Example 8-3 shows how to configure PPP authentication, authorization, and accounting using the RADIUS protocol. In this example, a default method list is used (the keyword default) for all services, and it is applied to all interfaces by default. The if-needed keyword in the authentication command indicates that if the user has already authenticated by going through the ASCII login procedure, PPP authentication is not necessary and can be skipped. The if-authenticated keyword in the authorization command indicates that users can be given access to the requested network services only if they have been authenticated first.

aaa new-model
aaa authentication ppp default if-needed group radius
aaa authorization network default group radius if-authenticated
aaa accounting network default start-stop group radius
!
radius-server host 10.1.1.1
radius-server key cisco
Example 8-4 shows how to configure login authentication and command authorization and accounting using the TACACS+ protocol. In this example, named method lists are used and explicitly applied to the VTY lines only. Authorization and accounting are also enabled for all IOS EXEC commands at privilege levels 1 and 15. The example also shows a fallback method to the local router database, used when the AAA server is not responding to authentication and authorization requests (an ERROR response).

username cisco password cisco
!
aaa new-model
aaa authentication login myauthen group tacacs+ local
aaa authorization commands 1 yusuf1 group tacacs+ local
aaa authorization commands 15 yusuf15 group tacacs+ local
aaa accounting commands 1 yusuf1 start-stop group tacacs+
aaa accounting commands 15 yusuf15 start-stop group tacacs+
!
tacacs-server host 10.1.1.1
tacacs-server key cisco
!
line vty 0 4
 login authentication myauthen
 authorization commands 1 yusuf1
 authorization commands 15 yusuf15
 accounting commands 1 yusuf1
 accounting commands 15 yusuf15
Example 8-5 shows how to configure the login password retry lockout feature, which allows system administrators to lock out a local user account after a specified number of unsuccessful login attempts. This feature is available for local authentication only.
The example sets the maximum number of failed login attempts to 3.

username test password test123
username admin privilege 15 password cisco
!
aaa new-model
aaa local authentication attempts max-fail 3
aaa authentication login default local
Caution
A drawback of this feature is that it has no way to distinguish between an attacker who is using brute force and a legitimate authorized user who is entering the password incorrectly multiple times. Hence, a potential DoS attack is possible, in which an authorized user could be locked out by an attacker if the username of the authorized user is known to the attacker.
When a user is locked out, only the system administrator can unlock the user to resume normal service. To unlock a locked-out user, use the clear aaa local user lockout {username username | all} command from privileged EXEC mode.
To monitor and display a list of locked-out users, use the show aaa local user locked command.
Note
A user configured with maximum root privilege (privilege level 15) is deemed a system administrator account and cannot be locked out by using this feature. This feature is applicable to any login authentication method, such as character-based ASCII logins, CHAP, and PAP.
The login password retry lockout feature was integrated into Cisco IOS Release 12.3(14)T. Use the Feature Navigator tool to check platform support and corresponding Cisco IOS Software image at http://www.cisco.com/go/fn.
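The following Python script is an added example, not part of the book, that audits an IOS-style configuration for the AAA points covered by Examples 8-4 and 8-5: a missing aaa new-model, a named list applied under a line that is not defined for that service, a remote-only method list with no local fallback on a server ERROR, and a missing lockout threshold. The sample configuration is constructed for the example and deliberately applies the level-1 list yusuf1 to level-15 commands.

```python
import re

# Constructed sample modelled on Example 8-4 (not the book's listing): the
# level-15 line command references 'yusuf1', which is only defined for level 1.
SAMPLE_CONFIG = """
aaa new-model
aaa authentication login myauthen group tacacs+ local
aaa authorization commands 1 yusuf1 group tacacs+ local
aaa authorization commands 15 yusuf15 group tacacs+ local
aaa local authentication attempts max-fail 3
line vty 0 4
 login authentication myauthen
 authorization commands 1 yusuf1
 authorization commands 15 yusuf1
"""

# Global definitions: 'aaa authentication login <name> <methods>' and
# 'aaa authorization commands <level> <name> <methods>'.
GLOBAL_RE = re.compile(r"aaa (?:authentication (login)|authorization (commands \d+)) (\S+) (.+)")
# Per-line application: 'login authentication <name>' / 'authorization commands <level> <name>'.
LINE_RE = re.compile(r"(?:login authentication|authorization (commands \d+)) (\S+)$")
LOCKOUT_RE = re.compile(r"aaa local authentication attempts max-fail (\d+)")

def audit_aaa(config):
    """Return a list of findings (empty means the checks above all passed)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: named method lists are ignored")
    defined = {}  # (service, list name) -> method tokens
    for l in lines:
        m = GLOBAL_RE.match(l)
        if m:
            service = m.group(1) or m.group(2)
            defined[(service, m.group(3))] = m.group(4).split()
    for l in lines:
        m = LINE_RE.match(l)
        if m:
            service = m.group(1) or "login"
            if (service, m.group(2)) not in defined:
                findings.append(f"list '{m.group(2)}' applied for {service} but not defined")
    for (service, name), methods in defined.items():
        if "group" in methods and "local" not in methods:
            findings.append(f"list '{name}' ({service}) has no local fallback on server ERROR")
    if not any(LOCKOUT_RE.match(l) for l in lines):
        findings.append("no 'aaa local authentication attempts max-fail': no lockout")
    return findings
```

Running audit_aaa(SAMPLE_CONFIG) reports only the undefined level-15 list; the other checks pass because every list ends in local and the max-fail threshold is set.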