1.

aaa authentication arap

To enable an AAA authentication method for AppleTalk Remote Access (ARA) using TACACS+, use the aaa authentication arap command in global configuration mode. Use the no form of this command to disable this authentication.

aaa authentication arap {default | list-name} method1 [method2...]

no aaa authentication arap {default | list-name} method1 [method2...]

Syntax Description

default

Uses the listed methods that follow this argument as the default list of methods when a user logs in.

list-name

Character string used to name the following list of authentication methods tried when a user logs in.

method1 [method2...]

At least one of the keywords described in Table 32.

Table 32 lists aaa authentication arap methods.


Table 32: aaa authentication arap Methods
Keyword Description

guest

Allows guest logins. This method must be the first method listed, but it can be followed by other methods if it does not succeed.

auth-guest

Allows guest logins only if the user has already logged in to EXEC. This method must be the first method listed, but can be followed by other methods if it does not succeed.

line

Uses the line password for authentication.

local

Uses the local username database for authentication.

local-case

Uses case-sensitive local username authentication.

group radius

Uses the list of all RADIUS servers for authentication.

group tacacs+

Uses the list of all TACACS+ servers for authentication.

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

aaa authentication banner

To configure a personalized banner that will be displayed at user login, use the aaa authentication banner command in global configuration mode. Use the no form of this command to remove the banner.

aaa authentication banner dstringd

no aaa authentication banner

Syntax Description

d

The delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

string

Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.

aaa authentication enable default

To enable AAA authentication to determine if a user can access the privileged command level, use the aaa authentication enable default command in global configuration mode. Use the no form of this command to disable this authorization method.

aaa authentication enable default method1 [method2...]

no aaa authentication enable default method1 [method2...]

Syntax Description

method1 [method2...]

At least one of the keywords described in Table 33.

Table 33 lists aaa authentication enable default methods.


Table 33: aaa authentication enable Default Methods
Keyword Description

enable

Uses the enable password for authentication.

line

Uses the line password for authentication.

none

Uses no authentication.

group radius

Uses the list of all RADIUS servers for authentication.

group tacacs+

Uses the list of all TACACS+ servers for authentication.

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

aaa authentication fail-message

To configure a personalized banner that will be displayed when a user fails login, use the aaa authentication fail-message command in global configuration mode. Use the no form of this command to remove the failed login message.

aaa authentication fail-message dstringd

no aaa authentication fail-message

Syntax Description

d

The delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

string

Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.

aaa authentication login

To set AAA authentication at login, use the aaa authentication login command in global configuration mode. Use the no form of this command to disable AAA authentication.

aaa authentication login {default | list-name} method1 [method2...]

no aaa authentication login {default | list-name} method1 [method2...]

Syntax Description

default

Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.

list-name

Character string used to name the list of authentication methods activated when a user logs in.

method1 [method2...]

At least one of the keywords described in Table 34.

Table 34 lists aaa authentication login methods.


Table 34: aaa authentication login Methods
Keyword Description

enable

Uses the enable password for authentication.

krb5

Uses Kerberos 5 for authentication.

krb5-telnet

Uses Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router.

line

Uses the line password for authentication.

local

Uses the local username database for authentication.

local-case

Uses case-sensitive local username authentication.

none

Uses no authentication.

group radius

Uses the list of all RADIUS servers for authentication.

group tacacs+

Uses the list of all TACACS+ servers for authentication.

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

aaa authentication nasi

To specify AAA authentication for NetWare Asynchronous Services Interface (NASI) clients connecting through the access server, use the aaa authentication nasi command in global configuration mode. Use the no form of this command to disable authentication for NASI clients.

aaa authentication nasi {default | list-name} method1 [method2...]

no aaa authentication nasi {default | list-name} method1 [method2...]

Syntax Description

default

Makes the listed authentication methods that follow this argument the default list of methods used when a user logs in.

list-name

Character string used to name the list of authentication methods activated when a user logs in.

method1 [method2...]

At least one of the methods described in Table 35.

Table 35 lists aaa authentication nasi methods.


Table 35: aaa authentication nasi Methods
Keyword Description

enable

Uses the enable password for authentication.

line

Uses the line password for authentication.

local

Uses the local username database for authentication.

local-case

Uses case-sensitive local username authentication.

none

Uses no authentication.

group radius

Uses the list of all RADIUS servers for authentication.

group tacacs+

Uses the list of all TACACS+ servers for authentication.

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

aaa authentication password-prompt

To change the text displayed when users are prompted for a password, use the aaa authentication password-prompt command in global configuration mode. Use the no form of this command to return to the default password prompt text.

aaa authentication password-prompt text-string

no aaa authentication password-prompt text-string

Syntax Description

text-string

String of text that will be displayed when the user is prompted to enter a password. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your password:").

aaa authentication ppp

To specify one or more AAA authentication methods for use on serial interfaces running Point-to-Point Protocol (PPP), use the aaa authentication ppp command in global configuration mode. Use the no form of this command to disable authentication.

aaa authentication ppp {default | list-name} method1 [method2...]

no aaa authentication ppp {default | list-name} method1 [method2...]

Syntax Description

default

Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.

list-name

Character string used to name the list of authentication methods tried when a user logs in.

method1 [method2...]

At least one of the keywords described in Table 36.

Table 36 lists aaa authentication ppp methods.


Table 36: aaa authentication ppp Methods
Keyword Description

if-needed

Does not authenticate if user has already been authenticated on a TTY line.

krb5

Uses Kerberos 5 for authentication (can only be used for PAP authentication).

local

Uses the local username database for authentication.

local-case

Uses case-sensitive local username authentication.

none

Uses no authentication.

group radius

Uses the list of all RADIUS servers for authentication.

group tacacs+

Uses the list of all TACACS+ servers for authentication.

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

aaa authentication username-prompt

To change the text displayed when users are prompted to enter a username, use the aaa authentication username-prompt command in global configuration mode. Use the no form of this command to return to the default username prompt text.

aaa authentication username-prompt text-string

no aaa authentication username-prompt text-string

Syntax Description

text-string

String of text that will be displayed when the user is prompted to enter a username. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your name:").

aaa dnis map authentication ppp group

To map a Dialed Number Information Service (DNIS) number to a particular authentication server group (this server group will be used for AAA authentication), use the aaa dnis map authentication ppp group command in global configuration mode. To remove the DNIS number from the defined server group, use the no form of this command.

aaa dnis map dnis-number authentication ppp group server-group-name

no aaa dnis map dnis-number authentication ppp group server-group-name

Syntax Description

dnis-number

Number of the DNIS.

server-group-name

Character string used to name a group of security servers associated in a server group.

aaa new-model

To enable the AAA access control model, issue the aaa new-model command in global configuration mode. Use the no form of this command to disable the AAA access control model.

aaa new-model

no aaa new-model

Syntax Description

This command has no arguments or keywords.

aaa processes

To allocate a specific number of background processes to be used to process AAA authentication and authorization requests for PPP, use the aaa processes command in global configuration mode. Use the no form of this command to restore the default value for this command.

aaa processes number

no aaa processes number

Syntax Description

number

Specifies the number of background processes allocated for AAA requests for PPP. Valid entries are 1 to 2147483647.

access-profile

To apply your per-user authorization attributes to an interface during a PPP session, use the access-profile command in privileged EXEC mode. Use the default form of the command (no keywords) to cause existing access control lists (ACLs) to be removed, and ACLs defined in your per-user configuration to be installed.

access-profile [merge | replace] [ignore-sanity-checks]

Syntax Description

merge

(Optional) Like the default form of the command, this option removes existing ACLs while retaining other existing authorization attributes for the interface.

However, using this option also installs per-user authorization attributes in addition to the existing attributes. (The default form of the command installs only new ACLs.) The per-user authorization attributes come from all AV pairs defined in the AAA per-user configuration (the user's authorization profile).

The interface's resulting authorization attributes are a combination of the previous and new configurations.

replace

(Optional) This option removes existing ACLs and all other existing authorization attributes for the interface.

A complete new authorization configuration is then installed, using all AV pairs defined in the AAA per-user configuration.

This option is not normally recommended because it initially deletes all existing configuration, including static routes. This could be detrimental if the new user profile does not reinstall appropriate static routes and other critical information.

ignore-sanity-checks

(Optional) Enables you to use any AV pairs, whether or not they are valid.

arap authentication

To enable AAA authentication for ARA on a line, use the arap authentication command in line configuration mode. Use the no form of the command to disable authentication for an ARA line.

arap authentication {default | list-name} [one-time]

no arap authentication {default | list-name}


Caution: If you use a list-name value that was not configured with the aaa authentication arap command, ARA protocol will be disabled on this line.

Syntax Description

default

Default list created with the aaa authentication arap command.

list-name

Indicated list created with the aaa authentication arap command.

one-time

(Optional) Accepts the username and password in the username field.

clear ip trigger-authentication

To clear the list of remote hosts for which automated double authentication has been attempted, use the clear ip trigger-authentication command in privileged EXEC mode.

clear ip trigger-authentication

Syntax Description

This command has no arguments or keywords.

ip trigger-authentication (global)

To enable the automated part of double authentication at a device, use the ip trigger-authentication command in global configuration mode. Use the no form of this command to disable the automated part of double authentication.

ip trigger-authentication [timeout seconds] [port number]

no ip trigger-authentication

Syntax Description

timeout seconds

(Optional) Specifies how frequently the local device sends a UDP packet to the remote host to request the user's username and password (or PIN). The default is 90 seconds.

port number

(Optional) Specifies the UDP port to which the local router should send the UDP packet requesting the user's username and password (or PIN). The default is port 7500.

ip trigger-authentication (interface)

To specify automated double authentication at an interface, use the ip trigger-authentication command in interface configuration mode. Use the no form of this command to turn off automated double authentication at an interface.

ip trigger-authentication

no ip trigger-authentication

Syntax Description

This command has no arguments or keywords.

login authentication

To enable AAA authentication for logins, use the login authentication command in line configuration mode. Use the no form of this command to either disable TACACS+ authentication for logins or to return to the default.

login authentication {default | list-name}

no login authentication {default | list-name}

Syntax Description

default

Uses the default list created with the aaa authentication login command.

list-name

Uses the indicated list created with the aaa authentication login command.

nasi authentication

To enable AAA authentication for NetWare Asynchronous Services Interface (NASI) clients connecting to a router, use the nasi authentication command in line configuration mode. Use the no form of the command to return to the default, as specified by the aaa authentication nasi command.

nasi authentication {default | list-name}

no nasi authentication {default | list-name}

Syntax Description

default

Uses the default list created with the aaa authentication nasi command.

list-name

Uses the list created with the aaa authentication nasi command.

ppp authentication

To enable CHAP or PAP or both and to specify the order in which CHAP and PAP authentication are selected on the interface, use the ppp authentication command in interface configuration mode. Use the no form of this command to disable this authentication.

ppp authentication {protocol1 [protocol2...]} [if-needed] [list-name | default] [callin] [one-time]

no ppp authentication

Syntax Description

protocol1 [protocol2...]

Specify at least one of the keywords described in Table 37.

if-needed

(Optional) Used with TACACS and extended TACACS. Does not perform CHAP or PAP authentication if the user has already provided authentication. This option is available only on asynchronous interfaces.

list-name

(Optional) Used with AAA. Specifies the name of a list of methods of authentication to use. If no list name is specified, the system uses the default. The list is created with the aaa authentication ppp command.

default

(Optional) The name of the method list is created with the aaa authentication ppp command.

callin

(Optional) Specifies authentication on incoming (received) calls only.

one-time

(Optional) Accepts the username and password in the username field.

Table 37 lists the protocols used to negotiate PPP authentication.


Table 37: ppp authentication Protocols
Keyword Description
chap

Enables CHAP on a serial interface.

ms-chap

Enables Microsoft's version of CHAP (MS-CHAP) on a serial interface.

pap

Enables PAP on a serial interface.
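The method lists defined with the aaa authentication login, enable, ppp, arap and nasi commands are tried in the order listed, and the line- and interface-mode commands that bind them (login authentication, arap authentication, nasi authentication, ppp authentication) must name a list that exists, as the caution under arap authentication shows. The following audit, added here as an example and not part of Cisco's documentation, parses a constructed configuration and reports lists that contain none, bindings that name an undefined list, and PPP interfaces that negotiate PAP only; the list names, line ranges and interface are assumed placeholders.

```python
import re

# Constructed sample IOS config (not from the page); names are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local-case
aaa authentication login LEGACY none
aaa authentication ppp default group radius local
line vty 0 4
 login authentication LEGACY
line vty 5 15
 login authentication MISSING
interface Serial0
 ppp authentication pap
"""
KINDS = ("login", "enable", "ppp", "arap", "nasi")
PROTOCOLS = {"chap", "ms-chap", "pap"}
PPP_FLAGS = {"if-needed", "callin", "one-time"}


def parse_method_lists(config):
    """Map (kind, list-name) -> [method, ...]; 'group <x>' stays one token."""
    lists = {}
    for raw in config.splitlines():
        m = re.match(r"aaa authentication (\w+) (\S+) (.+)", raw.strip())
        if m and m.group(1) in KINDS:
            tokens, methods = m.group(3).split(), []
            while tokens:
                tok = tokens.pop(0)
                if tok == "group" and tokens:
                    tok += " " + tokens.pop(0)  # group radius / tacacs+ / <name>
                methods.append(tok)
            lists[(m.group(1), m.group(2))] = methods
    return lists

def bound_lists(config):
    """Yield (context, kind, list-name, ppp-protocols) per line/interface binding."""
    context = "global"
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():
            context = line  # e.g. 'line vty 0 4' or 'interface Serial0'
        m = re.match(r"(login|arap|nasi) authentication (\S+)", line)
        if m:
            yield context, m.group(1), m.group(2), []
        m = re.match(r"ppp authentication (.+)", line)
        if m:  # the list-name is whatever is neither a protocol nor an option
            toks = m.group(1).split()
            names = [t for t in toks if t not in PROTOCOLS | PPP_FLAGS]
            yield context, "ppp", names[0] if names else "default", [t for t in toks if t in PROTOCOLS]

def audit(config):
    """Findings a reviewer would raise against the method-list configuration."""
    findings, lists = [], parse_method_lists(config)
    if "aaa new-model" not in config.splitlines():
        findings.append("aaa new-model missing: aaa authentication lists are not in effect")
    for (kind, name), methods in lists.items():
        if "none" in methods:  # per the tables above, 'none' uses no authentication
            findings.append(f"{kind} list {name!r} contains 'none' (no authentication)")
    for context, kind, name, protos in bound_lists(config):
        if (kind, name) not in lists:
            findings.append(f"{context}: {kind} authentication names undefined list {name!r}")
        if kind == "ppp" and protos == ["pap"]:
            findings.append(f"{context}: PAP only; the PAP password crosses the link in cleartext")
    return findings
```

Running audit(SAMPLE_CONFIG) reports the LEGACY list, the MISSING binding on vty 5 15, and the PAP-only Serial0 interface.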

ppp chap hostname

To create a pool of dialup routers that all appear to be the same host when authenticating with CHAP, use the ppp chap hostname command in interface configuration mode. To disable this function, use the no form of the command.

ppp chap hostname hostname

no ppp chap hostname hostname

Syntax Description

hostname

The name sent in the CHAP challenge.

ppp chap password

To configure a common CHAP secret password that a router uses in response to challenges from an unknown peer (for example, when calling a collection of routers, such as routers running older Cisco IOS software images, that do not support this command), use the ppp chap password command in interface configuration mode. Use the no form of this command to disable the PPP CHAP password.

ppp chap password secret

no ppp chap password secret

Syntax Description

secret

The secret used to compute the response value for any CHAP challenge from an unknown peer.

ppp chap refuse

To refuse CHAP authentication from peers requesting it, use the ppp chap refuse command in interface configuration mode. Use the no form of this command to allow CHAP authentication.

ppp chap refuse [callin]

no ppp chap refuse [callin]

Syntax Description

callin

(Optional) This keyword specifies that the router will refuse to answer CHAP authentication challenges received from the peer, but will still require the peer to answer any CHAP challenges the router sends.

ppp chap wait

To specify that the router will not authenticate to a peer requesting CHAP authentication until after the peer has authenticated itself to the router, use the ppp chap wait command in interface configuration mode. Use the no form of this command to allow the router to respond immediately to an authentication challenge.

ppp chap wait secret

no ppp chap wait secret

Syntax Description

secret

The secret used to compute the response value for any CHAP challenge from an unknown peer.
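As an added example, not Cisco's code or the page's, the following Python models the CHAP exchange that ppp chap hostname, ppp chap password and ppp chap wait configure: the Name field carries the hostname, the responder looks up the challenger's name in its local username database and falls back to the common secret for an unknown peer, and a router with wait set refuses to answer a challenge until the peer has authenticated to it. The MD5 response computation follows RFC 1994; the hostnames and secrets are placeholders.

```python
import hashlib
import hmac
import os

# Constructed example, not Cisco's implementation: hostnames and secrets are
# placeholders, and `ppp chap wait` is modelled as a flag on the router.

def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP/MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapPeer:
    """One end of the PPP link. `hostname` fills the CHAP Name field (ppp chap
    hostname); `users` is the local username database (name -> secret);
    `common_secret` is the ppp chap password fallback for an unknown
    challenger; `wait` mirrors ppp chap wait."""

    def __init__(self, hostname, users, common_secret=None, wait=False):
        self.hostname, self.users = hostname, dict(users)
        self.common_secret, self.wait = common_secret, wait
        self.peer_authenticated = False
        self.next_id = 1

    def challenge(self):
        """Build a Challenge: (Identifier, random Value, our Name)."""
        ident, self.next_id = self.next_id, self.next_id + 1
        return ident, os.urandom(16), self.hostname

    def respond(self, ident, value, challenger_name):
        """Answer a Challenge, or return None when we will not respond."""
        if self.wait and not self.peer_authenticated:
            return None  # ppp chap wait: the peer has to authenticate first
        secret = self.users.get(challenger_name, self.common_secret)
        if secret is None:
            return None  # unknown challenger and no ppp chap password set
        return ident, chap_response(ident, secret, value), self.hostname

    def verify(self, ident, value, response):
        """Check a Response using the responder's secret from our database."""
        if response is None:
            return False
        r_ident, r_hash, r_name = response
        secret = self.users.get(r_name)
        ok = (secret is not None and r_ident == ident and
              hmac.compare_digest(r_hash, chap_response(ident, secret, value)))
        self.peer_authenticated = self.peer_authenticated or ok
        return ok


def two_way_chap(first, second):
    """`first` challenges `second`, then `second` challenges `first`.
    Returns (second authenticated to first, first authenticated to second)."""
    ident, value, name = first.challenge()
    second_ok = first.verify(ident, value, second.respond(ident, value, name))
    ident, value, name = second.challenge()
    first_ok = second.verify(ident, value, first.respond(ident, value, name))
    return second_ok, first_ok
```

The shared secret never crosses the link in either direction; only the MD5 response does, which is the property that distinguishes CHAP from PAP.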

ppp pap sent-username

To reenable remote PAP support for an interface and use the sent-username and password in the PAP authentication request packet to the peer, use the ppp pap sent-username command in interface configuration mode. Use the no form of this command to disable remote PAP support.

ppp pap sent-username username password password

no ppp pap sent-username

Syntax Description

username

Username sent in the PAP authentication request.

password

Password sent in the PAP authentication request. Must contain from 1 to 25 uppercase and lowercase alphanumeric characters.

show ip trigger-authentication

To view the list of remote hosts for which automated double authentication has been attempted, use the show ip trigger-authentication command in privileged EXEC mode.

show ip trigger-authentication

Syntax Description

This command has no arguments or keywords.

show ppp queues

To monitor the number of requests processed by each AAA background process, use the show ppp queues command in privileged EXEC mode.

show ppp queues

Syntax Description

This command has no arguments or keywords.

timeout login response

To specify how long the system will wait for login input (such as username and password) before timing out, use the timeout login response command in line configuration mode. Use the no form of this command to set the timeout value to 0 seconds.

timeout login response seconds

no timeout login response seconds

Syntax Description

seconds

Integer that determines the number of seconds the system will wait for login input before timing out. Available settings are from 1 to 300 seconds.


Posted: Wed Jul 26 16:08:16 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.