Chapter 4 Configuring AAA

I. Configuring AAA Using the Local User Database
1. Authentication, Authorization, and Accounting
1. Modular architecture that is composed of three functional components
1. Authentication – Authentication is the process by which users prove who they
say they are using mechanisms such as username and password, token cards, and
challenge and response.
2. Authorization – After the user or administrator has been authenticated,
authorization services are used to decide which resources he is allowed to access,
as well as which operations he may perform.
3. Accounting and auditing – After being authenticated and authorized, the user
or administrator begins to access the network. It is the role of accounting and
auditing to record what the user or administrator actually did with this access,
what he accessed, and how long he accessed it.
2. AAA for Cisco Routers
1. Three ways to implement AAA on Cisco routers
1. Cisco Secure ACS Solution Engine – In this implementation, AAA services on
either the router or network access server (NAS), which acts as a gateway to
guard access to protected resources, contact an external Cisco Secure ACS
Solution Engine for both user and administrator authentication. The Cisco
Secure ACS SE is an appliance that contains CSA. This can be an easier
approach for some organizations, rather than purchasing hardware, an OS
license, CSA license, and ACS license. In this more complex configuration, the
administrator would also have to take steps to lock down the server, whereas the
ACS SE is already secure.
2. Cisco Secure Access Control Server (ACS) for Windows Server – This
software package may be used for user and administrator authentication. AAA
services on the router or NAS contact an external Cisco Secure ACS for
Microsoft Windows systems. You need a separate license for CSA if this is what
you want.
3. Self-contained AAA – AAA services are self-contained in either a router or
NAS. Implemented in this fashion, this form of authentication is also known as
local authentication.

3. Router Access Authentication
1. AAA commands to secure administrative and remote LAN access
Access Type – Mode – Network Access Server Ports – AAA Command Element
Remote administrative access – Character (line or EXEC mode) – TTY, vty, auxiliary, and console – login and enable
Remote network access – Packet (interface mode) – Async, group-async, BRI, and PRI – ppp and network
4. Using AAA to Configure Local User Database Authentication
1. Six steps to configure a Cisco router for local authentication
1. Secure access to privileged EXEC mode
2. Use the aaa new-model command to enable AAA globally on the perimeter router
3. Configure AAA authentication lists
4. Configure AAA authorization for use after the user has passed authentication
5. Configure the AAA accounting options
6. Verify the configuration
2. Minimum commands to configure AAA local authentication
Router(config)# aaa new-model
Router(config)# username username password password
Router(config)# aaa authentication login default local
3. Other AAA commands
aaa authentication arap
aaa authentication banner
aaa authentication enable default
aaa authentication fail-message
aaa authentication local-override
aaa authentication login
aaa authentication nasi
aaa authentication password-prompt
aaa authentication ppp
aaa authentication username-prompt

5. AAA Authentication Commands
1. Most important commands to learn
1. The aaa authentication login command
2. The aaa authentication enable default command
3. The aaa authentication ppp command
2. Command – Description
aaa authentication arap – AppleTalk Remote Access Protocol (ARAP) users using RADIUS or TACACS+ use the aaa authentication arap global configuration command to enable an AAA authentication method. The no form of this command is used to disable authentication.
aaa authentication banner – Use this command to create a personalized login banner.
aaa authentication enable default – Use the aaa authentication enable default global configuration command to enable AAA authentication to determine if a user can access the privileged command level. The no form of this command may be used to disable this authorization method.
aaa authentication fail-message – This command creates a message that is displayed when a user login fails.
aaa authentication local-override – This command is used to configure the Cisco IOS software to check the local user database for authentication before attempting another form of authentication. The no form of this command may be used to disable the override.
aaa authentication login – Use the aaa authentication login global configuration command to set AAA authentication at login. The no form of this command is used to disable AAA authentication.
aaa authentication nasi – To specify AAA authentication for NetWare Access Server Interface (NASI) clients who connect using the access server, use the aaa authentication nasi global configuration command. The no form of this command is used to disable authentication for NASI clients.
aaa authentication password-prompt – Use the aaa authentication password-prompt global configuration command to change the text displayed when users are prompted for a password. The no form of this command is used to return to the default password prompt text.
aaa authentication ppp – Use the aaa authentication ppp global configuration command to specify one or more AAA authentication methods for use on serial interfaces running PPP. The no form of this command is used to disable this authentication.
aaa authentication username-prompt – Use the aaa authentication username-prompt global configuration command to change the text displayed when users are prompted to enter a username. The no form of this command is used to return to the default username prompt text.

6. Setting AAA Authentication for Login
1. The aaa authentication login command is issued to set AAA authentication for login to a router's administration port.
2. Defining a method list
1. Method lists are sequential lists that describe the authentication methods that should be queried when authenticating a user. These allow an administrator to designate one or more security protocols to be used for authentication, allowing for a backup system for authentication should the initial method have an error or not be reachable.
2. Up to four methods may be specified.
3. In global configuration mode, use the aaa authentication command to configure an AAA authentication method list.
1. Indicate the service (PPP, ARAP, NASI, dot1x, and so on) or login authentication (or enable authentication).
2. Either use the default method list name or specify a method list name. A list name may be any alphanumeric string you want to use. You may configure multiple strings on the router, but each must have a unique name.
3. Specify the authentication method (local, line, group RADIUS, group TACACS+, and so on) and how the router should handle requests when a method is not operating. For instance, is an AAA server down?
4. Apply the authentication method lists to each of the following
1. Lines – TTY, vty, auxiliary, and console, or the console port for login, and asynchronous lines (in most cases) for ARAP
2. Interfaces – Interfaces sync, async, and virtual configured for PPP, Serial Line Interface Protocol (SLIP), NASI, or ARAP
3. If this is not applied, the default method list applies. Be aware that a defined method list overrides the default method list after it is applied to an interface.
3. Examples
1. aaa authentication login console-in local – specifies the login authentication method list named console-in using the local username-password database on the router.
2. aaa authentication login default enable – is used to specify a default login authentication method list using the enable password.
3. aaa authentication login tty-in line – is used to specify a login authentication list named tty-in using the line password configured on the router.

4. Syntax
1. aaa authentication login {default | list-name} method1 [method2...]
2. aaa authentication login command elements
default – Specifies the default list of methods to be used when a user logs in, based on the methods that follow this argument
list-name – Used to name the list of authentication methods activated when a user logs in
method – One keyword must be specified. To use the local user database, use the local keyword.
enable – The enable password is used for authentication
krb5 – Kerberos 5 is used for authentication
krb5-telnet – Kerberos 5 Telnet authentication protocol is used when using Telnet to connect to the router. It should be used on the initial login attempt.
line – The line password is used for authentication
local – The local username database is used for authentication
local-case – Provides case-sensitive local username authentication
none – No authentication is used
group radius – The list of all RADIUS servers is used for authentication
group tacacs+ – The list of all TACACS+ servers is used for authentication
group group-name – Uses a subset of RADIUS or TACACS+ servers for authentication, as defined by the aaa group server radius or aaa group server tacacs+ command
7. Configuring AAA Authentication on Serial Interfaces Running PPP
1. The aaa authentication ppp command specifies the various authentication methods for serial interfaces running PPP.
2. Examples
1. aaa authentication ppp default local – This command is used to specify a default PPP authentication method list using the local username-password database on the router.
2. aaa authentication ppp dial-in local none – This command is used to specify a PPP authentication method list named dial-in, using the local username-password database on the router. If the local username is not defined, no authentication is used.

8. Applying Authentication Commands to Router Lines and Interfaces
1. Example
router(config)# line console 0
router(config-line)# login authentication console-in
router(config)# int s3/0
router(config-if)# ppp authentication chap dial-in
2. Above commands explained
1. line console 0 – is issued to enter line console configuration mode
2. login authentication console-in – specifies an authentication list named console-in for login authentication on console port 0
3. int s3/0 – is issued to enter interface configuration mode on port 0 of serial interface slot number 3
4. ppp authentication chap dial-in – specifies an authentication method list named dial-in for use with PPP CHAP authentication on interface s3/0
9. Using the aaa authentication enable default command
1. Use the aaa authentication enable default command to determine if a user can access the privileged command level.
2. aaa authentication enable default method1 [method2...]

10. Implementing the aaa authorization Command
1. Use the aaa authorization command to restrict administrative EXEC access to the routers or user access to the network.
2. aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]
3. aaa authorization command elements
network – Used to implement authorization for all network-related service requests, such as SLIP, PPP, PPP Network Control Protocol (NCP), and ARAP
exec – Used to implement authorization to determine if the user is allowed to run an EXEC shell
commands – Used to implement authorization for all commands for a specific privilege level
level – Used to specify the command level that should be authorized. Values may range from 0 to 15.
reverse-access – Used to implement authorization for reverse access connections, such as reverse Telnet
configuration – Used to download the configuration from the AAA server
default – Uses the listed authorization methods that follow this argument as the default list of methods for authorization
list-name – Provides a character string used to name the list of authorization methods
method – Specifies the method to be used for authorization, using one of the following keywords:
group group-name – Specifies a subset of RADIUS or TACACS+ servers to be used for authorization. These are defined with the aaa group server radius or aaa group server tacacs+ commands.
if-authenticated – The user is permitted to access the requested function if he or she has been validly authenticated
krb5-instance – Used in conjunction with the kerberos instance map command to specify the instance to be used
local – Specifies the use of the local user database for authorization
none – Authorization is not performed

4. Up to four failover methods may be chosen.
5. Examples of aaa authorization commands
router(config)# aaa authorization commands 15 default local
router(config)# aaa authorization commands 1 mickey local
router(config)# aaa authorization commands 15 goofy local
router(config)# aaa authorization exec donald if-authenticated
router(config)# aaa authorization network pluto local none
6. Above commands explained
1. aaa authorization commands 15 default local – The local user database is used to authorize the use of all level 15 commands for the default method list.
2. aaa authorization commands 1 mickey local – The local username database is used to authorize all level 1 commands for the mickey method list.
3. aaa authorization commands 15 goofy local – The local user database is used to authorize the use of all level 15 commands for the goofy method list.
4. aaa authorization exec donald if-authenticated – If the user has already been authenticated, this command allows the user to run the EXEC process.
5. aaa authorization network pluto local none – The local user database is used to authorize the use of all network services, such as SLIP, PPP, and ARAP, for the method list named pluto. If no local username is defined, this command does not perform authorization, and the user can use all network services.

11. Working with the aaa accounting Command
1. aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name
2. aaa accounting command elements
auth-proxy – Provides information about all authenticated proxy user events
system – Performs accounting for all system-level events that are not associated with users
network – Runs accounting for all network-related service requests, including SLIP, PPP, PPP NCP, and ARAP
exec – Provides accounting for EXEC shell sessions
connection – Provides information about all outbound connections made from the NAS
commands level – Runs accounting for all commands at the specified privilege level. Privilege level entries are integers and may range from 0 to 15.
default – Sets the default list of methods for accounting services based on the listed accounting methods specified by list-name
list-name – The list of at least one of the accounting methods
vrf vrf-name – This optional command element, used only with system accounting, may be used to specify a VPN routing and forwarding (VRF) configuration
start-stop – Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The start accounting record is sent in the background. Regardless of whether the start accounting notice was received by the accounting server, the requested user process begins.
stop-only – Sends a stop accounting notice at the end of the requested user process
none – Disables accounting services on this line or interface
broadcast – This optional command element allows the sending of accounting records to multiple AAA servers. Accounting records are simultaneously sent to the first server in each group. Should the first server be unavailable, failover occurs using the backup servers defined within that group.
group group-name – Defines the character string used to name the group of accounting methods
3. Examples
1. router(config)# aaa accounting commands 15 default stop-only group tacacs+
2. router(config)# aaa accounting auth-proxy default start-stop group tacacs+
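The syntax tables for aaa authentication, aaa authorization and aaa accounting describe one line shape each. The Python below is an added example (not Cisco code and not part of these notes) that parses those lines out of a constructed configuration fragment and flags what a reviewer would question: a missing aaa new-model, a method list that falls through to none, accounting set to none, and absent command authorization or command accounting. The sample configuration reuses the example commands from this chapter; the regular expression, the AaaLine record and the finding messages are this example's own.

```python
"""Audit of aaa authentication / authorization / accounting lines
(added illustration, not Cisco code): each line is reduced to its parts using
the syntax shown in the tables above, then a few defender checks are applied.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# kind, service, optional privilege level, list name, remaining keywords
AAA_LINE = re.compile(
    r"^aaa (authentication|authorization|accounting) (\S+)(?: (\d{1,2}))? (\S+) (.+)$"
)
RECORD_TYPES = ("start-stop", "stop-only", "none", "wait-start")


@dataclass
class AaaLine:
    kind: str                # authentication | authorization | accounting
    service: str             # login, enable, ppp, exec, commands, network, ...
    level: Optional[int]     # privilege level, only for 'commands level'
    list_name: str           # 'default' or a named method list
    record: Optional[str]    # accounting only: start-stop | stop-only | none
    methods: List[str]       # local, none, if-authenticated, 'group tacacs+', ...


def tokenize_methods(rest: str) -> List[str]:
    """'stop-only group tacacs+ local' -> ['stop-only', 'group tacacs+', 'local']."""
    tokens, out, i = rest.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def parse_aaa_line(line: str) -> Optional[AaaLine]:
    """Return the parsed line, or None for anything that is not an aaa list definition."""
    match = AAA_LINE.match(line.strip())
    if not match:
        return None
    kind, service, level, list_name, rest = match.groups()
    methods = tokenize_methods(rest)
    record = None
    if kind == "accounting" and methods and methods[0] in RECORD_TYPES:
        record = methods.pop(0)
    methods = [m for m in methods if m != "broadcast"]   # optional flag, not a method
    return AaaLine(kind, service, int(level) if level else None, list_name, record, methods)


def audit(config: str) -> List[str]:
    """Return human-readable findings for the AAA portion of a configuration."""
    lines = [ln.strip() for ln in config.splitlines()]
    entries = [e for e in (parse_aaa_line(ln) for ln in lines) if e]
    findings: List[str] = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: the aaa method lists have no effect")
    for e in entries:
        level = f" {e.level}" if e.level is not None else ""
        where = f"aaa {e.kind} {e.service}{level} {e.list_name}"
        if e.kind in ("authentication", "authorization") and "none" in e.methods:
            findings.append(f"{where}: method list contains 'none'; an earlier method that "
                            "errors (unknown local user, unreachable server) grants access")
        if e.kind == "accounting" and e.record == "none":
            findings.append(f"{where}: accounting disabled for this list")
    if not any(e.kind == "authorization" and e.service == "commands" and e.level == 15
               for e in entries):
        findings.append("no 'aaa authorization commands 15' list: privileged commands are not authorized")
    if not any(e.kind == "accounting" and e.service == "commands" for e in entries):
        findings.append("no 'aaa accounting commands' list: command use is not recorded")
    return findings


# Constructed configuration fragment built from the example commands in these notes
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login console-in local
aaa authentication ppp dial-in local none
aaa authorization commands 15 default local
aaa authorization exec donald if-authenticated
aaa authorization network pluto local none
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports the two lists ending in none (the PPP dial-in list and the pluto network list) and nothing else, because command authorization at level 15 and command accounting are both present; feed it a configuration without aaa new-model and the first finding explains why none of the other lines would take effect.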

12. Using the CLI to Troubleshoot AAA for Cisco Routers
1. Use the following to troubleshoot AAA
1. debug aaa authentication
2. debug aaa authorization
3. debug aaa accounting
13. Using Cisco SDM to Configure AAA (page 127)

II. Configuring AAA Using Cisco Secure ACS
1. Overview of Cisco Secure ACS for Windows
1. Cisco Secure ACS provides a RADIUS and TACACS+ security server.
2. Cisco Secure ACS manages and administers user access for Cisco network devices using IEEE 802.1x access control.
3. Supports network access devices:
1. Wired and wireless LAN switches and access points
2. Edge and core routers
3. Dialup and broadband terminators
4. Content and storage devices
5. VPNs
6. VoIP
7. Firewalls
4. Cisco NAC support – In NAC deployments, Cisco Secure ACS acts as the policy decision point. It is the centralized control point of the NAC solution for managing network users, administrators, and network infrastructure resources, and it combines AAA with policy control to extend network access security. Cisco Secure ACS has configurable policies that it uses to evaluate and validate the credentials received from the Cisco Trust Agent (posture). This evaluation of the host credentials can enforce many specific policies, such as OS patch level and antivirus DAT file version. With these it also determines the state of the host and sends a per-user authorization to the NAD: ACLs, a policy-based ACL, or a private VLAN assignment. Cisco Secure ACS also records the results of this policy evaluation for use with monitoring systems.
5. Additional features of Cisco Secure ACS 4.0 for Windows
1. Lightweight Directory Access Protocol (LDAP) and Open Database Connectivity (ODBC) user authentication support
2. 802.1x authentication type support
3. Access control lists (ACL) that may be downloaded for any Layer 3 device, including Cisco routers, Cisco PIX Firewalls, and Cisco VPNs
4. Automatic service monitoring, database synchronization, and importing of tools for large-scale deployments
5. Device command set authorization
6. Dynamic quota generation
7. User and device group profiles
8. User and administrative access reporting
9. Restrictions such as time of day and day of week
10. Network access restrictions

6. New features of Cisco Secure ACS 4.0 for Windows
1. Network Access Profiles (NAP) – One new feature provided by Cisco Secure ACS 4.0 for Windows is Network Access Profiles. Using this feature allows you as an administrator to apply a different access policy based on, for instance, membership in a network device group (NDG), protocol type, or other RADIUS attribute values sent by the NAD used by the user to connect. Using these, administrators may classify access requests based on network location (wireless access, for instance), and AAA policies may be mapped to specific profiles.
2. Extended replication components – Through the improved replication provided by Cisco Secure ACS 4.0 for Windows, administrators may now replicate NAPs and all related configurations, including
1. Posture validation settings
2. AAA clients and hosts
3. External database configuration
4. Global authentication configuration
5. NDGs
6. Dictionaries
7. Shared-profile components
8. Additional logging attributes
3. EAP-FAST enhanced support – Cisco has developed EAP-FAST as a publicly accessible IEEE 802.1x EAP type to support customers who cannot enforce a strong password policy. EAP-FAST is also for those who want to deploy an 802.1x EAP type that has the following characteristics:
1. No digital certificate is required
2. Support for password expiration and change
3. Versatile support for user and password database types
4. Flexible and easy to deploy and manage
Cisco Secure ACS 4.0 for Windows supports EAP-FASTv1a.
4. Machine access restrictions (MARs) – MARs are offered as an enhancement of Microsoft Windows machine authentication. Administrators can use MARs to control authorization of EAP-TLS and Microsoft PEAP users who authenticate with a Microsoft Windows external user database when Microsoft Windows machine authentication is enabled. With this feature, users who access the network with a computer that has not passed machine authentication within a configurable length of time are given the authorizations of a user group that you specify, or you may choose to deny network access. You can configure this to limit authorization as needed.
5. NAFs – Network access filters (NAF), a new type of shared profile component, give administrators a flexible way to apply network access restrictions and downloadable ACLs on network device names, NDGs, or their IP address. When NAFs are applied by IP addresses, you may use IP address ranges and wildcards.
6. Improvements to scalability – The 4.0 version of Cisco Secure ACS for Windows supports an industry-standard relational database management system (RDBMS), increasing the number of devices (AAA clients) ten times while increasing the number of users by three times the previous number. Improvements have also been made in performance, including significant performance increases in the number of transactions per second across the full protocol portfolio supported by Cisco Secure ACS.
7. Third-party audit support – For hosts without the appropriate agent technology, Cisco Secure ACS 4.0 for Windows makes it possible for these hosts to be audited by third-party vendors before granting network access. External policy servers also make it possible to extend Cisco Secure ACS policies.

8. Downloadable IP ACLs – Per-user ACL support is extended to any Layer 3 network device that supports downloadable IP ACLs, such as Cisco ASA, Cisco VPN solutions, Cisco PIX Firewalls, and Cisco IOS routers. Sets of ACLs may be defined that can be applied per user or per group. This works hand in hand with NAC by enforcing the correct ACL policy. Further, these may be used along with NAFs to apply downloadable ACLs differently on a per-device basis, tailoring ACLs uniquely per user, per access device. This feature allows for granular application of network access restrictions (NAR) and downloadable ACLs. Previously, these supported only the use of the same access restrictions or ACLs to all devices.
9. Certificate revocation list (CRL) comparison – An X.509 CRL profile is used to support certificate revocation in this version of Cisco Secure ACS for Windows.
2. Cisco Secure ACS 4.0 for Windows Installation
1. Ports used by Cisco Secure ACS for client communication
Feature – Protocol – Port(s)
RADIUS authentication and authorization – UDP – 1645, 1812
RADIUS accounting – UDP – 1646, 1813
TACACS+ – TCP – 49
Cisco Secure ACS database replication – TCP – 2000
RDBMS synchronization – TCP – 2000
User-changeable password web application – TCP – 2000
Logging – TCP – 2001
Administrative HTTP port for new sessions – TCP – 2002
Administrative HTTP port range – TCP – Configurable
3. Overview of TACACS+ and RADIUS
1. TACACS+ Authentication
1. Steps involved in the authentication process with TACACS+
1. The user requests access
2. The NAC requests a username from the TACACS+ server
3. The TACACS+ server provides a username prompt
4. NAC prompts the user
5. The user provides a username
6. NAC forwards the username to the TACACS+ server
7. NAC requests the password prompt from the TACACS+ server
8. The TACACS+ server provides a password prompt
9. NAC prompts the user for the password
10. The user submits the password
11. NAC forwards the password to the TACACS+ server
12. The TACACS+ server accepts or rejects the user

2. The TACACS+ daemon provides the NAS with one of the following responses
1. ACCEPT – The user is authenticated, and authorization begins at this point if the NAS has been configured to require it.
2. REJECT – Authentication has failed for the user. The user either is prompted to retry the login sequence or is denied further access, depending on the TACACS+ daemon.
3. ERROR – At some point during the authentication process, an error occurred. This may have occurred at either the daemon or in the network connection between the daemon and the NAS. If an ERROR response is received, the NAS usually attempts to use an alternative method to authenticate the user.
4. CONTINUE – The user is prompted for further authentication information before acceptance or rejection.
3. Authorization if required – The TACACS+ daemon is contacted again and it returns either ACCEPT or REJECT. If accepted, the response contains attributes that direct the EXEC or NETWORK session for that user, which determines which services the user can access.
4. Authorization process with TACACS+ after the user has successfully authenticated
1. Services may include
1. PPP, SLIP, or EXEC services
2. Telnet and rlogin
3. Connection parameters, such as the host or client IP address, ACL, and user timeouts
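The twelve-step username and password exchange and the PASS/FAIL/ERROR replies above can be watched on the wire with a short model of the TACACS+ authentication packets. The Python below is an added example, not code from these notes or from Cisco: it implements the RFC 8907 twelve-byte header, the MD5 pseudo-pad body obfuscation and the START, REPLY and CONTINUE bodies, and drives the dialogue against a constructed in-memory daemon. TacacsServer, ascii_login, the user database and the shared key are this example's own names and values; the status codes come from the RFC, not from the notes.

```python
"""TACACS+ ASCII login exchange on the RFC 8907 packet format (added
illustration; the daemon is a constructed stand-in, not Cisco software).
Every packet is a 12-byte clear header plus a body XORed with an MD5 pad
derived from session_id, key, version and seq_no, so username, password
and prompts are unreadable on the wire (RADIUS, by contrast, hides only
the password)."""
import hashlib
import struct
from typing import Dict, List, Tuple

# RFC 8907 values (from the RFC, not from the notes)
TAC_VERSION = 0xC0                       # major 0xC, minor 0
TAC_AUTHEN = 0x01                        # packet type: authentication
STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS", 6: "RESTART", 7: "ERROR"}
PASS, FAIL, GETUSER, GETPASS, ERROR = 1, 2, 4, 5, 7
ACTION_LOGIN = PRIV_LVL_USER = AUTHEN_TYPE_ASCII = AUTHEN_SVC_LOGIN = 1


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id, key, version, seq_no); pad_n = MD5(same, pad_n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def pack_packet(seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    header = struct.pack("!BBBBII", TAC_VERSION, TAC_AUTHEN, seq_no, 0, session_id, len(body))
    pad = pseudo_pad(session_id, key, TAC_VERSION, seq_no, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))


def unpack_packet(packet: bytes, key: bytes) -> Tuple[int, int, bytes]:
    """Return (seq_no, session_id, clear body); XOR with the same pad undoes the obfuscation."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if len(packet) != 12 + length:
        raise ValueError("truncated TACACS+ packet")
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return seq_no, session_id, bytes(b ^ p for b, p in zip(packet[12:], pad))


# Body layouts of the three authentication packet kinds (RFC 8907 section 5)
def start_body(port: bytes = b"tty0") -> bytes:
    return struct.pack("!BBBBBBBB", ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, 0, len(port), 0, 0) + port


def continue_body(user_msg: bytes) -> bytes:
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def reply_body(status: int, server_msg: bytes = b"") -> bytes:
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def parse_continue(body: bytes) -> bytes:
    user_len = struct.unpack("!HHB", body[:5])[0]
    return body[5:5 + user_len]


def parse_reply(body: bytes) -> Tuple[int, bytes]:
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len]


class TacacsServer:
    """Constructed daemon: asks for the username, then the password, then answers PASS or FAIL."""

    def __init__(self, key: bytes, users: Dict[bytes, bytes]):
        self.key, self.users, self.sessions = key, users, {}

    def handle(self, packet: bytes) -> bytes:
        seq_no, sid, body = unpack_packet(packet, self.key)
        state = self.sessions.setdefault(sid, {"stage": "start"})
        if state["stage"] == "start":                      # START received
            state["stage"], status, prompt = "user", GETUSER, b"Username: "
        elif state["stage"] == "user":                     # CONTINUE carrying the username
            state["user"], state["stage"] = parse_continue(body), "pass"
            status, prompt = GETPASS, b"Password: "
        else:                                              # CONTINUE carrying the password
            ok = self.users.get(state["user"]) == parse_continue(body)
            status, prompt = (PASS, b"") if ok else (FAIL, b"Login invalid")
            del self.sessions[sid]
        return pack_packet(seq_no + 1, sid, reply_body(status, prompt), self.key)


def ascii_login(server: TacacsServer, key: bytes, session_id: int,
                user: bytes, password: bytes) -> Tuple[str, List[str], bytes]:
    """NAS side: drive the exchange; return (final status, trace, every byte sent on the wire)."""
    answers = {GETUSER: user, GETPASS: password}
    seq_no, wire, trace = 1, b"", []
    packet = pack_packet(seq_no, session_id, start_body(), key)
    while True:
        wire += packet
        reply = server.handle(packet)
        wire += reply
        seq_no, _, body = unpack_packet(reply, key)
        status, _msg = parse_reply(body)
        trace.append(f"{seq_no}:{STATUS[status]}")
        if status not in answers:                          # PASS, FAIL or ERROR ends the dialogue
            return STATUS[status], trace, wire
        seq_no += 1
        packet = pack_packet(seq_no, session_id, continue_body(answers[status]), key)
```

A successful login produces the trace 2:GETUSER, 4:GETPASS, 6:PASS (client packets carry the odd sequence numbers, server replies the even ones, all under one session id), and neither the username, the password nor the prompts appear anywhere in the captured bytes; decoding with a wrong key yields noise rather than an error, which is why a mismatched tacacs-server key shows up as failed logins rather than as a protocol fault.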

2. Command Authorization with TACACS+
1. The figure below shows what happens when an admin enters the configure terminal command. The steps involved in this process are as follows:
1. NAC submits an authorization request for the network access to the TACACS+ server.
2. The request is either accepted or denied by TACACS+.
3. Authorization parameters are sent to the NAC if the access is permitted and are applied to the user connection.
3. TACACS+ Attributes
1. TACACS+ can be used to upload a per-user ACL and static route to the NAS, as well as for a variety of other parameters. During this process, TACACS+ frequently uses a number of attributes for authentication and authorization:
1. ACL (EXEC authorization) – Lists an access class number that will be applied to a line
2. ADDR (SLIP, PPP/IP authorization) – When using a SLIP or PPP/IP connection, this is used to specify the IP address of the remote host that should be assigned
3. Addr-pool – Used to specify the name of a local address pool from which to obtain the address of the remote host
4. Autocmd – Used to specify a command to be automatically executed at EXEC startup
5. CMD (EXEC) – The attribute-value (AV) pair is used to start an authorization request for an EXEC command
6. InACL (PPP/IP, SLIP authorization) – Used with SLIP or PPP/IP connections to list an inbound IP ACL
7. OutACL – Used with SLIP or PPP/IP connections to list an outbound IP ACL
8. Priv-lvl (EXEC authorization) – This may be an integer between 0 and 15. It is used to specify the current privilege level for command authorization.
9. Route (PPP/IP, SLIP authorization) – Used to specify a route to be applied to an interface
4. TACACS+ characteristics
1. Primary protocol for Cisco AAA implementations
2. Supports routers, switches, and PIX
3. TACACS+ is proprietary and uses TCP port 49
4. Cisco Secure ACS supports persistent TCP sessions. Typically each AAA transaction uses a dedicated TCP connection: by default, a new TCP session is established for each authorization request, and this may lead to delays when users enter commands. To improve performance, TACACS+ can instead keep a single TCP session that persists as long as the server or network device is operational. By using a single connection there is less server load and better detection of a break in communication. To realize this benefit, both the Cisco Secure ACS and the router have to be configured for this functionality.

5. Authentication and Authorization with RADIUS
1. RADIUS was created by the IETF and uses UDP/IP.
2. Authentication steps for RADIUS
1. The NAS prompts the client for a username
2. The client provides a username to the NAS
3. The NAS prompts the client for a password
4. The client provides the password
5. An Access-Request datagram containing all the necessary AV pairs is used to send information about the username and password to the RADIUS server, as well as additional information such as the NAS port, and so on.
6. If the information provided by the user is correct, the server responds with an Access-Accept datagram. This Access-Accept message also contains authorization parameters in the form of AV pairs; for instance, this might be the IP address to be assigned. On the other hand, if the information that the user has provided is incorrect, an Access-Reject message is returned, and the NAS terminates the connection.
3. RADIUS Message Types
1. Four RADIUS message types are as follows
1. Access-Request – Contains AV pairs for the username and password that are encrypted by RADIUS
2. Access-Accept – Indicates that the user-provided information is correct
3. Access-Reject – Indicates that the user-provided information is incorrect
4. Access-Challenge – Used for authentication methods that employ a challenge-based approach such as Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP), and Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)
4. RADIUS Attributes
1. 50 AV pairs are defined by the IETF.
2. Cisco has added several vendor-specific attributes on the server side. Cisco AV pairs are used by default on Cisco IOS devices, but you can change them to just use standard AV pairs for compatibility reasons.
3. Commonly used RADIUS AV pairs:
1. User-Name
2. User-Password (encrypted)
3. CHAP-Password
4. NAS-IP-Address
5. NAS-Port
6. Service-Type
7. Framed-IP-Address
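The Access-Request, Access-Accept and Access-Reject exchange and the AV pairs listed above, as an added Python example that is not part of these notes and not any vendor's implementation: it hides User-Password with the RFC 2865 shared-secret scheme (MD5 of secret and Request Authenticator, XORed over 16-byte blocks), encodes and parses the type-length-value attribute list, answers from a constructed server with a Framed-IP-Address on success, and checks the Response Authenticator on the reply. The shared secret, the fixed Request Authenticator used in the test, the serve function and the addresses are this example's assumptions; the codes and attribute numbers are the RFC's.

```python
"""RADIUS Access-Request with RFC 2865 User-Password hiding (added
illustration, not vendor code). Only User-Password is hidden; User-Name and
the other AV pairs travel in clear text, which is the point of the
comparison with TACACS+ later in this chapter."""
import hashlib
import struct
from typing import Dict, List, Tuple

# RFC 2865 codes and attribute types used here (from the RFC, not the notes)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE, FRAMED_IP_ADDRESS = 1, 2, 4, 5, 6, 8
Attribute = Tuple[int, bytes]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo hide_password and strip the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def encode_attributes(attrs: List[Attribute]) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code: int, ident: int, authenticator: bytes, attrs: List[Attribute]) -> bytes:
    body = encode_attributes(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(packet: bytes) -> Tuple[int, int, bytes, List[Attribute]]:
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    authenticator, attrs, pos = packet[4:20], [], 20
    while pos < length:
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, authenticator, attrs


def access_request(user: bytes, password: bytes, secret: bytes, request_auth: bytes,
                   nas_ip: bytes, nas_port: int, ident: int = 1) -> bytes:
    """NAS side: the Access-Request datagram of step 5 above."""
    attrs = [(USER_NAME, user),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, nas_ip),
             (NAS_PORT, struct.pack("!I", nas_port)),
             (SERVICE_TYPE, struct.pack("!I", 1))]          # 1 = Login-User
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: List[Attribute], secret: bytes) -> bytes:
    body = encode_attributes(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()


def serve(packet: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Constructed server: verify the hidden password, answer Accept (with Framed-IP-Address) or Reject."""
    code, ident, request_auth, attrs = parse_packet(packet)
    fields = dict(attrs)
    user = fields.get(USER_NAME, b"")
    ok = (code == ACCESS_REQUEST and USER_PASSWORD in fields
          and users.get(user) == reveal_password(fields[USER_PASSWORD], secret, request_auth))
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = [(FRAMED_IP_ADDRESS, bytes([10, 0, 0, 7]))] if ok else []   # constructed address
    auth = response_authenticator(reply_code, ident, request_auth, reply_attrs, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)


def verify_response(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: a reply is trusted only if its authenticator matches the request it answers."""
    code, ident, auth, attrs = parse_packet(reply)
    return auth == response_authenticator(code, ident, request_auth, attrs, secret)
```

The request bytes contain the username in clear and the password only in hidden form, which is exactly the "encrypts only the password" row of the comparison table; verify_response shows the other half of the shared secret's job, binding each reply to the Request Authenticator so a reply for a different request (or forged without the secret) is rejected.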

6. Features of RADIUS
1. RADIUS is RFC 2865.
2. Cisco's RADIUS is RFC 2865 plus IETF attribute 26, the vendor-specific attribute (VSA) for Cisco. Via this VSA any authorization request specified in the TACACS+ specification can be sent to an access device through RADIUS.
3. Limitations
1. Limited security
2. The combination of authentication and authorization in one function
7. Comparison of RADIUS and TACACS+
Topic – TACACS+ – RADIUS
Packet delivery – TCP – UDP
Packet encryption – Encrypts the entire body of the packet but leaves a standard TCP header – Encrypts only the password in the Access-Request packet from the client to the server
AAA support – Uses the AAA architecture, separating authentication, authorization, and accounting – Combines authentication and authorization
Responses – Uses multiple-challenge responses for each of the AAA processes – Uses single-challenge response
Multiprotocol support – Supports other protocols, such as AppleTalk, NetBIOS, and IPX – None
Router management – Enables network administrators to control which commands can be executed on a router – Can pass a privilege level down to the router, which can then be used locally for command authorization

4. Configuring TACACS+
1. Configuring the Network Access Server with TACACS+
1. CLI steps
1. Enable AAA globally to allow the use of all AAA elements. This is a prerequisite for all other AAA commands.
router(config)# aaa new-model
2. Specify which Cisco Secure ACS will provide AAA services for the network access server.
router(config)# tacacs-server host 192.4.10.75 single-connection
3. Configure an encryption key to be used to encrypt the data transfer between the network access server and the Cisco Secure ACS.
router(config)# tacacs-server key shared1
2. Commonly used AAA configuration commands
Command – Description
aaa new-model – Used to enable AAA on the router. This is a prerequisite for all other AAA commands.
tacacs-server host ip-address single-connection – Used to indicate the address of the Cisco Secure ACS server and to specify the use of the TCP single-connection feature of Cisco Secure ACS. Performance is improved by maintaining a single TCP connection for the life of the session between the NAS and the Cisco Secure ACS server, rather than opening and closing TCP connections for each session, which is the default.
tacacs-server key key – Used to establish a shared secret encryption key between the network access server (NAS) and the Cisco Secure ACS server.

2. Using the CLI to Configure AAA Login Authentication on Cisco Routers
1. To enable the AAA authentication process to secure logging into the Cisco IOS device
1. aaa authentication login {default | list-name} group {group-name | radius | tacacs+} [method2 [method3 [method4]]]
2. aaa authentication login parameters
default – Used to create a default that is automatically applied to all lines and interfaces to specify the method or sequence of methods used for authentication
list-name – Used to create a list (you may choose the name) that is applied explicitly to a line or interface using the method or methods specified. This list overrides the default when applied to a specific line or interface.
group group-name, group radius, group tacacs+ – Used to specify the use of an AAA server. The group-name string is used to specify a predefined group of RADIUS or TACACS+ servers for authentication (created with the aaa group server radius or aaa group server tacacs+ command). The group radius and group tacacs+ methods refer to previously defined RADIUS or TACACS+ servers.
method2 method3 method4 – Used to execute authentication methods in the order listed. If an error is returned by the authentication method, such as a timeout error, the Cisco IOS software attempts to execute the next method. Access is denied if the authentication fails. Up to four methods may be configured for each operation. The method must be supported by the authentication operation specified. A general list of methods includes the following:
enable – The enable password is used for authentication
group – Uses a server group
krb5 – Kerberos version 5 is used for authentication
line – The line password is used for authentication
local – The local username and password database is used for authentication
local-case – Specifies the use of case-sensitive local username authentication
none – No authentication is used
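The ordering rule in this table (an error moves on to the next method, a failed authentication denies access) and the method-list definition earlier in the chapter, including the dial-in local none example whose undefined users get in without authentication, are easiest to see by stepping through them. The Python below is an added example, not Cisco code and not part of these notes: it parses an aaa authentication login line and walks the methods with PASS, FAIL and ERROR outcomes, treating an unknown local user as an ERROR so that a trailing none admits it. The Router state, the server-group layout and the fallthrough_risks check are this example's own constructions.

```python
"""Model of Cisco IOS AAA method-list failover (added illustration, not Cisco code).

A login method list such as `aaa authentication login dial-in local none` is
walked left to right. Each method yields one of three outcomes:
  PASS  - credentials verified; stop and allow
  FAIL  - credentials rejected; stop and DENY (later methods are not tried)
  ERROR - the method could not decide (server unreachable, user not in the
          local database); consult the next method in the list
If every method returns ERROR, access is denied.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Outcome(Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    ERROR = "ERROR"


@dataclass
class Router:
    """Constructed router state; server_groups maps name -> [(reachable, {user: password})]."""
    local_users: Dict[str, str] = field(default_factory=dict)
    enable_password: Optional[str] = None
    line_password: Optional[str] = None
    server_groups: Dict[str, List[Tuple[bool, Dict[str, str]]]] = field(default_factory=dict)


def parse_login_list(line: str) -> Tuple[str, List[str]]:
    """'aaa authentication login dial-in local none' -> ('dial-in', ['local', 'none'])."""
    tokens = line.split()
    if tokens[:3] != ["aaa", "authentication", "login"] or len(tokens) < 5:
        raise ValueError(f"not an aaa authentication login line: {line!r}")
    methods: List[str] = []
    i = 4
    while i < len(tokens):
        if tokens[i] == "group":          # 'group radius' / 'group tacacs+' / 'group NAME'
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return tokens[3], methods


def run_method(router: Router, method: str, user: str, password: str) -> Outcome:
    """Evaluate one method keyword against the constructed router state."""
    if method == "none":
        return Outcome.PASS
    if method == "local":
        stored = router.local_users.get(user)
        if stored is None:                 # unknown user is an ERROR, so the list falls through
            return Outcome.ERROR
        return Outcome.PASS if stored == password else Outcome.FAIL
    if method == "enable":
        if router.enable_password is None:
            return Outcome.ERROR
        return Outcome.PASS if password == router.enable_password else Outcome.FAIL
    if method == "line":
        if router.line_password is None:
            return Outcome.ERROR
        return Outcome.PASS if password == router.line_password else Outcome.FAIL
    if method.startswith("group "):
        for reachable, users in router.server_groups.get(method[6:], []):
            if not reachable:
                continue                   # failover to the next server in the group
            return Outcome.PASS if users.get(user) == password else Outcome.FAIL
        return Outcome.ERROR               # no server in the group answered
    raise ValueError(f"unsupported method keyword: {method}")


def authenticate(router: Router, methods: List[str], user: str, password: str) -> Tuple[bool, List[str]]:
    """Walk the method list; return (allowed, trace of 'method:outcome')."""
    trace: List[str] = []
    for method in methods:
        outcome = run_method(router, method, user, password)
        trace.append(f"{method}:{outcome.value}")
        if outcome is Outcome.PASS:
            return True, trace
        if outcome is Outcome.FAIL:
            return False, trace
    return False, trace                    # every method errored


def fallthrough_risks(methods: List[str]) -> List[str]:
    """Defender check: report lists that can allow access without checking credentials."""
    risks = []
    if "none" in methods:
        risks.append("'none' present: any ERROR earlier in the list grants access without credentials")
    if methods == ["none"]:
        risks.append("list disables authentication entirely")
    return risks


if __name__ == "__main__":
    r = Router(local_users={"admin": "s3cret"},
               server_groups={"tacacs+": [(False, {"alice": "wonder"})]})
    for cmd in ("aaa authentication login dial-in local none",
                "aaa authentication login default group tacacs+ local"):
        name, methods = parse_login_list(cmd)
        print(name, authenticate(r, methods, "guest", "anything"), fallthrough_risks(methods))
```

With the router above, admin with a wrong password is denied after the first method (local:FAIL, none is never consulted), while guest, who has no local entry, is admitted (local:ERROR, none:PASS); with group tacacs+ local and the server unreachable, admin is authenticated against the local database, which is the backup behaviour the method list is meant to give, and with group tacacs+ alone the same outage denies everyone.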