-
Dial Solutions Configuration Guide
-
About The Cisco IOS Software Documentation
- Part 1: Business Applications and Scenarios
-
Part 2: Dial-In Port Set-Up
-
Overview of Lines, Interfaces, and Controllers
-
Configuring Modem Support and Asynchronous Devices
-
Managing Modems
-
Configuring Terminal Characteristics for Dial Sessions
-
Setting Up ISDN Basic Rate Service
-
Configuring Synchronous Serial Ports
-
Configuring Channelized E1 and Channelized T1
-
Configuring Special ISDN Signaling
-
-
Part 3: Dial-In Terminal Service and Remote Node Configuration
-
Configuring Dial-In Terminal Services
-
Configuring Protocol Translation and Virtual Async Devices
-
Configuring the Cisco PAD Facility for X.25 Connections
-
Configuring Media-Independent PPP and Multilink PPP
-
Configuring Asynchronous PPP and SLIP
-
Configuring V.120 Remote Node Access
-
Configuring AppleTalk Remote Access
-
- Part 4: Dial Authentication
- Part 5: Dial-on-Demand Routing
- Part 6: Dial Backup
- Part 7: Dial-Out Modem Pooling
- Part 8: Large-Scale Dial Solutions
- Part 9: Cost-Control Solutions
- Part 10: Virtual Private Dialup Networks
- Part 11: Other Network Traffic on ISDN Channels
- Part 12: Dial-Related Addressing Services
-
Table Of Contents
Securing Access to Privileged EXEC and Configuration Mode
Enabling Communication between the Access Server and the Security Server
Communicating with a TACACS+ Server
Communicating with a RADIUS Server
Configuring Authentication on a TACACS+ Server
Enabling AAA Globally on the Access Server
Defining Authentication Method Lists
Issue the aaa authentication Command
Specify Protocol or Login Authentication
Specify the Authentication Method
Populate the Local Username Database if Necessary
Authentication Method List Examples
Authentication Method List Examples for Users Dialing In Using PPP
Applying Authentication Method Lists
Comprehensive Security Examples
TACACS+ Security Example for Login, PPP, and ARA
RADIUS Example for Login and PPP
Configuring Authentication
Using the AAA facility, you can authenticate users with either a local or a remote security database. For more information about what a local and remote security database are, refer to the chapter "Local Versus Remote Server Authentication."
Whether you maintain a local or remote security database, or use TACACS+ or RADIUS authentication and authorization, the process of configuring the access server for these different databases and protocols is similar. The basic process of configuring the Cisco IOS software for authentication requires the following tasks:
1
Securing Access to Privileged EXEC and Configuration Mode
2
3
4
5
•
•
•
•
6
•
•
•
7
Note
Securing Access to Privileged EXEC and Configuration Mode
The first thing you secure is access to privileged EXEC (enable) mode. Enable mode provides access to configuration mode, which enables any type of configuration change to the access server. To secure Privileged EXEC mode, use one of the commands listed in :
CautionIf you use the enable secret command and specify an encryption type, you must enter the encrypted version of a specific password. Do not enter the cleartext version of the password after specifying an encryption type. You must comply with the following procedure when you specify an encryption type or you will be locked irretrievably out of privileged EXEC (enable) mode. The only way to regain access to privileged EXEC mode will be to erase the contents of NVRAM, erase your entire configuration, and reconfigure the router again.
To enter an encryption type with the enable secret command, perform the following steps:
Step 1
Step 2
router(config)# enable secret mypasswordrouter(config)# exitrouter# show running-configBuilding configuration...Current configuration:!version 11.1! some of the configuration skippedenable secret 5 $1$h7dd$VTNs4.BAfQMUU0Lrvw6570! the rest of the configuration skippedStep 3
Step 4
router(config)# enable secret 5 $1$h7dd$VTNs4.BAfQMUU0Lrvw6570Step 5
router(config)# exitrouter# copy running-config startup-configYou can also specify additional protection for privileged EXEC mode, including the following:
•
•
•
•
Enabling Communication between the Access Server and the Security Server
This section describes the Cisco IOS software commands that enable the access server to communicate with a security server. This process is similar for communicating with TACACS+ and RADIUS servers, and the following sections describe the process.
