The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Authentication provides a method to identify users, which includes the login and password dialog, challenge and response, messaging support, and encryption, depending on the selected security protocol. Authentication is the way a user is identified prior to being allowed access to the network and network services.
The implementation of authentication is divided into Authentication, Authorization, and Accounting (AAA) authentication and nonauthentication methods. Cisco recommends that, whenever possible, AAA security services be used to implement authentication.
The number of AAA method lists that can be configured is 250.
If you configure the same RADIUS server IP address for a different UDP destination port for accounting requests by using the acct-port keyword and a UDP destination port for authentication requests by using the auth-port keyword with and without the nonstandard option, the RADIUS server does not accept the nonstandard option.
A named list of authentication methods is first defined before AAA authentication can be configured, and the named list is then applied to various interfaces. The method list defines the types of authentication and the sequence in which they are performed; it must be applied to a specific interface before any of the defined authentication methods are performed. The only exception is the default method list (which is named “default”). The default method list is automatically applied to all interfaces, except those that have a named method list explicitly defined. A defined method list overrides the default method list.
A method list is a sequential list describing the authentication methods to be queried to authenticate a user. Method lists enable you to designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. Cisco software uses the first listed method to authenticate users. If that method fails to respond, the Cisco software selects the next authentication method listed in the method list. This process continues until there is successful communication with a listed authentication method, or all methods defined in the method list are exhausted.
Note that the software attempts authentication with the next listed authentication method only when there is no response from the previous method. If authentication fails at any point in this cycle, that is, the security server or local username database responds by denying the user access, then the authentication process stops and no other authentication methods are attempted.
A server group is a way to group existing RADIUS or TACACS+ server hosts for use in method lists. The figure below shows a typical AAA network configuration that includes four security servers: R1 and R2 are RADIUS servers and T1 and T2 are TACACS+ servers. R1 and R2 make up the group of RADIUS servers. T1 and T2 make up the group of TACACS+ servers.
Using server groups, you can specify a subset of the configured server hosts and use them for a particular service. For example, server groups allow you to define R1 and R2 as a server group, and define T1 and T2 as a separate server group.
Server groups also can include multiple host entries for the same server, as long as each entry has a unique identifier. The combination of an IP address and a UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. In other words, this unique identifier enables RADIUS requests to be sent to different UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service--for example, authentication--the second host entry configured acts as failover backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry configured on the same device for accounting services. (The RADIUS host entries will be tried in the order in which they are configured.)
For more information about configuring server groups and about configuring server groups based on Dialed Number Identification Service (DNIS) numbers, see the “Configuring RADIUS” or “Configuring TACACS+” chapters.
Use the aaa authentication login command with the enable keyword to specify the enable password as the login authentication method. For example, to specify the enable password as the method of user authentication at login when no other method list has been defined, enter the following command:
Device(config)# aaa authentication login default enable
Before you can use the enable password as the login authentication method, you need to define the enable password. For more information about defining enable passwords, see chapter “Controlling Switch Access with Passwords and Privilege Levels.”
Use the aaa authentication login default command with the line keyword to specify the line password as the login authentication method. For example, to specify the line password as the method of user authentication at login when no other method list has been defined, enter the following command:
Device(config)# aaa authentication login default line
Before you can use a line password as the login authentication method, you need to define a line password.
Use the aaa authentication login default command with the local keyword to specify that the Cisco device will use the local username database for authentication. For example, to specify the local username database as the method of user authentication at login when no other method list has been defined, enter the following command:
Device(config)# aaa authentication login default local
Use the aaa authentication login default command with the group radius to specify RADIUS as the login authentication method. For example, to specify RADIUS as the method of user authentication at login when no other method list has been defined, enter the following command:
Device(config)# aaa authentication login default group radius
Before you can use RADIUS as the login authentication method, you need to enable communication with the RADIUS security server. For more information about establishing communication with a RADIUS server, refer to the chapter “Configuring RADIUS.”
After you have used the aaa authentication login command to specify RADIUS and your login host has been configured to request its IP address from the NAS, you can send attribute 8 (Framed-IP-Address) in access-request packets by using the radius-server attribute 8 include-in-access-req command in global configuration mode. This command makes it possible for NAS to provide the RADIUS server a hint of the user IP address in advance for user authentication.
Use the aaa authentication login default command with the group tacacs+ to specify TACACS+ as the login authentication method. For example, to specify TACACS+ as the method of user authentication at login when no other method list has been defined, enter the following command:
Device(config)# aaa authentication login default group tacacs+
Before you can use TACACS+ as the login authentication method, you need to enable communication with the TACACS+ security server. For more information about establishing communication with a TACACS+ server, refer to the chapter “Configuring TACACS+.”
