Introduction

This document explains how to configure Authentication, Authorization, and Accounting (AAA) on a Cisco router with Radius or TACACS+ protocols. The goal of this document is not to cover all AAA features, but to explain the main commands and provide some examples and guidelines.

Note: Read the section on General AAA Configuration before you proceed with the Cisco IOS configuration. Failure to do so can result in misconfiguration and subsequent lockout.

For more information, see the Authentication, Authorization and Accounting Configuration Guide.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on Cisco IOS® software release 12 main line.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Network Diagram

(The network diagram image is not reproduced in this text.)

General AAA Configuration

Enable AAA

To enable AAA, you need to configure the aaa new-model command in global configuration.

Note: Until this command is enabled, all other AAA commands are hidden.

Warning: The aaa new-model command immediately applies local authentication to all lines and interfaces (except the console line, line con 0). If a telnet session is opened to the router after this command is enabled (or if a connection times out and has to reconnect), then the user has to be authenticated with the local database of the router. It is recommended to define a username and password on the access server before you start the AAA configuration, so you are not locked out of the router:

Router(config)# username xxx password yyy

Tip: Before you configure your AAA commands, save your configuration. This allows you to recover from unexpected lockouts, as you can roll back any change with a reload of the router. Save the configuration again only after you have completed your AAA configuration (and are satisfied that it works correctly).

In global configuration, define the security protocol used with AAA (Radius or TACACS+). If you do not want to use either of these two protocols, you can use the local database on the router.

If you use TACACS+, use the tacacs-server host command.

If you use Radius, use the radius-server host command.

On the AAA server, configure the following parameters:

- The IP address the access server uses to communicate with the AAA server. Note: If both devices are on the same Ethernet network then, by default, the access server uses the IP address defined on the Ethernet interface when it sends out the AAA packet. This issue is important when the router has multiple interfaces (and hence multiple addresses).
- The exact same key configured in the access server.
- The protocol used by the access server (TACACS+ or Radius).

Refer to your AAA server documentation for the exact procedure used to configure these parameters.

The AAA server has to be IP reachable from the access server (conduct a ping test to verify connectivity). If the AAA server is not correctly configured, then AAA requests from the NAS can be ignored by the AAA server and the connection can fail.

Authentication Configuration

Authentication verifies users before they are allowed access to the network and network services (which are verified with authorization).

First define a named list of authentication methods (in global configuration mode).

Apply that list to one or more interfaces (in interface configuration mode).

The only exception is the default method list (which is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined.
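The steps above assembled into one lockout-safe configuration, as an added example that is not from the original document. Assumed values: TACACS+ server 192.0.2.10, the shared key and fallback account shown, Loopback0 as the source interface, and the list name CONSOLE; the ip tacacs source-interface command and the named console list are additions beyond what the text shows.

```cisco
! Added example, not from the original document. Assumed values:
! TACACS+ server 192.0.2.10, key tacacs-key-example, fallback user admin,
! source interface Loopback0, method list name CONSOLE.
!
! 1. Local fallback account FIRST, so a broken AAA setup cannot lock you out.
!    (Newer IOS releases also accept "username ... secret", which stores a hash.)
username admin privilege 15 password fallback-password-example
!
! 2. Turn on AAA. From here on every line except con 0 asks for a local login.
aaa new-model
!
! 3. TACACS+ server and shared key; the key must match the one on the AAA server.
tacacs-server host 192.0.2.10 key tacacs-key-example
! Pin the source address the router uses toward the AAA server, so the server
! sees one predictable client IP even though the router has several addresses.
ip tacacs source-interface Loopback0
!
! 4. Method lists. "default" is applied to every line with no named list.
!    "local" is consulted only when no TACACS+ server answers, NOT when a
!    server rejects the credentials. Older 12.0 images take "tacacs+" without
!    the "group" keyword.
aaa authentication login default group tacacs+ local
! The console keeps a local-only list so an unreachable server never locks it.
aaa authentication login CONSOLE local
!
! 5. Apply the named list where wanted; vty lines use "default".
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
!
! Radius equivalent of step 3 (server must be set to the same key and protocol):
! radius-server host 192.0.2.10 key radius-key-example
! ip radius source-interface Loopback0
! aaa authentication login default group radius local
```

Verify with a second telnet session before closing the one you configured from, and only then save the configuration; if the new session fails, a reload restores the saved pre-AAA configuration.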