If you are using local authentication, you can refer to the section "Enabling AAA Globally on the Access Server," later in this chapter.
If you are using a remote security server for authentication and authorization, you must configure the security server before performing the tasks described in this chapter. The section "Comprehensive Security Examples" later in this chapter shows some typical TACACS+ and RADIUS server entries corresponding to the access server security configurations.
Communicating with a TACACS+ Server
To enable communication between the TACACS+ security (database) server and the access server, issue the commands listed in in global configuration mode.
For example, to enable the remote TACACS+ server to communicate with the access server, enter the commands as follows:
router# configure terminalrouter(config)# tacacs-server host alcatrazrouter(config)# tacacs-server key abra2cadThe host name of the TACACS+ server in the previous example is alcatraz. The key (abra2cad) in the previous example is the encryption key shared between the TACACS+ server and the access server.
For more information about these commands, refer to the Security Command Reference, which is part of the Cisco IOS configuration guides and command references documentation.
Communicating with a RADIUS Server
To enable communication between the RADIUS security (database) server and the access server, issue the commands listed in in global configuration mode.
For example, to enable the remote RADIUS server to communicate with the access server, enter the commands as follows:
router# configure terminalrouter(config)# radius-server host alcatrazrouter(config)# radius-server key abra2cadThe host name of the RADIUS server in the previous example is alcatraz. The key (abra2cad) in the previous example is the encryption key shared between the RADIUS server and the access server.
You can use any of the following optional commands to interact with the RADIUS server host:
•
This command specifies the number of times that the router transmits each RADIUS request to the server before the router gives up.
•
This command specifies the number of seconds that an access server waits for a reply to a RADIUS request before the access server retransmits the request. The default is five seconds. If the RADIUS server's response is slow (because of support for a large number of users or large network latency), increase the timeout value.
For more information about these commands, refer to the Security Command Reference, which is part of the Cisco IOS configuration guides and command references documentation.
Configuring Authentication on a TACACS+ Server
On most TACACS+ security servers, there are three ways to authenticate a user for login:
•
The following is the configuration for global authentication:
user = pierre {global = cleartext "pierre global password"}To assign different passwords for ARAP, CHAP, and a normal login, you must enter a string for each user that specifies the security protocols, whether the password is cleartext, and if it authentication is performed via a DES card. The following example shows a user carol, who has authentication configured for ARAP, CHAP, and login. Her ARAP and CHAP passwords, "arap password" and "chap password," are shown in cleartext. Her login password has been encrypted.
user = carol {arap = cleartext "arap password"chap = cleartext "chap password"login = des XQj4892fjk}•
The default authentication is to deny authentication. You can change this at the top level of the configuration file to have the default use passwd(5) file, by issuing the following command:
default authentication = /etc/passwd•
user= fred {login = skey}On the access server, you configure authentication on all lines including the VTY and console lines by entering the following commands, beginning in privileged EXEC mode:
router# configure terminalrouter(config)# aaa new-modelrouter(config)# aaa authentication login default tacacs+ enable
CautionWhen you issue the aaa authentication login default tacacs+ enable command, you are specifying that if your TACACS+ server fails to respond (because it is set up incorrectly), you can log in to the access server by using your enable password. If you do not have an enable password set on the router, you will not be able to log in to it until you have a functioning TACACS+ daemon configured with usernames and passwords. The enable password in this case is a last-resort authentication method. You also can specify none as the last-resort method, which means that no authentication is required if all other methods failed.
Enabling AAA Globally on the Access Server
To use the authentication, authorization, and accounting (AAA) security facility in the Cisco IOS software, you must issue the aaa new-model command from global configuration mode.
When you issue the aaa new-model command, all lines on the access server receive the implicit login authentication default method list, and all interfaces with Point-to-Point Protocol (PPP) enabled have an implicit ppp authentication pap default method list applied.
