Полезная информация звезды без макияжа

cc/td/doc/product/software/ios112/112cg_cr
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

Network Access Security Commands

Network Access Security Commands

This chapter describes the commands used to manage security on the network.

aaa authentication arap

To enable an Authentication Authorization and Accounting (AAA) authentication method for AppleTalk Remote Access (ARA) users using TACACS+, use the aaa authentication arap global configuration command. Use the no form of this command to disable this authentication.

aaa authentication arap {default | list-name} method1 [...[method4]]
no aaa authentication arap {default | list-name} method1 [...[method4]]

Syntax Description
default Uses the listed methods that follow this argument as the default list of methods when a user logs in.
list-name Character string used to name the following list of authentication methods tried when a user logs in.
method One of the keywords described in Table 1.
Default

If the default list is not set, only the local user database is checked. This version has the same effect as the following command:

aaa authentication arap default local
Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

The list names and default that you set with the aaa authentication arap command are used with the arap authentication command. These lists can contain up to four authentication methods that are used when a user tries to log in with ARA. Note that ARAP guest logins are disabled by default when you enable AAA/TACACS+. To allow guest logins, you must use either the guest or auth-guest method listed in Table 1. You can only use one of these methods; they are mutually exclusive.

Create a list by entering the aaa authentication arap list-name method command, where list-name is any character string used to name this list (such as MIS-access.) The method argument identifies the list of methods the authentication algorithm tries in the given sequence. You can enter up to four methods. See Table 1 for descriptions of method keywords.

To create a default list that is used if no list is specified in the arap authentication command, use the default keyword followed by the methods you want to be used in default situations.

The additional methods of authentication are used only if the previous method returns an error, not if it fails.

Use the show running-config command to view lists of authentication methods.


Table 1: AAA Authentication ARAP Methods
Keyword Description
guest Allows guest logins. This method must be the first method listed, but it can be followed by other methods if it does not succeed.
auth-guest Allows guest logins only if the user has already logged in to EXEC. This method must be the first method listed, but can be followed by other methods if it does not succeed.
line Uses the line password for authentication.
local Uses the local username database for authentication.
tacacs+ Uses TACACS+ authentication.
radius Uses RADIUS authentication.

Note This command cannot be used with TACACS or extended TACACS.
Examples

The following example creates a list called MIS-access, which first tries TACACS+ authentication and then none:

aaa authentication arap MIS-access tacacs+ none

The following example creates the same list, but sets it as the default list that is used for all ARA protocol authentications if no other list is specified:

aaa authentication arap default tacacs+ none
Related Commands

aaa authentication local-override
aaa new-model
aaa new-model

aaa authentication enable default

To enable AAA authentication to determine if a user can access the privileged command level, use the aaa authentication enable default global configuration command. Use the no form of this command to disable this authorization method.

aaa authentication enable default method1 [...[method4]]
no aaa authentication enable default method1 [...[method4]]

Syntax Description
method At least one and up to four of the keywords described in Table 2.
Default

If the default list is not set, only the enable password is checked. This version has the same effect as the following command:

aaa authentication enable default enable

On the console, the enable password is used if it exists. If no password is set, the process will succeed anyway.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

Use the aaa authentication enable default command to create a series of authentication methods that are used to determine whether a user can access the privileged command level. You can specify up to four authentication methods. Method keywords are described in Table 2. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.

If a default authentication routine is not set for a function, the default is none and no authentication is performed. Use the show running-config command to view currently configured lists of authentication methods.


Table 2: AAA Authentication Enable Default Methods
Keyword Description
enable Uses the enable password for authentication.
line Uses the line password for authentication.
none Uses no authentication.
tacacs+ Uses TACACS+ authentication.
radius Uses RADIUS authentication.

Note This command cannot be used with TACACS or extended TACACS.
Example

The following example creates an authentication list that first tries to contact a TACACS+ server. If no server can be found, AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.

aaa authentication enable default tacacs+ enable none
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

aaa authentication local-override
aaa authorization
aaa new-model
enable password
+

aaa authentication local-override

To configure the Cisco IOS software to check the local user database for authentication before attempting another form of authentication, use the aaa authentication local-override global configuration command. Use the no form of this command to disable the override.

aaa authentication local-override
no aaa authentication local-override

Syntax Description

This command has no arguments or keywords.

Default

Override is disabled.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

This command is useful when you want to configure an override to the normal authentication process for certain personnel such as system administrators.

