Configuration Examples

PPP Authentication, Authorization, and Accounting Using RADIUS

Example 8-3 shows how to configure PPP authentication, authorization, and accounting using the RADIUS protocol. In this example, a default method list (the default keyword) is used for all services and is therefore applied to all interfaces without any per-interface configuration. The if-needed keyword in the authentication command indicates that if the user has already authenticated by going through the ASCII login procedure, PPP authentication is not necessary and is skipped. The if-authenticated keyword in the authorization command indicates that users are given access to the requested services only if they have been authenticated first.

Example 8-3. Configuring PPP Authentication, Authorization, and Accounting Using RADIUS

aaa new-model
aaa authentication ppp default if-needed group radius
aaa authorization network default group radius if-authenticated
aaa accounting network default start-stop group radius
!
radius-server host 10.1.1.1
radius-server key cisco

Login Authentication and Command Authorization and Accounting Using TACACS+

Example 8-4 shows how to configure login authentication and command authorization and accounting using the TACACS+ protocol. In this example, named method lists are used and explicitly applied to the VTY lines only. Authorization and accounting are also enabled for all IOS EXEC commands at privilege levels 1 and 15. The example also shows a fallback method to the local router database (the local keyword), used in the event of an ERROR response, that is, when the AAA server does not respond to the authentication and authorization requests.

Example 8-4. Configuring Login Authentication and Command Authorization and Accounting Using TACACS+

username cisco password cisco
!
aaa new-model
aaa authentication login myauthen group tacacs+ local
aaa authorization commands 1 yusuf1 group tacacs+ local
aaa authorization commands 15 yusuf15 group tacacs+ local
aaa accounting commands 1 yusuf1 start-stop group tacacs+
aaa accounting commands 15 yusuf15 start-stop group tacacs+
!
tacacs-server host 10.1.1.1
tacacs-server key cisco
!
line vty 0 4
login authentication myauthen
authorization commands 1 yusuf1
authorization commands 15 yusuf15
accounting commands 1 yusuf1
accounting commands 15 yusuf15
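Named method lists are only effective when the name applied under a line matches a list defined for the same service and privilege level; a one-character slip (for example, applying a privilege-1 list to the privilege-15 command set) is easy to miss in a long configuration. The following Python script is an added example, not part of the page or Cisco's own tooling: it parses the aaa authentication, authorization, and accounting definitions from a running-config, resolves every reference under a line stanza, and also flags authentication/authorization lists whose last method is a remote server group, since such a list has no fallback when the server returns an ERROR. SAMPLE_CONFIG is a constructed configuration in the style of Example 8-4 with one deliberate mismatch on the privilege-15 authorization line; the regular expressions cover the command shapes shown on this page and are an assumption for any others.

```python
"""Audit AAA method-list wiring in a Cisco IOS configuration (added example)."""
import re
from collections import namedtuple

MethodList = namedtuple("MethodList", "kind service level name methods")

# aaa <kind> <service> [<level>] <list-name> <modifiers and methods...>
DEF_RE = re.compile(
    r"^aaa (?P<kind>authentication|authorization|accounting) "
    r"(?P<service>\S+)(?: (?P<level>\d+))? (?P<name>\S+) (?P<rest>.+)$"
)
# References applied under a `line` stanza.
LOGIN_REF_RE = re.compile(r"^login authentication (?P<name>\S+)$")
REF_RE = re.compile(
    r"^(?P<kind>authorization|accounting) (?P<service>\S+)(?: (?P<level>\d+))? (?P<name>\S+)$"
)
# Keywords that modify a list but are not methods themselves.
MODIFIERS = {"if-needed", "start-stop", "stop-only", "wait-start", "broadcast"}

# Constructed sample (not the page's config): privilege-15 authorization
# points at the privilege-1 list by mistake.
SAMPLE_CONFIG = """\
username cisco password cisco
!
aaa new-model
aaa authentication login myauthen group tacacs+ local
aaa authorization commands 1 yusuf1 group tacacs+ local
aaa authorization commands 15 yusuf15 group tacacs+ local
aaa accounting commands 1 yusuf1 start-stop group tacacs+
aaa accounting commands 15 yusuf15 start-stop group tacacs+
!
tacacs-server host 10.1.1.1
tacacs-server key cisco
!
line vty 0 4
 login authentication myauthen
 authorization commands 1 yusuf1
 authorization commands 15 yusuf1
 accounting commands 1 yusuf1
 accounting commands 15 yusuf15
"""


def parse_methods(rest):
    """Turn 'if-needed group radius local' into ['group radius', 'local']."""
    tokens, methods, i = rest.split(), [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        elif tok in MODIFIERS:
            i += 1
        else:
            methods.append(tok)
            i += 1
    return methods


def parse_config(text):
    """Return ({(kind, service, level, name): MethodList}, [(line stanza, key)])."""
    definitions, references, current_line = {}, [], None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        m = DEF_RE.match(stripped)
        if m:
            level = int(m["level"]) if m["level"] else None
            ml = MethodList(m["kind"], m["service"], level, m["name"], parse_methods(m["rest"]))
            definitions[(ml.kind, ml.service, ml.level, ml.name)] = ml
            current_line = None
            continue
        if stripped.startswith("line "):
            current_line = stripped
            continue
        m = LOGIN_REF_RE.match(stripped)
        if m and current_line:
            references.append((current_line, ("authentication", "login", None, m["name"])))
            continue
        m = REF_RE.match(stripped)
        if m and current_line:
            level = int(m["level"]) if m["level"] else None
            references.append((current_line, (m["kind"], m["service"], level, m["name"])))
            continue
        if not raw[:1].isspace():
            current_line = None  # another top-level command ends the line stanza
    return definitions, references


def audit(text):
    """Return a list of human-readable findings (empty when the wiring is consistent)."""
    definitions, references = parse_config(text)
    findings = []
    for line_name, key in references:
        kind, service, level, name = key
        if key in definitions:
            continue
        where = f"{kind} {service}" + (f" {level}" if level is not None else "")
        # Same name defined at another level is the classic copy-paste slip.
        elsewhere = [d.level for d in definitions.values()
                     if (d.kind, d.service, d.name) == (kind, service, name)]
        hint = f" (defined for level {elsewhere[0]})" if elsewhere else ""
        findings.append(f"{line_name}: '{where} {name}' references an undefined method list{hint}")
    for d in definitions.values():
        # Accounting has no local method, so only check authentication/authorization.
        if d.kind in ("authentication", "authorization") and d.methods and d.methods[-1].startswith("group "):
            findings.append(f"aaa {d.kind} {d.service} {d.name}: last method is '{d.methods[-1]}', "
                            "no fallback if the server does not respond")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample, the audit reports the privilege-15 reference as undefined and notes that the same name exists for level 1; correcting it to yusuf15 yields no findings. Fed the Example 8-3 style of configuration, it reports that the default PPP authentication list ends in group radius with no local fallback, which is exactly the trade-off the text describes between the two examples.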

Login Authentication with Password Retry Lockout

Example 8-5 shows how to configure the login password retry lockout feature, which allows system administrators to lock out a local user account after a specified number of unsuccessful login attempts. This feature is available for local authentication only.

In the example, the maximum number of failed login attempts is set to 3.

Example 8-5. Configuring Login Authentication Password Retry Lockout Feature

username test password test123
username admin privilege 15 password cisco
!
aaa new-model
aaa local authentication attempts max-fail 3
aaa authentication login default local

Caution

A drawback of this feature is that it has no way to distinguish between an attacker using brute force and a legitimate authorized user who is entering the password incorrectly multiple times. Hence, a potential DoS attack is possible: an attacker who knows the username of an authorized user could lock that user out.


When a user is locked out, only the system administrator can unlock the user to resume normal service. To unlock a locked-out user, use the clear aaa local user lockout {username username | all} command from privileged EXEC mode.

To monitor and display a list of locked-out users, use the show aaa local user locked command.

Note

A user configured with the maximum privilege (privilege level 15) is deemed a system administrator account and cannot be locked out by this feature. The feature applies to any login authentication method, such as character-based ASCII logins, CHAP, and PAP.

The login password retry lockout feature was integrated into Cisco IOS Release 12.3(14)T. Use the Feature Navigator tool to check platform support and corresponding Cisco IOS Software image at http://www.cisco.com/go/fn.
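The lockout rules above (per-user failure count, lockout at max-fail, privilege-15 exemption, unlock only via clear aaa local user lockout) are simple enough to encode as a state model, which makes the Caution concrete: once the counter reaches max-fail, even the correct password is refused until an administrator clears the lock. The following Python class is an added example, not part of the page and not Cisco's implementation; it mirrors the documented behaviour with constructed users in the style of Example 8-5. That a successful login resets the failure counter, and that usernames not in the local database are not tracked, are assumptions of this model.

```python
"""State model of the IOS local login password-retry lockout (added example)."""


class LocalUserDatabase:
    def __init__(self, max_fail):
        self.max_fail = max_fail      # aaa local authentication attempts max-fail N
        self.users = {}               # name -> (password, privilege level)
        self.failures = {}            # name -> consecutive failed attempts
        self.locked = set()

    def add_user(self, name, password, privilege=1):
        """Equivalent of `username <name> [privilege <n>] password <password>`."""
        self.users[name] = (password, privilege)
        self.failures[name] = 0

    def login(self, name, password):
        """Return 'locked', 'success' or 'failure' for one local login attempt."""
        if name in self.locked:
            return "locked"           # correct or not, the account stays refused
        if name not in self.users:
            return "failure"          # assumption: unknown names are not counted
        stored_password, privilege = self.users[name]
        if password == stored_password:
            self.failures[name] = 0   # assumption: success resets the counter
            return "success"
        self.failures[name] += 1
        # Privilege-15 accounts are administrators and are never locked out.
        if privilege != 15 and self.failures[name] >= self.max_fail:
            self.locked.add(name)
        return "failure"

    def show_locked(self):
        """Equivalent of `show aaa local user locked`."""
        return sorted(self.locked)

    def clear_lockout(self, target):
        """Equivalent of `clear aaa local user lockout {username <name> | all}`."""
        if target == "all":
            self.locked.clear()
        else:
            self.locked.discard(target)
        for name in self.users:
            if target in ("all", name):
                self.failures[name] = 0


def demo():
    """Constructed scenario: max-fail 3, a level-1 user and a level-15 admin."""
    db = LocalUserDatabase(max_fail=3)
    db.add_user("test", "test123")
    db.add_user("admin", "cisco", privilege=15)
    user_results = [db.login("test", "wrong") for _ in range(3)]
    user_results.append(db.login("test", "test123"))   # right password, but locked now
    admin_results = [db.login("admin", "wrong") for _ in range(5)]
    admin_results.append(db.login("admin", "cisco"))   # admin is exempt, still succeeds
    locked_before = db.show_locked()
    db.clear_lockout("test")                           # administrator unlocks the user
    after_clear = db.login("test", "test123")
    return user_results, admin_results, locked_before, after_clear


if __name__ == "__main__":
    print(demo())
```

The demo returns three failures followed by a "locked" result for the correct password, shows only "test" in the locked list, leaves the privilege-15 admin able to log in after five bad attempts, and restores the user once the lockout is cleared.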
