Technical data

Security Configuration 7-13
Configuring Authentication
Authentication List Examples for Dial-In Users Using ARA to Access Network Resources
The following example creates a local authentication list for Macintosh users dialing in to an
AppleTalk network through the access server.
2511(config)# aaa authentication arap default local
The following example specifies that Macintosh users dialing into an AppleTalk network through
the access server be authenticated by a TACACS+ daemon:
2511(config)# aaa authentication arap default tacacs+
The following example creates an authentication method list that does the following:
• Enables guest access if the guest has been authenticated at the EXEC facility.
• Queries a TACACS+ daemon for authentication.
• Polls the line (login) authentication password if the TACACS+ server has no information about the user or if no TACACS+ server on the network responds.
• Uses the local security database if there is no line password.
2511(config)# aaa authentication arap default auth-guest tacacs+ line local
Authentication Method List Examples for Users Dialing In Using PPP
The following example creates a TACACS+ authentication list for users connecting to interfaces
(such as ISDN BRI or asynchronous interfaces) configured for dial-in using PPP. The name of the
list is marketing. This example specifies that a remote TACACS+ daemon be used as the security
database. If this security database is not available, the Cisco IOS software then polls the RADIUS
daemon. Because of the if-needed keyword, users are not authenticated again if they have already been authenticated on a TTY line.
2511(config)# aaa authentication ppp marketing if-needed tacacs+ radius
In this example, default can be substituted for marketing if the administrator wants this list to be
the default list.
Applying Authentication Method Lists
As described in the “Defining Authentication Method Lists” section, the aaa authentication global
configuration command creates authentication method lists or profiles. You apply these
authentication method lists to lines or interfaces by issuing the login authentication,
arap authentication, or ppp authentication command, as described in Table 7-6.
Table 7-6 Line and Interface Authentication Method Lists

| Interface and Line Command | Action | Port to which List is Applied | Corresponding Global Configuration Command |
|---|---|---|---|
| login authentication | Logs directly in to the access server. | Console Port or VTY lines. | aaa authentication login |
| arap authentication | Uses ARA to access AppleTalk network resources | TTY line | aaa authentication arap |
| ppp authentication (1) | Uses PPP to access IP or IPX network resources | Interface (asynchronous, ISDN, or other WAN) | aaa authentication ppp |

1. If you issued the ppp authentication command, you must specify either CHAP or PAP authentication. PAP is enabled by default, but Cisco recommends that you use CHAP because CHAP is more secure. For more information, refer to the Security Configuration Guide.
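The following Python check is an added example, not part of the original guide. It reads a configuration, pairs each login authentication, arap authentication, or ppp authentication line with its aaa authentication definition as in Table 7-6, and reports lists that are applied but never defined, as well as PPP interfaces that use PAP without CHAP. The sample configuration, the list names sales and admins, and the function name audit are constructed for illustration, and the parsing covers only the command forms shown in this section.

```python
import re

# Constructed sample configuration for this example (not from the guide).
SAMPLE_CONFIG = """\
aaa authentication login default tacacs+ line
aaa authentication arap default auth-guest tacacs+ line local
aaa authentication ppp marketing if-needed tacacs+ radius
interface Async1
 ppp authentication chap marketing
interface BRI0
 ppp authentication pap sales
line 1 8
 arap authentication default
line vty 0 4
 login authentication admins
"""

DEFINE = re.compile(r"^aaa authentication (login|arap|ppp) (\S+) ")
APPLY = re.compile(r"^\s+(login|arap|ppp) authentication (.+)$")
OPTIONS = {"chap", "pap", "if-needed", "one-time"}  # keywords, not list names


def audit(config):
    """Return sorted (context, finding) tuples for a configuration text."""
    lines = config.splitlines()
    # Global definitions as (service, list name) pairs.
    defined = {m.groups() for m in map(DEFINE.match, lines) if m}
    findings, context = [], None
    for line in lines:
        if line and not line[0].isspace() and line != "!":
            context = line.strip()  # start of an interface or line block
            continue
        m = APPLY.match(line)
        if not m:
            continue
        service, words = m.group(1), m.group(2).split()
        names = [w for w in words if w not in OPTIONS]
        name = names[0] if names else "default"  # no name means the default list
        if (service, name) not in defined:
            findings.append((context, f"{service} list '{name}' is not defined"))
        if service == "ppp" and "pap" in words and "chap" not in words:
            findings.append((context, "PPP uses PAP only; CHAP is recommended"))
    return sorted(findings)


if __name__ == "__main__":
    for ctx, msg in audit(SAMPLE_CONFIG):
        print(f"{ctx}: {msg}")
```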