Use the aaa authentication login default command with the group group-name method to specify a subset of RADIUS or TACACS+ servers to use as the login authentication method. To specify and define the group name and the members of the group, use the aaa group server command. For example, use the aaa group server command to first define the members of group loginrad :
Device> enable
Device# configure terminal
Device(config)# aaa group server radius loginrad
Device(config-sg-radius)# server 172.16.2.3
Device(config-sg-radius)# server 172.16.2 17
Device(config-sg-radius)# server 172.16.2.32
Device(config-sg-radius)# end
This command specifies RADIUS servers 172.16.2.3, 172.16.2.17, and 172.16.2.32 as members of the group loginrad .
To specify group loginrad as the method of user authentication at login when no other method list has been defined, enter the following command:
Device(config)# aaa authentication login default group loginrad
Before you can use a group name as the login authentication method, you need to enable communication with the RADIUS or TACACS+ security server. For more information about establishing communication with a RADIUS server, refer to the chapter “Configuring RADIUS.” For more information about establishing communication with a TACACS+ server, refer to the chapter “Configuring TACACS+.”
Device(config-line)# timeout login response 30Use the aaa authentication enable default command to create a series of authentication methods that are used to determine whether a user can access the privileged EXEC command level. You can specify up to four authentication methods. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.
Device(config)# authentication enable default radiusDevice(config)# authentication enable default tacacsUse the aaa authentication password-prompt command to change the default text that the Cisco IOS XE software displays when prompting a user to enter a password. This command changes the password prompt for the enable password as well as for login passwords that are not supplied by remote security servers. The no form of this command returns the password prompt to the following default value:
Password:
The aaa authentication password-prompt command does not change any dialog that is supplied by a remote TACACS+ or RADIUS server.
The aaa authentication password-prompt command works when RADIUS is used as the login method. You will be able to see the password prompt defined in the command shown even when the RADIUS server is unreachable. The aaa authentication password-prompt command does not work with TACACS+. TACACS+ supplies the NAS with the password prompt to display to the users. If the TACACS+ server is reachable, the NAS gets the password prompt from the server and uses that prompt instead of the one defined in the aaa authentication password-prompt command. If the TACACS+ server is not reachable, the password prompt defined in the aaa authentication password-prompt command may be used.
Device(config)# aaa authentication password-prompt “Enter your password now:”The AAA Broadcast Accounting feature allows accounting information to be sent to multiple AAA servers at the same time, that is, accounting information can be broadcast to one or more AAA servers simultaneously. This functionality allows you to send accounting information to private and public AAA servers. It also provides redundant billing information for voice applications.
The Domain Stripping feature allows domain stripping to be configured at the server group level.
Per-server group configuration overrides the global configuration. If domain stripping is not enabled globally, but it is enabled in a server group, then it is enabled only for that server group. Also, if virtual routing and forwarding (VRF)-specific domain stripping is configured globally and in a server group for a different VRF, domain stripping is enabled in both the VRFs. VRF configurations are taken from server-group configuration mode. If server-group configurations are disabled in global configuration mode but are available in server-group configuration mode, all configurations in server-group configuration mode are applicable.
After the domain stripping and broadcast accounting are configured, you can create separate accounting records as per the configurations.
If both domain-stripping and directed-request commands are enabled, domain stripping takes precedence and directed request functionality will not work.
The AAA security services facilitate a variety of login authentication methods. Use the aaa authentication login command to enable AAA authentication no matter which of the supported login authentication methods you decide to use. With the aaa authentication login command, you create one or more lists of authentication methods that are tried at login. These lists are applied using the login authentication line configuration command.
To configure login authentication by using AAA, use the following commands beginning in global configuration mode:
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password, if prompted. |
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
aaa new-model Example: |
Enables AAA. |
|
Step 4 |
aaa authentication login {default | list-name } method1 [method2 ...] Example: |
Creates a local authentication list. |
|
Step 5 |
line [aux | console | tty | vty ] line-number [ending-line-number ] Example: |
Enters line configuration mode for the lines to which you want to apply the authentication list. |
|
Step 6 |
login authentication {default | list-name} Example: |
Applies the authentication list to a line or set of lines. |
|
Step 7 |
end Example: |
Exits line configuration mode and returns to privileged EXEC mode. |
The list-name is a character string used to name the list you are creating. The method argument refers to the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.
For example, to specify that authentication should succeed even if (in this example) the TACACS+ server returns an error, enter the following command:
Device(config)# aaa authentication login default group tacacs+ none
 Note |
Because the none keyword enables any user logging in to successfully authenticate, it should be used only as a backup method of authentication. |
To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
For example, to specify RADIUS as the default method for user authentication during login, enter the following command:
Device(config)# aaa authentication login default group radius
The following configuration steps provide the ability to prevent an Access Request with a blank username from being sent to the RADIUS server. This functionality ensures that unnecessary RADIUS server interaction is avoided, and RADIUS logs are kept short.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password, if prompted. |
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
aaa new-model Example: |
Enables AAA globally. |
|
Step 4 |
aaa authentication suppress null-username Example: |
Prevents an Access Request with a blank username from being sent to the RADIUS server. |
|
Step 5 |
end Example: |
Exits global configuration mode and returns to privileged EXEC mode. |
AAA supports the use of configurable, personalized login and failed-login banners. You can configure message banners that will be displayed when a user logs in to the system to be authenticated using AAA and when, for whatever reason, authentication fails.
