To enable an AAA authentication method for AppleTalk Remote Access (ARA) using TACACS+, use the aaa authentication arap global configuration command. Use the no form of this command to disable this authentication.
aaa authentication arap {default | list-name} method1 [method2...]
no aaa authentication arap {default | list-name} method1 [method2...]
default Uses the listed methods that follow this argument as the default list of methods when a user logs in.
list-name  Character string used to name the following list of authentication methods tried when a user logs in.
method  One of the keywords described in Table 3.
If the default list is not set, only the local user database is checked. This has the same effect as the following command:
aaa authentication arap default local
Global configuration
Release | Modification |
---|---|
10.3 | This command was introduced. |
The list names and default that you set with the aaa authentication arap command are used with the arap authentication command. Note that ARAP guest logins are disabled by default when you enable AAA. To allow guest logins, you must use either the guest or auth-guest method listed in Table 3. You can only use one of these methods; they are mutually exclusive.
Create a list by entering the aaa authentication arap list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries in the given sequence. See Table 3 for descriptions of method keywords.
To create a default list that is used if no list is specified in the arap authentication command, use the default keyword followed by the methods you want to be used in default situations.
The additional methods of authentication are used only if the previous method returns an error, not if it fails.
Use the more system:running-config command to view currently configured lists of authentication methods.
Keyword | Description |
---|---|
guest | Allows guest logins. This method must be the first method listed, but it can be followed by other methods if it does not succeed. |
auth-guest | Allows guest logins only if the user has already logged in to EXEC. This method must be the first method listed, but can be followed by other methods if it does not succeed. |
line | Uses the line password for authentication. |
local | Uses the local username database for authentication. |
tacacs+ | Uses TACACS+ authentication. |
This command cannot be used with TACACS or extended TACACS.
The following example creates a list called MIS-access, which first tries TACACS+ authentication and then none:
aaa authentication arap MIS-access tacacs+ none
The following example creates the same list, but sets it as the default list that is used for all ARA protocol authentications if no other list is specified:
aaa authentication arap default tacacs+ none
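Both example lists end in none, so the rule that a later method is tried only when the previous one returns an error decides what happens when the TACACS+ server cannot be reached. The following Python is an added example, not Cisco code: it parses aaa authentication arap lines from a constructed sample configuration, models the order in which methods are tried, and flags lists that fall open or misplace a guest method. It assumes none means no authentication is performed; the list name lobby and all function names are hypothetical.

```python
import re

PASS, FAIL, ERROR = "pass", "fail", "error"
GUEST = {"guest", "auth-guest"}

# Constructed sample configuration; "lobby" is a hypothetical list name.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication arap MIS-access tacacs+ none
aaa authentication arap default tacacs+ local
aaa authentication arap lobby local guest
"""

def parse_arap_lists(config):
    """Return {list_name: [methods]} for each 'aaa authentication arap' line."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"\s*aaa authentication arap (\S+)\s+(.+)", line)
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists

def evaluate(methods, outcomes):
    """Model the list walk: a later method runs only if the previous one errors."""
    for method in methods:
        if method == "none":
            return PASS, method               # no authentication is performed
        result = outcomes.get(method, ERROR)  # unlisted method: treated as unreachable
        # Assumption: a guest method that does not succeed lets the list continue.
        if result == PASS or (result == FAIL and method not in GUEST):
            return result, method
    return FAIL, None                         # list exhausted: access denied

def audit(lists):
    """Flag lists that break the ordering rules or fall open on server error."""
    findings = []
    for name, methods in lists.items():
        guests = [m for m in methods if m in GUEST]
        if len(guests) > 1:
            findings.append((name, "guest and auth-guest are mutually exclusive"))
        if guests and methods[0] not in GUEST:
            findings.append((name, "guest method must be listed first"))
        if "none" in methods:
            findings.append((name, "no authentication if earlier methods error"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(parse_arap_lists(SAMPLE_CONFIG)):
        print(f"{name}: {issue}")
```

With MIS-access, a rejected TACACS+ login stays rejected, but a TACACS+ error admits the user without authentication; the default list in the sample falls back to the local database instead.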
Command | Description |
---|---|
aaa authentication local-override | Configures the Cisco IOS software to check the local user database for authentication before attempting another form of authentication. |
aaa new-model | Enables the AAA access control model. |
All material in this document copyright 2000 Cisco Systems, Inc. All rights reserved. No material may be reproduced or distributed without written permission of Cisco Systems, Inc.