Specifications
Configuring Authentication
Cisco AS5300 Universal Access Server Software Configuration Guide
In the following example, the ARA authentication method list name is callback (because
asynchronous callback is used on the access server):
5300# configure terminal
5300(config)# aaa authentication arap callback
In the following example, the login authentication method list name is deveng:
5300# configure terminal
5300(config)# aaa authentication login deveng
Specify the Authentication Method
After you identify a list name, you must specify an authentication method. An authentication method
identifies how users are authenticated. For example, will users be authenticated by a local security
database resident on the access server (local method)? Will they be authenticated by a remote
security database, such as by a TACACS+ or RADIUS daemon? Will guest access to an AppleTalk
network be permitted?
Authentication methods are defined with optional keywords in the aaa authentication command.
See Tables 4-5 and 4-6.
Table 4-5 Authentication Methods for PPP

Method      Description
if-needed   Authenticates only if not already authenticated. No duplicate authentication.
krb5        Specifies Kerberos 5 authentication.
local       Uses the local username database in the access server. This is defined with the
            username global configuration command.
none        No authentication is required. Do not prompt for a username or password.
radius      Use RADIUS authentication as defined on a RADIUS security server.
tacacs+     Use TACACS+ authentication as defined on a TACACS+ security server.

Timesaver
If you are not sure whether you should use TACACS+ or RADIUS, here are some comparisons:
TACACS+ encrypts the entire payload of packets passed across the network, whereas RADIUS only encrypts
the password when it crosses the network. TACACS+ can query the security server multiple times, whereas
a RADIUS server gives one response only and is therefore not as flexible regarding per-user authentication
and authorization attempts. Moreover, RADIUS does not support authentication of ARA.

Table 4-6 Authentication Methods for ARA

Method      Description
auth-guest  Allows guests to log in only if they have already been authenticated at the EXEC.
guest       Allows guests to log in.
line        Uses the line (login) password for authentication.
local       Uses the local username database in the access server for authentication. This
            database is defined with the username global configuration command.
tacacs+     Use TACACS+ authentication as defined on a TACACS+ security server.
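
The method keywords from Tables 4-5 and 4-6 placed into complete method lists, as an added example that is not part of the Cisco guide. The list names deveng and callback come from the examples above; dialin is a hypothetical PPP list name. IOS tries the next method in a list only when the current one returns an error (for example, the server does not respond), not when it rejects the user, so the last keyword decides what happens during a server outage.

```cisco
! Added example, not from the Cisco guide.
! deveng and callback are the list names used earlier on this page;
! dialin is a hypothetical PPP list name chosen for illustration.
aaa new-model
!
! Weak (shown commented out): if the TACACS+ server does not answer,
! the list falls through to "none" and the PPP caller is admitted
! without any authentication.
!   aaa authentication ppp dialin tacacs+ none
!
! Weak (shown commented out): "guest" lets ARA guests log in whether or
! not they were authenticated at the EXEC.
!   aaa authentication arap callback guest tacacs+
!
! Corrected: TACACS+ first, local username database as the fallback.
! "if-needed" skips a second PPP prompt for users already authenticated.
! "auth-guest" admits ARA guests only after EXEC authentication.
aaa authentication ppp dialin if-needed tacacs+ local
aaa authentication arap callback auth-guest tacacs+ local
aaa authentication login deveng tacacs+ local
```

The local fallback only works if entries exist in the local database, which the tables note is defined with the username global configuration command.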