Configuring Authentication

A server group is a way to group existing Lightweight Directory Access Protocol (LDAP), RADIUS, or TACACS+ server hosts for use in method lists. The figure below shows a typical AAA network configuration that includes four security servers: R1 and R2 are RADIUS servers and T1 and T2 are TACACS+ servers. R1 and R2 make up the group of RADIUS servers. T1 and T2 make up the group of TACACS+ servers.

Figure 1

Typical AAA Network Configuration

Using server groups, you can specify a subset of the configured server hosts and use them for a particular service. For example, server groups allow you to define R1 and R2 as one server group and T1 and T2 as a separate server group. For example, you can specify R1 and T1 in the method list for authentication login, while specifying R2 and T2 in the method list for PPP authentication.

Server groups can also include multiple host entries for the same server, as long as each entry has a unique identifier. The combination of an IP address and a UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. In other words, this unique identifier enables RADIUS requests to be sent to different UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service--for example, authentication--the second host entry acts as failover backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry configured on the same device for accounting services. (The RADIUS host entries will be tried in the order in which they are configured.)

See the "Configuring LDAP," "Configuring RADIUS," or "Configuring TACACS+" feature modules for more information about configuring server groups and configuring server groups based on Dialed Number Identification Service (DNIS) numbers.

To configure AAA authentication, perform the following tasks:

1. Enable AAA by using the aaa new-model command in global configuration mode.
2. Configure security protocol parameters, such as RADIUS, TACACS+, or Kerberos if you are using a security server. See "Configuring RADIUS," "Configuring TACACS+," and "Configuring Kerberos," respectively for more information.
3. Define the method lists for authentication by using an AAA authentication command.
4. Apply the method lists to a particular interface or line, if required.

Change of Authorization (CoA) requests, as described in RFC 5176, are used in a pushed model to allow for session identification, host reauthentication, and session termination. The model comprises one request (CoA-Request) and two possible response codes:

• CoA acknowledgement (ACK) [CoA-ACK]
• CoA nonacknowledgement (NAK) [CoA-NAK]

The request is initiated from a CoA client (typically a RADIUS or policy server) and directed to the device that acts as a listener.

• RFC 5176 Compliance

The CoA Request response code can be used to issue a command to the device. The supported commands are listed in the "CoA Request Commands" section.

• Session Identification
• CoA ACK Response Code
• CoA NAK Response Code

The commands supported on the device are shown in the table below. All CoA commands must include the session identifier between the device and the CoA client.

• Session Reauthentication
• Session Termination
• CoA Request Disable Host Port
• CoA Request Bounce-Port
• Domain Stripping

The following task is used to prevent an access-request with an expired username from being sent to the RADIUS server. The Easy VPN client is notified by the RADIUS server that its password has expired. The password-expiry feature also provides a generic way for the user to change the password.

Note	The radius-server vsa send authentication command must be configured to make the password-expiry feature work.

1.    enable

2.    configure terminal

3.    aaa new-model

4.    aaa authentication login {default | list-name} passwd-expiry method1 [method2...]

5.    radius-server vsa send authentication

6.    end

Use the aaa authentication login command with the enable keyword to specify the enable password as the login authentication method. For example, to specify the enable password as the method of user authentication at login when no other method list has been defined, use the following command:

aaa authentication login default enable

Before you can use the enable password as the login authentication method, you need to define the enable password. For more information about defining enable passwords, refer to the chapter "Configuring Passwords and Privileges."

Authentication using Kerberos is different from most other authentication methods: the user's password is never sent to the remote access server. Remote users logging in to the network are prompted for a username. If the key distribution center (KDC) has an entry for that user, it creates an encrypted ticket granting ticket (TGT) with the password for that user and sends it back to the device. The user is then prompted for a password, and the device attempts to decrypt the TGT with that password. If it succeeds, the user is authenticated and the TGT is stored in the user's credential cache on the device.