When this override is set, the user is always prompted for the username. The system then checks to see if the entered username corresponds to a local account. If the username does not correspond to one in the local database, login proceeds with the methods configured with other aaa commands (such as aaa authentication login). Note that when using this command Username: is fixed as the first prompt.

Example

The following example enables AAA authentication override:

aaa authentication local-override
Related Commands

aaa authentication arap
aaa authentication enable default
aaa authentication login
aaa authentication ppp
aaa new-model

aaa authentication login

To set AAA authentication at login, use the aaa authentication login global configuration command. Use the no form of this command to disable AAA authentication.

aaa authentication login {default | list-name} method1 [...[method4]]
no aaa authentication login {default | list-name} method1 [...[method4]]

Syntax Description
default Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
list-name Character string used to name the following list of authentication methods activated when a user logs in.
method At least one and up to four of the keywords described in Table 3.
Default

If the default list is not set, only the local user database is checked. This version has the same effect as the following command:

aaa authentication login default local

Note On the console, login will succeed without any authentication checks if default is not set.
Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

The default and optional list names that you create with the aaa authentication login command are used with the login authentication command.

Create a list by entering the aaa authentication list-name method command for a particular protocol, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence. Method keywords are described in Table 3.

To create a default list that is used if no list is assigned to a line, use the login authentication command with the default argument followed by the methods you want to use in default situations.

The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.

If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the show running-config command to display currently configured lists of authentication methods.


Table 3: AAA Authentication Login Methods
Keyword Description
enable Uses the enable password for authentication.
krb5 Uses Kerberos 5 for authentication.
line Uses the line password for authentication.
local Uses the local username database for authentication.
none Uses no authentication.
radius Uses RADIUS authentication.
tacacs+ Uses TACACS+ authentication.
krb5-telnet Uses Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router.

Note This command cannot be used with TACACS or extended TACACS.
Examples

The following example creates an AAA authentication list called MIS-access. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.

aaa authentication login MIS-access tacacs+ enable none

The following example creates the same list, but it sets it as the default list that is used for all login authentications if no other list is specified:

aaa authentication login default tacacs+ enable none

The following example sets authentication at login to use the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router:

aaa authentication login default KRB5-TELNET krb5
Related Commands

A dagger (+) indicates that this command is documented outside this chapter.

aaa authentication local-override
aaa new-model
login authentication
+

aaa authentication nasi

To specify AAA authentication for Netware Asynchronous Services Interface (NASI) clients connecting through the access server, use the aaa authentication nasi global configuration command. Use the no form of this command to disable authentication for NASI clients.

aaa authentication nasi {default | list-name} method1 [...[method4]]
no aaa authentication nasi{default | list-name} method1 [...[method4]]

Syntax Description
default Makes the listed authentication methods that follow this argument the default list of methods used when a user logs in.
list-name

Character string used to name the following list of authentication methods activated when a user logs in.
methods At least one and up to four of the methods described in Table 4.
Default

If the default list is not set, only the local user database is selected. This setting has the same effect as the following command:

aaa authentication nasi default local
Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

The default and optional list names that you create with the aaa authentication nasi command are used with the nasi authentication command.

Create a list by entering the aaa authentication nasi command, where list-name is any character string that names this list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries in the given sequence. Method keywords are described in Table 4.

To create a default list that is used if no list is assigned to a line with the nasi authentication command, use the default argument followed by the methods that you want to use in default situations.

The remaining methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.

If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the show running-config command to displays currently configured lists of authentication methods.


Table 4: AAA Authentication NASI Methods
Keyword Description
enable Uses the enable password for authentication.
line Uses the line password for authentication.
local Uses the local username database for authentication.
none Uses no authentication.
tacacs+ Uses TACACS+ authentication.

Note This command cannot be used with TACACS or extended TACACS.
Examples

The following example creates an AAA authentication list called list1. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.

aaa authentication nasi list1 tacacs+ enable none

The following example creates the same list, but sets it as the default list that is used for all login authentications if no other list is specified:

aaa authentication nasi default tacacs+ enable none
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

ipx nasi-server enable +
nasi authentication
show ipx nasi connections
+
show ipx spx-protocol +

aaa authentication password-prompt

To change the text displayed when users are prompted for a password, use the aaa authentication password-prompt global configuration command. Use the no form of this command to return to the default password prompt text.

aaa authentication password-prompt {text-string}
no aaa authentication password-prompt {text-string}

Syntax Description
text-string String of text that will be displayed when the user is prompted to enter a password. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your password:").
Default

This command is disabled by default.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.0.

