Table Of Contents
AAA Authentication Method Lists
AAA Authentication General Configuration Procedure
Configure Login Authentication Using AAA
Login Authentication Using Local Password
Login Authentication Using Line Password
Login Authentication Using Enable Password
Login Authentication Using RADIUS
Login Authentication Using TACACS+
Login Authentication Using Kerberos
Configure PPP Authentication Using AAA
PPP Authentication Using Local Password
PPP Authentication Using RADIUS
PPP Authentication Using TACACS+
PPP Authentication Using Kerberos
Configure ARA Authentication Using AAA
ARA Authentication Allowing Guest Logins
ARA Authentication Allowing Authorized Guest Logins
ARA Authentication Using Local Password
ARA Authentication Using Line Password
ARA Authentication Using TACACS+
Configure NASI Authentication Using AAA
NASI Authentication Using Enable Password
NASI Authentication Using Local Password
NASI Authentication Using Line Password
NASI Authentication Using TACACS+
Enable Password Protection at the Privileged Level
Enable an Authentication Override
Change the Text Displayed at the Password Prompt
How Double Authentication Works
Configure Double Authentication
Access User Profile after Double Authentication
Non-AAA Authentication Methods
Configure Line Password Protection
Establish Username Authentication
Enable CHAP or PAP Authentication
Inbound and Outbound Authentication
Enabling Outbound PAP Authentication
Refuse CHAP Authentication Requests
Delay CHAP Authentication Until Peer Authenticates
Configure TACACS and Extended TACACS Password Protection
Set TACACS Password Protection at the User Level
Disable Password Checking at the User Level
RADIUS Authentication Examples
TACACS+ Authentication Examples
TACACS and Extended TACACS Authentication Examples
Kerberos Authentication Examples
Double Authentication Configuration Example
Configuring the Local Host for AAA with Double Authentication Examples
Example Router Configuration with a RADIUS AAA
Example Router Configuration with a TACACS+ Server
Configuring the AAA Server for First-Stage (PPP) Authentication/Authorization Example
Example RADIUS AAA Server Configuration
Configuring the AAA Server for Second-Stage (Per-User) Authentication/Authorization Examples
Example RADIUS AAA Server Configurations
Complete Sample Configuration with TACACS+
Configuring Authentication
Authentication identifies users before they are allowed access to the network and network services. Basically, the Cisco IOS software implementation of authentication is divided into two main categories:
•
Non-AAA Authentication Methods
Authentication, for the most part, is implemented through the AAA security services. We recommend that, whenever possible, AAA be used to implement authentication.
This chapter describes both AAA and non-AAA authentication methods. For configuration examples, refer to the "Authentication Configuration Examples" section at the end of this chapter. For a complete description of the commands used in this chapter, refer to the "AAA Authentication Commands" chapter of the Security Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.
AAA Authentication Method Lists
To configure AAA authentication, first define a named list of authentication methods, and then apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they will be performed; it must be applied to a specific interface before any of the defined authentication methods will be performed. The only exception is the default method list (which, by coincidence, is named "default"). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list.
A method list is simply a list describing the authentication methods to be queried, in sequence, to authenticate a user. Method lists enable you to designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. Cisco IOS software uses the first method listed to authenticate users; if that method fails to respond, the Cisco IOS software selects the next authentication method listed in the method list. This process continues until there is successful communication with a listed authentication method, or all methods defined are exhausted.
It is important to note that the Cisco IOS software attempts authentication with the next listed authentication method only when there is no response from the previous method. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops and no other authentication methods are attempted.
Figure 3 Typical AAA Network Configuration
Method List Examples
shows a typical AAA network configuration that includes four security servers: R1 and R2 are RADIUS servers and T1 and T2 are TACACS+ servers. Suppose the system administrator has decided on a security solution where all interfaces will use the same authentication methods to authenticate PPP connections: R1 is contacted first for authentication information, then if there is no response, R2 is contacted. If R2 fails to respond, T1 is contacted; if T1 fails to respond, T2 is contacted. If all designated servers fail to respond, authentication falls over to the local username database on the access server itself. To implement this, the system administrator would create a default method list by entering the following command:
aaa authentication ppp default radius tacacs+ localIn this example, "default" is the name of the method list. The protocols included in this method list are listed after the name, in the order they are to be queried. The default list is automatically applied to all interfaces.