To configure a banner that is displayed when a user logs in (replacing the default message for login), perform the following task:
To create a login banner, you must configure a delimiting character that notifies the system that the following text string must be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any single character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string for the banner.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password, if prompted. |
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
aaa new-model Example: |
Enables AAA. |
|
Step 4 |
aaa authentication banner delimiter string delimiter Example: |
Creates a personalized login banner. |
|
Step 5 |
end Example: |
Exits global configuration mode and returns to privileged EXEC mode. |
To configure a message that is displayed when a user login fails (replacing the default message for failed login), perform the following task:
To create a failed-login banner, you must configure a delimiting character, which notifies the system that the following text string must be displayed as the banner, and then configure the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the failed-login banner. The delimiting character can be any single character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password, if prompted. |
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
aaa new-model Example: |
Enables AAA. |
|
Step 4 |
aaa authentication fail-message delimiter string delimiter Example: |
Creates a message to be displayed when a user login fails. |
|
Step 5 |
end Example: |
Exits global configuration mode and returns to privileged EXEC mode. |
Packet of disconnect (POD) terminates connections on the network access server (NAS) when particular session attributes are identified. By using session information obtained from AAA, the POD client residing on a UNIX workstation sends disconnect packets to the POD server running on the network access server. The NAS terminates any inbound user session with one or more matching key attributes. It rejects requests when required fields are missing or when an exact match is not found.
To configure POD, perform the following tasks in global configuration mode:
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password, if prompted. |
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
aaa accounting network default start-stop radius Example: |
Enables AAA accounting records. |
|
Step 4 |
aaa accounting delay-start Example: |
(Optional) Delays generation of the start accounting record until the Framed-IP-Address is assigned, allowing its use in the POD packet. |
|
Step 5 |
aaa pod server server-key string Example: |
Enables POD reception. |
|
Step 6 |
radius server name non-standard Example: |
Configures a RADIUS server and enters RADIUS server configuration mode. |
|
Step 7 |
address {ipv4 | ipv6} hostname Example: |
Configures a RADIUS host. |
|
Step 8 |
end Example: |
Exits RADIUS server configuration mode and returns to privileged EXEC mode. |
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enter your password, if prompted. |
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
aaa group server radius server-name Example: |
|
|
Step 4 |
domain-stripping [strip-suffix word] [right-to-left ] [prefix-delimiter word] [delimiter word] Example: |
Configures domain stripping at the server group level. |
|
Step 5 |
end Example: |
Exits server group RADIUS configuration mode and returns to the privileged EXEC mode. |
This task is used to provide access control on a terminal line by entering the password and establishing password checking.
Note |
If you configure line password protection and then configure TACACS or extended TACACS, the TACACS username and password take precedence over line passwords. If you have not yet implemented a security policy, we recommend that you use AAA. |
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password, if prompted. |
||
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
||
|
Step 3 |
line [aux | console | tty | vty ] line-number [ending-line-number ] Example: |
Enters line configuration mode. |
||
|
Step 4 |
password password Example: |
Assigns a password to a terminal or other device on a line. The password checker is case sensitive and can include spaces; for example, the password “Secret” is different from the password “secret,” and “two words” is an acceptable password. |
||
|
Step 5 |
login Example: |
Enables password checking at login. You can disable line password verification by disabling password checking by using the no version of this command.
|
||
|
Step 6 |
end Example: |
Exits line configuration mode and returns to privileged EXEC mode. |
You can create a username-based authentication system, which is useful in the following situations:
To provide a TACACS-like username and encrypted password-authentication system for networks that cannot support TACACS
To provide special-case logins: for example, access list verification, no password verification, autocommand execution at login, and “no escape” situations
To establish username authentication, perform the following task:
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password, if prompted. |
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
Do one of the following:
Example: |
Establishes username authentication with encrypted passwords. or (Optional) Establishes username authentication by access list. |
|
Step 4 |
username name [privilege level ] Example: |
(Optional) Sets the privilege level for the user. |
|
Step 5 |
username name [autocommand command ] Example: |
(Optional) Specifies a command to be executed automatically. |
|
Step 6 |
username name [noescape ] [nohangup ] Example: |
(Optional) Sets a “no escape” login environment. |
|
Step 7 |
end Example: |
Exits global configuration mode and returns to privileged EXEC mode. |
The keyword noescape prevents users from using escape characters on the hosts to which they are connected. The nohangup feature does not disconnect after using the autocommand.
 Caution |
Passwords will be displayed in clear text in your configuration unless you enable the service password-encryption command. |
Feedback