Use the aaa authentication password-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a password. This command changes the password prompt for the enable password as well as for login passwords that are not supplied by remote security servers. The no form of this command returns the password prompt to the default value:

Password:

The aaa authentication password-prompt command does not change any dialog that is supplied by a remote TACACS+ or RADIUS server.

Example

The following example changes the text for the password prompt:

aaa authentication password-prompt "Enter your password now:"
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

aaa authentication username prompt
aaa new-model
enable password
+

aaa authentication ppp

To specify one or more AAA authentication methods for use on serial interfaces running Point-to-Point (PPP) and TACACS+, use the aaa authentication ppp global configuration command. Use the no form of this command to disable authentication.

aaa authentication ppp {default | list-name} method1 [...[method4]]
no aaa authentication ppp {default | list-name} method1 [...[method4]]

Syntax Description
default Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
list-name Character string used to name the following list of authentication methods tried when a user logs in.
method At least one and up to four of the keywords described in Table 5.
Default

If the default list is not set, only the local user database is checked. This command has the same effect as the following command:

aaa authentication ppp default local
Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

The lists that you create with the aaa authentication ppp command are used with the ppp authentication command. These lists contain up to four authentication methods that are used when a user tries to log in to the serial interface.

Create a list by entering the aaa authentication ppp list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries in the given sequence. You can enter up to four methods. Method keywords are described in Table 5.

The additional methods of authentication are only used if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authentication succeed even if all methods return an error.

If authentication is not specifically set for a function, the default is none and no authentication is performed. Use the show running-config command to display lists of authentication methods.


Table 5: AAA Authentication PPP Methods
Keyword Description
if-needed Does not authenticate if user has already been authenticated on a TTY line.
krb5 Uses Kerberos 5 for authentication (can only be used for PAP authentication).
local Uses the local username database for authentication.
none Uses no authentication.
radius Uses RADIUS authentication.
tacacs+ Uses TACACS+ authentication.

Note This command cannot be used with TACACS or extended TACACS.
Example

The following example creates an AAA authentication list called MIS-access for serial lines that use PPP. This authentication first tries to contact a TACACS+ server. If this action returns an error, the user is allowed access with no authentication.

aaa authentication MIS-access ppp tacacs+ none
Related Commands

A dagger (+) indicates that this command is documented outside this chapter.

aaa authentication local-override
aaa new-model
ppp authentication

aaa authentication username-prompt

To change the text displayed when users are prompted to enter a username, use the aaa authentication username-prompt global configuration command. Use the no form of this command to return to the default username prompt text.

aaa authentication username-prompt {text-string}
no aaa authentication username-prompt {text-string}

Syntax Description
text-string String of text that will be displayed when the user is prompted to enter a username. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your name:").
Default

This command is disabled by default.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.0.

Use the aaa authentication username-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a username. The no form of this command returns the username prompt to the default value:

Username:

Some protocols (for example, TACACS+) have the ability to override the use of local username prompt information. Using the aaa authentication username-prompt command will not change the username prompt text in these instances.


Note The aaa authentication username-prompt command does not change any dialog that is supplied by a remote TACACS+ server.
Example

The following example changes the text for the username prompt:

aaa authentication username-prompt "Enter your name here:"
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

aaa authentication password-prompt
aaa new-model
enable password
+

aaa authorization

Use the aaa authorization global configuration command to set parameters that restrict a user's network access. Use the no form of this command to disable authorization for a function.

aaa authorization {network | exec | command level} method
no aaa authorization {network | exec | command level}

Syntax Description
network Runs authorization for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARA protocol.
exec Runs authorization to determine if the user is allowed to run an EXEC shell. This facility might return user profile information such as autocommand information.
command Runs authorization for all commands at the specified privilege level.
level Specific command level that should be authorized. Valid entries are 0 through 15.
method One of the keywords in Table 6.
Default

Authorization is disabled for all actions (equivalent to the keyword none).

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.


Note There are five commands associated with privilege level 0: disable, enable, exit, help, and logout. If you configure AAA authorization for a privilege level greater than 0, these five commands will not be included in the privilege level command set.

Use the aaa authorization command to create at least one, and up to four, authorization methods that can be used when a user accesses the specified function. Method keywords are described in Table 6.


