
What are AAA Method Lists and IOS commands for creating AAA Method Lists in Cisco Router or Switch

An AAA Method List assigns an ordered list of methods for Authentication, Authorization or Accounting. The order matters: if the authentication service is not available, or was not successful, with the first method, the second method is used, and so on.

For user logins on the console line, you may need to configure the Cisco Router or Switch so that the "login" process requires authentication and instruct it to use the local user database. If authentication against the local user database fails, it then tries authentication from Cisco Secure ACS using the TACACS+ or RADIUS authentication protocol.

Cisco IOS CLI command syntax for creating an AAA method list is shown below.

aaa [ authentication | authorization | accounting ] <process> { <list-name> | default } { local | group (group-name | radius | tacacs ) } [methods]

AAA Authentication Method Lists

Cisco IOS CLI command syntax for creating an AAA Authentication Method List is shown below.

aaa authentication <process> { <list-name> | default } { local | group (group-name | radius | tacacs ) } [methods]

Detailed explanation of the options of the Cisco IOS command for creating an AAA Authentication Method List is shown below.

default
    The "default" keyword creates the default method list, which is applied to all lines and interfaces that have no other list applied.

list-name
    A user-defined list name creates a named method list that you may require for a specific line or interface. When this list is applied to a line or interface, it overrides the default method list.

group group-name
    "group group-name" specifies a group of RADIUS or TACACS+ servers for authentication. A group of RADIUS or TACACS+ servers is created with the "aaa group server radius" or "aaa group server tacacs+" Cisco IOS CLI command.

group radius
    "group radius" specifies the RADIUS server(s).

group tacacs+
    "group tacacs+" specifies the TACACS+ server(s).

methods
    "methods" specifies the order of authentication methods. If the authentication service is not available from the first method, the second method is used, and so on. The available methods are enable (enable password/secret), group (server group), krb5 (Kerberos authentication), line (line console or line vty password), local (local username database) and none (no authentication, meaning the user is admitted without any authentication check).
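The login scenario described above (local database first, then a TACACS+ server group on Cisco Secure ACS) as a complete IOS configuration. This is an added example, not configuration from the original page; the hostnames, the 192.0.2.10 address, the list names CONSOLE-AUTH and ACS-SERVERS, and the angle-bracket placeholders for secrets are all assumptions. "login" is the <process> value used for line logins.

```cisco
! Added example (not from the original page). Names, addresses and the
! <...> placeholders are assumptions; replace them with your own values.
aaa new-model
!
! Local fallback account, used when the ACS servers return an error
username admin privilege 15 secret <strong-password-placeholder>
!
! TACACS+ server definition and the server group that method lists refer to
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key <tacacs-shared-secret-placeholder>
!
aaa group server tacacs+ ACS-SERVERS
 server name ACS-PRIMARY
!
! Default login list: applied to every line that has no named list.
! Methods are tried in order: local database, then the TACACS+ group.
aaa authentication login default local group ACS-SERVERS
!
! Named login list for the console: local database only, so the console
! stays usable even when the network and the ACS servers are unreachable.
aaa authentication login CONSOLE-AUTH local
!
line con 0
 login authentication CONSOLE-AUTH
!
line vty 0 4
 login authentication default
```

Two points worth checking before relying on this. First, IOS moves to the next method in a list only when the current method returns an error (server unreachable, or no username configured in the local database); a method that actively rejects the credentials ends the attempt, so "local group ACS-SERVERS" does not let a user who fails the local check retry against ACS. Second, verify the server path from the device before applying the lists to the vty lines, for example with "test aaa group ACS-SERVERS <user> <password> legacy" and "show aaa servers", and keep an open session while you apply the change so a typo in a list name cannot lock you out.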

AAA Authorization Method Lists

Cisco IOS CLI command syntax for creating an AAA Authorization Method List is shown below.

aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [methods]

Detailed explanation of the options of the Cisco IOS command for creating an AAA Authorization Method List is shown below.

network
    Authorization for SLIP, PPP etc.

exec
    Privilege EXEC shell authorization.

commands
    Authorization for commands at a Privilege Level.

level
    Specifies the Privilege Level (1-15).

reverse-access
    Authorization for reverse access connections.

default
    The "default" keyword creates the default method list, which is applied to all lines and interfaces that have no other list applied.

list-name
    A user-defined list name creates a named method list that you may require for a specific line or interface. When this list is applied to a line or interface, it overrides the default method list.

group group-name
    "group group-name" specifies a group of RADIUS or TACACS+ servers for authorization. A group of RADIUS or TACACS+ servers is created with the "aaa group server radius" or "aaa group server tacacs+" Cisco IOS CLI command.

group radius
    "group radius" specifies the RADIUS server(s).

group tacacs+
    "group tacacs+" specifies the TACACS+ server(s).

methods
    "methods" specifies the order of methods. If the service is not available from the first method, the second method is used, and so on. The available methods are enable (enable password/secret), group (server group), krb5 (Kerberos authentication), line (line console or line vty password), local (local username database) and none (no check, meaning the request is permitted without any authorization check).

AAA Accounting Method Lists

Cisco IOS CLI command syntax for creating an AAA Accounting Method List is shown below.

aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name

Detailed explanation of the options of the Cisco IOS command for creating an AAA Accounting Method List is shown below.

auth-proxy
    Accounting for authentication-proxy user events.

system
    Accounting for all system-level events.

network
    Accounting for SLIP, PPP etc.

exec
    Privilege EXEC shell accounting.

connection
    Accounting for all outbound connections made from a network access server.

commands level
    Accounting for commands at a Privilege Level (1-15).

default
    The "default" keyword creates the default accounting Method List.

list-name
    A user-defined list name creates a named accounting Method List.

start-stop
    The accounting record is sent as soon as a session begins (a start record), and again when it ends (a stop record).

stop-only
    The accounting record is sent only when the session ends.

group tacacs+
    "group tacacs+" specifies the TACACS+ server(s).

broadcast
    The "broadcast" option allows the AAA accounting records to be sent to multiple AAA servers.
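The authorization and accounting lists from the two sections above, combined into one IOS configuration that sends EXEC and privilege-15 command authorization to a TACACS+ group and records start-stop accounting for the same sessions. This is an added example, not configuration from the original page; it assumes "aaa new-model" and a TACACS+ server group named ACS-SERVERS (created with "aaa group server tacacs+") already exist, and the list name CONSOLE-AUTHZ is an assumption. The "if-authenticated" method used on the console is a standard IOS authorization method that the page's tables do not list.

```cisco
! Added example (not from the original page). Assumes aaa new-model and a
! TACACS+ server group ACS-SERVERS are already configured; names are assumptions.
!
! Authorization: may the user start an EXEC shell, and which privilege-15
! commands may they run. The ACS group is asked first; "local" is only the
! fallback when the group returns an error (e.g. all servers unreachable).
aaa authorization exec default group ACS-SERVERS local
aaa authorization commands 15 default group ACS-SERVERS local
!
! Named EXEC authorization list for the console that needs no server:
! "if-authenticated" permits any user who has already passed login.
aaa authorization exec CONSOLE-AUTHZ if-authenticated
!
! IOS does not apply authorization to the console unless this is set.
aaa authorization console
!
! Accounting: start and stop records for EXEC sessions (start-stop), and one
! record per privilege-15 command once it completes (stop-only).
aaa accounting exec default start-stop group ACS-SERVERS
aaa accounting commands 15 default stop-only group ACS-SERVERS
!
! Apply the lists to the lines. Named lists override "default" where applied.
line con 0
 authorization exec CONSOLE-AUTHZ
!
line vty 0 4
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
```

Command authorization and command accounting are per privilege level: a list created with "commands 15" has no effect on level-1 commands, so add a "commands 1" list as well if unprivileged sessions should be authorized or audited. The command accounting records are what give you an audit trail of exactly which configuration commands each administrator entered, which is the detection value of this configuration; confirm records are arriving on the ACS side with a test login before widening the rollout, and keep a local fallback in the authorization lists so an ACS outage degrades to local control rather than to no shell at all.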
