Configuring Authentication

Authentication provides a method to identify users, which includes the login and password dialog, challenge and response, messaging support, and encryption, depending on the selected security protocol. Authentication is the way a user is identified prior to being allowed access to the network and network services.

Prerequisites for Configuring Authentication

The implementation of authentication is divided into Authentication, Authorization, and Accounting (AAA) authentication methods and non-AAA authentication methods. Cisco recommends that, whenever possible, AAA security services be used to implement authentication.

Restrictions for Configuring Authentication

  • The number of AAA method lists that can be configured is 250.

  • If you configure the same RADIUS server IP address for a different UDP destination port for accounting requests by using the acct-port keyword and a UDP destination port for authentication requests by using the auth-port keyword with and without the nonstandard option, the RADIUS server does not accept the nonstandard option.

Information About Authentication

Named Method Lists for Authentication

A named list of authentication methods is first defined before AAA authentication can be configured, and the named list is then applied to various interfaces. The method list defines the types of authentication and the sequence in which they are performed; it must be applied to a specific interface before any of the defined authentication methods are performed. The only exception is the default method list (which is named “default”). The default method list is automatically applied to all interfaces, except those that have a named method list explicitly defined. A defined method list overrides the default method list.

A method list is a sequential list describing the authentication methods to be queried to authenticate a user. Method lists enable you to designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. Cisco software uses the first listed method to authenticate users. If that method fails to respond, the Cisco software selects the next authentication method listed in the method list. This process continues until there is successful communication with a listed authentication method, or all methods defined in the method list are exhausted.

Note that the software attempts authentication with the next listed authentication method only when there is no response from the previous method. If authentication fails at any point in this cycle, that is, the security server or local username database responds by denying the user access, then the authentication process stops and no other authentication methods are attempted.

Method Lists and Server Groups

A server group is a way to group existing RADIUS or TACACS+ server hosts for use in method lists. The figure below shows a typical AAA network configuration that includes four security servers: R1 and R2 are RADIUS servers and T1 and T2 are TACACS+ servers. R1 and R2 make up the group of RADIUS servers. T1 and T2 make up the group of TACACS+ servers.

Figure 1. Configuration of a Typical AAA Network

Using server groups, you can specify a subset of the configured server hosts and use them for a particular service. For example, server groups allow you to define R1 and R2 as a server group, and define T1 and T2 as a separate server group.

Server groups also can include multiple host entries for the same server, as long as each entry has a unique identifier. The combination of an IP address and a UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. In other words, this unique identifier enables RADIUS requests to be sent to different UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service (for example, accounting), the second host entry configured acts as a failover backup to the first one. In this example, if the first host entry fails to provide accounting services, the network access server tries the second host entry configured on the same device for accounting services. (The RADIUS host entries are tried in the order in which they are configured.)

For more information about configuring server groups and about configuring server groups based on Dialed Number Identification Service (DNIS) numbers, see the “Configuring RADIUS” or “Configuring TACACS+” chapters.

Login Authentication Using AAA

Login Authentication Using Enable Password

Use the aaa authentication login command with the enable keyword to specify the enable password as the login authentication method. For example, to specify the enable password as the method of user authentication at login when no other method list has been defined, enter the following command:

Device(config)# aaa authentication login default enable

Before you can use the enable password as the login authentication method, you need to define the enable password. For more information about defining enable passwords, see chapter “Controlling Switch Access with Passwords and Privilege Levels.”

Login Authentication Using Line Password

Use the aaa authentication login default command with the line keyword to specify the line password as the login authentication method. For example, to specify the line password as the method of user authentication at login when no other method list has been defined, enter the following command:

Device(config)# aaa authentication login default line

Before you can use a line password as the login authentication method, you need to define a line password.

Login Authentication Using Local Password

Use the aaa authentication login default command with the local keyword to specify that the Cisco device will use the local username database for authentication. For example, to specify the local username database as the method of user authentication at login when no other method list has been defined, enter the following command:

Device(config)# aaa authentication login default local

Login Authentication Using Group RADIUS

Use the aaa authentication login default command with the group radius keywords to specify RADIUS as the login authentication method. For example, to specify RADIUS as the method of user authentication at login when no other method list has been defined, enter the following command:

Device(config)# aaa authentication login default group radius

Before you can use RADIUS as the login authentication method, you need to enable communication with the RADIUS security server. For more information about establishing communication with a RADIUS server, refer to the chapter “Configuring RADIUS.”

RADIUS Attribute 8 in Access Requests

After you have used the aaa authentication login command to specify RADIUS and your login host has been configured to request its IP address from the NAS, you can send attribute 8 (Framed-IP-Address) in access-request packets by using the radius-server attribute 8 include-in-access-req command in global configuration mode. This command makes it possible for the NAS to give the RADIUS server a hint of the user IP address in advance for user authentication.

Login Authentication Using Group TACACS

Use the aaa authentication login default command with the group tacacs+ keywords to specify TACACS+ as the login authentication method. For example, to specify TACACS+ as the method of user authentication at login when no other method list has been defined, enter the following command:

Device(config)# aaa authentication login default group tacacs+

Before you can use TACACS+ as the login authentication method, you need to enable communication with the TACACS+ security server. For more information about establishing communication with a TACACS+ server, refer to the chapter “Configuring TACACS+.”

Login Authentication Using Group Name

Use the aaa authentication login default command with the group group-name method to specify a subset of RADIUS or TACACS+ servers to use as the login authentication method. To specify and define the group name and the members of the group, use the aaa group server command. For example, use the aaa group server command to first define the members of group loginrad:

Device> enable
Device# configure terminal
Device(config)# aaa group server radius loginrad
Device(config-sg-radius)# server 172.16.2.3
Device(config-sg-radius)# server 172.16.2.17
Device(config-sg-radius)# server 172.16.2.32
Device(config-sg-radius)# end

This command specifies RADIUS servers 172.16.2.3, 172.16.2.17, and 172.16.2.32 as members of the group loginrad.

To specify group loginrad as the method of user authentication at login when no other method list has been defined, enter the following command:

Device(config)# aaa authentication login default group loginrad

Before you can use a group name as the login authentication method, you need to enable communication with the RADIUS or TACACS+ security server. For more information about establishing communication with a RADIUS server, refer to the chapter “Configuring RADIUS.” For more information about establishing communication with a TACACS+ server, refer to the chapter “Configuring TACACS+.”

Specifying the Amount of Time for Login Input

The timeout login response command allows you to specify how long the system will wait for login input (such as username and password) before timing out. The default login value is 30 seconds; with the timeout login response command, you can specify a timeout value from 1 to 300 seconds. To change the login timeout value from the default of 30 seconds, use the following command in line configuration mode:

Device(config-line)# timeout login response 30

Password Protection at the Privileged Level

Use the aaa authentication enable default command to create a series of authentication methods that are used to determine whether a user can access the privileged EXEC command level. You can specify up to four authentication methods. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.

Use the following command in global configuration mode:

Device(config)# aaa authentication enable default group radius

or

Device(config)# aaa authentication enable default group tacacs+

Changing the Text Displayed at the Password Prompt

Use the aaa authentication password-prompt command to change the default text that the Cisco IOS XE software displays when prompting a user to enter a password. This command changes the password prompt for the enable password as well as for login passwords that are not supplied by remote security servers. The no form of this command returns the password prompt to the following default value:

Password:

The aaa authentication password-prompt command does not change any dialog that is supplied by a remote TACACS+ or RADIUS server.

The aaa authentication password-prompt command works when RADIUS is used as the login method. You will be able to see the password prompt defined in the command shown even when the RADIUS server is unreachable. The aaa authentication password-prompt command does not work with TACACS+. TACACS+ supplies the NAS with the password prompt to display to the users. If the TACACS+ server is reachable, the NAS gets the password prompt from the server and uses that prompt instead of the one defined in the aaa authentication password-prompt command. If the TACACS+ server is not reachable, the password prompt defined in the aaa authentication password-prompt command may be used.

Use the following command in global configuration mode:

Device(config)# aaa authentication password-prompt "Enter your password now:"

Domain Stripping

The AAA Broadcast Accounting feature allows accounting information to be sent to multiple AAA servers at the same time, that is, accounting information can be broadcast to one or more AAA servers simultaneously. This functionality allows you to send accounting information to private and public AAA servers. It also provides redundant billing information for voice applications.

The Domain Stripping feature allows domain stripping to be configured at the server group level.

Per-server group configuration overrides the global configuration. If domain stripping is not enabled globally, but it is enabled in a server group, then it is enabled only for that server group. Also, if virtual routing and forwarding (VRF)-specific domain stripping is configured globally and in a server group for a different VRF, domain stripping is enabled in both the VRFs. VRF configurations are taken from server-group configuration mode. If server-group configurations are disabled in global configuration mode but are available in server-group configuration mode, all configurations in server-group configuration mode are applicable.

After the domain stripping and broadcast accounting are configured, you can create separate accounting records as per the configurations.

If both domain-stripping and directed-request commands are enabled, domain stripping takes precedence and directed request functionality will not work.

How to Configure Authentication

Configuring Login Authentication Using AAA

The AAA security services facilitate a variety of login authentication methods. Use the aaa authentication login command to enable AAA authentication no matter which of the supported login authentication methods you decide to use. With the aaa authentication login command, you create one or more lists of authentication methods that are tried at login. These lists are applied using the login authentication line configuration command.

To configure login authentication by using AAA, use the following commands beginning in global configuration mode:

Procedure


Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

aaa new-model

Example:

Device(config)# aaa new-model

Enables AAA.

Step 4

aaa authentication login {default | list-name } method1 [method2 ...]

Example:

Device(config)# aaa authentication login default local

Creates a local authentication list.

Step 5

line [aux | console | tty | vty ] line-number [ending-line-number ]

Example:

Device(config)# line vty 1

Enters line configuration mode for the lines to which you want to apply the authentication list.

Step 6

login authentication {default | list-name}

Example:

Device(config-line)# login authentication default

Applies the authentication list to a line or set of lines.

Step 7

end

Example:

Device(config-line)# end

Exits line configuration mode and returns to privileged EXEC mode.

What to do next

The list-name is a character string used to name the list you are creating. The method argument refers to the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.

For example, to specify that authentication should succeed even if (in this example) the TACACS+ server returns an error, enter the following command:

Device(config)# aaa authentication login default group tacacs+ none

Note

Because the none keyword enables any user logging in to successfully authenticate, it should be used only as a backup method of authentication.

To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.

For example, to specify RADIUS as the default method for user authentication during login, enter the following command:

Device(config)# aaa authentication login default group radius
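To make the error-versus-failure rule concrete, here is an added Python model of method-list evaluation (an illustration written for this page, not Cisco code); the backends, user tables and list names are constructed, and the three lists correspond to the commands shown in the comments.

```python
"""Model of IOS AAA method-list evaluation (an added illustration, not Cisco code).

A method answers PASS (accepted), FAIL (the server or local database denied
the user) or ERROR (no response, e.g. every server in the group timed out).
As the chapter states, IOS consults the next method only on ERROR; a FAIL
ends the list. The backends, user tables and list names are constructed.
"""
from typing import Callable, Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "pass", "fail", "error"

# A backend maps (username, password) to one of the three outcomes.
Backend = Callable[[str, str], str]


def local_db(users: Dict[str, str]) -> Backend:
    """The 'local' method: answers at once and never returns ERROR."""
    def check(user: str, pw: str) -> str:
        return PASS if users.get(user) == pw else FAIL
    return check


def server_group(reachable: bool, users: Dict[str, str]) -> Backend:
    """A 'group radius' / 'group tacacs+' method: ERROR while unreachable."""
    def check(user: str, pw: str) -> str:
        if not reachable:
            return ERROR          # no response, so IOS moves to the next method
        return PASS if users.get(user) == pw else FAIL
    return check


def none_method(user: str, pw: str) -> str:
    """The 'none' keyword: accepts anyone, which is why it belongs last, if at all."""
    return PASS


def authenticate(method_list: List[Tuple[str, Backend]],
                 user: str, pw: str) -> Tuple[str, Optional[str]]:
    """Walk the list as IOS does: stop on PASS or FAIL, continue only on ERROR.
    Returns (outcome, name of the method that decided), or (ERROR, None)
    when every method errored, in which case the login is rejected."""
    for name, backend in method_list:
        outcome = backend(user, pw)
        if outcome != ERROR:
            return outcome, name
    return ERROR, None


# Constructed sample data.
TACACS_USERS = {"alice": "correct-horse"}
LOCAL_USERS = {"admin": "local-pw"}

# 'aaa authentication login default group tacacs+ local', servers reachable
LIST_TACACS_LOCAL = [("group tacacs+", server_group(True, TACACS_USERS)),
                     ("local", local_db(LOCAL_USERS))]
# The same list while every TACACS+ server is unreachable
LIST_TACACS_DOWN = [("group tacacs+", server_group(False, TACACS_USERS)),
                    ("local", local_db(LOCAL_USERS))]
# 'aaa authentication login default group tacacs+ none', servers unreachable
LIST_TACACS_NONE_DOWN = [("group tacacs+", server_group(False, TACACS_USERS)),
                         ("none", none_method)]


if __name__ == "__main__":
    # A TACACS+ denial is final: 'local' is never consulted, so a local
    # password cannot be used to get around the server's decision.
    print(authenticate(LIST_TACACS_LOCAL, "admin", "local-pw"))      # ('fail', 'group tacacs+')
    # With the servers down, the local database becomes the decider.
    print(authenticate(LIST_TACACS_DOWN, "admin", "local-pw"))       # ('pass', 'local')
    # With 'none' as the backup, an outage admits any credentials at all.
    print(authenticate(LIST_TACACS_NONE_DOWN, "nobody", ""))         # ('pass', 'none')
```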

Preventing an Access Request with a Blank Username from Being Sent to the RADIUS Server

The following configuration steps provide the ability to prevent an Access Request with a blank username from being sent to the RADIUS server. This functionality ensures that unnecessary RADIUS server interaction is avoided, and RADIUS logs are kept short.

Procedure


Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

aaa new-model

Example:

Device(config)# aaa new-model

Enables AAA globally.

Step 4

aaa authentication suppress null-username

Example:

Device(config)# aaa authentication suppress null-username

Prevents an Access Request with a blank username from being sent to the RADIUS server.

Step 5

end

Example:

Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Configuring Message Banners for AAA Authentication

AAA supports the use of configurable, personalized login and failed-login banners. You can configure message banners that will be displayed when a user logs in to the system to be authenticated using AAA and when, for whatever reason, authentication fails.

Configuring a Login Banner

To configure a banner that is displayed when a user logs in (replacing the default message for login), perform the following task:

Before you begin

To create a login banner, you must configure a delimiting character that notifies the system that the following text string must be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any single character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string for the banner.

Procedure

Step 1

enable

Example:
Device> enable

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:
Device# configure terminal

Enters global configuration mode.

Step 3

aaa new-model

Example:
Device(config)# aaa new-model

Enables AAA.

Step 4

aaa authentication banner delimiter string delimiter

Example:
Device(config)# aaa authentication banner *Unauthorized use is prohibited.*

Creates a personalized login banner.

Step 5

end

Example:
Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Configuring a Failed-Login Banner

To configure a message that is displayed when a user login fails (replacing the default message for failed login), perform the following task:

Before you begin

To create a failed-login banner, you must configure a delimiting character, which notifies the system that the following text string must be displayed as the banner, and then configure the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the failed-login banner. The delimiting character can be any single character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

Procedure

Step 1

enable

Example:
Device> enable

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:
Device# configure terminal

Enters global configuration mode.

Step 3

aaa new-model

Example:
Device(config)# aaa new-model

Enables AAA.

Step 4

aaa authentication fail-message delimiter string delimiter

Example:
Device(config)# aaa authentication fail-message *Failed login. Try again.*

Creates a message to be displayed when a user login fails.

Step 5

end

Example:
Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Configuring AAA Packet of Disconnect

Packet of disconnect (POD) terminates connections on the network access server (NAS) when particular session attributes are identified. By using session information obtained from AAA, the POD client residing on a UNIX workstation sends disconnect packets to the POD server running on the network access server. The NAS terminates any inbound user session with one or more matching key attributes. It rejects requests when required fields are missing or when an exact match is not found.

To configure POD, perform the following tasks in global configuration mode:

Procedure


Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

aaa accounting network default start-stop radius

Example:

Device(config)# aaa accounting network default start-stop radius

Enables AAA accounting records.

Step 4

aaa accounting delay-start

Example:

Device(config)# aaa accounting delay-start

(Optional) Delays generation of the start accounting record until the Framed-IP-Address is assigned, allowing its use in the POD packet.

Step 5

aaa pod server server-key string

Example:

Device(config)# aaa pod server server-key xyz123

Enables POD reception.

Step 6

radius server name non-standard

Example:

Device(config)# radius server radser

Configures a RADIUS server and enters RADIUS server configuration mode.

Step 7

address {ipv4 | ipv6} hostname

Example:

Device(config-radius-server)# address ipv4 radius-host

Configures a RADIUS host.

Step 8

end

Example:

Device(config-radius-server)# end

Exits RADIUS server configuration mode and returns to privileged EXEC mode.

Configuring Domain Stripping at the Server Group Level

Procedure


Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

aaa group server radius server-name

Example:

Device(config)# aaa group server radius rad1

Defines the RADIUS server group and enters server group RADIUS configuration mode.

  • The server-name argument specifies the RADIUS server group name.

Step 4

domain-stripping [strip-suffix word] [right-to-left ] [prefix-delimiter word] [delimiter word]

Example:

Device(config-sg-radius)# domain-stripping delimiter username@example.com

Configures domain stripping at the server group level.

Step 5

end

Example:

Device(config-sg-radius)# end

Exits server group RADIUS configuration mode and returns to the privileged EXEC mode.
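As an added illustration (not Cisco's implementation), the following Python models how a username is rewritten by the domain-stripping options listed in Step 4 and how per-server-group and global settings combine per VRF as described under "Domain Stripping" above. The exact parsing rules assigned to each keyword (default delimiter "@", prefix stripped before suffix, strip-suffix as an exact realm match) and the sample configuration and usernames are assumptions.

```python
"""Model of IOS domain stripping (an added illustration, not Cisco code).

Assumed keyword semantics: the suffix delimiter defaults to '@'; the
username is split at the first delimiter scanning left-to-right, or at the
last one when 'right-to-left' is set; 'strip-suffix' strips only when the
domain equals that suffix; 'prefix-delimiter' additionally removes a leading
'domain/' part. Server-group rules override global rules per VRF.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


def _delimiter_index(text: str, delimiters: str, from_right: bool) -> int:
    """Position of the first delimiter character (left-to-right) or of the
    last one when from_right is set; -1 if none is present."""
    hits = [i for i, ch in enumerate(text) if ch in delimiters]
    if not hits:
        return -1
    return hits[-1] if from_right else hits[0]


@dataclass
class DomainStripping:
    """One 'domain-stripping [strip-suffix word] [right-to-left]
    [prefix-delimiter word] [delimiter word]' command (assumed semantics)."""
    strip_suffix: Optional[str] = None   # strip only this realm
    right_to_left: bool = False          # use the last delimiter, not the first
    prefix_delimiter: str = ""           # '' = no prefix stripping
    delimiter: str = "@"                 # suffix delimiter characters

    def apply(self, username: str) -> str:
        name = username
        # Prefix stripping: 'example.com/alice' -> 'alice' (assumed to run first).
        if self.prefix_delimiter:
            i = _delimiter_index(name, self.prefix_delimiter, False)
            if i >= 0:
                name = name[i + 1:]
        # Suffix stripping: 'alice@example.com' -> 'alice'.
        i = _delimiter_index(name, self.delimiter, self.right_to_left)
        if i < 0:
            return name
        domain = name[i + 1:]
        if self.strip_suffix is not None and domain != self.strip_suffix:
            return name  # different realm: leave the username untouched
        return name[:i]


# Rule tables are keyed by VRF name; None is the entry without a VRF.
RuleTable = Dict[Optional[str], DomainStripping]


@dataclass
class AaaDomainConfig:
    """Global domain-stripping rules plus per-server-group rules."""
    global_rules: RuleTable = field(default_factory=dict)
    group_rules: Dict[str, RuleTable] = field(default_factory=dict)

    def effective_rule(self, group: str, vrf: Optional[str]) -> Optional[DomainStripping]:
        # A server-group rule for this VRF overrides the global one; a global
        # rule for a VRF still applies to groups that define none for it.
        group_table = self.group_rules.get(group, {})
        if vrf in group_table:
            return group_table[vrf]
        return self.global_rules.get(vrf)

    def username_for_server(self, group: str, vrf: Optional[str], username: str) -> str:
        """Username as it would be placed in the request sent to the group."""
        rule = self.effective_rule(group, vrf)
        return rule.apply(username) if rule else username


# Constructed sample configuration.
CFG = AaaDomainConfig(
    global_rules={
        None: DomainStripping(strip_suffix="example.com"),  # global, no VRF
        "vrfA": DomainStripping(),                          # global, VRF vrfA
    },
    group_rules={
        "rad1": {
            None: DomainStripping(right_to_left=True),
            "vrfB": DomainStripping(prefix_delimiter="/"),
        },
    },
)
```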

Configuring Non-AAA Authentication Methods

Configuring Line Password Protection

This task is used to provide access control on a terminal line by entering the password and establishing password checking.

Note

If you configure line password protection and then configure TACACS or extended TACACS, the TACACS username and password take precedence over line passwords. If you have not yet implemented a security policy, we recommend that you use AAA.

Procedure

Step 1

enable

Example:
Device> enable

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:
Device# configure terminal

Enters global configuration mode.

Step 3

line [aux | console | tty | vty ] line-number [ending-line-number ]

Example:
Device(config)# line console 0

Enters line configuration mode.

Step 4

password password

Example:
Device(config-line)# password word

Assigns a password to a terminal or other device on a line. The password checker is case sensitive and can include spaces; for example, the password “Secret” is different from the password “secret,” and “two words” is an acceptable password.

Step 5

login

Example:
Device(config-line)# login

Enables password checking at login.

You can disable line password verification by disabling password checking by using the no version of this command.

Note

The login command only changes username and privilege level but it does not execute a shell; therefore autocommands will not be executed. To execute autocommands under this circumstance, you need to establish a Telnet session back into the device (loop-back). Make sure that the device has been configured for secure Telnet sessions if you choose to implement autocommands this way.

Step 6

end

Example:
Device(config-line)# end

Exits line configuration mode and returns to privileged EXEC mode.

Establishing Username Authentication

You can create a username-based authentication system, which is useful in the following situations:

  • To provide a TACACS-like username and encrypted password-authentication system for networks that cannot support TACACS

  • To provide special-case logins: for example, access list verification, no password verification, autocommand execution at login, and “no escape” situations

To establish username authentication, perform the following task:

Procedure

Step 1

enable

Example:
Device> enable

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:
Device# configure terminal

Enters global configuration mode.

Step 3

Do one of the following:

  • username name [nopassword | password password | password encryption-type encrypted-password ]
  • username name [access-class number ]

Example:
Device(config)# username superuser password superpassword
Device(config)# username superuser password 7 encrypted-password
Device(config)# username user1 access-class access-user

Establishes username authentication with encrypted passwords.

or

(Optional) Establishes username authentication by access list.

Step 4

username name [privilege level ]

Example:
Device(config)# username user1 privilege 5

(Optional) Sets the privilege level for the user.

Step 5

username name [autocommand command ]

Example:
Device(config)# username user1 autocommand show users

(Optional) Specifies a command to be executed automatically.

Step 6

username name [noescape ] [nohangup ]

Example:
Device(config)# username user1 noescape

(Optional) Sets a “no escape” login environment.

Step 7

end

Example:
Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

What to do next

The keyword noescape prevents users from using escape characters on the hosts to which they are connected. The nohangup feature does not disconnect after using the autocommand.

Caution

Passwords will be displayed in clear text in your configuration unless you enable the service password-encryption command.