Suppose the system administrator wanted to apply this method list only to a particular interface or set of interfaces. In this case, the system administrator would create a named method list and then apply this named list to the applicable interfaces. The following example shows how the system administrator would implement the previous scenario if that authentication method were to be applied only to interface 3:
aaa authentication ppp apple radius tacacs+ localinterface async 3ppp authentication chap appleIn this example, "apple" is the name of the method list, and the protocols included in this method list are listed after the name in the order in which they are to be performed. After the method list has been created, it is applied to the appropriate interface. Please note that the method list name in both the aaa authentication command and the ppp authentication commands must match.
When a remote user attempts to dial in to the network, the network access server first queries R1 for authentication information. If R1 authenticates the user, it issues a PASS response to the network access server and the user is allowed to access the network. If R1 returns a FAIL response, the user is denied access and the session is terminated. If R1 fails to respond, then the network access server processes that as an ERROR and queries R2 for authentication information. This pattern would continue through the remaining designated methods until the user is either authenticated, rejected, or the session terminated.
It is important to remember that a FAIL response is significantly different from an ERROR. A FAIL means that the user has not met the criteria contained in the applicable authentication database to be successfully authenticated. Authentication ends with a FAIL response. An ERROR means that the security server has failed to respond to an authentication query. Because of this, no authentication has been attempted. Only when an ERROR is detected will AAA select the next authentication method defined in the authentication method list.
AAA Authentication General Configuration Procedure
To configure AAA authentication, no matter what method of authentication you select, you need to perform the following tasks:
1
2
3
4
AAA Authentication Methods
This section discusses the following AAA authentication methods:
•
•
•
•
•
•
Note
Configure Login Authentication Using AAA
The AAA security services facilitate a variety of login authentication methods. Use the aaa authentication login command to enable AAA authentication no matter which of the supported login authentication methods you decide to use. With the aaa authentication login command, you create one or more lists of authentication methods that are tried at login. These lists are applied using the login authentication line configuration command.
To configure login authentication by using AAA, perform the following tasks, beginning in global configuration mode:
The keyword list-name is any character string used to name the list you are creating. The keyword method refers to the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.
For example, to specify that authentication should succeed even if (in this example) the TACACS+ server returns an error, enter the following:
aaa authentication login default tacacs+ none
Note
To create a default list that is used if no list is specified in the login authentication command, use the default argument followed by the methods you want used in default situations. The default method list is automatically applied to all interfaces.
For example, to specify RADIUS as the default method for user authentication during login, enter the following:
aaa authentication login default radiuslists the supported login authentication methods.
Login Authentication Using Local Password
Use the aaa authentication login command with the local method keyword to specify that the Cisco router or access server will use the local username database for authentication. For example, to specify the local username database as the method of user authentication at login when no other method list has been defined, enter the following:
aaa authentication login default localFor information about adding users into the local username database, refer to the "Establish Username Authentication" section in this chapter.
Login Authentication Using Line Password
Use the aaa authentication login command with the line method keyword to specify the line password as the login authentication method. For example, to specify the line password as the method of user authentication at login when no other method list has been defined, enter the following:
aaa authentication login default lineBefore you can use a line password as the login authentication method, you need to define a line password. For more information about defining line passwords, refer to the "Configure Line Password Protection" section in this chapter.
Login Authentication Using Enable Password
Use the aaa authentication login command with the enable method keyword to specify the enable password as the login authentication method. For example, to specify the enable password as the method of user authentication at login when no other method list has been defined, enter:
aaa authentication login default enableBefore you can use the enable password as the login authentication method, you need to define the enable password. For more information about defining enable passwords, refer to the "Configuring Passwords and Privileges" chapter.
Login Authentication Using RADIUS
Use the aaa authentication login command with the radius method keyword to specify RADIUS as the login authentication method. For example, to specify RADIUS as the method of user authentication at login when no other method list has been defined, enter:
aaa authentication login default radiusBefore you can use RADIUS as the login authentication method, you need to enable communication with the RADIUS security server. For more information about establishing communication with a RADIUS server, refer to the "Configuring RADIUS" chapter.