Although krb5 uses the KINIT program, a user need not run the KINIT program to get a TGT to authenticate to the device. This is because KINIT has been integrated into the login procedure in the Cisco implementation of Kerberos.

Use the aaa authentication login command with the krb5 keyword to specify Kerberos as the login authentication method. For example, to specify Kerberos as the method of user authentication at login when no other method list has been defined, use the following command:

aaa authentication login default krb5

Before you can use Kerberos as the login authentication method, you must enable communication with the Kerberos security server. See the chapter "Configuring Kerberos" for more information about establishing communication with a Kerberos server.

Use the aaa authentication login command with the line keyword to specify the line password as the login authentication method. For example, to specify the line password as the method of user authentication at login when no other method list has been defined, use the following command:

aaa authentication login default line

Before you can use a line password as the login authentication method, you must define a line password. For more information about defining line passwords, see the section "Configuring Line Password Protection."

Use the aaa authentication login command with the local keyword to specify that the Cisco device or access server will use the local username database for authentication. For example, to specify the local username database as the method of user authentication at login when no other method list has been defined, use the following command:

aaa authentication login default local

For information about adding users into the local username database, see the chapter "Establishing Username Authentication."

Use the aaa authentication login command with the group ldap method to specify ldap as the login authentication method. For example, to specify ldap as the method of user authentication at login when no other method list has been defined, use the following command:

aaa authentication login default group ldap

Use the aaa authentication login command with the group radius method to specify RADIUS as the login authentication method. For example, to specify RADIUS as the method of user authentication at login when no other method list has been defined, use the following command:

aaa authentication login default group radius

Before you can use RADIUS as the login authentication method, you must enable communication with the RADIUS security server. See the chapter "Configuring RADIUS" for more information about establishing communication with a RADIUS server.

After you have used the aaa authentication login command to specify RADIUS and your login host has been configured to request its IP address from the NAS, you can send attribute 8 (Framed-IP-Address) in access-request packets by using the radius-server attribute 8 include-in-access-req command in global configuration mode. This command makes it possible for NAS to provide the RADIUS server a hint of the user IP address in advance for user authentication. For more information about attribute 8, refer to the appendix "RADIUS Attributes" at the end of the book.

Use the aaa authentication login command with the group tacacs+ method to specify TACACS+ as the login authentication method. For example, to specify TACACS+ as the method of user authentication at login when no other method list has been defined, use the following command:

aaa authentication login default group tacacs+

Before you can use TACACS+ as the login authentication method, you must enable communication with the TACACS+ security server. See the chapter "Configuring TACACS+" for more information about establishing communication with a TACACS+ server.

Use the aaa authentication login command with the group group-name method to specify a subset of LDAP, RADIUS, or TACACS+ servers to be used as the login authentication method. To specify and define the group name and the members of the group, use the aaa group server command. For example, use the aaa group server command to first define the members of group loginrad:

aaa group server radius loginrad
 server 192.0.2.3
 server 192.0.2 17
 server 192.0.2.32

This command specifies RADIUS servers 192.0.2.3, 192.0.2.17, and 192.0.2.32 as members of the group loginrad.

To specify group loginrad as the method of user authentication at login when no other method list has been defined, use the following command:

aaa authentication login default group loginrad

Before you can use a group name as the login authentication method, you must enable communication with the RADIUS or TACACS+ security server. See the chapter "Configuring RADIUS" for more information about establishing communication with a RADIUS server. See the chapter "Configuring TACACS+" for more information about establishing communication with a TACACS+ server.

Use the aaa authentication ppp command with the krb5 method keyword to specify Kerberos as the authentication method for use on interfaces running PPP. For example, to specify Kerberos as the method of user authentication when no other method list has been defined, use the following command:

aaa authentication ppp default krb5

Before you can use Kerberos as the PPP authentication method, you must enable communication with the Kerberos security server. See the chapter "Configuring Kerberos" for more information about establishing communication with a Kerberos server.

Note	Kerberos login authentication works only with PPP PAP authentication.

