AAA Authentication lists are commonly used for multiple methods of authentication on a single device such as local and line. This lab will discuss and demonstrate the configuration and verification of AAA Authentication Lists.
It’s quite simple: companies with several Cisco devices commonly use RADIUS or TACACS+ for user authentication and authorization. Local authentication is also used, but only as a backup method for when communication with the AAA server fails. AAA servers, whether TACACS+ (pronounced “tack axe plus”) or RADIUS, provide a centralized management point for controlling authentication and authorization to Cisco devices (or other vendors’ devices), not only for device management but for other authentication use cases as well, such as remote-access VPN authentication, SSL VPN, 802.1X and proxy authentication.
Please note that the objective of this lab is not part of the CCNA (640-802) exam objectives; however, this material is covered by the new CCNA Security certification (Exam: 840-553 – IINS). This lab was created to give you a basic understanding of AAA, which is commonly used in production networks for authentication, authorization and accounting.
When configuring AAA new-model, authorization is not configured by default on newer IOS images. Therefore, when logging into a Cisco router and/or switch with a user account that has privilege level 15, you will not automatically be placed into privileged mode as you were with the older, non-AAA login local authentication method. To fix this you’ll need to add an AAA statement that specifies console authorization, by executing the aaa authorization console command in global configuration.
The same concept applies to authorization via the VTY lines: you will need to configure the default authorization list to authorize the exec session based on the privilege level in the local database, by executing the command aaa authorization exec default local in global configuration. If you also use a TACACS+ or RADIUS server, the authorization list can reference that server group, with the local database as the fallback in the event of an authentication server failure.
Note that when enabling AAA new-model, if you save the configuration without a username and/or a default authentication list, you WILL be locked out of the device and will have to perform a password recovery.
Step 1. – Enable AAA by executing the command aaa new-model in global configuration mode. This enables the new authentication methods and disables the old ones, such as line passwords.
Router con0 is now available

Press RETURN to get started.

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#aaa new-model
Step 2. – Configure an AAA login authentication list named CONSOLE_AUTH that authenticates against the local database only.
The syntax for configuring an AAA login authentication list is: aaa authentication login LISTNAME AUTHTYPE
In this objective the list name is CONSOLE_AUTH and the authentication type is local, as shown below:
Router(config)#aaa authentication login CONSOLE_AUTH local
Step 3. – Now you’re ready to configure the console line so that users attempting an exec session are authenticated against the AAA login authentication list you just created. This is a single command executed in line configuration mode: login authentication LISTNAME
Router(config)#line con 0
Router(config-line)#login authentication CONSOLE_AUTH
Step 4. – Verify your configuration by logging completely out of the router and logging back in via the console. If configured properly you should now be prompted for a username and password, as shown below:
Router(config-line)#end
Router#exit

Router con0 is now available

Press RETURN to get started.

User Access Verification

Username: john
Password:
Router>
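Before you write a configuration like the one built in Steps 1 to 4, it is worth checking it against the lockout warning and the authorization caveats given above. The following Python script is an added example, not part of the original lab and not a Cisco tool: it parses the AAA-relevant statements out of an IOS-style running-config and reports the conditions the lab calls out (aaa new-model with no username or no login list, a line referencing a list that was never defined, and missing aaa authorization console / aaa authorization exec). The two configs embedded in it are constructed for the example; LAB_CONFIG extends the lab’s console-only setup with a default list that falls back from a TACACS+ server group to the local database, as described earlier (the tacacs-server definitions themselves are omitted), and the username john with a placeholder secret is assumed, since the lab logs in as john but never shows the username being created.

```python
import re

LOGIN_LIST_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
LINE_RE = re.compile(r"^line (con|vty|aux) \d")
LOGIN_AUTH_RE = re.compile(r"^ +login authentication (\S+)$")

# Constructed sample: the lab's config plus the authorization statements and a
# default list with TACACS+ first and local as the fallback. Placeholder secret.
LAB_CONFIG = """\
hostname Router
!
username john privilege 15 secret EXAMPLE-ONLY-PLACEHOLDER
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE_AUTH local
aaa authorization console
aaa authorization exec default local
!
line con 0
 login authentication CONSOLE_AUTH
line vty 0 4
 login authentication default
!
"""

# Constructed sample: Steps 1-3 saved with no username, which the lab warns
# will lock you out of the device.
LOCKOUT_CONFIG = """\
aaa new-model
aaa authentication login CONSOLE_AUTH local
line con 0
 login authentication CONSOLE_AUTH
"""


def parse_config(text):
    """Collect the AAA-relevant statements from an IOS-style running-config."""
    state = {
        "new_model": False,
        "usernames": [],
        "login_lists": {},   # list name -> method keywords, e.g. ['group', 'tacacs+', 'local']
        "line_refs": {},     # 'line con 0' -> login list that line references
        "authz_console": False,
        "authz_exec": False,
    }
    current_line = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" "):
            # Indented sub-command; only 'login authentication' inside a line block matters here.
            m = LOGIN_AUTH_RE.match(line)
            if m and current_line:
                state["line_refs"][current_line] = m.group(1)
            continue
        current_line = None          # any global command closes the open line block
        if line == "aaa new-model":
            state["new_model"] = True
        elif line.startswith("username "):
            state["usernames"].append(line.split()[1])
        elif LOGIN_LIST_RE.match(line):
            m = LOGIN_LIST_RE.match(line)
            state["login_lists"][m.group(1)] = m.group(2).split()
        elif line == "aaa authorization console":
            state["authz_console"] = True
        elif line.startswith("aaa authorization exec "):
            state["authz_exec"] = True
        elif LINE_RE.match(line):
            current_line = line
    return state


def audit(text):
    """Return a list of finding codes; an empty list means the config passes."""
    s = parse_config(text)
    findings = []
    if not s["new_model"]:
        return findings              # old-style line passwords; these checks do not apply
    if not s["usernames"]:
        findings.append("LOCKOUT_NO_USERNAME")      # local methods cannot succeed
    if not s["login_lists"]:
        findings.append("NO_LOGIN_LIST")            # lab: no default list => lockout risk
    for line_id, list_name in s["line_refs"].items():
        if list_name not in s["login_lists"]:
            findings.append(f"UNDEFINED_LIST:{line_id}:{list_name}")
    if not s["authz_console"]:
        findings.append("NO_CONSOLE_AUTHORIZATION")  # level-15 user lands in user mode on console
    if not s["authz_exec"]:
        findings.append("NO_EXEC_AUTHORIZATION")     # same problem on the VTY lines
    return findings


if __name__ == "__main__":
    for name, cfg in (("lab", LAB_CONFIG), ("lockout", LOCKOUT_CONFIG)):
        print(f"{name}: {audit(cfg) or 'OK'}")
```

Run it against the text of a show running-config capture; a non-empty list for a config you are about to save is the moment to add the missing username or list before you lock yourself out.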