CautionIf you intend to authenticate users via a security server, make sure you do not inadvertently lock yourself out of the access server ports after you issue the aaa new-model command. Enter line configuration mode and issue the aaa authentication login default tacacs+ enable global configuration command. This command specifies that if your TACACS+ (or RADIUS) server is not functioning properly, you can enter your enable password to log in to the access server. In general, make sure you have a last-resort access method before you are certain that your security server is set up and functioning properly. For more information about the aaa authentication command, refer to the "Defining Authentication Method Lists" section later in this chapter.
Note
For example, enter the following commands to enable AAA in the Cisco IOS software:
router# configure terminalrouter(config)# aaa new-modelDefining Authentication Method Lists
After you enable AAA globally on the access server, you need to define authentication method lists, which you then apply to lines and interfaces. These authentication method lists are security profiles that indicate the protocol (ARAP or PPP) or login and authentication method (TACACS+, RADIUS, or local authentication).
To define an authentication method list, perform the following steps, which are described in this section:
1
2
3
4
5
After you define these authentication method lists, you apply them to one of the following:
•
•
See the section "Applying Authentication Method Lists" later in this chapter for information on how to apply these lists.
Issue the aaa authentication Command
To define an authentication method list, start by issuing the aaa authentication global configuration command, as shown in the following example:
router# configure terminalrouter(config)# aaa authenticationSpecify Protocol or Login Authentication
After you issue aaa authentication, you must specify one of the following dial-in protocols as applicable for your network:
•
•
•
You can specify only one dial-in protocol per authentication method list. However, you can create multiple authentication method lists with each of these options. You must give each list a different name, as described in the next section "Identify a List Name."
If you specify the ppp option, the default authentication method for PPP is PAP. For greater security, specify CHAP. The full command is aaa authentication ppp chap. If you specify the arap option, the authentication method built into ARA is used. The full command is aaa authentication arap.
For example, if you specify PPP authentication, the configuration thus far looks like this:
router# configure terminalrouter(config)# aaa authentication pppIdentify a List Name
A list name identifies each authentication list. You can choose either to use the keyword default, or choose any other name that describes the authentication list. For example, you might give it the name isdn-radius if you intend to apply it to interfaces configured for ISDN and RADIUS authentication. The list name can be any alphanumeric string. Use default as the list name for most lines and interfaces, and use different names on an exception basis.
You can create different authentication method lists and apply them to lines and interfaces selectively. You can even create a named authentication method list that you do not apply to a line or interface, but which you intend to apply at some later point, such as when you deploy a new login method for users.
After you define a list name, you must identify additional security attributes (such as local authentication versus TACACS+ or RADIUS).
In the following example, the default authentication method list for PPP dial-in clients uses the local security database:
router# configure terminalrouter(config)# aaa authentication ppp defaultIn the following example, the PPP authentication method list name is insecure:
router# configure terminalrouter(config)# aaa authentication ppp insecureIn the following example, the ARA authentication method list name is callback (because asynchronous callback is used on the access server):
router# configure terminalrouter(config)# aaa authentication arap callbackIn the following example, the login authentication method list name is deveng:
router# configure terminalrouter(config)# aaa authentication login devengSpecify the Authentication Method
After you identify a list name, you must specify an authentication method. An authentication method identifies how users are authenticated. For example, will users be authenticated by a local security database resident on the access server (local method)? Will they be authenticated by a remote security database, such as by a TACACS+ or RADIUS daemon? Will guest access to an AppleTalk network be permitted?
Authentication methods are defined with optional keywords in the aaa authentication command. The available authentication methods for PPP are described in . The available authentication methods for ARA are described in .
Timesaver
If you are not sure whether you should use TACACS+ or RADIUS, here are some comparisons: TACACS+ encrypts the entire payload of packets passed across the network, whereas RADIUS only encrypts the password when it crosses the network. TACACS+ can query the security server multiple times, whereas a RADIUS server gives one response only and is therefore not as flexible regarding per-user authentication and authorization attempts. Moreover, RADIUS does not support authentication of ARA.
