Cisco AS5800 Operations, Administration, Maintenance, and Provisioning Guide
DOC-7810814=
Chapter 4 Administration
Access Service Security
Refer to the Applying Authentication Method Lists section on page 4-33 for information about
applying these lists.
Issue the aaa authentication Command
To define an authentication method list, enter the aaa authentication global configuration command, as
shown in the following example:
5800-1# configure terminal
5800-1(config)# aaa authentication
Specify Protocol or Login Authentication
After you enter aaa authentication, you must specify one of the following dial-in protocols as
applicable for your network:
If you are enabling dial-in PPP access, specify ppp.
If you are enabling users to connect to the EXEC facility, specify login.
You can specify only one dial-in protocol per authentication method list; however, you can create
multiple authentication method lists with each of these options. You must give each list a different name,
as described in Identify a List Name, page 4-30.
If you specify the ppp option, the default authentication method for PPP is PAP. For greater security,
specify CHAP. The full command is aaa authentication ppp chap.
For example, if you specify PPP authentication, the configuration looks like this:
5800-1# configure terminal
5800-1(config)# aaa authentication ppp
Identify a List Name
A list name identifies each authentication list. You can either use the keyword default or choose any
other name that describes the authentication list. For example, you might name it ppp-radius if you
intend to apply it to interfaces configured for PPP and RADIUS authentication. The list name can be any
alphanumeric string. Use default as the list name for most lines and interfaces, and use different names
on an exception basis.
You can create different authentication method lists and apply them to lines and interfaces selectively.
You can even create a named authentication method list that you do not apply to a line or interface, but
which you intend to apply at some later point, such as when you deploy a new login method for users.
After you define a list name, you must identify additional security attributes (such as local authentication
versus TACACS+ or RADIUS).
In the following example, the default authentication method list for PPP dial-in clients uses the local
security database:
5800-1# configure terminal
5800-1(config)# aaa authentication ppp default
In the following example, the PPP authentication method list is named insecure:
5800-1# configure terminal
5800-1(config)# aaa authentication ppp insecure
In the following example, the login authentication method list is named deveng:
5800-1# configure terminal
5800-1(config)# aaa authentication login deveng
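
The following Python example is added here and is not from the Cisco guide: it reads a configuration, collects each aaa authentication ppp or login method list, and reports named lists that are defined but never applied, applied but never defined, or defined with no method. The sample configuration is constructed, and the method keywords and the ppp authentication and login authentication commands used to apply lists are assumed standard IOS syntax that this section does not show.

```python
# Added example: audit aaa authentication method lists in an IOS config.
# SAMPLE_CONFIG is constructed; the method keywords and the interface/line
# "ppp authentication" / "login authentication" commands are assumed
# standard IOS syntax and do not appear in this section of the guide.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication ppp default local
aaa authentication ppp ppp-radius radius local
aaa authentication login deveng tacacs+ local
aaa authentication login future-otp radius
interface Group-Async1
 ppp authentication chap ppp-radius
line vty 0 4
 login authentication deveng
"""

# Words that can follow "ppp authentication" without being a list name.
PPP_KEYWORDS = {"chap", "pap", "ms-chap", "if-needed", "callin", "one-time"}


def audit_method_lists(config_text):
    """Report named lists that are unapplied, undefined, or have no methods."""
    defined, applied = {}, set()
    for line in config_text.splitlines():
        words = line.split()
        if (words[:2] == ["aaa", "authentication"] and len(words) >= 4
                and words[2] in ("ppp", "login")):
            # One protocol per list, so key on (protocol, list name).
            defined[(words[2], words[3])] = words[4:]
        elif words[:2] == ["ppp", "authentication"]:
            names = [w for w in words[2:] if w not in PPP_KEYWORDS]
            applied.add(("ppp", names[0] if names else "default"))
        elif words[:2] == ["login", "authentication"] and len(words) >= 3:
            applied.add(("login", words[2]))

    def named(keys):
        # The default list needs no explicit reference, so skip it.
        return sorted(k for k in keys if k[1] != "default")

    return {
        "unapplied": named(k for k in defined if k not in applied),
        "undefined": named(k for k in applied if k not in defined),
        "no_methods": sorted(k for k, m in defined.items() if not m),
    }


if __name__ == "__main__":
    for finding, lists in audit_method_lists(SAMPLE_CONFIG).items():
        print(finding, lists)
```

A list reported under no_methods corresponds to a command that stops at the list name, as the partial commands in this section do before the security attributes are added.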