Network Access Security Commands

This chapter describes the commands used to manage security on the network.

aaa authentication arap

To enable an Authentication Authorization and Accounting (AAA) authentication method for AppleTalk Remote Access (ARA) users using TACACS+, use the aaa authentication arap global configuration command. Use the no form of this command to disable this authentication.

aaa authentication arap {default | list-name} method1 [...[method4]]
no aaa authentication arap {default | list-name} method1 [...[method4]]
Syntax Description
default Uses the listed methods that follow this argument as the default list of methods when a user logs in.
list-name Character string used to name the following list of authentication methods tried when a user logs in.
method One of the keywords described in Table 1.
Default

If the default list is not set, only the local user database is checked. This version has the same effect as the following command:

aaa authentication arap default local
Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

The list names and default that you set with the aaa authentication arap command are used with the arap authentication command. These lists can contain up to four authentication methods that are used when a user tries to log in with ARA. Note that ARAP guest logins are disabled by default when you enable AAA/TACACS+. To allow guest logins, you must use either the guest or auth-guest method listed in Table 1. You can only use one of these methods; they are mutually exclusive.

Create a list by entering the aaa authentication arap list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries in the given sequence. You can enter up to four methods. See Table 1 for descriptions of method keywords.

To create a default list that is used if no list is specified in the arap authentication command, use the default keyword followed by the methods you want to be used in default situations.

The additional methods of authentication are used only if the previous method returns an error, not if it fails.

Use the show running-config command to view lists of authentication methods.


Table 1: AAA Authentication ARAP Methods
Keyword Description
guest Allows guest logins. This method must be the first method listed, but it can be followed by other methods if it does not succeed.
auth-guest Allows guest logins only if the user has already logged in to EXEC. This method must be the first method listed, but can be followed by other methods if it does not succeed.
line Uses the line password for authentication.
local Uses the local username database for authentication.
tacacs+ Uses TACACS+ authentication.
radius Uses RADIUS authentication.

Note This command cannot be used with TACACS or extended TACACS.
Examples

The following example creates a list called MIS-access, which first tries TACACS+ authentication and then none:

aaa authentication arap MIS-access tacacs+ none

The following example creates the same list, but sets it as the default list that is used for all ARA protocol authentications if no other list is specified:

aaa authentication arap default tacacs+ none
Related Commands

aaa authentication local-override
aaa new-model

aaa authentication enable default

To enable AAA authentication to determine if a user can access the privileged command level, use the aaa authentication enable default global configuration command. Use the no form of this command to disable this authorization method.

aaa authentication enable default method1 [...[method4]]
no aaa authentication enable default method1 [...[method4]]
Syntax Description
method At least one and up to four of the keywords described in Table 2.
Default

If the default list is not set, only the enable password is checked. This version has the same effect as the following command:

aaa authentication enable default enable

On the console, the enable password is used if it exists. If no password is set, the process will succeed anyway.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

Use the aaa authentication enable default command to create a series of authentication methods that are used to determine whether a user can access the privileged command level. You can specify up to four authentication methods. Method keywords are described in Table 2. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.

If a default authentication routine is not set for a function, the default is none and no authentication is performed. Use the show running-config command to view currently configured lists of authentication methods.


Table 2: AAA Authentication Enable Default Methods
Keyword Description
enable Uses the enable password for authentication.
line Uses the line password for authentication.
none Uses no authentication.
tacacs+ Uses TACACS+ authentication.
radius Uses RADIUS authentication.

Note This command cannot be used with TACACS or extended TACACS.
Example

The following example creates an authentication list that first tries to contact a TACACS+ server. If no server can be found, AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.

aaa authentication enable default tacacs+ enable none
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

aaa authentication local-override
aaa authorization
aaa new-model
enable password +

aaa authentication local-override

To configure the Cisco IOS software to check the local user database for authentication before attempting another form of authentication, use the aaa authentication local-override global configuration command. Use the no form of this command to disable the override.

aaa authentication local-override
no aaa authentication local-override
Syntax Description

This command has no arguments or keywords.

Default

Override is disabled.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

This command is useful when you want to configure an override to the normal authentication process for certain personnel such as system administrators.

When this override is set, the user is always prompted for the username. The system then checks to see if the entered username corresponds to a local account. If the username does not correspond to one in the local database, login proceeds with the methods configured with other aaa commands (such as aaa authentication login). Note that when using this command Username: is fixed as the first prompt.
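The Usage Guidelines for aaa authentication enable default (and for the other list commands in this chapter) state the rule that decides whether a method list fails open: the next method is consulted only when the previous one returns an error, never when it fails, and a trailing none grants access once every real method has errored. The following Python model, added here as an example and not Cisco code, walks a method list under that rule and also models the aaa authentication local-override behaviour described above, where a username found in the local database is decided locally before any other method is tried. The router state (TACACS+ reachability, the user databases, the absent enable password) is constructed sample data, and treating an unknown local user as a rejection is an assumption of the model rather than something the page states.

```python
"""Model of how a Cisco IOS AAA authentication method list is walked.

Added example (not Cisco code). It encodes the rule repeated in the
Usage Guidelines: the next method is consulted only when the current one
returns an ERROR (server unreachable, password not configured), never when
it FAILS (credentials rejected), and a trailing 'none' makes the list
succeed once every real method has errored. local_override models
'aaa authentication local-override': a username found in the local
database is decided by the local database alone, anything else goes to
the method list. The router state below is constructed sample data.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method accepted the credentials
    FAIL = "fail"    # method was reachable and rejected the credentials
    ERROR = "error"  # method could not produce a verdict


# Constructed router state (hypothetical, not from the page).
ROUTER = {
    "tacacs_up": True,
    "tacacs_users": {"alice": "tac-pw", "admin": "tac-admin"},
    "local_users": {"admin": "s3cret"},
    "enable_password": None,      # "no enable password is configured", as in the examples
    "line_password": "linepw",
}


def run_method(method, user, password, state):
    """Verdict of a single method keyword against the router state."""
    if method == "none":
        return Result.PASS                        # 'none' never rejects anyone
    if method == "tacacs+":
        if not state["tacacs_up"]:
            return Result.ERROR                   # server cannot be contacted
        ok = state["tacacs_users"].get(user) == password
        return Result.PASS if ok else Result.FAIL
    if method == "local":
        expected = state["local_users"].get(user)
        if expected is None:
            return Result.FAIL                    # assumption of this model: unknown user is a rejection
        return Result.PASS if expected == password else Result.FAIL
    if method in ("enable", "line"):
        configured = state[f"{method}_password"]
        if configured is None:
            return Result.ERROR                   # nothing to check against: error, not failure
        return Result.PASS if password == configured else Result.FAIL
    raise ValueError(f"unknown method keyword {method!r}")


def authenticate(method_list, user, password, state, local_override=False):
    """Walk the list; returns (granted, trace of (method, verdict)).

    Stops at the first PASS or FAIL; only an ERROR moves on to the next
    method. If every method errors and no 'none' is present, access is denied.
    """
    if not 1 <= len(method_list) <= 4:
        raise ValueError("a method list holds between one and four methods")
    if local_override and user in state["local_users"]:
        verdict = run_method("local", user, password, state)
        return verdict is Result.PASS, [("local", verdict)]
    trace = []
    for method in method_list:
        verdict = run_method(method, user, password, state)
        trace.append((method, verdict))
        if verdict is not Result.ERROR:
            return verdict is Result.PASS, trace
    return False, trace


if __name__ == "__main__":
    down = dict(ROUTER, tacacs_up=False)
    # The page's 'tacacs+ enable none' list with the server down: every real
    # method errors, so 'none' grants access with no authentication at all.
    print(authenticate(["tacacs+", "enable", "none"], "bob", "anything", down))
    # Server up, wrong password: TACACS+ fails, the list stops, 'none' is never reached.
    print(authenticate(["tacacs+", "none"], "alice", "wrong", ROUTER))
```

The two runs in the main block are the cases a reviewer of an AAA configuration should keep apart: a trailing none only matters when the server is unreachable, which is exactly the condition an outage (or a blocked path to the server) produces, so a list such as tacacs+ none authenticates nobody while the server is up and everybody while it is down.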

Example

The following example enables AAA authentication override:

aaa authentication local-override
Related Commands

aaa authentication arap
aaa authentication enable default
aaa authentication login
aaa authentication ppp
aaa new-model

aaa authentication login

To set AAA authentication at login, use the aaa authentication login global configuration command. Use the no form of this command to disable AAA authentication.

aaa authentication login {default | list-name} method1 [...[method4]]
no aaa authentication login {default | list-name} method1 [...[method4]]
Syntax Description
default Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
list-name Character string used to name the following list of authentication methods activated when a user logs in.
method At least one and up to four of the keywords described in Table 3.
Default

If the default list is not set, only the local user database is checked. This version has the same effect as the following command:

aaa authentication login default local

Note On the console, login will succeed without any authentication checks if default is not set.
Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

The default and optional list names that you create with the aaa authentication login command are used with the login authentication command.

Create a list by entering the aaa authentication login list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence. Method keywords are described in Table 3.

To create a default list that is used if no list is assigned to a line with the login authentication command, use the default keyword followed by the methods you want to use in default situations.

The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.

If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the show running-config command to display currently configured lists of authentication methods.


Table 3: AAA Authentication Login Methods
Keyword Description
enable Uses the enable password for authentication.
krb5 Uses Kerberos 5 for authentication.
line Uses the line password for authentication.
local Uses the local username database for authentication.
none Uses no authentication.
radius Uses RADIUS authentication.
tacacs+ Uses TACACS+ authentication.
krb5-telnet Uses Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router.

Note This command cannot be used with TACACS or extended TACACS.
Examples

The following example creates an AAA authentication list called MIS-access. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.

aaa authentication login MIS-access tacacs+ enable none

The following example creates the same list, but it sets it as the default list that is used for all login authentications if no other list is specified:

aaa authentication login default tacacs+ enable none

The following example sets authentication at login to use the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router:

aaa authentication login default krb5-telnet krb5
Related Commands

A dagger (+) indicates that this command is documented outside this chapter.

aaa authentication local-override
aaa new-model
login authentication +

aaa authentication nasi

To specify AAA authentication for Netware Asynchronous Services Interface (NASI) clients connecting through the access server, use the aaa authentication nasi global configuration command. Use the no form of this command to disable authentication for NASI clients.

aaa authentication nasi {default | list-name} method1 [...[method4]]
no aaa authentication nasi {default | list-name} method1 [...[method4]]
Syntax Description
default Makes the listed authentication methods that follow this argument the default list of methods used when a user logs in.
list-name Character string used to name the following list of authentication methods activated when a user logs in.
method At least one and up to four of the keywords described in Table 4.
Default

If the default list is not set, only the local user database is selected. This setting has the same effect as the following command:

aaa authentication nasi default local
Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

The default and optional list names that you create with the aaa authentication nasi command are used with the nasi authentication command.

Create a list by entering the aaa authentication nasi command, where list-name is any character string that names this list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries in the given sequence. Method keywords are described in Table 4.

To create a default list that is used if no list is assigned to a line with the nasi authentication command, use the default argument followed by the methods that you want to use in default situations.

The remaining methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.

If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the show running-config command to display currently configured lists of authentication methods.


Table 4: AAA Authentication NASI Methods
Keyword Description
enable Uses the enable password for authentication.
line Uses the line password for authentication.
local Uses the local username database for authentication.
none Uses no authentication.
tacacs+ Uses TACACS+ authentication.

Note This command cannot be used with TACACS or extended TACACS.
Examples

The following example creates an AAA authentication list called list1. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.

aaa authentication nasi list1 tacacs+ enable none

The following example creates the same list, but sets it as the default list that is used for all login authentications if no other list is specified:

aaa authentication nasi default tacacs+ enable none
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

ipx nasi-server enable +
nasi authentication
show ipx nasi connections +
show ipx spx-protocol +

aaa authentication password-prompt

To change the text displayed when users are prompted for a password, use the aaa authentication password-prompt global configuration command. Use the no form of this command to return to the default password prompt text.

aaa authentication password-prompt {text-string}
no aaa authentication password-prompt {text-string}
Syntax Description
text-string String of text that will be displayed when the user is prompted to enter a password. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your password:").
Default

This command is disabled by default.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.0.

Use the aaa authentication password-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a password. This command changes the password prompt for the enable password as well as for login passwords that are not supplied by remote security servers. The no form of this command returns the password prompt to the default value:

Password:

The aaa authentication password-prompt command does not change any dialog that is supplied by a remote TACACS+ or RADIUS server.

Example

The following example changes the text for the password prompt:

aaa authentication password-prompt "Enter your password now:"
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

aaa authentication username prompt
aaa new-model
enable password +

aaa authentication ppp

To specify one or more AAA authentication methods for use on serial interfaces running Point-to-Point (PPP) and TACACS+, use the aaa authentication ppp global configuration command. Use the no form of this command to disable authentication.

aaa authentication ppp {default | list-name} method1 [...[method4]]
no aaa authentication ppp {default | list-name} method1 [...[method4]]
Syntax Description
default Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
list-name Character string used to name the following list of authentication methods tried when a user logs in.
method At least one and up to four of the keywords described in Table 5.
Default

If the default list is not set, only the local user database is checked. This command has the same effect as the following command:

aaa authentication ppp default local
Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

The lists that you create with the aaa authentication ppp command are used with the ppp authentication command. These lists contain up to four authentication methods that are used when a user tries to log in to the serial interface.

Create a list by entering the aaa authentication ppp list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries in the given sequence. You can enter up to four methods. Method keywords are described in Table 5.

The additional methods of authentication are only used if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authentication succeed even if all methods return an error.

If authentication is not specifically set for a function, the default is none and no authentication is performed. Use the show running-config command to display lists of authentication methods.


Table 5: AAA Authentication PPP Methods
Keyword Description
if-needed Does not authenticate if user has already been authenticated on a TTY line.
krb5 Uses Kerberos 5 for authentication (can only be used for PAP authentication).
local Uses the local username database for authentication.
none Uses no authentication.
radius Uses RADIUS authentication.
tacacs+ Uses TACACS+ authentication.

Note This command cannot be used with TACACS or extended TACACS.
Example

The following example creates an AAA authentication list called MIS-access for serial lines that use PPP. This authentication first tries to contact a TACACS+ server. If this action returns an error, the user is allowed access with no authentication.

aaa authentication ppp MIS-access tacacs+ none
Related Commands

A dagger (+) indicates that this command is documented outside this chapter.

aaa authentication local-override
aaa new-model
ppp authentication

aaa authentication username-prompt

To change the text displayed when users are prompted to enter a username, use the aaa authentication username-prompt global configuration command. Use the no form of this command to return to the default username prompt text.

aaa authentication username-prompt {text-string}
no aaa authentication username-prompt {text-string}
Syntax Description
text-string String of text that will be displayed when the user is prompted to enter a username. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your name:").
Default

This command is disabled by default.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.0.

Use the aaa authentication username-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a username. The no form of this command returns the username prompt to the default value:

Username:

Some protocols (for example, TACACS+) have the ability to override the use of local username prompt information. Using the aaa authentication username-prompt command will not change the username prompt text in these instances.


Note The aaa authentication username-prompt command does not change any dialog that is supplied by a remote TACACS+ server.
Example

The following example changes the text for the username prompt:

aaa authentication username-prompt "Enter your name here:"
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

aaa authentication password-prompt
aaa new-model
enable password +

aaa authorization

Use the aaa authorization global configuration command to set parameters that restrict a user's network access. Use the no form of this command to disable authorization for a function.

aaa authorization {network | exec | command level} method
no aaa authorization {network | exec | command level}
Syntax Description
network Runs authorization for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARA protocol.
exec Runs authorization to determine if the user is allowed to run an EXEC shell. This facility might return user profile information such as autocommand information.
command Runs authorization for all commands at the specified privilege level.
level Specific command level that should be authorized. Valid entries are 0 through 15.
method One of the keywords in Table 6.
Default

Authorization is disabled for all actions (equivalent to the keyword none).

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.


Note There are five commands associated with privilege level 0: disable, enable, exit, help, and logout. If you configure AAA authorization for a privilege level greater than 0, these five commands will not be included in the privilege level command set.

Use the aaa authorization command to create at least one, and up to four, authorization methods that can be used when a user accesses the specified function. Method keywords are described in Table 6.


Note This command, along with aaa accounting, replaces the tacacs-server suite of commands in previous versions of TACACS.

The additional methods of authorization are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authorization succeed even if all methods return an error.

If authorization is not specifically set for a function, the default is none and no authorization is performed.


Table 6: AAA Authorization Methods
Keyword Description
tacacs+ Requests authorization information from the TACACS+ server.
if-authenticated Allows the user to access the requested function if the user is authenticated.
none No authorization is performed.
local Uses the local database for authorization.
radius Uses RADIUS to get authorization information.
krb5-instance Uses the instance defined by the Kerberos instance map command.

The authorization command causes a request packet containing a series of attribute value pairs to be sent to the TACACS daemon as part of the authorization process. The daemon can do one of the following:

Table 7 describes attribute value (AV) pairs associated with the aaa authorization command. Registered users can find more information about TACACS+ and attribute pairs on Cisco Connection Online (CCO).


Table 7: Supported TACACS+ AV Pairs
Attribute Description Cisco IOS Release 11.0 Cisco IOS Release 11.1 Cisco IOS Release 11.2
service=x The primary service. Specifying a service attribute indicates that this is a request for authorization or accounting of that service. Current values are slip, ppp, arap, shell, tty-daemon, connection, and system. This attribute must always be included. yes yes yes
protocol=x A protocol that is a subset of a service. An example would be any PPP NCP. Currently known values are lcp, ip, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, http, and unknown. yes yes yes
cmd=x A shell (EXEC) command. This indicates the command name for a shell command that is to be run. This attribute must be specified if service equals "shell." A NULL value indicates that the shell itself is being referred to. yes yes yes
cmd-arg=x An argument to a shell (EXEC) command. This indicates an argument for the shell command that is to be run. Multiple cmd-arg attributes may be specified, and they are order dependent. yes yes yes
acl=x ASCII number representing a connection access list. Used only when service=shell. yes yes yes
inacl=x ASCII identifier for an interface input access list. Used with service=ppp and protocol=ip. yes yes yes
inacl# ASCII access list identifier for an input access list to be installed and applied to an interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. no no 11.2(4)F
outacl=x ASCII identifier for an interface output access list. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. Contains an IP output access list for SLIP or PPP/IP (for example, outacl=4). The access list itself must be preconfigured on the router. Per-user access lists do not currently work with ISDN interfaces. yes (PPP/IP only) yes yes
outacl# ASCII access list identifier for an interface output access list to be installed and applied to an interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. no no 11.2(4)F
zonelist=x A numeric zonelist value. Used with service=arap. Specifies an AppleTalk zonelist for ARA (for example, zonelist=5). yes yes yes
addr=x A network address. Used with service=slip, service=ppp, and protocol=ip. Contains the IP address that the remote host should use when connecting via SLIP or PPP/IP. For example, addr=1.2.3.4. yes yes yes
addr-pool=x Specifies the name of a local pool from which to get the address of the remote host. Used with service=ppp and protocol=ip. yes yes yes

Note that addr-pool works in conjunction with local pooling. It specifies the name of a local pool (which must be preconfigured on the network access server). Use the ip local pool command to declare local pools. For example:

ip address-pool local
ip local pool boo 1.0.0.1 1.0.0.10
ip local pool moo 2.0.0.1 2.0.0.20

You can then use TACACS+ to return addr-pool=boo or addr-pool=moo to indicate the address pool from which you want to get this remote node's address.
routing=x Specifies whether routing information is to be propagated to, and accepted from this interface. Used with service=slip, service=ppp, and protocol=ip. Equivalent in function to the /routing flag in SLIP and PPP commands. Can either be true or false (for example, routing=true). yes yes yes
route Specifies a route to be applied to an interface. Used with service=slip, service=ppp, and protocol=ip. no yes yes

During network authorization, the route attribute can be used to specify a per-user static route, to be installed by TACACS+ as follows:

route="dst_address mask [gateway]"

This indicates a temporary static route that is to be applied. dst_address, mask, and gateway are expected to be in the usual dotted-decimal notation, with the same meanings as in the familiar ip route configuration command on a network access server.

If gateway is omitted, the peer's address is the gateway. The route is expunged when the connection terminates.
route# Like the route AV pair, this specifies a route to be applied to an interface, but these routes are numbered, allowing multiple routes to be applied. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx. no no 11.2(4)F
timeout=x The number of minutes before an ARA session disconnects (for example, timeout=60). A value of zero indicates no timeout. Used with service=arap. yes yes yes
idletime=x Sets a value, in minutes, after which an idle session is terminated. Does not work for PPP. A value of zero indicates no timeout. no yes yes
autocmd=x Specifies an autocommand to be executed at EXEC startup (for example, autocmd=telnet muruga.com). Used only with service=shell. yes yes yes
noescape=x Prevents user from using an escape character. Used with service=shell. Can be either true or false (for example, noescape=true). yes yes yes
nohangup=x Used with service=shell. Specifies the nohangup option. Can be either true or false (for example, nohangup=false). yes yes yes
priv-lvl=x Privilege level to be assigned for the EXEC. Used with service=shell. Privilege levels range from 0 to 15, with 15 being the highest. yes yes yes
callback-dialstring Sets the telephone number for a callback (for example: callback-dialstring=408-555-1212). Value is NULL, or a dial-string. A NULL value indicates that the service may choose to get the dialstring through other means. Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN. no yes yes
callback-line The number of a TTY line to use for callback (for example: callback-line=4). Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN. no yes yes
callback-rotary The number of a rotary group (between 0 and 100 inclusive) to use for callback (for example: callback-rotary=34). Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN. no yes yes
nocallback-verify Indicates that no callback verification is required. The only valid value for this parameter is 1 (for example, nocallback-verify=1). Used with service=arap, service=slip, service=ppp, service=shell. There is no authentication on callback. Not valid for ISDN. no yes yes
tunnel-id Specifies the username that will be used to authenticate the tunnel over which the individual user MID will be projected. This is analogous to the remote name in the vpdn outgoing command. Used with service=ppp and protocol=vpdn. no no yes
ip-addresses Space-separated list of possible IP addresses that can be used for the end-point of a tunnel. Used with service=ppp and protocol=vpdn. no no yes
nas-password Specifies the password for the network access server during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn. no no yes
gw-password Specifies the password for the home gateway during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn. no no yes
rte-ftr-in# Specifies an input access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. no no 11.2(4)F
rte-ftr-out# Specifies an output access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. no no yes 11.2(4)F
sap# Specifies static Service Advertising Protocol (SAP) entries to be installed for the duration of a connection. Used with service=ppp and protocol=ipx. no no yes 11.2(4)F
sap-fltr-in# Specifies an input SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx. no no yes 11.2(4)F
sap-fltr-out# Specifies an output SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx. no no 11.2(4)F
pool-def# Used to define IP address pools on the network access server. Used with service=ppp and protocol=ip. no no 11.2(4)F
source-ip=x Used as the source IP address of all VPDN packets generated as part of a VPDN tunnel. This is equivalent to the Cisco vpdn outgoing global configuration command. no no yes
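Table 7 describes the authorization reply as a set of attribute=value pairs with a handful of consistency rules (service is mandatory, cmd must accompany service=shell, priv-lvl is 0 through 15, routing and noescape take true or false, route carries "dst_address mask [gateway]" in dotted-decimal form). The following Python parser and checker is an added example, not Cisco code or any TACACS+ daemon's, that turns a reply string into a dictionary and reports which of those rules it breaks; the reply strings it is run on are constructed samples, and the set of checks is only the subset of Table 7 named here.

```python
"""Parser and sanity checker for TACACS+ authorization attribute-value pairs.

Added example, not Cisco code or the TACACS+ daemon's. It parses a
whitespace-separated 'attr=value' reply into a dictionary and applies a
few of the rules stated in Table 7: service= is mandatory, cmd= must be
present when service=shell, priv-lvl must be 0..15, routing/noescape/
nohangup are true or false, and route= carries "dst_address mask [gateway]"
in dotted-decimal notation. All sample replies below are constructed.
"""
import ipaddress
import shlex

# Service values listed in Table 7 for the service= attribute.
KNOWN_SERVICES = {"slip", "ppp", "arap", "shell", "tty-daemon", "connection", "system"}
BOOLEAN_ATTRS = ("routing", "noescape", "nohangup")


def parse_av_pairs(text):
    """Split a reply such as 'service=shell priv-lvl=15 route="10.0.0.0 255.0.0.0"'.

    shlex keeps the double-quoted route value as one token; cmd-arg is collected
    into an ordered list because Table 7 says repeated cmd-arg pairs are order
    dependent. Any other repeated attribute is rejected.
    """
    pairs = {}
    for token in shlex.split(text):
        if "=" not in token:
            raise ValueError(f"not an attribute=value token: {token!r}")
        attr, value = token.split("=", 1)
        if attr == "cmd-arg":
            pairs.setdefault(attr, []).append(value)
        elif attr in pairs:
            raise ValueError(f"duplicate attribute {attr!r}")
        else:
            pairs[attr] = value
    return pairs


def validate(pairs):
    """Return a list of rule violations; an empty list means the reply is acceptable."""
    problems = []
    service = pairs.get("service")
    if service is None:
        problems.append("service= is mandatory")
    elif service not in KNOWN_SERVICES:
        problems.append(f"unknown service {service!r}")
    if service == "shell" and "cmd" not in pairs:
        problems.append("cmd= must be specified when service=shell")
    if "priv-lvl" in pairs:
        lvl = pairs["priv-lvl"]
        if not (lvl.isdigit() and 0 <= int(lvl) <= 15):
            problems.append(f"priv-lvl {lvl!r} outside 0..15")
    for attr in BOOLEAN_ATTRS:
        if attr in pairs and pairs[attr] not in ("true", "false"):
            problems.append(f"{attr} must be true or false")
    if "route" in pairs:
        parts = pairs["route"].split()
        if len(parts) not in (2, 3):
            problems.append('route must be "dst_address mask [gateway]"')
        else:
            for field in parts:
                try:
                    ipaddress.IPv4Address(field)
                except ValueError:
                    problems.append(f"route field {field!r} is not dotted-decimal")
    return problems


if __name__ == "__main__":
    # Constructed replies: one well-formed EXEC authorization, one that would
    # hand out an out-of-range privilege level and omits cmd=.
    for sample in ('service=shell cmd= priv-lvl=15 autocmd="telnet muruga.com"',
                   "service=shell priv-lvl=99"):
        print(sample, "->", validate(parse_av_pairs(sample)) or "ok")
```

Running the checks on the network access server side is the useful direction: the router trusts whatever the daemon returns, so a priv-lvl outside 0 through 15 or a route that is not dotted-decimal should be logged and the authorization treated as failed rather than silently applied.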
Examples

The following example specifies that TACACS+ authorization is used for all network-related requests. If this authorization method returns an error (that is, if the TACACS+ server cannot be contacted), no authorization is performed and the request succeeds.

aaa authorization network tacacs+ none

The following example specifies that TACACS+ authorization is run for level 15 commands. If this authorization method returns an error (that is, if the TACACS+ server cannot be contacted), no authorization is performed and the request succeeds.

aaa authorization command 15 tacacs+ none
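The two examples above depend on the distinction between a method that returns an error (the server could not be contacted) and one that fails (the server denied the request): only an error moves evaluation on to the next method in the list, so the trailing none keyword is a fallback for an unreachable server, not a way around a denial. The following Python model, which is an added example and not Cisco code, makes that walk explicit. The tacacs_plus stand-in and its permitted table are constructed for the example; treating a list that is exhausted on errors as a denial is a choice of this model.

```python
# Added example (not from the Cisco documentation): models how an AAA method
# list such as "aaa authorization network tacacs+ none" is evaluated.
from enum import Enum
from typing import Callable, Dict, List, Set


class Outcome(Enum):
    PASS = "pass"    # the method authorized the request
    FAIL = "fail"    # the method explicitly denied the request
    ERROR = "error"  # the method could not be consulted (server unreachable)


# A method takes (user, request) and returns an Outcome.
Method = Callable[[str, str], Outcome]


def tacacs_plus(server_reachable: bool, permitted: Dict[str, Set[str]]) -> Method:
    """Constructed stand-in for the tacacs+ method: 'permitted' maps a user to
    the requests the (hypothetical) server would authorize."""
    def method(user: str, request: str) -> Outcome:
        if not server_reachable:
            return Outcome.ERROR          # cannot contact the daemon
        if request in permitted.get(user, set()):
            return Outcome.PASS
        return Outcome.FAIL               # the server said no
    return method


def none_method(user: str, request: str) -> Outcome:
    """The 'none' keyword: no authorization is performed, so the request succeeds."""
    return Outcome.PASS


def evaluate(method_list: List[Method], user: str, request: str) -> Outcome:
    """Try methods in order; move to the next one only on ERROR.
    A FAIL stops the walk immediately, even if 'none' comes later."""
    outcome = Outcome.ERROR
    for method in method_list:
        outcome = method(user, request)
        if outcome is not Outcome.ERROR:
            break
    return outcome


def authorized(method_list: List[Method], user: str, request: str) -> bool:
    """Only PASS grants the request; exhausting the list on ERRORs denies it
    (a choice of this model)."""
    return evaluate(method_list, user, request) is Outcome.PASS


# Constructed sample data: a reachable and an unreachable TACACS+ server, and
# method lists shaped like the two examples above.
PERMITTED = {"alice": {"network", "command-15"}, "bob": {"network"}}
REACHABLE = tacacs_plus(True, PERMITTED)
UNREACHABLE = tacacs_plus(False, PERMITTED)
NETWORK_LIST_UP = [REACHABLE, none_method]      # tacacs+ none, server reachable
NETWORK_LIST_DOWN = [UNREACHABLE, none_method]  # tacacs+ none, server unreachable
STRICT_LIST_DOWN = [UNREACHABLE]                # no fallback method at all

if __name__ == "__main__":
    print("alice/network, server up:", authorized(NETWORK_LIST_UP, "alice", "network"))
    print("bob/command-15, server up:", authorized(NETWORK_LIST_UP, "bob", "command-15"))
    print("bob/command-15, server down:", authorized(NETWORK_LIST_DOWN, "bob", "command-15"))
    print("alice/network, server down, no fallback:", authorized(STRICT_LIST_DOWN, "alice", "network"))
```

Note how the third case grants a request that the second case denied: with the server down, the none method authorizes everything. That is the operational risk to weigh when you append none to a list.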
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

aaa accounting +
aaa new-model

aaa authorization config-commands

To disable AAA configuration command authorization in the EXEC mode, use the no form of the aaa authorization config-commands global configuration command. Use the standard form of this command to reestablish the default created when the aaa authorization command level method command was issued.

aaa authorization config-commands
no aaa authorization config-commands
Syntax Description

This command has no arguments or keywords.

Default

After the aaa authorization command level method has been issued, this command is enabled by default, meaning that all configuration commands in the EXEC mode will be authorized.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

If aaa authorization command level method is enabled, all commands, including configuration commands, are authorized by AAA using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using no aaa authorization config-commands stops the network access server from attempting configuration command authorization.

Once the no form of this command has been issued, AAA authorization of configuration commands is completely disabled. Care should be taken before issuing the no form of this command because it potentially reduces the amount of administrative control on configuration commands.

Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization command level method command.

Example

The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:

aaa new-model
aaa authorization command 15 tacacs+ none
no aaa authorization config-commands
Related Commands

aaa authorization

aaa new-model

To enable the AAA access control model, issue the aaa new-model global configuration command. Use the no form of this command to disable this functionality.

aaa new-model
no aaa new-model
Syntax Description

This command has no arguments or keywords.

Default

AAA is not enabled.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

This command enables the AAA access control system and TACACS+. If you initialize AAA functionality and later decide to use TACACS or extended TACACS, issue the no version of this command before you enable the version of TACACS that you want to use.

After enabling AAA/TACACS+ with the aaa new-model command, you must use the tacacs-server key command to set the authentication key used in all TACACS+ communications with the TACACS+ daemon.

Example

The following example initializes AAA and TACACS+:

aaa new-model
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

aaa accounting +
aaa authentication arap
aaa authentication enable default
aaa authentication local-override
aaa authentication login
aaa authentication ppp
aaa authorization
tacacs-server key

arap authentication

To enable AAA authentication for ARA on a line, use the arap authentication line configuration command. Use the no form of the command to disable authentication for an ARA line.

arap authentication {default | list-name}
no arap authentication {default | list-name}
Caution If you use a list-name value that was not configured with the aaa authentication arap command, ARA protocol will be disabled on this line.
Syntax Description
default Default list created with the aaa authentication arap command.
list-name Indicated list created with the aaa authentication arap command.
Default

ARA protocol authentication uses the default set with aaa authentication arap command. If no default is set, the local user database is checked.

Command Mode

Line configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.0.

This command is a per-line command that specifies the name of a list of AAA authentication methods to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line). You create defaults and lists with the aaa authentication arap command. Entering the no version of arap authentication has the same effect as entering the command with the default argument.

Before issuing this command, create a list of authentication processes by using the aaa authentication arap global configuration command.

Example

The following example specifies that the TACACS+ authentication list called MIS-access is used on ARA line 7:

line 7
arap authentication MIS-access
Related Command

aaa authentication arap

clear kerberos creds

Use the clear kerberos creds EXEC command to delete the contents of your credentials cache.

clear kerberos creds
Syntax Description

This command has no keywords or arguments.

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

Credentials are cleared when the user logs out.

Cisco supports Kerberos 5.

Example

The following example illustrates the clear kerberos creds command:

cisco-2500> show kerberos creds 
Default Principal: chet@cisco.com
Valid Starting          Expires                 Service Principal
18-Dec-1995 16:21:07    19-Dec-1995 00:22:24    krbtgt/CISCO.COM@CISCO.COM
cisco-2500> clear kerberos creds
cisco-2500> show kerberos creds 
No Kerberos credentials.
cisco-2500>
Related Command

show kerberos creds

enable last-resort

To specify what happens if the TACACS and extended TACACS servers used by the enable command do not respond, use the enable last-resort global configuration command. Use the no form of this command to restore the default.

enable last-resort {password | succeed}
no enable last-resort {password | succeed}
Syntax Description
password Allows you to enter enable mode by entering the privileged command level password. A password must contain from 1 to 25 uppercase and lowercase alphanumeric characters.
succeed Allows you to enter enable mode without further question.
Default

Access to enable mode is denied.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

The secondary authentication is used only if the first attempt fails.


Note This command is not used in AAA/TACACS+, which uses the aaa authentication suite of commands instead.
Example

In the following example, if the TACACS servers do not respond to the enable command, the user can enable by entering the privileged level password:

enable last-resort password
Related Command

A dagger (+) indicates that the command is documented outside this chapter.

enable +

enable use-tacacs

To enable use of the TACACS to determine whether a user can access the privileged command level, use the enable use-tacacs global configuration command. Use the no form of this command to disable TACACS verification.

enable use-tacacs
no enable use-tacacs
Caution If you use the enable use-tacacs command, you must also use the tacacs-server authenticate enable command, or you will be locked out of the privileged command level.
Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

When you add this command to the configuration file, the EXEC enable command prompts for a new username and password pair. This pair is then passed to the TACACS server for authentication. If you are using extended TACACS, it also passes any existing UNIX user identification code to the server.


Note This command initializes TACACS. Use the tacacs server-extended command to initialize extended TACACS, or use the aaa new-model command to initialize AAA/TACACS+.
Example

The following example sets TACACS verification on the privileged EXEC-level login sequence:

enable use-tacacs
tacacs-server authenticate enable
Related Command

A dagger (+) indicates that the command is documented outside this chapter.

tacacs-server authenticate enable +

ip radius source-interface

Use the ip radius source-interface global configuration command to force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets. Use the no form of this command to disable use of a specified interface IP address.

ip radius source-interface subinterface-name
no ip radius source-interface
Syntax Description
subinterface-name Name of the interface that RADIUS uses for all of its outgoing packets.
Default

This command has no factory-assigned default.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

Use this command to set a subinterface's IP address to be used as the source address for all outgoing RADIUS packets. This address is used as long as the interface is in the up state. In this way, the RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses.

This command is especially useful in cases where the router has many interfaces, and you want to ensure that all RADIUS packets from a particular router have the same IP address.

The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, then RADIUS reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.

Example

The following example makes RADIUS use the IP address of subinterface s2 for all outgoing RADIUS packets:

ip radius source-interface s2
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

ip tacacs source-interface +
ip telnet source-interface +
ip tftp source-interface +

ip tacacs source-interface

Use the ip tacacs source-interface global configuration command to force TACACS to use the IP address of a specified interface for all outgoing TACACS packets. Use the no form of this command to disable use of a specified interface IP address.

ip tacacs source-interface subinterface-name
no ip tacacs source-interface
Syntax Description
subinterface-name Name of the interface that TACACS uses for all of its outgoing packets.
Default

This command has no factory-assigned default.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

Use this command to set a subinterface's IP address for all outgoing TACACS packets. This address is used as long as the interface is in the up state. In this way, the TACACS server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.

This command is especially useful in cases where the router has many interfaces, and you want to ensure that all TACACS packets from a particular router have the same IP address.

The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, TACACS reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.

Example

The following example makes TACACS use the IP address of subinterface s2 for all outgoing TACACS (TACACS, extended TACACS, or TACACS+) packets:

ip tacacs source-interface s2
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

ip radius source-interface +
ip telnet source-interface +
ip tftp source-interface +

kerberos clients mandatory

Use the kerberos clients mandatory global configuration command to cause the rsh, rcp, rlogin, and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server. Use the no form of this command to disable this option.

kerberos clients mandatory
no kerberos clients mandatory
Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

If this command is not configured and the user has Kerberos credentials stored locally, the rsh, rcp, rlogin, and telnet commands attempt to negotiate the Kerberos protocol with the remote server and will use the un-Kerberized protocols if unsuccessful.

If this command is not configured and the user has no Kerberos credentials, the standard protocols for rcp and rsh are used to negotiate the Kerberos protocol.

Example

The following example illustrates the kerberos clients mandatory command:

kerberos clients mandatory
Related Commands

A dagger (+) indicates that this command is documented outside this chapter.

copy rcp +
kerberos credentials forward
rlogin +
rsh +
telnet +

kerberos credentials forward

Use the kerberos credentials forward global configuration command to force all network application clients on the router to forward users' Kerberos credentials upon successful Kerberos authentication. Use the no form of this command to turn off Kerberos credentials forwarding.

kerberos credentials forward
no kerberos credentials forward
Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Enable credentials forwarding to have users' TGTs forwarded to the host they authenticate to. In this way, users can connect to multiple hosts in the Kerberos realm without running the KINIT program each time they need to get a TGT.

Example

The following example illustrates the kerberos credentials forward command:

kerberos credentials forward 
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

copy rcp +
rlogin +
rsh +
telnet +

kerberos instance map

Use the kerberos instance map global configuration command to map Kerberos instances to Cisco IOS privilege levels. Use the no form of this command to remove a Kerberos instance map.

kerberos instance map instance privilege-level
no kerberos instance map instance
Syntax Description
instance Name of a Kerberos instance.
privilege-level The privilege level at which a user is set if the user's Kerberos principal contains the matching Kerberos instance. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges.
Default

Privilege level 1

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Use this command to create user instances with access to administrative commands.

Example

In the following example, the privilege level is set to 15 for authenticated Kerberos users with the admin instance in Kerberos realm cisco.com:

kerberos instance map admin 15
Related Command

aaa authorization

kerberos local-realm

Use the kerberos local-realm global configuration command to specify the Kerberos realm in which the router is located. Use the no form of this command to remove the specified Kerberos realm from this router.

kerberos local-realm kerberos-realm
no kerberos local-realm
Syntax Description
kerberos-realm The name of the default Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase letters.
Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

The router can be located in more than one realm at a time. However, there can only be one instance of Kerberos local-realm. The realm specified with this command is the default realm.

Example

The following example illustrates the kerberos local-realm command:

kerberos local-realm MURUGA.COM
Related Commands

kerberos preauth
kerberos realm
kerberos server
kerberos srvtab entry
kerberos srvtab remote

kerberos preauth

Use the kerberos preauth global configuration command to specify a preauthentication method to use to communicate with the KDC. Use the no form of this command to disable Kerberos preauthentication.

kerberos preauth [encrypted-unix-timestamp | none]
no kerberos preauth
Syntax Description
encrypted-unix-timestamp Use an encrypted UNIX timestamp as a quick authentication method when communicating with the KDC.
none Do not use Kerberos preauthentication.
Default

Disabled

Command Mode

Global Configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

It is more secure to use a preauthentication for communications with the KDC. However, communication with the KDC will fail if the KDC does not support this particular version of kerberos preauth. If that happens, turn off the preauthentication with the none option.

The no form of this command is equivalent to using the none keyword.

Example

The following example illustrates how to enable and disable Kerberos preauthentication:

kerberos preauth encrypted-unix-timestamp
kerberos preauth none 
Related Commands

kerberos local-realm
kerberos server
kerberos srvtab entry
kerberos srvtab remote

kerberos realm

Use the kerberos realm global configuration command to map a host name or Domain Naming System (DNS) domain to a Kerberos realm. Use the no form of this command to remove a Kerberos realm map.

kerberos realm {dns-domain | host} kerberos-realm
no kerberos realm {dns-domain | host} kerberos-realm
Syntax Description
dns-domain Name of a DNS domain or host.
host Name of a DNS host.
kerberos-realm Name of the Kerberos realm the specified domain or host belongs to.
Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

DNS domains are specified with a leading dot (.) character; host names cannot begin with a dot (.) character. You can enter multiple kerberos realm lines.

A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. Kerberos realm names must be in all uppercase characters. The router can be located in more than one realm at a time.

Example

The following example illustrates the kerberos realm command:

kerberos realm .muruga.com MURUGA.COM
kerberos realm muruga.com MURUGA.COM
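The two map lines above show the only syntactic distinction the page draws: a leading dot marks a DNS domain, anything else is a single host. The following Python lookup, an added example that is not Cisco code, applies those rules to a set of map lines and enforces the uppercase-realm requirement. Two details are assumptions of this example and are not stated on the page: an exact host entry takes precedence over a domain entry, the longest matching domain suffix wins, and a host that matches nothing is placed in the local realm.

```python
# Added example (not Cisco code): resolve a host name to a Kerberos realm from
# "kerberos realm" style map entries.
from typing import Dict, Optional, Tuple


class RealmMap:
    def __init__(self, local_realm: str):
        # Assumption: hosts that match no entry fall back to the local realm.
        self.local_realm = self._check_realm(local_realm)
        self.hosts: Dict[str, str] = {}    # "host.example.com" -> REALM
        self.domains: Dict[str, str] = {}  # ".example.com"     -> REALM

    @staticmethod
    def _check_realm(realm: str) -> str:
        """Realm names must be uppercase (page rule)."""
        if realm != realm.upper():
            raise ValueError(f"Kerberos realm must be uppercase: {realm!r}")
        return realm

    def add(self, name: str, realm: str) -> None:
        """Mirror 'kerberos realm {dns-domain | host} kerberos-realm'."""
        realm = self._check_realm(realm)
        if name.startswith("."):
            self.domains[name.lower()] = realm   # DNS domain suffix
        else:
            self.hosts[name.lower()] = realm     # single host

    def lookup(self, hostname: str) -> str:
        h = hostname.lower()
        if h in self.hosts:                      # assumption: exact host wins
            return self.hosts[h]
        best: Optional[Tuple[str, str]] = None
        for domain, realm in self.domains.items():
            # assumption: longest matching suffix wins among domain entries
            if h.endswith(domain) and (best is None or len(domain) > len(best[0])):
                best = (domain, realm)
        return best[1] if best else self.local_realm


def build_sample_map() -> RealmMap:
    """Constructed sample: the page's two MURUGA.COM lines plus a hypothetical
    sub-realm LAB.MURUGA.COM used only to show suffix precedence."""
    m = RealmMap("MURUGA.COM")
    m.add(".muruga.com", "MURUGA.COM")
    m.add("muruga.com", "MURUGA.COM")
    m.add(".lab.muruga.com", "LAB.MURUGA.COM")
    return m


if __name__ == "__main__":
    m = build_sample_map()
    for host in ("kdc.muruga.com", "muruga.com", "r1.lab.muruga.com", "elsewhere.example.com"):
        print(f"{host:28} -> {m.lookup(host)}")
```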
Related Commands

kerberos local-realm
kerberos server
kerberos srvtab entry
kerberos srvtab remote

kerberos server

Use the kerberos server global configuration command to specify the location of the Kerberos server for a given Kerberos realm. Use the no form of this command to remove a Kerberos server for a specified Kerberos realm.

kerberos server kerberos-realm {hostname | ip-address} [port-number]
no kerberos server kerberos-realm {hostname | ip-address}
Syntax Description
kerberos-realm Name of the Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase letters.
hostname Name of the host functioning as a Kerberos server for the specified Kerberos realm (translated into an IP address at the time of entry).
ip-address IP address of the host functioning as a Kerberos server for the specified Kerberos realm.
port-number (Optional) Port that the KDC/TGS monitors (defaults to 88).
Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

Example

The following example specifies 126.38.47.66 as the Kerberos server for the Kerberos realm MURUGA.COM:

kerberos server MURUGA.COM 126.38.47.66
Related Commands

kerberos local-realm
kerberos realm
kerberos srvtab entry
kerberos srvtab remote

kerberos srvtab entry

Use the kerberos srvtab remote global configuration command (not kerberos srvtab entry) to retrieve a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration. (The Kerberos SRVTAB entry is the router's locally stored SRVTAB.) Use the no form of this command to remove a SRVTAB entry from the router's configuration.

kerberos srvtab entry kerberos-principal principal-type timestamp key-version number key-type key-length encrypted-keytab
no kerberos srvtab entry kerberos-principal principal-type
Syntax Description
kerberos-principal A service on the router.
principal-type Version of the Kerberos SRVTAB.
timestamp Number representing the date and time the SRVTAB entry was created.
key-version number Version of the encryption key format.
key-type Type of encryption used.
key-length Length, in bytes, of the encryption key.
encrypted-keytab Secret key the router shares with the KDC. It is encrypted with the private Data Encryption Standard (DES) key (if available) when you write out your configuration.
Command Mode

Global configuration.

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

When you use the kerberos srvtab remote command to copy the SRVTAB file from a remote host (generally the KDC), it parses the information in this file and stores it in the router's running configuration in the kerberos srvtab entry format. The key for each SRVTAB entry is encrypted with a private DES key if one is defined on the router. To ensure that the SRVTAB is available (that is, that it does not need to be acquired from the KDC) when you reboot the router, use the write memory router configuration command to write the router's running configuration to NVRAM.

If you reload a configuration containing a SRVTAB encrypted with a private DES key onto a router that does not have a private DES key defined, the router displays a message informing you that the SRVTAB entry has been corrupted, and discards the entry.

If you change the private DES key and reload an old version of the router's configuration that contains SRVTAB entries encrypted with the old private DES key, the router will restore your Kerberos SRVTAB entries, but the SRVTAB keys will be corrupted. In this case, you must delete your old Kerberos SRVTAB entries and reload your Kerberos SRVTABs onto the router using the kerberos srvtab remote command.

Although you can configure kerberos srvtab entry on the router manually, generally you would not do this because the keytab is encrypted automatically by the router when you copy the SRVTAB using the kerberos srvtab remote command.

Example

In the following example, host/new-router.loki.com@LOKI.COM is the host, 0 is the type, 817680774 is the timestamp, 1 is the version of the key, 1 indicates the DES is the encryption type, 8 is the number of bytes, and .cCN.YoU.okK is the encrypted key:

kerberos srvtab entry host/new-router.loki.com@LOKI.COM 0 817680774 1 1 8 .cCN.YoU.okK
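The entry line above is positional, so a reviewer auditing a saved configuration has to count fields to know which number is the key version and which is the key type. The following parser, an added example that is not Cisco code, splits such a line into named fields using the field order given on this page, decodes the timestamp as seconds since the UNIX epoch (an assumption; the page only calls it a number representing the date and time), and rejects an entry whose DES key length is not 8 bytes. Only key type 1 is labelled, because DES is the only type the page names.

```python
# Added example (not Cisco code): parse "kerberos srvtab entry" configuration
# lines into named fields and sanity-check the key metadata.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# Key types as documented on this page: 1 means DES. Others are left unlabelled.
KEY_TYPE_NAMES = {1: "DES"}
PREFIX = ("kerberos", "srvtab", "entry")


@dataclass
class SrvtabEntry:
    principal: str          # service/host@REALM
    principal_type: int     # SRVTAB version
    timestamp: int          # creation time
    key_version: int
    key_type: int
    key_length: int         # bytes
    encrypted_keytab: str   # key as stored, encrypted with the private DES key

    @property
    def created(self) -> datetime:
        # Assumption: the timestamp counts seconds since the UNIX epoch.
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc)

    @property
    def key_type_name(self) -> str:
        return KEY_TYPE_NAMES.get(self.key_type, f"type-{self.key_type}")

    @property
    def realm(self) -> str:
        return self.principal.rsplit("@", 1)[1]


def parse_srvtab_entry(line: str) -> SrvtabEntry:
    """Split one entry line by the positional layout: principal, type, timestamp,
    key version, key type, key length, encrypted keytab."""
    tokens = line.split()
    if tuple(tokens[:3]) != PREFIX or len(tokens) != 10:
        raise ValueError(f"not a kerberos srvtab entry line: {line!r}")
    principal, ptype, ts, kver, ktype, klen, keytab = tokens[3:]
    if "@" not in principal:
        raise ValueError("principal must include a realm: service/host@REALM")
    if not principal.rsplit("@", 1)[1].isupper():
        raise ValueError("Kerberos realm names must be uppercase")
    entry = SrvtabEntry(principal, int(ptype), int(ts), int(kver),
                        int(ktype), int(klen), keytab)
    if entry.key_type == 1 and entry.key_length != 8:
        raise ValueError(f"DES keys are 8 bytes, got {entry.key_length}")
    return entry


def is_valid_entry(line: str) -> bool:
    try:
        parse_srvtab_entry(line)
        return True
    except ValueError:
        return False


def find_srvtab_entries(config_text: str) -> List[SrvtabEntry]:
    """Pull every srvtab entry out of a running configuration dump."""
    return [parse_srvtab_entry(l) for l in config_text.splitlines()
            if l.strip().startswith("kerberos srvtab entry")]


# The page's own example line, reused as sample input.
SAMPLE = "kerberos srvtab entry host/new-router.loki.com@LOKI.COM 0 817680774 1 1 8 .cCN.YoU.okK"

if __name__ == "__main__":
    e = parse_srvtab_entry(SAMPLE)
    print(e.principal, e.realm, e.created.isoformat(), e.key_type_name, e.key_length)
```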
Related Commands

kerberos srvtab remote
key config-key

kerberos srvtab remote

Use the kerberos srvtab remote configuration command to retrieve a krb5 SRVTAB file from the specified host.

kerberos srvtab remote {hostname | ip-address} filename
Syntax Description
hostname Machine with the Kerberos SRVTAB file.
ip-address IP address of the machine with the Kerberos SRVTAB file.
filename Name of the SRVTAB file.
Command Mode

Configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

When you use the kerberos srvtab remote command to copy the SRVTAB file from the remote host (generally the KDC), it parses the information in this file and stores it in the router's running configuration in the kerberos srvtab entry format. The key for each SRVTAB entry is encrypted with the private Data Encryption Standard (DES) key if one is defined on the router. To ensure that the SRVTAB is available (that is, that it does not need to be acquired from the KDC) when you reboot the router, use the write memory configuration command to write the router's running configuration to NVRAM.

Example

The command in the following example copies the SRVTAB file residing on bucket.cisco.com to a router named scooter.cisco.com:

kerberos srvtab remote bucket.cisco.com scooter.cisco.com-new-srvtab
Related Commands

kerberos srvtab entry
key config-key

key config-key

Use the key config-key global configuration command to define a private DES key for the router. Use the no form of this command to delete a private Data Encryption Standard (DES) key for the router.

key config-key 1 string
Syntax Description
string Private DES key (can be up to 8 alphanumeric characters).
Default

No DES-key defined.

Command Mode

Global configuration.

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

This command defines for the router a private DES key that will not show up in the router configuration. This private DES key can be used to DES-encrypt certain parts of the router's configuration.

Caution The private DES key is unrecoverable. If you encrypt part of your configuration with the private DES key and lose or forget the key, you will not be able to recover the encrypted data.
Example

The command in the following example sets bubba as the private DES key on the router:

key config-key 1 bubba
Related Commands

kerberos srvtab entry
kerberos srvtab remote

login tacacs

To configure your router to use TACACS user authentication, use the login tacacs line configuration command. Use the no form of this command to disable TACACS user authentication for a line.

login tacacs
no login tacacs
Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Line configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

You can use TACACS security if you have configured a TACACS server and you have a command control language (CCL) script that allows you to use TACACS security. For information about using files provided by Cisco Systems to modify CCL scripts to support TACACS user authentication, refer to the "Configuring AppleTalk Remote Access" chapter in the Access Services Configuration Guide.


Note This command cannot be used with AAA/TACACS+. Use the login authentication command instead.
Example

In the following example, lines 1 through 16 are configured for TACACS user authentication:

line 1 16
login tacacs

nasi authentication

To enable TACACS+ authentication for NetWare Asynchronous Services Interface (NASI) clients connecting to a router, use the nasi authentication line configuration command. Use the no form of the command to return to the default, as specified by the aaa authentication nasi command.

nasi authentication {default | list-name}
no nasi authentication {default | list-name}
Syntax Description
default Uses the default list created with the aaa authentication nasi command.
list-name Uses the list created with the aaa authentication nasi command.
Default

Uses the default set with the aaa authentication nasi command.

Command Mode

Line configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

This command is a per-line command used with AAA authentication that specifies the name of a list of TACACS+ authentication methods to try at login. If no list is specified, the default list is used, even if it is specified in the command line. (You create defaults and lists with the aaa authentication nasi command.) Entering the no form of this command has the same effect as entering the command with the default argument.

Caution If you use a list-name value that was not configured with the aaa authentication nasi command, you will disable login on this line.

Before issuing this command, create a list of authentication processes by using the aaa authentication nasi global configuration command.

Examples

The following example specifies that the default AAA authentication be used on line 4:

line 4
nasi authentication default

The following example specifies that the AAA authentication list called list1 be used on line 7:

line 7
nasi authentication list1
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

aaa authentication nasi
ipx nasi-server enable +
show ipx nasi connections +
show ipx spx-protocol +

ppp authentication

To enable Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP) or both and to specify the order in which CHAP and PAP authentication are selected on the interface, use the ppp authentication interface configuration command. Use the no form of the command to disable this authentication.

ppp authentication {chap | chap pap | pap chap | pap} [if-needed] [list-name | default] [callin]
no ppp authentication
Syntax Description
chap Enables CHAP on a serial interface.
pap Enables PAP on a serial interface.
chap pap Enables both CHAP and PAP, and performs CHAP authentication before PAP.
pap chap Enables both CHAP and PAP, and performs PAP authentication before CHAP.
if-needed (Optional) Used with TACACS and extended TACACS. Does not perform CHAP or PAP authentication if the user has already provided authentication. This option is available only on asynchronous interfaces.
list-name (Optional) Used with AAA/TACACS+. Specifies the name of a list of TACACS+ methods of authentication to use. If no list name is specified, the system uses the default. The list is created with the aaa authentication ppp command.
default The name of the method list is created with the aaa authentication ppp command.
callin Specifies authentication on incoming (received) calls only.
Caution If you use a list-name value that was not configured with the aaa authentication ppp command, you will disable PPP on this interface.
Default

PPP authentication is not enabled.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

When you enable CHAP or PAP authentication, or both, the local router requires the remote device to prove its identity before allowing data traffic to flow. PAP authentication requires the remote device to send a name and password, which is checked against a matching entry in the local username database or in the remote TACACS/TACACS+ database. CHAP authentication sends a Challenge to the remote device. The remote device encrypts the challenge value with a shared secret and returns the encrypted value and its name to the local router in a Response message. The local router attempts to match the remote device's name with an associated secret stored in the local username or remote TACACS/TACACS+ database; it uses the stored secret to encrypt the original challenge and verify that the encrypted values match.

You can enable PAP or CHAP, or both, in either order. If you enable both methods, the first method specified is requested during link negotiation. If the peer suggests using the second method, or refuses the first method, the second method is tried. Some remote devices support only CHAP, and some support only PAP. Base the order in which you specify methods on the remote device's ability to correctly negotiate the appropriate method, and on the level of data line security you require. PAP usernames and passwords are sent as cleartext strings, which can be intercepted and reused. CHAP sends only a hash computed over a fresh random challenge, so a captured exchange cannot simply be replayed; this closes most of the known weaknesses of PAP. Note that CHAP requires both ends to hold the secret in recoverable form (for example, a type 7 password in the username database), so protect the router configuration accordingly.

Enabling or disabling PPP authentication does not affect the local router's willingness to authenticate itself to the remote device.

If you are using autoselect on a TTY line, you probably want to use the ppp authentication command to turn on PPP authentication for the corresponding interface.

Example

The following example enables CHAP on asynchronous interface 4 and uses the authentication list MIS-access:

interface async 4
encapsulation ppp
ppp authentication chap MIS-access
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

aaa authentication ppp
aaa new-model
autoselect +
encapsulation ppp +
ppp use-tacacs
username +

ppp chap hostname

Use the ppp chap hostname interface configuration command to create a pool of dialup routers that all appear to be the same host when authenticating with CHAP. To disable this function, use the no form of the command.

ppp chap hostname hostname
no ppp chap hostname hostname
Syntax Description
hostname The name sent in the CHAP challenge.
Default

Disabled. The router name is sent in any CHAP challenges.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Currently, a router dialing a pool of access routers requires a username entry for each possible router in the pool because each router challenges with its hostname. If a router is added to the dialup rotary pool, all connecting routers must be updated. The ppp chap hostname command allows you to specify a common alias for all routers in a rotary group to use so that only one username must be configured on the dialing routers.

This command is normally used with local CHAP authentication (when the router authenticates the peer and sends the alias in its challenge), but the alias is also sent in this router's responses, so it applies to remote CHAP authentication (when the router authenticates to the peer) as well.

Example

The commands in the following example identify dialer interface 0 as the dialer rotary group leader and specify PPP as the method of encapsulation used by all member interfaces. CHAP authentication is used on received calls only. The username ISPCorp is sent in all CHAP challenges and responses.

interface dialer 0
encapsulation ppp
ppp authentication chap callin
ppp chap hostname ISPCorp
Related Commands

aaa authentication ppp
ppp authentication
ppp chap password
ppp pap

ppp chap password

Use the ppp chap password interface configuration command to configure a common CHAP secret that the router uses in its response to a challenge from a peer for which it has no username entry. This lets a router that calls a collection of routers which each challenge with their own name (for example, routers running older Cisco IOS software images that do not support a common CHAP hostname) authenticate to all of them with one secret instead of one username entry per peer. To disable this function, use the no form of this command.

ppp chap password secret
no ppp chap password secret
Syntax Description
secret The secret used to compute the response value for any CHAP challenge from an unknown peer.
Default

Disabled.

Command Mode

Interface configuration.

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

This command allows you to replace several username and password configuration commands with a single copy of this command on any dialer interface or asynchronous group interface.

This command is used for remote CHAP authentication only (when routers authenticate to the peer) and does not affect local CHAP authentication.
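The following Python model, added here as an example and not part of Cisco IOS or this manual, plays through the CHAP exchange described under ppp authentication together with the ppp chap hostname alias and the ppp chap password fallback from these two sections. The router names, pool alias, branch names and secrets are constructed for the example. Two access routers in a pool challenge as ISPCorp, so the dialing router needs a single username entry (or none at all, if it has a fallback secret); a wrong secret fails verification. A small PAP helper shows the cleartext a PAP request would carry instead.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response Value: MD5(Identifier || secret || Challenge Value).

    Only this one-way hash crosses the link; the secret itself never does.
    """
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Router:
    """CHAP-relevant configuration of one router on one interface (a model,
    not IOS internals): the username database, the optional
    'ppp chap hostname' alias and the optional 'ppp chap password' fallback."""

    def __init__(self, hostname, usernames, chap_hostname=None, chap_password=None):
        self.hostname = hostname                # global 'hostname'
        self.usernames = dict(usernames)        # 'username NAME password SECRET'
        self.chap_hostname = chap_hostname      # 'ppp chap hostname ALIAS'
        self.chap_password = chap_password      # 'ppp chap password SECRET'

    def name_on_wire(self):
        # ppp chap hostname replaces the router name in challenges and responses
        return self.chap_hostname or self.hostname

    def make_challenge(self):
        ident, value = os.urandom(1)[0], os.urandom(16)   # fresh per challenge
        return ident, value, self.name_on_wire()

    def make_response(self, ident, value, challenger_name):
        """Remote authentication: this router proves itself to the peer."""
        secret = self.usernames.get(challenger_name)
        if secret is None:
            # unknown peer: fall back to the ppp chap password secret, if set
            secret = self.chap_password
        if secret is None:
            return None
        return ident, chap_response(ident, secret, value), self.name_on_wire()

    def verify_response(self, ident, value, response_value, responder_name):
        """Local authentication: this router checks the peer's response."""
        secret = self.usernames.get(responder_name)
        if secret is None:
            return False
        expected = chap_response(ident, secret, value)
        return hmac.compare_digest(expected, response_value)


def chap_exchange(authenticator: Router, peer: Router) -> bool:
    """One direction of CHAP: Challenge, Response, verification."""
    ident, value, challenger_name = authenticator.make_challenge()
    reply = peer.make_response(ident, value, challenger_name)
    if reply is None:
        return False
    reply_ident, response_value, responder_name = reply
    if reply_ident != ident:        # the Response must echo the Challenge Identifier
        return False
    return authenticator.verify_response(ident, value, response_value, responder_name)


def pap_request_on_wire(username: bytes, password: bytes) -> bytes:
    """Payload of a PAP Authenticate-Request: both fields in cleartext."""
    return bytes([len(username)]) + username + bytes([len(password)]) + password


SECRET = b"p00l-s3cret"   # constructed example secret, shared by both ends


def demo():
    # Two access routers in a dialer rotary pool, both challenging as ISPCorp
    pool = [Router(f"access-rtr-{i}", {"branch1": SECRET, "branch2": SECRET},
                   chap_hostname="ISPCorp") for i in (1, 2)]
    # Dialing router with a single 'username ISPCorp' entry for the whole pool
    branch1 = Router("branch1", {"ISPCorp": SECRET})
    # Dialing router with no entry for ISPCorp but a 'ppp chap password' fallback
    branch2 = Router("branch2", {}, chap_password=SECRET)
    # Same name as branch2, wrong fallback secret
    impostor = Router("branch2", {}, chap_password=b"guess")
    return {
        "branch1_to_pool": [chap_exchange(ar, branch1) for ar in pool],
        "branch2_fallback": chap_exchange(pool[0], branch2),
        "wrong_secret": chap_exchange(pool[0], impostor),
        "no_secret_at_all": chap_exchange(pool[0], Router("branch1", {})),
        "pap_leaks_password": SECRET in pap_request_on_wire(b"branch1", SECRET),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The verification uses a constant-time comparison; the point the model makes is that the pool members only need the dialing routers' names in their username database, while each dialing router needs either the alias entry or the fallback secret, and nothing else.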

Example

The commands in the following example specify Integrated Services Digital Network (ISDN) Basic Rate Interface (BRI) number 0. The method of encapsulation on the interface is PPP. If a CHAP challenge is received from a peer whose name is not found in the global list of usernames, the type 7 encrypted secret 1234567891 is decrypted and used to create the CHAP response value.

interface bri 0
encapsulation ppp
ppp chap password 7 1234567891
Related Commands

aaa authentication ppp
ppp authentication
ppp chap hostname
ppp pap

ppp pap sent-username

To reenable remote PAP support for an interface and use the sent-username and password in the PAP authentication request packet to the peer, use the ppp pap sent-username interface configuration command. Use the no form of this command to disable remote PAP support.

ppp pap sent-username username password password
no ppp pap sent-username

Syntax Description
username Username sent in the PAP authentication request.
password Password sent in the PAP authentication request. Must contain from 1 to 25 uppercase and lowercase alphanumeric characters.
Default

Remote PAP support disabled.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Use this command to reenable remote PAP support (for example to respond to the peer's request to authenticate with PAP) and to specify the parameters to be used when sending the PAP Authentication Request.

This is a per-interface command.

Example

The commands in the following example identify dialer interface 0 as the dialer rotary group leader and specify PPP as the method of encapsulation used by the interface. Authentication is by CHAP or PAP on received calls only. ISPCorp is the username sent to the peer if the peer requires the router to authenticate with PAP.

interface dialer 0
encapsulation ppp
ppp authentication chap pap callin
ppp chap hostname ISPCorp
ppp pap sent-username ISPCorp password 7 1123659238
Related Commands

aaa authentication ppp
ppp authentication
ppp chap hostname
ppp chap password
ppp use-tacacs

ppp use-tacacs

To enable TACACS for PPP authentication, use the ppp use-tacacs interface configuration command. Use the no form of the command to disable TACACS for PPP authentication.

ppp use-tacacs [single-line]
no ppp use-tacacs

Note This command is not used in AAA/TACACS+. It has been replaced with the aaa authentication ppp command.
Syntax Description
single-line (Optional) Accept the username and password in the username field. This option applies only when using CHAP authentication.
Default

TACACS is not used for PPP authentication.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

This is a per-interface command. Use this command only when you have set up an extended TACACS server.

When CHAP authentication is being used, the ppp use-tacacs command with the single-line option specifies that if a username and password are specified in the username, separated by an asterisk (*), a standard TACACS login query is performed using that username and password. If the username does not contain an asterisk, then normal CHAP authentication is performed.

This feature is useful when integrating TACACS with other authentication systems that require a cleartext version of the user's password. Such systems include one-time password systems, token card systems, and Kerberos.

Caution Normal CHAP authentications prevent the cleartext password from being transmitted over the link. When you use the single-line option, passwords cross the link as cleartext.

If the username and password are contained in the CHAP password, the CHAP secret is not used by the Cisco IOS software. Because most PPP clients require that a secret be specified, you can use any arbitrary string, and the Cisco IOS software ignores it.

Examples

In the following example, asynchronous serial interface 1 is configured to use TACACS for CHAP authentication:

interface async 1
ppp authentication chap
ppp use-tacacs

In the following example, asynchronous serial interface 1 is configured to use TACACS for PAP authentication:

interface async 1
ppp authentication pap
ppp use-tacacs
Related Commands

ppp authentication
tacacs-server extended
tacacs-server host

radius-server dead-time

To improve RADIUS response times when some servers might be unavailable, use the radius-server dead-time global configuration command to cause the unavailable servers to be skipped immediately. Use the no form of this command to set dead-time to 0.

radius-server dead-time minutes
no radius-server dead-time
Syntax Description
minutes Length of time a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).
Default

Dead time is set to 0.

Command Mode

Global configuration

Usage Guidelines

Use this command to cause the Cisco IOS software to mark as "dead" any RADIUS server that fails to respond to authentication requests, so that later requests do not wait for that server to time out before trying the next configured server. A server marked "dead" is skipped by further requests for the configured number of minutes; if every configured server is marked "dead," the dead servers are tried anyway.

Example

The following example specifies 5 minutes dead-time for RADIUS servers that fail to respond to authentication requests.

radius-server dead-time 5
Related Commands

radius-server host
radius-server retransmit
radius-server timeout

radius-server host

To specify a RADIUS server host, use the radius-server host global configuration command. Use the no form of this command to delete the specified RADIUS host.

radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number]
no radius-server host {hostname | ip-address}
Syntax Description
hostname DNS name of the RADIUS server host.
ip-address IP address of the RADIUS server host.
auth-port Specifies the UDP destination port for authentication requests.
port-number Port number for authentication requests; the host is not used for authentication if set to 0.
acct-port Specifies the UDP destination port for accounting requests.
port-number Port number for accounting requests; the host is not used for accounting if set to 0.
Default

No RADIUS host is specified.

Command Mode

Global configuration

Usage Guidelines

You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order you specify them.

Example

The following example specifies host1 as the RADIUS server and uses default ports for both accounting and authentication.

radius-server host host1.company.com

The following example specifies port 12 as the destination port for authentication requests and port 16 as the destination port for accounting requests on a RADIUS host named host1:

radius-server host host1.company.com auth-port 12 acct-port 16

Note that because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.

To use separate servers for accounting and authentication, use the zero port value as appropriate. The following example specifies that RADIUS server host1 be used for accounting but not for authentication, and that RADIUS server host2 be used for authentication but not for accounting:

radius-server host host1.company.com auth-port 0
radius-server host host2.company.com acct-port 0
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

aaa accounting +
aaa authentication
aaa authorization
login authentication +
login tacacs
ppp +
ppp authentication
slip +
tacacs-server
username +

radius-server key

Use the radius-server key global configuration command to set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon. Use the no form of the command to disable the key.

radius-server key {string}
no radius-server key
Syntax Description
string The key used for authentication and encryption. This key must match the key configured on the RADIUS daemon.
Default

Disabled

Command Mode

Global Configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

After enabling AAA authentication with the aaa new-model command, you must set the authentication and encryption key using the radius-server key command.


Note Specify a RADIUS key after you issue the aaa new-model command.

The key entered must match the key used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
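The following Python example, added here and not Cisco code, shows what the radius-server key is used for on the wire, following RFC 2865: hiding the User-Password attribute of an Access-Request and computing the Response Authenticator that lets the router check that a reply came from a daemon holding the same key. The daemon, its user database, the packet identifier and the keys are all constructed for the example; the second run gives the daemon a key with a trailing space, which the note above says is part of the key, and shows that the password can no longer be recovered and the reply no longer verifies.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret || previous block); the first block uses the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += prev
    return hidden


def reveal_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; the padding nulls are stripped."""
    clear, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_access_request(secret, ident, username, password):
    request_authenticator = os.urandom(16)      # fresh random value per request
    attrs = attribute(USER_NAME, username) + attribute(
        USER_PASSWORD, hide_password(secret, request_authenticator, password))
    return packet(ACCESS_REQUEST, ident, request_authenticator, attrs), request_authenticator


def daemon_handle(secret, users, request):
    """Constructed RADIUS daemon: unhide the password, check it, sign the reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_authenticator = request[4:20]
    attrs = parse_attributes(request[20:length])
    password = reveal_password(secret, request_authenticator, attrs[USER_PASSWORD])
    code = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    auth = response_authenticator(code, ident, b"", request_authenticator, secret)
    return packet(code, ident, auth, b"")


def client_verify(secret, request_authenticator, response):
    """The router's check that the reply came from a daemon holding the same key."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, response[20:length],
                                      request_authenticator, secret)
    return code, hmac.compare_digest(expected, response[4:20])


def demo():
    users = {b"alice": b"dare-to-go-pw"}       # constructed user database on the daemon
    router_key = b"dare to go"
    results = {}
    for name, daemon_key in (("same_key", b"dare to go"),
                             ("trailing_space_on_daemon", b"dare to go ")):
        request, ra = build_access_request(router_key, 7, b"alice", b"dare-to-go-pw")
        results[name] = client_verify(router_key, ra, daemon_handle(daemon_key, users, request))
    return results


if __name__ == "__main__":
    print(demo())   # same key: (2, True); mismatched key: (3, False)
```

With a mismatched key the daemon decodes garbage and rejects, and the router cannot even authenticate the rejection, so a key mismatch looks like a silent authentication failure rather than a configuration error.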

Example

The following example illustrates how to set the authentication and encryption key to "dare to go":

radius-server key dare to go
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

login authentication +
login tacacs
ppp +
ppp authentication
slip +
tacacs-server
username +

radius-server retransmit

To specify the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up, use the radius-server retransmit global configuration command. Use the no form of this command to disable retransmission.

radius-server retransmit retries
no radius-server retransmit
Syntax Description
retries Maximum number of retransmission attempts.
Default

Three retries

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

The Cisco IOS software tries all servers, allowing each one to time out before increasing the retransmit count.
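The following Python model, added as an example and not Cisco code, plays through the server-selection rules described for radius-server host, radius-server dead-time, radius-server retransmit and radius-server timeout: hosts are tried in configuration order, a host with a zero port is skipped for that request type, a host that times out is marked dead for the dead-time and skipped unless every host is dead, and each pass over the list lets every host time out before the retransmit count is consumed. It assumes that the retransmit count means one initial pass plus that many further passes, and it uses a constructed clock and transport so that no server is contacted.

```python
import time
from dataclasses import dataclass


@dataclass
class RadiusServer:
    host: str
    auth_port: int = 1645      # 'auth-port 0' means never use this host for authentication
    acct_port: int = 1646      # 'acct-port 0' means never use this host for accounting
    dead_until: float = 0.0    # clock time until which the host is skipped


class RadiusClientModel:
    """Server selection modelled on the command descriptions above (not IOS code)."""

    def __init__(self, servers, timeout=5, retransmit=3, dead_time_minutes=0,
                 clock=time.monotonic):
        self.servers = list(servers)          # order of the radius-server host lines
        self.timeout = timeout                # radius-server timeout (seconds)
        self.retransmit = retransmit          # radius-server retransmit
        self.dead_time = dead_time_minutes * 60   # radius-server dead-time
        self.clock = clock

    def _candidates(self, kind):
        port = "auth_port" if kind == "auth" else "acct_port"
        usable = [s for s in self.servers if getattr(s, port) != 0]
        now = self.clock()
        alive = [s for s in usable if s.dead_until <= now]
        return alive or usable      # all dead: try the dead ones anyway

    def request(self, kind, payload, send):
        """One initial pass plus `retransmit` further passes over the list
        (assumption). `send(server, kind, payload, timeout)` returns a reply,
        or None when the server did not answer within the timeout."""
        attempts = []
        for _ in range(self.retransmit + 1):
            for server in self._candidates(kind):
                attempts.append(server.host)
                reply = send(server, kind, payload, self.timeout)
                if reply is not None:
                    return reply, attempts
                if self.dead_time:
                    server.dead_until = self.clock() + self.dead_time
        return None, attempts


class FakeClock:
    """Constructed clock so the example runs instantly and deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def make_fake_send(clock, silent_hosts):
    """Constructed transport: silent hosts burn the whole timeout and never reply."""
    def send(server, kind, payload, timeout):
        if server.host in silent_hosts:
            clock.advance(timeout)
            return None
        return f"{kind} reply from {server.host}"
    return send


HOST1, HOST2, ACCT = "host1.company.com", "host2.company.com", "acct-only.company.com"


def demo():
    results = {}
    # Scenario 1: host1 is down, dead-time 5 minutes
    clock = FakeClock()
    client = RadiusClientModel(
        [RadiusServer(HOST1), RadiusServer(HOST2), RadiusServer(ACCT, auth_port=0)],
        timeout=5, retransmit=3, dead_time_minutes=5, clock=clock)
    send = make_fake_send(clock, {HOST1})
    results["first"] = client.request("auth", "alice", send)[1]            # host1 times out, host2 answers
    results["within_dead_time"] = client.request("auth", "bob", send)[1]   # host1 skipped
    clock.advance(5 * 60)
    results["after_dead_time"] = client.request("auth", "carol", send)[1]  # host1 tried again

    # Scenario 2: same outage, dead-time 0 (the default): every request waits on host1
    clock2 = FakeClock()
    client2 = RadiusClientModel([RadiusServer(HOST1), RadiusServer(HOST2)], clock=clock2)
    send2 = make_fake_send(clock2, {HOST1})
    results["no_dead_time"] = [client2.request("auth", u, send2)[1] for u in ("alice", "bob")]

    # Scenario 3: only the accounting-only host is up
    clock3 = FakeClock()
    client3 = RadiusClientModel(
        [RadiusServer(HOST1), RadiusServer(HOST2), RadiusServer(ACCT, auth_port=0)],
        dead_time_minutes=5, clock=clock3)
    send3 = make_fake_send(clock3, {HOST1, HOST2})
    results["auth_all_down"] = client3.request("auth", "dave", send3)       # (None, 8 attempts)
    results["acct_after_outage"] = client3.request("acct", "dave", send3)[1]  # only ACCT alive
    return results


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Scenario 2 is the practical reason for setting a dead-time: with the default of 0, every authentication pays the full timeout on the failed host before reaching the working one. Scenario 3 shows the authentication-only outage taking four passes of two timeouts each (40 seconds with the defaults) before the router gives up, and then the accounting request going straight to the host that the zero auth-port kept out of authentication.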

Example

The following example specifies a retransmit counter value of five times:

radius-server retransmit 5

radius-server timeout

To set the interval a router waits for a server host to reply, use the radius-server timeout global configuration command. Use the no form of this command to restore the default.

radius-server timeout seconds
no radius-server timeout
Syntax Description
seconds Integer that specifies the timeout interval in seconds.
Default

5 seconds

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

Example

The following example changes the interval timer to 10 seconds:

radius-server timeout 10
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

login authentication +
login tacacs
ppp +
ppp authentication +
slip +
tacacs-server +
username +

show kerberos creds

Use the show kerberos creds EXEC command to display the contents of your credentials cache.

show kerberos creds
Syntax Description

This command has no keywords or arguments.

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

The show kerberos creds command is equivalent to the UNIX klist command.

When users authenticate themselves with Kerberos, they are issued an authentication ticket called a credential. The credential is stored in a credential cache.

Sample Displays

In the following example, the entries in the credentials cache are displayed:

Router> show kerberos creds 
Default Principal: chet@cisco.com
Valid Starting          Expires                 Service Principal
18-Dec-1995 16:21:07    19-Dec-1995 00:22:24    krbtgt/CISCO.COM@CISCO.COM

In the following example, output is returned that acknowledges that credentials do not exist in the credentials cache:

Router> show kerberos creds
No Kerberos credentials
Related Command

clear kerberos creds

show privilege

To display your current level of privilege, use the show privilege EXEC command.

show privilege
Syntax Description

This command has no arguments or keywords.

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

Sample Display

The following is sample output from the show privilege command. The current privilege level is 15.

Router# show privilege
Current privilege level is 15
Related Command

A dagger (+) indicates that the command is documented outside this chapter.

enable password +

tacacs-server key

Use the tacacs-server key global configuration command to set the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon. Use the no form of the command to disable the key.

tacacs-server key key
no tacacs-server key [key]
Syntax Description
key Key used to set authentication and encryption. This key must match the key used on the TACACS+ daemon.
Command Mode

Global Configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

After enabling AAA with the aaa new-model command, you must set the authentication and encryption key using the tacacs-server key command.

The key entered must match the key used on the TACACS+ daemon. All leading spaces are ignored; spaces within and at the end of the key are not. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
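The following Python example, added here and not Cisco code, shows what the tacacs-server key does on the wire: the TACACS+ protocol (RFC 8907, section 4.5, which documents the original Cisco draft) hides each packet body by XORing it with a pseudo-pad of chained MD5 digests seeded with the session id, the key, the version and the sequence number. The session id, user name and password are constructed for the example. Opening the packet with a key that differs by a trailing space yields garbage, and a packet built with no key at all carries the password in the clear.

```python
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC0           # major version 12, minor version 0
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # body sent in the clear (no key configured)
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id || key || version || seq_no),
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1});
    the pad is the concatenation, truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def build_packet(key: bytes, session_id: int, seq_no: int, body: bytes,
                 ptype: int = TAC_PLUS_AUTHEN) -> bytes:
    """Wrap a body in a TACACS+ header; XOR it with the pad when a key is set."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    header = HEADER.pack(TAC_PLUS_MAJOR_VER, ptype, seq_no, flags, session_id, len(body))
    if key:
        pad = pseudo_pad(session_id, key, TAC_PLUS_MAJOR_VER, seq_no, len(body))
        body = bytes(b ^ p for b, p in zip(body, pad))
    return header + body


def open_packet(key: bytes, packet: bytes) -> bytes:
    """Recover the body using the key the receiver has configured."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start(user: bytes, password: bytes, port: bytes = b"tty1",
                 rem_addr: bytes = b"") -> bytes:
    """Authentication START body for a PAP login: action LOGIN (1), priv_lvl 1,
    authen_type PAP (2), service LOGIN (1); the password travels in the data field."""
    fixed = struct.pack("!BBBBBBBB", 1, 1, 2, 1,
                        len(user), len(port), len(rem_addr), len(password))
    return fixed + user + port + rem_addr + password


def demo():
    key = b"dare to go"                      # the key from the example above
    session_id, seq_no = 0x1A2B3C4D, 1       # constructed values
    body = authen_start(b"alice", b"s3cret-pw")
    obfuscated = build_packet(key, session_id, seq_no, body)
    cleartext = build_packet(b"", session_id, seq_no, body)   # no tacacs-server key set
    return {
        "roundtrip_same_key": open_packet(key, obfuscated) == body,
        "trailing_space_key_garbles": open_packet(b"dare to go ", obfuscated) == body,
        "password_visible_without_key": b"s3cret-pw" in cleartext,
        "password_visible_with_key": b"s3cret-pw" in obfuscated,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The pad is a keyed stream, not an authenticated cipher: anyone who captures a packet whose body they can guess recovers the pad for that session and sequence number. The key therefore protects credentials from casual capture and ties each side to the same secret, but it is not a substitute for keeping the router-to-daemon path on a trusted network.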

Example

The following example illustrates how to set the authentication and encryption key to "dare to go":

tacacs-server key dare to go
Related Commands

aaa new-model
tacacs-server host

tacacs-server login-timeout

To specify how long the system will wait for login input (such as username and password) before timing out, use the tacacs-server login-timeout global configuration command. Use the no form of this command to restore the default value of 30 seconds.

tacacs-server login-timeout seconds
no tacacs-server login-timeout seconds
Syntax Description
seconds Integer that determines the number of seconds the system will wait for login input before timing out. Available settings are from 1 to 300 seconds.
Default

The default login timeout value is 30 seconds.

Command Mode

Global configuration

Usage Guidelines

With aaa new-model enabled, the default login timeout value is 30 seconds. The tacacs-server login-timeout command lets you change this timeout value from 1 to 300 seconds. To restore the default login timeout value of 30 seconds, use the no tacacs-server login-timeout command.

Example

The following example changes the login timeout value to 60 seconds:

tacacs-server login-timeout 60

tacacs-server authenticate

To configure the Cisco IOS software to indicate whether a user can perform an attempted action under TACACS and extended TACACS, use the tacacs-server authenticate global configuration command.

tacacs-server authenticate {connection [always] | enable | slip [always] [access-lists]}
Syntax Description
connection Configures a required response when a user makes a TCP connection.
enable Configures a required response when a user enters the enable command.
slip Configures a required response when a user starts a SLIP or PPP session.
always (Optional) Performs authentication even when a user is not logged in. This option only applies to the slip keyword.
access-lists (Optional) Requests and installs access lists. This option only applies to the slip keyword.
Command Mode

Global configuration

Usage Guidelines

The tacacs-server authenticate {connection | enable} command first appeared in Cisco IOS Release 10.0. The tacacs-server authenticate {connection [always] | enable | slip [always] [access-lists]} command first appeared in Cisco IOS Release 10.3.

Enter one of the keywords to specify the action (when a user enters enable mode, for example).

Before you use the tacacs-server authenticate command, you must enable the tacacs-server extended command.


Note This command is not used in AAA/TACACS+. It has been replaced by the aaa authorization command.
Example

The following example requires a TACACS response before a logged-in user can make an outgoing TCP connection (for example with Telnet or rlogin):

tacacs-server authenticate connection
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

enable secret +
enable use-tacacs

tacacs-server directed-request

To send only a username to a specified server when a direct request is issued, use the tacacs-server directed-request global configuration command. Use the no form of this command to disable the direct-request feature.

tacacs-server directed-request
no tacacs-server directed-request
Syntax Description

This command has no arguments or keywords.

Default

Enabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

This command sends only the portion of the username before the "@" symbol to the host specified after the "@" symbol. In other words, with the directed-request feature enabled, you can direct a request to any of the configured servers, and only the username is sent to the specified server.

Disabling tacacs-server directed-request causes the whole string, both before and after the "@" symbol, to be sent to the default TACACS server. When the directed-request feature is disabled, the router queries the list of servers, starting with the first one in the list, sending the whole string, and accepting the first response that it gets from the server. The tacacs-server directed-request command is useful for sites that have developed their own TACACS server software that parses the whole string and makes decisions based on it.

With tacacs-server directed-request enabled, the user can name only a configured TACACS server after the "@" symbol. If the host specified by the user does not match the name or IP address of a TACACS server configured by the administrator, the user input is rejected.

Use no tacacs-server directed-request to disable the ability of the user to choose between configured TACACS servers and to cause the entire string to be passed to the default server.

Example

The following example disables the directed-request feature so that the entire user input, including any "@" portion, is passed to the default TACACS server:

no tacacs-server directed-request

tacacs-server extended

To enable an extended TACACS mode, use the tacacs-server extended global configuration command. Use the no form of this command to disable the mode.

tacacs-server extended
no tacacs-server extended
Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

This command initializes extended TACACS. To initialize AAA/TACACS+, use the aaa new-model command.

Example

The following example enables extended TACACS mode:

tacacs-server extended

tacacs-server host

To specify a TACACS host, use the tacacs-server host global configuration command. Use the no form of this command to delete the specified name or address.

tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]
no tacacs-server host hostname
Syntax Description
hostname Name or IP address of the host.
single-connection Specify that the router maintain a single open connection for confirmation from a AAA/TACACS+ server (CiscoSecure Release 1.0.1 or later). This command contains no autodetect and fails if the specified host is not running a CiscoSecure daemon.
port Specify a server port number.
integer Port number of the server (in the range 1 to 10,000).
timeout Specify a timeout value. This overrides the global timeout value set with the tacacs-server timeout command for this server only.
integer Integer value, in seconds, of the timeout interval.
key Specify an authentication and encryption key. This must match the key used by the TACACS+ daemon. Specifying this key overrides the key set by the global command tacacs-server key for this server only.
string Character string specifying authentication and encryption key.
Default

No TACACS host is specified.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

You can use multiple tacacs-server host commands to specify additional hosts. The Cisco IOS software searches for hosts in the order in which you specify them. Use the single-connection, port, timeout, and key options only when running a AAA/TACACS+ server.

Because some of the parameters of the tacacs-server host command override global settings made by the tacacs-server timeout and tacacs-server key commands, you can use this command to give each server its own key and timeout. A key unique to one server limits the exposure if that server, or a router configuration that names it, is compromised.

Examples

The following example specifies a TACACS host named Sea_Change:

tacacs-server host Sea_Change

The following example specifies that, for AAA confirmation, the router consult the CiscoSecure TACACS+ host named Sea_Cure on port number 51. The timeout value for requests on this connection is 3 seconds; the encryption key is a_secret.

tacacs-server host Sea_Cure single-connection port 51 timeout 3 key a_secret
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

login tacacs
ppp +
slip +
tacacs-server key
tacacs-server timeout

tacacs-server last-resort

To cause the network access server to request the privileged password as verification, or to allow successful login without further input from the user, use the tacacs-server last-resort global configuration command. Use the no tacacs-server last-resort command to restore the system to the default behavior.

tacacs-server last-resort {password | succeed}
no tacacs-server last-resort {password | succeed}
Syntax Description
password Allows the user to access the EXEC command mode by entering the password set by the enable command.
succeed Allows the user to access the EXEC command mode without further question.
Default

If the TACACS server does not respond, the default action is to deny the request.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Use the tacacs-server last-resort command to be sure that login can occur; for example, when a systems administrator needs to log in to troubleshoot TACACS servers that might be down.


Note This command is not used in AAA/TACACS+.
Example

The following example forces successful login:

tacacs-server last-resort succeed
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

enable password +
login (EXEC) +

tacacs-server notify

Use the tacacs-server notify global configuration command to cause a message to be transmitted to the TACACS server, with retransmission being performed by a background process for up to 5 minutes. Use the no form of this command to disable notification.

tacacs-server notify {connection [always] | enable | logout [always] | slip [always]}
no tacacs-server notify
Syntax Description
connection Specifies that a message be transmitted when a user makes a TCP connection.
always (Optional) Sends a message even when a user is not logged in. This option applies only to SLIP or PPP sessions and can be used with the logout or slip keywords.
enable Specifies that a message be transmitted when a user enters the enable command.
logout Specifies that a message be transmitted when a user logs out.
slip Specifies that a message be transmitted when a user starts a SLIP or PPP session.
Default

No message is transmitted to the TACACS server.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0. The always and slip commands first appeared in Cisco IOS Release 11.0.

The terminal user receives an immediate response, allowing access to the feature specified. Enter one of the keywords to specify notification of the TACACS server upon receipt of the corresponding action (when user logs out, for example).


Note This command is not used in AAA/TACACS+. It has been replaced by the aaa accounting suite of commands.
Example

The following example sets up notification of the TACACS server when a user logs out:

tacacs-server notify logout

tacacs-server optional-passwords

To specify that the first TACACS request to a TACACS server be made without password verification, use the tacacs-server optional-passwords global configuration command. Use the no form of this command to restore the default.

tacacs-server optional-passwords
no tacacs-server optional-passwords
Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

When the user enters the login name, the login request is transmitted with the name and a zero-length password. If accepted, the login procedure completes. If the TACACS server refuses this request, the Cisco IOS software prompts for a password and tries again when the user supplies one. The TACACS server must support authentication for users without passwords to make use of this feature. This feature supports all TACACS requests--login, SLIP, enable, and so on.


Note This command is not used by AAA/TACACS+.
Example

The following example configures the first TACACS login request to be sent without a password:

tacacs-server optional-passwords

tacacs-server retransmit

To specify the number of times the Cisco IOS software searches the list of TACACS server hosts before giving up, use the tacacs-server retransmit global configuration command. Use the no form of this command to disable retransmission.

tacacs-server retransmit retries
no tacacs-server retransmit
Syntax Description
retries Integer that specifies the retransmit count.
Default

Two retries

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

The Cisco IOS software will try all servers, allowing each one to time out before increasing the retransmit count.

Example

The following example specifies a retransmit counter value of five times:

tacacs-server retransmit 5

tacacs-server timeout

To set the interval that the router waits for a TACACS server host to reply, use the tacacs-server timeout global configuration command. Use the no form of this command to restore the default.

tacacs-server timeout seconds
no tacacs-server timeout
Syntax Description
seconds Integer that specifies the timeout interval in seconds (between 1 and 300).
Default

5 seconds

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Example

The following example changes the interval timer to 10 seconds:

tacacs-server timeout 10
Related Command

tacacs-server host

Copyright 1989-1997 © Cisco Systems Inc.