Technical data

Security Configuration 7-9
Configuring Authentication
Defining Authentication Method Lists
After you enable AAA globally on the access server, you need to define authentication method lists,
which you then apply to lines and interfaces. These authentication method lists are security profiles
that indicate the protocol (ARAP or PPP) or login and authentication method (TACACS+, RADIUS,
or local authentication).
To define an authentication method list, perform the following steps, which are described in this
section:
1 Issue the aaa authentication command.
2 Specify protocol (ARAP or PPP) or login authentication.
3 Identify a list name or default. A list name is any alphanumeric string you choose. You assign
different authentication methods to different named lists.
4 Specify the authentication method. You can specify multiple methods, such as tacacs+, followed
by local in case a TACACS+ server is not available on the network.
5 Populate the local username database if you specified local as the authentication method (or one
of the authentication methods). To use a local username database, you must issue the username
global configuration command. Refer to task 5.
After you define these authentication method lists, you apply them to one of the following:
• Lines—VTY lines or the console port for login and asynchronous lines (in most cases) for ARA
• Interfaces—Asynchronous or ISDN interfaces configured for PPP
The section “Applying Authentication Method Lists” describes how to apply these lists.
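The following Python sketch is an added example, not part of the original documentation or any Cisco tool. It lints the method lists in a configuration for the two conditions steps 4 and 5 describe. It assumes each list is written as aaa authentication <protocol> <list-name|default> <method> [<method> ...] and skips shorter forms; the sample configuration, list names, and function names are constructed for illustration.

```python
# Added example (not Cisco code): lint the method lists in an IOS-style config.
PROTOCOLS = {"ppp", "arap", "login"}      # step 2 choices named in the text
SERVER_METHODS = {"tacacs+", "radius"}    # methods that need a reachable server

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
aaa authentication login admins tacacs+ local
aaa authentication ppp dialins tacacs+
aaa authentication login default local
username admin password EXAMPLE-PLACEHOLDER
"""


def parse_method_lists(config):
    """Return (protocol, list_name, methods) for each complete method list.

    Assumed line shape: aaa authentication <protocol> <name|default> <method>...
    Lines with fewer than five words are skipped rather than guessed at.
    """
    lists = []
    for line in config.splitlines():
        words = line.split()
        if len(words) >= 5 and words[:2] == ["aaa", "authentication"]:
            if words[2] in PROTOCOLS:
                lists.append((words[2], words[3], words[4:]))
    return lists


def has_local_users(config):
    """True if at least one 'username' global configuration line is present."""
    return any(line.split()[:1] == ["username"] for line in config.splitlines())


def audit(config):
    """Return findings for lists that would fail when a server is unreachable."""
    findings = []
    users = has_local_users(config)
    for protocol, name, methods in parse_method_lists(config):
        label = f"{protocol}/{name}"
        # Step 5: 'local' only works if the local username database is populated.
        if "local" in methods and not users:
            findings.append(f"{label}: uses local but no username entries exist")
        # Step 4: a server-only list has nothing to try if the server is down.
        if "local" not in methods and SERVER_METHODS & set(methods):
            findings.append(f"{label}: no local fallback if the server is unreachable")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```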
1. Issue the aaa authentication Command
To define an authentication method list, start by issuing the aaa authentication global configuration
command, as shown in the following example:
2511# configure terminal
2511(config)# aaa authentication
2. Specify Protocol or Login Authentication
After you issue aaa authentication, you must specify one of the following dial-in protocols as
applicable for your network:
• If you are enabling dial-in PPP access, specify ppp
• If you are enabling dial-in ARA access, specify arap
• If you are enabling users to connect to the EXEC facility, specify login
You can specify only one dial-in protocol per authentication method list. However, you can create
multiple authentication method lists with each of these options. You must give each list a different
name, as described in the next section, “Identify a List Name.”
If you specify the ppp option, the default authentication method for PPP is PAP. For greater security,
specify CHAP. The full command is aaa authentication ppp chap. If you specify the arap option,
the authentication method built into ARA is used. The full command is aaa authentication arap.
For example, if you specify PPP authentication, the configuration thus far looks like this:
2511# configure terminal
2511(config)# aaa authentication ppp