Login Authentication Using TACACS+
Use the aaa authentication login command with the tacacs+ method keyword to specify TACACS+ as the login authentication method. For example, to specify TACACS+ as the method of user authentication at login when no other method list has been defined, enter:
aaa authentication login default tacacs+Before you can use TACACS+ as the login authentication method, you need to enable communication with the TACACS+ security server. For more information about establishing communication with a TACACS+ server, refer to the "Configuring TACACS+" chapter.
Login Authentication Using Kerberos
Authentication via Kerberos is different from most other authentication methods: the user's password is never sent to the remote access server. Remote users logging in to the network are prompted for a username. If the key distribution center (KDC) has an entry for that user, it creates an encrypted ticket granting ticket (TGT) with the password for that user and sends it back to the router. The user is then prompted for a password, and the router attempts to decrypt the TGT with that password. If it succeeds, the user is authenticated and the TGT is stored in the user's credential cache on the router.
A user does not need to run the KINIT program to get a TGT to authenticate to the router. This is because KINIT has been integrated into the login procedure in the Cisco IOS implementation of Kerberos.
Use the aaa authentication login command with the krb5 method keyword to specify Kerberos as the login authentication method. For example, to specify Kerberos as the method of user authentication at login when no other method list has been defined, enter:
aaa authentication login default krb5Before you can use Kerberos as the login authentication method, you need to enable communication with the Kerberos security server. For more information about establishing communication with a Kerberos server, refer to the "Configuring Kerberos" chapter.
Configure PPP Authentication Using AAA
Many users access network access servers through dialup via async or ISDN. Dialup via async or ISDN bypasses the CLI completely; instead, a network protocol (such as PPP or ARAP) starts as soon as the connection is established.
The AAA security services facilitate a variety of authentication methods for use on serial interfaces running PPP. Use the aaa authentication ppp command to enable AAA authentication no matter which of the supported PPP authentication methods you decide to use.
To configure AAA authentication methods for serial lines using PPP, perform the following tasks in global configuration mode:
With the aaa authentication ppp command, you create one or more lists of authentication methods that are tried when a user tries to authenticate via PPP. These lists are applied using the ppp authentication line configuration command.
To create a default list that is used if no list is specified in the ppp authentication command, use the default argument followed by the methods you want used in default situations.
For example, to specify the local username database as the default method for user authentication, enter the following:
aaa authentication ppp default localThe keyword list-name is any character string used to name the list you are creating. The keyword method refers to the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.
For example, to specify that authentication should succeed even if (in this example) the TACACS+ server returns an error, enter the following:
aaa authentication ppp default tacacs+ none
Note
lists the supported login authentication methods.
PPP Authentication Using Local Password
Use the aaa authentication ppp command with the method keyword local to specify that the Cisco router or access server will use the local username database for authentication. For example, to specify the local username database as the method of authentication for use on lines running PPP when no other method list has been defined, enter:
aaa authentication ppp default localFor information about adding users into the local username database, refer to the "Establish Username Authentication" section in this chapter.
PPP Authentication Using RADIUS
Use the aaa authentication ppp command with the radius method keyword to specify RADIUS as the authentication method for use on interfaces running PPP. For example, to specify RADIUS as the method of user authentication when no other method list has been defined, enter:
aaa authentication ppp default radiusBefore you can use RADIUS as the authentication method, you need to enable communication with the RADIUS security server. For more information about establishing communication with a RADIUS server, refer to the "Configuring RADIUS" chapter.
PPP Authentication Using TACACS+
Use the aaa authentication ppp command with the tacacs+ method keyword to specify TACACS+ as the authentication method for use on interfaces running PPP. For example, to specify TACACS+ as the method of user authentication when no other method list has been defined, enter:
aaa authentication ppp default tacacs+Before you can use TACACS+ as the authentication method, you need to enable communication with the TACACS+ security server. For more information about establishing communication with a TACACS+ server, refer to the "Configuring TACACS+" chapter.
PPP Authentication Using Kerberos
Use the aaa authentication ppp command with the krb5 method keyword to specify Kerberos as the authentication method for use on interfaces running PPP. For example, to specify Kerberos as the method of user authentication when no other method list has been defined, enter:
aaa authentication ppp default krb5Before you can use Kerberos as the login authentication method, you need to enable communication with the Kerberos security server. For more information about establishing communication with a Kerberos server, refer to the "Configuring Kerberos" chapter.