Use the aaa authentication ppp command with the method keyword local to specify that the Cisco device or access server will use the local username database for authentication. For example, to specify the local username database as the method of authentication for use on lines running PPP when no other method list has been defined, use the following command:

aaa authentication ppp default local

For information about adding users into the local username database, see the section "Establishing Username Authentication."

Use the aaa authentication ppp command with the group radius method to specify RADIUS as the login authentication method. For example, to specify RADIUS as the method of user authentication at login when no other method list has been defined, use the following command:

aaa authentication ppp default group radius

Before you can use RADIUS as the PPP authentication method, you must enable communication with the RADIUS security server. See the chapter "Configuring RADIUS" for more information about establishing communication with a RADIUS server.

After you have used the aaa authentication ppp command with the group radius method to specify RADIUS as the login authentication method, you can configure your device to send attribute 44 (Acct-Session-ID) in access-request packets by using the radius-server attribute 44 include-in-access-req command in global configuration mode. This command allows the RADIUS daemon to track a call from the beginning to the end.

Use the aaa authentication ppp command with the group tacacs+ method to specify TACACS+ as the login authentication method. For example, to specify TACACS+ as the method of user authentication at login when no other method list has been defined, use the following command:

aaa authentication ppp default group tacacs+

Before you can use TACACS+ as the PPP authentication method, you must enable communication with the TACACS+ security server. See the chapter "Configuring TACACS+" for more information about establishing communication with a TACACS+ server.

Use the aaa authentication ppp command with the group group-name method to specify a subset of RADIUS or TACACS+ servers to be used as the login authentication method. To specify and define the group name and the members of the group, use the aaa group server command. For example, use the aaa group server command to first define the members of group ppprad:

aaa group server radius ppprad
 server 192.0.2.3
 server 192.0.2 17
 server 192.0.2.32

This command specifies RADIUS servers 192.0.2.3, 192.0.2.17, and 192.0.2.32 as members of the group ppprad.

To specify group ppprad as the method of user authentication at login when no other method list has been defined, use the following command:

aaa authentication ppp default group ppprad

Before you can use a group name as the PPP authentication method, you must enable communication with the RADIUS or TACACS+ security server. See the chapter "Configuring RADIUS" for more information about establishing communication with a RADIUS server, and the chapter "Configuring TACACS+" for more information about establishing communication with a TACACS+ server.

Use the aaa authentication arap command with the auth-guest keyword to allow guest logins only if the user has already successfully logged in to the EXEC mode. This method must be the first listed in the ARAP authentication method list, but it can be followed by other methods. For example, to allow all authorized guest logins--logins by users who have already successfully logged in to the EXEC mode--as the default method of authentication, using RADIUS only if that method fails, use the following command:

aaa authentication arap default auth-guest group radius

Note	By default, guest logins through ARAP are disabled when you initialize AAA. To allow guest logins, you must use the aaa authentication arap command with either the guest or the auth-guest keyword.

Use the aaa authentication arap command with the guest keyword to allow guest logins. This method must be the first listed in the ARAP authentication method list, but it can be followed by other methods if it does not succeed. For example, to allow all guest logins as the default method of authentication, using RADIUS only if that method fails, use the following command:

aaa authentication arap default guest group radius

Use the aaa authentication arap command with the keyword line to specify the line password as the authentication method. For example, to specify the line password as the method of ARAP user authentication when no other method list has been defined, use the following command:

aaa authentication arap default line

Before you can use a line password as the ARAP authentication method, you must define a line password. For more information about defining line passwords, refer to the section "Configuring Line Password Protection."

Use the aaa authentication arap command with the keyword local to specify that the Cisco device or access server will use the local username database for authentication. For example, to specify the local username database as the method of ARAP user authentication when no other method list has been defined, use the following command:

aaa authentication arap default local

For information about adding users to the local username database, refer to the section "Establishing Username Authentication."

