Cisco IOS Security Command Reference: Commands A to C, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
aaa authentication banner through aaa group server tacacs+
Downloads: This chapterpdf (PDF - 499.0KB) The complete bookPDF (PDF - 1.27MB) | Feedback

aaa authentication banner through aaa group server tacacs+

aaa authentication banner through aaa group server tacacs+

aaa authentication banner

To configure a personalized banner that will be displayed at user login, use the aaa authentication banner command in global configuration mode. To remove the banner, use the no form of this command.

aaa authentication banner dstringd

no aaa authentication banner

Syntax Description

d

Any delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

string

Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.

Command Default

Not enabled

Command Modes


Global configuration

Command History

Release

Modification

11.3(4)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Use the aaa authentication banner command to create a personalized message that appears when a user logs in to the system. This message or banner will replace the default message for user login.

To create a login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.


Note


The AAA authentication banner message is not displayed if TACACS+ is the first method in the method list.


Examples

The following example shows the default login message if aaa authentication banner is not configured. (RADIUS is specified as the default login authentication method.)

aaa new-model
aaa authentication login default group radius

This configuration produces the following standard output:

User Verification Access
Username:
Password:

The following example configures a login banner (in this case, the phrase “Unauthorized use is prohibited.”) that will be displayed when a user logs in to the system. In this case, the asterisk (*) symbol is used as the delimiter. (RADIUS is specified as the default login authentication method.)

aaa new-model
aaa authentication banner *Unauthorized use is prohibited.*
aaa authentication login default group radius

This configuration produces the following login banner:

Unauthorized use is prohibited.
Username:

Related Commands

Command

Description

aaa authentication fail-message

Configures a personalized banner that will be displayed when a user fails login.

aaa authentication dot1x

To specify one or more authentication, authorization, and accounting (AAA) methods for use on interfaces running IEEE 802.1X, use the aaa authentication dot1x command in global configuration mode. To disable authentication, use the no form of this command

aaa authentication dot1x { default | listname } method1 [ method2 . .. ]

no aaa authentication dot1x { default | listname } method1 [ method2 . .. ]

Syntax Description

default

Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.

listname

Character string used to name the list of authentication methods tried when a user logs in.

method1 [method2...]

At least one of these keywords:

  • enable --Uses the enable password for authentication.
  • group radius --Uses the list of all RADIUS servers for authentication.
  • line --Uses the line password for authentication.
  • local --Uses the local username database for authentication.
  • local-case --Uses the case-sensitive local username database for authentication.
  • none --Uses no authentication. The client is automatically authenticated by the switch without using the information supplied by the client.

Command Default

No authentication is performed.

Global configuration

Command History

Release

Modification

12.1(6)EA2

This command was introduced for the Cisco Ethernet switch network module.

12.2(15)ZJ

This command was implemented on the following platforms for the Cisco Ethernet Switch Module: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series.

12.3(2)XA

This command was introduced on the following Cisco router platforms: Cisco 806, Cisco 831, Cisco 836, Cisco 837, Cisco 1701, Cisco 1710, Cisco 1721, Cisco 1751-V, and Cisco 1760.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T. Router support was added for the following platforms: Cisco 1751, Cisco 2610XM - Cisco 2611XM, Cisco 2620XM - Cisco 2621XM, Cisco 2650XM - Cisco 2651XM, Cisco 2691, Cisco 3640, Cisco 3640A, and Cisco 3660.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

The method argument identifies the list of methods that the authentication algorithm tries in the given sequence to validate the password provided by the client. The only method that is truly 802.1X-compliant is the group radius method, in which the client data is validated against a RADIUS authentication server. The remaining methods enable AAA to authenticate the client by using locally configured data. For example, the local and local-case methods use the username and password that are saved in the Cisco IOS configuration file. The enable and line methods use the enable and line passwords for authentication.

If you specify group radius, you must configure the RADIUS server by entering the radius-server host global configuration command. If you are not using a RADIUS server, you can use the local or local-case methods, which access the local username database to perform authentication. By specifying the enable or line methods, you can supply the clients with a password to provide access to the switch.

Use the show running-config privileged EXEC command to display the configured lists of authentication methods.