Note
Configure ARA Authentication Using AAA
With the aaa authentication arap command, you create one or more lists of authentication methods that are tried when AppleTalk Remote Access (ARA) users attempt to log in to the router. These lists are used with the arap authentication line configuration command.
Perform at least the first of the following tasks starting in global configuration mode:
The list-name is any character string used to name the list you are creating. The method refers to the actual list of methods the authentication algorithm tries, in the sequence entered.
To create a default list that is used if no list is specified in the arap authentication command, use the default argument followed by the methods you want to be used in default situations.
The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.
Note
lists the supported login authentication methods.
For example, to create a default AAA authentication method list used with the ARA protocol, enter:
aaa authentication arap default if-needed noneTo create the same authentication method list for the ARA protocol but name the list MIS-access, enter:
aaa authentication arap MIS-access if-needed noneARA Authentication Allowing Guest Logins
Use the aaa authentication arap command with the guest keyword to allow guest logins. This method must be the first listed in the ARA authentication method list but it can be followed by other methods if it does not succeed. For example, to allow all guest logins as the default method of authentication, using TACACS+ only if that method fails, enter:
aaa authentication arap default guest tacacs+For more information about ARA guest logins, refer to the "Configuring AppleTalk" chapter in the Network Protocols Configuration Guide, Part 2.
ARA Authentication Allowing Authorized Guest Logins
Use the aaa authentication arap command with the auth-guest keyword to allow guest logins only if the user has already successfully logged in to the EXEC. This method must first in the ARA authentication method list but it can be followed by other methods if it does not succeed. For example, to allow all authorized guest logins—meaning logins by users who have already successfully logged into the EXEC—as the default method of authentication, using TACACS+ only if that method fails, enter:
aaa authentication arap default auth-guest tacacs+For more information about ARA authorized guest logins, refer to the "Configuring AppleTalk" chapter in the Network Protocols Configuration Guide, Part 2.
Note
ARA Authentication Using Local Password
Use the aaa authentication arap command with the method keyword local to specify that the Cisco router or access server will use the local username database for authentication. For example, to specify the local username database as the method of ARA user authentication when no other method list has been defined, enter:
aaa authentication arap default localFor information about adding users to the local username database, refer to the "Establish Username Authentication" section in this chapter.
ARA Authentication Using Line Password
Use the aaa authentication arap command with the method keyword line to specify the line password as the authentication method. For example, to specify the line password as the method of ARA user authentication when no other method list has been defined, enter:
aaa authentication arap default lineBefore you can use a line password as the ARA authentication method, you need to define a line password. For more information about defining line passwords, refer to the "Configure Line Password Protection" section in this chapter.
ARA Authentication Using TACACS+
Use the aaa authentication arap command with the tacacs+ method keyword to specify TACACS+ as the ARA authentication method. For example, to specify TACACS+ as the method of ARA user authentication when no other method list has been defined, enter:
aaa authentication arap default tacacs+Before you can use TACACS+ as the ARA authentication method, you need to enable communication with the TACACS+ security server. For more information about establishing communication with a TACACS+ server, refer to the "Configuring TACACS+" chapter.
Configure NASI Authentication Using AAA
With the aaa authentication nasi command, you create one or more lists of authentication methods that are tried when Netware Asynchronous Services Interface (NASI) users attempt to log in to the router. These lists are used with the nasi authentication line configuration command.
Perform at least the first of the following tasks starting in global configuration mode:
The list-name is any character string used to name the list you are creating. The method refers to the actual list of methods the authentication algorithm tries, in the sequence entered.
To create a default list that is used if no list is specified in the aaa authentication nasi command, use the default argument followed by the methods you want to be used in default situations.
The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.
Note
lists the supported login authentication methods.
NASI Authentication Using Enable Password
Use the aaa authentication nasi command with the argument enable to specify the enable password as the authentication method. For example, to specify the enable password as the method of NASI user authentication when no other method list has been defined, enter:
aaa authentication nasi default enableBefore you can use the enable password as the authentication method, you need to define the enable password. For more information about defining enable passwords, refer to the "Configuring Passwords and Privileges" chapter.