Note This command, along with aaa accounting, replaces the tacacs-server suite of commands in previous versions of TACACS.

The additional methods of authorization are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authorization succeed even if all methods return an error.

If authorization is not specifically set for a function, the default is none and no authorization is performed.


Table 6: AAA Authorization Methods
Keyword Description
tacacs+ Requests authorization information from the TACACS+ server.
if-authenticated Allows the user to access the requested function if the user is authenticated.
none No authorization is performed.
local Uses the local database for authorization.
radius Uses RADIUS to get authorization information.
krb5-instance Uses the instance defined by the Kerberos instance map command.

The authorization command causes a request packet containing a series of attribute value pairs to be sent to the TACACS daemon as part of the authorization process. The daemon can do one of the following:

Table 7 describes attribute value (AV) pairs associated with the aaa authorization command. Registered users can find more information about TACACS+ and attribute pairs on Cisco Connection Online (CCO).


Table 7: Supported TACACS+ AV Pairs
Attribute Description Cisco IOS Release
11.0
Cisco IOS Release11.1 Cisco IOS Release11.2
service=x The primary service. Specifying a service attribute indicates that this is a request for authorization or accounting of that service. Current values are slip, ppp, arap, shell, tty-daemon, connection, and system. This attribute must always be included. yes yes yes
protocol=x A protocol that is a subset of a service. An example would be any PPP NCP. Currently known values are lcp, ip, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, http, and unknown. yes yes yes
cmd=x A shell (EXEC) command. This indicates the command name for a shell command that is to be run. This attribute must be specified if service equals "shell." A NULL value indicates that the shell itself is being referred to. yes yes yes
cmd-arg=x An argument to a shell (EXEC) command. This indicates an argument for the shell command that is to be run. Multiple cmd-arg attributes may be specified, and they are order dependent. yes yes yes
acl=x ASCII number representing a connection access list. Used only when service=shell. yes yes yes
inacl=x ASCII identifier for an interface input access list. Used with service=ppp and protocol=ip. yes yes yes
inacl#<n> ASCII access list identifier for an input access list to be installed and applied to an interface for the duration of the current connect ion. Used with service=ppp and protocol=ip, and service service=ppp and protocol =ipx. no no 11.2(4)F
outacl=x ASCII identifier for an interface output access list. Used with service=ppp and protocol=ip, and service service=ppp and protocol=ipx. Contains an IP output access list for SLIP or PPP/IP (for example, outacl=4). The access list itself must be preconfigured on the router. Per-user access lists do not currently work with ISDN interfaces. yes (PPP/IP only) yes yes
outacl#<n> ACSII access list identifier for an interface output access list to be installed and applied to an interface for the duration of the current condition. Used with service=ppp and protocol=ip, and service service=ppp and protocol=ipx. no no 11.2(4)F
zonelist=x A numeric zonelist value. Used with service=arap. Specifies an AppleTalk zonelist for ARA (for example, zonelist=5). yes yes yes
addr=x A network address. Used with service=slip, service=ppp, and protocol=ip. Contains the IP address that the remote host should use when connecting via SLIP or PPP/IP. For example, addr=1.2.3.4. yes yes yes
addr-pool=x Specifies the name of a local pool from which to get the address of the remote host. Used with service=ppp and protocol=ip.

Note that addr-pool works in conjunction with local pooling. It specifies the name of a local pool (which must be preconfigured on the network access server). Use the ip-local pool command to declare local pools. For example:

ip address-pool local

ip local pool boo 1.0.0.1 1.0.0.10

ip local pool moo 2.0.0.1 2.0.0.20

You can then use TACACS+ to return addr-pool=boo or addr-pool=moo to indicate the address pool from which you want to get this remote node's address.

yes yes yes
routing=x Specifies whether routing information is to be propagated to, and accepted from this interface. Used with service=slip, service=ppp, and protocol=ip. Equivalent in function to the /routing flag in SLIP and PPP commands. Can either be true or false (for example, routing=true). yes yes yes
route Specifies a route to be applied to an interface. Used with service=slip, service=ppp, and protocol=ip.

During network authorization, the route attribute can be used to specify a per-user static route, to be installed by TACACS+ as follows:

route="dst_address mask [gateway]"

This indicates a temporary static route that is to be applied. dst_address, mask, and gateway are expected to be in the usual dotted-decimal notation, with the same meanings as in the familiar ip route configuration command on a network access server.