Use the aaa authentication arap command with the group radius method to specify RADIUS as the ARAP authentication method. For example, to specify RADIUS as the method of user authentication at login when no other method list has been defined, use the following command:

aaa authentication arap default group radius

Before you can use RADIUS as the ARAP authentication method, you must enable communication with the RADIUS security server.

Use the aaa authentication arap command with the group tacacs+ method to specify TACACS+ as the ARAP authentication method. For example, to specify TACACS+ as the method of user authentication at login when no other method list has been defined, use the following command:

aaa authentication arap default group tacacs+

Before you can use TACACS+ as the ARAP authentication method, you must enable communication with the TACACS+ security server. See the chapter "Configuring TACACS+" for more information about establishing communication with a TACACS+ server.

Use the aaa authentication arap command with the group group-name method to specify a subset of RADIUS or TACACS+ servers to use as the ARAP authentication method. To specify and define the group name and the members of the group, use the aaa group server command. For example, use the aaa group server command to first define the members of group araprad:

aaa group server radius araprad
 server 192.0.2.3
 server 192.0.2.17
 server 192.0.2.32

This command specifies RADIUS servers 192.0.2.3, 192.0.2.17, and 192.0.2.32 as members of the group araprad.

To specify group araprad as the method of user authentication at login when no other method list has been defined, use the following command:

aaa authentication arap default group araprad

Before you can use a group name as the ARAP authentication method, you must enable communication with the RADIUS or TACACS+ security server. See the chapter "Configuring RADIUS" for more information about establishing communication with a RADIUS server, and the chapter "Configuring TACACS+" for more information about establishing communication with a TACACS+ server.

Use the aaa authentication nasi command with the keyword enable to specify the enable password as the authentication method. For example, to specify the enable password as the method of NASI user authentication when no other method list has been defined, use the following command:

aaa authentication nasi default enable

Before you can use the enable password as the authentication method, you need to define the enable password. For more information about defining enable passwords, refer to the chapter "Configuring Passwords and Privileges."

Use the aaa authentication nasi command with the keyword line to specify the line password as the authentication method. For example, to specify the line password as the method of NASI user authentication when no other method list has been defined, use the following command:

aaa authentication nasi default line

Before you can use a line password as the NASI authentication method, you must define a line password. For more information about defining line passwords, refer to the section "Configuring Line Password Protection."

Use the aaa authentication nasi command with the keyword local to specify that the Cisco device or access server will use the local username database for authentication information. For example, to specify the local username database as the method of NASI user authentication when no other method list has been defined, use the following command:

aaa authentication nasi default local

For information about adding users to the local username database, refer to the chapter "Establishing Username Authentication."

Use the aaa authentication nasi command with the group radius method to specify RADIUS as the NASI authentication method. For example, to specify RADIUS as the method of NASI user authentication when no other method list has been defined, use the following command:

aaa authentication nasi default group radius

Before you can use RADIUS as the NASI authentication method, you must enable communication with the RADIUS security server. See the chapter "Configuring RADIUS" for more information about establishing communication with a RADIUS server.

Use the aaa authentication nasi command with the group tacacs+ keyword to specify TACACS+ as the NASI authentication method. For example, to specify TACACS+ as the method of NASI user authentication when no other method list has been defined, use the following command:

aaa authentication nasi default group tacacs+

Before you can use TACACS+ as the authentication method, you must enable communication with the TACACS+ security server. See the chapter "Configuring TACACS+" for more information about establishing communication with a TACACS+ server.

Use the aaa authentication nasi command with the group group-name method to specify a subset of RADIUS or TACACS+ servers to be used as the NASI authentication method. To specify and define the group name and the members of the group, use the aaa group server command. For example, use the aaa group server command to first define the members of group nasirad:

aaa group server radius nasirad
 server 192.0.2.3
 server 192.0.2 17
 server 192.0.2.32

This command specifies RADIUS servers 192.0.2.3, 192.0.2.17, and 192.0.2.32 as members of the group nasirad.