NASI Authentication Using Local Password
Use the aaa authentication nasi command with the method keyword local to specify that the Cisco router or access server will use the local username database for authentication information. For example, to specify the local username database as the method of NASI user authentication when no other method list has been defined, enter:
aaa authentication nasi default localFor information about adding users to the local username database, refer to the "Establish Username Authentication" section in this chapter.
NASI Authentication Using Line Password
Use the aaa authentication nasi command with the method keyword line to specify the line password as the authentication method. For example, to specify the line password as the method of NASI user authentication when no other method list has been defined, enter:
aaa authentication nasi default lineBefore you can use a line password as the NASI authentication method, you need to define a line password. For more information about defining line passwords, refer to the "Configure Line Password Protection" section in this chapter.
NASI Authentication Using TACACS+
Use the aaa authentication nasi command with the tacacs+ method keyword to specify TACACS+ as the NASI authentication method. For example, to specify TACACS+ as the method of NASI user authentication when no other method list has been defined, enter:
aaa authentication nasi default tacacs+Before you can use TACACS+ as the authentication method, you need to enable communication with the TACACS+ security server. For more information about establishing communication with a TACACS+ server, refer to the "Configuring TACACS+" chapter.
Enable Password Protection at the Privileged Level
Use the aaa authentication enable default command to create a series of authentication methods that are used to determine whether a user can access the privileged EXEC command level. You can specify up to four authentication methods. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication succeed even if all methods return an error, specify none as the final method in the command line.
Perform the following task in global configuration mode:
Enable user ID and password checking for users requesting privileged EXEC level.
aaa authentication enable default method1 [method2...]
The method refers to the actual list of methods the authentication algorithm tries, in the sequence entered. lists the supported login authentication methods.
Enable an Authentication Override
To configure the Cisco IOS software to check the local user database for authentication before attempting another form of authentication, use the aaa authentication local-override command. This command is useful when you want to configure an override to the normal authentication process for certain personnel (such as system administrators).
Perform the following task in global configuration mode:
Change the Text Displayed at the Password Prompt
Use the aaa authentication password-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a password. This command changes the password prompt for the enable password as well as for login passwords that are not supplied by remote security servers. The no form of this command returns the password prompt to the following default value:
Password:The aaa authentication password-prompt command does not change any dialog that is supplied by a remote TACACS+ server.
The aaa authentication password-prompt command works when using RADIUS as the login method. You will be able to see the password prompt defined in the command shown even when the RADIUS server is unreachable. The aaa authentication password-prompt command does not work with TACACS+. TACACS+ supplies the NAS the password prompt to display to the users. If the TACACS+ server is reachable, the NAS gets the password prompt from the server and uses that prompt instead of the one defined in the aaa authentication password-prompt command. If the TACACS+ server is not reachable, the password prompt defined in the aaa authentication password-prompt command may be used.
Perform the following task in global configuration mode:
Change the default text displayed when a user is prompted to enter a password.
aaa authentication password-prompt text-string
Enable Double Authentication
Double Authentication provides additional authentication for Point-to-Point Protocol (PPP) sessions. Previously, PPP sessions could only be authenticated by using a single authentication method: either PAP or CHAP. Double Authentication requires remote users to pass a second stage of authentication—after CHAP or PAP authentication—before gaining network access.
This second ("double") authentication requires a password that is known to the user but not stored on the user's remote host. Therefore, the second authentication is specific to a user, not to a host. This provides an additional level of security that will be effective even if information from the remote host is stolen. In addition, this also provides greater flexibility by allowing customized network privileges for each user.
The second stage authentication can use one-time passwords such as token card passwords, which are not supported by CHAP. If one-time passwords are used, a stolen user password is of no use to the perpetrator.
How Double Authentication Works
With Double Authentication, there are two authentication/authorization stages. These two stages occur after a remote user dials in and a PPP session is initiated.
In the first stage, the user logs in using the remote host name; CHAP (or PAP) authenticates the remote host, and then PPP negotiates with AAA to authorize the remote host. In this process, the network access privileges associated with the remote host are assigned to the user.
