
Cisco Router/Switch AAA Login Authentication configuration using TACACS+ and RADIUS Protocols through IOS Commands

Lab Topology

[Figure: AAA Lab Topology]

After creating the user accounts and the network device (Router or Switch) accounts in Cisco Secure Access Control Server, you can start configuring the network devices (Routers or Switches) for AAA login authentication. To configure AAA login authentication on a Cisco Router or Switch using TACACS+ or RADIUS, use the following Cisco IOS CLI commands.

• Enable AAA on the Cisco Router or Cisco Switch. Before AAA can be used, it must be enabled globally on the Cisco Router or Switch. To enable AAA on a Cisco Router or Switch, use the "aaa new-model" Cisco IOS CLI command, as shown below.

OmniSecuR1#configure terminal
OmniSecuR1(config)#aaa new-model
OmniSecuR1(config)#exit
OmniSecuR1#

• Configure the Cisco Router or Switch with the IP address of the Secure ACS server, which provides the AAA authentication services, and with the shared key used for encryption, using the Cisco IOS CLI commands shown below. The shared key must be the same as the Shared Secret that we configured for the device OmniSecuR1 in Cisco ACS.

You can use either TACACS+ or RADIUS as the AAA authentication protocol.

The Cisco IOS CLI commands below show how to configure a TACACS+ server IP address and shared key.

OmniSecuR1#configure terminal
OmniSecuR1(config)#tacacs-server host 192.168.10.50
OmniSecuR1(config)#tacacs-server key OmniSecu123
OmniSecuR1(config)#exit
OmniSecuR1# 

The Cisco IOS CLI commands below show how to configure a RADIUS server IP address and shared key.

OmniSecuR1#configure terminal
OmniSecuR1(config)#aaa new-model
OmniSecuR1(config)#radius-server host 192.168.10.50
OmniSecuR1(config)#radius-server key OmniSecu123
OmniSecuR1(config)#exit
OmniSecuR1#

• Configure AAA Login Authentication on Cisco Routers or Switches using an AAA Authentication Method List. The Cisco IOS command syntax for creating an AAA Authentication Method List is shown below.

aaa authentication login {default | list-name} group {group-name | radius | tacacs+} [methods]

Use the following Cisco IOS CLI commands to create a default AAA Authentication Method List. The default method list below specifies TACACS+ as the first authentication method. If TACACS+ authentication fails, the local user database will be used.

OmniSecuR1#configure terminal
OmniSecuR1(config)#aaa authentication login default group tacacs+ local
OmniSecuR1(config)#exit
OmniSecuR1#

The default AAA authentication method list is applied to all lines and interfaces by default. You can override the default method list by defining another AAA Method List with a "list-name" and applying it to a line.

The Cisco IOS CLI examples below show how to define an AAA authentication method list that requires no authentication and how to apply it to the console line.

• To define an AAA authentication method list "NOAUTH" that requires no authentication, use the IOS CLI commands below.

OmniSecuR1#configure terminal
OmniSecuR1(config)#aaa authentication login NOAUTH none
OmniSecuR1(config)#exit

• To apply the AAA authentication method list "NOAUTH" to the console line, use the IOS CLI commands below.

OmniSecuR1#configure terminal
OmniSecuR1(config)#line console 0
OmniSecuR1(config-line)#login authentication NOAUTH
OmniSecuR1(config-line)#exit
OmniSecuR1(config)#exit
OmniSecuR1#
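As an added illustration that is not part of the original tutorial, the Python script below parses the AAA method lists and line bindings produced by the commands above and reports any list (such as NOAUTH) that grants login with no authentication, which is the kind of check a configuration audit would run. The sample running-config inside it is constructed from the commands on this page.

```python
import re

# Constructed sample running-config built from the commands shown in this tutorial
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 192.168.10.50
tacacs-server key OmniSecu123
aaa authentication login default group tacacs+ local
aaa authentication login NOAUTH none
line console 0
 login authentication NOAUTH
line vty 0 4
"""

METHOD_LIST_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")

def parse_aaa(config):
    """Return (aaa_enabled, {list name: methods}, {line: applied list name})."""
    aaa_enabled, method_lists, line_bindings, current_line = False, {}, {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = METHOD_LIST_RE.match(line)
        if line == "aaa new-model":
            aaa_enabled = True
        elif m:
            method_lists[m.group(1)] = m.group(2).split()
        elif line.startswith("line "):
            current_line = line[5:]                  # e.g. "console 0", "vty 0 4"
            line_bindings[current_line] = "default"  # implicit until overridden
        elif line.startswith(" ") and current_line:
            if line.strip().startswith("login authentication "):
                line_bindings[current_line] = line.split()[-1]
        else:
            current_line = None                      # left the line sub-mode
    return aaa_enabled, method_lists, line_bindings

def audit_aaa(config):
    """Return findings describing weak AAA login authentication settings."""
    aaa_enabled, lists, bindings = parse_aaa(config)
    findings = []
    if not aaa_enabled:
        findings.append("aaa new-model missing: method lists are not in effect")
    for name, methods in lists.items():
        if "none" in methods:
            findings.append(f"list '{name}' contains 'none' (no authentication)")
    for line_name, list_name in bindings.items():
        if "none" in lists.get(list_name, []):
            findings.append(f"line {line_name} uses list '{list_name}' with no authentication")
    return findings
```

When reading the audit output, keep in mind that IOS moves to the next method in a list only when the previous method returns an error (for example, the TACACS+ server is unreachable), not when the server rejects the credentials.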