Note
You can specify multiple authentication methods for each authentication list. The following example authentication method list for PPP first queries a TACACS+ server, then a RADIUS server, then the local security database. Multiple authentication methods can be useful if you have multiple types of security servers on the network and one or more types of security server do not respond:
router(config)# aaa authentication ppp testbed tacacs+ radius localIf you specify more than one authentication method and the first method (TACACS+ in the previous example) is not available, the Cisco IOS software attempts to authenticate using the next method (such as RADIUS). If in the previous example the RADIUS server has no information about the user, or if no RADIUS server can be found, the user is authenticated using the local username database that was populated with the username command.
However, if authentication fails using the first method listed, the Cisco IOS software does not permit access. It does not attempt to authenticate using the subsequent security methods if the user entered the incorrect password.
Populate the Local Username Database if Necessary
If you specify local as the security method, you must specify username profiles for each user who might log in. An example of specifying local authentication is as follows:
router(config)# aaa authentication login deveng localThis command specifies that any time a user attempts to log in to a line on an access server, the Cisco IOS software checks the username database. To create a local username database, define username profiles using the username global configuration command.
The following example shows how to use the username command for a user gmcmilla with password n1vriti:
router(config)# username gmcmilla password n1vritiThe show running-config command shows the encrypted version of the password, as follows:
router# show running-configBuilding configuration...Current configuration:!version 11.1! most of config omittedusername gmcmilla password 7 0215055500070C294D
Note
Authentication Method List Examples
This section shows some examples of authentication lists.
Authentication Method List Examples for Users Logging in to the Access Server
The following example creates a local authentication list for users logging in to any line on the access server.
router(config)# aaa authentication login default localThe following example specifies login authentication using RADIUS (the RADIUS daemon is polled for authentication profiles):
router(config)# aaa authentication login default radiusThe following example specifies login authentication using TACACS+ (the TACACS+ daemon is polled for authentication profiles):
router(config)# aaa authentication login default tacacs+Authentication List Examples for Dial-in Users Using ARA to Access Network Resources
The following example creates a local authentication list for Macintosh users dialing in to an AppleTalk network through the access server.
router(config)# aaa authentication arap default localThe following example specifies that Macintosh users dialing in to an AppleTalk network through the access server be authenticated by a TACACS+ daemon:
router(config)# aaa authentication arap default tacacs+The following example creates an authentication method list that does the following:
•
•
•
•
aaa authentication arap default auth-guest tacacs+ line localAuthentication Method List Examples for Users Dialing In Using PPP
The following example creates a TACACS+ authentication list for users connecting to interfaces (such as ISDN BRI or asynchronous interfaces) configured for dialin using PPP. The name of the list is marketing. This example specifies that a remote TACACS+ daemon be used as the security database. If this security database is not available, the Cisco IOS software then polls the RADIUS daemon. Users are not authenticated if they are already authenticated on a TTY line.
aaa authentication ppp marketing if-needed tacacs+ radiusIn this example, default can be substituted for marketing if the administrator wants this list to be the default list.
Applying Authentication Method Lists
As described previously in the "Defining Authentication Method Lists" section, the aaa authentication global configuration command creates authentication method lists or profiles. You apply these authentication method lists to lines or interfaces by issuing the login authentication, arap authentication, or ppp authentication command, as described in .
Table 25 Line and Interface Authentication Method Lists
login authentication
Logs directly in to the access server.
Console Port or VTY lines
aaa authentication login
arap authentication
Uses ARA to access AppleTalk network resources
TTY line
aaa authentication arap
ppp authentication1
Uses PPP to access IP or IPX network resources
Interface (asynchronous, ISDN, or other WAN)
aaa authentication ppp
1 If you issued the ppp authentication command, you must specify either CHAP or PAP authentication. PAP is enabled by default, but Cisco recommends that you use CHAP because CHAP is more secure. For more information, refer to the Security Configuration Guide.
You can create more than one authentication list or profile for login and protocol authentication and apply them to different lines or interfaces. The following examples show the line or interface authentication commands that correspond to the aaa authentication global configuration command.
