Configuring AAA Services on Cisco IOS XR Software
How to Configure AAA Services
SC-40
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
OL-20382-01
Configuring Authentication Method Lists
This task configures method lists for authentication.
Authentication Configuration
Authentication is the process by which a user (or a principal) is verified. Authentication configuration
uses method lists to define an order of preference for the source of AAA data, which may be stored in a
variety of data sources. You can configure authentication to define more than one method list and
applications (such as login) can choose one of them. For example, console and aux ports may use one
method list and the vty ports may use another. If a method list is not specified, the application tries to
use a default method list.
Note Applications should explicitly refer to defined method lists for the method lists to be effective.
The authentication can be applied to tty lines through use of the login authentication line configuration
submode command.
Creation of a Series of Authentication Methods
Use the aaa authentication command to create a series of authentication methods, or method list. A
method list is a named list describing the authentication methods to be used (such as RADIUS or
TACACS+), in sequence. The method will be one of the following:
• group radius—Use a server group or RADIUS servers for authentication
• group tacacs+—Use a server group or TACACS+ servers for authentication
• local—Use the local username or password database for authentication
• line—Use the line password or user group for authentication
If the method is RADIUS or TACACS+ servers, rather than server group, the RADIUS or TACACS+
server is chosen from the global pool of configured RADIUS and TACACS+ servers, in the order of
configuration. Servers from this global pool are the servers that can be selectively added to a server
group.
The subsequent methods of authentication are used only if the initial method returns an error, not if the
request is rejected.
Restrictions
The default method list is applied for all the interfaces for authentication, except when a non-default
named method list is explicitly configured, in which case the named method list is applied.
Note The group radius, group tacacs+, and group group-name forms of the aaa authentication command
refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius server-host or
tacacs-server host command to configure the host servers. Use the aaa group server radius or aaa
group server tacacs+ command to create a named group of servers.
SUMMARY STEPS
1. configure
2. aaa authentication {login | ppp} {default | list-name | remote} method-list
To Next Page
Loading...
Need help?
General
