To specify one or more AAA authentication methods for use on serial interfaces running Point-to-Point Protocol (PPP), use the aaa authentication ppp global configuration command. Use the no form of this command to disable authentication.
aaa authentication ppp {default | list-name} method1 [method2...]
no aaa authentication ppp {default | list-name} method1 [method2...]
Argument | Description |
---|---|
default | Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in. |
list-name | Character string used to name the list of authentication methods tried when a user logs in. |
method1 [method2...] | At least one of the keywords described in Table 7. |
If the default list is not set, only the local user database is checked. This has the same effect as the following command:
aaa authentication ppp default local
Global configuration
Release | Modification |
---|---|
10.3 | This command was introduced. |
The lists that you create with the aaa authentication ppp command are used with the ppp authentication command. These lists contain up to four authentication methods that are used when a user tries to log in to the serial interface.
Create a list by entering the aaa authentication ppp list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries in the given sequence. You can enter up to four methods. Method keywords are described in Table 7.
The additional methods of authentication are only used if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authentication succeed even if all methods return an error.
If authentication is not specifically set for a function, the default is none and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods.
Keyword | Description |
---|---|
if-needed | Does not authenticate if user has already been authenticated on a TTY line. |
krb5 | Uses Kerberos 5 for authentication (can only be used for PAP authentication). |
local | Uses the local username database for authentication. |
none | Uses no authentication. |
radius | Uses RADIUS authentication. |
tacacs+ | Uses TACACS+ authentication. |
This command cannot be used with TACACS or extended TACACS.
The following example creates an AAA authentication list called MIS-access for serial lines that use PPP. This authentication first tries to contact a TACACS+ server. If this action returns an error, the user is allowed access with no authentication.
aaa authentication ppp MIS-access tacacs+ none
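An added example, not Cisco's code: a Python sketch that parses aaa authentication ppp lines from a configuration, models the error-versus-fail fall-through described above, and flags lists that contain none. The sample configuration is constructed (MIS-access is the page's example, the default line is hypothetical), the function names are this example's own, and treating a list whose methods all return an error as a denial when none is absent is this example's reading of the page.

```python
import re

# Method keywords from Table 7 on this page.
METHODS = {"if-needed", "krb5", "local", "none", "radius", "tacacs+"}
LINE_RE = re.compile(r"^\s*aaa authentication ppp (\S+)\s+(.+?)\s*$")

# Constructed sample: MIS-access is the page's example, the default line is hypothetical.
SAMPLE = """\
aaa new-model
aaa authentication ppp MIS-access tacacs+ none
aaa authentication ppp default tacacs+ local
"""

def parse_lists(config_text):
    """Return {list_name: [methods]} for each 'aaa authentication ppp' line."""
    lists = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists

def evaluate(methods, outcomes):
    """Model the fall-through rule: the next method is tried only when the
    previous one returns 'error'; 'pass' or 'fail' is final. A method missing
    from outcomes is treated as unreachable ('error')."""
    for method in methods:
        if method == "none":
            return "pass"  # succeeds without authenticating anyone
        result = outcomes.get(method, "error")
        if result != "error":
            return result
    return "fail"  # every method errored and no 'none' was listed

def audit(config_text):
    """Return (list_name, finding) pairs for lists that need review."""
    findings = []
    for name, methods in parse_lists(config_text).items():
        unknown = [m for m in methods if m not in METHODS]
        if unknown:
            findings.append((name, "unknown method: " + ", ".join(unknown)))
        if len(methods) > 4:
            findings.append((name, "more than four methods"))
        if "none" in methods:
            findings.append((name, "'none' admits users unauthenticated on error"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```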
Command | Description |
---|---|
aaa authentication local-override | Configures the Cisco IOS software to check the local user database for authentication before attempting another form of authentication. |
aaa new-model | Enables the AAA access control model. |
ppp authentication | Enables CHAP or PAP or both and specifies the order in which CHAP and PAP authentication are selected on the interface. |
All material in this document copyright 2000 Cisco Systems, Inc. All rights reserved. No material may be reproduced or distributed without written permission of Cisco Systems, Inc.