To specify group nasirad as the method of user authentication at login when no other method list has been defined, use the following command:

aaa authentication nasi default group nasirad

Before you can use a group name as the NASI authentication method, you must enable communication with the RADIUS or TACACS+ security server. See the chapter "Configuring RADIUS" for more information about establishing communication with a RADIUS server and the chapter "Configuring TACACS+" for more information about establishing communication with a TACACS+ server.

1.    Device(config)# aaa new-model

2.    Device(config)# aaa authentication banner delimiter string delimiter

3.   Device(config)# end

The maximum number of characters that can be displayed in the login banner is 2996.

1.    Device(config)# aaa new-model

2.    Device(config)# aaa authentication fail-message delimiter string delimiter

3.   Device(config)# end

The maximum number of characters that can be displayed in the failed-login banner is 2996 characters.

With double authentication, there are two authentication/authorization stages. These two stages occur after a remote user dials in and a PPP session is initiated.

In the first stage, the user logs in using the remote host name; CHAP (or PAP) authenticates the remote host, and then PPP negotiates with AAA to authorize the remote host. In this process, the network access privileges associated with the remote host are assigned to the user.

Note	Cisco suggests that the network administrator restrict authorization at this first stage to allow only Telnet connections to the local host.

In the second stage, the remote user must Telnet to the network access server to be authenticated. When the remote user logs in, the user must be authenticated with AAA login authentication. The user must then enter the access-profile command to be reauthorized using AAA. When this authorization is complete, the user has been double authenticated, and can access the network according to per-user network privileges.

The system administrator determines the network privileges that the remote users will have after each stage of authentication by configuring appropriate parameters on a security server. To use double authentication, the user must activate it by using the access-profile command.

Caution

Double authentication can cause certain undesirable events if multiple hosts share a PPP connection to a network access server, as shown in the figure below. First, if a user, Bob, initiates a PPP session and activates double authentication at the network access server (per the figure below), any other user will automatically have the same network privileges as Bob until Bob's PPP session expires. This happens because Bob's authorization profile is applied to the network access server's interface during the PPP session and any PPP traffic from other users will use the PPP session Bob established. Second, if Bob initiates a PPP session and activates double authentication, and then--before Bob's PPP session has expired--another user, Jane, executes the access-profile command (or, if Jane telnets to the network access server and theautocommand access-profile command is executed), a reauthorization will occur and Jane's authorization profile will be applied to the interface, replacing Bob's profile. This can disrupt or halt Bob's PPP traffic or grant Bob additional authorization privileges, which Bob should not have.

Figure 2

Possibly Risky Topology: Multiple Hosts Share a PPP Connection to a Network Access Server

To configure double authentication, you must complete the following steps:

1. Enable AAA by using the aaa-new model global configuration command. For more information about enabling AAA, refer to the chapter "AAA Overview."
2. Use the aaa authentication command to configure your network access server to use login and PPP authentication method lists, and then apply those method lists to the appropriate lines or interfaces.
3. Use the aaa authorization command to configure AAA network authorization at login. For more information about configuring network authorization, refer to the "Configuring Authorization" chapter.
4. Configure security protocol parameters (for example, RADIUS or TACACS+). See the chapter "Configuring RADIUS" for more information about RADIUS and the chapter "Configuring TACACS+" for more information about TACACS+.
5. Use access control list AV pairs on the security server that the user can connect to the local host only by establishing a Telnet connection.
6. (Optional) Configure the access-profile command as an autocommand. If you configure the autocommand, remote users will not have to manually enter the access-profile command to access the authorized rights associated with their personal user profile. To learn about configuring autocommands, refer to the autocommand command in the Dial Technologies Command Reference: Network Services.

Note	If the access-profile command is configured as an autocommand, users will still have to telnet to the local host and log in to complete double authentication.

