
Chapter 4 Configuring AAA

I. Configuring AAA Using the Local User Database
1. Authentication, Authorization, and Accounting
1. Modular architecture that is composed of three functional components
1. Authentication – Authentication is the process by which users prove who they
say they are using mechanisms such as username and password, token cards, and
challenge and response.
2. Authorization – After the user or administrator has been authenticated,
authorization services decide which resources he is allowed to access and
which operations he may perform.
3. Accounting and auditing – After being authenticated and authorized, the user
or administrator begins to access the network. It is the role of accounting and
auditing to record what the user or administrator actually did with this access,
what he accessed, and how long he accessed it.
2. AAA for Cisco Routers
1. 3 ways to implement AAA on Cisco routers
1. Cisco Secure ACS Solution Engine – In this implementation, AAA services on
the router or network access server (NAS), which acts as a gateway guarding
access to protected resources, contact an external Cisco Secure ACS Solution
Engine for both user and administrator authentication. The Cisco Secure ACS SE
is an appliance that ships with Cisco Security Agent (CSA) installed. For some
organizations this is easier than purchasing hardware, an OS license, a CSA
license, and an ACS license separately; in that software-based configuration the
administrator also has to take steps to lock down the server, whereas the ACS SE
is delivered already hardened.
2. Cisco Secure Access Control Server (ACS) for Windows Server – This
software package may be used for user and administrator authentication. AAA
services on the router or NAS contact an external Cisco Secure ACS running on
Microsoft Windows. A separate CSA license is needed if you want host protection
for the server.
3. Self-contained AAA – AAA services are contained in the router or NAS
itself. Implemented in this fashion, authentication is also known as local
authentication.

Router Access Authentication
1. AAA commands to secure administrative and remote LAN access
    1. Remote administrative access – Character mode (line or EXEC mode); NAS ports: TTY, vty, auxiliary, and console; AAA command elements: login, exec, and enable mode commands
    2. Remote network access – Packet mode (interface mode); NAS ports: async, group-async, BRI, and PRI; AAA command elements: ppp and network commands

Using AAA to Configure Local User Database Authentication
1. Six steps to configure a Cisco router for local authentication
    1. Secure access to privileged EXEC mode
    2. Use the aaa new-model command to enable AAA globally on the perimeter router
    3. Configure AAA authentication lists
    4. Configure AAA authorization for use after the user has passed authentication
    5. Configure the AAA accounting options
    6. Verify the configuration
2. Minimum commands to configure AAA local authentication
    Router(config)# aaa new-model
    Router(config)# username username password password
    Router(config)# aaa authentication login default local
    Define the username before entering aaa new-model: once AAA is enabled, every line defaults to local username authentication, and a router with no username defined refuses logins. Prefer username username secret password to the password keyword, because secret stores a one-way hash while password stores the string in clear text (or in the reversible type 7 encoding when service password-encryption is on).
3. Other AAA authentication commands
    aaa authentication arap, aaa authentication banner, aaa authentication enable default, aaa authentication fail-message, aaa authentication local-override, aaa authentication login, aaa authentication nasi, aaa authentication password-prompt, aaa authentication ppp, aaa authentication username-prompt

AAA Authentication Commands
1. Command – Description
    1. aaa authentication arap – Enables an AAA authentication method for AppleTalk Remote Access Protocol (ARAP) users using RADIUS or TACACS+. The no form disables this authentication.
    2. aaa authentication banner – Creates a personalized login banner.
    3. aaa authentication enable default – Enables AAA authentication to determine whether a user can access the privileged command level. The no form disables this authentication.
    4. aaa authentication fail-message – Creates a message that is displayed when a user login fails.
    5. aaa authentication local-override – Configures the Cisco IOS software to check the local user database before attempting another form of authentication. The no form disables the override.
    6. aaa authentication login – Sets AAA authentication at login. The no form disables AAA authentication.
    7. aaa authentication nasi – Specifies AAA authentication for NetWare Access Server Interface (NASI) clients who connect through the access server. The no form disables authentication for NASI clients.
    8. aaa authentication password-prompt – Changes the text displayed when users are prompted for a password. The no form returns to the default password prompt text.
    9. aaa authentication ppp – Specifies one or more AAA authentication methods for serial interfaces running PPP. The no form disables this authentication.
    10. aaa authentication username-prompt – Changes the text displayed when users are prompted to enter a username. The no form returns to the default username prompt text.
2. Most important commands to learn
    1. The aaa authentication login command
    2. The aaa authentication enable default command
    3. The aaa authentication ppp command

Setting AAA Authentication for Login
1. The aaa authentication login command sets AAA authentication for login to a router's administration ports.
2. Defining a method list
    1. Method lists are sequential lists of the authentication methods to be queried when authenticating a user. They let an administrator designate one or more security protocols for authentication and provide a backup should the initial method return an error or be unreachable (for instance, because an AAA server is down). Up to four methods may be specified.
    2. In global configuration mode, use the aaa authentication command to configure an AAA authentication method list:
        1. Indicate the service (PPP, NASI, Serial Line Interface Protocol (SLIP), or ARAP) or login authentication
        2. Either use the default method list name or specify a method list name. A list name may be any alphanumeric string; you may configure multiple lists on the router, but each must have a unique name
        3. Specify the authentication methods (local, line, group radius, group tacacs+, dot1x, enable, and so on), which also determines how the router handles requests when a method is not operating
    3. Apply the method lists to:
        1. Lines – TTY, vty, auxiliary, and console for login, and asynchronous lines (in most cases) for ARAP
        2. Interfaces – sync, async, and virtual interfaces configured for PPP, SLIP, or ARAP
    4. If no list is applied, the default method list applies. A named method list overrides the default once it is applied to a line or interface.
3. Examples
    1. aaa authentication login console-in local – defines a login method list named console-in that uses the local username and password database on the router
    2. aaa authentication login tty-in line – defines a login method list named tty-in that uses the line password configured on the router
    3. aaa authentication login default enable – defines the default login method list using the enable password

aaa authentication login Syntax
1. aaa authentication login {default | list-name} method1 [method2...]
2. Command elements
    1. default – Specifies the default list of methods, given by the methods that follow, to be used when a user logs in
    2. list-name – Names the list of authentication methods activated when a user logs in
    3. method – At least one keyword must be specified:
        enable – the enable password is used for authentication
        krb5 – Kerberos 5 is used for authentication
        krb5-telnet – the Kerberos 5 Telnet authentication protocol is used when Telnet is used to connect to the router; it must be listed first in the method list
        line – the line password is used for authentication
        local – the local username database is used for authentication
        local-case – case-sensitive local username authentication
        none – no authentication is used
        group radius – the list of all RADIUS servers is used for authentication
        group tacacs+ – the list of all TACACS+ servers is used for authentication
        group group-name – a subset of RADIUS or TACACS+ servers, as defined by the aaa group server radius or aaa group server tacacs+ command

Configuring AAA Authentication on Serial Interfaces Running PPP
1. The aaa authentication ppp command defines the authentication methods for serial interfaces running PPP. To use the local user database, specify the local keyword.
2. Syntax examples
    1. aaa authentication ppp default local – defines the default PPP method list using the local username and password database on the router
    2. aaa authentication ppp dial-in local none – defines a PPP method list named dial-in that uses the local database; if the username is not defined locally, no authentication is performed. Because a trailing none turns an unknown user into an accepted one, use it only on interfaces where unauthenticated access is intended.

Applying Authentication Commands to Router Lines and Interfaces
1. Example
    router(config)# line console 0
    router(config-line)# login authentication console-in
    router(config)# int s3/0
    router(config-if)# ppp authentication chap dial-in
2. Commands explained
    1. line console 0 – enters line configuration mode for the console port
    2. login authentication console-in – applies the login method list named console-in to console port 0
    3. int s3/0 – enters interface configuration mode for port 0 of the serial interface in slot 3
    4. ppp authentication chap dial-in – applies the method list named dial-in to PPP CHAP authentication on interface s3/0

Using the aaa authentication enable default Command
1. The aaa authentication enable default command determines whether a user can access the privileged command level
2. aaa authentication enable default method1 [method2...]
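The four lines above apply lists to one console and one serial interface only. The following is an added example, not configuration from the original chapter, that carries steps 1 to 3 of the six-step procedure through for local authentication on a router and applies the lists to the console, the vty lines and a PPP interface. The weak dial-in list from the page is shown commented out beside its hardened replacement. The usernames, passphrases, the interface and every list name except console-in and dial-in are assumptions.

```cisco
! Step 1: secure privileged EXEC with a hashed secret (never "enable password")
enable secret Pr1v-Exec-Passphrase
!
! Local user database. "secret" stores a one-way hash; "password" would store
! clear text or the reversible type 7 encoding. Define the users BEFORE
! aaa new-model, because AAA defaults every line to local authentication.
username netadmin privilege 15 secret Adm1n-Passphrase
username dialuser secret D1al-Passphrase
!
! Step 2: enable AAA globally
aaa new-model
!
! Step 3: authentication method lists
! default list for every line that has no explicit list applied
aaa authentication login default local-case
! console: local db first, enable secret only if the local lookup errors
aaa authentication login console-in local enable
! vty: local db only; no "line" or "none" fallback for remote access
aaa authentication login vty-in local-case
! privileged EXEC: use the enable secret
aaa authentication enable default enable
! PPP: the chapter's "dial-in local none" accepts any user missing from the
! local database; the hardened list stops at local
! aaa authentication ppp dial-in local none     <- fail-open, do not use
aaa authentication ppp dial-in local
!
! Apply the lists to lines and interfaces
line console 0
 login authentication console-in
 exec-timeout 5 0
line vty 0 4
 login authentication vty-in
 ! assumes SSH is already enabled (ip domain-name, crypto key generate rsa)
 transport input ssh
 exec-timeout 5 0
!
interface Serial3/0
 encapsulation ppp
 ppp authentication chap dial-in
!
! Step 6 (verify): show running-config | include aaa|username|login
```

Keep the console session open while testing a new vty list from a second session; a typo in a method list is the classic way to lock yourself out, and the console list with its enable fallback is the way back in.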

Implementing the aaa authorization Command
1. Authorization restricts administrative EXEC access to the routers and user access to the network.
2. aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]
3. Command elements
    1. network – authorization for all network-related service requests, such as SLIP, PPP, PPP Network Control Protocol (NCP), and ARAP
    2. exec – determines whether the user is allowed to run an EXEC shell
    3. commands – authorization for all commands at a specific privilege level
    4. level – the command privilege level to authorize; values range from 0 to 15
    5. reverse-access – authorization for reverse access connections, such as reverse Telnet
    6. configuration – downloads the configuration from the AAA server
    7. default – makes the listed methods the default list for authorization
    8. list-name – character string naming the list of authorization methods
    9. method – the authorization method, one or more of the following keywords:
        group group-name – a subset of RADIUS or TACACS+ servers, defined with the aaa group server radius or aaa group server tacacs+ commands
        if-authenticated – the user is permitted to access the requested function if he or she has been validly authenticated
        krb5-instance – used with the kerberos instance map command to specify the Kerberos instance to be used
        local – the local user database is used for authorization
        none – authorization is not performed

4. Examples of aaa authorization commands
    router(config)# aaa authorization commands 15 default local
    router(config)# aaa authorization commands 1 mickey local
    router(config)# aaa authorization commands 15 goofy local
    router(config)# aaa authorization exec donald if-authenticated
    router(config)# aaa authorization network pluto local none
5. Commands explained
    1. aaa authorization commands 15 default local – the local user database authorizes all level 15 commands for the default method list
    2. aaa authorization commands 1 mickey local – the local username database authorizes all level 1 commands for the mickey method list
    3. aaa authorization commands 15 goofy local – the local user database authorizes all level 15 commands for the goofy method list
    4. aaa authorization exec donald if-authenticated – if the user has already been authenticated, this list allows the user to run the EXEC process
    5. aaa authorization network pluto local none – the local user database authorizes all network services (SLIP, PPP, and ARAP) for the method list named pluto. If no local username is defined, no authorization is performed and the user can use all network services. As with authentication, a trailing none is fail-open: it turns "no entry for this user" into "everything permitted".
6. Up to four failover methods may be listed.

Working with the aaa accounting Command
1. aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name
2. Command elements
    1. auth-proxy – accounting for all authenticated proxy user events
    2. system – accounting for all system-level events that are not associated with users
    3. network – accounting for all network-related service requests, including SLIP, PPP, PPP NCP, and ARAP
    4. exec – accounting for EXEC shell sessions
    5. connection – information about all outbound connections made from the NAS
    6. commands level – accounting for all commands at the specified privilege level; privilege levels are integers from 0 to 15
    7. default – makes the listed accounting methods the default list for accounting services
    8. list-name – names a list of at least one accounting method
    9. vrf vrf-name – optional; used only with system accounting, specifies a VPN routing and forwarding (VRF) instance
    10. start-stop – sends a start accounting notice at the beginning of a process and a stop notice at the end. The start record is sent in the background, and the requested user process begins regardless of whether the accounting server received the start notice
    11. stop-only – sends a stop accounting notice at the end of the requested user process
    12. none – disables accounting services on this line or interface
    13. broadcast – optional; sends accounting records to multiple AAA server groups at once, to the first server in each group. Should that server be unavailable, failover occurs to the backup servers defined within that group
    14. group group-name – the server group that receives the records, either a group defined with aaa group server radius or aaa group server tacacs+ or the built-in radius or tacacs+ group
3. Examples
    1. router(config)# aaa accounting commands 15 default stop-only group tacacs+
    2. router(config)# aaa accounting auth-proxy default start-stop group tacacs+
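The following added example, not configuration from the original chapter, completes steps 4 and 5 of the local-authentication procedure: EXEC and per-level command authorization from the local database, with accounting records sent to a TACACS+ server group. Accounting has no local method, so the tacacs-server lines are only the prerequisite it needs; the server address, shared key, group name and user accounts are assumptions.

```cisco
! Prerequisite for accounting: a TACACS+ server that receives the records
! (assumed address and key)
aaa new-model
tacacs-server host 10.1.1.10
tacacs-server key Sh4red-Secret
aaa group server tacacs+ ACS-LOG
 server 10.1.1.10
!
! Local users at two privilege levels (assumed)
username netadmin privilege 15 secret Adm1n-Passphrase
username helpdesk privilege 1 secret H3lp-Passphrase
aaa authentication login default local
!
! Step 4: authorization
! EXEC shell: the local entry and its privilege level decide
aaa authorization exec default local
! commands: levels 15 and 1 authorized from the local database, with no
! trailing "none" that would permit every command when the lookup errors
aaa authorization commands 15 default local
aaa authorization commands 1 default local
! by default authorization skips the console and configuration-mode
! commands; enable both so the audit trail is complete
aaa authorization console
aaa authorization config-commands
!
! Step 5: accounting
! EXEC sessions: start and stop records give logon time and duration
aaa accounting exec default start-stop group ACS-LOG
! commands: one stop record per command is enough to reconstruct the session
aaa accounting commands 15 default stop-only group ACS-LOG
aaa accounting commands 1 default stop-only group ACS-LOG
! reloads and other events not tied to a user
aaa accounting system default start-stop group ACS-LOG
!
! Step 6: verify, from the console so a mistake cannot lock you out
!   show aaa sessions
!   debug aaa authorization
!   debug aaa accounting
```

Command accounting is the piece a responder actually uses after an incident: with stop-only records for level 1 and 15 the server holds who typed which command and when, even if the attacker later erases the local log.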

Using the CLI to Troubleshoot AAA for Cisco Routers
1. Use the following to troubleshoot AAA
    1. debug aaa authentication
    2. debug aaa authorization
    3. debug aaa accounting

Using Cisco SDM to Configure AAA (textbook page 127)

II. Configuring AAA Using Cisco Secure ACS
1. Overview of Cisco Secure ACS for Windows
    1. Cisco Secure ACS manages and administers user access for Cisco network devices using IEEE 802.1x access control.
    2. Cisco Secure ACS provides RADIUS and TACACS+ security server functions.
    3. It combines AAA with policy control to extend network access security.
    4. Cisco NAC support – In NAC deployments Cisco Secure ACS acts as the policy decision point. Using configurable policies it evaluates and validates the credentials received from the Cisco Trust Agent (posture), determines the state of the host, and sends a per-user authorization to the NAD: ACLs, a policy-based ACL, or a private VLAN assignment. This evaluation of host credentials can enforce many specific policies, such as OS patch level and antivirus signature (DAT) file version. Cisco Secure ACS also records the results of this policy evaluation for use by monitoring systems. For hosts without the appropriate agent technology, Cisco Secure ACS 4.0 for Windows makes it possible for those hosts to be audited by third-party vendors before network access is granted.
    5. Supported network access devices
        1. Wired and wireless LAN switches and access points
        2. Edge and core routers
        3. Dialup and broadband terminators
        4. Content and storage devices
        5. VoIP
        6. Firewalls
        7. VPNs
    6. In the NAC solution it is the centralized control point for managing network users, administrators, and network infrastructure resources, including Cisco routers, Cisco PIX Firewalls, and Cisco VPNs.
2. Additional features of Cisco Secure ACS 4.0 for Windows
    1. Restrictions such as time of day and day of week
    2. Lightweight Directory Access Protocol (LDAP) and Open Database Connectivity (ODBC) user authentication support
    3. 802.1x authentication type support
    4. Automatic service monitoring, database synchronization, and import tools for large-scale deployments
    5. Access control lists (ACLs) that may be downloaded to any Layer 3 device
    6. Device command set authorization
    7. Dynamic quota generation
    8. User and device group profiles
    9. User and administrative access reporting
    10. Network access restrictions
3. New features in Cisco Secure ACS 4.0 for Windows
    1. Network Access Profiles (NAP) – Administrators may classify access requests based on network location, membership in a network device group (NDG), protocol type, or other RADIUS attribute values sent by the NAD the user connects through. AAA policies may be mapped to specific profiles, so that a different access policy applies based on, for instance, wireless access. External policy servers also make it possible to extend Cisco Secure ACS policies.
    2. Extended replication components – Through the improved replication in Cisco Secure ACS 4.0 for Windows, administrators may replicate NAPs and all related configuration, including:
        1. Posture validation settings
        2. AAA clients and hosts
        3. External database configuration
        4. Global authentication configuration
        5. NDGs
        6. Dictionaries
        7. Shared-profile components
        8. Additional logging attributes
    3. EAP-FAST enhanced support – Cisco developed EAP-FAST as a publicly accessible IEEE 802.1x EAP type for customers who cannot enforce a strong password policy and who want to deploy an EAP type that:
        1. requires no digital certificate
        2. supports a variety of user and password database types
        3. supports password expiration and change
        4. is flexible and easy to deploy and manage
        Cisco Secure ACS 4.0 for Windows supports EAP-FASTv1a.
    4. Machine access restrictions (MARs) – An enhancement of Microsoft Windows machine authentication. Users who access the network from a computer that has not passed machine authentication within a configurable length of time are given the authorizations of a user group that you specify, or you may deny them network access; you can configure this to limit authorization as needed. Administrators can use MARs to control authorization of EAP-TLS and Microsoft PEAP users who authenticate against a Microsoft Windows external user database when Microsoft Windows machine authentication is enabled.
    5. Network access filters (NAF) – A new type of shared profile component that gives administrators a flexible way to apply network access restrictions and downloadable ACLs by network device name, NDG, or IP address. When NAFs are applied by IP address, IP address ranges and wildcards may be used. This allows granular application of network access restrictions (NAR) and downloadable ACLs.
    6. Downloadable IP ACLs – Per-user ACL support is extended to any Layer 3 network device that supports downloadable IP ACLs, such as Cisco ASA, Cisco PIX Firewalls, Cisco VPN solutions, and Cisco IOS routers. Sets of ACLs may be defined and applied per user or per group and, together with NAFs, applied differently on a per-device basis, tailoring ACLs per user and per access device. Previously the same access restrictions or ACLs had to be applied to all devices. This works hand in hand with NAC by enforcing the correct ACL policy.
    7. Certificate revocation list (CRL) comparison – An X.509 CRL profile supports certificate revocation in this version of Cisco Secure ACS for Windows.
    8. Improvements to scalability – Cisco Secure ACS 4.0 for Windows supports an industry-standard relational database management system (RDBMS), increasing the number of devices (AAA clients) ten times and the number of users three times over the previous version. Performance has also improved, including significant increases in transactions per second across the full protocol portfolio supported by Cisco Secure ACS.
4. Cisco Secure ACS 4.0 for Windows installation – ports used by Cisco Secure ACS for client communication
    1. RADIUS authentication and authorization – UDP 1645, 1812
    2. RADIUS accounting – UDP 1646, 1813
    3. TACACS+ – TCP 49
    4. Cisco Secure ACS database replication – TCP 2000
    5. RDBMS synchronization – TCP 2000
    6. User-changeable password web application – TCP 2000
    7. Logging – TCP 2001
    8. Administrative HTTP port for new sessions – TCP 2002
    9. Administrative HTTP port range – TCP, configurable
5. Overview of TACACS+ and RADIUS
    1. TACACS+ authentication
        1. Steps in the authentication process with TACACS+
            1. The user requests access
            2. The NAS requests a username prompt from the TACACS+ server
            3. The TACACS+ server provides a username prompt
            4. The NAS prompts the user
            5. The user provides a username
            6. The NAS forwards the username to the TACACS+ server
            7. The NAS requests the password prompt from the TACACS+ server
            8. The TACACS+ server provides a password prompt
            9. The NAS prompts the user for the password
            10. The user submits the password
            11. The NAS forwards the password to the TACACS+ server
            12. The TACACS+ server accepts or rejects the user
        2. The TACACS+ daemon provides the NAS with one of the following responses
            1. ACCEPT – The user is authenticated and service may begin. If the NAS is configured to require authorization, authorization begins at this point.
            2. REJECT – Authentication has failed. Depending on the TACACS+ daemon, the user is either prompted to retry the login sequence or denied further access. A REJECT is final; it does not cause the NAS to try the next method in the method list.
            3. ERROR – An error occurred at some point during the authentication process, either at the daemon or in the network connection between the daemon and the NAS. If an ERROR response is received, the NAS usually attempts to use the next method in the list to authenticate the user.
            4. CONTINUE – The user is prompted for further authentication information before acceptance or rejection.
        3. Authorization, if required, after the user has successfully authenticated
            1. The TACACS+ daemon is contacted again and returns either ACCEPT or REJECT.
            2. If accepted, the response contains attributes that direct the EXEC or NETWORK session for that user and determine which services the user can access.
            3. Services may include:
                1. PPP, SLIP, rlogin, Telnet, or EXEC services
                2. Connection parameters, such as the host or client IP address, ACL, and user timeouts

Command Authorization with TACACS+
1. TACACS+ is the primary protocol for Cisco AAA implementations. It is Cisco proprietary and uses TCP port 49. It supports routers, switches, PIX, and other devices.
2. TACACS+ can be used to upload a per-user ACL and static route to the NAS, as well as a variety of other parameters.
3. A figure in the original text shows what happens when an administrator enters the configure terminal command. The steps are:
    1. The NAS submits an authorization request for the command to the TACACS+ server.
    2. The request is either accepted or denied by TACACS+.
    3. If access is permitted, authorization parameters are sent to the NAS and applied to the user connection.
4. By default TACACS+ establishes a new TCP session for each authorization request; typically each AAA transaction uses a dedicated TCP connection. With per-command authorization this may lead to delays when users enter commands. To improve performance, Cisco Secure ACS supports persistent TCP sessions (single connection). That single session persists as long as the server and network device are operational; it places less load on the server and allows better detection of a break in communication. To realize this benefit, both the Cisco Secure ACS and the router have to be configured for it.

TACACS+ Attributes
1. TACACS+ frequently uses the following attributes for authentication and authorization:
    1. ACL (EXEC authorization) – lists an access class number to be applied to a line
    2. ADDR (SLIP, PPP/IP authorization) – for a SLIP or PPP/IP connection, specifies the IP address of the remote host to be assigned
    3. Addr-pool – specifies the name of a local address pool from which to obtain the address of the remote host
    4. Autocmd – specifies a command to be executed automatically at EXEC startup
    5. CMD (EXEC) – the attribute-value (AV) pair used to start an authorization request for an EXEC command
    6. InACL (PPP/IP, SLIP authorization) – for SLIP or PPP/IP connections, lists an inbound IP ACL
    7. OutACL (PPP/IP, SLIP authorization) – for SLIP or PPP/IP connections, lists an outbound IP ACL
    8. Priv-lvl (EXEC authorization) – an integer between 0 and 15 specifying the current privilege level for command authorization
    9. Route (PPP/IP, SLIP authorization) – specifies a route to be applied to an interface

RADIUS
1. RADIUS was created by the IETF and uses UDP/IP.
2. The four RADIUS message types
    1. Access-Request – contains AV pairs for the username and password (the password is hidden by RADIUS), as well as additional information such as the NAS port
    2. Access-Challenge – used for authentication methods that employ a challenge-based approach, such as Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP), and Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)
    3. Access-Accept – indicates that the user-provided information is correct
    4. Access-Reject – indicates that the user-provided information is incorrect
3. Authentication and authorization with RADIUS
    1. The NAS prompts the client for a username
    2. The client provides a username to the NAS
    3. The NAS prompts the client for a password
    4. The client provides the password
    5. An Access-Request datagram containing all the necessary AV pairs carries the username and password to the RADIUS server
    6. If the information provided is correct, the server responds with an Access-Accept datagram. This message also carries authorization parameters in the form of AV pairs; for instance, the IP address to be assigned. If the information is incorrect, an Access-Reject message is returned and the NAS terminates the connection.
4. RADIUS attributes
    1. About 50 AV pairs are defined by the IETF, and Cisco has added several vendor-specific attributes on the server side. Via the Cisco VSA (IETF attribute 26 with Cisco's vendor ID 9), any authorization request specified in the TACACS+ specification can be sent to an access device through RADIUS. Cisco AV pairs are used by default on Cisco IOS devices, but you can change them to use only standard AV pairs for compatibility reasons.
    2. Commonly used RADIUS AV pairs: User-Name, User-Password (hidden), CHAP-Password, NAS-IP-Address, NAS-Port, Service-Type, Framed-IP-Address
5. Features of RADIUS
    1. RADIUS is RFC 2865
    2. Cisco's RADIUS is RFC 2865 plus IETF attribute 26, the vendor-specific attribute (VSA) for Cisco
    3. Combines authentication and authorization
6. Limitations
    1. Limited security: only the User-Password in the Access-Request is hidden; usernames, NAS details, and the authorization attributes in the reply travel in clear text
    2. The combination of authentication and authorization in one function
7. Comparison of RADIUS and TACACS+
    1. Packet delivery – TACACS+: TCP; RADIUS: UDP
    2. Packet encryption – TACACS+ encrypts the entire body of the packet but leaves a standard TCP header; RADIUS encrypts only the password in the Access-Request packet from the client to the server. In both protocols this "encryption" is an MD5-based obfuscation keyed by the shared secret rather than modern authenticated encryption, so AAA traffic belongs on a dedicated management network or inside an IPsec tunnel.
    3. AAA support – TACACS+ uses the AAA architecture and separates authentication, authorization, and accounting; RADIUS uses the AAA architecture but combines authentication and authorization
    4. Multiprotocol support – TACACS+ supports other protocols, such as AppleTalk, NetBIOS, and IPX; RADIUS: none
    5. Router management – TACACS+ enables network administrators to control which commands can be executed on a router; RADIUS can pass a privilege level down to the router, which can then be used locally for command authorization
    6. Responses – TACACS+ uses multiple-challenge responses for each of the AAA processes; RADIUS uses a single-challenge response

Configuring TACACS+
1. Configuring the network access server (NAS) with TACACS+, CLI steps
    1. Enable AAA globally to allow the use of all AAA elements. This is a prerequisite for all other AAA commands.
        router(config)# aaa new-model
    2. Specify which Cisco Secure ACS will provide AAA services for the NAS.
        router(config)# tacacs-server host 192.168.10.75 single-connection
    3. Configure an encryption key to protect the data transfer between the NAS and the Cisco Secure ACS.
        router(config)# tacacs-server key shared1
2. Commonly used AAA configuration commands
    1. aaa new-model – enables AAA on the router; a prerequisite for all other AAA commands
    2. tacacs-server host ip-address single-connection – indicates the address of the Cisco Secure ACS server (contacted on TCP port 49, the default) and specifies use of the TCP single-connection feature of Cisco Secure ACS. Performance is improved by maintaining a single TCP connection for the life of the session between the NAS and the Cisco Secure ACS server, rather than opening and closing a TCP connection for each transaction.
    3. tacacs-server key key – establishes the shared secret encryption key between the NAS and the Cisco Secure ACS server

Using the CLI to Configure AAA Login Authentication on Cisco Routers
1. To enable the AAA authentication process to secure logging into the Cisco IOS device:
    aaa authentication login {default | list-name} group {group-name | radius | tacacs+} [method2 [method3 [method4]]]
2. Parameters
    1. default – creates a default that is automatically applied to all lines and interfaces, specifying the method or sequence of methods used for authentication
    2. list-name – creates a list (you choose the name) that is applied explicitly to a line or interface using the method or methods specified. This list overrides the default when applied to a specific line or interface.
    3. group group-name, group radius, group tacacs+ – the group-name string specifies a predefined group of RADIUS or TACACS+ servers (created with the aaa group server radius or aaa group server tacacs+ command); group radius and group tacacs+ refer to all previously defined RADIUS or TACACS+ servers
    4. method2, method3, method4 – executed in the order listed. If an error (such as a timeout) is returned by a method, the Cisco IOS software attempts the next method; if authentication fails, access is denied without trying the remaining methods. Up to four methods may be configured for each operation, and each must be supported by the authentication operation specified.
3. General list of methods
    1. enable – the enable password is used for authentication
    2. group group-name – a predefined server group is used
    3. krb5 – Kerberos version 5 is used for authentication
    4. line – the line password is used for authentication
    5. local – the local username and password database is used for authentication
    6. local-case – case-sensitive local username authentication
    7. none – no authentication is used
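An added example, not configuration from the original chapter, that puts the TACACS+ NAS commands and the login method-list syntax above together on one router: a named TACACS+ server group with single-connection for administrative access (login, enable, command authorization and accounting), and a RADIUS group on the ports from the Cisco Secure ACS port table for PPP network access, since RADIUS cannot authorize individual commands. Every address, key, group name and account is an assumption; the local account and the enable secret are reached only when both servers return an error.

```cisco
aaa new-model
!
! Fallback credentials, used only when the servers are unreachable (ERROR).
! A REJECT from a server is final and never falls through to these.
enable secret Pr1v-Exec-Passphrase
username localadmin privilege 15 secret L0cal-Fallback
!
! TACACS+ servers for administrative access (assumed addresses)
tacacs-server host 10.1.1.10 single-connection
tacacs-server host 10.1.1.11 single-connection
tacacs-server key Tac-Sh4red-Secret
tacacs-server timeout 3
aaa group server tacacs+ ACS-ADMIN
 server 10.1.1.10
 server 10.1.1.11
!
! RADIUS server for network (PPP) access on the IANA ports 1812/1813
! (assumed address; ACS also listens on the legacy 1645/1646)
radius-server host 10.1.1.20 auth-port 1812 acct-port 1813 key Rad-Sh4red-Secret
aaa group server radius ACS-NET
 server 10.1.1.20 auth-port 1812 acct-port 1813
!
! Administrative access: TACACS+ first, local methods only on ERROR
aaa authentication login default group ACS-ADMIN local
aaa authentication enable default group ACS-ADMIN enable
aaa authorization exec default group ACS-ADMIN local
aaa authorization commands 15 default group ACS-ADMIN local
aaa accounting exec default start-stop group ACS-ADMIN
aaa accounting commands 15 default stop-only group ACS-ADMIN
!
! Network access: RADIUS authenticates PPP peers, accounting to the same group
aaa authentication ppp dial-in group ACS-NET
aaa accounting network default start-stop group ACS-NET
interface Serial3/0
 encapsulation ppp
 ppp authentication chap dial-in
!
! Verification, before closing the console session:
!   show tacacs                 state and counters per TACACS+ server
!   show aaa servers            the same view for RADIUS and TACACS+
!   test aaa group ACS-ADMIN netadmin Adm1n-Passphrase legacy
!   debug aaa authentication    watch the method list being walked
```

The split is deliberate: command authorization and per-command accounting need TACACS+, while PPP peers only need an accept/reject plus a few Framed-* attributes, which is what RADIUS does well. The local fallback after a named group is what keeps the router reachable when the AAA servers are down, and the absence of none anywhere is what keeps it from becoming reachable to everyone in that situation.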