Note
In the second stage, the remote user must Telnet to the network access server to be authenticated. When the remote user logs in, the user must be authenticated with AAA login authentication. The user then must enter the access-profile command to be reauthorized using AAA. When this authorization is complete, the user has been double authenticated, and can access the network according to per-user network privileges.
The system administrator determines what network privileges remote users will have after each stage of authentication by configuring appropriate parameters on a security server. To use Double Authentication, the user must activate it by issuing the access-profile command.
CautionDouble Authentication can cause certain undesirable events if multiple hosts share a PPP connection to a network access server, as shown in .
First, if a user, Bob, initiates a PPP session and activates Double Authentication at the NAS (per ), any other user will automatically have the same network privileges as Bob until Bob's PPP session expires. This happens because Bob's authorization profile is applied to the NAS's interface during the PPP session and any PPP traffic from other users will use the PPP session Bob established.
Second, if Bob initiates a PPP session and activates Double Authentication, and then—before Bob's PPP session has expired—another user, Jane, executes the access-profile command (or, if she Telnets to the NAS and autocommand access-profile is executed), a reauthorization will occur and Jane's authorization profile will be applied to the interface—replacing Bob's profile. This can disrupt or halt Bob's PPP traffic, or grant Bob additional authorization privileges he should not have.
Figure 4 Possibly Risky Topology: Multiple Hosts Share a PPP Connection to a NAS
Configure Double Authentication
To configure Double Authentication, you must complete the following steps:
1
2
3
4
5
6
Note
Follow these rules when creating the user-specific authorization statements (These rules relate to the default behavior of the access-profile command):
•
•
•
•
To troubleshoot Double Authentication, use the debug aaa per-user debug command. For more information about this command, refer to the Debug Command Reference.
Access User Profile after Double Authentication
In Double Authentication, when a remote user establishes a PPP link to the local host using the local host name, the remote host is CHAP (or PAP) authenticated. After CHAP (or PAP) authentication, PPP negotiates with AAA to assign network access privileges associated with the remote host to the user. (We suggest that privileges at this stage be restricted to allow the user to connect to the local host only by establishing a Telnet connection.)
When the user needs to initiate the second phase of Double Authentication, establishing a Telnet connection to the local host, the user enters a personal username and password (different from the CHAP or PAP username and password). This action causes AAA reauthentication to occur according to the personal username/password. The initial rights associated with the local host, though, are still in place. By using the access-profile command, the rights associated with the local host are replaced by or merged with those defined for the user in the user's profile.
To access the rights associated with the user after Double Authentication, perform the following tasks in EXEC configuration mode:
Access the rights associated for the user after Double Authentication.
access profile [merge | replace | ignore-sanity-checks]
If you configured the access-profile command to be executed as an autocommand, it will be executed automatically after the remote user logs in.
Non-AAA Authentication Methods
This section discusses the following non-AAA authentication tasks:
•
•
•
•
Configure Line Password Protection
You can provide access control on a terminal line by entering the password and establishing password checking. To do so, perform the following tasks in line configuration mode:
Assign a password to a terminal or other device on a line.
password password
Enable password checking at login.
login
The password checker is case sensitive and can include spaces; for example, the password "Secret" is different from the password "secret," and "two words" is an acceptable password.
You can disable line password verification by disabling password checking. To do so, perform the following task in line configuration mode:
Disable password checking or allow access to a line without password verification.
no login
If you configure line password protection and then configure TACACS or Extended TACACS, the TACACS username and password take precedence over line passwords. If you have not yet implemented a security policy, we recommend that you use AAA.
Establish Username Authentication
You can create a username-based authentication system, which is useful in the following situations:
•
•
To establish username authentication, perform the following tasks in global configuration mode as needed for your system configuration:
The keyword noescape prevents users from using escape characters on the hosts to which they are connected. The nohangup feature does not disconnect after using the autocommand.
CautionPasswords will be displayed in clear text in your configuration unless you enable the service password-encryption command. For more information about the service password-encryption command, refer to the "Password and Privileges Commands" chapter in the Security Command Reference.
Enable CHAP or PAP Authentication
One of the most common transport protocols used in Internet Service Providers' (ISPs') dial solutions is the Point-to-Point Protocol (PPP). Traditionally, remote users dial in to an access server to initiate a PPP session. After PPP has been negotiated, remote users are connected to the ISP network and to the Internet.