Examples

The following example shows how to enable AAA and how to create an authentication list for 802.1X. This authentication first tries to contact a RADIUS server. If this action returns an error, the user is allowed access with no authentication:

Router(config)# aaa new model
Router(config)# aaa authentication dot1x default group radius none

Related Commands

Command

Description

debug dot1x

Displays 802.1X debugging information.

identity profile default

Creates an identity profile and enters dot1x profile configuration mode.

show dot1x

Displays details for an identity profile.

show dot1x (EtherSwitch)

Displays 802.1X statistics, administrative status, and operational status for the switch or for the specified interface.

aaa authentication fail-message

To configure a personalized banner that will be displayed when a user fails login, use the aaa authentication fail-message command in global configuration mode. To remove the failed login message, use the no form of this command.

aaa authentication fail-message dstringd

no aaa authentication fail-message

Syntax Description

d

The delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

string

Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.

Command Default

Not enabled

Command Modes


Global configuration

Command History

Release

Modification

11.3(4)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Use the aaa authentication fail-message command to create a personalized message that appears when a user fails login. This message will replace the default message for failed login.

To create a failed-login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

Examples

The following example shows the default login message and failed login message that is displayed if aaa authentication banner and aaa authentication fail-message are not configured. (RADIUS is specified as the default login authentication method.)

aaa new-model
aaa authentication login default group radius

This configuration produces the following standard output:

User Verification Access
Username:
Password:
% Authentication failed.

The following example configures both a login banner (“Unauthorized use is prohibited.”) and a login-fail message (“Failed login. Try again.”). The login message will be displayed when a user logs in to the system. The failed-login message will display when a user tries to log in to the system and fails. (RADIUS is specified as the default login authentication method.) In this example, the asterisk (*) is used as the delimiting character.

aaa new-model
aaa authentication banner *Unauthorized use is prohibited.*
aaa authentication fail-message *Failed login. Try again.*
aaa authentication login default group radius

This configuration produces the following login and failed login banner:

Unauthorized use is prohibited.
Username: 
Password: 
Failed login. Try again.

Related Commands

Command

Description

aaa authentication banner

Configures a personalized banner that will be displayed at user login.

aaa authentication login

To set authentication, authorization, and accounting (AAA) authentication at login, use the aaa authentication login command in global configuration mode. To disable AAA authentication, use the no form of this command.

aaa authentication login { default | list-name } [passwd-expiry] method1 [ method2 . .. ]

no aaa authentication login { default | list-name } [passwd-expiry] method1 [ method2 . .. ]

Syntax Description

default

Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in.

list-name

Character string used to name the list of authentication methods activated when a user logs in. See the “Usage Guidelines” section for more information.

passwd-expiry

Enables password aging on a local authentication list.

Note   

The radius-server vsa send authentication command is required to make the passwd-expiry keyword work.

method1 [method2...]

The list of methods that the authentication algorithm tries in the given sequence. You must enter at least one method; you may enter up to four methods. Method keywords are described in the table below.

Command Default

AAA authentication at login is disabled.

Command Modes


Global configuration (config)

Command History

Release

Modification

10.3

This command was introduced.

12.0(5)T

This command was modified. The group radius, group tacacs+, and local-case keywords were added as methods for authentication.

12.4(6)T

This command was modified. The password-expiry keyword was added.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB. The cache group-name keyword and argument were added as a method for authentication.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

15.0(1)M

This command was integrated into Cisco IOS Release 15.0(1)M.

15.1(1)T

This command was modified. The group ldap keyword was added.

Cisco IOS XE Release 3.1S

This command was integrated into Cisco IOS XE Release 3.1S and implemented on the Cisco ASR 1000 Series Aggregation Services Routers.

15.0(1)S

This command was integrated into Cisco IOS Release 15.0(1)S.

Usage Guidelines

If the default keyword is not set, only the local user database is checked. This has the same effect as the following command:

aaa authentication login default local

Note


On the console, login will succeed without any authentication checks if default keyword is not set.


The default and optional list names that you create with the aaa authentication login command are used with the login authentication command.

Create a list by entering the aaa authentication login list-name methodcommand for a particular protocol. The list-name argument is the character string used to name the list of authentication methods activated when a user logs in. The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence. The aaa authentication login section lists authentication methods that cannot be used for the list-name argument and the table below describes the method keywords.

To create a default list that is used if no list is assigned to a line, use the login authentication command with the default argument followed by the methods you want to use in default situations.

The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.

If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods.

