CCNP ENARSI 300-410 Exam Cram Notes

3.0 Infrastructure Security

3.1 Troubleshoot device security using IOS AAA (TACACS+, RADIUS, local database)

The syntax for a method list is as follows:

aaa type {default | list-name} method-1 [method-2 method-3 method-4]

Given the AAA command:

aaa authentication login default group radius local

In the above command:

1. AAA type is authentication login
2. The named list is the default one (default).
3. There are two authentication methods (group radius and local).

All users are authenticated against the RADIUS server group first. The router moves on to the second method (the local database) only if no RADIUS server responds at all (an ERROR, for example when the servers are unreachable). If a RADIUS server answers with a reject (a FAIL), the login is denied and the local database is never consulted. This rule applies to every method list: the next method is tried on ERROR, never on FAIL. For local authentication, define the username and password: username xxx password yyy (prefer username xxx secret yyy, which stores a one-way hash instead of a cleartext or trivially reversible type 7 password).

Because we are using the list default in the aaa authentication login command, login authentication is automatically applied to every line (tty, vty, console and aux) that does not have a named list applied to it.

The command: aaa authentication login CONSOLE line

In the above command:

i) The named list is CONSOLE.
ii) There is only one authentication method (line).

Once a named list (in this example, CONSOLE) is created, it must be applied to a line for it to take effect. This is done with the login authentication list-name command under the line:

line con 0
exec-timeout 0 0
password cisco
login authentication CONSOLE

You need to enter the password "cisco" (configured on line con 0) to get console access, because the line method checks the line password rather than a username. Lines without a named list use the default list, if one is configured (here: tty, vty and aux). Note that exec-timeout 0 0 disables the idle timeout on the console; that is convenient in a lab, but it leaves an unattended console session open indefinitely, so keep a timeout in production.

Without aaa new-model, a line authenticates with login (line password) or login local (local username database). Once aaa new-model is configured, those line commands are replaced by login authentication {default | list-name}, and it is the methods in that list (local, line, enable, none, group radius, group tacacs+) that decide where the credentials are checked.

The following are the important features of RADIUS:

1. Open standard (RFC 2865 for authentication/authorization, RFC 2866 for accounting) and widely supported. TACACS+ originated at Cisco and was proprietary for a long time; it is now documented in RFC 8907 and is also well supported.

2. Uses UDP: port 1812 for authentication/authorization and 1813 for accounting. The older 1645/1646 pair is still the default on Cisco IOS, so check that the router and the server agree on the ports.

3. Provides more detailed accounting than TACACS+, which is the usual reason RADIUS is preferred for network access (802.1X, VPN) and TACACS+ for device administration.

4. Only the User-Password attribute is hidden in packets between the RADIUS server and the client (any device acting as client, such as a router, a switch or a host). The username and every other attribute are cleartext, and the hiding is an MD5 keystream derived from the shared secret and the Request Authenticator, not real encryption. TACACS+ obfuscates the whole packet body (also MD5-based) and leaves only the header in the clear. Neither protocol survives a captured shared secret, so carry both over a dedicated management network, IPsec, or RADIUS over TLS (RadSec, RFC 6614).

5. Diameter (RFC 6733) is the designated successor to RADIUS; it is used mainly in mobile and telecom core networks, not for device administration.

Example: creating a method list that uses only the local database.

R1(config)# aaa authentication login AUTHLIST local

Applying the method list to VTY lines 0-4:

R1(config)# line vty 0 4
R1(config-line)# login authentication AUTHLIST
R1(config-line)# exit

With respect to the command test aaa group tacacs+ admin Frisco123 legacy (syntax: test aaa group {group-name | radius | tacacs+} username password {legacy | new-code}), the following are true:

a. It verifies that authentication from the router to the ACS server works end to end, which also confirms that the server is reachable and that the shared key matches.

b. admin and Frisco123 are the username and password of a test account defined on the ACS server. Frisco123 is not the shared secret; the shared secret is configured separately with the key command under tacacs server (or tacacs-server host).

c. tacacs+ is the server group: the built-in group that contains every configured TACACS+ server (a named group created with aaa group server tacacs+ can be given instead).

d. legacy selects the older test implementation; new-code is the newer one and also reports the attributes the server returns.

The sequence of steps in creating and applying a method list on a router is:

a. Enable AAA (aaa new-model).

b. Create method lists for authentication. You may list up to four methods. A later method is consulted only when the previous one returns an error (for example, no server in the group responded); a rejected login (wrong credentials) ends the list with a failure and never falls through to local.

c. Apply the method lists per line (a line without a named list uses the default list).

Typical configuration commands for enabling AAA, creating a method list AUTHLIST, and applying it to the vty lines are given below. As soon as aaa new-model is entered, every line is authenticated with the default list, which is local authentication until you configure otherwise; define at least one local user (username ... secret ...) before enabling it, or you can lock yourself out of the vty lines.

Frisco(config)# aaa new-model
Frisco(config)# aaa authentication login AUTHLIST local
Frisco(config)# line vty 0 4
Frisco(config-line)# login authentication AUTHLIST
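As an added example for these notes (not Cisco code, and not a model of any real IOS implementation), the following Python parses the aaa authentication login command syntax shown above into a method list and then walks it with the rule that matters in practice: a method that returns FAIL (a server answered and rejected the credentials) ends the list, while only ERROR (no server answered) moves to the next method. The user stores are constructed sample data; the same account deliberately has different passwords locally and on the RADIUS side so the result reveals which method actually answered.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def _h(pw: str) -> str:
    """Stand-in for the one-way hash that a 'username ... secret' line stores."""
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample data (not from the page): the router's local database and
# the user store behind the RADIUS server group.
LOCAL_USERS: Dict[str, str] = {"admin": _h("LocalOnly1")}
RADIUS_USERS: Dict[str, str] = {"admin": _h("Frisco123"), "ops": _h("Ops2024")}


def method_local(user: str, pw: str, state: dict) -> str:
    """'local' can only PASS or FAIL; it never returns ERROR."""
    stored = LOCAL_USERS.get(user)
    return PASS if stored is not None and stored == _h(pw) else FAIL


def method_group_radius(user: str, pw: str, state: dict) -> str:
    """'group radius': ERROR when no server answers, FAIL on an Access-Reject."""
    if not state.get("radius_up", True):
        return ERROR
    stored = RADIUS_USERS.get(user)
    return PASS if stored is not None and stored == _h(pw) else FAIL


def method_none(user: str, pw: str, state: dict) -> str:
    """'none': no authentication at all, always PASS."""
    return PASS


METHODS: Dict[str, Callable[[str, str, dict], str]] = {
    "group radius": method_group_radius,
    "local": method_local,
    "none": method_none,
}


def parse_login_list(cmd: str) -> Tuple[str, List[str]]:
    """Parse 'aaa authentication login <default|name> <method> ...'.
    The keyword 'group' consumes the following token as the server-group name."""
    tok = cmd.split()
    if tok[:3] != ["aaa", "authentication", "login"] or len(tok) < 5:
        raise ValueError("expected: aaa authentication login <list> <method> ...")
    name, rest, methods = tok[3], tok[4:], []
    while rest:
        if rest[0] == "group":
            if len(rest) < 2:
                raise ValueError("'group' needs a server-group name")
            methods.append("group " + rest[1])
            rest = rest[2:]
        else:
            methods.append(rest[0])
            rest = rest[1:]
    if len(methods) > 4:
        raise ValueError("IOS allows at most four methods per list")
    return name, methods


def authenticate(methods: List[str], user: str, pw: str, state: dict) -> str:
    """Walk the list: PASS or FAIL from any method is final; only ERROR moves on.
    If every method errors out the login is denied (ERROR), which is exactly how
    an administrator gets locked out when the only method is an unreachable group."""
    result = ERROR
    for name in methods:
        result = METHODS[name](user, pw, state)
        if result != ERROR:
            break
    return result


if __name__ == "__main__":
    name, methods = parse_login_list("aaa authentication login default group radius local")
    for servers_up in (True, False):
        state = {"radius_up": servers_up}
        print(name, methods, "radius up" if servers_up else "radius down",
              "local password ->", authenticate(methods, "admin", "LocalOnly1", state))
```

Two cases are worth trying: a list containing only group radius with the servers down returns ERROR for everyone, and a list ending in none turns any server outage into open access. Both are reasons to keep local as the last method and to protect the local credentials accordingly.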

i. Granular control: TACACS+ keeps authentication, authorization and accounting as separate exchanges (RADIUS bundles authentication and authorization into one reply). This allows a different authentication source while TACACS+ still handles authorization and accounting; for example, Kerberos authentication with TACACS+ authorization and accounting. It also permits per-command authorization, which is why TACACS+ is the usual choice for device administration.

ii. TACACS+ obfuscates the entire body of the packet with an MD5-derived pad (keyed by the session ID, the shared key, the version and the sequence number) but sends the 12-byte header (version, type, sequence number, flags, session ID, length) in cleartext. If the unencrypted flag is set in the header, the body is cleartext as well.

iii. TACACS+ is a Cisco-originated protocol (now published as RFC 8907) and is widely supported by vendors offering AAA servers. RADIUS is an open standard and widely supported too.

iv. TACACS+ uses TCP port 49 for all communication between the server and the client.
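As an added example for these notes (not from the page, from Cisco, or from any TACACS+ implementation), the following Python builds a TACACS+ authentication START packet and applies the body obfuscation from RFC 8907 section 4.5, then parses it back as a server would. The session ID, shared key, username and password are constructed values. It shows that the 12-byte header stays readable while neither the username nor the password is visible in the obfuscated body, and that the unencrypted flag removes even that protection.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC1            # major 0xC, minor 1 (minor version 1 is used with PAP)
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: pad_1 = MD5(session_id, key, version, seq_no),
    pad_n = MD5(session_id, key, version, seq_no, pad_n-1); concatenated and
    truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it a second time reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str, rem_addr: str, password: str) -> bytes:
    """Authentication START, PAP style: action LOGIN(1), priv_lvl 1, authen_type
    PAP(2), authen_service LOGIN(1), four length octets, then user, port,
    rem_addr and data (the password)."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    return struct.pack("!8B", 1, 1, 2, 1, len(u), len(p), len(r), len(d)) + u + p + r + d


def build_packet(session_id: int, key: bytes, seq_no: int, body: bytes,
                 unencrypted: bool = False) -> bytes:
    """The header is always cleartext; the body is obfuscated unless the flag is set."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    payload = body if unencrypted else obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    return HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body)) + payload


def parse_packet(packet: bytes, key: bytes) -> tuple:
    """Return (header dict, cleartext body), which is what the server side does."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if len(packet) != HEADER.size + length:
        raise ValueError("length field does not match packet")
    body = packet[HEADER.size:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    hdr = {"version": version, "type": ptype, "seq_no": seq_no,
           "flags": flags, "session_id": session_id, "length": length}
    return hdr, body


if __name__ == "__main__":
    # Constructed sample values
    body = authen_start_body("admin", "tty0", "10.0.0.5", "Frisco123")
    pkt = build_packet(0x1234ABCD, b"sharedkey", 1, body)
    print("header:", parse_packet(pkt, b"sharedkey")[0])
    print("username visible on the wire:", b"admin" in pkt)
```

Because the pad is a pure function of the header fields and the shared key, an attacker with a capture and the key reads every exchange, and the header alone already leaks session IDs and packet types; as with RADIUS, the transport between device and server should still be a protected management path.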