If gateway is omitted, the peer's address is the gateway. The route is expunged when the connection terminates.

no yes yes
route#<n> Like the route AV pair, this specifies a route to be applied to an interface, but these routes are numbered, allowing multiple routes to be applied. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx. no no 11.2(4)F
timeout=x The number of minutes before an ARA session disconnects (for example, timeout=60). A value of zero indicates no timeout. Used with service=arap. yes yes yes
idletime=x Sets a value, in minutes, after which an idle session is terminated. Does not work for PPP. A value of zero indicates no timeout. no yes yes
autocmd=x Specifies an autocommand to be executed at EXEC startup (for example, autocmd=telnet muruga.com). Used only with service=shell. yes yes yes
noescape=x Prevents user from using an escape character. Used with service=shell. Can be either true or false (for example, noescape=true). yes yes yes
nohangup=x Used with service=shell. Specifies the nohangup option. Can be either true or false (for example, nohangup=false). yes yes yes
priv-lvl=x Privilege level to be assigned for the EXEC. Used with service=shell. Privilege levels range from 0 to 15, with 15 being the highest. yes yes yes
callback-dialstring Sets the telephone number for a callback (for example: callback-dialstring=408-555-1212). Value is NULL, or a dial-string. A NULL value indicates that the service may choose to get the dialstring through other means. Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN. no yes yes
callback-line The number of a TTY line to use for callback (for example: callback-line=4). Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN. no yes yes
callback-rotary The number of a rotary group (between 0 and 100 inclusive) to use for callback (for example: callback-rotary=34). Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN. no yes yes
nocallback-verify Indicates that no callback verification is required. The only valid value for this parameter is 1 (for example, nocallback-verify=1). Used with service=arap, service=slip, service=ppp, service=shell. There is no authentication on callback. Not valid for ISDN. no yes yes
tunnel-id Specifies the username that will be used to authenticate the tunnel over which the individual user MID will be projected. This is analogous to the remote name in the vpdn outgoing command. Used with service=ppp and protocol=vpdn. no no yes
ip-addresses Space-separated list of possible IP addresses that can be used for the end-point of a tunnel. Used with service=ppp and protocol=vpdn. no no yes
nas-password Specifies the password for the network access server during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn. no no yes
gw-password Specifies the password for the home gateway during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn. no no yes
rte-ftr-in#<n> Specifies an input access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. no no 11.2(4)F
rte-ftr-out#<n> Specifies an output access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. no no yes 11.2(4)F
sap#<n> Specifies static Service Advertising Protocol (SAP) entries to be installed for the duration of a connection. Used with service=ppp and protocol=ipx. no no yes 11.2(4)F
sap-fltr-in#<n> Specifies an input SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx. no no yes 11.2(4)F
sap-fltr-out#<n> Specifies an output SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx. no no 11.2(4)F
pool-def#<n> Used to define IP address pools on the network access server. Used with service=ppp and protocol=ip. no no 11.2(4)F
source-ip=x Used as the source IP address of all VPDN packets generated as part of a VPDN tunnel. This is equivalent to the Cisco vpdn outgoing global configuration command. no no yes
Examples

The following example specifies that TACACS+ authorization is used for all network-related requests. If this authorization method returns an error (if the TACACS+ server cannot be contacted), no authorization is performed and the request succeeds.

aaa authorization network tacacs+ none

The following example specifies that TACACS+ authorization is run for level 15 commands. If this authorization method returns an error (that is, if the TACACS+ server cannot be contacted), no authorization is performed and the request succeeds.

aaa authorization command 15 tacacs+ none
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

aaa accounting +
aaa new-model

aaa authorization config-commands

To disable AAA configuration command authorization in the EXEC mode, use the no form of the aaa authorization config-commands global configuration command. Use the standard form of this command to reestablish the default created when the aaa authorization command level method command was issued.

aaa authorization config-commands
no aaa authorization config-commands

Syntax Description

This command has no arguments or keywords.

Default

After the aaa authorization command level method has been issued, this command is enabled by default--meaning that all configuration commands in the EXEC mode will be authorized.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

If aaa authorization command level method is enabled, all commands, including configuration commands, are authorized by AAA using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using no aaa authorization config-commands stops the network access server not from attempting configuration command authorization.

