aaa accounting through aaa local authentication attempts max-fail

aaa accounting

To enable authentication, authorization, and accounting (AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting command in global configuration mode or template configuration mode. To disable AAA accounting, use the no form of this command.

aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name | guarantee-first} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] {radius | group group-name}

no aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name | guarantee-first} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] {radius | group group-name}

Syntax Description

auth-proxy

Provides information about all authenticated-proxy user events.

system

Performs accounting for all system-level events not associated with users, such as reloads.

Note


When system accounting is used and the accounting server is unreachable at system startup time, the system will not be accessible for approximately two minutes.

network

Runs accounting for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).

exec

Runs accounting for the EXEC shell session. This keyword might return user profile information such as what is generated by the autocommand command.

connection

Provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), TN3270, packet assembler and disassembler (PAD), and rlogin.

commands level

Runs accounting for all commands at the specified privilege level. Valid privilege level entries are integers from 0 through 15.

dot1x

Provides information about all IEEE 802.1x-related user events.

default

Uses the listed accounting methods that follow this keyword as the default list of methods for accounting services.

list-name

Character string used to name the list of at least one of the following accounting methods:

  • group radius --Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.

  • group tacacs+ --Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command.

  • group group-name --Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name argument.

guarantee-first

Guarantees system accounting as the first record.

vrf vrf-name

(Optional) Specifies a virtual routing and forwarding (VRF) configuration.

VRF is used only with system accounting.

start-stop

Sends a “start” accounting notice at the beginning of a process and a “stop” accounting notice at the end of a process. The “start” accounting record is sent in the background. The requested user process begins regardless of whether the “start” accounting notice was received by the accounting server.

stop-only

Sends a stop accounting record for all cases including authentication failures regardless of whether the aaa accounting send stop-record authentication failure command is configured.

none

Disables accounting services on this line or interface.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.
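The difference between broadcast and the ordinary sequential method list matters when the accounting copy that feeds a billing system and the copy that feeds security monitoring live in different server groups. The following Python model is an added illustration, not code from the Cisco reference; the server group names and addresses are constructed, and the "reachable" set stands in for whichever servers currently answer Accounting-Requests.

```python
# Constructed server groups (not from the reference): each group is an ordered
# list of servers in the order 'aaa group server radius' would list them.
GROUPS = {
    "billing": ["10.0.0.11", "10.0.0.12"],
    "soc": ["10.0.1.11", "10.0.1.12", "10.0.1.13"],
}


def broadcast_targets(groups, reachable):
    """Server that receives a record in each group under the broadcast keyword.

    Mirrors the behaviour the reference describes: the record goes to the first
    server of every group at the same time, and a group fails over to its
    backups only when its first server is unavailable. reachable is the set of
    addresses that currently answer. Returns {group_name: address or None};
    None means every server in that group is down, so that consumer loses the
    record.
    """
    chosen = {}
    for name, servers in groups.items():
        chosen[name] = next((s for s in servers if s in reachable), None)
    return chosen


def unicast_target(groups, order, reachable):
    """Without broadcast the groups in a method list are tried in sequence and
    only the first group that answers receives the record. order is the
    sequence of group names as written in the method list."""
    for name in order:
        server = next((s for s in groups[name] if s in reachable), None)
        if server is not None:
            return name, server
    return None, None
```

With all servers up, broadcast delivers to `10.0.0.11` and `10.0.1.11` at once, whereas the sequential list delivers only to the billing group; the security group sees the record only after the entire billing group becomes unreachable.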

radius

Runs the accounting service for RADIUS.

group group-name

Specifies the accounting method list. Enter at least one of the following keywords:

  • auth-proxy --Creates a method list to provide accounting information about all authenticated hosts that use the authentication proxy service.

  • commands --Creates a method list to provide accounting information about specific, individual EXEC commands associated with a specific privilege level.

  • connection --Creates a method list to provide accounting information about all outbound connections made from the network access server.

  • exec --Creates a method list to provide accounting records about user EXEC terminal sessions on the network access server, including username, date, and start and stop times.

  • network --Creates a method list to provide accounting information for SLIP, PPP, NCPs, and ARAP sessions.

  • resource --Creates a method list to provide accounting records for calls that have passed user authentication or calls that failed to be authenticated.

  • tunnel --Creates a method list to provide accounting records (Tunnel-Start, Tunnel-Stop, and Tunnel-Reject) for virtual private dialup network (VPDN) tunnel status changes.

  • tunnel-link --Creates a method list to provide accounting records (Tunnel-Link-Start, Tunnel-Link-Stop, and Tunnel-Link-Reject) for VPDN tunnel-link status changes.

delay-start

Delays PPP network start records until the peer IP address is known.

send

Sends records to the accounting server.

stop-record

Generates stop records for a specified event.

authentication

Generates stop records for authentication failures.

failure

Generates stop records for authentication failures.

success

Generates stop records for authenticated users.

remote-server

Specifies that the users are successfully authenticated through access-accept message, by a remote AAA server.

Command Default

AAA accounting is disabled.

Command Modes


Global configuration (config)

Command History

Release

Modification

10.3

This command was introduced.

12.0(5)T

Group server support was added.

12.1(1)T

The broadcast keyword was added on the Cisco AS5300 and Cisco AS5800 universal access servers.

12.1(5)T

The auth-proxy keyword was added.

12.2(1)DX

The vrf keyword and vrf-name argument were added on the Cisco 7200 series and Cisco 7401ASR.

12.2(2)DD

This command was integrated into Cisco IOS Release 12.2(2)DD.

12.2(4)B

This command was integrated into Cisco IOS Release 12.2(4)B.

12.2(13)T

The vrf keyword and vrf-name argument were integrated into Cisco IOS Release 12.2(13)T.

12.2(15)B

The tunnel and tunnel-link accounting methods were introduced.

12.3(4)T

The tunnel and tunnel-link accounting methods were integrated into Cisco IOS Release 12.3(4)T.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(11)T

The dot1x keyword was integrated into Cisco IOS Release 12.4(11)T.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

12.2(33)SXI

This command was integrated into Cisco IOS Release 12.2(33)SXI.

Cisco IOS XE Release 2.6

This command was integrated into Cisco IOS XE Release 2.6. The radius keyword was added.

15.3(1)S

This command was integrated into Cisco IOS Release 15.3(1)S.

Usage Guidelines

General Information

Use the aaa accounting command to enable accounting and to create named method lists that define specific accounting methods on a per-line or per-interface basis.

The table below contains descriptions of keywords for AAA accounting methods.

Table 1. aaa accounting Methods

Keyword

Description

group group-name

Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name argument.

group radius

Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.

group tacacs+

Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command.

In the table above, the group radius and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Cisco IOS software supports the following two methods of accounting:

  • RADIUS--The network access server reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

  • TACACS+--The network access server reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting AV pairs and is stored on the security server.

Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering values for the list-name argument where list-name is any character string used to name this list (excluding the names of methods, such as RADIUS or TACACS+) and method list keywords to identify the methods to be tried in sequence as given.

If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.


Note


System accounting does not use named accounting lists; you can define the default list only for system accounting.


For minimal accounting, include the stop-only keyword to send a “stop” accounting record for all cases including authentication failures. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a “start” accounting notice at the beginning of the requested process and a “stop” accounting notice at the end of the process. Accounting is stored only on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.
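On the collector side, the choice between start-stop and stop-only decides what a complete session looks like, and an audit of the accounting log has to know which mode was in force. The following Python check is an added example, not part of the Cisco reference; the RADIUS accounting records it works on are constructed (attribute names follow the standard RADIUS accounting attributes, the session ids and user names are made up).

```python
from collections import defaultdict

# Constructed sample records (not real captures): the attributes a NAS would put
# in successive RADIUS Accounting-Request packets under a start-stop method list.
SAMPLE_RECORDS = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "00000101", "User-Name": "alice"},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "00000101", "User-Name": "alice",
     "Acct-Session-Time": 1800, "Acct-Terminate-Cause": "User-Request"},
    # Stop with no Start: what an authentication failure produces under stop-only
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "00000102", "User-Name": "bob",
     "Acct-Session-Time": 0, "Acct-Terminate-Cause": "User-Error"},
    # Start with no Stop: still active, or the Stop was lost while the server was down
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "00000103", "User-Name": "carol"},
]


def classify_sessions(records, mode="start-stop"):
    """Group records by Acct-Session-Id and classify each session.

    mode is the method-list keyword in force on the line. With "start-stop" a
    Stop that has no Start is unexpected; with "stop-only" it is the normal
    case, because no Start record is ever sent.
    Returns {session_id: {"user": ..., "status": ..., "seconds": ...}}.
    """
    by_id = defaultdict(list)
    for rec in records:
        by_id[rec["Acct-Session-Id"]].append(rec)

    result = {}
    for sid, recs in by_id.items():
        types = [r["Acct-Status-Type"] for r in recs]
        stops = [r for r in recs if r["Acct-Status-Type"] == "Stop"]
        if "Start" in types and stops:
            status = "complete"
        elif "Start" in types:
            status = "open"
        elif mode == "stop-only":
            status = "complete"
        else:
            status = "stop-without-start"
        result[sid] = {
            "user": recs[0]["User-Name"],
            "status": status,
            "seconds": stops[-1].get("Acct-Session-Time") if stops else None,
        }
    return result


def sessions_needing_review(records, mode="start-stop"):
    """Session ids whose record sequence does not match what the configured mode predicts."""
    classified = classify_sessions(records, mode)
    return sorted(sid for sid, s in classified.items()
                  if s["status"] in ("open", "stop-without-start"))
```

Run against the same records, the check flags bob's stop-without-start session under start-stop but treats it as normal under stop-only; carol's open session is flagged in both modes, which is the case an operator wants to see after an accounting server outage, since the Start was sent in the background and the session proceeded regardless.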

To specify an accounting configuration for a particular VRF, specify a default system accounting method list, and use the vrf keyword and vrf-name argument. System accounting does not have knowledge of VRF unless VRF is specified.

When AAA accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported RADIUS accounting attributes, see the appendix “RADIUS Attributes” in the Cisco IOS Security Configuration Guide . For a list of supported TACACS+ accounting AV pairs, see the appendix “TACACS+ Attribute-Value Pairs” in the Cisco IOS Security Configuration Guide .


Note


This command cannot be used with TACACS or extended TACACS.


Cisco Service Selection Gateway Broadcast Accounting

To configure Cisco Service Selection Gateway (SSG) broadcast accounting, use ssg_broadcast_accounting for the list-name argument. For more information about configuring SSG, see the chapter “Configuring Accounting for SSG” in the Cisco IOS Service Selection Gateway Configuration Guide , Release 12.4.

Layer 2 LAN Switch Port

You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and interim-update messages and time stamps. To turn on these functions, enable logging of “Update/Watchdog packets from this AAA client” in your RADIUS server Network Configuration tab. Next, enable “CVS RADIUS Accounting” in your RADIUS server System Configuration tab.

You must enable AAA before you can enter the aaa accounting command. To enable AAA and 802.1X (port-based authentication), use the following global configuration mode commands:

  • aaa new-model

  • aaa authentication dot1x default group radius

  • dot1x system-auth-control

Use the show radius statistics command to display the number of RADIUS messages that do not receive the accounting response message.

Use the aaa accounting system default start-stop group radius command to send “start” and “stop” accounting records after the router reboots. The “start” record is generated while the router is booted and the stop record is generated while the router is reloaded.

The router generates a “start” record to reach the AAA server. If the AAA server is not reachable, the router retries sending the packet four times. The retry mechanism is based on the exponential backoff algorithm. If there is no response from the AAA server, the request will be dropped.

Establishing a Session with a Router if the AAA Server Is Unreachable

The aaa accounting system guarantee-first command guarantees system accounting as the first record, which is the default condition. In some situations, users may be prevented from starting a session on the console or terminal connection until after the system reloads, which can take more than three minutes.

To establish a console or telnet session with the router if the AAA server is unreachable when the router reloads, use the no aaa accounting system guarantee-first start-stop radius command.


Note


Entering the no aaa accounting system guarantee-first command is not the only condition by which the console or telnet session can be started. For example, if the privileged EXEC session is being authenticated by TACACS and the TACACS server is not reachable, then the session cannot start.


Examples

The following example shows how to define a default command accounting method list, where accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction:


aaa accounting commands 15 default stop-only group tacacs+

The following example shows how to define a default auth-proxy accounting method list, where accounting services are provided by a TACACS+ security server with a start-stop restriction. The aaa accounting command activates authentication proxy accounting.


aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+

The following example shows how to define a default system accounting method list, where accounting services are provided by RADIUS security server “server1” with a start-stop restriction. The aaa accounting command specifies accounting for vrf “vrf1.”


aaa accounting system default vrf vrf1 start-stop group server1

The following example shows how to define a default IEEE 802.1x accounting method list, where accounting services are provided by a RADIUS server. The aaa accounting command activates IEEE 802.1x accounting.


aaa new-model
aaa authentication dot1x default group radius
aaa authorization dot1x default group radius
aaa accounting dot1x default start-stop group radius

The following example shows how to enable network accounting and send tunnel and tunnel-link accounting records to the RADIUS server. (Tunnel-Reject and Tunnel-Link-Reject accounting records are automatically sent if either start or stop records are configured.)


aaa accounting network tunnel start-stop group radius
aaa accounting network session start-stop group radius

The following example shows how to enable IEEE 802.1x accounting:


aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius

aaa accounting-list

To enable authentication, authorization, and accounting (AAA) accounting when you are using RADIUS for Secure Socket Layer Virtual Private Network (SSL VPN) sessions, use the aaa accounting-list command in global configuration mode. To disable the AAA accounting, use the no form of this command.

aaa accounting-list aaa-list

no aaa accounting-list aaa-list

Syntax Description

aaa-list

Name of the AAA accounting list that has been configured under global configuration.

Command Default

AAA accounting is not enabled.

Command Modes


Global configuration

Command History

Release

Modification

12.4(9)T

This command was introduced.

Usage Guidelines

Before configuring this command, ensure that the AAA accounting list has already been configured under global configuration.

Examples

The following example shows that AAA accounting has been configured for an SSL VPN session:


Router(config)# aaa accounting-list aaalist1

aaa accounting (IKEv2 profile)

To enable AAA accounting for IPsec sessions, use the aaa accounting command in IKEv2 profile configuration mode. To disable AAA accounting, use the no form of this command.

aaa accounting {psk | cert | eap} list-name

no aaa accounting {psk | cert | eap} list-name

Syntax Description

psk

Specifies a method list if the authentication method is preshared key.

cert

Specifies a method list if the authentication method is certificate based.

eap

Specifies a method list if the authentication method is Extensible Authentication Protocol (EAP).

list-name

Name of the AAA list.

Command Default

AAA accounting is disabled.

Command Modes


IKEv2 profile configuration (config-ikev2-profile)

Command History

Release

Modification

15.1(1)T

This command was introduced.

Cisco IOS XE Release 3.3S

This command was integrated into Cisco IOS XE Release 3.3S.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

Usage Guidelines

Use the aaa accounting command to enable and specify the method list for AAA accounting for IPsec sessions. The aaa accounting command can be specific to an authentication method or common to all authentication methods, but not both at the same time. If no method list is specified, the list is common across authentication methods.

Examples

The following example defines an AAA accounting configuration common to all authentication methods:


Router(config-ikev2-profile)# aaa accounting common-list1

The following example configures an AAA accounting for each authentication method:


Router(config-ikev2-profile)# aaa accounting psk psk-list1
Router(config-ikev2-profile)# aaa accounting cert cert-list1
Router(config-ikev2-profile)# aaa accounting eap eap-list1

aaa accounting connection h323

To define the accounting method list H.323 using RADIUS as a method with either stop-only or start-stop accounting options, use the aaa accounting connection h323 command in global configuration mode. To disable the use of this accounting method list, use the no form of this command.

aaa accounting connection h323 {stop-only | start-stop | none} [broadcast] group groupname

no aaa accounting connection h323 {stop-only | start-stop | none} [broadcast] group groupname

Syntax Description

stop-only

Sends a “stop” accounting notice at the end of the requested user process.

start-stop

Sends a “start” accounting notice at the beginning of a process and a “stop” accounting notice at the end of a process. The “start” accounting record is sent in the background. The requested user process begins regardless of whether the “start” accounting notice was received by the accounting server.

none

Disables accounting services on this line or interface.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

group groupname

Specifies the server group to be used for accounting services. The following are valid server group names:

  • string : Character string used to name a server group.

  • radius : Uses list of all RADIUS hosts.

  • tacacs+ : Uses list of all TACACS+ hosts.

Command Default

No accounting method list is defined.

Command Modes


Global configuration

Command History

Release

Modification

11.3(6)NA2

This command was introduced.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

This command creates a method list called h323 and is applied by default to all voice interfaces if the gw-accounting h323 command is also activated.

Examples

The following example enables authentication, authorization, and accounting (AAA) services, gateway accounting services, and defines a connection accounting method list (h323). The h323 accounting method list specifies that RADIUS is the security protocol that will provide the accounting services, and that the RADIUS service will track start-stop records.


aaa new-model
gw-accounting h323
aaa accounting connection h323 start-stop group radius

aaa accounting delay-start

To delay the generation of accounting start records until the user IP address is established, use the aaa accounting delay-start command in global configuration mode. To disable this functionality, use the no form of this command.

aaa accounting delay-start [all] [vrf vrf-name] [extended-delay delay-value]

no aaa accounting delay-start [all] [vrf vrf-name] [extended-delay delay-value]

Syntax Description

all

(Optional) Extends the delay of sending accounting start records to all Virtual Route Forwarding (VRF) and non-VRF users.

vrf vrf-name

(Optional) Extends the delay of sending accounting start records to the specified VRF user.

extended-delay delay-value

(Optional) Delays the sending of accounting start records by a configured delay value (in seconds) when the Internet Protocol Control Protocol Version 6 (IPCPv6) address is initialized before the IPCPv4 address is sent to the RADIUS server. The valid values are 1 and 2.

Command Default

Accounting records are not delayed.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.1

This command was introduced.

12.2(1)DX

This command was modified. The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.

12.2(2)DD

This command was integrated into Cisco IOS Release 12.2(2)DD.

12.2(4)B

This command was integrated into Cisco IOS Release 12.2(4)B.

12.2(13)T

This command was modified. The vrf keyword and vrf-name argument were integrated into Cisco IOS Release 12.2(13)T.

12.3(1)

This command was modified. The all keyword was added.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

12.2(33)SXI

This command was integrated into Cisco IOS Release 12.2(33)SXI.

15.2(4)S

This command was modified. The extended-delay keyword and delay-value argument were added.

Usage Guidelines

Use the aaa accounting delay-start command to delay the generation of accounting start records until the IP address of the user has been established. Use the vrf vrf-name keyword and argument to delay accounting start records for individual VPN routing and forwarding (VRF) users or use the all keyword for all VRF and non-VRF users.


Note


The aaa accounting delay-start command applies only to non-VRF users. If you have a mix of VRF and non-VRF users, configure the aaa accounting delay-start (for non-VRF users), aaa accounting delay-start vrf vrf-name (for VRF users), or aaa accounting delay-start all (for all VRF and non-VRF users) command.


Use the aaa accounting delay-start extended-delay delay-value command in the following two scenarios:

  • The user is a dual-stack (IPv4 or IPv6) subscriber.

  • The IP address is from a local pool and not from the RADIUS server.


Note


It is mandatory that you configure the aaa accounting delay-start command before you configure the aaa accounting delay-start extended-delay command.


In both scenarios, the IPCPv6 address is initialized first and the IPCPv4 address is initialized after a few milliseconds. Use the aaa accounting delay-start extended-delay delay-value command to delay the accounting start records for the configured time (in seconds) after the IPCPv6 address is sent to the RADIUS server. During this configured delay time, the IPCPv4 address is sent and the Framed-IP-Address attribute is added to the accounting start record. If the IPCPv4 address is not sent in the configured delay time, the accounting start record is sent without the Framed-IP-Address attribute.
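The following Python model is an added example, not code from the Cisco reference. It reproduces the decision described above for one dual-stack PPP session and adds the collector-side check that goes with it. The user names, IPv6 prefixes and event timings are constructed; one assumption not stated on the page is labelled in the code.

```python
VALID_EXTENDED_DELAYS = (1, 2)  # the only delay-value settings the command accepts


def build_start_record(user, ipv6_prefix, ipv4_arrival, extended_delay):
    """Decide what the PPP accounting Start record carries for a dual-stack user.

    Follows the reference's description of extended-delay: once IPCPv6 is up the
    Start record is held for extended_delay seconds; if IPCPv4 completes within
    that window, Framed-IP-Address is added, otherwise the record goes without it.
    ipv4_arrival is (seconds_after_ipcpv6, address) or None if IPCPv4 never
    completes. Assumption (not stated on the page): the record is released as
    soon as both addresses are known rather than at the end of the window.
    Returns (send_time_seconds, record).
    """
    if extended_delay not in VALID_EXTENDED_DELAYS:
        raise ValueError("extended-delay must be 1 or 2 seconds")
    record = {"Acct-Status-Type": "Start", "User-Name": user,
              "Framed-IPv6-Prefix": ipv6_prefix}
    if ipv4_arrival is not None and ipv4_arrival[0] <= extended_delay:
        record["Framed-IP-Address"] = ipv4_arrival[1]
        return ipv4_arrival[0], record
    return extended_delay, record


def starts_without_ipv4(records):
    """Collector-side check: users whose Start record carries no IPv4 address.

    A rising count is the signal that the configured delay is too short for
    the access network, or that IPCPv4 is failing for these subscribers.
    """
    return [r["User-Name"] for r in records
            if r["Acct-Status-Type"] == "Start" and "Framed-IP-Address" not in r]
```

The second function is the part worth wiring into monitoring: a Start record without Framed-IP-Address is still a valid record, so nothing on the NAS side reports that the attribute was dropped.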

Examples

The following example shows how to delay accounting start records until the IP address of the user is established:


aaa new-model
aaa authentication ppp default radius
aaa accounting network default start-stop group radius
aaa accounting delay-start
radius-server host 192.0.2.1 non-standard
radius-server key rad123

The following example shows that accounting start records are to be delayed to all VRF and non-VRF users:


aaa new-model
aaa authentication ppp default radius
aaa accounting network default start-stop group radius
aaa accounting delay-start all
radius-server host 192.0.2.1 non-standard
radius-server key rad123

The following example shows how to delay accounting start records for 2 seconds when the user is a dual-stack subscriber:


aaa new-model
aaa authentication ppp default radius
aaa accounting network default start-stop group radius
aaa accounting delay-start
aaa accounting delay-start extended-delay 2
radius-server host 192.0.2.1 non-standard
radius-server key rad123

aaa accounting gigawords

To enable authentication, authorization, and accounting (AAA) 64-bit, high-capacity counters, use the aaa accounting gigawords command in global configuration mode. To disable the counters, use the no form of this command. (Note that gigaword support is automatically configured unless you unconfigure it using the no form of the command.)

aaa accounting gigawords

no aaa accounting gigawords

Syntax Description

This command has no arguments or keywords.

Command Default

If this command is not configured, the 64-bit, high-capacity counters that support RADIUS attributes 52 and 53 are automatically enabled.

Command Modes


Global configuration

Command History

Release

Modification

12.2(13.7)T

This command was introduced.

Usage Guidelines

The AAA high-capacity counter process takes approximately 8 percent CPU memory for 24,000 (24 K) sessions running under steady state.

If you have entered the no form of this command to turn off the 64-bit counters and you want to reenable them, you will need to enter the aaa accounting gigawords command. Also, once you have entered the no form of the command , it takes a reload of the router to actually disable the use of the 64-bit counters.
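What the 64-bit counters change on the wire is worth seeing in numbers. RADIUS attributes 42 and 43 (Acct-Input-Octets and Acct-Output-Octets, RFC 2866) are 32-bit, so a session that moves more than 4 GiB wraps them; attributes 52 and 53 (Acct-Input-Gigawords and Acct-Output-Gigawords, RFC 2869) carry the high-order bits. The Python below is an added example, not code from the Cisco reference, showing how a collector must recombine the attributes and what it sees from a router on which gigaword support was disabled; the record values are constructed.

```python
WORD = 1 << 32  # one "gigaword": the 32-bit octet counter wraps at this value


def split_counter(total_bytes):
    """Split a 64-bit byte count into the (octets, gigawords) pair a NAS with
    gigaword support reports in attributes 42/43 and 52/53."""
    return total_bytes % WORD, total_bytes // WORD


def join_counter(octets, gigawords=0):
    """Recombine the attributes into the true 64-bit count on the collector.

    A router configured with 'no aaa accounting gigawords' sends no attribute
    52/53, so gigawords defaults to 0 and any count past 4 GiB is silently
    truncated to the low 32 bits.
    """
    return gigawords * WORD + octets


def session_bytes(record):
    """Total input plus output bytes from one Stop or Interim-Update record dict."""
    rx = join_counter(record.get("Acct-Input-Octets", 0),
                      record.get("Acct-Input-Gigawords", 0))
    tx = join_counter(record.get("Acct-Output-Octets", 0),
                      record.get("Acct-Output-Gigawords", 0))
    return rx + tx


# Constructed example: a session that received 5 GiB and sent 4 KiB.
FIVE_GIB = 5 * (1 << 30)
EXAMPLE_RECORD = dict(
    zip(("Acct-Input-Octets", "Acct-Input-Gigawords"), split_counter(FIVE_GIB)),
    **{"Acct-Output-Octets": 4096},
)
```

For the 5 GiB session the NAS reports octets = 1 GiB and gigawords = 1; a collector that ignores attribute 52, or a router with the counters disabled, accounts for only 1 GiB, which is the reason a usage-based control that relies on these records should treat a missing gigawords attribute as a configuration fault rather than as zero.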


Note


The aaa accounting gigawords command does not show up in the running configuration unless the no form of the command is used in the configuration.


Examples

The following example shows that the AAA 64-bit counters have been disabled:


no aaa accounting gigawords

aaa accounting include auth-profile

To include authorization profile attributes for the AAA accounting records, use the aaa accounting include auth-profile command in global configuration mode. To disable the authorization profile, use the no form of this command.

aaa accounting include auth-profile {delegated-ipv6-prefix | framed-ip-address | framed-ipv6-prefix}

no aaa accounting include auth-profile {delegated-ipv6-prefix | framed-ip-address | framed-ipv6-prefix}

Syntax Description

delegated-ipv6-prefix

Includes the delegated-IPv6-Prefix profile in accounting records.

framed-ip-address

Includes the Framed-IP-Address profile in accounting records.

framed-ipv6-prefix

Includes the Framed-IPv6-Prefix profile in accounting records.

Command Default

The authorization profile is included in the AAA accounting records.

Command Modes


Global configuration (config)

Command History

Release

Modification

15.1(1)T

This command was introduced in a release earlier than Cisco IOS Release 15.1(1)T.

Usage Guidelines

The aaa accounting include auth-profile command can also be used for a dual-stack session if the negotiation between IPv4 and IPv6 is successful.

Examples

The following example shows how to include the delegated-IPv6-Prefix profile in the AAA accounting records:


Router(config)# aaa accounting include auth-profile delegated-ipv6-prefix

aaa accounting jitter maximum

To provide an interval of time between records so that the AAA server does not get overwhelmed by a constant stream of records, use the aaa accounting jitter maximum command in global configuration mode. To return to the default interval, use the no form of this command.

aaa accounting jitter maximum max-value

no aaa accounting jitter

Syntax Description

max-value

Allows the maximum jitter value from 0 to 2147483 seconds to be set in periodic accounting. The value 0 turns off jitter.

Command Default

Jitter is set to 300 seconds (5 minutes) by default.

Command Modes


Global configuration

Command History

Release

Modification

12.4(20)T

This command was introduced.

Usage Guidelines

If certain applications require that periodic records be sent at exact intervals, disable jitter by setting it to 0.
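The load-spreading effect that this command exists for is easiest to see with aligned timers, for example the periodic records of every session that came up together after a reload. The following Python simulation is an added example, not code from the Cisco reference; the reference states only that the value is a maximum, so the uniform-random model of how the jitter is applied is an assumption, as are the session count and interval.

```python
import random


def interim_schedule(session_starts, interval, jitter_max, seed=1):
    """Send time of the next periodic (interim) accounting record per session.

    Assumed model, since the reference only says the value is a maximum: each
    timer fires at interval seconds plus a uniformly random extra delay in
    [0, jitter_max]; jitter_max = 0 gives exact intervals. seed makes the
    schedule reproducible for the worked example.
    """
    rng = random.Random(seed)
    return [start + interval + (rng.uniform(0, jitter_max) if jitter_max else 0.0)
            for start in session_starts]


def peak_records_per_second(times):
    """Largest number of records that land in any one-second bucket."""
    buckets = {}
    for t in times:
        buckets[int(t)] = buckets.get(int(t), 0) + 1
    return max(buckets.values(), default=0)


# Constructed scenario: 120 sessions that all came up at once, e.g. after a
# reload, so their periodic timers are aligned.
ALIGNED_STARTS = [0.0] * 120
```

With jitter 0 all 120 records arrive in the same second; with a 60-second maximum they land between 600 and 660 seconds and the per-second peak drops to a handful, which is the trade-off the usage guideline describes: exact timing for applications that need it, a flatter load on the server otherwise.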

Examples

The following example sets the maximum jitter value to 20 seconds:


aaa accounting jitter maximum 20

aaa accounting nested

To specify that NETWORK records be generated, or nested, within EXEC “start” and “stop” records for PPP users who start EXEC terminal sessions, use the aaa accounting nested command in global configuration mode. To allow the sending of records for users with a NULL username, use the no form of this command.

aaa accounting nested [suppress stop]

no aaa accounting nested [suppress stop]

Syntax Description

suppress stop

(Optional) Prevents sending a multiple set of records (one from EXEC and one from PPP) for the same client.

Command Default

Disabled

Command Modes


Global configuration (config)

Command History

Release

Modification

12.0(5)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(11)T

The suppress and stop keywords were added.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Use the aaa accounting nested command when you want to specify that NETWORK records be nested within EXEC “start” and “stop” records, such as for PPP users who start EXEC terminal sessions. In some cases, such as billing customers for specific services, it can be desirable to keep NETWORK “start” and “stop” records together, essentially nesting them within the framework of the EXEC “start” and “stop” messages. For example, if you dial in using PPP, you can create the following records: EXEC-start, NETWORK-start, EXEC-stop, and NETWORK-stop. By using the aaa accounting nested command to generate accounting records, NETWORK-stop records follow NETWORK-start messages: EXEC-start, NETWORK-start, NETWORK-stop, EXEC-stop.

Use the aaa accounting nested suppress stop command to suppress the sending of EXEC-stop accounting records and to send only PPP accounting records.

Examples

The following example enables nesting of NETWORK accounting records for user sessions:


Router(config)# aaa accounting nested

The following example disables nesting of EXEC accounting records for user sessions:


Router(config)# aaa accounting nested suppress stop
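The two record orderings described in the usage guidelines above, as an added example that is not part of the Cisco documentation: a small Python validator that pairs each start record with its stop record for one user session and reports whether the records arrived in the nested order. The record names (EXEC-start, NETWORK-stop, and so on) and the input sequences are constructed for the example; the suppress stop case shows up as an EXEC start that is never closed.

```python
# Added example, not Cisco code: check whether a stream of accounting records
# for one user session has the nested order that "aaa accounting nested"
# produces (NETWORK start/stop enclosed by EXEC start/stop) and pair every
# start with its stop. Record names such as "EXEC-start" are constructed here.

def pair_records(records):
    """Return (nested, pairs, unclosed).

    records : sequence of "<SERVICE>-start" / "<SERVICE>-stop" strings.
    nested  : True when every stop closed the most recently opened service,
              i.e. the stack order EXEC-start, NETWORK-start, NETWORK-stop,
              EXEC-stop; False for the interleaved default order.
    pairs   : (service, start_index, stop_index) in the order stops arrived.
    unclosed: (service, start_index) for starts that never got a stop, which
              is what "suppress stop" leaves behind for the EXEC record.
    """
    open_sessions = []   # (service, index), most recently started last
    pairs = []
    nested = True
    for i, rec in enumerate(records):
        service, sep, action = rec.rpartition("-")
        if not sep or action not in ("start", "stop"):
            raise ValueError(f"unrecognised accounting record: {rec!r}")
        if action == "start":
            open_sessions.append((service, i))
            continue
        # find the most recent open start for this service
        match = None
        for j in range(len(open_sessions) - 1, -1, -1):
            if open_sessions[j][0] == service:
                match = j
                break
        if match is None:
            raise ValueError(f"{rec!r} at position {i} has no matching start")
        if match != len(open_sessions) - 1:
            nested = False   # this stop crossed a still-open inner session
        _, start_i = open_sessions.pop(match)
        pairs.append((service, start_i, i))
    return nested, pairs, open_sessions


if __name__ == "__main__":
    # constructed sequences: the nested form, the default interleaved form,
    # and the nested form with "suppress stop" (no EXEC-stop is sent)
    for seq in (["EXEC-start", "NETWORK-start", "NETWORK-stop", "EXEC-stop"],
                ["EXEC-start", "NETWORK-start", "EXEC-stop", "NETWORK-stop"],
                ["EXEC-start", "NETWORK-start", "NETWORK-stop"]):
        print(seq, "->", pair_records(seq))
```

The check is deliberately per session: in a real accounting feed the records must first be grouped by the session identifier before the ordering means anything.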

aaa accounting redundancy

To set the Accounting, Authorization, and Authentication (AAA) platform redundancy accounting behavior, use the aaa accounting redundancy command in global configuration mode. To disable the accounting behavior, use the no form of this command.

aaa accounting redundancy {best-effort-reuse [send-interim] | new-session | suppress system-records}

no aaa accounting redundancy {best-effort-reuse [send-interim] | new-session | suppress system-records}

Syntax Description

best-effort-reuse

Tracks redundant accounting sessions as existing sessions after switchover.

send-interim

(Optional) Sends an interim accounting update after switchover.

new-session

Tracks redundant accounting sessions as new sessions after switchover.

suppress

Suppresses specific records upon switchover.

system-records

Suppresses system records upon switchover.

Command Default

A redundant session is set as a new session upon switchover.

Command Modes


Global configuration (config)

Command History

Release

Modification

15.0(1)M

This command was introduced in a release earlier than Cisco IOS Release 15.0(1)M.

Cisco IOS XE Release 2.6

This command was integrated into Cisco IOS XE Release 2.6.

Cisco IOS XE Release 3.5S

This command was modified. The send-interim keyword was added.

Usage Guidelines

Use the aaa accounting redundancy command to specify the AAA platform redundancy accounting behavior. This command also enables you to track the redundant sessions or existing sessions upon switchover.

Use the send-interim keyword to send the interim accounting record first after a switchover. The router sends the interim update for all sessions that survived the switchover as soon as the standby processor becomes active.

Examples

The following example shows how to set the AAA platform redundancy accounting behavior to track redundant sessions as existing sessions upon switchover:


Router(config)# aaa accounting redundancy best-effort-reuse

The following example shows how to enable the router to send the interim accounting record first after a switchover:


Router(config)# aaa accounting redundancy best-effort-reuse send-interim

aaa accounting resource start-stop group

To enable full resource accounting, which will generate both a “start” record at call setup and a “stop” record at call termination, use the aaa accounting resource start-stop group command in global configuration mode. To disable full resource accounting, use the no form of this command.

aaa accounting resource method-list start-stop [broadcast] group groupname

no aaa accounting resource method-list start-stop [broadcast] group groupname

Syntax Description

method-list

Method used for accounting services. Use one of the following options:

  • default : Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.

  • string : Character string used to name the list of accounting methods.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

groupname

Specifies the server group to be used for accounting services. The following are valid server group names:

  • string : Character string used to name a server group.

  • radius : Uses the list of all RADIUS hosts.

  • tacacs+ : Uses the list of all TACACS+ hosts.

Command Default

No default behavior or values.

Command Modes


Global configuration

Command History

Release

Modification

12.1(3)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Use the aaa accounting resource start-stop group command to send a “start” record at each call setup followed by a corresponding “stop” record at the call disconnect. There is a separate “call setup-call disconnect start-stop accounting” record tracking the progress of the resource connection to the device, and a separate “user authentication start-stop accounting” record tracking the user management progress. These two sets of accounting records are interlinked by using a unique session ID for the call.

You may want to use this command to manage and monitor wholesale customers from one source of data reporting, such as accounting records.


Note

Sending “start-stop” records for resource allocation along with user “start-stop” records during user authentication can lead to serious performance issues and is discouraged unless absolutely required.

All existing AAA accounting method list and server group options are made available to this command.

Examples

The following example shows how to configure resource accounting for “start-stop” records:


aaa new-model
aaa authentication login AOL group radius local
aaa authentication ppp default group radius local
aaa authorization exec AOL group radius if-authenticated
aaa authorization network default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting resource default start-stop group radius

aaa accounting resource stop-failure group

To enable resource failure stop accounting support, which will generate a “stop” record at any point prior to user authentication only if a call is terminated, use the aaa accounting resource stop-failure group command in global configuration mode. To disable resource failure stop accounting, use the no form of this command.

aaa accounting resource method-list stop-failure [broadcast] group groupname

no aaa accounting resource method-list stop-failure [broadcast] group groupname

Syntax Description

method-list

Method used for accounting services. Use one of the following options:

  • default : Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.

  • string : Character string used to name the list of accounting methods.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

groupname

Group to be used for accounting services. Use one of the following options:

  • string : Character string used to name a server group.

  • radius : Uses the list of all RADIUS hosts.

  • tacacs+ : Uses the list of all TACACS+ hosts.

Command Default

No default behavior or values.

Command Modes


Global configuration

Command History

Release

Modification

12.1(3)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Use the aaa accounting resource stop-failure group command to generate a “stop” record for any calls that do not reach user authentication; this function creates “stop” accounting records for the moment of call setup. All calls that pass user authentication will behave as before; that is, no additional accounting records will be seen.

All existing authentication, authorization, and accounting (AAA) accounting method list and server group options are made available to this command.

Examples

The following example shows how to configure “stop” accounting records from the moment of call setup:


aaa new-model
aaa authentication login AOL group radius local
aaa authentication ppp default group radius local
aaa authorization exec AOL group radius if-authenticated
aaa authorization network default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting resource default stop-failure group radius

aaa accounting send counters ipv6

To send IPv6 counters in the stop record to the accounting server, use the aaa accounting send counters ipv6 command in global configuration mode. To stop sending IPv6 counters, use the no form of this command.

aaa accounting send counters ipv6

no aaa accounting send counters ipv6

Syntax Description

This command has no arguments or keywords.

Command Default

IPv6 counters in the stop records are not sent to the accounting server.

Command Modes


Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Release 2.6

This command was introduced.

Usage Guidelines

The aaa accounting send counters ipv6 command sends IPv6 counters in the stop record to the accounting server.

Examples

The following example shows how to enable the router to send IPv6 counters in the stop record to the accounting server:


Router(config)# aaa accounting send counters ipv6

aaa accounting send stop-record always

To send a stop record whether or not a start record was sent, use the aaa accounting send stop-record always command in global configuration mode. To disable sending a stop record, use the no form of this command.

aaa accounting send stop-record always

no aaa accounting send stop-record always

Syntax Description

This command has no arguments or keywords.

Command Default

A stop record is not sent.

Command Modes


Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Release 3.2S

This command was introduced.

Usage Guidelines

When the aaa accounting send stop-record always command is enabled, accounting stop records are sent, even if their corresponding accounting starts were not sent out previously. This command enables stop records to be sent whether local authentication, or other authentication, is configured.

When a session is terminated on a Network Control Protocol (NCP) timeout, a stop record needs to be sent, even if a start record was not sent.

Examples

The following example shows how to enable stop records to be sent always when an NCP timeout occurs, whether or not a start record was sent:


Router(config)# aaa accounting send stop-record always

aaa accounting send stop-record authentication

To refine generation of authentication, authorization, and accounting (AAA) accounting “stop” records, use the aaa accounting send stop-record authentication command in global configuration mode. To end generation of accounting stop records, use the no form of this command that is appropriate.

aaa accounting send stop-record authentication {failure | success remote-server} [vrf vrf-name]

Failed Calls: End Accounting Stop Record Generation

no aaa accounting send stop-record authentication failure [vrf vrf-name]

Successful Calls: End Accounting Stop Record Generation

no aaa accounting send stop-record authentication success remote-server [vrf vrf-name]

Syntax Description

failure

Used to generate accounting “stop” records for calls that fail to authenticate at login or during session negotiation.

success

  • Used to generate accounting “stop” records for calls that have been authenticated by the remote AAA server. A “stop” record will be sent after the call is terminated.

  • Used to generate accounting “stop” records for calls that have not been authenticated by the remote AAA server. A “stop” record will be sent if one of the following states is true:
    • The start record has been sent.
    • The call is successfully established and is terminated with the “stop-only” configuration.

remote-server

Used to specify that the remote server is to be used.

vrf vrf-name

(Optional) Used to enable this feature for a particular Virtual Private Network (VPN) routing and forwarding configuration.

Command Default

Accounting “stop” records are sent only if one of the following is true:

  • A start record has been sent.

  • The call is successfully established with the “stop-only” configuration and is terminated.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.0(5)T

This command was introduced.

12.2(1)DX

The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.

12.2(2)DD

This command was integrated into Cisco IOS Release 12.2(2)DD.

12.2(4)B

This command was integrated into Cisco IOS Release 12.2(4)B.

12.2(13)T

The vrf keyword and vrf-name argument were added.

12.4(2)T

The success and remote-server keywords were added.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Cisco IOS XE Release 2.6

This command was integrated into Cisco IOS XE Release 2.6.

Usage Guidelines

When the aaa accounting command is activated, by default the Cisco IOS software does not generate accounting records for system users who fail login authentication or who succeed in login authentication but fail PPP negotiation for some reason. The aaa accounting command can be configured to send a “stop” record using either the start-stop keyword or the stop-only keyword.

When the aaa accounting command is issued with either the start-stop keyword or the stop-only keyword, the “stop” records can be further configured with the aaa accounting send stop-record authentication command. The failure and success keywords are mutually exclusive. If you have the aaa accounting send stop-record authentication command enabled with the failure keyword and then enable the same command with the success keyword, accounting stop records will no longer be generated for failed calls. Accounting stop records are sent for successful calls only until you issue either of the following commands:

  • no aaa accounting send stop-record authentication success remote-server

  • aaa accounting send stop-record authentication failure

When using the failure keyword, a “stop” record will be sent for calls that are rejected during authentication.

When using the success keyword, a “stop” record will be sent for calls that meet one of the following criteria:

  • Calls that are authenticated by a remote AAA server when the call is terminated.

  • Calls that are not authenticated by a remote AAA server and the start record has been sent.

  • Calls that are successfully established and then terminated with the “stop-only” aaa accounting configuration.

Use the vrf vrf-name keyword and argument to generate accounting “stop” records per VPN routing and forwarding configuration.


Note

The success and remote-server keywords are not available in Cisco IOS Release 12.2SX.

Examples

The following example shows how to generate “stop” records for users who fail to authenticate at login or during session negotiation:


aaa accounting send stop-record authentication failure

The following example shows “start” and “stop” records being sent for a successful call when the aaa accounting send stop-record authentication command is issued with the failure keyword:


Router# show running-config | include aaa
 
.
.
.
aaa new-model 
aaa authentication ppp default group radius 
aaa authorization network default local 
aaa accounting send stop-record authentication failure 
aaa accounting network default start-stop group radius 
.
.
.
*Jul  7 03:28:31.543: AAA/BIND(00000018): Bind i/f Virtual-Template2 
*Jul  7 03:28:31.547: ppp14 AAA/AUTHOR/LCP: Authorization succeeds trivially 
*Jul  7 03:28:33.555: AAA/AUTHOR (0x18): Pick method list 'default'
*Jul  7 03:28:33.555: AAA/BIND(00000019): Bind i/f  
*Jul  7 03:28:33.555:  Tnl 5192 L2TP: O SCCRQ 
*Jul  7 03:28:33.555:  Tnl 5192 L2TP: O SCCRQ, flg TLS, ver 2, len 141, tnl 0, 
ns 0, nr 0
         C8 02 00 8D 00 00 00 00 00 00 00 00 80 08 00 00
         00 00 00 01 80 08 00 00 00 02 01 00 00 08 00 00
         00 06 11 30 80 10 00 00 00 07 4C 41 43 2D 74 75
         6E 6E 65 6C 00 19 00 00 00 08 43 69 73 63 6F 20
         53 79 73 74 65 6D 73 ...
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Parse  AVP 0, len 8, flag 0x8000 (M)
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Parse SCCRP
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Parse  AVP 2, len 8, flag 0x8000 (M)
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Protocol Ver 256
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Parse  AVP 3, len 10, flag 0x8000 (M)
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Framing Cap 0x0
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Parse  AVP 4, len 10, flag 0x8000 (M)
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Bearer Cap 0x0
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 6, len 8, flag 0x0 
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Firmware Ver 0x1120
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 7, len 16, flag 0x8000 (M)
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Hostname LNS-tunnel
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 8, len 25, flag 0x0 
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Vendor Name Cisco Systems, Inc.
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 9, len 8, flag 0x8000 (M)
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Assigned Tunnel ID 6897
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 10, len 8, flag 0x8000 (M)
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Rx Window Size 20050
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 11, len 22, flag 0x8000 (M)
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Chlng  
         81 13 03 F6 A8 E4 1D DD 25 18 25 6E 67 8C 7C 39
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 13, len 22, flag 0x8000 (M)
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Chlng Resp  
         4D 52 91 DC 1A 43 B3 31 B4 F5 B8 E1 88 22 4F 41
*Jul  7 03:28:33.571:  Tnl 5192 L2TP: No missing AVPs in SCCRP
*Jul  7 03:28:33.571:  Tnl 5192 L2TP: I SCCRP, flg TLS, ver 2, len 157, tnl 
5192, ns 0, nr 1
contiguous pak, size 157
         C8 02 00 9D 14 48 00 00 00 00 00 01 80 08 00 00
         00 00 00 02 80 08 00 00 00 02 01 00 80 0A 00 00
         00 03 00 00 00 00 80 0A 00 00 00 04 00 00 00 00
         00 08 00 00 00 06 11 20 80 10 00 00 00 07 4C 4E
         53 2D 74 75 6E 6E 65 6C ...
*Jul  7 03:28:33.571:  Tnl 5192 L2TP: I SCCRP from LNS-tunnel
*Jul  7 03:28:33.571:  Tnl 5192 L2TP: O SCCCN  to LNS-tunnel tnlid 6897
*Jul  7 03:28:33.571:  Tnl 5192 L2TP: O SCCCN, flg TLS, ver 2, len 42, tnl 
6897, ns 1, nr 1
         C8 02 00 2A 1A F1 00 00 00 01 00 01 80 08 00 00
         00 00 00 03 80 16 00 00 00 0D 32 24 17 BC 6A 19
         B1 79 F3 F9 A9 D4 67 7D 9A DB
*Jul  7 03:28:33.571: uid:14 Tnl/Sn 5192/11 L2TP: O ICRQ to LNS-tunnel 6897/0
*Jul  7 03:28:33.571: uid:14 Tnl/Sn 5192/11 L2TP: O ICRQ, flg TLS, ver 2, len 
63, tnl 6897, lsid 11, rsid 0, ns 2, nr 1
         C8 02 00 3F 1A F1 00 00 00 02 00 01 80 08 00 00
         00 00 00 0A 80 0A 00 00 00 0F C8 14 B4 03 80 08
         00 00 00 0E 00 0B 80 0A 00 00 00 12 00 00 00 00
         00 0F 00 09 00 64 0F 10 09 02 02 00 1B 00 00
*Jul  7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Parse  AVP 0, len 8, flag 
0x8000 (M)
*Jul  7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Parse ICRP
*Jul  7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Parse  AVP 14, len 8, flag 
0x8000 (M)
*Jul  7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Assigned Call ID 5
*Jul  7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: No missing AVPs in ICRP
*Jul  7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: I ICRP, flg TLS, ver 2, len 
28, tnl 5192, lsid 11, rsid 0, ns 1, nr 3
contiguous pak, size 28
         C8 02 00 1C 14 48 00 0B 00 01 00 03 80 08 00 00
         00 00 00 0B 80 08 00 00 00 0E 00 05
*Jul  7 03:28:33.579: uid:14 Tnl/Sn 5192/11 L2TP: O ICCN to LNS-tunnel 6897/5
*Jul  7 03:28:33.579: uid:14 Tnl/Sn 5192/11 L2TP: O ICCN, flg TLS, ver 2, len 
167, tnl 6897, lsid 11, rsid 5, ns 3, nr 2
         C8 02 00 A7 1A F1 00 05 00 03 00 02 80 08 00 00
         00 00 00 0C 80 0A 00 00 00 18 06 1A 80 00 00 0A
         00 00 00 26 06 1A 80 00 80 0A 00 00 00 13 00 00
         00 01 00 15 00 00 00 1B 01 04 05 D4 03 05 C2 23
         05 05 06 0A 0B E2 7A ...
*Jul  7 03:28:33.579: RADIUS/ENCODE(00000018):Orig. component type = PPoE
*Jul  7 03:28:33.579: RADIUS(00000018): Config NAS IP: 0.0.0.0
*Jul  7 03:28:33.579: RADIUS(00000018): sending
*Jul  7 03:28:33.579: RADIUS/ENCODE: Best Local IP-Address 192.168.202.169 for 
Radius-Server 192.168.202.169
*Jul  7 03:28:33.579: RADIUS(00000018): Send Accounting-Request to 
172.19.192.238:2196 id 1646/23, len 176
*Jul  7 03:28:33.579: RADIUS:  authenticator 3C 81 D6 C5 2B 6D 21 8E - 19 FF 
43 B5 41 86 A8 A5
*Jul  7 03:28:33.579: RADIUS:  Acct-Session-Id     [44]  10  "00000023"
*Jul  7 03:28:33.579: RADIUS:  Framed-Protocol     [7]   6   
PPP                       [1]
*Jul  7 03:28:33.579: RADIUS:  Tunnel-Medium-Type  [65]  6   
00:IPv4                   [1]
*Jul  7 03:28:33.583: RADIUS:  Tunnel-Client-Endpoi[66]  10  "192.168.202.169"
*Jul  7 03:28:33.583: RADIUS:  Tunnel-Server-Endpoi[67]  10  "192.168.202.169"
*Jul  7 03:28:33.583: RADIUS:  Tunnel-Assignment-Id[82]  5   "lac"
*Jul  7 03:28:33.583: RADIUS:  Tunnel-Type         [64]  6   
00:L2TP                   [3]
*Jul  7 03:28:33.583: RADIUS:  Acct-Tunnel-Connecti[68]  12  "3356800003"
*Jul  7 03:28:33.583: RADIUS:  Tunnel-Client-Auth-I[90]  12  "LAC-tunnel"
*Jul  7 03:28:33.583: RADIUS:  Tunnel-Server-Auth-I[91]  12  "LNS-tunnel"
*Jul  7 03:28:33.583: RADIUS:  User-Name           [1]   16  "user@domain.com"
*Jul  7 03:28:33.583: RADIUS:  Acct-Authentic      [45]  6   
Local                     [2]
*Jul  7 03:28:33.583: RADIUS:  Acct-Status-Type    [40]  6   
Start                     [1]
*Jul  7 03:28:33.583: RADIUS:  NAS-Port-Type       [61]  6   
Virtual                   [5]
*Jul  7 03:28:33.583: RADIUS:  NAS-Port            [5]   6   
0                         
*Jul  7 03:28:33.583: RADIUS:  NAS-Port-Id         [87]  9   "0/0/0/0"
*Jul  7 03:28:33.583: RADIUS:  Service-Type        [6]   6   
Framed                    [2]
*Jul  7 03:28:33.583: RADIUS:  NAS-IP-Address      [4]   6   
192.168.202.169 
*Jul  7 03:28:33.583: RADIUS:  Acct-Delay-Time     [41]  6   
0                         
*Jul  7 03:28:33.683: RADIUS: Received from id 1646/23 192.168.202.169:2196, 
Accounting-response, len 20
*Jul  7 03:28:33.683: RADIUS:  authenticator 1C E9 53 42 A2 8A 58 9A - C3 CC 
1D 79 9F A4 6F 3A

The following example shows the “stop” record being sent when the call is rejected during authentication when the aaa accounting send stop-record authentication command is issued with the success keyword:


Router# show running-config | include aaa
.
.
.
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default local 
aaa accounting send stop-record authentication success remote-server 
aaa accounting network default start-stop group radius
Router#
*Jul  7 03:39:40.199: AAA/BIND(00000026): Bind i/f Virtual-Template2 
*Jul  7 03:39:40.199: ppp21 AAA/AUTHOR/LCP: Authorization succeeds trivially 
*Jul  7 03:39:42.199: RADIUS/ENCODE(00000026):Orig. component type = PPoE
*Jul  7 03:39:42.199: RADIUS:  AAA Unsupported     [156] 7   
*Jul  7 03:39:42.199: RADIUS:   30 2F 30 2F 
30                                   [0/0/0]
*Jul  7 03:39:42.199: RADIUS(00000026): Config NAS IP: 0.0.0.0
*Jul  7 03:39:42.199: RADIUS/ENCODE(00000026): acct_session_id: 55
*Jul  7 03:39:42.199: RADIUS(00000026): sending
*Jul  7 03:39:42.199: RADIUS/ENCODE: Best Local IP-Address 192.168.202.169 for 
Radius-Server 192.168.202.169
*Jul  7 03:39:42.199: RADIUS(00000026): Send Access-Request to 
172.19.192.238:2195 id 1645/14, len 94
*Jul  7 03:39:42.199: RADIUS:  authenticator A6 D1 6B A4 76 9D 52 CF - 33 5D 
16 BE AC 7E 5F A6
*Jul  7 03:39:42.199: RADIUS:  Framed-Protocol     [7]   6   
PPP                       [1]
*Jul  7 03:39:42.199: RADIUS:  User-Name           [1]   16  "user@domain.com"
*Jul  7 03:39:42.199: RADIUS:  CHAP-Password       [3]   19  *
*Jul  7 03:39:42.199: RADIUS:  NAS-Port-Type       [61]  6   
Virtual                   [5]
*Jul  7 03:39:42.199: RADIUS:  NAS-Port            [5]   6   
0                         
*Jul  7 03:39:42.199: RADIUS:  NAS-Port-Id         [87]  9   "0/0/0/0"
*Jul  7 03:39:42.199: RADIUS:  Service-Type        [6]   6   
Framed                    [2]
*Jul  7 03:39:42.199: RADIUS:  NAS-IP-Address      [4]   6   
192.168.202.169 
*Jul  7 03:39:42.271: RADIUS: Received from id 1645/14 192.168.202.169:2195, 
Access-Accept, len 194
*Jul  7 03:39:42.271: RADIUS:  authenticator 30 AD FF 8E 59 0C E4 6C - BA 11 
23 63 81 DE 6F D7
*Jul  7 03:39:42.271: RADIUS:  Framed-Protocol     [7]   6   
PPP                       [1]
*Jul  7 03:39:42.275: RADIUS:  Service-Type        [6]   6   
Framed                    [2]
*Jul  7 03:39:42.275: RADIUS:  Vendor, Cisco       [26]  26  
*Jul  7 03:39:42.275: RADIUS:   Cisco AVpair       [1]   20  "vpdn:tunnel-
id=lac"
*Jul  7 03:39:42.275: RADIUS:  Vendor, Cisco       [26]  29  
*Jul  7 03:39:42.275: RADIUS:   Cisco AVpair       [1]   23  "vpdn:tunnel-
type=l2tp"
*Jul  7 03:39:42.275: RADIUS:  Vendor, Cisco       [26]  30  
*Jul  7 03:39:42.275: RADIUS:   Cisco AVpair       [1]   24  "vpdn:gw-
password=cisco"
*Jul  7 03:39:42.275: RADIUS:  Vendor, Cisco       [26]  31  
*Jul  7 03:39:42.275: RADIUS:   Cisco AVpair       [1]   25  "vpdn:nas-
password=cisco"
*Jul  7 03:39:42.275: RADIUS:  Vendor, Cisco       [26]  34  
*Jul  7 03:39:42.275: RADIUS:   Cisco AVpair       [1]   28  "vpdn:ip-
addresses=192.168.202.169"
*Jul  7 03:39:42.275: RADIUS:  Service-Type        [6]   6   
Framed                    [2]
*Jul  7 03:39:42.275: RADIUS:  Framed-Protocol     [7]   6   
PPP                       [1]
*Jul  7 03:39:42.275: RADIUS(00000026): Received from id 1645/14
*Jul  7 03:39:42.275: ppp21 PPP/AAA: Check Attr: Framed-Protocol
*Jul  7 03:39:42.275: ppp21 PPP/AAA: Check Attr: service-type
*Jul  7 03:39:42.275: ppp21 PPP/AAA: Check Attr: tunnel-id
*Jul  7 03:39:42.275: ppp21 PPP/AAA: Check Attr: tunnel-type
*Jul  7 03:39:42.275: ppp21 PPP/AAA: Check Attr: gw-password
*Jul  7 03:39:42.275: ppp21 PPP/AAA: Check Attr: nas-password
*Jul  7 03:39:42.275: ppp21 PPP/AAA: Check Attr: ip-addresses
*Jul  7 03:39:42.275: ppp21 PPP/AAA: Check Attr: service-type
*Jul  7 03:39:42.275: ppp21 PPP/AAA: Check Attr: Framed-Protocol
*Jul  7 03:39:42.279: AAA/BIND(00000027): Bind i/f  
*Jul  7 03:39:42.279:  Tnl 21407 L2TP: O SCCRQ 
*Jul  7 03:39:42.279:  Tnl 21407 L2TP: O SCCRQ, flg TLS, ver 2, len 134, tnl 
0, ns 0, nr 0
         C8 02 00 86 00 00 00 00 00 00 00 00 80 08 00 00
         00 00 00 01 80 08 00 00 00 02 01 00 00 08 00 00
         00 06 11 30 80 09 00 00 00 07 6C 61 63 00 19 00
         00 00 08 43 69 73 63 6F 20 53 79 73 74 65 6D 73
         2C 20 49 6E 63 2E 80 ...
*Jul  7 03:39:49.279:  Tnl 21407 L2TP: O StopCCN 
*Jul  7 03:39:49.279:  Tnl 21407 L2TP: O StopCCN, flg TLS, ver 2, len 66, tnl 
0, ns 1, nr 0
         C8 02 00 42 00 00 00 00 00 01 00 00 80 08 00 00
         00 00 00 04 80 1E 00 00 00 01 00 02 00 06 54 6F
         6F 20 6D 61 6E 79 20 72 65 74 72 61 6E 73 6D 69
         74 73 00 08 00 09 00 69 00 01 80 08 00 00 00 09
         53 9F
*Jul  7 03:39:49.279: RADIUS/ENCODE(00000026):Orig. component type = PPoE
*Jul  7 03:39:49.279: RADIUS(00000026): Config NAS IP: 0.0.0.0
*Jul  7 03:39:49.279: RADIUS(00000026): sending
*Jul  7 03:39:49.279: RADIUS/ENCODE: Best Local IP-Address 192.168.202.169 for 
Radius-Server 192.168.202.169
*Jul  7 03:39:49.279: RADIUS(00000026): Send Accounting-Request to 
192.168.202.169:2196 id 1646/32, len 179
*Jul  7 03:39:49.279: RADIUS:  authenticator 0A 85 2F F0 65 6F 25 E1 - 97 54 
CC BF EA F7 62 89
*Jul  7 03:39:49.279: RADIUS:  Acct-Session-Id     [44]  10  "00000037"
*Jul  7 03:39:49.279: RADIUS:  Framed-Protocol     [7]   6   
PPP                       [1]
*Jul  7 03:39:49.279: RADIUS:  Tunnel-Medium-Type  [65]  6   
00:IPv4                   [1]
*Jul  7 03:39:49.279: RADIUS:  Tunnel-Client-Endpoi[66]  10  "192.168.202.169"
*Jul  7 03:39:49.279: RADIUS:  Tunnel-Server-Endpoi[67]  10  "192.168.202.169"
*Jul  7 03:39:49.283: RADIUS:  Tunnel-Type         [64]  6   
00:L2TP                   [3]
*Jul  7 03:39:49.283: RADIUS:  Acct-Tunnel-Connecti[68]  3   "0"
*Jul  7 03:39:49.283: RADIUS:  Tunnel-Client-Auth-I[90]  5   "lac"
*Jul  7 03:39:49.283: RADIUS:  User-Name           [1]   16  "user@domain.com"
*Jul  7 03:39:49.283: RADIUS:  Acct-Authentic      [45]  6   
RADIUS                    [1]
*Jul  7 03:39:49.283: RADIUS:  Acct-Session-Time   [46]  6   
0                         
*Jul  7 03:39:49.283: RADIUS:  Acct-Input-Octets   [42]  6   
0                         
*Jul  7 03:39:49.283: RADIUS:  Acct-Output-Octets  [43]  6   
0                         
*Jul  7 03:39:49.283: RADIUS:  Acct-Input-Packets  [47]  6   
0                         
*Jul  7 03:39:49.283: RADIUS:  Acct-Output-Packets [48]  6   
0                         
*Jul  7 03:39:49.283: RADIUS:  Acct-Terminate-Cause[49]  6   nas-
error                 [9]
*Jul  7 03:39:49.283: RADIUS:  Acct-Status-Type    [40]  6   
Stop                      [2]
*Jul  7 03:39:49.283: RADIUS:  NAS-Port-Type       [61]  6   
Virtual                   [5]
*Jul  7 03:39:49.283: RADIUS:  NAS-Port            [5]   6   
0                         
*Jul  7 03:39:49.283: RADIUS:  NAS-Port-Id         [87]  9   "0/0/0/0"
*Jul  7 03:39:49.283: RADIUS:  Service-Type        [6]   6   
Framed                    [2]
*Jul  7 03:39:49.283: RADIUS:  NAS-IP-Address      [4]   6   
192.168.202.169 
*Jul  7 03:39:49.283: RADIUS:  Acct-Delay-Time     [41]  6   
0                         
*Jul  7 03:39:49.335: RADIUS: Received from id 1646/32 192.168.202.169:2196, 
Accounting-response, len 20
*Jul  7 03:39:49.335: RADIUS:  authenticator C8 C4 61 AF 4D 9F 78 07 - 94 2B 
44 44 17 56 EC 03
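An added example, not part of the Cisco documentation: a Python parser for the debug output format quoted above. It re-joins wrapped lines, collects the attributes of each Accounting-Request, and then lists Stop records whose Acct-Session-Id never had a matching Start in the capture, which is the kind of record the aaa accounting send stop-record authentication command adds for calls that fail before or during authentication. The sample debug text is constructed from the lines shown above (session IDs, addresses and user name copied from them); the regular expressions are written for this line layout only and are an assumption about other debug output.

```python
import re

# Constructed sample modelled on the "debug radius" lines quoted above: a
# Start for session 00000023, then a Stop for session 00000037 that never had
# a Start (the record "send stop-record authentication" adds). Wrapped lines
# are kept as the router prints them so the parser has to re-join them.
SAMPLE_DEBUG = """\
*Jul  7 03:28:33.579: RADIUS(00000018): Send Accounting-Request to
172.19.192.238:2196 id 1646/23, len 176
*Jul  7 03:28:33.579: RADIUS:  Acct-Session-Id     [44]  10  "00000023"
*Jul  7 03:28:33.583: RADIUS:  User-Name           [1]   16  "user@domain.com"
*Jul  7 03:28:33.583: RADIUS:  Acct-Status-Type    [40]  6
Start                     [1]
*Jul  7 03:28:33.583: RADIUS:  NAS-IP-Address      [4]   6
192.168.202.169
*Jul  7 03:28:33.683: RADIUS: Received from id 1646/23 192.168.202.169:2196,
Accounting-response, len 20
*Jul  7 03:39:49.279: RADIUS(00000026): Send Accounting-Request to
192.168.202.169:2196 id 1646/32, len 179
*Jul  7 03:39:49.279: RADIUS:  Acct-Session-Id     [44]  10  "00000037"
*Jul  7 03:39:49.283: RADIUS:  User-Name           [1]   16  "user@domain.com"
*Jul  7 03:39:49.283: RADIUS:  Acct-Session-Time   [46]  6
0
*Jul  7 03:39:49.283: RADIUS:  Acct-Terminate-Cause[49]  6   nas-
error                 [9]
*Jul  7 03:39:49.283: RADIUS:  Acct-Status-Type    [40]  6
Stop                      [2]
*Jul  7 03:39:49.335: RADIUS: Received from id 1646/32 192.168.202.169:2196,
Accounting-response, len 20
"""

# Assumed line layouts (taken from the output quoted on this page only).
SEND_RE = re.compile(r"RADIUS\((?P<ctx>[0-9A-Fa-f]+)\): Send (?P<kind>[\w-]+) "
                     r"to (?P<server>\S+) id (?P<id>\S+),")
ATTR_RE = re.compile(r"RADIUS:\s+(?P<name>[A-Za-z][-\w ]*?)\s*\[(?P<type>\d+)\]"
                     r"\s+\d+\s+(?P<value>.*)$")


def join_wrapped(text):
    """Re-join wrapped debug lines: a line not starting with the '*' timestamp
    marker continues the previous one. A previous line ending in '-' was split
    inside a token ('nas-' / 'error'), so it is joined without a space."""
    out = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("*") or not out:
            out.append(line)
        elif out[-1].endswith("-"):
            out[-1] += line.lstrip()
        else:
            out[-1] += " " + line.lstrip()
    return out


def parse_value(value):
    """Quoted strings lose their quotes; enumerated values such as
    'Start [1]' or 'nas-error [9]' keep only the symbolic name."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def parse_accounting_requests(text):
    """Return one {"ctx", "server", "attrs"} dict per Accounting-Request,
    in the order the router sent them."""
    records, current = [], None
    for line in join_wrapped(text):
        m = SEND_RE.search(line)
        if m:
            current = None
            if m.group("kind") == "Accounting-Request":
                current = {"ctx": m.group("ctx"), "server": m.group("server"), "attrs": {}}
                records.append(current)
            continue
        if current is None:
            continue
        if "RADIUS: Received from" in line:      # server reply ends the request
            current = None
            continue
        m = ATTR_RE.search(line)
        if m:
            current["attrs"][m.group("name").strip()] = parse_value(m.group("value"))
    return records


def find_orphan_stops(records):
    """Stop records whose Acct-Session-Id had no Start in the same capture.
    With the stop-record command enabled these are expected for calls that
    failed before or during authentication, so the user and terminate cause
    are what an analyst wants to see for them."""
    started, orphans = set(), []
    for rec in records:
        a = rec["attrs"]
        sid, status = a.get("Acct-Session-Id"), a.get("Acct-Status-Type")
        if status == "Start":
            started.add(sid)
        elif status == "Stop" and sid not in started:
            orphans.append({"session": sid, "user": a.get("User-Name"),
                            "cause": a.get("Acct-Terminate-Cause"),
                            "session_time": a.get("Acct-Session-Time")})
    return orphans


if __name__ == "__main__":
    for orphan in find_orphan_stops(parse_accounting_requests(SAMPLE_DEBUG)):
        print(orphan)
```

Because the Stop for a failed call carries Acct-Session-Time 0 and a terminate cause, a feed of such records is a cheap way to count calls that never completed authentication on a given NAS without enabling extra debugging.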

aaa accounting session-duration ntp-adjusted

To calculate RADIUS attribute 46, Acct-Sess-Time, on the basis of the Network Time Protocol (NTP) clock time, use the aaa accounting session-duration ntp-adjusted command in global configuration mode. To disable the calculation that was configured on the basis of the NTP clock time, use the no form of this command.

aaa accounting session-duration ntp-adjusted

no aaa accounting session-duration ntp-adjusted

Syntax Description

This command has no arguments or keywords.

Command Default

If this command is not configured, RADIUS attribute 46 is calculated on the basis of the 64-bit monotonically increasing counter, which is not NTP adjusted.

Command Modes


Global configuration

Command History

Release

Modification

12.2(4)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

If this command is not configured, RADIUS attribute 46 can skew the session time by as much as 5 to 7 seconds for calls that have a duration of more than 24 hours. However, you may not want to configure the command for short-lived calls or if your device is up for only a short time because of the convergence time required if the session time is configured on the basis of the NTP clock time.

For RADIUS attribute 46 to reflect the NTP-adjusted time, you must configure the ntp server command as well as the aaa accounting session-duration ntp-adjusted command.

Examples

The following example shows that the attribute 46 session time is to be calculated on the basis of the NTP clock time:


aaa new-model
aaa authentication ppp default group radius
aaa accounting session-duration ntp-adjusted
aaa accounting network default start-stop group radius

aaa accounting suppress null-username

To prevent the Cisco IOS software from sending accounting records for users whose username string is NULL, use the aaa accounting suppress null-username command in global configuration mode. To allow sending records for users with a NULL username, use the no form of this command.

aaa accounting suppress null-username

no aaa accounting suppress null-username

Syntax Description

This command has no arguments or keywords.

Command Default

Disabled

Command Modes


Global configuration

Command History

Release

Modification

11.2

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

When aaa accounting is activated, the Cisco IOS software issues accounting records for all users on the system, including users whose username string, because of protocol translation, is NULL. This command prevents accounting records from being generated for those users who do not have usernames associated with them.

Examples

The following example suppresses accounting records for users who do not have usernames associated with them:


aaa accounting suppress null-username

aaa accounting update

To enable periodic interim accounting records to be sent to the accounting server, use the aaa accounting update command in global configuration mode. To disable interim accounting updates, use the no form of this command.

aaa accounting update [newinfo] [periodic number [jitter maximum max-value]]

no aaa accounting update

Syntax Description

newinfo

(Optional) An interim accounting record is sent to the accounting server whenever there is new accounting information to report relating to the user in question.

periodic

(Optional) An interim accounting record is sent to the accounting server periodically, at the interval given by the number argument.

number

(Optional) Integer specifying number of minutes.

jitter

(Optional) Allows you to set the maximum jitter value in periodic accounting.

maximum max-value

The number of seconds to set for maximum jitter in periodic accounting. The value 0 turns off jitter. Jitter is set to 300 seconds (5 minutes) by default.

Command Default

Disabled

Command Modes


Global configuration

Command History

Release

Modification

11.3

This command was introduced.

12.2(13)T

Introduced support for generation of an additional updated interim accounting record that contains all available attributes when a call leg is connected.

12.2(15)T11

The jitter keyword was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

  • When the aaa accounting update command is activated, the Cisco IOS software issues interim accounting records for all users on the system. If the newinfo keyword is used, interim accounting records will be sent to the accounting server every time there is new accounting information to report. An example would be when IP Control Protocol (IPCP) completes IP address negotiation with the remote peer. The interim accounting record will include the negotiated IP address used by the remote peer.

  • When the gw-accounting aaa command and the aaa accounting update newinfo command and keyword are activated, Cisco IOS software generates and sends an additional updated interim accounting record to the accounting server when a call leg is connected. All attributes (for example, h323-connect-time and backward-call-indicators (BCI)) available at the time of call connection are sent through this interim updated accounting record.

  • When used with the periodic keyword, interim accounting records are sent periodically as defined by the number. The interim accounting record contains all of the accounting information recorded for that user up to the time the accounting record is sent.

  • When using both the newinfo and periodic keywords, interim accounting records are sent to the accounting server every time there is new accounting information to report, and accounting records are sent to the accounting server periodically as defined by the number. For example, if you configure the aaa accounting update newinfo periodic number command, all users currently logged in will continue to generate periodic interim accounting records while new users will generate accounting records based on the newinfo algorithm.

  • Vendor-specific attributes (VSAs) such as h323-connect-time and backward-call-indicator (BCI) are transmitted in the interim update RADIUS message when the aaa accounting update newinfo command and keyword are enabled.

  • Jitter spreads the periodic records over a random interval so that the AAA server is not hit by a burst of records from all sessions at the same instant. If an application requires that periodic records be sent at exact intervals, disable jitter by setting it to 0.


Caution


Using the aaa accounting update periodic command and keyword can cause heavy congestion when many users are logged into the network.


Examples

The following example sends PPP accounting records to a remote RADIUS server. When IPCP completes negotiation, this command sends an interim accounting record to the RADIUS server that includes the negotiated IP address for this user; it also sends periodic interim accounting records to the RADIUS server at 30-minute intervals.


aaa accounting network default start-stop group radius
aaa accounting update newinfo periodic 30

The following example sends an interim accounting record whenever there is new accounting information, sends periodic interim accounting records to the RADIUS server at exact 30-minute intervals, and disables jitter:


aaa accounting update newinfo periodic 30 jitter maximum 0
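The interim records that aaa accounting update produces, and the Acct-Session-Time value that aaa accounting session-duration ntp-adjusted affects, travel in RADIUS Accounting-Request packets (RFC 2866). The integrity of every record rests on the Request Authenticator (MD5 over the packet with a zeroed authenticator field plus the shared secret) and on the Response Authenticator, which binds the server's Accounting-Response to the request it answers. The following Python is an added example, not Cisco IOS code and not part of this reference: it encodes an Interim-Update carrying attributes 40, 41, 44 and 46, computes both authenticators, and verifies them the way an accounting server and a NAS would. The shared secret, username, session ID and the 30-minute session time are constructed values; the NAS address is the one that appears in the debug output above.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2866).
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
USER_NAME = 1
NAS_IP_ADDRESS = 4
ACCT_STATUS_TYPE = 40
ACCT_DELAY_TIME = 41
ACCT_SESSION_ID = 44
ACCT_SESSION_TIME = 46
STATUS_START, STATUS_STOP, STATUS_INTERIM_UPDATE = 1, 2, 3


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute: Type(1) Length(1, including this header) Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([atype, len(value) + 2]) + value


def int_attr(atype: int, n: int) -> bytes:
    return attr(atype, struct.pack("!I", n))


def ipv4_attr(atype: int, dotted: str) -> bytes:
    return attr(atype, bytes(int(o) for o in dotted.split(".")))


def build_accounting_request(identifier: int, secret: bytes, attrs: list) -> bytes:
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """The check an accounting server performs before it trusts a record."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_accounting_response(request: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    authenticator = hashlib.md5(header + request[4:20] + secret).digest()
    return header + authenticator


def verify_accounting_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """The check a NAS performs: the response must be bound to the request it sent."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCOUNTING_RESPONSE or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def parse_attrs(packet: bytes) -> dict:
    """Decode attributes into {type: raw value}; integers stay as 4-byte big-endian."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def session_time(packet: bytes) -> int:
    """Acct-Session-Time (attribute 46) in seconds."""
    return struct.unpack("!I", parse_attrs(packet)[ACCT_SESSION_TIME])[0]


# Constructed sample (not a captured packet): an Interim-Update for a PPP
# session that has been up for 30 minutes, sent from the NAS address above.
SECRET = b"constructed-shared-secret"
INTERIM_UPDATE = build_accounting_request(0x20, SECRET, [
    attr(USER_NAME, b"user1"),
    ipv4_attr(NAS_IP_ADDRESS, "192.168.202.169"),
    int_attr(ACCT_STATUS_TYPE, STATUS_INTERIM_UPDATE),
    attr(ACCT_SESSION_ID, b"00000012"),
    int_attr(ACCT_SESSION_TIME, 1800),
    int_attr(ACCT_DELAY_TIME, 0),
])
RESPONSE = build_accounting_response(INTERIM_UPDATE, SECRET)

if __name__ == "__main__":
    print("request authenticator ok:", verify_accounting_request(INTERIM_UPDATE, SECRET))
    print("response authenticator ok:", verify_accounting_response(INTERIM_UPDATE, RESPONSE, SECRET))
    print("Acct-Session-Time:", session_time(INTERIM_UPDATE))
```

The Accounting-Response is only 20 bytes, exactly as in the debug output above (len 20): it carries no attributes, so its entire value to the NAS is the authenticator, which only a holder of the shared secret who also saw the request can produce. A server that skips the request check accepts forged or replayed accounting records; a NAS that skips the response check cannot tell a real acknowledgement from a spoofed one.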

aaa attribute

To add calling line identification (CLID) and dialed number identification service (DNIS) attribute values to a user profile, use the aaa attribute command in AAA-user configuration mode. To remove this command from your configuration, use the no form of this command.

aaa attribute {clid | dnis} attribute-value

no aaa attribute {clid | dnis} attribute-value

Syntax Description

clid

Adds CLID attribute values to the user profile.

dnis

Adds DNIS attribute values to the user profile.

attribute-value

Specifies a name for CLID or DNIS attribute values.

Command Default

If this command is not enabled, you will have an empty user profile.

Command Modes


AAA-user configuration

Command History

Release

Modification

12.2(4)T

This command was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRC

This command was integrated into Cisco IOS Release 12.2(33)SRC.

Usage Guidelines

Use the aaa attribute command to add CLID or DNIS attribute values to a named user profile, which is created by using the aaa user profile command. The CLID or DNIS attribute values can be associated with the record that is going out with the user profile (via the test aaa group command), thereby providing the RADIUS server with access to CLID or DNIS information when the server receives a RADIUS record.

Examples

The following example shows how to add CLID and DNIS attribute values to the user profile “cat”:


aaa user profile cat
 aaa attribute clid clidval
 aaa attribute dnis dnisval

aaa attribute list

To define an authentication, authorization, and accounting (AAA) attribute list locally on a router, use the aaa attribute list command in global configuration mode or IKEv2 authorization policy configuration mode. To remove the AAA attribute list, use the no form of this command.

aaa attribute list list-name

no aaa attribute list list-name

Syntax Description

list-name

Name of the aaa attribute list.

Command Default

A local attribute list is not defined.

Command Modes


Global configuration (config)

IKEv2 authorization policy configuration (config-ikev2-author-policy)

Command History

Release

Modification

12.3(7)XI1

This command was introduced.

12.3(14)T

This command was integrated into Cisco IOS Release 12.3(14)T.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

There is no limit to the number of lists that can be defined (except for NVRAM storage limits).

In IKEv2 authorization policy configuration mode, use this command to refer to an AAA attribute list that has already been defined in global configuration mode. Among other AAA attributes, the list can carry the interface-config attribute, which applies interface configuration mode commands to the virtual access interface associated with the session.

Examples

The following example shows that the attribute list named “TEST” is to be added to the subscriber profile “cisco.com”:


aaa authentication ppp template1 local
aaa authorization network template1 local
!
aaa attribute list TEST
   attribute type interface-config "ip unnumbered FastEthernet0" service ppp protocol lcp
   attribute type interface-config "ip vrf forwarding blue" service ppp protocol lcp
!
ip vrf blue
 description vrf blue template1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
subscriber authorization enable
!
subscriber profile cisco.com
 service local
 aaa attribute list TEST
!
bba-group pppoe grp1
 virtual-template 1
 service profile cisco.com
!
interface Virtual-Template1
 no ip address
 no snmp trap link-status
 no peer default ip address
 no keepalive
 ppp authentication pap template1
 ppp authorization template1
!

The following example shows how to configure an AAA attribute list named attr-list1, containing interface-config attributes, that is referenced from an IKEv2 authorization policy:

!
aaa attribute list attr-list1
attribute type interface-config "ip mtu 1100"
attribute type interface-config "tunnel key 10"
!
!
crypto ikev2 authorization policy pol1
 aaa attribute list attr-list1
!

aaa authentication (IKEv2 profile)

To specify the AAA authentication list for Extensible Authentication Protocol (EAP) authentication, use the aaa authentication command in IKEv2 profile configuration mode. To remove the AAA authentication for EAP, use the no form of this command.

aaa authentication eap list-name

no aaa authentication eap

Syntax Description

eap

Specifies the external EAP server for the authentication list.

list-name

Name of the AAA authentication list.

Command Default

AAA authentication for EAP is not specified.

Command Modes


IKEv2 profile configuration (config-ikev2-profile)

Command History

Release

Modification

15.1(3)T

This command was introduced.

Cisco IOS XE Release 3.3S

This command was integrated into Cisco IOS XE Release 3.3S.

Usage Guidelines

Use this command to specify the AAA authentication list for EAP authentication. The crypto ikev2 profile command must be enabled before this command is executed.

Examples

The following example shows how to configure the remote access server using the remote EAP authentication method with an external EAP server:


Router(config)# aaa new-model
Router(config)# aaa authentication login aaa-eap-list group radius
Router(config)# crypto ikev2 profile profile2
Router(config-ikev2-profile)# authentication remote eap
Router(config-ikev2-profile)# aaa authentication eap aaa-eap-list

The following example shows how to configure the remote access server using the remote EAP authentication method with a local and external EAP server:


Router(config)# aaa new-model
Router(config)# aaa authentication login aaa-eap-list group radius
Router(config)# aaa authentication login aaa-eap-local-list group tacacs+
Router(config)# crypto ikev2 profile profile2
Router(config-ikev2-profile)# authentication remote eap
Router(config-ikev2-profile)# authentication remote eap-local
Router(config-ikev2-profile)# aaa authentication eap aaa-eap-list
Router(config-ikev2-profile)# aaa authentication eap-local aaa-eap-local-list

aaa authentication (WebVPN)

To configure authentication, authorization, and accounting (AAA) authentication for SSL VPN sessions, use the aaa authentication command in webvpn context configuration mode. To remove the AAA configuration from the SSL VPN context configuration, use the no form of this command.

aaa authentication {domain name | list name}

no aaa authentication {domain | list}

Syntax Description

domain name

Configures authentication using the specified domain name.

list name

Configures authentication using the specified list name.

Command Default

If this command is not configured or if the no form of this command is entered, the SSL VPN gateway will use global AAA parameters (if configured).

Command Modes


Webvpn context configuration

Command History

Release

Modification

12.4(6)T

This command was introduced.

Usage Guidelines

The aaa authentication command is entered to specify an authentication list or domain under an SSL VPN context configuration. If this command is not configured and AAA is configured globally on the router, the global authentication configuration is applied to the context.

The database that is configured for remote-user authentication on the SSL VPN gateway can be a local database, or the database can be accessed through any RADIUS or TACACS+ AAA server.

We recommend that you use a separate AAA server, such as a Cisco Access Control Server (ACS). A separate AAA server provides a more robust security solution. It allows you to configure unique passwords for each remote user and accounting and logging for remote-user sessions.

Examples

The following example configures local AAA for remote-user connections. Notice that the aaa authentication command is not configured in a context configuration.


Router (config)# aaa new-model
Router (config)# username USER1 secret 0 PsW2143
Router (config)# aaa authentication login default local

Examples

The following example configures a RADIUS server group, defines a login method list that uses that group, and references the list under the SSL VPN context configuration.


Router (config)# aaa new-model
Router (config)# radius-server host 10.1.1.20 auth-port 1645 acct-port 1646
Router (config)# aaa group server radius myServer
Router (config-sg-radius)# server 10.1.1.20 auth-port 1645 acct-port 1646
Router (config-sg-radius)# exit
Router (config)# aaa authentication login sslvpn-list group myServer
Router (config)# webvpn context context1
Router (config-webvpn-context)# aaa authentication list sslvpn-list
Router (config-webvpn-context)# exit

aaa authentication arap

To enable an authentication, authorization, and accounting (AAA) authentication method for AppleTalk Remote Access (ARA), use the aaa authentication arap command in global configuration mode. To disable this authentication, use the no form of this command.

aaa authentication arap {default | list-name} method1 [method2 . . . ]

no aaa authentication arap {default | list-name} method1 [method2 . . . ]

Syntax Description

default

Uses the listed methods that follow this argument as the default list of methods when a user logs in.

list-name

Character string used to name the following list of authentication methods tried when a user logs in.

method1 [method2... ]

At least one of the keywords described in the table below.

Command Default

If the default list is not set, only the local user database is checked. This has the same effect as the following command:


aaa authentication arap default local

Command Modes


Global configuration

Command History

Release

Modification

10.3

This command was introduced.

12.0(5)T

Group server and local-case support were added as method keywords for this command.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

The list names and default that you set with the aaa authentication arap command are used with the arap authentication command. Note that ARAP guest logins are disabled by default when you enable AAA. To allow guest logins, you must use either the guest or auth-guest method listed in the table below. You can only use one of these methods; they are mutually exclusive.

Create a list by entering the aaa authentication arap list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries in the given sequence. See the table below for descriptions of method keywords.

To create a default list that is used if no list is specified in the arap authentication command, use the default keyword followed by the methods you want to be used in default situations.

The additional methods of authentication are used only if the previous method returns an error, not if it fails.

Use the more system:running-config command to view currently configured lists of authentication methods.


Note


In the table below, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.


Table 2. aaa authentication arap Methods

Keyword

Description

guest

Allows guest logins. This method must be the first method listed, but it can be followed by other methods if it does not succeed.

auth-guest

Allows guest logins only if the user has already logged in to EXEC. This method must be the first method listed, but can be followed by other methods if it does not succeed.

line

Uses the line password for authentication.

local

Uses the local username database for authentication.

local-case

Uses case-sensitive local username authentication.

group radius

Uses the list of all RADIUS servers for authentication.

group tacacs+

Uses the list of all TACACS+ servers for authentication.

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

Examples

The following example creates a list called MIS-access, which first tries TACACS+ authentication and then none. Because none is the final method, a user is admitted without authentication whenever every TACACS+ server returns an error (for example, none of them is reachable); a rejection from a TACACS+ server does not fall through to none.


aaa authentication arap MIS-access group tacacs+ none

The following example creates the same list, but sets it as the default list that is used for all ARA protocol authentications if no other list is specified:


aaa authentication arap default group tacacs+ none

aaa authentication attempts login

To set the maximum number of login attempts that will be permitted before a session is dropped, use the aaa authentication attempts login command in global configuration mode. To reset the number of attempts to the default, use the no form of this command.

aaa authentication attempts login number-of-attempts

no aaa authentication attempts login

Syntax Description

number-of-attempts

Number of login attempts. Range is from 1 to 25. Default is 3.

Command Default

3 attempts

Command Modes


Global configuration

Command History

Release

Modification

12.2T

This command was introduced.

Usage Guidelines

The aaa authentication attempts login command configures the number of times a router will prompt for username and password before a session is dropped.

The aaa authentication attempts login command can be used only if the aaa new-model command is configured.

Examples

The following example configures a maximum of 5 attempts at authentication for login:


aaa authentication attempts login 5

aaa authentication auto (WebVPN)

To allow automatic authentication for Secure Socket Layer virtual private network (SSL VPN) users, use the aaa authentication auto command in webvpn context configuration mode. To disable automatic authentication, use the no form of this command.

aaa authentication auto

no aaa authentication auto

Syntax Description

This command has no arguments or keywords.

Command Default

Automatic authentication is not allowed.

Command Modes


Webvpn context (config-webvpn-context)

Command History

Release

Modification

12.4(20)T

This command was introduced.

Usage Guidelines

Configuring this command allows users to supply their usernames and passwords in the gateway page URL, so they do not have to enter them again on the login page.

A user can embed his or her username and password in the URL using the following format:


http://<gateway-address>/<vw_context>/webvpnauth?username:password

Because the credentials travel in the URL, they can be recorded wherever URLs are kept: browser history, bookmarks, proxy logs, and the gateway's own access logs. Enable this command only where that exposure is acceptable.

Examples

The following example shows that automatic authentication has been configured for users:


Router (config)# webvpn context context1
Router (config-webvpn-context)# aaa authentication auto

aaa authentication banner

To configure a personalized banner that will be displayed at user login, use the aaa authentication banner command in global configuration mode. To remove the banner, use the no form of this command.

aaa authentication banner dstringd

no aaa authentication banner

Syntax Description

d

Any delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

string

Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.

Command Default

Not enabled

Command Modes


Global configuration

Command History

Release

Modification

11.3(4)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Use the aaa authentication banner command to create a personalized message that appears when a user logs in to the system. This message or banner will replace the default message for user login.

To create a login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.


Note


The AAA authentication banner message is not displayed if TACACS+ is the first method in the method list. With CSCum15057, the AAA authentication banner message is always printed if the user logs into the system using the Secure Shell (SSH) server.


Examples

The following example shows the default login message if aaa authentication banner is not configured. (RADIUS is specified as the default login authentication method.)


aaa new-model
aaa authentication login default group radius

This configuration produces the following standard output:


User Verification Access
Username:
Password:

The following example configures a login banner (in this case, the phrase “Unauthorized use is prohibited.”) that will be displayed when a user logs in to the system. In this case, the asterisk (*) symbol is used as the delimiter. (RADIUS is specified as the default login authentication method.)


aaa new-model
aaa authentication banner *Unauthorized use is prohibited.*
aaa authentication login default group radius

This configuration produces the following login banner:


Unauthorized use is prohibited.
Username:

aaa authentication dot1x

To specify one or more authentication, authorization, and accounting (AAA) methods for use on interfaces running IEEE 802.1X, use the aaa authentication dot1x command in global configuration mode. To disable authentication, use the no form of this command.

aaa authentication dot1x {default | listname} method1 [method2 . . . ]

no aaa authentication dot1x {default | listname} method1 [method2 . . . ]

Syntax Description

default

Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.

listname

Character string used to name the list of authentication methods tried when a user logs in.

method1 [method2... ]

At least one of these keywords:

  • enable --Uses the enable password for authentication.

  • group radius --Uses the list of all RADIUS servers for authentication.

  • line --Uses the line password for authentication.

  • local --Uses the local username database for authentication.

  • local-case --Uses the case-sensitive local username database for authentication.

  • none --Uses no authentication. The client is automatically authenticated by the switch without using the information supplied by the client.

Command Default

No authentication is performed.

Command Modes


Global configuration

Command History

Release

Modification

12.1(6)EA2

This command was introduced for the Cisco Ethernet switch network module.

12.2(15)ZJ

This command was implemented on the following platforms for the Cisco Ethernet Switch Module: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series.

12.3(2)XA

This command was introduced on the following Cisco router platforms: Cisco 806, Cisco 831, Cisco 836, Cisco 837, Cisco 1701, Cisco 1710, Cisco 1721, Cisco 1751-V, and Cisco 1760.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T. Router support was added for the following platforms: Cisco 1751, Cisco 2610XM - Cisco 2611XM, Cisco 2620XM - Cisco 2621XM, Cisco 2650XM - Cisco 2651XM, Cisco 2691, Cisco 3640, Cisco 3640A, and Cisco 3660.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

The method argument identifies the list of methods that the authentication algorithm tries in the given sequence to validate the password provided by the client. The only method that is truly 802.1X-compliant is the group radius method, in which the client data is validated against a RADIUS authentication server. The remaining methods enable AAA to authenticate the client by using locally configured data. For example, the local and local-case methods use the username and password that are saved in the Cisco IOS configuration file. The enable and line methods use the enable and line passwords for authentication.

If you specify group radius , you must configure the RADIUS server by entering the radius-server host global configuration command. If you are not using a RADIUS server, you can use the local or local-case methods, which access the local username database to perform authentication. By specifying the enable or line methods, you can supply the clients with a password to provide access to the switch.

Use the show running-config privileged EXEC command to display the configured lists of authentication methods.

Examples

The following example shows how to enable AAA and how to create an authentication list for 802.1X. This authentication first tries to contact a RADIUS server. If this action returns an error, the user is allowed access with no authentication:


Router(config)# aaa new-model
Router(config)# aaa authentication dot1x default group radius none

aaa authentication enable default

To enable authentication, authorization, and accounting (AAA) authentication to determine whether a user can access the privileged command level, use the aaa authentication enable default command in global configuration mode. To disable this authorization method, use the no form of this command.

aaa authentication enable default method1 [method2 . . . ]

no aaa authentication enable default method1 [method2 . . . ]

Syntax Description

method1 [method2... ]

At least one of the keywords described in the table below.

Command Default

If the default list is not set, only the enable password is checked. This has the same effect as the following command:


aaa authentication enable default enable

On the console, the enable password is used if it exists. If no password is set, the process will succeed anyway.

Command Modes


Global configuration (config)

Command History

Release

Modification

10.3

This command was introduced.

12.0(5)T

Group server support was added as various method keywords for this command.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Use the aaa authentication enable default command to create a series of authentication methods that are used to determine whether a user can access the privileged command level. Method keywords are described in the table below. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.

All aaa authentication enable default requests sent by the router to a RADIUS server include the username “$enab15$.”


Note


An enable authentication request with the username $enab{x}$ (where x is the privilege level) is sent only to RADIUS servers.


If a default authentication routine is not set for a function, the default is none and no authentication is performed. Use the more system:running-config command to view currently configured lists of authentication methods.


Note


In the table below, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.


Table 3. aaa authentication enable default Methods

Keyword

Description

enable

Uses the enable password for authentication.

Note

 

An authentication request fails over to the next authentication method only if no enable password is configured on the router.

line

Uses the line password for authentication.

none

Uses no authentication.

group radius

Uses the list of all RADIUS servers for authentication.

Note

 

The RADIUS method does not work on a per-username basis.

group tacacs+

Uses the list of all TACACS+ servers for authentication.

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

Examples

The following example shows how to create an authentication list that first tries to contact a TACACS+ server. If no server can be reached, AAA tries the enable password. If this attempt also returns an error (because no enable password is configured on the router), the user is allowed access with no authentication. A rejection by the TACACS+ server or a wrong enable password does not fall through to none.


aaa authentication enable default group tacacs+ enable none

aaa authentication eou default enable group radius

To set authentication lists for Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP), use the aaa authentication eou default enable group radius command in global configuration mode. To remove the authentication lists, use the no form of this command.

aaa authentication eou default enable group radius

no aaa authentication eou default enable group radius

Syntax Description

This command has no arguments or keywords.

Command Default

Authentication lists for EAPoUDP are not set.

Command Modes


Global configuration

Command History

Release

Modification

12.3(8)T

This command was introduced.

12.2(33)SXI

This command was integrated into Cisco IOS Release 12.2(33)SXI.

Examples

The following example shows that authentication lists have been set for EAPoUDP:


Router(config)# aaa new-model
Router(config)# aaa authentication eou default enable group radius

aaa authentication fail-message

To configure a personalized banner that will be displayed when a user fails login, use the aaa authentication fail-message command in global configuration mode. To remove the failed login message, use the no form of this command.

aaa authentication fail-message d string d

no aaa authentication fail-message

Syntax Description

d

The delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

string

Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.

Command Default

Not enabled

Command Modes


Global configuration

Command History

Release

Modification

11.3(4)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Use the aaa authentication fail-message command to create a personalized message that appears when a user fails login. This message will replace the default message for failed login.

To create a failed-login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

Examples

The following example shows the default login message and failed login message that are displayed if aaa authentication banner and aaa authentication fail-message are not configured. (RADIUS is specified as the default login authentication method.)


aaa new-model
aaa authentication login default group radius

This configuration produces the following standard output:


User Verification Access
Username:
Password:
% Authentication failed.

The following example configures both a login banner (“Unauthorized use is prohibited.”) and a login-fail message (“Failed login. Try again.”). The login message will be displayed when a user logs in to the system. The failed-login message will display when a user tries to log in to the system and fails. (RADIUS is specified as the default login authentication method.) In this example, the asterisk (*) is used as the delimiting character.


aaa new-model
aaa authentication banner *Unauthorized use is prohibited.*
aaa authentication fail-message *Failed login. Try again.*
aaa authentication login default group radius

This configuration produces the following login and failed login banner:


Unauthorized use is prohibited.
Username: 
Password: 
Failed login. Try again.
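The delimiter rule described under Usage Guidelines, applied in both directions, as an added example (not Cisco code): parse_fail_message recovers the banner text from a configuration line and rejects a line whose delimiter recurs inside the text or whose text exceeds the 2996-character limit stated above, and format_fail_message builds a line by picking a delimiter that does not occur in the text. The candidate delimiter set is an assumption of this example.

```python
"""Parse and build 'aaa authentication fail-message d string d' lines.

Added example; not Cisco code. Rules applied: the first character after the
command is the delimiter, the banner runs up to the next occurrence of that
character, the delimiter may not appear inside the text, and the text is
limited to 2996 characters. DELIMITER_CANDIDATES is an assumption.
"""
PREFIX = "aaa authentication fail-message "
MAX_BANNER_CHARS = 2996           # limit given in the Syntax Description
DELIMITER_CANDIDATES = "*#^@%~|"  # assumption: tried in order when building


def parse_fail_message(line):
    """Return the banner text from a configuration line, or raise ValueError."""
    if not line.startswith(PREFIX):
        raise ValueError("not an aaa authentication fail-message line")
    rest = line[len(PREFIX):]
    if not rest:
        raise ValueError("missing delimiter")
    delim = rest[0]
    end = rest.find(delim, 1)
    if end == -1:
        raise ValueError("closing delimiter %r not found" % delim)
    text = rest[1:end]
    if rest[end + 1:].strip():
        # Anything after the closing delimiter means the delimiter occurred
        # inside the intended banner, which the command does not allow.
        raise ValueError("delimiter %r appears inside the banner text" % delim)
    if len(text) > MAX_BANNER_CHARS:
        raise ValueError("banner exceeds %d characters" % MAX_BANNER_CHARS)
    return text


def format_fail_message(text):
    """Build a configuration line, choosing a delimiter absent from the text."""
    if len(text) > MAX_BANNER_CHARS:
        raise ValueError("banner exceeds %d characters" % MAX_BANNER_CHARS)
    for delim in DELIMITER_CANDIDATES:
        if delim not in text:
            return "%s%s%s%s" % (PREFIX, delim, text, delim)
    raise ValueError("every candidate delimiter occurs in the text")


if __name__ == "__main__":
    # Constructed inputs: the page's own example line and a banner that
    # already contains the asterisk, so a different delimiter is chosen.
    print(parse_fail_message("aaa authentication fail-message *Failed login. Try again.*"))
    print(format_fail_message("Access denied: 100% verified*"))
```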

aaa authentication login

To set authentication, authorization, and accounting (AAA) authentication at login, use the aaa authentication login command in global configuration mode. To disable AAA authentication, use the no form of this command.

aaa authentication login {default | list-name} method1 [method2 ...]

no aaa authentication login {default | list-name} method1 [method2 ...]

Syntax Description

default

Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in.

list-name

Character string used to name the list of authentication methods activated when a user logs in. See the “Usage Guidelines” section for more information.

method1 [method2... ]

The list of methods that the authentication algorithm tries in the given sequence. You must enter at least one method; you may enter up to four methods. Method keywords are described in the table below.

Command Default

AAA authentication at login is disabled.

Command Modes


Global configuration (config)

Command History

Release

Modification

10.3

This command was introduced.

12.0(5)T

This command was modified. The group radius, group tacacs+, and local-case keywords were added as methods for authentication.

12.4(6)T

This command was modified. The passwd-expiry keyword was added.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB. The cache group-name keyword and argument were added as a method for authentication.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

15.0(1)M

This command was integrated into Cisco IOS Release 15.0(1)M.

15.1(1)T

This command was modified. The group ldap keyword was added.

Cisco IOS XE Release 3.1S

This command was integrated into Cisco IOS XE Release 3.1S and implemented on the Cisco ASR 1000 Series Aggregation Services Routers.

15.0(1)S

This command was integrated into Cisco IOS Release 15.0(1)S.

Usage Guidelines

If the default list is not set, only the local user database is checked. This has the same effect as the following command:


aaa authentication login default local

Note


On the console, login succeeds without any authentication checks if the default list is not set.


The default and optional list names that you create with the aaa authentication login command are used with the login authentication command.

Create a list by entering the aaa authentication login list-name method command for a particular protocol. The list-name argument is the character string used to name the list of authentication methods activated when a user logs in. The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence. The “Authentication Methods That Cannot Be Used for the list-name Argument” section lists authentication methods that cannot be used for the list-name argument, and the table below describes the method keywords.

To create a default list that is used if no list is assigned to a line with the login authentication command, use the default keyword followed by the methods you want to use in default situations.

The user is prompted for the password only once. If a method returns an error (for example, because of a connectivity problem), the additional methods in the list provide further attempts; the switchover to the next authentication method happens only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.

If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods.

Authentication Methods That Cannot Be Used for the list-name Argument

The authentication methods that cannot be used for the list-name argument are as follows:

  • auth-guest

  • enable

  • guest

  • if-authenticated

  • if-needed

  • krb5

  • krb-instance

  • krb-telnet

  • line

  • local

  • none

  • radius

  • rcmd

  • tacacs

  • tacacsplus


Note


In the table below, the group radius, group tacacs+, group ldap, and group group-name methods refer to a set of previously defined RADIUS, TACACS+, or LDAP servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius, aaa group server ldap, and aaa group server tacacs+ commands to create a named group of servers.


The table below describes the method keywords.

Table 4. aaa authentication login Methods Keywords

Keyword

Description

cache group-name

Uses a cache server group for authentication.

enable

Uses the enable password for authentication. This keyword cannot be used as a list name.

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

group ldap

Uses the list of all Lightweight Directory Access Protocol (LDAP) servers for authentication.

group radius

Uses the list of all RADIUS servers for authentication.

group tacacs+

Uses the list of all TACACS+ servers for authentication.

krb5

Uses Kerberos 5 for authentication.

krb5-telnet

Uses Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router.

line

Uses the line password for authentication.

local

Uses the local username database for authentication.

local-case

Uses case-sensitive local username authentication.

none

Uses no authentication.

passwd-expiry

Enables password aging on a local authentication list.

Note


The radius-server vsa send authentication command is required to make the passwd-expiry keyword work.

Examples

The following example shows how to create an AAA authentication list called MIS-access. This authentication first tries to contact a TACACS+ server. If no server can be reached, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the router), the user is allowed access with no authentication.


aaa authentication login MIS-access group tacacs+ enable none

The following example shows how to create the same list, but it sets it as the default list that is used for all login authentications if no other list is specified:


aaa authentication login default group tacacs+ enable none

The following example shows how to set authentication at login to use the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router:


aaa authentication login default krb5

The following example shows how to configure password aging by using AAA with a crypto client:


aaa authentication login userauthen passwd-expiry group radius
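The method-list walk described in the Usage Guidelines above (and stated in the same terms for the aaa authentication enable, nasi, ppp, and sgbp commands on this page), as an added model that is not Cisco code: a method is skipped only when it returns an ERROR, a FAIL from any method ends the walk, and a trailing none turns "everything errored" into access. The Result states, the sample device state, the constructed RADIUS user database, and the treatment of an unknown local user as an error are assumptions of this model.

```python
"""Model of how Cisco IOS walks an AAA authentication method list.

Added example; this is not Cisco code. It models the rule stated for the
aaa authentication login, enable, nasi, ppp and sgbp lists: the next method
is consulted only when the previous one returns an ERROR (server unreachable,
no enable password configured), never when it FAILS (a verdict of "wrong
credentials"). The device state and per-method behaviour below are
constructed assumptions for the model, not Cisco internals.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method reached a verdict and rejected the user
    ERROR = "error"  # the method could not reach a verdict at all


# Constructed sample state for one router (assumption, not from the page).
SAMPLE_DEVICE = {
    "tacacs_reachable": False,            # every TACACS+ server times out
    "radius_reachable": True,
    "enable_secret": None,                # no enable password configured
    "local_users": {"admin": "LocalOnly1"},
}

# Constructed user database behind the reachable RADIUS server.
SAMPLE_RADIUS_USERS = {"admin": "S3cret!"}


def run_method(method, user, password, device):
    """Return the Result of one method keyword from Table 4."""
    if method == "group tacacs+":
        # Unreachable servers are an ERROR; a reachable server is modelled
        # here as knowing no users, so it can only FAIL.
        return Result.ERROR if not device["tacacs_reachable"] else Result.FAIL
    if method == "group radius":
        if not device["radius_reachable"]:
            return Result.ERROR
        ok = SAMPLE_RADIUS_USERS.get(user) == password
        return Result.PASS if ok else Result.FAIL
    if method == "enable":
        # Table 3 note: with no enable password configured the request
        # falls over to the next method, i.e. it is an ERROR, not a FAIL.
        if device["enable_secret"] is None:
            return Result.ERROR
        return Result.PASS if password == device["enable_secret"] else Result.FAIL
    if method == "local":
        stored = device["local_users"].get(user)
        if stored is None:
            return Result.ERROR  # modelling assumption: unknown user -> no verdict
        return Result.PASS if password == stored else Result.FAIL
    raise ValueError("unknown method keyword: %s" % method)


def authenticate(method_list, user, password, device):
    """Walk the list; return (Result, keyword that decided).

    (Result.ERROR, None) means every method errored and no 'none' was
    listed; the page's wording implies such a request does not succeed.
    """
    for method in method_list:
        if method == "none":
            return Result.PASS, "none"   # no credential check at all
        outcome = run_method(method, user, password, device)
        if outcome is not Result.ERROR:
            return outcome, method       # PASS or FAIL ends the walk
    return Result.ERROR, None


def outage_verdict(method_list, device):
    """Verdict for an arbitrary login when nothing the list relies on works.

    Simulates all servers down, no enable password and an empty local
    database, which is the case a trailing 'none' silently turns into access.
    """
    dead = dict(device, tacacs_reachable=False, radius_reachable=False,
                enable_secret=None, local_users={})
    return authenticate(method_list, "anyone", "anything", dead)[0]


if __name__ == "__main__":
    for lst in (["group tacacs+", "enable", "none"],
                ["group tacacs+", "enable", "local"],
                ["group radius", "local"]):
        verdict, by = authenticate(lst, "admin", "LocalOnly1", SAMPLE_DEVICE)
        print("%-32s -> %-5s (decided by %s); outage: %s" % (
            " ".join(lst), verdict.value, by, outage_verdict(lst, SAMPLE_DEVICE).value))
```

Running it shows that group radius local never consults the local database once RADIUS has answered FAIL, and that group tacacs+ enable none grants access to anyone while TACACS+ is down and no enable password exists.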

aaa authentication nasi

To specify authentication, authorization, and accounting (AAA) authentication for Netware Asynchronous Services Interface (NASI) clients connecting through the access server, use the aaa authentication nasi command in global configuration mode. To disable authentication for NASI clients, use the no form of this command.

aaa authentication nasi {default | list-name} method1 [method2 ...]

no aaa authentication nasi {default | list-name} method1 [method2 ...]

Syntax Description

default

Makes the listed authentication methods that follow this argument the default list of methods used when a user logs in.

list-name

Character string used to name the list of authentication methods activated when a user logs in.

method1 [method2... ]

At least one of the methods described in the table below.

Command Default

If the default list is not set, only the local user database is selected. This has the same effect as the following command:


aaa authentication nasi default local

Command Modes


Global configuration

Command History

Release

Modification

11.1

This command was introduced.

12.0(5)T

Group server support and local-case were added as method keywords for this command.

12.2(13)T

This command is no longer supported in Cisco IOS Mainline releases or in Technology-based (T-train) releases. It might continue to appear in 12.2S-family releases.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

The default and optional list names that you create with the aaa authentication nasi command are used with the nasi authentication command.

Create a list by entering the aaa authentication nasi command, where list-name is any character string that names the list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries in the given sequence. Method keywords are described in the table below.

To create a default list that is used if no list is assigned to a line with the nasi authentication command, use the default argument followed by the methods that you want to use in default situations.

The remaining methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.

If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods.


Note


In the table below, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.


Table 5. aaa authentication nasi Methods

Keyword

Description

enable

Uses the enable password for authentication.

line

Uses the line password for authentication.

local

Uses the local username database for authentication.

local-case

Uses case-sensitive local username authentication.

none

Uses no authentication.

group radius

Uses the list of all RADIUS servers for authentication.

group tacacs+

Uses the list of all TACACS+ servers for authentication.

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

Examples

The following example creates an AAA authentication list called list1. This authentication first tries to contact a TACACS+ server. If no server can be reached, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the router), the user is allowed access with no authentication.


aaa authentication nasi list1 group tacacs+ enable none

The following example creates the same list, but sets it as the default list that is used for all login authentications if no other list is specified:


aaa authentication nasi default group tacacs+ enable none

aaa authentication password-prompt

To change the text displayed when users are prompted for a password, use the aaa authentication password-prompt command in global configuration mode. To return to the default password prompt text, use the no form of this command.

aaa authentication password-prompt text-string

no aaa authentication password-prompt text-string

Syntax Description

text-string

String of text that will be displayed when the user is prompted to enter a password. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, “Enter your password:”).

Command Default

There is no user-defined text-string, and the password prompt appears as “Password:”.

Command Modes


Global configuration

Command History

Release

Modification

11.0

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Use the aaa authentication password-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a password. This command changes the password prompt for the enable password as well as for login passwords that are not supplied by remote security servers. The no form of this command returns the password prompt to the default value:


Password:

The aaa authentication password-prompt command does not change any dialog that is supplied by a remote TACACS+ server.

The aaa authentication password-prompt command works when RADIUS is used as the login method. The password prompt that is defined in the command will be shown even when the RADIUS server is unreachable. The aaa authentication password-prompt command does not work with TACACS+. TACACS+ supplies the network access server (NAS) with the password prompt to display to the users. If the TACACS+ server is reachable, the NAS gets the password prompt from the server and uses that prompt instead of the one defined in the aaa authentication password-prompt command. If the TACACS+ server is not reachable, the password prompt that is defined in the aaa authentication password-prompt command may be used.

Examples

The following example changes the text for the password prompt:


aaa authentication password-prompt "Enter your password now:"

aaa authentication ppp

To specify one or more authentication, authorization, and accounting (AAA) methods for use on serial interfaces that are running PPP, use the aaa authentication ppp command in global configuration mode. To disable authentication, use the no form of this command.

aaa authentication ppp {default | list-name} method1 [method2 ...]

no aaa authentication ppp {default | list-name} method1 [method2 ...]

Syntax Description

default

Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in.

list-name

Character string used to name the list of authentication methods tried when a user logs in.

method1 [method2... ]

Identifies the list of methods that the authentication algorithm tries in the given sequence. You must enter at least one method; you may enter up to four methods. Method keywords are described in the table below.

Command Default

AAA authentication methods on serial interfaces running PPP are not enabled.

Command Modes


Global configuration (config)

Command History

Release

Modification

10.3

This command was introduced.

12.0(5)T

Group server support and local-case were added as method keywords.

12.2(31)SB

This command was integrated into Cisco IOS Release 12.2(31)SB.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.2(33)SRC

This command was integrated into Cisco IOS Release 12.2(33)SRC.

15.0(1)M

This command was integrated into Cisco IOS Release 15.0(1)M.

Cisco IOS XE Release 2.5

This command was integrated into Cisco IOS XE Release 2.5.

Usage Guidelines

If the default list is not set, only the local user database is checked. This has the same effect as the following command:


aaa authentication ppp default local

The lists that you create with the aaa authentication ppp command are used with the ppp authentication command. These lists contain up to four authentication methods that are used when a user tries to log in to the serial interface.

Create a list by entering the aaa authentication ppp list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries in the given sequence. You can enter up to four methods. Method keywords are described in the table below.

The additional methods of authentication are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authentication succeed even if all methods return an error.

If authentication is not specifically set for a function, the default is none and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods.


Note


In the table below, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.


Table 6. aaa authentication ppp Methods

Keyword

Description

cache group-name

Uses a cache server group for authentication.

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

group radius

Uses the list of all RADIUS servers for authentication.

group tacacs+

Uses the list of all TACACS+ servers for authentication.

if-needed

Does not authenticate if the user has already been authenticated on a tty line.

krb5

Uses Kerberos 5 for authentication (can be used only for Password Authentication Protocol [PAP] authentication).

local

Uses the local username database for authentication.

local-case

Uses case-sensitive local username authentication.

none

Uses no authentication.

Cisco 10000 Series Router

The Cisco 10000 series router supports a maximum of 2,000 AAA method lists. If you configure more than 2,000 AAA method lists, traceback messages appear on the console.

Examples

The following example shows how to create an AAA authentication list called MIS-access for serial lines that use PPP. This authentication first tries to contact a TACACS+ server. If this action returns an error, the user is allowed access with no authentication.


aaa authentication ppp MIS-access group tacacs+ none

aaa authentication sgbp

To specify one or more authentication, authorization, and accounting (AAA) authentication methods for Stack Group Bidding Protocol (SGBP), use the aaa authentication sgbp command in global configuration mode. To disable SGBP authentication and return to the default, use the no form of this command.

aaa authentication sgbp {default | list-name} method1 [method2 ...]

no aaa authentication sgbp {default | list-name} method1 [method2 ...]

Syntax Description

default

Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in.

list-name

Character string used to name the list of authentication methods tried when a user logs in.

method1 [method2... ]

Identifies the list of methods that the authentication algorithm tries in the given sequence. You must enter at least one method; you may enter up to four methods. Method keywords are described in

Command Default

The list configured by the aaa authentication ppp default command is used. If the aaa authentication ppp default command is not configured, local authentication is the default.

Command Modes


Global configuration

Command History

Release

Modification

12.3(2)T

This command was introduced.

Usage Guidelines

The lists that you create with the aaa authentication sgbp command are used with the sgbp aaa authentication command.

Create a list by entering the aaa authentication sgbp list-name method command, where the list-name argument is any character string used to name this list. The method argument identifies the list of methods that the authentication algorithm tries in the given sequence. You can enter up to four methods. Method keywords are described in the table below.

The additional methods of authentication are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authentication succeed even if all methods return an error.

Use the more system:running-config command to display currently configured lists of authentication methods.

Table 7. aaa authentication sgbp Methods

Keyword

Description

local

Uses the local username database for authentication.

local-case

Uses case-sensitive local username authentication.

none

Uses no authentication.

group radius

Uses the list of all RADIUS servers for authentication.

group tacacs+

Uses the list of all TACACS+ servers for authentication.

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

Examples

The following example shows how to create an AAA authentication list called SGBP. AAA first tries to contact a RADIUS server for authentication. If this action returns an error, AAA tries the local database.


Router(config)# aaa authentication sgbp SGBP group radius local

aaa authentication suppress null-username

To configure Cisco IOS software to prevent an Access Request with a blank username from being sent to the RADIUS server, use the aaa authentication suppress null-username command in global configuration mode.

To configure Cisco IOS software to allow an Access Request with a blank username to be sent to the RADIUS server, use the no form of this command:

aaa authentication suppress null-username

no aaa authentication suppress null-username

Syntax Description

Enables the prevention of an Access Request with a blank username from being sent to the RADIUS server.

Command Default

This command is not enabled by default.

Command Modes


Global configuration (config)

Command History

Release

Modification

Cisco IOS Release 12.2(33)SRD

This command was introduced.

Cisco IOS XE Release 2.4

This command was integrated into Cisco IOS XE Release 2.4.

Usage Guidelines

This command ensures that unnecessary RADIUS server interaction is avoided, and RADIUS logs are kept short.

Examples

The following example shows how the aaa authentication suppress null-username is configured:


enable
configure terminal
aaa new-model
aaa authentication suppress null-username

aaa authentication token key

To create a token authentication key to provide temporary access to the network, use the aaa authentication token key command in global configuration mode. To remove the token authentication key, use the no form of this command.

aaa authentication token key string

no aaa authentication token key string

Syntax Description

string

Token authentication key in hexadecimal characters. The maximum number of hexadecimal characters is 16.

Command Default

Token authentication key is not configured.

Command Modes


Global configuration (config)

Command History

Release

Modification

15.4(1)T

This command was introduced.

Usage Guidelines

The aaa authentication token key command can be used only if the aaa new-model command is configured. You must configure the user account with the token keyword before configuring the token authentication.

Examples

The following example shows how to create a token authentication key “abcdefghcisco123” to provide temporary access to the network:


Device> enable
Device# configure terminal
Device(config)# username user1 privilege 1 token password 0 cisco123
Device(config)# aaa new-model
Device(config)# aaa authentication login default local
Device(config)# aaa authentication token key abcdefghcisco123

aaa authentication username-prompt

To change the text displayed when users are prompted to enter a username, use the aaa authentication username-prompt command in global configuration mode. To return to the default username prompt text, use the no form of this command.

aaa authentication username-prompt text-string

no aaa authentication username-prompt text-string

Syntax Description

text-string

String of text that will be displayed when the user is prompted to enter a username. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, “Enter your name:”).

Command Default

There is no user-defined text-string, and the username prompt appears as “Username:”.

Command Modes


Global configuration

Command History

Release

Modification

11.0

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Use the aaa authentication username-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a username. The no form of this command returns the username prompt to the default value:


Username:

Some protocols (for example, TACACS+) have the ability to override the use of local username prompt information. Using the aaa authentication username-prompt command will not change the username prompt text in these instances.


Note


The aaa authentication username-prompt command does not change any dialog that is supplied by a remote TACACS+ server.


Examples

The following example changes the text for the username prompt:


aaa authentication username-prompt "Enter your name here:"

aaa authorization

To set the parameters that restrict user access to a network, use the aaa authorization command in global configuration mode. To remove the parameters, use the no form of this command.

aaa authorization {auth-proxy | cache | commands level | config-commands | configuration | console | exec | ipmobile | multicast | network | policy-if | prepaid | radius-proxy | reverse-access | subscriber-service | template} {default | list-name} [method1 [method2 ...]]

no aaa authorization {auth-proxy | cache | commands level | config-commands | configuration | console | exec | ipmobile | multicast | network | policy-if | prepaid | radius-proxy | reverse-access | subscriber-service | template} {default | list-name} [method1 [method2 ...]]

Syntax Description

auth-proxy

Runs authorization for authentication proxy services.

cache

Configures the authentication, authorization, and accounting (AAA) server.

commands

Runs authorization for all commands at the specified privilege level.

level

Specific command level that should be authorized. Valid entries are 0 through 15.

config-commands

Runs authorization to determine whether commands entered in configuration mode are authorized.

configuration

Downloads the configuration from the AAA server.

console

Enables the console authorization for the AAA server.

exec

Runs authorization to determine if the user is allowed to run an EXEC shell. This facility returns user profile information such as the autocommand information.

ipmobile

Runs authorization for mobile IP services.

multicast

Downloads the multicast configuration from the AAA server.

network

Runs authorization for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Programs (NCPs), and AppleTalk Remote Access (ARA).

policy-if

Runs authorization for the diameter policy interface application.

prepaid

Runs authorization for diameter prepaid services.

radius-proxy

Runs authorization for proxy services.

reverse-access

Runs authorization for reverse access connections, such as reverse Telnet.

subscriber-service

Runs authorization for iEdge subscriber services such as virtual private dialup network (VPDN).

template

Enables template authorization for the AAA server.

default

Uses the listed authorization methods that follow this keyword as the default list of methods for authorization.

list-name

Character string used to name the list of authorization methods.

method1 [method2 ...]

(Optional) Identifies an authorization method or multiple authorization methods to be used for authorization. A method may be any one of the keywords listed in the table below.

Command Default

Authorization is disabled for all actions (equivalent to the method keyword none).

Command Modes

Global configuration (config)

Command History

Release

Modification

10.0

This command was introduced.

12.0(5)T

This command was modified. The group radius and group tacacs+ keywords were added as methods for authorization.

12.2(28)SB

This command was modified. The cache group-name keyword and argument were added as a method for authorization.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

15.0(1)M

This command was integrated into Cisco IOS Release 15.0(1)M.

15.1(1)T

This command was modified. The group ldap keyword was added.

Cisco IOS XE Fuji 16.8.1

This command was modified. The supported number of method lists was increased from 8 to 13.

Usage Guidelines

Use the aaa authorization command to enable authorization and to create named method lists, which define the authorization methods that can be used when a user accesses the specified function. Method lists for authorization define the ways in which authorization will be performed and the sequence in which these methods will be tried. A method list is a named list that describes the authorization methods (such as RADIUS or TACACS+) that must be used in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, thus ensuring a backup system in case the initial method fails to respond. Cisco IOS software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method, or until all the defined methods are exhausted.

Note

The Cisco IOS software attempts authorization with the next listed method only when there is no response from the previous method. If authorization fails at any point in this cycle (that is, the security server or the local username database responds by denying the user services), the authorization process stops and no other authorization methods are attempted.


If the aaa authorization command for a particular authorization type is issued without a specified named method list, the default method list is automatically applied to all interfaces or lines (where this authorization type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no authorization takes place. The default authorization method list must be used to perform outbound authorization, such as authorizing the download of IP pools from the RADIUS server.

Use the aaa authorization command to create a list by entering the values for the list-name and the method arguments, where list-name is any character string used to name this list (excluding all method names) and method identifies the list of authorization methods tried in the given sequence.

The aaa authorization command supports 13 separate method lists. For example:

aaa authorization configuration methodlist1 group radius
aaa authorization configuration methodlist2 group radius
...
aaa authorization configuration methodlist13 group radius
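The following configuration is an added example and is not taken from the Cisco command reference. It ties together the points made above: a default method list that falls back to the local database only when the TACACS+ group does not respond, a named list that overrides the default on the vty lines, and the fail-open effect of a trailing none method. The server name TAC1, the group name ADMIN-TACACS, the list name VTY-AUTHZ, the address 192.0.2.10, the username and the key/password are placeholders, and the tacacs server / aaa group server tacacs+ form of server definition is assumed in place of the older tacacs-server host command mentioned in the note that follows.

```cisco
! Added example, not part of the Cisco command reference. All names,
! addresses and secrets are placeholders.
aaa new-model
!
! TACACS+ server and the server group that "group ADMIN-TACACS" refers to.
tacacs server TAC1
 address ipv4 192.0.2.10
 key PLACEHOLDER-KEY
aaa group server tacacs+ ADMIN-TACACS
 server name TAC1
!
! Local account consulted only when no server in the group responds.
username netadmin privilege 15 secret PLACEHOLDER-PASSWORD
!
! Default method lists: applied to every line that has no named list.
! Methods are tried left to right. A deny from ADMIN-TACACS ends the
! evaluation; only a lack of response moves on to "local".
aaa authorization exec default group ADMIN-TACACS local
aaa authorization commands 15 default group ADMIN-TACACS local
!
! Named list for remote sessions: same server group but no local fallback,
! so remote EXEC authorization fails closed while the servers are down.
aaa authorization exec VTY-AUTHZ group ADMIN-TACACS
!
! Weak variant, shown for contrast and deliberately not applied: a trailing
! "none" performs no authorization at all once every server is unreachable,
! so the list fails open.
! aaa authorization exec VTY-AUTHZ group ADMIN-TACACS none
!
! The named list overrides the default list on these lines only; other
! lines that this authorization type applies to keep the default list.
line vty 0 4
 authorization exec VTY-AUTHZ
```

Check the result with show running-config | include aaa authorization and, after a test login, with debug aaa authorization, which shows which method in the list produced the PASS or FAIL. A list that ends in local or none changes what happens during a server outage, so review that last method with the same care as the first.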


Note

In the table below, the group group-name, group ldap, group radius, and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius, aaa group server ldap, and aaa group server tacacs+ commands to create a named group of servers.

The table below describes the method keywords.

Table 8. aaa authorization Methods

Keyword

Description