In preparation for your CCNA Security 640-553 exam, we want to make sure we cover topics that you are very likely to encounter on your Cisco CCNA exam. So to assist you, below we will discuss configuring AAA authentication.
Configure AAA authentication
The AAA model is enabled on a Cisco router with the aaa new-model command. You can then use the aaa authentication login command to authenticate users who want exec access to the router's lines (tty, vty, console and aux).
Example 1: Exec Access using Radius then Local
Configure:
aaa authentication login default group radius local
All users are authenticated against the Radius server (the first method). If the Radius server does not respond, the router's local database is used (the second method).
For local authentication, define a username and password in the router's local database:
Configure:
username xxx password yyy
Because we are using the list named default in the aaa authentication login command, login authentication is automatically applied to all login connections (tty, vty, console and aux).
Using the example above, if we do not include the local keyword, we have:
aaa authentication login default group radius
If the AAA server does not reply to the authentication request, the authentication fails, since the router has no alternate method to try.
The group keyword provides a way to group existing server hosts. This feature lets you select a subset of the configured server hosts and use them for a particular service.
Example 2: Console Access Using Line Password
Let's expand the configuration from Example 1 so that console login is authenticated only by the password set on line con 0.
The named list is CONSOLE; it contains a single authentication method (line).
Configure:
aaa authentication login CONSOLE line
Once a named list (in this example, CONSOLE) is created, it must be applied to a line or interface before it takes effect. This is done with the login authentication list_name command:
Configure:
line con 0
exec-timeout 0 0
password cisco
login authentication CONSOLE
The CONSOLE list overrides the default method list on line con 0. You must enter the password "cisco" (configured on line con 0) to get console access. The default list is still used on the tty, vty and aux lines.
To have console access authenticated by a local username and password, use:
Configure:
aaa authentication login CONSOLE local
In this case, a username and password must be configured in the local database of the router. The list must also be applied to the line or interface.
To have no authentication at all, use:
Configure:
aaa authentication login CONSOLE none
In this case, no authentication is required to get console access. The list must also be applied to the line or interface.
Example 3: Enable Mode Access Using External AAA Server
You can also require authentication to reach enable mode (privilege level 15).
Configure:
aaa authentication enable default group radius enable
Only the password is requested; the username sent to the server is $enab15$. Hence the username $enab15$ must be defined on the AAA server.
If the Radius server doesn't reply, the enable password configured locally on the router must be entered instead.
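To make the fall-through behaviour of Examples 1 to 3 concrete, here is an added Python model of how IOS walks a method list. It is not configuration or code from the original article. Each method answers PASS, FAIL or ERROR; IOS moves on to the next method only on ERROR (the method could not decide, for instance no reply from the Radius server group), while a PASS or a FAIL (an explicit reject from the server) ends evaluation at that method. That last point goes beyond the article's text: a Radius reject is not rescued by a later local method, only Radius silence is. The usernames, passwords and line names in the block are constructed for the demonstration.

```python
"""Model of how Cisco IOS evaluates an AAA login/enable method list.

Added example, not configuration from the original article. IOS moves to the
next method only on ERROR (method could not decide); PASS or FAIL ends the
walk at that method. All credentials below are constructed sample values.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # the method reached a decision: reject
    ERROR = "error"  # the method could not decide (e.g. server silent)


@dataclass
class Router:
    # RADIUS server group; None models a group in which no server replies
    radius_users: Optional[Dict[str, str]] = None
    local_users: Dict[str, str] = field(default_factory=dict)     # username/password
    line_passwords: Dict[str, str] = field(default_factory=dict)  # "password" on a line
    enable_password: Optional[str] = None                         # enable password
    # aaa authentication login <list-name> <method> ...
    login_lists: Dict[str, List[str]] = field(default_factory=dict)
    # login authentication <list-name> applied on a line; other lines use "default"
    line_login_lists: Dict[str, str] = field(default_factory=dict)
    # aaa authentication enable default <method> ...
    enable_list: List[str] = field(default_factory=list)


def run_method(rtr: Router, method: str, line: Optional[str], user: str, pwd: str) -> Result:
    """Evaluate one method against the supplied credentials."""
    if method == "group radius":
        if rtr.radius_users is None:
            return Result.ERROR                      # no reply from the server group
        return Result.PASS if rtr.radius_users.get(user) == pwd else Result.FAIL
    if method == "local":
        return Result.PASS if rtr.local_users.get(user) == pwd else Result.FAIL
    if method == "line":
        return Result.PASS if rtr.line_passwords.get(line) == pwd else Result.FAIL
    if method == "enable":
        return Result.PASS if rtr.enable_password == pwd else Result.FAIL
    if method == "none":
        return Result.PASS                           # no authentication at all
    raise ValueError(f"unknown method {method!r}")


def walk(rtr: Router, methods: List[str], line: Optional[str], user: str, pwd: str) -> Tuple[Result, str]:
    """Walk a method list; return the outcome and the method that decided it."""
    for method in methods:
        result = run_method(rtr, method, line, user, pwd)
        if result is not Result.ERROR:
            return result, method                    # PASS or FAIL stops the walk
    return Result.FAIL, "no method available"        # every method returned ERROR


def login(rtr: Router, line: str, user: str, pwd: str) -> Tuple[Result, str]:
    """Exec login on a line: use the list applied to that line, else 'default'."""
    list_name = rtr.line_login_lists.get(line, "default")
    return walk(rtr, rtr.login_lists[list_name], line, user, pwd)


def enable(rtr: Router, pwd: str) -> Tuple[Result, str]:
    """Enable-mode authentication; IOS presents the username $enab15$ to the server."""
    return walk(rtr, rtr.enable_list, None, "$enab15$", pwd)


def build_router(radius_reachable: bool) -> Router:
    """The article's Examples 1 to 3 as one configuration (constructed credentials)."""
    radius_db = {"alice": "radpw", "$enab15$": "rad-enable"}
    return Router(
        radius_users=radius_db if radius_reachable else None,
        local_users={"admin": "localpw"},            # username admin password localpw
        line_passwords={"con 0": "cisco"},           # line con 0 / password cisco
        enable_password="en-secret",                 # enable password en-secret
        login_lists={
            "default": ["group radius", "local"],    # login default group radius local
            "CONSOLE": ["line"],                     # login CONSOLE line
        },
        line_login_lists={"con 0": "CONSOLE"},       # login authentication CONSOLE on con 0
        enable_list=["group radius", "enable"],      # enable default group radius enable
    )


def demo() -> Dict[str, Tuple[Result, str]]:
    up, down = build_router(True), build_router(False)
    radius_only = build_router(False)
    radius_only.login_lists["default"] = ["group radius"]   # the local keyword omitted
    return {
        # vty uses the default list: RADIUS answers and accepts
        "vty_radius_ok": login(up, "vty 0", "alice", "radpw"),
        # RADIUS answers with a reject: local is never consulted, although admin/localpw is valid
        "vty_radius_reject": login(up, "vty 0", "admin", "localpw"),
        # RADIUS silent (ERROR): the local database decides
        "vty_radius_down_local": login(down, "vty 0", "admin", "localpw"),
        # no alternate method configured: silence means failure
        "vty_radius_only_down": login(radius_only, "vty 0", "admin", "localpw"),
        # console uses the CONSOLE list: only the line password matters, the username is ignored
        "console_line_pw": login(down, "con 0", "anyone", "cisco"),
        "console_wrong_pw": login(down, "con 0", "anyone", "wrong"),
        # enable: RADIUS silent, so the locally configured enable password is requested
        "enable_radius_down": enable(down, "en-secret"),
    }


if __name__ == "__main__":
    for name, (result, method) in demo().items():
        print(f"{name:24s} {result.value:6s} decided by: {method}")
```

Running the block prints one line per scenario. The two cases worth comparing are vty_radius_reject and vty_radius_down_local: the same local credentials succeed only when the Radius group is silent, which is exactly why the local keyword is a fallback for an unreachable server and not a second chance after a reject.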
I hope you found this article to be of use and it helps you prepare for your Cisco CCNA Security 640-553 certification exam. I am sure you will quickly find out that hands-on real world experience that our CCNA lab kits offer is the best way to cement the CCNA concepts in your head to help you pass your CCNA test!