Authentication Methods That Cannot Be Used for the list-name Argument

The authentication methods that cannot be used for the list-name argument are as follows:

  • auth-guest
  • enable
  • guest
  • if-authenticated
  • if-needed
  • krb5
  • krb-instance
  • krb-telnet
  • line
  • local
  • none
  • radius
  • rcmd
  • tacacs
  • tacacsplus

Note


In the table below, the group radius, group tacacs +, group ldap, and groupgroup-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius, aaa group server ldap,and aaa group server tacacs+ commands to create a named group of servers.


The table below describes the method keywords.

Table 1 aaa authentication login Methods Keywords

Keyword

Description

cache group-name

Uses a cache server group for authentication.

enable

Uses the enable password for authentication. This keyword cannot be used.

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

group ldap

Uses the list of all Lightweight Directory Access Protocol (LDAP) servers for authentication.

group radius

Uses the list of all RADIUS servers for authentication.

group tacacs+

Uses the list of all TACACS+ servers for authentication.

krb5

Uses Kerberos 5 for authentication.

krb5-telnet

Uses Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router.

line

Uses the line password for authentication.

local

Uses the local username database for authentication.

local-case

Uses case-sensitive local username authentication.

none

Uses no authentication.

passwd-expiry

Uses the login list to provide password aging support.

Examples

The following example shows how to create an AAA authentication list called MIS-access. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.

aaa authentication login MIS-access group tacacs+ enable none

The following example shows how to create the same list, but it sets it as the default list that is used for all login authentications if no other list is specified:

aaa authentication login default group tacacs+ enable none

The following example shows how to set authentication at login to use the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router:

aaa authentication login default krb5

The following example shows how to configure password aging by using AAA with a crypto client:

aaa authentication login userauthen passwd-expiry group radius

Related Commands

Command

Description

aaa new-model

Enables the AAA access control model.

login authentication

Enables AAA authentication for logins.

aaa authorization

To set the parameters that restrict user access to a network, use the aaa authorization command in global configuration mode. To remove the parameters, use the no form of this command.

aaa authorization { auth-proxy | cache | commands level | config-commands | configuration | console | exec | ipmobile | multicast | network | policy-if | prepaid | radius-proxy | reverse-access | subscriber-service | template } { default | list-name } [ method1 [ method2 . .. ] ]

no aaa authorization { auth-proxy | cache | commands level | config-commands | configuration | console | exec | ipmobile | multicast | network | policy-if | prepaid | radius-proxy | reverse-access | subscriber-service | template } { default | list-name } [ method1 [ method2 . .. ] ]

Syntax Description

auth-proxy

Runs authorization for authentication proxy services.

cache

Configures the authentication, authorization, and accounting (AAA) server.

commands

Runs authorization for all commands at the specified privilege level.

level

Specific command level that should be authorized. Valid entries are 0 through 15.

config-commands

Runs authorization to determine whether commands entered in configuration mode are authorized.

configuration

Downloads the configuration from the AAA server.

console

Enables the console authorization for the AAA server.

exec

Runs authorization to determine if the user is allowed to run an EXEC shell. This facility returns user profile information such as the autocommand information.

ipmobile

Runs authorization for mobile IP services.

multicast

Downloads the multicast configuration from the AAA server.

network

Runs authorization for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Programs (NCPs), and AppleTalk Remote Access (ARA).

policy-if

Runs authorization for the diameter policy interface application.

prepaid

Runs authorization for diameter prepaid services.

radius-proxy

Runs authorization for proxy services.

reverse-access

Runs authorization for reverse access connections, such as reverse Telnet.

subscriber-service

Runs authorization for iEdge subscriber services such as virtual private dialup network (VPDN).

template

Enables template authorization for the AAA server.

default

Uses the listed authorization methods that follow this keyword as the default list of methods for authorization.

list-name

Character string used to name the list of authorization methods.

method1 [method2...]

(Optional) Identifies an authorization method or multiple authorization methods to be used for authorization. A method may be any one of the keywords listed in the table below.

Command Default

Authorization is disabled for all actions (equivalent to the method keyword none).

Command Modes


Global configuration (config)

Command History

Release

Modification

10.0

This command was introduced.

12.0(5)T

This command was modified. The group radius and group tacacs+ keywords were added as methods for authorization.

12.2(28)SB

This command was modified. The cache group-name keyword and argument were added as a method for authorization.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

15.0(1)M

This command was integrated into Cisco IOS Release 15.0(1)M.

