Solved

AAA Authentication types and methods - Setting for Admin or general user access

Posted on 2003-11-23
1,098 Views
Last Modified: 2010-04-17
I have a few questions about the authentication options (methods) available on the NAS.

1)  Is arap, nasi, and ppp only used for network access, meaning that it has no effect on the user who is using the authentication but only affects whether the user can use that particular protocol to connect to the network?

2)  What is the 'enable' option for?  Can you give me an example?

3)  When the 'default' method is used and is automatically applied to all lines, does this mean all lines or all lines and interfaces on the router?  For example, if I have a 2521 with con, aux, vty, serial 0 3 (serial 3 is async for dialin), and isdn, are all these lines/interfaces under the control of the 'default' authentication unless configured otherwise?

4)  Would I ever use the AAA NAS without the CSACS or similar server to control authorization for user access?  I don't see much in the way of network service control on the NAS username options?

Thanks,






0
Question by:benje02
3 Comments
 
LVL 3

Expert Comment

by:sheahmed
ID: 9808579
ppp is the encapsulation of layer 2, consider it as physical pipe, which support other upper layer protocols ... you may carry any other protocol end to end until and unless both ends are supporting the protocols ...

when you are accessing your server via dial-up or any other means... it certainly depends on the hardware and the flexibility it provides on the particular interfaces ... and obviously your ios ...

most of the time ppp is used as protocol and two authentication procedures are supported ...

these are ...
- ppp authentication pap
and
- ppp authentication chap
or
- aaa authentication arap (if you have support of arap)

chap - challenge handshake authentication protocol is a little more complex than pap (password authentication protocol).

For home users to dial-in we prefer pap.

in cisco ... enable commands enables a certain option on a particular place ...

You need to configure authentication on physical interfaces like serials and bri, etc separately ... remember each physical interface is associated with a line ...

HeadOffice#sh line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
     0 CTY              -    -      -    -    -      0       0     0/0       -
    39 TTY 115200/115200- inout     -    -    -      0       0     0/0     Se1/6
    40 TTY 115200/115200- inout     -    -    -      0       0     0/0     Se1/7
    65 AUX 115200/115200- inout     -    -    -      2       0   470/0       -
*   66 VTY              -    -      -    -    -     76       0     0/0       -
*   67 VTY              -    -      -    -    -     25       0     0/0       -
*   68 VTY              -    -      -    -    -     11       0     0/0       -
    69 VTY              -    -      -    -    -      5       0     0/0       -
    70 VTY              -    -      -    -    -      2       0     0/0       -

while on the vty lines you can deploy configuration in a bundle fashion... like ...

!
line vty 0 4
login sheeraz
password sheeraz
!

you can use AAA without TACACS or RADIUS on router or access server and you can define username and respective passwords ... let me show you the sample config ...

username ABC-KHI password 7 xxxxxxxxxx
aaa new-model
!
!
aaa authentication login default local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default local
aaa session-id common    
!
radius-server authorization permit missing Service-Type
!

try this ... because I have successfully configured usernames on my router using this ...
0
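Following on from the configuration above, here is an added example that is not Cisco IOS code and not sheahmed's or the original poster's configuration: a small Python model of how IOS selects an AAA authentication method list for a line and walks it, which also speaks to question 3 about the 'default' list. It encodes the IOS rules that the 'default' list applies to every line without a named list bound by 'login authentication <name>', that methods are tried in order, and that the next method is consulted only when the previous one returns an error (server unreachable), never after a rejection. The sample configuration, usernames, passwords and function names are all constructed for this illustration.

```python
"""Added example for this thread, not Cisco IOS code and not the poster's config:
a small model of how IOS picks an AAA authentication method list for a line and
walks it.  Rules encoded: the 'default' list applies to every line that has no
named list bound with 'login authentication <name>'; methods are tried in order;
the next method is consulted only when the previous one returns ERROR (server
unreachable), never after FAIL (credentials rejected).  All data is constructed."""

import re

# Constructed configuration in the style of the thread.  NO_AUTHEN bound to the
# console is the weak setting: 'none' lets anyone with port access log in.
SAMPLE_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default local
username admin password 7 xxxxxxxxxx
line con 0
 login authentication NO_AUTHEN
line aux 0
line vty 0 4
 login authentication default
"""

# Constructed environment the methods consult (hypothetical users and secrets).
ENV = {
    "local_users": {"admin": "LocalPw1"},      # the 'username ...' database
    "server_reachable": True,                  # can 'group tacacs+' be reached?
    "server_users": {"admin": "ServerPw1"},    # what the AAA server accepts
    "enable_secret": "EnableS3cret",           # for the 'enable' method
}

AAA_RE = re.compile(r"^aaa authentication (login|enable|ppp) (\S+) (.+)$")


def parse_method_lists(config):
    """{(service, list_name): [method, ...]} from 'aaa authentication' lines."""
    lists = {}
    for raw in config.splitlines():
        m = AAA_RE.match(raw.strip())
        if m:
            service, name, rest = m.groups()
            # 'group tacacs+' is a single method, everything else one token
            lists[(service, name)] = re.findall(r"group \S+|\S+", rest)
    return lists


def parse_line_bindings(config):
    """{line: login_list_name}; a line without 'login authentication' gets 'default'."""
    bindings, current = {}, None
    for raw in config.splitlines():
        text = raw.rstrip()
        if text.startswith("line "):
            current = text[5:].strip()
            bindings[current] = "default"
        elif current and text.startswith(" "):
            m = re.match(r"\s*login authentication (\S+)", text)
            if m:
                bindings[current] = m.group(1)
        elif text:
            current = None  # any other top-level command ends the line block
    return bindings


def resolve_methods(service, line, lists, bindings):
    """Methods walked for <service> on <line>.  Only login lists are bound per
    line here; enable and ppp use their default list (per-interface ppp lists
    are out of scope for this model)."""
    name = bindings.get(line, "default") if service == "login" else "default"
    return lists.get((service, name), [])


def run_method(method, user, password, env):
    """One method's verdict: PASS, FAIL (rejected) or ERROR (could not decide)."""
    if method == "none":
        return "PASS"                           # no authentication at all
    if method == "local":
        return "PASS" if env["local_users"].get(user) == password else "FAIL"
    if method == "enable":
        return "PASS" if password == env["enable_secret"] else "FAIL"
    if method.startswith("group "):
        if not env["server_reachable"]:
            return "ERROR"                      # unreachable: fall through
        return "PASS" if env["server_users"].get(user) == password else "FAIL"
    return "ERROR"                              # method not modelled here


def authenticate(methods, user, password, env):
    """Walk the list: the first PASS or FAIL decides; ERROR moves on.  Returns
    (verdict, deciding_method); an exhausted list is ('ERROR', None), a denial."""
    for method in methods:
        verdict = run_method(method, user, password, env)
        if verdict != "ERROR":
            return verdict, method
    return "ERROR", None


if __name__ == "__main__":
    lists, bindings = parse_method_lists(SAMPLE_CONFIG), parse_line_bindings(SAMPLE_CONFIG)
    for line in bindings:
        methods = resolve_methods("login", line, lists, bindings)
        print(f"{line:8} {methods} -> {authenticate(methods, 'admin', 'LocalPw1', ENV)}")
```

The point the walk makes explicit is that `local` after `group tacacs+` is a fallback for an unreachable server, not a second chance after the server rejects a password; and that a list ending in `none`, like NO_AUTHEN above, authenticates nobody, so it belongs only on a line whose physical access is already controlled.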
 

Author Comment

by:benje02
ID: 9812588
So authenticating a user is a two step process?  One step is the layer 2 protocol they can use to access the network and the other is how their user ID will be authenticated?  Are both commands below needed for a dialup user to access the NAS?

aaa authentication login default local  (user ID/password part??)
aaa authentication ppp default local  (network access method??)

****
What I meant by the 'enable' is its use in the authentication command, for example;  

pita(config)#aaa authen enable default ?
  enable  Use enable password for authentication.
  group   Use Server-group
  line      Use line password for authentication.
  none    NO authentication.


What does this command do?  This seems redundant with the login option.  See below;

pita(config)#aaa authen login default ?
  enable         Use enable password for authentication.
  group          Use Server-group
  krb5            Use Kerberos 5 authentication.
  krb5-telnet   Allow logins only if already authenticated via Kerberos V
                    Telnet.
  line             Use line password for authentication.
  local           Use local username authentication.
  local-case    Use case-sensitive local username authentication.
  none         NO authentication.

****
If each physical interface is associated with a line, then why are some serial interfaces not showing up in the 'show line' command?  Only the serial interfaces that I can change the hardware to async show up.




0
 
LVL 7

Accepted Solution

by:
NicBrey earned 800 total points
ID: 9837502
Hi there

>pita(config)#aaa authen enable default
Here enable specifies that the user can access the enable mode on the router/access server

>pita(config)#aaa authen login default
This command is not complete. You still have to select one of the options listed for login level access.


>If each physical interface is associated with a line, then why are some serial interfaces not showing up in the 'show line' command?
It depends on the type of card you have installed in the router. Not all serial cards can be configured for async.


0
