Technical data

Security Configuration
Configuring Authentication
You can use any of the following optional commands to interact with the RADIUS server host:
radius-server retransmit number
This command specifies the number of times that the router transmits each RADIUS request to
the server before the router gives up.
radius-server timeout seconds
This command specifies the number of seconds that an access server waits for a reply to a
RADIUS request before the access server retransmits the request. The default is five seconds. If
the RADIUS server’s response is slow (because of support for a large number of users or large
network latency), increase the timeout value.
For more information about these commands, refer to the Security Command Reference, which is
part of the Cisco IOS configuration guides and command references documentation.
Configuring Authentication on a TACACS+ Server
On most TACACS+ security servers, there are three ways to authenticate a user for login:
Include a cleartext (DES) password for a user or for a group the user is a member of (each user
can belong to only one group). Note that ARAP, CHAP, and global user authentication must be
specified in cleartext.
The following is the configuration for global authentication:
user = mswartz {
global = cleartext "mswartz global password"
}
To assign different passwords for ARAP, CHAP, and a normal login, you must enter a string for
each user that specifies the security protocols, whether the password is cleartext, and whether
authentication is performed via a DES card. The following example shows a user carol, who has
authentication configured for ARAP, CHAP, and login. Her ARAP and CHAP passwords, “arap
password” and “chap password”, are shown in cleartext. Her login password has been encrypted.
user = carol {
arap = cleartext "arap password"
chap = cleartext "chap password"
login = des XQj4892fjk
}
Use passwd(5) files instead of entering the password into the configuration file directly.
The default is to deny authentication. You can change this at the top level of the
configuration file so that the default uses a passwd(5) file, by issuing the following command:
default authentication = /etc/passwd
Authenticate using an s/key. If you have built and linked in an s/key library and compiled
TACACS+ to use the s/key, you can specify that a user be authenticated via the s/key, as shown
in the following example:
user = fred {
login = skey
}
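The following audit script is an added example, not part of the Cisco documentation. It parses the user-block format shown above and reports every password stored as cleartext, together with the top-level default authentication setting. The function name and the sample configuration are constructed for illustration, and the parser assumes the one-level blocks shown in this section.

```python
import re

# Constructed sample in the user-block format shown above (not a real config).
SAMPLE_CONFIG = '''
default authentication = /etc/passwd
user = mswartz {
global = cleartext "mswartz global password"
}
user = carol {
arap = cleartext "arap password"
chap = cleartext "chap password"
login = des XQj4892fjk
}
user= fred {
login = skey
}
'''

USER_RE = re.compile(r'^\s*user\s*=\s*(\S+)\s*\{\s*$')
AUTH_RE = re.compile(r'^\s*(global|arap|chap|login)\s*=\s*(\S+)')
DEFAULT_RE = re.compile(r'^\s*default\s+authentication\s*=\s*(.+?)\s*$')


def audit_tacacs_config(text):
    """Return (default_auth, findings); findings lists (user, protocol) for cleartext passwords."""
    default_auth = None  # None means the built-in default applies: deny
    findings = []
    current_user = None  # name of the user block being read, if any
    for line in text.splitlines():
        if current_user is None:
            m = USER_RE.match(line)
            if m:
                current_user = m.group(1)
                continue
            m = DEFAULT_RE.match(line)
            if m:
                default_auth = m.group(1)
        elif line.strip() == '}':
            current_user = None
        else:
            m = AUTH_RE.match(line)
            if m and m.group(2) == 'cleartext':
                findings.append((current_user, m.group(1)))
    return default_auth, findings


if __name__ == '__main__':
    print(audit_tacacs_config(SAMPLE_CONFIG))
```

Entries that use des or skey are not reported; only lines whose method keyword is cleartext are flagged for review.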