This document explains how to configure Authentication, Authorization, and Accounting (AAA) on a Cisco router using Radius or TACACS+ protocols. The goal of this document is not to cover all AAA features, but to explain the main commands and provide some examples and guidelines. Note: Please read the section on General AAA Configuration before proceeding with the Cisco IOS® configuration. Failure to do so may result in misconfiguration and subsequent lockout. For more information on document conventions, see the.
To get an overview of AAA, and for complete details about AAA commands and options, please refer to the. The information in this document is based on Cisco IOS software release 12.1 main line. The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it. To enable AAA, you need to configure the aaa new-model command in global configuration mode.
Note: Until this command is enabled, all other AAA commands are hidden. Warning: The aaa new-model command immediately applies local authentication to all lines and interfaces (except the console line, line con 0). If a telnet session is opened to the router after enabling this command (or if a connection times out and has to reconnect), then the user has to be authenticated using the local database of the router. To avoid being locked out of the router, we recommend that you define a username and password on the access server before starting the AAA configuration.
Do this as follows:
Router(config)# username xxx password yyy
Tip: Save your configuration prior to configuring your AAA commands. Only after you have completed all your AAA configuration (and are satisfied that it works correctly) should you save the configuration again. This allows you to recover from unforeseen lockouts (prior to saving the configuration) by reloading the router. In global configuration, define the security protocol used with AAA (Radius, TACACS+).
If you do not want to use either of these two protocols, you can use the local database on the router. If you are using TACACS+, use the tacacs-server host command. If you are using Radius, use the radius-server host command.
On the AAA server, configure the following parameters:
• The name of the access server.
• The IP address the access server uses to communicate with the AAA server. Note: If both devices are on the same Ethernet network then, by default, the access server uses the IP address defined on the Ethernet interface when sending out the AAA packet. This issue is important when the router has multiple interfaces (and hence multiple addresses).
• The exact same key configured in the access server. Note: The key is case-sensitive.
• The protocol used by the access server (TACACS+ or Radius).
Refer to your AAA server documentation for the exact procedure used to configure the above parameters. If the AAA server is not correctly configured, then AAA requests from the NAS will be ignored by the AAA server and the connection may fail.
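Putting the guidelines above together, the following is an added example (not taken from the original document) of a lockout-safe ordering of these commands on IOS 12.1: local account first, then aaa new-model, then the server definition and a method list that falls back to the local database. The server address, interface name, username and key are placeholders you replace with your own.

```cisco
! Added example, not from the original document. Placeholders:
! 192.0.2.10 (TACACS+ server), Loopback0, admin, S3cr3tKey.
!
! 1. Local fallback account BEFORE aaa new-model, so the local
!    database has a valid user the moment AAA is switched on.
username admin password S3cr3tLocal
!
! 2. Enable AAA. From here on, vty logins use local authentication
!    until a method list says otherwise; do not save yet.
aaa new-model
!
! 3. Define the AAA server. The key must match the server entry
!    exactly (it is case-sensitive). Pick one protocol per server.
tacacs-server host 192.0.2.10 key S3cr3tKey
! RADIUS equivalent:
! radius-server host 192.0.2.20 auth-port 1645 acct-port 1646 key S3cr3tKey
!
! 4. On a router with several interfaces, pin the source address the
!    AAA server sees, so it matches the NAS entry on the server.
ip tacacs source-interface Loopback0
! ip radius source-interface Loopback0
!
! 5. Default login method list: ask the server first, fall back to the
!    local database only when the server does not respond.
aaa authentication login default group tacacs+ local
!
! 6. Keep the console on the local database, so an unreachable server
!    or a mis-typed key never locks out physical access.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
!
! 7. Verify from a SECOND telnet session before saving (write memory).
!    If the login fails, check 'debug aaa authentication' and
!    'debug tacacs' output for key mismatches or timeouts; a reload
!    restores the last saved (pre-AAA) configuration if needed.
```

Only after a fresh session authenticates against the server, and the fallback has been observed to work with the server unreachable, should the configuration be saved.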