What are AAA Method Lists and IOS commands for creating AAA Method Lists in Cisco Router or Switch
AAA Method Lists can be used to assign a list of methods for Authentication, Authorization, Accounting. Methods Lists can be used to specify the order. If authentication service is not available or was not successful from the first method, second method can be used and so on.
For user logins to line console, you may need to configure the Cisco Router or Switch in such a way that the "login" process require an authentication and instruct the Cisco Router or Switch to use the local user database. If the local user database authentication failed, then try authentication from Cisco Secure ACS using TACACS+ or RADIUS authentication protocol.
Cisco IOS CLI command syntax for creating a AAA method list is shown below.
aaa [ authentication | authorization | accounting ] <process> { <list-name> | default } { local | group (group-name | radius | tacacs ) } [methods]
AAA Authentication Method Lists
Cisco IOS CLI command syntax for creating a AAA Authentication method list is shown below.
aaa authentication <process> { <list-name> | default } { local | group (group-name | radius | tacacs ) } [methods]
Detailed explanation of the Cisco IOS command for creating AAA Authentication Method list is shown below.
| Command Options | Description |
|---|---|
| default | "default" keyword can be used to create a default method list which is applied to all lines and interfaces as default. |
| list-name | "list-name" option can be used to create a user defined list which you may required for a specific line or interface. When this list is applied to a line or interface, it will override the default method list. |
| group group-name | "group group-name" can be used to specify a group of RADIUS or TACACS+ servers for authentication. A group of RADIUS or TACACS+ servers can be created with the "aaa group server radius" or "aaa group server tacacs+" Cisco IOS CLI command. |
| group-name radius | group-name radius can be used to specify a RADIUS server |
| group-name tacacs+ | group-name tacacs+ can be used to specify a TACACS+ server |
| methods | "methods" can be used to specify the order of authentication methods. If authentication service is not available from the first method, second method is used and so on. The available methods are enable (enable password/secret), group(server-group), krb5 (Kerberos authentication), line (line console or line vty passwords), local (local username database), none (no authentication, means that you can enter without any authentication check) |
AAA Authorization Method Lists
Cisco IOS CLI command syntax for creating a AAA Authorization Method List is shown below.
aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [methods]
Detailed explanation of the Cisco IOS command for creating AAA Authorization Method list is shown below.
| Command Options | Description |
|---|---|
| network | authorization for SLIP, PPP etc. |
| exec | privilege EXEC shell authorization. |
| commands | authorization for commands for a Privilege Level. |
| level | to specify a Privilege Level (1-15) |
| reverse-
access |
authorization for reverse access connections |
| default | "default" keyword can be used to create a default method list which is applied to all lines and interfaces as default. |
| list-name | "list-name" option can be used to create a user defined list which you may required for a specific line or interface. When this list is applied to a line or interface, it will override the default method list. |
| group group-name | "group group-name" can be used to specify a group of RADIUS or TACACS+ servers for authentication. A group of RADIUS or TACACS+ servers can be created with the "aaa group server radius" or "aaa group server tacacs+" Cisco IOS CLI command. |
| group-name radius | group-name radius can be used to specify a RADIUS server |
| group-name tacacs+ | group-name tacacs+ can be used to specify a TACACS+ server |
| methods | "methods" can be used to specify the order of authentication methods. If authentication service is not available from the first method, second method is used and so on. The available methods are enable (enable password/secret), group(server-group), krb5 (Kerberos authentication), line (line console or line vty passwords), local (local username database), none (no authentication, means that you can enter without any authentication check) |
AAA Accounting Method Lists
Cisco IOS CLI command syntax for creating a AAA Accounting Method List is shown below.
aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name
Detailed explanation of the Cisco IOS command for creating AAA Accounting Method list is shown below.
| Command Options | Description |
|---|---|
| auth-proxy | authenticated-proxy user events. |
| system | accounting for all system-level events |
| network | accounting for SLIP, PPP etc. |
| exec | privilege EXEC shell accounting. |
| connection | accounting for all outbound connections made from a network access server |
| commands | accounting for commands for a Privilege Level (1-15) |
| default | "default"accounting Method List |
| list-name | "list-name" option can be used to create a user defined list with a name |
| start-stop | If this option is selected, the accounting record is sent as soon as a session begins. |
| stop-only | If this option is selected, the accounting record is sent only when the session ends. |
| group-name tacacs+ | group-name tacacs+ can be used to specify a TACACS+ server |
| broadcast | broadcast option allows to send AAA accounting records to multiple AAA servers. |