Because ISPs want only customers to connect to their access servers, remote users are required to authenticate to the access server before they can start up a PPP session. Normally, a remote user authenticates by typing in a username and password when prompted by the access server. Although this is a workable solution, it is difficult to administer and awkward for the remote user.
A better solution is to use the authentication protocols built into PPP. In this case, the remote user dials in to the access server and starts up a minimal subset of PPP with the access server. This does not give the remote user access to the ISP's network—it merely allows the access server to talk to the remote device.
PPP currently supports two authentication protocols: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). Both are specified in RFC 1334 and are supported on synchronous and asynchronous interfaces. Authentication via PAP or CHAP is equivalent to typing in a username and password when prompted by the server. CHAP is considered to be more secure because the remote user's password is never sent across the connection.
PPP (with or without PAP or CHAP authentication) is also supported in dialout solutions. An access server utilizes a dialout feature when it initiates a call to a remote device and attempts to start up a transport protocol such as PPP.
See the "Configuring Interfaces" chapter in the Configuration Fundamentals Configuration Guide for more information about CHAP and PAP.
Note
When CHAP is enabled on an interface and a remote device attempts to connect to it, the access server sends a CHAP packet to the remote device. The CHAP packet requests or "challenges" the remote device to respond. The challenge packet consists of an ID, a random number, and the host name of the local router.
When the remote device receives the challenge packet, it concatenates the ID, the remote device's password, and the random number, and then encrypts all of it using the remote device's password. The remote device sends the results back to the access server, along with the name associated with the password used in the encryption process.
When the access server receives the response, it uses the name it received to retrieve a password stored in its user database. The retrieved password should be the same password the remote device used in its encryption process. The access server then encrypts the concatenated information with the newly-retrieved password—if the result matches the result sent in the response packet, authentication succeeds.
The benefit of using CHAP authentication is that the remote device's password is never transmitted in clear text. This prevents other devices from stealing it and gaining illegal access to the ISP's network.
CHAP transactions occur only at the time a link is established. The access server does not request a password during the rest of the call. (The local device can, however, respond to such requests from other devices during a call.)
When PAP is enabled, the remote router attempting to connect to the access server is required to send an authentication request. If the username and password specified in the authentication request are accepted, the Cisco IOS software sends an authentication acknowledgment.
After you have enabled CHAP or PAP, the access server will require authentication from remote devices dialing in to the access server. If the remote device does not support the enabled protocol, the call will be dropped.
To use CHAP or PAP, you must perform the following tasks:
1
2
3
Enable PPP Encapsulation
To enable PPP encapsulation, perform the following task in interface configuration mode:
Enable PAP or CHAP
To enable CHAP or PAP authentication on an interface configured for PPP encapsulation, perform the following task in interface configuration mode:
If you configure ppp authentication chap on an interface, all incoming calls on that interface that initiate a PPP connection will have to be authenticated using CHAP; likewise, if you configure ppp authentication pap, all incoming calls that start a PPP connection will have to be authenticated via PAP. If you configure ppp authentication chap pap, the access server will attempt to authenticate all incoming calls that start a PPP session with CHAP. If the remote device does not support CHAP, the access server will try to authenticate the call using PAP. If the remote device doesn't support either CHAP or PAP, authentication will fail and the call will be dropped. If you configure ppp authentication pap chap, the access server will attempt to authenticate all incoming calls that start a PPP session with PAP. If the remote device does not support PAP, the access server will try to authenticate the call using CHAP. If the remote device doesn't support either protocols, authentication will fail and the call will be dropped. If you configure the ppp authentication command with the callin keyword, the access server will only authenticate the remote device if the remote device initiated the call.
Authentication method lists and the one-time keyword are only available if you have enabled AAA—they will not be available if you are using TACACS or Extended TACACS. If you specify the name of an authentication method list with the ppp authentication command, PPP will attempt to authenticate the connection using the methods defined in the specified method list. If AAA is enabled and no method list is defined by name, PPP will attempt to authenticate the connection using the methods defined as the default. The ppp authentication command with the one-time keyword enables support for one-time passwords during authentication.
