Security Configuration 7-11
Configuring Authentication
Timesaver If you are not sure whether you should use TACACS+ or RADIUS, here are some comparisons:
TACACS+ encrypts the entire body of every packet passed across the network (only the TACACS+ header is sent in cleartext), whereas RADIUS encrypts only the user password; the rest of the RADIUS packet, including the username, crosses the network in the clear. TACACS+ can query the security server multiple times, whereas a RADIUS server gives one response only and is therefore not as flexible regarding per-user authentication and authorization attempts. Moreover, RADIUS does not support authentication of ARA.
Note RADIUS does not support ARA. If you want to authenticate Macintosh users with RADIUS,
you must configure AppleTalk to run over PPP, which is referred to as ATCP. For more information
about configuring AppleTalk–PPP, refer to the “IP, IPX, and AppleTalk Dial-Up Environments”
chapter.
You can specify multiple authentication methods for each authentication list. The following example
authentication method list for PPP, named testbed, first queries a TACACS+ server, then a RADIUS server, then the
local security database. Multiple authentication methods are useful if you have multiple types of
security servers on the network and one or more types of security server do not respond:
2511(config)# aaa authentication ppp testbed tacacs+ radius local
If you specify more than one authentication method and the first method (TACACS+ in the previous
example) is not available, the Cisco IOS software attempts to authenticate using the next method
(RADIUS in this example). If no RADIUS server can be reached either, the user is authenticated using the local username database
that was populated with the username command. Note that the software moves to the next method only when the current method returns an error (for example, the server cannot be reached or does not answer); an explicit reject from a server that does answer ends the authentication attempt and the remaining methods are not tried. The local method is therefore a safety net for server outages, not a second chance for a user the server has already refused.
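The following configuration fragment is an added example and is not taken from this guide. It builds the testbed method list from the text into a complete, applied AAA configuration: it enables the AAA model, defines one TACACS+ and one RADIUS server, creates the local fallback account, attaches the list to a dial-in async interface, and adds the matching ARA list (without radius, which is not a valid ARA method). The server addresses, shared keys, the fallback username, and the interface and line numbers are assumptions chosen for illustration; the global tacacs-server and radius-server commands are the older form that matches this guide's release.

```cisco
! Added example, not part of the Cisco guide. Addresses, keys, the
! username and interface/line numbers are placeholders (assumptions).
aaa new-model
!
! Security servers consulted in method-list order: TACACS+, then RADIUS.
! Shared keys are placeholders; use long random keys in production.
tacacs-server host 10.1.1.5
tacacs-server key TACACS-SHARED-KEY-PLACEHOLDER
radius-server host 10.1.1.6
radius-server key RADIUS-SHARED-KEY-PLACEHOLDER
!
! Local account reached only when neither server can be contacted.
! "secret" stores a hash; images that lack it accept "password".
username fallback privilege 1 secret FallbackPassw0rd
!
! Named PPP method list from the text. The next method is tried only
! when the current one errors out (server unreachable or silent);
! an explicit reject from a reachable server ends the attempt.
aaa authentication ppp testbed tacacs+ radius local
!
! ARA list for Macintosh dial-in users; radius is not a valid method here.
aaa authentication arap default tacacs+ local
!
! Apply the PPP list on the dial-in async interface.
interface Async1
 encapsulation ppp
 ppp authentication chap testbed
!
! Apply the ARA list on the async lines.
line 1 16
 arap authentication default
```

To observe the fallback order on a live access server, enable debug aaa authentication while a user dials in: the output shows each method being tried and whether it returned ERROR (move to the next method) or FAIL (stop). Keep the shared keys and the fallback secret out of any configuration you archive or paste into tickets.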
Table 7-4 PPP Authentication Methods (Continued)
Authentication Methods for PPP    Purpose
none        No authentication is required. Do not prompt for a username or password.
radius      Use RADIUS authentication as defined on a RADIUS security server.
tacacs+     Use TACACS+ authentication as defined on a TACACS+ security server.

Table 7-5 ARA Authentication Methods
Authentication Methods for ARA    Purpose
auth-guest  Allows guests to log in only if they have already been authenticated at the EXEC.
guest       Allows guests to log in.
line        Uses the line (login) password for authentication.
local       Uses the local username database in the access server for authentication. This database is defined with the username global configuration command.
tacacs+     Use TACACS+ authentication as defined on a TACACS+ security server.