Technical data

Dial Solutions Quick Configuration Guide
Configuring Authentication
On the access server, you configure authentication on all lines including the VTY and Console
lines by entering the following commands, beginning in privileged EXEC mode:
2511# configure terminal
2511(config)# aaa new-model
2511(config)# aaa authentication login default tacacs+ enable
Caution: When you issue the aaa authentication login default tacacs+ enable command, you are
specifying that if your TACACS+ server fails to respond (because it is set up incorrectly), you can
log in to the access server by using your enable password. If you do not have an enable password set
on the router, you will not be able to log in to it until you have a functioning TACACS+ daemon
configured with usernames and passwords. The enable password in this case is a last-resort
authentication method. You can also specify none as the last-resort method, which means that no
authentication is required if all other methods fail.
Enabling AAA Globally on the Access Server
To use the AAA security facility in the Cisco IOS software, you must issue the aaa new-model
command from global configuration mode.
When you issue the aaa new-model command, all lines on the access server receive the implicit
login authentication default method list, and all interfaces with PPP enabled have an implicit
ppp authentication pap default method list applied.
Caution: If you intend to authenticate users via a security server, make sure you do not inadvertently
lock yourself out of the access server ports after you issue the aaa new-model command. Enter line
configuration mode and issue the aaa authentication login default tacacs+ enable global
configuration command. This command specifies that if your TACACS+ (or RADIUS) server is not
functioning properly, you can enter your enable password to log in to the access server. In general,
make sure you have a last-resort access method until you are certain that your security server is set
up and functioning properly. For more information about the aaa authentication command, refer to
the “Defining Authentication Method Lists” section.
Note: Cisco recommends that you use CHAP authentication with PPP, rather than PAP. CHAP
passwords are encrypted when they cross the network, whereas PAP passwords are cleartext when
they cross the network. The Cisco IOS software selects PAP as the default, so you must manually
select CHAP. The process for specifying CHAP is described in the “Applying Authentication
Method Lists” section.
For example, enter the following commands to enable AAA in the Cisco IOS software:
2511# configure terminal
2511(config)# aaa new-model
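The two Cautions and the Note above can be checked against a saved configuration before it is deployed. The following is an added example, not part of Cisco's guide: the function name audit_aaa, the finding labels and the sample configuration are constructed for illustration. It also accepts the "group tacacs+" form of the method keyword used by later IOS releases, which this guide does not show.

```python
import re

SERVER_METHODS = {"tacacs+", "radius"}

# Constructed running-config fragment for illustration (not from the guide).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login console tacacs+ none
aaa authentication login vty group tacacs+
!
interface Async1
 encapsulation ppp
 ppp authentication pap
!
interface Async2
 encapsulation ppp
 ppp authentication chap
"""

def audit_aaa(config):
    """Return (finding, subject) pairs for the lockout, no-auth and PAP risks."""
    lines = [ln.strip() for ln in config.splitlines()]
    # The "enable" method only works if an enable password or secret exists.
    has_enable = any(re.match(r"enable (secret|password)\s+\S", ln) for ln in lines)
    findings, iface = [], None
    for ln in lines:
        m = re.match(r"aaa authentication login (\S+)\s+(.+)", ln)
        if m:
            name = m.group(1)
            # Later IOS releases write "group tacacs+"; drop the keyword.
            methods = [t for t in m.group(2).split() if t != "group"]
            if methods[-1:] == ["none"]:
                findings.append(("NO_AUTH_FALLBACK", name))    # login with no check
            elif all(t in SERVER_METHODS for t in methods):
                findings.append(("NO_LAST_RESORT", name))      # server down = lockout
            if "enable" in methods and not has_enable:
                findings.append(("ENABLE_FALLBACK_UNSET", name))
        elif ln.startswith("interface "):
            iface = ln.split(None, 1)[1]
        elif ln.startswith("ppp authentication ") and "pap" in ln.split()[2:]:
            findings.append(("PAP_CLEARTEXT", iface))          # cleartext password
    return findings

if __name__ == "__main__":
    for finding, subject in audit_aaa(SAMPLE_CONFIG):
        print(f"{finding}: {subject}")
```

Adding an enable secret line to the sample clears the ENABLE_FALLBACK_UNSET finding for the default list; the other three findings need the method list or the PPP authentication setting changed.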