Table Of Contents
Authentication Commands
aaa authentication arap
aaa authentication banner
aaa authentication enable default
aaa authentication fail-message
aaa authentication login
aaa authentication nasi
aaa authentication password-prompt
aaa authentication ppp
aaa authentication username-prompt
aaa new-model
aaa processes
access-profile
arap authentication
clear ip trigger-authentication
ip trigger-authentication (global configuration)
ip trigger-authentication (interface configuration)
login authentication
login tacacs
nasi authentication
ppp authentication
ppp chap hostname
ppp chap password
ppp chap refuse
ppp chap wait
ppp pap sent-username
ppp use-tacacs
show ip trigger-authentication
show ppp queues
timeout login response
Authentication Commands
This chapter describes the commands used to configure both AAA and non-AAA authentication methods. Authentication identifies users before they are allowed access to the network and network services. Basically, the Cisco IOS software implementation of authentication is divided into two main categories:
• AAA Authentication Methods
• Non-AAA Authentication Methods
Authentication, for the most part, is implemented through the AAA security services. We recommend that, whenever possible, AAA be used to implement authentication.
For information on how to configure authentication using either AAA or non-AAA methods, refer to the "Configuring Authentication" chapter in the Security Configuration Guide. For configuration examples using the commands in this chapter, refer to the "Authentication Examples" section located at the end of the "Configuring Authentication" chapter in the Security Configuration Guide.
aaa authentication arap
To enable an AAA authentication method for AppleTalk Remote Access (ARA) using TACACS+, use the aaa authentication arap global configuration command. Use the no form of this command to disable this authentication.
aaa authentication arap {default | list-name} method1 [method2...]
no aaa authentication arap {default | list-name} method1 [method2...]
Syntax Description
default | Uses the listed methods that follow this argument as the default list of methods when a user logs in.
list-name | Character string used to name the following list of authentication methods tried when a user logs in.
method | One of the keywords described in Table 393.
Defaults
If the default list is not set, only the local user database is checked. This has the same effect as the following command:
aaa authentication arap default local
Command Modes
Global configuration
Command History
Release | Modification
10.3 | This command was introduced.
Usage Guidelines
The list names and default that you set with the aaa authentication arap command are used with the arap authentication command. Note that ARAP guest logins are disabled by default when you enable AAA. To allow guest logins, you must use either the guest or auth-guest method listed in Table 393. You can only use one of these methods; they are mutually exclusive.
Create a list by entering the aaa authentication arap list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries in the given sequence. See Table 393 for descriptions of method keywords.
To create a default list that is used if no list is specified in the arap authentication command, use the default keyword followed by the methods you want to be used in default situations.
The additional methods of authentication are used only if the previous method returns an error, not if it fails.
Use the more system:running-config command to view currently configured lists of authentication methods.
Table 393 aaa authentication arap Methods
Keyword | Description
guest | Allows guest logins. This method must be the first method listed, but it can be followed by other methods if it does not succeed.
auth-guest | Allows guest logins only if the user has already logged in to EXEC. This method must be the first method listed, but can be followed by other methods if it does not succeed.
line | Uses the line password for authentication.
local | Uses the local username database for authentication.
tacacs+ | Uses TACACS+ authentication.
Note
This command cannot be used with TACACS or extended TACACS.
Examples
The following example creates a list called MIS-access, which first tries TACACS+ authentication and then none:
aaa authentication arap MIS-access tacacs+ none
The following example creates the same list, but sets it as the default list that is used for all ARA protocol authentications if no other list is specified:
aaa authentication arap default tacacs+ none
Related Commands
Command | Description
aaa new-model | Enables the AAA access control model.
aaa authentication banner
To configure a personalized banner that will be displayed at user login, use the aaa authentication banner global configuration command. Use the no form of this command to remove the banner.
aaa authentication banner dstringd
no aaa authentication banner
Syntax Description
d | The delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
string | Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.
Defaults
Not enabled
Command Modes
Global configuration
Command History
Release | Modification
11.3(4)T | This command was introduced.
Usage Guidelines
Use the aaa authentication banner command to create a personalized message that appears when a user logs in to the system. This message or banner will replace the default message for user login.
To create a login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
Examples
The following example shows the default login message if aaa authentication banner is not configured. (RADIUS is specified as the default login authentication method.)
aaa authentication login default radius
This configuration produces the following standard output:
The following example configures a login banner (in this case, the phrase "Unauthorized use is prohibited.") that will be displayed when a user logs in to the system. In this case, the asterisk (*) symbol is used as the delimiter. (RADIUS is specified as the default login authentication method.)
aaa authentication banner *Unauthorized use is prohibited.*
aaa authentication login default radius
This configuration produces the following login banner:
Unauthorized use is prohibited.
Related Commands
aaa authentication enable default
To enable AAA authentication to determine if a user can access the privileged command level, use the aaa authentication enable default global configuration command. Use the no form of this command to disable this authorization method.
aaa authentication enable default method1 [method2...]
no aaa authentication enable default method1 [method2...]
Syntax Description
method | At least one of the keywords described in Table 394.
Defaults
If the default list is not set, only the enable password is checked. This has the same effect as the following command:
aaa authentication enable default enable
On the console, the enable password is used if it exists. If no password is set, the process will succeed anyway.
Command Modes
Global configuration
Command History
Release | Modification
10.3 | This command was introduced.
Usage Guidelines
Use the aaa authentication enable default command to create a series of authentication methods that are used to determine whether a user can access the privileged command level. Method keywords are described in Table 394. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.
All aaa authentication enable default requests sent by the router to a RADIUS server include the username "$enab15$." Requests sent to a TACACS+ server will include the username that is entered for login authentication.
If a default authentication routine is not set for a function, the default is none and no authentication is performed. Use the more system:running-config command to view currently configured lists of authentication methods.
Table 394 aaa authentication enable Default Methods
Keyword | Description
enable | Uses the enable password for authentication.
line | Uses the line password for authentication.
none | Uses no authentication.
tacacs+ | Uses TACACS+ authentication.
radius | Uses RADIUS authentication. Note: The RADIUS method does not work on a per-username basis.
Note
This command cannot be used with TACACS or extended TACACS.
Examples
The following example creates an authentication list that first tries to contact a TACACS+ server. If no server can be found, AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.
aaa authentication enable default tacacs+ enable none
Related Commands
Command | Description
aaa authorization | Sets parameters that restrict network access to a user.
aaa new-model | Enables the AAA access control model.
enable password | Sets a local password to control access to various privilege levels.
aaa authentication fail-message
To configure a personalized banner that will be displayed when a user fails login, use the aaa authentication fail-message global configuration command. Use the no form of this command to remove the failed login message.
aaa authentication fail-message dstringd
no aaa authentication fail-message
Syntax Description
d | The delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
string | Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.
Defaults
Not enabled
Command Modes
Global configuration
Command History
Release | Modification
11.3(4)T | This command was introduced.
Usage Guidelines
Use the aaa authentication fail-message command to create a personalized message that appears when a user fails login. This message will replace the default message for failed login.
To create a failed-login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
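The delimiter rule above is the same for aaa authentication banner and aaa authentication fail-message. The following Python, added here as an illustrative example and not Cisco code, parses a dstringd argument back into its text and generates configuration lines with a delimiter that is guaranteed not to appear in the banner; the candidate delimiter set and the rejection of trailing characters are assumptions of this example.

```python
"""Parse and generate the delimited argument (dstringd) of
aaa authentication banner and aaa authentication fail-message.
Added as an illustrative example; this is not Cisco code."""

MAX_BANNER_CHARS = 2996  # limit stated in the Syntax Description


def parse_delimited_banner(arg):
    """Extract the banner text from a 'dstringd' argument.

    The first character is the delimiter d and the text runs up to the next
    occurrence of d. Because the text may not contain d, the first match is
    the end. Raises ValueError for a missing or unclosed delimiter, for
    trailing characters after the closing delimiter (treated as an error
    here by assumption), and for text over the documented maximum length.
    """
    if not arg:
        raise ValueError("argument is empty: expected dstringd")
    delim = arg[0]
    end = arg.find(delim, 1)
    if end == -1:
        raise ValueError(f"closing delimiter {delim!r} not found")
    text = arg[1:end]
    if arg[end + 1:]:
        raise ValueError("unexpected characters after the closing delimiter")
    if len(text) > MAX_BANNER_CHARS:
        raise ValueError(f"banner is {len(text)} characters; maximum is {MAX_BANNER_CHARS}")
    return text


def choose_delimiter(text, candidates="*#%^~"):
    """Return the first candidate character that does not occur in the text.

    Any extended-ASCII character may serve as delimiter, but once chosen it
    cannot appear inside the banner, so a banner containing '*' needs a
    different one. The candidate set is an assumption of this example.
    """
    for ch in candidates:
        if ch not in text:
            return ch
    raise ValueError("no candidate delimiter is absent from the banner text")


def banner_config_lines(login_banner, fail_message=None):
    """Emit global-configuration lines for a login banner and, optionally,
    a failed-login message, each wrapped in a delimiter safe for its text."""
    lines = []
    for keyword, text in (("banner", login_banner), ("fail-message", fail_message)):
        if text is None:
            continue
        if len(text) > MAX_BANNER_CHARS:
            raise ValueError(f"{keyword} text exceeds {MAX_BANNER_CHARS} characters")
        d = choose_delimiter(text)
        lines.append(f"aaa authentication {keyword} {d}{text}{d}")
    return lines


if __name__ == "__main__":
    # Round trip: generate the lines from the page's example texts, then
    # strip the 'aaa authentication <keyword> ' prefix and parse them back.
    for line in banner_config_lines("Unauthorized use is prohibited.",
                                    "Failed login. Try again."):
        print(line)
        print("  ->", parse_delimited_banner(line.split(" ", 3)[3]))
```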
Examples
The following example shows the default login message and failed login message that is displayed if aaa authentication banner and aaa authentication fail-message are not configured. (RADIUS is specified as the default login authentication method.)
aaa authentication login default radius
This configuration produces the following standard output:
The following example configures both a login banner ("Unauthorized use is prohibited.") and a login-fail message ("Failed login. Try again."). The login message will be displayed when a user logs in to the system. The failed-login message will be displayed when a user tries to log in to the system and fails. (RADIUS is specified as the default login authentication method.) In this example, the asterisk (*) is used as the delimiting character.
aaa authentication banner *Unauthorized use is prohibited.*
aaa authentication fail-message *Failed login. Try again.*
aaa authentication login default radius
This configuration produces the following login and failed login banner:
Unauthorized use is prohibited.
Related Commands
aaa authentication login
To set AAA authentication at login, use the aaa authentication login global configuration command. Use the no form of this command to disable AAA authentication.
aaa authentication login {default | list-name} method1 [method2...]
no aaa authentication login {default | list-name} method1 [method2...]
Syntax Description
default | Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
list-name | Character string used to name the list of authentication methods activated when a user logs in.
method | At least one of the keywords described in Table 395.
Defaults
If the default list is not set, only the local user database is checked. This has the same effect as the following command:
aaa authentication login default local
Note
On the console, login will succeed without any authentication checks if default is not set.
Command Modes
Global configuration
Command History
Release | Modification
10.3 | This command was introduced.
Usage Guidelines
The default and optional list names that you create with the aaa authentication login command are used with the login authentication command.
Create a list by entering the aaa authentication login list-name method command for a particular protocol, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence. Method keywords are described in Table 395.
To create a default list that is used if no list is assigned to a line, use the login authentication command with the default argument followed by the methods you want to use in default situations.
The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.
If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods.
Table 395 aaa authentication login Methods
Keyword | Description
enable | Uses the enable password for authentication.
krb5 | Uses Kerberos 5 for authentication.
line | Uses the line password for authentication.
local | Uses the local username database for authentication.
none | Uses no authentication.
radius | Uses RADIUS authentication.
tacacs+ | Uses TACACS+ authentication.
krb5-telnet | Uses Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router.
Note
This command cannot be used with TACACS or extended TACACS.
Examples
The following example creates an AAA authentication list called MIS-access. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.
aaa authentication login MIS-access tacacs+ enable none
The following example creates the same list, but it sets it as the default list that is used for all login authentications if no other list is specified:
aaa authentication login default tacacs+ enable none
The following example sets authentication at login to use the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router:
aaa authentication login default KRB5-TELNET krb5
Related Commands
Command | Description
aaa new-model | Enables the AAA access control model.
login authentication | Enables AAA authentication for logins.
aaa authentication nasi
To specify AAA authentication for NetWare Asynchronous Services Interface (NASI) clients connecting through the access server, use the aaa authentication nasi global configuration command. Use the no form of this command to disable authentication for NASI clients.
aaa authentication nasi {default | list-name} method1 [method2...]
no aaa authentication nasi {default | list-name} method1 [method2...]
Syntax Description
default | Makes the listed authentication methods that follow this argument the default list of methods used when a user logs in.
list-name | Character string used to name the list of authentication methods activated when a user logs in.
method1 [method2...] | At least one of the methods described in Table 396.
Defaults
If the default list is not set, only the local user database is selected. This has the same effect as the following command:
aaa authentication nasi default local
Command Modes
Global configuration
Command History
Release | Modification
11.1 | This command was introduced.
Usage Guidelines
The default and optional list names that you create with the aaa authentication nasi command are used with the nasi authentication command.
Create a list by entering the aaa authentication nasi command, where list-name is any character string that names the list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries in the given sequence. Method keywords are described in Table 396.
To create a default list that is used if no list is assigned to a line with the nasi authentication command, use the default argument followed by the methods that you want to use in default situations.
The remaining methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.
If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods.
Table 396 aaa authentication nasi Methods
Keyword | Description
enable | Uses the enable password for authentication.
line | Uses the line password for authentication.
local | Uses the local username database for authentication.
none | Uses no authentication.
tacacs+ | Uses TACACS+ authentication.
Note
This command cannot be used with TACACS or extended TACACS.
Examples
The following example creates an AAA authentication list called list1. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.
aaa authentication nasi list1 tacacs+ enable none
The following example creates the same list, but sets it as the default list that is used for all login authentications if no other list is specified:
aaa authentication nasi default tacacs+ enable none
Related Commands
Command | Description
ipx nasi-server enable | Enables NASI clients to connect to asynchronous devices attached to a router.
ip trigger-authentication (global configuration) | Enables the automated part of double authentication at a device.
nasi authentication | Enables AAA authentication for NASI clients connecting to a router.
show ipx nasi connections | Displays the status of NASI connections.
show ipx spx-protocol | Displays the status of the SPX protocol stack and related counters.
aaa authentication password-prompt
To change the text displayed when users are prompted for a password, use the aaa authentication password-prompt global configuration command. Use the no form of this command to return to the default password prompt text.
aaa authentication password-prompt text-string
no aaa authentication password-prompt text-string
Syntax Description
text-string | String of text that will be displayed when the user is prompted to enter a password. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your password:").
Defaults
There is no user-defined text-string, and the password prompt appears as "Password."
Command Modes
Global configuration
Command History
Release | Modification
11.0 | This command was introduced.
Usage Guidelines
Use the aaa authentication password-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a password. This command changes the password prompt for the enable password as well as for login passwords that are not supplied by remote security servers. The no form of this command returns the password prompt to the default value.
The aaa authentication password-prompt command does not change any dialog that is supplied by a remote TACACS+ server.
The aaa authentication password-prompt command works when using RADIUS as the login method. You will be able to see the password prompt defined in the command shown even when the RADIUS server is unreachable. The aaa authentication password-prompt command does not work with TACACS+. TACACS+ supplies the NAS the password prompt to display to the users. If the TACACS+ server is reachable, the NAS gets the password prompt from the server and uses that prompt instead of the one defined in the aaa authentication password-prompt command. If the TACACS+ server is not reachable, the password prompt defined in the aaa authentication password-prompt command may be used.
Examples
The following example changes the text for the password prompt:
aaa authentication password-prompt "Enter your password now:"
Related Commands
Command | Description
aaa authentication username-prompt | Changes the text displayed when users are prompted to enter a username.
aaa new-model | Enables the AAA access control model.
enable password | Sets a local password to control access to various privilege levels.
aaa authentication ppp
To specify one or more AAA authentication methods for use on serial interfaces running Point-to-Point Protocol (PPP), use the aaa authentication ppp global configuration command. Use the no form of this command to disable authentication.
aaa authentication ppp {default | list-name} method1 [method2...]
no aaa authentication ppp {default | list-name} method1 [method2...]
Syntax Description
default | Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
list-name | Character string used to name the list of authentication methods tried when a user logs in.
method1 [method2...] | At least one of the keywords described in Table 397.
Defaults
If the default list is not set, only the local user database is checked. This has the same effect as the following command:
aaa authentication ppp default local
Command Modes
Global configuration
Command History
Release | Modification
10.3 | This command was introduced.
Usage Guidelines
The lists that you create with the aaa authentication ppp command are used with the ppp authentication command. These lists contain up to four authentication methods that are used when a user tries to log in to the serial interface.
Create a list by entering the aaa authentication ppp list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries in the given sequence. You can enter up to four methods. Method keywords are described in Table 397.
The additional methods of authentication are only used if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authentication succeed even if all methods return an error.
If authentication is not specifically set for a function, the default is none and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods.
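The error-versus-failure rule is stated identically for the arap, enable, login, nasi and ppp method lists above, and it is the property that decides whether a trailing none is a safe fallback or an unauthenticated path. The following Python, added here as an illustrative example and not Cisco code, models that walk for one attempt and audits the lists in a constructed running-config; the PASS/FAIL/ERROR outcome mapping and the sample config are assumptions of this example.

```python
"""Model of how a Cisco IOS AAA authentication method list is walked,
plus a small audit over running-config text. Added as an illustrative
example; this is not Cisco code. The rule modelled: the next method is
consulted only when the previous one returns an ERROR (server
unreachable, password not configured), never when it FAILs (credentials
rejected), and a trailing 'none' admits the user once every earlier
method has errored."""
import re

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Matches the five list-based commands on this page; for 'enable' the
# list name is always 'default'.
_AAA_LINE = re.compile(
    r"^aaa authentication (?P<svc>arap|enable|login|nasi|ppp)\s+"
    r"(?P<name>\S+)\s+(?P<methods>\S+(?:\s+\S+)*)\s*$"
)

# Constructed sample running-config for demonstration only.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login MIS-access tacacs+ enable none
aaa authentication login default tacacs+ local
aaa authentication enable default tacacs+ enable none
aaa authentication ppp dialins radius local
aaa authentication arap MIS-access tacacs+ none
"""


def parse_method_lists(config_text):
    """Return {(service, list_name): [method, ...]} for every list in the config."""
    lists = {}
    for raw in config_text.splitlines():
        m = _AAA_LINE.match(raw.strip())
        if m:
            lists[(m["svc"], m["name"])] = m["methods"].split()
    return lists


def evaluate(methods, outcomes):
    """Walk a method list for one authentication attempt.

    outcomes maps a method keyword to PASS, FAIL or ERROR for this attempt;
    a method absent from the mapping is treated as ERROR (for example an
    unreachable server). 'none' always admits the user.
    Returns (admitted, deciding_method); deciding_method is None when the
    list was exhausted with every method erroring and no 'none' present.
    """
    for method in methods:
        if method == "none":
            return True, "none"
        result = outcomes.get(method, ERROR)
        if result == PASS:
            return True, method
        if result == FAIL:
            return False, method  # a FAIL ends the walk; no fallback to later methods
        # ERROR: fall through to the next method
    return False, None


def audit(lists):
    """Flag lists whose error-fallback behaviour grants unauthenticated access."""
    findings = []
    for (svc, name), methods in sorted(lists.items()):
        if methods == ["none"]:
            findings.append((svc, name, "performs no authentication at all"))
        elif methods[-1] == "none":
            findings.append((svc, name,
                             "ends in 'none': if every earlier method errors "
                             "(servers unreachable, no enable/local password set) "
                             "the user is admitted without authentication"))
    return findings


if __name__ == "__main__":
    lists = parse_method_lists(SAMPLE_CONFIG)
    mis = lists[("login", "MIS-access")]
    # All TACACS+ servers down and no enable password set: 'none' admits the user.
    print(evaluate(mis, {"tacacs+": ERROR, "enable": ERROR}))
    # Server reachable and it rejects the credentials: no fallback happens.
    print(evaluate(mis, {"tacacs+": FAIL}))
    for svc, name, msg in audit(lists):
        print(f"{svc} {name}: {msg}")
```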
Table 397 aaa authentication ppp Methods
Keyword | Description
if-needed | Does not authenticate if user has already been authenticated on a TTY line.
krb5 | Uses Kerberos 5 for authentication (can only be used for PAP authentication).
local | Uses the local username database for authentication.
none | Uses no authentication.
radius | Uses RADIUS authentication.
tacacs+ | Uses TACACS+ authentication.
Note
This command cannot be used with TACACS or extended TACACS.
Examples
The following example creates an AAA authentication list called MIS-access for serial lines that use PPP. This authentication first tries to contact a TACACS+ server. If this action returns an error, the user is allowed access with no authentication.
aaa authentication ppp MIS-access tacacs+ none
Related Commands
Command | Description
aaa new-model | Enables the AAA access control model.
ppp authentication | Enables CHAP or PAP or both and specifies the order in which CHAP and PAP authentication are selected on the interface.
aaa authentication username-prompt
To change the text displayed when users are prompted to enter a username, use the aaa authentication username-prompt global configuration command. Use the no form of this command to return to the default username prompt text.
aaa authentication username-prompt text-string
no aaa authentication username-prompt text-string
Syntax Description
text-string | String of text that will be displayed when the user is prompted to enter a username. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your name:").
Defaults
There is no user-defined text-string, and the username prompt appears as "Username."
Command Modes
Global configuration
Command History
Release | Modification
11.0 | This command was introduced.
Usage Guidelines
Use the aaa authentication username-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a username. The no form of this command returns the username prompt to the default value.
Some protocols (for example, TACACS+) have the ability to override the use of local username prompt information. Using the aaa authentication username-prompt command will not change the username prompt text in these instances.
Note
The aaa authentication username-prompt command does not change any dialog that is supplied by a remote TACACS+ server.
Examples
The following example changes the text for the username prompt:
aaa authentication username-prompt "Enter your name here:"
Related Commands
Command | Description
aaa authentication password-prompt | Changes the text displayed when users are prompted for a password.
aaa new-model | Enables the AAA access control model.
enable password | Sets a local password to control access to various privilege levels.
aaa new-model
To enable the AAA access control model, issue the aaa new-model global configuration command. Use the no form of this command to disable the AAA access control model.
aaa new-model
no aaa new-model
Syntax Description
This command has no arguments or keywords.
Defaults
AAA is not enabled.
Command Modes
Global configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
This command enables the AAA access control system. After you have enabled AAA, TACACS and extended TACACS commands are no longer available. If you initialize AAA functionality and later decide to use TACACS or extended TACACS, issue the no version of this command, and then enable the version of TACACS that you want to use.
Examples
The following example initializes AAA:
aaa new-model
Related Commands
Command | Description
aaa accounting | Enables AAA accounting of requested services for billing or security purposes.
aaa authentication arap | Enables an AAA authentication method for ARA using TACACS+.
aaa authentication enable default | Enables AAA authentication to determine if a user can access the privileged command level.
aaa authentication login | Sets AAA authentication at login.
aaa authentication ppp | Specifies one or more AAA authentication methods for use on serial interfaces running PPP.
aaa authorization | Sets parameters that restrict network access to a user.
aaa processes
To allocate a specific number of background processes to be used to process AAA authentication and authorization requests for PPP, use the aaa processes global configuration command. Use the no form of this command to restore the default value for this command.
aaa processes number
no aaa processes number
Syntax Description
number | Specifies the number of background processes allocated for AAA requests for PPP. Valid entries are 1 to 2147483647.
Defaults
The default for this command is one allocated background process.
Command Modes
Global configuration
Command History
Release | Modification
11.3(2)AA | This command was introduced.
Usage Guidelines
Use the aaa processes command to allocate a specific number of background processes to simultaneously handle multiple AAA authentication and authorization requests for PPP. Previously, only one background process handled all AAA requests for PPP, so only one new user could be authenticated or authorized at a time. This command configures the number of processes used to handle AAA requests for PPP, increasing the number of users that can be simultaneously authenticated or authorized.
The argument number defines the number of background processes earmarked to process AAA authentication and authorization requests for PPP. This argument also defines the number of new users that can be simultaneously authenticated and can be increased or decreased at any time.
Examples
This example shows the aaa processes command within a standard AAA configuration. The authentication method list "dialins" specifies RADIUS as the method of authentication, then (if the RADIUS server does not respond) local authentication will be used on serial lines using PPP. Ten background processes have been allocated to handle AAA requests for PPP.
aaa authentication ppp dialins radius local
aaa processes 10
ppp authentication pap dialins
Related Commands
Command | Description
show ppp queues | Monitors the number of requests processed by each AAA background process.
access-profile
To apply your per-user authorization attributes to an interface during a PPP session, use the access-profile privileged EXEC command. Use the default form of the command (no keywords) to cause existing access control lists (ACLs) to be removed, and ACLs defined in your per-user configuration to be installed.
access-profile [merge | replace] [ignore-sanity-checks]
Syntax Description
merge | (Optional) Like the default form of the command, this option removes existing ACLs while retaining other existing authorization attributes for the interface. However, using this option also installs per-user authorization attributes in addition to the existing attributes. (The default form of the command installs only new ACLs.) The per-user authorization attributes come from all AV pairs defined in the AAA per-user configuration (the user's authorization profile). The interface's resulting authorization attributes are a combination of the previous and new configurations.
replace | (Optional) This option removes existing ACLs and all other existing authorization attributes for the interface. A complete new authorization configuration is then installed, using all AV pairs defined in the AAA per-user configuration. This option is not normally recommended because it initially deletes all existing configuration, including static routes. This could be detrimental if the new user profile does not reinstall appropriate static routes and other critical information.
ignore-sanity-checks | (Optional) Enables you to use any AV pairs, whether or not they are valid.
Command Modes
User EXEC
Command History
Release | Modification
11.2 F | This command was introduced.
Usage Guidelines
Remote users can use this command to activate Double Authentication for a PPP session. Double Authentication must be correctly configured for this command to have the desired effect.
You should use this command when remote users establish a PPP link to gain local network access.
After you have been authenticated with CHAP (or PAP), you will have limited authorization. To activate Double Authentication and gain your appropriate user network authorization, you must Telnet to the network access server and execute the access-profile command. (This command could also be set up as an autocommand, which would eliminate the need to manually enter the command.)
This command causes all subsequent network authorizations to be made in your username, instead of in the remote host's username.
Any changes to the interface caused by this command will stay in effect for as long as the interface stays up. These changes will be removed when the interface goes down. This command does not affect the normal operation of the router or the interface.
The default form of the command, access-profile, causes existing ACLs to be unconfigured (removed), and new ACLs to be installed. The new ACLs come from your per-user configuration on an AAA server (such as a TACACS+ server). The ACL replacement constitutes a reauthorization of your network privileges.
The default form of the command can fail if your per-user configuration contains statements other than ACL AV pairs. Any protocols with non-ACL statements will be deconfigured, and no traffic for that protocol can pass over the PPP link.
The access-profile merge form of the command causes existing ACLs to be unconfigured (removed) and new authorization information (including new ACLs) to be added to the interface. This new authorization information consists of your complete per-user configuration on an AAA server. If any of the new authorization statements conflict with existing statements, the new statements could "override" the old statements or be ignored, depending on the statement and applicable parser rules. The resulting interface configuration is a combination of the original configuration and the newly installed per-user configuration.
Caution: The new user authorization profile (per-user configuration) must not contain any invalid mandatory AV pairs; otherwise the command will fail and the PPP protocol (containing the invalid pair) will be dropped. If invalid AV pairs are included as optional in the user profile, the command will succeed, but the invalid AV pair will be ignored. Invalid AV pair types are listed later in this section.
The access-profile replace form of the command causes the entire existing authorization configuration to be removed from the interface, and the complete per-user authorization configuration to be added. This per-user authorization consists of your complete per-user configuration on an AAA server.
Caution: Use extreme caution when using the access-profile replace form of the command. It might have detrimental and unexpected results, because this option deletes all authorization configuration information (including static routes) before reinstalling the new authorization configuration.
Invalid AV pair types
• addr
• addr-pool
• zonelist
• tunnel-id
• ip-addresses
• x25-addresses
• frame-relay
• source-ip
Note: These AV pair types are only "invalid" when used with Double Authentication, in the user-specific authorization profile, where they cause the access-profile command to fail. However, these AV pair types can be appropriate when used in other contexts.
Examples
This example activates Double Authentication for a remote user. This example assumes that the access-profile command was not configured as an autocommand.
The remote user connects to the corporate headquarters network per Figure 2.
Figure 2 Network Topology for Activating Double Authentication (Example)
The remote user runs a terminal emulation application to Telnet to the corporate network access server, an AS5200 local host named "hqnas." The remote user, named Bob, has the username "BobUser."
This example replaces ACLs on the local host PPP interface. The ACLs previously applied to the interface during PPP authorization are replaced with ACLs defined in the per-user configuration AV pairs.
The remote user Telnets to the local host and logs in:
Bob is reauthenticated when he logs in to hqnas, because hqnas is configured for login AAA authentication using the corporate RADIUS server. When Bob enters the access-profile command, he is reauthorized with his per-user configuration privileges. This causes the access lists and filters in his per-user configuration to be applied to the network access server interface.
After the reauthorization is complete, Bob is automatically logged out of the AS5200 local host.
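The network access server configuration that the procedure above depends on, shown here as an added illustration that is not part of this command reference: a PPP method list for the first (CHAP) authentication, a login method list that the Telnet session uses for the second authentication against the RADIUS server, network and EXEC authorization so that the per-user AV pairs are fetched from that server, and access-profile set up as an autocommand on the vty lines so the user does not have to type it. The RADIUS server address and key, the method-list names "dialins" and "hq-login", and the Async1 interface are constructed placeholders.

```cisco
! Added example, not from the command reference. Addresses, keys,
! list names and the interface are constructed placeholders.
aaa new-model
! First authentication: PPP CHAP against RADIUS, falling back to the
! local user database if the RADIUS server does not respond.
aaa authentication ppp dialins if-needed radius local
! Second authentication: the Telnet login that Double Authentication uses.
aaa authentication login hq-login radius local
! Per-user authorization attributes (including the ACL AV pairs that
! access-profile installs) come from the same RADIUS server.
aaa authorization network default radius local
aaa authorization exec default radius local
radius-server host 192.0.2.10
radius-server key PLACEHOLDER-SHARED-SECRET
!
interface Async1
 ppp authentication chap dialins
 ppp authorization default
!
line vty 0 4
 login authentication hq-login
 ! Run access-profile automatically after the Telnet login so the user is
 ! reauthorized with the per-user profile and then logged out, as in the
 ! example above.
 autocommand access-profile
```

If the per-user profile carries authorization attributes other than ACLs, the autocommand should be access-profile merge rather than the default form, which the Usage Guidelines note can fail on non-ACL statements; the replace form is best left out of an autocommand for the reason given in the Caution, since it removes static routes and every other authorization attribute before reinstalling the profile.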
Related Commands
Command | Description
connect | Logs in to a host that supports Telnet, rlogin, or LAT.
telnet | Logs in to a host that supports Telnet.
arap authentication
To enable AAA authentication for ARA on a line, use the arap authentication line configuration command. Use the no form of the command to disable authentication for an ARA line.
arap authentication {default | list-name} [one-time]
no arap authentication {default | list-name}
Caution: If you use a list-name value that was not configured with the aaa authentication arap command, ARA protocol will be disabled on this line.
Syntax Description
default | Default list created with the aaa authentication arap command.
list-name | Indicated list created with the aaa authentication arap command.
one-time | (Optional) Accepts the username and password in the username field.
Defaults
ARA protocol authentication uses the default set with aaa authentication arap command. If no default is set, the local user database is checked.
Command Modes
Line configuration
Command History
Release | Modification
10.3 | This command was introduced.
11.0 | The one-time keyword was added.
Usage Guidelines
This command is a per-line command that specifies the name of a list of AAA authentication methods to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line). You create defaults and lists with the aaa authentication arap command. Entering the no version of arap authentication has the same effect as entering the command with the default keyword.
Before issuing this command, create a list of authentication processes by using the aaa authentication arap global configuration command.
Examples
The following example specifies that the TACACS+ authentication list called MIS-access is used on ARA line 7:
line 7
arap authentication MIS-access
Related Commands
clear ip trigger-authentication
To clear the list of remote hosts for which automated double authentication has been attempted, use the clear ip trigger-authentication privileged EXEC configuration command.
clear ip trigger-authentication
Syntax Description
This command has no arguments or keywords.
Defaults
Table entries are cleared after a timeout if you do not clear them manually with this command.
Command Modes
Privileged EXEC
Command History
Release | Modification
11.3 T | This command was introduced.
Usage Guidelines
Use this command when troubleshooting automated double authentication. This command clears the entries in the list of remote hosts displayed by the show ip trigger-authentication command.
Examples
The following example clears the remote host table:
router# show ip trigger-authentication
Trigger-authentication Host Table:
172.21.127.114 2940514234
router# clear ip trigger-authentication
router# show ip trigger-authentication
Related Commands
ip trigger-authentication (global configurati