Configuring Exec Access using Radius then Local 

Router(config)#aaa authentication login default group radius local

All users are authenticated using the Radius server (the first method).  If the Radius server doesn’t respond, then the router’s local database is used (the second method).

For local authentication, define the username and password:

Router(config)#username xxx password yyy

Because we are using the list default in the aaa authentication login command, login authentication is automatically applied for all login connections (such as tty, vty, console and aux).

Using the example above, if we do not include the local keyword, we have:

Router(config)#aaa authentication login default group radius

If the AAA server does not reply to the authentication request, the authentication will fail (since the router does not have an alternate method to try).

The group keyword provides a way to group existing server hosts. The feature allows the user to select a subset of the configured server hosts and use them for a particular service.

 

Configuring Console Access Using Line Password 

Let’s expand the configuration example above so that console login is only authenticated by the password set on line con 0.

The named list is CONSOLE.  There is only one authentication method (line).

Router(config)#aaa authentication login CONSOLE line

Once a named list (in this example, CONSOLE) is created, it must be applied to a line or interface for it to come into effect.  This is done using the login authentication list_name command:

Router(config)#line con 0

Router(config-line)#exec-timeout 0 0

Router(config-line)#password cisco

Router(config-line)#login authentication CONSOLE

The CONSOLE list overrides the default method list default on line con 0. You need to enter the password “cisco” (configured on line con 0) to get console access. The default list is still used on tty, vty and aux.

To have console access authenticated by a local username and password, use the following:

Router(config)#aaa authentication login CONSOLE local

In this case, a username and password have to be configured in the local database of the router.  The list must also be applied to the line or interface.

To have no authentication, use the following:

Router(config)#aaa authentication login CONSOLE none

In this case, no authentication is required to get console access. The list must also be applied to the line or interface.
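The default-list and named-list rules described above can be checked mechanically against a saved configuration. The following is an added example, not part of the original page: it resolves which login method list each line uses and flags lists that contain none or that have no fallback after the server group. The sample configuration and the list name MGMT are constructed for illustration.

```python
import re

# Constructed sample configuration (not from the original page).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius
aaa authentication login CONSOLE none
aaa authentication login MGMT group radius local
line con 0
 login authentication CONSOLE
line aux 0
line vty 0 4
 login authentication MGMT
"""

def parse_login_lists(config):
    """Map each login list name to its ordered methods ('group radius' -> 'group:radius')."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        methods = re.sub(r"group (\S+)", r"group:\1", m.group(2)).split()
        lists[m.group(1)] = methods
    return lists

def lists_per_line(config):
    """Resolve the list used by each line; a line with no named list uses 'default'."""
    applied, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"\s+login authentication (\S+)", raw)
        if raw.startswith("line "):
            current = raw.strip()
            applied[current] = "default"
        elif m and current:
            applied[current] = m.group(1)
        elif not raw.startswith(" "):
            current = None  # left the line sub-mode
    return applied

def audit(config):
    """Return (line, list name, finding) for every line with a risky login list."""
    lists, findings = parse_login_lists(config), []
    for line, name in lists_per_line(config).items():
        methods = lists.get(name)
        if methods is None:
            findings.append((line, name, "method list not defined"))
        elif "none" in methods:
            findings.append((line, name, "'none' method: no authentication"))
        elif all(m.startswith("group:") for m in methods):
            findings.append((line, name, "no fallback if the server does not reply"))
    return findings
```

On the sample, audit(SAMPLE_CONFIG) reports line con 0 (CONSOLE uses none) and line aux 0 (inherits the default list, which has no local fallback); line vty 0 4 passes.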

 

Configuring Enable Mode Access Using External AAA Server 

You can also easily configure authentication for enable mode (privilege 15) logins.

Router(config)#aaa authentication enable default group radius enable

Only the password will be requested; the username is $enab15$.  Hence the username $enab15$ must be defined on the AAA server.

 

Configure AAA Authorization

Authorization is the process by which you can control what a user can and cannot do.  First define a named list of authorization methods.  Then apply that list to one or more interfaces (except for the default method list).  The first listed method is used. If it fails to respond, the second one is used, and so on.

Exec Authorization 

The aaa authorization exec command determines if the user is allowed to run an EXEC shell.  This facility might return user profile information such as autocommand information, idle timeout, session timeout, access-list and privilege and other per-user factors. Exec authorization is only carried out over vty and tty lines.

The following example uses Radius Authentication for all users.

Router(config)#aaa authentication login default group radius local

All users who want to log in to the access server have to be authorized using Radius (first method) or local database (second method).

The following example uses Radius authorization for Exec access.

Router(config)#aaa authorization exec default group radius local

On the AAA server, Service-Type=1 (login) must be selected.

With this example, if the local keyword is not included and the AAA server does not respond, then authorization will never be possible and the connection will fail.

If the Radius server doesn’t reply, the enable password configured locally on the router will have to be entered for the user to gain access.

 

Configure AAA Accounting

The aaa authorization network command runs authorization for all network-related service requests such as PPP, SLIP and ARAP.  This section focuses on PPP, which is most commonly used.

The AAA server checks if a PPP session by the client is allowed.  Moreover, PPP options can be requested by the client: callback, compression, IP address, and so on.  These options have to be configured on the user profile on the AAA server.  Moreover, for a specific client, the AAA profile can contain idle-timeout, access-list and other per-user attributes which will be downloaded by the Cisco IOS software and applied for this client.

 

 

Configuring Radius Authorization

In this scenario, the access server is used to accept PPP dial-in connections. So first we must configure Radius authentication.

 

Router(config)#aaa authentication ppp default group radius local

Then we need to configure authorization.

Router(config)#aaa authorization network default group radius local

With the keyword start-stop, accounting information for every dial-in PPP session is sent to the AAA server once the client is authenticated and again after the disconnect.  So let’s configure the start and stop of the accounting records.

Router(config)#aaa accounting network default start-stop group radius local

Let’s say we only want accounting information to be sent and recorded after a client disconnects.  We then use the keyword stop and configure the following line.

Router(config)#aaa accounting network default stop group radius local

Until this point, AAA accounting provides start and stop record support for calls that have passed user authentication.  But what happens if authentication or PPP negotiation fails?  There is no record of authentication. The solution is to use the AAA resource failure stop accounting command.

Router(config)#aaa accounting send stop-record authentication failure

Then a stop record is sent to the AAA server.  But what if we want to enable full resource accounting, which generates both a start record at call setup and a stop record at call termination?  We would then configure the following.

Router(config)#aaa accounting resource start-stop

With this command, a call setup and call disconnect start-stop accounting record tracks the progress of the resource connection to the device. A separate user authentication start-stop accounting record tracks the user management progress. These two sets of accounting records are interlinked using a unique session ID for the call.
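On the AAA server side, the records described above can be correlated by session ID to pick out failed attempts. The following is an added example, not part of the original page: the records are constructed, the attribute names are the standard RADIUS accounting ones (RFC 2866), and it assumes that a Stop record with no matching Start is the stop record sent on authentication failure (a lost Start packet would look the same).

```python
from collections import Counter, defaultdict

# Constructed accounting records (not from the original page). Attribute names
# are the standard RADIUS accounting ones (RFC 2866); all values are made up.
RECORDS = [
    {"Acct-Session-Id": "0000001A", "Acct-Status-Type": "Start", "User-Name": "alice"},
    {"Acct-Session-Id": "0000001A", "Acct-Status-Type": "Stop", "User-Name": "alice"},
    {"Acct-Session-Id": "0000001B", "Acct-Status-Type": "Stop", "User-Name": "bob"},
    {"Acct-Session-Id": "0000001C", "Acct-Status-Type": "Start", "User-Name": "carol"},
    {"Acct-Session-Id": "0000001D", "Acct-Status-Type": "Stop", "User-Name": "bob"},
]

def classify_sessions(records):
    """Group records by session ID and label each session by the record types seen."""
    kinds, users = defaultdict(set), {}
    for rec in records:
        sid = rec["Acct-Session-Id"]
        kinds[sid].add(rec["Acct-Status-Type"])
        users[sid] = rec.get("User-Name", "")
    labels = {}
    for sid, seen in kinds.items():
        if seen == {"Start", "Stop"}:
            state = "completed"
        elif seen == {"Stop"}:
            # Assumption: a Stop with no Start is the failure stop record.
            state = "failed-before-start"
        else:
            state = "open"  # Start seen, session not yet closed
        labels[sid] = (users[sid], state)
    return labels

def failures_by_user(records):
    """Count failure stop records per user, for review or alerting."""
    return Counter(user for user, state in classify_sessions(records).values()
                   if state == "failed-before-start")
```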