15.1(1)T

This command was modified. The group ldap keyword was added.

Usage Guidelines

Use the aaa authorizationcommand to enable authorization and to create named methods lists, which define authorization methods that can be used when a user accesses the specified function. Method lists for authorization define the ways in which authorization will be performed and the sequence in which these methods will be performed. A method list is a named list that describes the authorization methods (such as RADIUS or TACACS+) that must be used in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, thus ensuring a backup system in case the initial method fails. Cisco IOS software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method, or until all the defined methods are exhausted.


Note


The Cisco IOS software attempts authorization with the next listed method only when there is no response from the previous method. If authorization fails at any point in this cycle--meaning that the security server or the local username database responds by denying the user services--the authorization process stops and no other authorization methods are attempted.


If the aaa authorization command for a particular authorization type is issued without a specified named method list, the default method list is automatically applied to all interfaces or lines (where this authorization type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no authorization takes place. The default authorization method list must be used to perform outbound authorization, such as authorizing the download of IP pools from the RADIUS server.

Use the aaa authorization command to create a list by entering the values for the list-nameand the method arguments, where list-name is any character string used to name this list (excluding all method names) and methodidentifies the list of authorization methods tried in the given sequence.


Note


In the table below, the group group-name, group ldap, group radius, and group tacacs + methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius, aaa group server ldap,and aaa group server tacacs+ commands to create a named group of servers.


The table below describes the method keywords.

Table 2 aaa authorization Methods

Keyword

Description

cache group-name

Uses a cache server group for authorization.

group group-name

Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name command.

group ldap

Uses the list of all Lightweight Directory Access Protocol (LDAP) servers for authentication.

group radius

Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.

group tacacs+

Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command.

if-authenticated

Allows the user to access the requested function if the user is authenticated.

Note   

The if-authenticated method is a terminating method. Therefore, if it is listed as a method, any methods listed after it will never be evaluated.

local

Uses the local database for authorization.

none

Indicates that no authorization is performed.

Cisco IOS software supports the following methods for authorization:

  • Cache Server Groups--The router consults its cache server groups to authorize specific rights for users.
  • If-Authenticated --The user is allowed to access the requested function provided the user has been authenticated successfully.
  • Local --The router or access server consults its local database, as defined by the username command, to authorize specific rights for users. Only a limited set of functions can be controlled through the local database.
  • None --The network access server does not request authorization information; authorization is not performed over this line or interface.
  • RADIUS --The network access server requests authorization information from the RADIUS security server group. RADIUS authorization defines specific rights for users by associating attributes, which are stored in a database on the RADIUS server, with the appropriate user.
  • TACACS+ --The network access server exchanges authorization information with the TACACS+ security daemon. TACACS+ authorization defines specific rights for users by associating attribute-value (AV) pairs, which are stored in a database on the TACACS+ security server, with the appropriate user.

Method lists are specific to the type of authorization being requested. AAA supports five different types of authorization:

  • Commands --Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.
  • EXEC --Applies to the attributes associated with a user EXEC terminal session.
  • Network --Applies to network connections. The network connections can include a PPP, SLIP, or ARA connection.

Note


You must configure the aaa authorization config-commands command to authorize global configuration commands, including EXEC commands prepended by the do command.


  • Reverse Access --Applies to reverse Telnet sessions.
  • Configuration --Applies to the configuration downloaded from the AAA server.

When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.

Once defined, the method lists must be applied to specific lines or interfaces before any of the defined methods are performed.

The authorization command causes a request packet containing a series of AV pairs to be sent to the RADIUS or TACACS daemon as part of the authorization process. The daemon can do one of the following:

  • Accept the request as is.
  • Make changes to the request.
  • Refuse the request and authorization.

For a list of supported RADIUS attributes, see the module RADIUS Attributes. For a list of supported TACACS+ AV pairs, see the module TACACS+ Attribute-Value Pairs.


Note


Five commands are associated with privilege level 0: disable, enable, exit, help, and logout. If you configure AAA authorization for a privilege level greater than 0, these five commands will not be included in the privilege level command set.


