Configuring Authentication
Authentication verifies users before they are allowed access to the network and network services. The Cisco IOS software implementation of authentication is divided into two main categories:
• AAA Authentication Methods Configuration Task List
• Non-AAA Authentication Methods
Authentication, for the most part, is implemented through the AAA security services. Cisco recommends that, whenever possible, AAA be used to implement authentication.
This chapter describes both AAA and non-AAA authentication methods. For authentication configuration examples, refer to the "Authentication Examples" section at the end of this chapter. For a complete description of the AAA commands used in this chapter, refer to the "Authentication, Authorization, and Accounting (AAA)" part of the Cisco IOS Security Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.
To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature, or refer to the software release notes for a specific release. For more information, see the section "Identifying Supported Platforms" in the chapter "Using Cisco IOS Software."
In This Chapter
This chapter contains the following sections:
• Named Method Lists for Authentication
• AAA Authentication Methods Configuration Task List
• Non-AAA Authentication Methods
Named Method Lists for Authentication
To configure AAA authentication, you must first define a named list of authentication methods, and then apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they will be performed; it must be applied to a specific interface before any of the defined authentication methods will be performed. The only exception is the default method list (which is named "default"). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list.
A method list is a sequential list describing the authentication methods to be queried in order to authenticate a user. Method lists enable you to designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. Cisco IOS software uses the first listed method to authenticate users. If that method fails to respond, the Cisco IOS software selects the next authentication method listed in the method list. This process continues until there is successful communication with a listed authentication method, or all methods defined in the method list are exhausted.
It is important to note that the Cisco IOS software attempts authentication with the next listed authentication method only when there is no response from the previous method. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops and no other authentication methods are attempted.
This section contains the following subsections:
• Method Lists and Server Groups
• AAA Authentication General Configuration Procedure
Method Lists and Server Groups
A server group is a way to group existing RADIUS or TACACS+ server hosts for use in method lists. Figure 2 shows a typical AAA network configuration that includes four security servers: R1 and R2 are RADIUS servers and T1 and T2 are TACACS+ servers. R1 and R2 make up the group of RADIUS servers; T1 and T2 make up the group of TACACS+ servers.
Figure 2 Typical AAA Network Configuration
Using server groups, you can specify a subset of the configured server hosts and use them for a particular service. For example, server groups allow you to define R1 and R2 as one server group and T1 and T2 as a separate server group; you can then specify R1 and T1 in the method list for login authentication, while specifying R2 and T2 in the method list for PPP authentication.
Server groups also can include multiple host entries for the same server, as long as each entry has a unique identifier. The combination of an IP address and a UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. In other words, this unique identifier enables RADIUS requests to be sent to different UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service—for example, authentication—the second host entry configured acts as failover backup to the first one. Using this example, if the first host entry fails to provide authentication services, the network access server will try the second host entry configured on the same device for authentication services. (The RADIUS host entries will be tried in the order in which they are configured.)
For more information about configuring server groups and about configuring server groups based on Dialed Number Identification Service (DNIS) numbers, refer to the "Configuring RADIUS" or "Configuring TACACS+" chapter.
Method List Examples
Suppose the system administrator has decided on a security solution where all interfaces will use the same authentication methods to authenticate PPP connections. In the RADIUS group, R1 is contacted first for authentication information, then if there is no response, R2 is contacted. If R2 does not respond, T1 in the TACACS+ group is contacted; if T1 does not respond, T2 is contacted. If all designated servers fail to respond, authentication falls to the local username database on the access server itself. To implement this solution, the system administrator would create a default method list by entering the following command:
aaa authentication ppp default group radius group tacacs+ local
In this example, "default" is the name of the method list. The protocols included in this method list are listed after the name, in the order they are to be queried. The default list is automatically applied to all interfaces.
When a remote user attempts to dial in to the network, the network access server first queries R1 for authentication information. If R1 authenticates the user, it issues a PASS response to the network access server and the user is allowed to access the network. If R1 returns a FAIL response, the user is denied access and the session is terminated. If R1 does not respond, then the network access server processes that as an ERROR and queries R2 for authentication information. This pattern would continue through the remaining designated methods until the user is either authenticated or rejected, or until the session is terminated.
It is important to remember that a FAIL response is significantly different from an ERROR. A FAIL means that the user has not met the criteria contained in the applicable authentication database to be successfully authenticated. Authentication ends with a FAIL response. An ERROR means that the security server has not responded to an authentication query. Because of this, no authentication has been attempted. Only when an ERROR is detected will AAA select the next authentication method defined in the authentication method list.
Suppose the system administrator wants to apply a method list only to a particular interface or set of interfaces. In this case, the system administrator creates a named method list and then applies this named list to the applicable interfaces. The following example shows how the system administrator can implement an authentication method that will be applied only to async interface 3:
aaa authentication ppp default group radius group tacacs+ local
aaa authentication ppp apple group radius group tacacs+ local none
(To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.)
interface async 3
 ppp authentication chap apple
In this example, "apple" is the name of the method list, and the protocols included in this method list are listed after the name in the order in which they are to be performed. After the method list has been created, it is applied to the appropriate interface. Note that the method list name (apple) in both the AAA and PPP authentication commands must match.
In the following example, the system administrator uses server groups to specify that only R2 and T2 are valid servers for PPP authentication. To do this, the administrator must define specific server groups whose members are R2 (172.16.2.7) and T2 (172.16.2.77), respectively. In this example, the RADIUS server group "rad2only" is defined as follows using the aaa group server command:
aaa group server radius rad2only
 server 172.16.2.7
The TACACS+ server group "tac2only" is defined as follows using the aaa group server command:
aaa group server tacacs+ tac2only
 server 172.16.2.77
The administrator then applies PPP authentication using the server groups. In this example, the default methods list for PPP authentication follows this order: group rad2only, group tac2only, and local:
aaa authentication ppp default group rad2only group tac2only local
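The PASS, FAIL and ERROR rules described above, the ordered failover between host entries inside a server group, and the effect of ending a method list with none can all be checked against a small model. The following Python is an added example written for this page; it is not Cisco IOS code and does not talk to any server. The host entries, server answers, usernames and passwords are constructed, and the rule that an empty local database returns ERROR rather than FAIL is an assumption of the model, stated in the comments.

```python
"""Model of how a Cisco IOS AAA method list is walked (constructed example, not
IOS code). Each method yields one of three outcomes, as the chapter describes:
  PASS  - authenticated: stop, allow.   FAIL - answered and denied: stop, deny.
  ERROR - no answer from the method: try the next method in the list."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
# Stand-in for the exchange with one server: PASS/FAIL when it answers,
# None when it stays silent (down or unreachable).
Answer = Callable[[str, str], Optional[str]]

@dataclass
class Host:
    ip: str       # (ip, port) is the unique identifier of a host entry
    port: int
    answer: Answer

@dataclass
class AAAConfig:
    server_groups: Dict[str, List[Host]] = field(default_factory=dict)
    local_users: Dict[str, str] = field(default_factory=dict)
    method_lists: Dict[str, List[str]] = field(default_factory=dict)

def query_group(cfg, group, user, pwd, trace):
    """Host entries are tried in configuration order; the first that answers
    decides. Only when every entry is silent does the group count as ERROR."""
    for h in cfg.server_groups[group]:
        reply = h.answer(user, pwd)
        trace.append(f"group {group} host {h.ip}:{h.port} -> {reply or ERROR}")
        if reply is not None:
            return reply
    return ERROR

def run_method(cfg, method, user, pwd, trace):
    if method.startswith("group "):
        return query_group(cfg, method.split(" ", 1)[1], user, pwd, trace)
    if method == "local":
        # Model assumption: an empty local database cannot answer (ERROR);
        # otherwise local always answers PASS or FAIL.
        if not cfg.local_users:
            trace.append("local -> ERROR (no usernames configured)")
            return ERROR
        result = PASS if cfg.local_users.get(user) == pwd else FAIL
        trace.append(f"local -> {result}")
        return result
    if method == "none":
        trace.append("none -> PASS")  # 'none' never denies anyone
        return PASS
    raise ValueError(f"unknown method {method!r}")

def authenticate(cfg, list_name, user, pwd) -> Tuple[bool, str, List[str]]:
    """Walk the named method list; returns (allowed, deciding step, trace)."""
    trace: List[str] = []
    for method in cfg.method_lists[list_name]:
        result = run_method(cfg, method, user, pwd, trace)
        if result == PASS:
            return True, f"{method}: PASS", trace
        if result == FAIL:
            return False, f"{method}: FAIL", trace
        # ERROR: this method gave no answer, fall through to the next one
    return False, "all methods returned ERROR", trace

# Constructed sample topology; addresses reuse the chapter's R2 and T2 values.
def silent(user, pwd):
    return None  # server down: no reply at all

def answers_from(table):
    return lambda u, p: PASS if table.get(u) == p else FAIL

def build_sample_config():
    """Two RADIUS host entries on one IP with different UDP ports (first down,
    second up), one TACACS+ host that is up, and a local user 'admin'."""
    cfg = AAAConfig()
    cfg.server_groups["radius"] = [Host("172.16.2.7", 1645, silent),
                                   Host("172.16.2.7", 1812, answers_from({"alice": "s3cret"}))]
    cfg.server_groups["tacacs+"] = [Host("172.16.2.77", 49, answers_from({"bob": "pw"}))]
    cfg.local_users = {"admin": "localpw"}
    cfg.method_lists["default"] = ["group radius", "group tacacs+", "local"]
    cfg.method_lists["apple"] = ["group radius", "group tacacs+", "local", "none"]
    return cfg

def build_outage_config():
    """Same lists, but every server is silent and the local database is empty."""
    cfg = build_sample_config()
    for hosts in cfg.server_groups.values():
        for h in hosts:
            h.answer = silent
    cfg.local_users = {}
    return cfg

if __name__ == "__main__":
    for who, pwd in [("alice", "s3cret"), ("bob", "pw"), ("admin", "localpw")]:
        ok, why, trace = authenticate(build_sample_config(), "default", who, pwd)
        print(f"{who}: {'allowed' if ok else 'denied'} ({why}) | " + "; ".join(trace))
    for lst in ("default", "apple"):
        ok, why, _ = authenticate(build_outage_config(), lst, "anyone", "x")
        print(f"all servers down, list {lst}: {'allowed' if ok else 'denied'} ({why})")
```

Running the script shows the two behaviours the chapter stresses. For "bob" and "admin" the second RADIUS host entry answers FAIL, so the TACACS+ group and the local database are never consulted even though either would have accepted the user; only the silent first entry is skipped. In the outage scenario the list that ends with none admits any user at all, which is exactly what "succeed even if all methods return an error" means and why none belongs at the end of a list only where unauthenticated access during a server outage is an accepted risk.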
AAA Authentication General Configuration Procedure
To configure AAA authentication, perform the following tasks:
1. Enable AAA by using the aaa new-model global configuration command. For more information about configuring AAA, refer to the chapter "AAA Overview".
2. Configure security protocol parameters, such as RADIUS, TACACS+, or Kerberos if you are using a security server. For more information about RADIUS, refer to the chapter "Configuring RADIUS". For more information about TACACS+, refer to the chapter "Configuring TACACS+". For more information about Kerberos, refer to the chapter "Configuring Kerberos".
3. Define the method lists for authentication by using an AAA authentication command.
4. Apply the method lists to a particular interface or line, if required.
AAA Authentication Methods Configuration Task List
This section discusses the following AAA authentication methods:
• Configuring Login Authentication Using AAA
• Configuring PPP Authentication Using AAA
• Configuring AAA Scalability for PPP Requests
• Configuring ARAP Authentication Using AAA
• Configuring NASI Authentication Using AAA
• Specifying the Amount of Time for Login Input
• Enabling Password Protection at the Privileged Level
• Changing the Text Displayed at the Password Prompt
• Configuring Message Banners for AAA Authentication
• Configuring AAA Packet of Disconnect
• Enabling Double Authentication
• Enabling Automated Double Authentication
Note AAA features are not available for use until you enable AAA globally by issuing the aaa new-model command. For more information about enabling AAA, refer to the "AAA Overview" chapter.
For authentication configuration examples using the commands in this chapter, refer to the section "Authentication Examples" at the end of this chapter.