
Chapter 4 Configuring AAA

I. Configuring AAA Using the Local User Database
1. Authentication, Authorization, and Accounting
1. Modular architecture that is composed of three functional components
1. Authentication – Authentication is the process by which users prove who they
say they are using mechanisms such as username and password, token cards, and
challenge and response.
2. Authorization – After the user or administrator has been authenticated,
authorization services are used to decide which resources he is allowed to access,
as well as which operations he may perform.
3. Accounting and auditing – After being authenticated and authorized, the user
or administrator begins to access the network. It is the role of accounting and
auditing to record what the user or administrator actually did with this access,
what he accessed, and how long he accessed it.
2. AAA for Cisco Routers
1. 3 ways to implement AAA on Cisco routers
1. Cisco Secure ACS Solution Engine – In this implementation, AAA services on
either the router or network access server (NAS), which acts as a gateway to
guard access to protected resources, contact an external Cisco Secure ACS
Solution Engine for both user and administrator authentication. The Cisco
Secure ACS SE is an appliance that ships with Cisco Security Agent (CSA). This can be
an easier approach for some organizations than purchasing hardware, an OS
license, a CSA license, and an ACS license for the software version. With that
more complex configuration, the administrator would also have to take steps to
lock down the server, whereas the ACS SE is already hardened.
2. Cisco Secure Access Control Server (ACS) for Windows Server – This
software package may be used for user and administrator authentication. AAA
services on the router or NAS contact an external Cisco Secure ACS for
Microsoft Windows systems. A separate license for CSA is needed if you want CSA
protecting that server.
3. Self-contained AAA – AAA services are self-contained in either a router or
NAS. Implemented in this fashion, this form of authentication is also known as
local authentication.

3. Using AAA to Configure Local User Database Authentication
   1. Router Access Authentication
      AAA Commands to Secure Administrative and Remote LAN Access
      | Access Type | Mode | Network Access Server Ports | AAA Command Element |
      | Remote administrative access | Character (line or EXEC mode) | TTY, vty, auxiliary, and console | Login and enable commands |
      | Remote network access | Packet (interface mode) | Async, group-async, BRI, and PRI | PPP and network commands |
   2. Six steps to configure a Cisco router for local authentication
      1. Secure access to privileged EXEC mode
      2. Use the aaa new-model command to enable AAA globally on the perimeter router
      3. Configure AAA authentication lists
      4. Configure AAA authorization for use after the user has passed authentication
      5. Configure the AAA accounting options
      6. Verify the configuration
   3. Minimum commands to configure AAA local authentication
      Router(config)# aaa new-model
      Router(config)# username username password password
      Router(config)# aaa authentication login default local
      Note: username ... password stores the password reversibly (type 7 at best, once service password-encryption is on); username ... secret stores a hash and is the better choice where the IOS release supports it. Also keep a console session open while enabling aaa new-model, because a mistake in the default list can lock you out of the router.
   4. Other AAA commands
      aaa authentication arap
      aaa authentication banner
      aaa authentication enable default
      aaa authentication fail-message
      aaa authentication local-override
      aaa authentication login
      aaa authentication nasi
      aaa authentication password-prompt
      aaa authentication ppp
      aaa authentication username-prompt

   5. AAA Authentication Commands
      aaa authentication arap – Use the aaa authentication arap global configuration command to enable an AAA authentication method for AppleTalk Remote Access Protocol (ARAP) users using RADIUS or TACACS+. The no form of this command is used to disable this authentication.
      aaa authentication banner – Use this command to create a personalized login banner.
      aaa authentication enable default – Use the aaa authentication enable default global configuration command to enable AAA authentication to determine if a user can access the privileged command level. The no form of this command may be used to disable this method.
      aaa authentication fail-message – This command creates a message that is displayed when a user login fails.
      aaa authentication local-override – This command is used to configure the Cisco IOS software to check the local user database for authentication before attempting another form of authentication. The no form of this command may be used to disable the override.
      aaa authentication login – Use the aaa authentication login global configuration command to set AAA authentication at login. The no form of this command is used to disable AAA authentication.
      aaa authentication nasi – To specify AAA authentication for NetWare Access Server Interface (NASI) clients who connect using the access server, use the aaa authentication nasi global configuration command. The no form of this command is used to disable authentication for NASI clients.
      aaa authentication password-prompt – Use the aaa authentication password-prompt global configuration command to change the text displayed when users are prompted for a password. The no form of this command is used to return to the default password prompt text.
      aaa authentication ppp – Use the aaa authentication ppp global configuration command to specify one or more AAA authentication methods for use on serial interfaces running PPP. The no form of this command is used to disable authentication.
      aaa authentication username-prompt – Use the aaa authentication username-prompt global configuration command to change the text displayed when users are prompted to enter a username. The no form of this command is used to return to the default username prompt text.
   6. Most important commands to learn
      1. The aaa authentication login command
      2. The aaa authentication ppp command
      3. The aaa authentication enable default command

4. Defining a Method List
   1. Method lists are sequential lists that describe the authentication methods that should be queried when authenticating a user. They allow an administrator to designate one or more security protocols to be used for authentication, providing a backup system for authentication should the initial method return an error or not be reachable.
   2. In global configuration mode, use the aaa authentication command to configure an AAA authentication method list:
      1. Indicate the service (PPP, NASI, dot1x, ARAP, and so on) or login authentication.
      2. Either use the default method list name or specify a method list name. A list name may be any alphanumeric string you want to use. You may configure multiple lists on the router, but each must have a unique name.
      3. Specify the authentication method (local, line, group RADIUS, group TACACS+, or enable authentication), and how the router should handle requests when a method is not operating (for instance, when an AAA server is down). Up to four methods may be specified.
   3. Apply the authentication method lists to each of the following:
      1. Lines – TTY, vty, console, auxiliary, and async lines, or the console port for login and asynchronous lines (in most cases) for ARAP
      2. Interfaces – sync, async, and virtual interfaces configured for PPP, Serial Line Interface Protocol (SLIP), NASI, or ARAP
   4. Be aware that a named method list overrides the default method list once it is applied to a line or interface. Where no named list is applied, the default method list applies.
5. Setting AAA Authentication for Login
   1. The aaa authentication login command is issued to set AAA authentication for login to a router's administration ports.
   2. Examples:
      1. aaa authentication login console-in local – specifies a login authentication method list named console-in using the local username-password database on the router.
      2. aaa authentication login tty-in line – specifies a login authentication method list named tty-in using the line password configured on the router.
      3. aaa authentication login default enable – specifies a default login authentication method list using the enable password.

   3. Syntax
      aaa authentication login {default | list-name} method1 [method2...]
      aaa authentication login Command Elements
      default – Specifies the default list of methods to be used when a user logs in, based on the methods that follow this argument
      list-name – Used to name the list of authentication methods activated when a user logs in
      method – One keyword must be specified (up to four methods may be listed):
         enable: The enable password is used for authentication
         krb5: Kerberos 5 is used for authentication
         krb5-telnet: The Kerberos 5 Telnet authentication protocol is used when using Telnet to connect to the router. It must be listed first, so that it is used on the initial login attempt.
         line: The line password is used for authentication
         local: The local username database is used for authentication. To use the local user database, use the local keyword
         local-case: Provides case-sensitive local username authentication
         none: No authentication is used
         group radius: The list of all RADIUS servers is used for authentication
         group tacacs+: The list of all TACACS+ servers is used for authentication
         group group-name: Uses a subset of RADIUS or TACACS+ servers for authentication, as defined by the aaa group server radius or aaa group server tacacs+ command
6. Configuring AAA Authentication on Serial Interfaces Running PPP
   1. The aaa authentication ppp command specifies one or more authentication methods for serial interfaces running PPP.
   2. aaa authentication ppp default local – This command is used to specify a default PPP authentication method list using the local username-password database on the router.
   3. aaa authentication ppp dial-in local none – This command is used to specify a PPP authentication method list named dial-in, using the local username-password database on the router. If the local username is not defined, no authentication is used.
      Caveat: because an unknown local username is treated as an error rather than a failure, the none method admits any username that is not in the local database. Use none as a fallback only where unauthenticated access is genuinely acceptable.

7. Applying Authentication Commands to Router Lines and Interfaces
   router(config)# line console 0
   router(config-line)# login authentication console-in
   router(config)# int s3/0
   router(config-if)# ppp authentication chap dial-in
   1. line console 0 – is issued to enter line console configuration mode
   2. login authentication console-in – specifies an authentication list named console-in for login authentication on console port 0
   3. int s3/0 – is issued to enter interface configuration mode on port 0 of serial interface slot number 3
   4. ppp authentication chap dial-in – specifies an authentication method list named dial-in for use with PPP CHAP authentication on interface s3/0
8. Using the aaa authentication enable default command
   1. Use the aaa authentication enable default command to determine if a user can access the privileged command level.
   2. Syntax: aaa authentication enable default method1 [method2...]

9. Implementing the aaa authorization Command
   1. Used to restrict administrative EXEC access to the routers or user access to the network.
   2. Syntax: aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]
   3. aaa authorization Command Elements
      network – Used to implement authorization for all network-related service requests, such as SLIP, PPP, PPP Network Control Protocol (NCP), and ARAP
      exec – Used to implement authorization to determine if the user is allowed to run an EXEC shell
      commands – Used to implement authorization for all commands at a specific privilege level
      level – Used to specify the command level that should be authorized. Values may range from 0 to 15
      reverse-access – Used to implement authorization for reverse access connections, such as reverse Telnet
      configuration – Used to download the configuration from the AAA server
      default – Marks the methods that follow as the default list of methods for authorization
      list-name – Provides a character string used to name the list of authorization methods
      method – Specifies the method to be used for authorization, using one of the following keywords:
         group group-name: Specifies a subset of RADIUS or TACACS+ servers to be used for authorization. These are defined with the aaa group server radius or aaa group server tacacs+ commands
         if-authenticated: The user is permitted to access the requested function if he or she has been validly authenticated
         krb5-instance: Used in conjunction with the kerberos instance map command to specify the instance to be used
         local: Specifies the use of the local user database for authorization
         none: Authorization is not performed

5. 2. such as SLIP. this command does not perform authorization. examples of aaa authorization commands: router(config)# aaa authorization commands 15 default local router(config)# aaa authorization commands 1 mickey local router(config)# aaa authorization commands 15 goofy local router(config)# aaa authorization exec donald if-authenticated 4. for the method list named Pluto. and ARAP. aaa authorization commands 15 default local – The local user database is used to authorize the use of all level 15 commands for the default method list. aaa authorization exec donald if-authenticated – If the user has already been authenticated. . aaa authorization network pluto local none – The local user database is used to authorize the use of all network services. Up to four failover methods may be chosen 3. and the user can use all network services.2. If no local username is defined. this command allows the user to run the EXEC process. aaa authorization commands 1 mickey local – The local username database is used to authorize all level 1 commands for the mickey method list. Above commands explained: 1. aaa authorization commands 15 goofy local – The local user database is used to authorize the use of all level 15 commands for the goofy method list 4. PPP. 3.

10. Working with the aaa accounting Command
   1. Syntax: aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name
   2. aaa accounting Command Elements
      auth-proxy – Provides information about all authenticated proxy user events
      system – Performs accounting for all system-level events that are not associated with users
      network – Runs accounting for all network-related service requests, including SLIP, PPP, PPP NCP, and ARAP
      exec – Provides accounting for EXEC shell sessions
      connection – Provides information about all outbound connections made from the NAS
      commands level – Runs accounting for all commands at the specified privilege level. Privilege level entries are integers and may range from 0 to 15
      default – Sets the default list of methods for accounting services
      list-name – Names a list of at least one accounting method
      vrf vrf-name – This optional command element, used only with system accounting, may be used to specify a VPN routing and forwarding (VRF) configuration
      start-stop – Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The start accounting record is sent in the background; regardless of whether the start accounting notice was received by the accounting server, the requested user process begins. (The wait-start keyword, not shown in this syntax, makes the router hold the process until the start record is acknowledged.)
      stop-only – Sends a stop accounting notice at the end of the requested user process
      none – Disables accounting services on this line or interface
      broadcast – This optional command element allows the sending of accounting records to multiple AAA servers. Accounting records are simultaneously sent to the first server in each group. Should the first server be unavailable, failover occurs using the backup servers defined within that group
      group group-name – Defines the character string used to name the group of accounting servers
   3. Examples
      1. router(config)# aaa accounting commands 15 default stop-only group tacacs+
      2. router(config)# aaa accounting auth-proxy default start-stop group tacacs+
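The point of accounting in the chapter's opening definition is to record what the user did and for how long. As an added example written for this page (not Cisco or ACS code), the Python below shows the analysis the records make possible: it pairs EXEC start-stop records by task_id to measure session duration and to spot records with a missing partner, lists the privilege-15 commands from stop-only command accounting, and flags a command that switches accounting off. The records are constructed; their field names follow the accounting AV pairs named in RFC 8907 (task_id, start_time, stop_time, elapsed_time, service, priv-lvl, cmd), not a real ACS export format.

```python
# Constructed TACACS+ accounting records (not real Cisco Secure ACS output).
# AV-pair names follow RFC 8907 section 7: task_id, start_time, stop_time,
# elapsed_time, service, priv-lvl, cmd. Times are constructed epoch seconds.
RECORDS = [
    {"flags": "START", "user": "admin", "port": "vty0",
     "av": {"task_id": "41", "start_time": "1700000000", "service": "shell"}},
    {"flags": "STOP", "user": "admin", "port": "vty0",
     "av": {"task_id": "42", "stop_time": "1700000010", "service": "shell",
            "priv-lvl": "15", "cmd": "configure terminal"}},
    {"flags": "STOP", "user": "admin", "port": "vty0",
     "av": {"task_id": "43", "stop_time": "1700000020", "service": "shell",
            "priv-lvl": "15", "cmd": "no aaa accounting commands 15 default"}},
    {"flags": "STOP", "user": "admin", "port": "vty0",
     "av": {"task_id": "41", "stop_time": "1700000600", "elapsed_time": "600",
            "service": "shell"}},
    {"flags": "START", "user": "noc", "port": "vty1",
     "av": {"task_id": "51", "start_time": "1700000100", "service": "shell"}},
    {"flags": "STOP", "user": "noc", "port": "vty1",
     "av": {"task_id": "52", "stop_time": "1700000105", "service": "shell",
            "priv-lvl": "1", "cmd": "show ip interface brief"}},
    {"flags": "STOP", "user": "guest", "port": "vty2",
     "av": {"task_id": "60", "stop_time": "1700000300", "elapsed_time": "30",
            "service": "shell"}},
]

# Commands that, when seen in command accounting, disable the accounting itself
# (constructed prefix list for the demonstration).
ACCOUNTING_TAMPER_PREFIXES = ("no aaa accounting", "no aaa new-model")


def is_command_record(rec):
    """Command accounting (stop-only) records carry a cmd AV pair; EXEC records do not."""
    return "cmd" in rec["av"]


def exec_sessions(records):
    """Pair EXEC START/STOP records by task_id and classify each session."""
    sessions = {}
    for rec in records:
        if is_command_record(rec):
            continue
        s = sessions.setdefault(rec["av"]["task_id"],
                                {"user": rec["user"], "port": rec["port"],
                                 "start": None, "stop": None})
        if rec["flags"] == "START":
            s["start"] = int(rec["av"]["start_time"])
        elif rec["flags"] == "STOP":
            s["stop"] = int(rec["av"]["stop_time"])
    for s in sessions.values():
        if s["start"] is not None and s["stop"] is not None:
            s["state"] = "closed"
            s["duration"] = s["stop"] - s["start"]
        elif s["start"] is None:
            # START never arrived: server outage during login, or the start
            # record was sent in the background and lost (see start-stop above)
            s["state"] = "stop-without-start"
        else:
            s["state"] = "open"  # still logged in, or the STOP record was lost
    return sessions


def privileged_commands(records, min_level=15):
    """(user, command) for every accounted command at or above min_level."""
    return [(r["user"], r["av"]["cmd"]) for r in records
            if is_command_record(r) and int(r["av"].get("priv-lvl", "0")) >= min_level]


def accounting_tampering(records):
    """Commands that turn off the accounting that recorded them."""
    return [(r["user"], r["av"]["cmd"]) for r in records
            if is_command_record(r) and r["av"]["cmd"].startswith(ACCOUNTING_TAMPER_PREFIXES)]


if __name__ == "__main__":
    for task_id, s in exec_sessions(RECORDS).items():
        print(task_id, s["user"], s["state"], s.get("duration", "-"))
    print("priv-15 commands:", privileged_commands(RECORDS))
    print("accounting tampering:", accounting_tampering(RECORDS))
```

Because stop-only command accounting produces one record per command, the last command an attacker runs before disabling accounting is itself recorded, which is why the tampering check is worth running over the feed.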

11. Using the CLI to Troubleshoot AAA for Cisco Routers
   1. Use the following to troubleshoot AAA:
      1. debug aaa authentication
      2. debug aaa authorization
      3. debug aaa accounting
12. Using Cisco SDM to Configure AAA (page 127)

II. Configuring AAA Using Cisco Secure ACS
1. Overview of Cisco Secure ACS for Windows
   1. Cisco Secure ACS provides RADIUS and TACACS+ security server functions and combines AAA with policy control to extend network access security.
   2. Cisco Secure ACS is the centralized control point for managing network users, administrators, and network infrastructure resources. It manages and administers user access for Cisco network devices, including Cisco routers, Cisco PIX Firewalls, and Cisco VPNs, and supports IEEE 802.1x access control.
   3. Supported network access devices:
      1. Wired and wireless LAN switches and access points
      2. Edge and core routers
      3. Dialup and broadband terminators
      4. Content and storage devices
      5. VPNs
      6. VoIP
      7. Firewalls
   4. Cisco NAC support – In NAC deployments, Cisco Secure ACS acts as the policy decision point. It holds configurable policies that it uses to evaluate and validate the credentials received from the Cisco Trust Agent (posture). This evaluation of the host credentials can enforce many specific policies, such as OS patch level and antivirus definition (DAT) file version. From these it determines the state of the host and sends a per-user authorization to the NAD: ACLs, a policy-based ACL, or a private VLAN assignment. Cisco Secure ACS also records the results of this policy evaluation for use with monitoring systems. For hosts without the appropriate agent technology, Cisco Secure ACS 4.0 for Windows makes it possible for these hosts to be audited by third-party vendors before granting network access.
   5. Additional features of Cisco Secure ACS:
      1. Restrictions such as time of day and day of week
      2. Lightweight Directory Access Protocol (LDAP) and Open Database Connectivity (ODBC) user authentication support
      3. 802.1x authentication type support
      4. Automatic service monitoring, database synchronization, and import tools for large-scale deployments
      5. Access control lists (ACL) that may be downloaded to any Layer 3 device
      6. Device command set authorization
      7. Dynamic quota generation
      8. User and device group profiles
      9. User and administrative access reporting
      10. Network access restrictions

2. Cisco Secure ACS 4.0 for Windows
   1. Network Access Profiles (NAP) – One new feature provided by Cisco Secure ACS 4.0 for Windows is Network Access Profiles. Using these, administrators may classify access requests based on network location, membership in a network device group (NDG), protocol type, or other RADIUS attribute values sent by the NAD the user connects through. AAA policies may be mapped to specific profiles. This lets an administrator apply a different access policy based on, for instance, wireless access. External policy servers also make it possible to extend Cisco Secure ACS policies.
   2. Extended replication components – Through the improved replication provided by Cisco Secure ACS 4.0 for Windows, administrators may now replicate NAPs and all related configurations, including:
      1. Posture validation settings
      2. AAA clients and hosts
      3. External database configuration
      4. Global authentication configuration
      5. NDGs
      6. Dictionaries
      7. Shared-profile components
      8. Additional logging attributes
   3. EAP-FAST enhanced support – Cisco has developed EAP-FAST as a publicly accessible IEEE 802.1x EAP type that has the following characteristics:
      1. No digital certificate is required
      2. Support for password expiration and change
      3. Versatile support for user and password database types
      4. Flexible and easy to deploy and manage
      EAP-FAST is also for those who want to deploy an 802.1x EAP type to support customers who cannot enforce a strong password policy.
   4. Machine access restrictions (MARs) – MARs are offered as an enhancement of Microsoft Windows machine authentication. Administrators can use MARs to control authorization of EAP-TLS, EAP-FASTv1a, and Microsoft PEAP users who authenticate with a Microsoft Windows external user database when Microsoft Windows machine authentication is enabled. With this feature, users who access the network with a computer that has not passed machine authentication within a configurable length of time are given the authorizations of a user group that you specify. You can configure this to limit authorization as needed, or you may choose to deny network access.
   5. Network access filters (NAF) – NAFs, a new type of shared-profile component, give administrators a flexible way to apply network access restrictions and downloadable ACLs by network device name, NDG, or IP address. When NAFs are applied by IP address, you may use IP address ranges and wildcards. This new feature allows for granular application of network access restrictions (NAR) and downloadable ACLs. Previously, these supported only the same access restrictions or ACLs for all devices.
   6. Improvements to scalability – The 4.0 version of Cisco Secure ACS for Windows supports an industry-standard relational database management system (RDBMS), increasing the number of devices (AAA clients) ten times while increasing the number of users by three times the previous number. Improvements have also been made in performance, including significant performance increases in the number of transactions per second across the full protocol portfolio supported by Cisco Secure ACS.
   7. Downloadable IP ACLs – Per-user ACL support is extended to any Layer 3 network device that supports downloadable IP ACLs, such as Cisco ASA, Cisco PIX Firewalls, Cisco VPN solutions, and Cisco IOS routers. Sets of ACLs may be defined that can be applied per user or per group. This works hand in hand with NAC by enforcing the correct ACL policy. Further, these may be used along with NAFs to apply downloadable ACLs differently on a per-device basis, tailoring ACLs uniquely per user, per access device.
   8. Certificate revocation list (CRL) comparison – An X.509 CRL profile is used to support certificate revocation in this version of Cisco Secure ACS for Windows.

3. Cisco Secure ACS 4.0 for Windows Installation
   Ports Used by Cisco Secure ACS for Client Communication
   | Feature | Protocol | Port(s) |
   | RADIUS authentication/authorization | UDP | 1645, 1812 |
   | RADIUS accounting | UDP | 1646, 1813 |
   | TACACS+ | TCP | 49 |
   | Cisco Secure ACS database replication | TCP | 2000 |
   | RDBMS synchronization | TCP | 2000 |
   | User-changeable password web application | TCP | 2000 |
   | Logging | TCP | 2001 |
   | Administrative HTTP port for new sessions | TCP | 2002 |
   | Administrative HTTP port range | TCP | Configurable |
   Note: 1812/1813 are the IANA-assigned RADIUS ports; 1645/1646 are the legacy ports that older NAS software still uses. A firewall between the NAS and ACS has to allow whichever pair the NAS is configured for.
4. Overview of TACACS+ and RADIUS
   1. TACACS+ Authentication
      1. Steps involved in the authentication process with TACACS+ (the NAS is the router or access server between the user and the TACACS+ server):
         1. The user requests access
         2. The NAS requests a username prompt from the TACACS+ server
         3. The TACACS+ server provides a username prompt
         4. The NAS prompts the user
         5. The user provides a username
         6. The NAS forwards the username to the TACACS+ server
         7. The NAS requests a password prompt from the TACACS+ server
         8. The TACACS+ server provides a password prompt
         9. The NAS prompts the user for the password
         10. The user submits the password
         11. The NAS forwards the password to the TACACS+ server
         12. The TACACS+ server accepts or rejects the user

      2. The TACACS+ daemon provides the NAS with one of the following responses:
         1. ACCEPT – The user is authenticated, and authorization begins at this point if the NAS has been configured to require it.
         2. REJECT – Authentication has failed for the user. The user either is prompted to retry the login sequence or is denied further access, depending on the TACACS+ daemon.
         3. ERROR – At some point during the authentication process an error occurred, either at the daemon or in the network connection between the daemon and the NAS. If an ERROR response is received, the NAS usually attempts to use an alternative method (the next method in its list) to authenticate the user.
         4. CONTINUE – The user is prompted for further authentication information before acceptance or rejection.
      3. Authorization, if required – The TACACS+ daemon is contacted again and returns either ACCEPT or REJECT. If accepted, the response contains attributes that direct the EXEC or NETWORK session for that user, which determines which services the user can access. Services may include:
         1. Telnet, rlogin, PPP, SLIP, or EXEC services
         2. Connection parameters, such as the host or client IP address, ACL, and user timeouts
   2. Authorization process with TACACS+ after the user has successfully authenticated
      1. The NAS submits an authorization request for the network access to the TACACS+ server.
      2. The request is either accepted or denied by TACACS+.
      3. Authorization parameters are sent to the NAS if the access is permitted and are applied to the user connection.
   3. TACACS+ Attributes
      1. TACACS+ frequently uses a number of attributes for authentication and authorization:
         1. ACL (EXEC authorization) – Lists an access class number that will be applied to a line
         2. ADDR (SLIP, PPP/IP authorization) – When using a SLIP or PPP/IP connection, this is used to specify the IP address of the remote host that should be assigned
         3. Addr-pool – Used to specify the name of a local address pool from which to obtain the address of the remote host
         4. Autocmd – Used to specify a command to be automatically executed at EXEC startup
         5. CMD (EXEC) – The attribute-value (AV) pair used to start an authorization request for an EXEC command
         6. InACL (PPP/IP, SLIP authorization) – Used with SLIP or PPP/IP connections to list an inbound IP ACL
         7. OutACL (PPP/IP, SLIP authorization) – Used with SLIP or PPP/IP connections to list an outbound IP ACL
         8. Priv-lvl (EXEC authorization) – An integer between 0 and 15 used to specify the current privilege level for command authorization
         9. Route (PPP/IP, SLIP authorization) – Used to specify a route to be applied to an interface
      2. TACACS+ can be used to upload a per-user ACL and static route to the NAS, as well as a variety of other parameters.
   4. Command Authorization with TACACS+
      1. The figure shows what happens when an administrator enters the configure terminal command: the NAS sends an authorization request for the command to the TACACS+ server, the server accepts or denies it, and the command runs only on an accept. During this process, TACACS+ establishes a new TCP session.
      2. To realize this benefit, both the Cisco Secure ACS and the router have to be configured for this functionality.
   5. TACACS+ transport
      1. TACACS+ is Cisco proprietary and uses TCP port 49. It is the primary protocol for Cisco AAA implementations and supports routers, switches, and PIX.
      2. By default, a new TCP session is established for each authorization request; typically each AAA transaction uses a dedicated TCP connection. This may lead to delays when users enter commands.
      3. To improve performance, Cisco Secure ACS supports persistent TCP sessions. This single session persists as long as the server or network device is operational. Using a single connection means less server load and better detection of a break in communication.

   6. Authentication and Authorization with RADIUS
      1. RADIUS was created by the IETF and uses UDP/IP.
      2. Authentication steps for RADIUS:
         1. The NAS prompts the client for a username
         2. The client provides a username to the NAS
         3. The NAS prompts the client for a password
         4. The client provides the password
         5. An Access-Request datagram containing all the necessary AV pairs is used to send information about the username and password to the RADIUS server, as well as additional information such as the NAS port, and so on.
         6. If the information provided by the user is correct, the server responds with an Access-Accept datagram. This Access-Accept message also contains authorization parameters in the form of AV pairs; for instance, this might be the IP address to be assigned. On the other hand, if the information that the user has provided is incorrect, an Access-Reject message is returned, and the NAS terminates the connection.
      3. RADIUS Message Types. The four RADIUS message types are as follows:
         1. Access-Request – Carries the User-Name and User-Password AV pairs. Only the password is hidden, by XORing it with an MD5 keystream derived from the shared secret and the Request Authenticator; the username and every other attribute travel in cleartext.
         2. Access-Challenge – Used for authentication methods that employ a challenge-based approach, such as Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP), and Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)
         3. Access-Accept – Indicates that the user-provided information is correct
         4. Access-Reject – Indicates that the user-provided information is incorrect
      4. RADIUS Attributes
         1. 50 AV pairs are defined by the IETF. Cisco has added several vendor-specific attributes on the server side.
         2. Cisco AV pairs are used by default on Cisco IOS devices, but you can change them to use only standard AV pairs for compatibility reasons.
         3. Commonly used RADIUS AV pairs:
            1. User-Name
            2. User-Password (hidden as described above)
            3. CHAP-Password
            4. NAS-IP-Address
            5. NAS-Port
            6. Service-Type
            7. Framed-IP-Address

      5. Features of RADIUS
         1. RADIUS is RFC 2865.
         2. Cisco's RADIUS is RFC 2865 plus IETF attribute 26, the vendor-specific attribute (VSA) for Cisco. Via this VSA any authorization request specified in the TACACS+ specification can be sent to an access device through RADIUS.
         3. Combines authentication and authorization.
      6. Limitations
         1. Limited security: only the User-Password attribute is hidden (MD5-based obfuscation keyed with the shared secret); the rest of the packet is cleartext, so a weak or widely shared secret exposes every password sent through that NAS.
         2. The combination of authentication and authorization in one function.
      7. Comparison of RADIUS and TACACS+
         | Topic | TACACS+ | RADIUS |
         | Packet delivery | TCP | UDP |
         | Packet encryption | Encrypts the entire body of the packet but leaves a standard TACACS+ header in the clear | Encrypts only the password in the Access-Request packet from the client to the server |
         | AAA support | Uses the AAA architecture, separating authentication, authorization, and accounting | Combines authentication and authorization |
         | Multiprotocol support | Supports other protocols, such as AppleTalk, NetBIOS, and IPX | None |
         | Router management | Enables network administrators to control which commands can be executed on a router | Can pass a privilege level down to the router, which can then be used locally for command authorization |
         | Responses | Uses multiple-challenge responses for each of the AAA processes | Uses a single-challenge response |
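The "Packet encryption" row of the comparison, as an added example written in Python for this page (it is not Cisco, ACS or IOS code). It builds a RADIUS Access-Request per RFC 2865 and a TACACS+ authentication START packet per RFC 8907 for the same username and shared key, then checks which strings a passive sniffer reads straight off the wire: the RADIUS username is cleartext and only the User-Password is hidden, while the whole TACACS+ body is XORed with an MD5 keystream and only its header is readable. The username, password, NAS address and session id are constructed; the key reuses the shared1 value from the page's tacacs-server key example.

```python
import hashlib
import os
import struct

# Constructed values for the demonstration (not from the original notes except the key).
SECRET = b"shared1"
USERNAME = b"admin"
PASSWORD = b"s3cret-pw"


# ---- RADIUS (RFC 2865): only the User-Password attribute is hidden ----

def radius_hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16 bytes, then XOR each block with
    MD5(secret + previous block), seeded with the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def radius_unhide_password(hidden, secret, authenticator):
    """Inverse of radius_hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def radius_attr(attr_type, value):
    """Type-Length-Value attribute; length covers the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def radius_access_request(username, password, secret, nas_ip, nas_port,
                          ident=1, authenticator=None):
    """Code 1 Access-Request with User-Name(1), User-Password(2),
    NAS-IP-Address(4) and NAS-Port(5)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (radius_attr(1, username)
             + radius_attr(2, radius_hide_password(password, secret, authenticator))
             + radius_attr(4, bytes(int(o) for o in nas_ip.split(".")))
             + radius_attr(5, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def radius_attributes(packet):
    """Parse the attribute TLVs after the 20-byte header into {type: value}."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


# ---- TACACS+ (RFC 8907): the whole body is XORed with an MD5 keystream ----

TAC_VERSION = 0xC0   # major version 0xC, minor version 0
TAC_AUTHEN = 1       # packet type: authentication


def tacacs_pad(session_id, key, version, seq_no, length):
    """pseudo_pad = MD5(session_id, key, version, seq_no) ||
    MD5(session_id, key, version, seq_no, previous MD5) || ... truncated to length."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pad; applying it a second time restores the body."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_authen_start(username, port, rem_addr, key, session_id=None, seq_no=1):
    """Authentication START: action LOGIN(1), priv_lvl 1, authen_type ASCII(1),
    authen_service LOGIN(1); the 12-byte header stays in the clear (flags 0 = obfuscated)."""
    session_id = session_id or os.urandom(4)
    body = struct.pack("!8B", 1, 1, 1, 1, len(username), len(port), len(rem_addr), 0)
    body += username + port + rem_addr
    header = struct.pack("!BBBB4sI", TAC_VERSION, TAC_AUTHEN, seq_no, 0, session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, TAC_VERSION, seq_no)


def visible_on_wire(packet, *fields):
    """Which of the given byte strings appear verbatim in the packet."""
    return {f.decode(): f in packet for f in fields}


if __name__ == "__main__":
    rad = radius_access_request(USERNAME, PASSWORD, SECRET, "192.168.4.75", 3)
    tac = tacacs_authen_start(USERNAME, b"tty0", b"10.0.0.5", SECRET)
    print("RADIUS :", visible_on_wire(rad, USERNAME, PASSWORD))
    print("TACACS+:", visible_on_wire(tac, USERNAME))
```

Both protections rest on MD5 and the shared secret alone: anyone holding the secret (or guessing a weak one offline from a capture) recovers the RADIUS password and the entire TACACS+ body, which is the concrete meaning of "limited security" above and of the page's advice to treat the tacacs-server key as a secret.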

   8. Configuring the Network Access Server with TACACS+
      1. Configuring TACACS+
         1. Enable AAA globally to allow the use of all AAA elements. This is a prerequisite for all other AAA commands.
         2. Specify which Cisco Secure ACS will provide AAA services for the network access server (NAS).
         3. Configure an encryption key to be used to encrypt the data transfer between the network access server and the Cisco Secure ACS.
      2. CLI steps
         1. router(config)# aaa new-model
         2. router(config)# tacacs-server host 192.168.4.75 single-connection
         3. router(config)# tacacs-server key shared1
      3. Commonly Used AAA Configuration Commands
         aaa new-model – Used to enable AAA on the router. This is a prerequisite for all other AAA commands.
         tacacs-server host ip-address single-connection – Used to indicate the address of the Cisco Secure ACS server and to specify the use of the TCP single-connection feature of Cisco Secure ACS. Performance is improved by maintaining a single TCP connection for the life of the session between the NAS and the Cisco Secure ACS server, rather than opening and closing a TCP connection for each session, which is the default.
         tacacs-server key key – Used to establish a shared secret encryption key between the network access server and the Cisco Secure ACS server. The same key must be entered for this NAS on the ACS, and service password-encryption should be enabled so the key is not stored in cleartext in the running configuration.

   9. Using the CLI to Configure AAA Login Authentication on Cisco Routers
      1. To enable the AAA authentication process to secure logging into the Cisco IOS device:
         aaa authentication login {default | list-name} group {group-name | radius | tacacs+} [method2 [method3 [method4]]]
      2. aaa authentication login parameters
         default – Used to create a default that is automatically applied to all lines and interfaces, specifying the method or sequence of methods used for authentication
         list-name – Used to create a list (you may choose the name) that is applied explicitly to a line or interface using the method or methods specified. This list overrides the default when applied to a specific line or interface
         group group-name – Used to specify the use of an AAA server. The group-name string is used to specify a predefined group of RADIUS or TACACS+ servers for authentication (created with the aaa group server radius or aaa group server tacacs+ command)
         group radius, group tacacs+ – Refer to all previously defined RADIUS or TACACS+ servers
         method2 method3 method4 – Used to execute authentication methods in the order listed. Up to four methods may be configured for each operation. If an error is returned by the authentication method, such as a timeout error, the Cisco IOS software attempts to execute the next method. Access is denied if the authentication fails. The method must be supported by the authentication operation specified. A general list of methods includes the following:
            enable – The enable password is used for authentication
            group – Uses the named server group
            krb5 – Kerberos version 5 is used for authentication
            line – The line password is used for authentication
            local – The local username and password database is used for authentication
            local-case – Specifies the use of case-sensitive local username authentication
            none – No authentication is used
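The method-list rule stated in the section above ("if an error is returned ... attempts the next method; access is denied if the authentication fails") and the dial-in local none caveat in the PPP section both come down to how the router tells an error apart from a failure. As an added example written for this page (a Python simulation, not IOS code), the block below models a few method lists under that rule with a constructed local database, a constructed and unreachable TACACS+ server, and a constructed enable secret. It shows a server outage falling back to the local database, a wrong password denying access without falling through, and an unknown username reaching none.

```python
# Simulation of IOS-style AAA method-list evaluation. Added example; not Cisco code.
# Rule modelled (from the notes): a method that returns an error (server unreachable,
# username not in the local database) hands off to the next method; a method that
# fails (wrong password) denies access at once; if every method errors, access is denied.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

LOCAL_USERS = {"admin": "Str0ng-Local-Pw"}     # constructed `username` entries
ENABLE_SECRET = "En4ble-Pw"                     # constructed enable secret
TACACS_SERVER = {"reachable": False,            # constructed ACS state: currently down
                 "users": {"noc": "t4c-Pw"}}


def m_local(user, pw):
    if user not in LOCAL_USERS:
        return ERROR                            # unknown local user: try the next method
    return PASS if LOCAL_USERS[user] == pw else FAIL


def m_group_tacacs(user, pw):
    if not TACACS_SERVER["reachable"]:
        return ERROR                            # no server answered: try the next method
    return PASS if TACACS_SERVER["users"].get(user) == pw else FAIL


def m_enable(user, pw):
    return PASS if pw == ENABLE_SECRET else FAIL


def m_none(user, pw):
    return PASS                                 # no authentication at all


METHODS = {"group tacacs+": m_group_tacacs, "local": m_local,
           "enable": m_enable, "none": m_none}


def authenticate(method_list, user, pw):
    """Return (allowed, deciding_method) for a list such as ["group tacacs+", "local"]."""
    for name in method_list:
        result = METHODS[name](user, pw)
        if result == PASS:
            return True, name
        if result == FAIL:
            return False, name                  # failure never falls through
    return False, "no method available"         # every method errored: deny


def audit_method_lists(lists):
    """True for each list that admits a username unknown to every configured method:
    everything before `none` returns ERROR, so `none` decides."""
    return {name: authenticate(methods, "not-a-user", "")[0]
            for name, methods in lists.items()}


if __name__ == "__main__":
    print(authenticate(["group tacacs+", "local"], "admin", "Str0ng-Local-Pw"))
    print(authenticate(["local", "none"], "mallory", "anything"))
    print(audit_method_lists({"dial-in": ["local", "none"],
                              "console-in": ["local"],
                              "default": ["group tacacs+", "local"]}))
```

audit_method_lists is the check to run over a router's aaa authentication lines before deployment: any list that comes back True grants access to an unknown username whenever the earlier methods cannot answer, which is exactly the situation an attacker creates by making the AAA server unreachable.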