Login Authentication Examples
The following example shows the default login authentication list applied to the console port and the default virtual terminal (VTY) lines on the access server:
aaa authentication login default localline console 0login authentication defaultline vty 0 4login authentication defaultIn the following example, the login authentication list named rtp2-office, which uses RADIUS authentication, is created. It is applied to all 40 lines on a Cisco 2509 access server, including the console (CTY) port, the 8 physical asynchronous (TTY) lines, the auxiliary (AUX) port, and 30 virtual terminal (VTY) lines:
aaa authentication login rtp2-office radiusline 0 39login authentication rtp2-officeThe following sample output shows lines and their status on the access server:
2509#show lineTty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns* 0 CTY - - - - - 0 0 0/0* 1 TTY 57600/57600 - inout - - - 0 0 0/0...I 8 TTY 115200/115200 - inout - - - 0 0 0/09 AUX 38400/38400 - - - - - 0 0 0/010 VTY - - - - - 0 0 0/0...39 VTY - - - - - 0 0 0/0ARA Authentication Examples
In the following example, the ARA authentication list bldg-d-list is created, then applied to lines 1 through 16 (the physical asynchronous lines) on a Cisco 2511 access server:
aaa authentication arap bldg-d-list auth-guest tacacs+line 1 16arap authentication bldg-d-listPPP Authentication Examples
The following example creates the PPP authentication list marketing, which uses TACACS+, then RADIUS authentication. The list marketing requires authentication only if the user has not already been authenticated on another line. It is then applied to asynchronous lines 1 through 48 on a Cisco AS5200 access server and uses CHAP authentication, instead of the default of PAP:
aaa authentication ppp marketing if-needed tacacs+ radiusline 1 48ppp authentication chap marketingComprehensive Security Examples
This series of examples shows complete security configuration components of a configuration file on an access server. Each of these examples shows authentication and authorization.
Simple Local Security Example
This sample configuration uses AAA to configure default authentication using a local security database on the access server. All lines and interfaces have the default authentication lists applied. Users dellain, gmcmilla, and scottyin have been assigned privilege level 7, which prevents them from issuing the ppp arap, and slip commands, because these commands have been assigned to privilege level 8.
aaa new-modelaaa authentication login default localaaa authentication arap default localaaa authentication ppp default localaaa authorization exec localaaa authorization network localaaa authorization!username dellain privilege exec level 7 privilege network level 8 password 7 095E470B1110username gmcmilla privilege network level 7 password 7 0215055500070C294Dusername scottyin privilege network level 7 password 7 095E4F10140A1916!privilege exec level 8 pppprivilege exec level 8 arapprivilege exec level 8 slip!interface Group-Async1ppp authentication chap defaultgroup-range 1 16!line console 0login authentication default!line 1 16arap authentication default!With this configuration, the sign-on dialog from a remote PC appears as follows:
atdt5551234CONNECT 14400/ARQ/V32/LAPM/V42BISUser Access VerificationUsername: dellainPassword:Router> enablePassword:Router#TACACS+ Security Example for Login, PPP, and ARA
The following example shows how to create and apply the following authentication lists:
•
•
•
•
Note
hostname router!tacacs-server host dog-housetacacs-server key shepard4!aaa authentication login rtp2-office tacacs+aaa authentication ppp marketing if-needed tacacs+aaa authentication arap park-central-office tacacs+!line console0login authentication rtp2-office!interface group-async0ppp authentication chap marketinggroup-range 1 16!line 1 16arap authentication park-central-office!RADIUS Example for Login and PPP
The following example shows how to create the following authentication lists:
•
•
•
radius-server host spikeradius-server key BaBe218!privilege exec level 14 configureprivilege exec level 14 reloadprivilege exec level 8 arapprivilege exec level 8 ppp!aaa authentication login fly radiusaaa authentication ppp maaaa if-needed radiusaaa authorization network radiusaaa authorization exec radius!line 1 39login authentication fly!interface group-async658ppp authentication chap maaaagroup-range 1 16!