Examples

The following example shows how to define the network authorization method list named mygroup, which specifies that RADIUS authorization will be used on serial lines using PPP. If the RADIUS server fails to respond, local network authorization will be performed.

aaa authorization network mygroup group radius local 

Related Commands

Command

Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes.

aaa group server radius

Groups different RADIUS server hosts into distinct lists and distinct methods.

aaa group server tacacs+

Groups different TACACS+ server hosts into distinct lists and distinct methods.

aaa new-model

Enables the AAA access control model.

radius-server host

Specifies a RADIUS server host.

tacacs-server host

Specifies a TACACS+ host.

username

Establishes a username-based authentication system.

aaa dnis map accounting network

To map a Dialed Number Information Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group that will be used for AAA accounting, use the aaa dnis map accounting networkcommand in global configuration mode. To remove DNIS mapping from the named server group, use the no form of this command.

aaa dnis map dnis-number accounting network [ start-stop | stop-only | none ] [broadcast] group groupname

no aaa dnis map dnis-number accounting network

Syntax Description

dnis-number

Number of the DNIS.

start-stop

(Optional) Indicates that the defined security server group will send a “start accounting” notice at the beginning of a process and a “stop accounting” notice at the end of a process. The “start accounting” record is sent in the background. (The requested user process begins regardless of whether the “start accounting” notice was received by the accounting server.)

stop-only

(Optional) Indicates that the defined security server group will send a “stop accounting” notice at the end of the requested user process.

none

(Optional) Indicates that the defined security server group will not send accounting notices.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

group groupname

At least one of the keywords described in the table below.

Command Default

This command is disabled by default.

Command Modes


Global configuration

Command History

Release

Modification

12.0(7)T

This command was introduced.

12.1(1)T

  • The optional broadcast keyword was added.
  • The ability to specify multiple server groups was added.
  • To accommodate multiple server groups, the name of the command was changed from aaa dnis map accounting network group to aaa dnis map accounting network.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

This command lets you assign a DNIS number to a particular AAA server group so that the server group can process accounting requests for users dialing in to the network using that particular DNIS. To use this command, you must first enable AAA, define an AAA server group, and enable DNIS mapping.

The table below contains descriptions of accounting method keywords.

Table 3 AAA Accounting Methods

Keyword

Description

group radius

Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.

group tacacs+

Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command.

group group-name

Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name.

In the table above, the group radiusand group tacacs + methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs+-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Examples

The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 will use RADIUS server 172.30.0.0 for accounting requests for users dialing in with DNIS 7777.

aaa new-model
radius-server host 172.30.0.0 acct-port 1646 key cisco1
aaa group server radius group1
 server 172.30.0.0
aaa dnis map enable
aaa dnis map 7777 accounting network group group1

Related Commands

Command

Description

aaa dnis map authentication ppp group

Maps a DNIS number to a particular authentication server group.

aaa dnis map enable

Enables AAA server selection based on DNIS.

aaa group server

Groups different server hosts into distinct lists and distinct methods.

aaa new-model

Enables the AAA access control model.

radius-server host

Specifies a RADIUS server host.

aaa dnis map authentication group

To map a dialed number identification service (DNIS) number to a particular authentication server group (this server group will be used for authentication, authorization, and accounting [AAA] authentication), use the aaa dnis map authentication group command in AAA-server-group configuration mode. To remove the DNIS number from the defined server group, use the no form of this command.

aaa dnis map dnis-number authentication { ppp | login } group server-group-name

no aaa dnis map dnis-number authentication { ppp | login } group server-group-name

Syntax Description

dnis-number

Number of the DNIS.

ppp

Enables PPP authentication methods.

login

Enables character-mode authentication.

server-group-name

Character string used to name a group of security servers associated in a server group.

Command Default

A DNIS number is not mapped to a server group.

Command Modes


AAA-server-group configuration

Command History

Release

Modification

12.0(7)T

This command was introduced.

12.1(3)XL1

This command was modified with the addition of the login keyword to include character-mode authentication.

12.2(2)T

Support for the login keyword was added into Cisco IOS Release 12.2(2)T and this command was implemented for the Cisco 2600 series, Cisco 3600 series, and Cisco 7200 platforms.

12.2(8)T

This command was implemented on the Cisco 806, Cisco 828, Cisco 1710, Cisco SOHO 78, Cisco 3631, Cisco 3725, Cisco 3745, and Cisco URM for IGX8400 platforms.

12.2(11)T

This command was implemented on the Cisco AS5300 and Cisco AS5800 platforms.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Use the aaa dnis map authentication group command to assign a DNIS number to a particular AAA server group so that the server group can process authentication requests for users that are dialing in to the network using that particular DNIS. To use the aaa dnis map authentication group command, you must first enable AAA, define a AAA server group, and enable DNIS mapping.