Follow these rules when creating user-specific authorization statements (These rules relate to the default behavior of the access-profile command):

• Use valid AV pairs when configuring access control list AV pairs on the security server. For a list of valid AV pairs, refer to the chapter "Authentication Commands" in the CiscoISecurity Command Reference.
• If you want remote users to use the interface's existing authorization (which existed prior to the second stage authentication/authorization), but you want them to have different access control lists (ACLs), you should specify only ACL AV pairs in the user-specific authorization definition. This might be desirable if you set up a default authorization profile to apply to the remote host, but want to apply specific ACLs to specific users.
• When these user-specific authorization statements are later applied to the interface, they can either be added to the existing interface configuration or replace the existing interface configuration, depending on which form of the access-profile command is used to authorize the user. You should understand how the access-profile command works before configuring the authorization statements.
• If you are using ISDN or Multilink PPP, you must also configure virtual templates at the local host.

To troubleshoot double authentication, use the debug aaa per-user debug command. For more information about this command, refer to the CiscoDebug Command Reference.

In double authentication, when a remote user establishes a PPP link to the local host using the local host name, the remote host is CHAP (or PAP) authenticated. After CHAP (or PAP) authentication, PPP negotiates with AAA to assign network access privileges associated with the remote host to the user. (Cisco suggests that privileges at this stage be restricted to allow the user to connect to the local host only by establishing a Telnet connection.)

When the user needs to initiate the second phase of double authentication, establishing a Telnet connection to the local host, the user enters a personal username and password (different from the CHAP or PAP username and password). This action causes AAA reauthentication to occur according to the personal username/password. The initial rights associated with the local host, though, are still in place. By using the access-profile command, the rights associated with the local host are replaced by or merged with those defined for the user in the user's profile.

To access the user profile after double authentication, use the following command in EXEC configuration mode:

 Device> access-profile [merge | replace] [ignore-sanity-checks]

If you configured the access-profile command to be executed as an autocommand, it will be executed automatically after the remote user logs in.

1.    Device(config)# ip trigger-authentication

2.   Enter one of the following:

3.    Device(config-if)# ip trigger-authentication

4.   Device(config-if)# end

1.   Device# show ip trigger-authentication

2.    Device# clear ip trigger-authentication

3.   Device# debug ip trigger-authentication

To enable PPP encapsulation, use the following command in interface configuration mode:

Device(config-if)# encapsulation ppp

To enable CHAP or PAP authentication on an interface configured for PPP encapsulation, use the following command in interface configuration mode:

  Device(config-if)# ppp authentication {protocol1 [protocol2...]} [if-needed] {default | list-name} [callin] [one-time]

If you configure ppp authentication chap on an interface, all incoming calls on that interface that initiate a PPP connection will have to be authenticated using CHAP; likewise, if you configure ppp authentication pap, all incoming calls that start a PPP connection will have to be authenticated using PAP. If you configure ppp authentication chap pap, the access server will attempt to authenticate all incoming calls that start a PPP session with CHAP. If the remote device does not support CHAP, the access server will try to authenticate the call using PAP. If the remote device does not support either CHAP or PAP, authentication will fail and the call will be dropped. If you configure ppp authentication pap chap, the access server will attempt to authenticate all incoming calls that start a PPP session with PAP. If the remote device does not support PAP, the access server will try to authenticate the call using CHAP. If the remote device does not support either protocol, authentication will fail and the call will be dropped. If you configure the ppp authentication command with the callin keyword, the access server will only authenticate the remote device if the remote device initiated the call.

Authentication method lists and the one-time keyword are only available if you have enabled AAA--they will not be available if you are using TACACS or extended TACACS. If you specify the name of an authentication method list with the ppp authentication command, PPP will attempt to authenticate the connection using the methods defined in the specified method list. If AAA is enabled and no method list is defined by name, PPP will attempt to authenticate the connection using the methods defined as the default. The ppp authentication command with the one-time keyword enables support for one-time passwords during authentication.

The if-needed keyword is only available if you are using TACACS or extended TACACS. The ppp authenticationcommand with the if-needed keyword means that PPP will only authenticate the remote device using PAP or CHAP if they have not yet authenticated during the life of the current call. If the remote device authenticated via a standard login procedure and initiated PPP from the EXEC prompt, PPP will not authenticate via CHAP if ppp authentication chap if-needed is configured on the interface.