The if-needed keyword is only available if you are using TACACS or Extended TACACS. The ppp authentication command with the if-needed keyword means that PPP will only authenticate the remote device via PAP or CHAP if they have not yet authenticated during the life of the current call. If the remote device authenticated via a standard login procedure and initiated PPP from the EXEC prompt, PPP will not authenticate via CHAP if ppp authentication chap if-needed is configured on the interface.
CautionIf you use a list-name that has not been configured with the aaa authentication ppp command, you disable PPP on the line.
For information about adding a username entry for each remote system from which the local router or access server requires authentication, see the "Establish Username Authentication" section.
Inbound and Outbound Authentication
PPP supports two-way authentication. Normally, when a remote device dials in to an access server, the access server requests that the remote device prove that it is allowed access. This is known as inbound authentication. At the same time, the remote device can also request that the access server prove that it is who it says it is. This is known as outbound authentication. An access server also does outbound authentication when it initiates a call to a remote device.
Enabling Outbound PAP Authentication
To enable outbound PAP authentication, perform the following task in interface configuration mode:
The access server uses the username and password specified by the ppp pap sent-username command to authenticate itself whenever it initiates a call to a remote device or when it has to respond to a remote device's request for outbound authentication.
Create a Common CHAP Password
For remote CHAP authentication only, you can configure your router to create a common CHAP secret password to use in response to challenges from an unknown peer; for example, if your router calls a rotary of routers (either from another vendor, or running an older version of the Cisco IOS software) to which a new (that is, unknown) router has been added. The ppp chap password command allows you to replace several username and password configuration commands with a single copy of this command on any dialer interface or asynchronous group interface.
To enable a router calling a collection of routers to configure a common CHAP secret password, perform the following task in interface configuration mode:
Enable a router calling a collection of routers to configure a common CHAP secret password.
ppp chap password secret
Refuse CHAP Authentication Requests
To refuse CHAP authentication from peers requesting it, meaning that CHAP authentication is disabled for all calls, perform the following task in interface configuration mode:
Refuse CHAP authentication from peers requesting CHAP authentication.
ppp chap refuse [callin]
If the callin keyword is used, the router will refuse to answer CHAP authentication challenges received from the peer, but will still require the peer to answer any CHAP challenges the router sends.
If outbound PAP has been enabled (using the ppp pap sent-username command), PAP will be suggested as the authentication method in the refusal packet.
Delay CHAP Authentication Until Peer Authenticates
To specify that the router will not authenticate to a peer requesting CHAP authentication until after the peer has authenticated itself to the router, perform the following task in interface configuration mode:
Configure the router to delay CHAP authentication until after the peer has authenticated itself to the router.
ppp chap wait secret
This command (which is the default) specifies that the router will not authenticate to a peer requesting CHAP authentication until the peer has authenticated itself to the router. The no ppp chap wait command specifies that the router will respond immediately to an authentication challenge.
Configure TACACS and Extended TACACS Password Protection
You can use TACACS or Extended TACACS to control login access to the router. Perform the tasks in the following sections:
•
•
Before performing these tasks, you must have enabled communication with a TACACS host on the network. For more information, refer to the "Configuring TACACS and Extended TACACS" chapter in the Security Configuration Guide.
Set TACACS Password Protection at the User Level
You can enable TACACS password checking at login by performing the following task in line configuration mode:
Disable Password Checking at the User Level
If a TACACS server does not respond to a login request, the Cisco IOS software denies the request by default. However, you can prevent login failure in one of two ways:
•
•
To specify one of these features, perform either of the following tasks in global configuration mode:
Allow a user to access privileged EXEC mode, or set last resort options for logins.
tacacs-server last-resort password
or
tacacs-server last-resort succeed
Authentication Examples
This section contains the following authentication configuration examples:
•
•
•
•
•
RADIUS Authentication Examples
This section provides two sample configurations using RADIUS.
The following example shows how to configure the router to authenticate and authorize using RADIUS:
aaa authentication login radius-login RADIUS localaaa authentication ppp radius-ppp if-needed radiusaaa authorization exec radius if-authenticatedaaa authorization network radiusline 3login authentication radius-logininterface serial 0ppp authentication radius-ppp