Examples

The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 uses RADIUS server 172.30.0.0 for authentication requests for users dialing in with DNIS number 7777.

aaa new-model
radius-server host 172.30.0.0 auth-port 1645 key cisco1
aaa group server radius group1
 server 172.30.0.0
 aaa dnis map enable
 aaa dnis map 7777 authentication ppp group group1
 aaa dnis map 7777 authentication login group group1

Related Commands

Command

Description

aaa dnis map accounting network group

Maps a DNIS number to a particular accounting server group.

aaa dnis map enable

Enables AAA server selection based on DNIS.

aaa group server

Groups different server hosts into distinct lists and distinct methods.

aaa new-model

Enables the AAA access control model.

radius-server host

Specifies a RADIUS server host.

aaa group server radius

To group different RADIUS server hosts into distinct lists and distinct methods, enter the aaa group server radiuscommand in global configuration mode. To remove a group server from the configuration list, enter the no form of this command.

aaa group server radius group-name

no aaa group server radius group-name

Syntax Description

group-name

Character string used to name the group of servers. See the table below for a list of words that cannot be used as the group-name argument.

Command Default

No default behavior or values.

Command Modes


Global configuration

Command History

Release

Modification

12.0(5)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

The authentication, authorization, and accounting (AAA) server-group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service.

A group server is a list of server hosts of a particular type. Currently supported server host types are RADIUS server hosts and TACACS+ server hosts. A group server is used in conjunction with a global server host list. The group server lists the IP addresses of the selected server hosts.

The table below lists words that cannot be used as the group-name argument.

Table 4 Words That Cannot Be UsedAs the group-nameArgument

Word

auth-guest

enable

guest

if-authenticated

if-needed

krb5

krb-instance

krb-telnet

line

local

none

radius

rcmd

tacacs

tacacsplus

Examples

The following example shows the configuration of an AAA group server named radgroup1 that comprises three member servers:

aaa group server radius radgroup1 
 server 10.1.1.1 auth-port 1700 acct-port 1701
 server 10.2.2.2 auth-port 1702 acct-port 1703
 server 10.3.3.3 auth-port 1705 acct-port 1706

Note


If auth-port and acct-port are not specified, the default value of auth-port is 1645 and the default value of acct-port is 1646.


Related Commands

Command

Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes.

aaa authentication login

Set AAA authentication at login.

aaa authorization

Sets parameters that restrict user access to a network.

aaa new-model

Enables the AAA access control model.

radius-server host

Specifies a RADIUS server host.

aaa group server tacacs+

To group different TACACS+ server hosts into distinct lists and distinct methods, use the aaa group servertacacs+ command in global configuration mode. To remove a server group from the configuration list, use the no form of this command.

aaa group server tacacs+ group-name

no aaa group server tacacs+ group-name

Syntax Description

group-name

Character string used to name the group of servers. See the table below for a list of words that cannot be used as the group-name argument.

Command Default

No default behavior or values.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.0(5)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.2(54)SG

This command was integrated into Cisco IOS Release 12.2(54)SG.

Cisco IOS XE Release 3.2S

This command was modified. Support for IPv6 was added.

Usage Guidelines

The Authentication, Authorization, and Accounting (AAA) Server-Group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service.

A server group is a list of server hosts of a particular type. Currently supported server host types are RADIUS server hosts and TACACS+ server hosts. A server group is used in conjunction with a global server host list. The server group lists the IP addresses of the selected server hosts.

The table below lists the keywords that cannot be used for the group-name argument value.

Table 5 Words That Cannot Be UsedAs the group-nameArgument

Word

auth-guest

enable

guest

if-authenticated

if-needed

krb5

krb-instance

krb-telnet

line

local

none

radius

rcmd

tacacs

tacacsplus

Examples

The following example shows the configuration of an AAA server group named tacgroup1 that comprises three member servers:

aaa group server tacacs+ tacgroup1
server 10.1.1.1 
server 10.2.2.2 
server 10.3.3.3 

Related Commands

Command

Description

aaa accounting

Enables AAA accounting of requested services for billing or security.

aaa authentication login

Enables AAA accounting of requested services for billing or security purposes.

aaa authorization

Sets parameters that restrict user access to a network.

aaa new-model

Enables the AAA access control model.

tacacs-server host

Specifies a TACACS+ host.