Caution

If you use a list-name that has not been configured with the aaa authentication pppcommand, you disable PPP on the line.

For information about adding a username entry for each remote system from which the local device or access server requires authentication, see Establishing Username Authentication.

PPP supports two-way authentication. Normally, when a remote device dials in to an access server, the access server requests that the remote device prove that it is allowed access. This is known as inbound authentication. At the same time, the remote device can also request that the access server prove that it is who it says it is. This is known as outbound authentication. An access server also does outbound authentication when it initiates a call to a remote device.

To enable outbound PAP authentication, use the following command in interface configuration mode:

 Device(config-if)# ppp pap sent-username username password password

The access server uses the username and password specified by the ppp pap sent-username command to authenticate itself whenever it initiates a call to a remote device or when it has to respond to a remote device's request for outbound authentication.

To refuse PAP authentication from peers requesting it, meaning that PAP authentication is disabled for all calls, use the following command in interface configuration mode:

  Device(config-if)#  pap refuse

If the refuse keyword is not used, the device will not refuse any PAP authentication challenges received from the peer.

For remote CHAP authentication only, you can configure your device to create a common CHAP secret password to use in response to challenges from an unknown peer; for example, if your device calls a rotary of devices (either from another vendor, or running an older version of the Cisco software) to which a new (that is, unknown) device has been added. The ppp chap password command allows you to replace several username and password configuration commands with a single copy of this command on any dialer interface or asynchronous group interface.

To enable a device calling a collection of devices to configure a common CHAP secret password, use the following command in interface configuration mode:

  Device(config-if)# ppp chap password  secret

To refuse CHAP authentication from peers requesting it, meaning that CHAP authentication is disabled for all calls, use the following command in interface configuration mode:

  Device(config-if)# ppp chap refuse [callin]

If the callin keyword is used, the device will refuse to answer CHAP authentication challenges received from the peer, but will still require the peer to answer any CHAP challenges the device sends.

If outbound PAP has been enabled (using the ppp pap sent-username command), PAP will be suggested as the authentication method in the refusal packet.

To specify that the device will not authenticate to a peer requesting CHAP authentication until after the peer has authenticated itself to the device, use the following command in interface configuration mode:

 Device(config-if)# ppp chap wait  secret

This command (which is the default) specifies that the device will not authenticate to a peer requesting CHAP authentication until the peer has authenticated itself to the device. The no ppp chap wait command specifies that the device will respond immediately to an authentication challenge.

1.    Device(config-if)# encapsulation ppp

2.    Device(config-if)# ppp authentication ms-chap [if-needed] [list-name | default] [callin] [one-time]

If you configure ppp authentication ms-chap on an interface, all incoming calls on that interface that initiate a PPP connection will have to be authenticated using MS-CHAP. If you configure the ppp authentication command with the callin keyword, the access server will only authenticate the remote device if the remote device initiated the call.

Authentication method lists and the one-time keyword are only available if you have enabled AAA--they will not be available if you are using TACACS or extended TACACS. If you specify the name of an authentication method list with the ppp authentication command, PPP will attempt to authenticate the connection using the methods defined in the specified method list. If AAA is enabled and no method list is defined by name, PPP will attempt to authenticate the connection using the methods defined as the default. The ppp authentication command with the one-time keyword enables support for one-time passwords during authentication.

The if-needed keyword is only available if you are using TACACS or extended TACACS. The ppp authentication command with the if-needed keyword means that PPP will only authenticate the remote device via MS-CHAP if that device has not yet authenticated during the life of the current call. If the remote device authenticated through a standard login procedure and initiated PPP from the EXEC prompt, PPP will not authenticate through MS-CHAP if ppp authentication chap if-needed is configured.

Note	If PPP authentication using MS-CHAP is used with username authentication, you must include the MS-CHAP secret in the local username/password database. For more information about username authentication, refer to the "Establish Username Authentication" section.