aaa authentication arap
To enable an authentication, authorization, and accounting (AAA) authentication method for AppleTalk Remote Access (ARA), use the aaa authentication arap command in global configuration mode. To disable this authentication, use the no form of this command.
aaa authentication arap {default | list-name} method1 [method2...]
no aaa authentication arap {default | list-name} method1 [method2...]
Syntax Description
default | Uses the listed methods that follow this argument as the default list of methods when a user logs in. |
list-name | Character string used to name the following list of authentication methods tried when a user logs in. |
method1 [method2...] | At least one of the keywords described in the table below. |
Command Default
If the default list is not set, only the local user database is checked. This has the same effect as the following command:
aaa authentication arap default local
Command Modes
Global configuration
Command History
Release | Modification |
---|---|
10.3 | This command was introduced. |
12.0(5)T | Group server and local-case support were added as method keywords for this command. |
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Usage Guidelines
The list names and default that you set with the aaa authentication arap command are used with the arap authentication command. Note that ARAP guest logins are disabled by default when you enable AAA. To allow guest logins, you must use either the guest or auth-guest method listed in the table below. You can only use one of these methods; they are mutually exclusive.
Create a list by entering the aaa authentication arap list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries in the given sequence. See the table below for descriptions of method keywords.
To create a default list that is used if no list is specified in the arap authentication command, use the default keyword followed by the methods you want to be used in default situations.
The additional methods of authentication are used only if the previous method returns an error, not if it fails.
Use the more system:running-config command to view currently configured lists of authentication methods.
Note: In the table below, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.
Keyword | Description |
---|---|
guest | Allows guest logins. This method must be the first method listed, but it can be followed by other methods if it does not succeed. |
auth-guest | Allows guest logins only if the user has already logged in to EXEC. This method must be the first method listed, but can be followed by other methods if it does not succeed. |
line | Uses the line password for authentication. |
local | Uses the local username database for authentication. |
local-case | Uses case-sensitive local username authentication. |
group radius | Uses the list of all RADIUS servers for authentication. |
group tacacs+ | Uses the list of all TACACS+ servers for authentication. |
group group-name | Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command. |
Examples
The following example creates a list called MIS-access, which first tries TACACS+ authentication and then none:
aaa authentication arap MIS-access group tacacs+ none
The following example creates the same list, but sets it as the default list that is used for all ARA protocol authentications if no other list is specified:
aaa authentication arap default group tacacs+ none
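The following is an added example, not part of the original command reference: a Python checker that audits aaa authentication arap lines against the rules on this page (at least one method, guest and auth-guest mutually exclusive and listed first) and flags a none method, which is reached whenever an earlier method returns an error. The rule names, the sample configuration, and the reading of none as "no authentication" (the keyword appears only in this page's examples, not in its keyword table) are assumptions of this example.

```python
import re

# Method keywords from this page's table. "none" appears only in the page's
# examples; this checker ASSUMES it means "no authentication".
SINGLE = {"guest", "auth-guest", "line", "local", "local-case", "none"}
GUEST = {"guest", "auth-guest"}
LINE_RE = re.compile(r"^\s*aaa authentication arap\s+(\S+)\s*(.*)$")

def parse_methods(tokens):
    """Fold 'group <name>' into one method; everything else is one token."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def audit(config_text):
    """Return (list_name, rule_id) findings for each ARAP method list."""
    findings = []
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw)  # "no aaa ..." lines do not match
        if not m:
            continue
        name, methods = m.group(1), parse_methods(m.group(2).split())
        if not methods:
            findings.append((name, "no-method"))
        if any(not x.startswith("group ") and x not in SINGLE for x in methods):
            findings.append((name, "unknown-method"))
        if GUEST <= set(methods):      # guest and auth-guest are exclusive
            findings.append((name, "guest-exclusive"))
        if GUEST & set(methods[1:]):   # guest methods must be listed first
            findings.append((name, "guest-not-first"))
        if "none" in methods:          # error on earlier methods => no auth
            findings.append((name, "none-fallback"))
    return findings

# Constructed sample configuration (not from a real device).
SAMPLE = """\
aaa authentication arap default group tacacs+ none
aaa authentication arap MIS-access group tacacs+ local
aaa authentication arap LAB local guest
aaa authentication arap BOTH guest auth-guest local
no aaa authentication arap OLD local
"""

if __name__ == "__main__":
    for name, rule in audit(SAMPLE):
        print(f"{name}: {rule}")
```

Run it against the output of more system:running-config saved to a file; a list that ends in local instead of none produces no finding.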