Once the no form of this command has been issued, AAA authorization of configuration commands is completely disabled. Care should be taken before issuing the no form of this command because it potentially reduces the amount of administrative control on configuration commands.

Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization command level method command.

Example

The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:

aaa new-model
aaa authorization command 15 tacacs+ none
no aaa authorization config-commands
Related Commands

aaa authorization

aaa new-model

To enable the AAA access control model, issue the aaa new-model global configuration command. Use the no form of this command to disable this functionality.

aaa new-model
no aaa new-model

Syntax Description

This command has no arguments or keywords.

Default

AAA is not enabled.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

This command enables the AAA access control system and TACACS+. If you initialize AAA functionality and later decide to use TACACS or extended TACACS, issue the no version of this command before you enable the version of TACACS that you want to use.

After enabling AAA/TACACS+ with the aaa new-model command, you must use the tacacs-server key command to set the authentication key used in all TACACS+ communications with the TACACS+ daemon.

Example

The following example initializes AAA and TACACS+:

aaa new-model
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

aaa accounting +
aaa authentication arap
aaa authentication enable default
aaa authentication local-override
aaa authentication login
aaa authentication ppp
aaa authorization
tacacs-server key

arap authentication

To enable AAA authentication for ARA on a line, use the arap authentication line configuration command. Use the no form of the command to disable authentication for an ARA line.

arap authentication {default | list-name}
no arap authentication {default | list-name}

 If you use a list-name value that was not configured with the aaa authentication arap command, ARA protocol will be disabled on this line.
Syntax Description
default Default list created with the aaa authentication arap command.
list-name Indicated list created with the aaa authentication arap command.
Default

ARA protocol authentication uses the default set with aaa authentication arap command. If no default is set, the local user database is checked.

Command Mode

Line configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.0.

This command is a per-line command that specifies the name of a list of AAA authentication methods to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line). You create defaults and lists with the aaa authentication arap command. Entering the no version of arap authentication has the same effect as entering the command with the default argument.

Before issuing this command, create a list of authentication processes by using the aaa authentication arap global configuration command.

Example

The following example specifies that the TACACS+ authentication list called MIS-access is used on ARA line 7:

line 7
arap authentication MIS-access
Related Command

aaa authentication arap

clear kerberos creds

Use the clear kerberos creds EXEC command to delete the contents of your credentials cache.

clear kerberos creds
Syntax Description

This command has no keywords or arguments.

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

Credentials are cleared when the user logs out.

Cisco supports Kerberos 5.

Example

The following example illustrates the clear kerberos creds command:

cisco-2500> show kerberos creds 
Default Principal: chet@cisco.com
Valid Starting          Expires                 Service Principal
18-Dec-1995 16:21:07    19-Dec-1995 00:22:24    krbtgt/CISCO.COM@CISCO.COM
cisco-2500> clear kerberos creds
cisco-2500> show kerberos creds 
No Kerberos credentials.
cisco-2500>
Related Command

show kerberos creds

enable last-resort

To specify what happens if the TACACS and extended TACACS servers used by the enable command do not respond, use the enable last-resort global configuration command. Use the no form of this command to restore the default.

enable last-resort {password | succeed}
no enable last-resort
{password | succeed}
Syntax Description
password Allows you to enter enable mode by entering the privileged command level password. A password must contain from 1 to 25 uppercase and lowercase alphanumeric characters.
succeed Allows you to enter enable mode without further question.
Default

Access to enable mode is denied.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

The secondary authentication is used only if the first attempt fails.


Note This command is not used in AAA/TACACS+, which uses the aaa authentication suite of commands instead.
Example

In the following example, if the TACACS servers do not respond to the enable command, the user can enable by entering the privileged level password:

enable last-resort password
Related Command

A dagger (+) indicates that the command is documented outside this chapter.

enable +

enable use-tacacs

To enable use of the TACACS to determine whether a user can access the privileged command level, use the enable use-tacacs global configuration command. Use the no form of this command to disable TACACS verification.

enable use-tacacs
no enable use-tacacs

 If you use the enable use-tacacs command, you must also use the tacacs-server authenticate enable command, or you will be locked out of the privileged command level.
Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

When you add this command to the configuration file, the EXEC enable command prompts for a new username and password pair. This pair is then passed to the TACACS server for authentication. If you are using extended TACACS, it also passes any existing UNIX user identification code to the server.


Note This command initializes TACACS. Use the tacacs server-extended command to initialize extended TACACS, or use the aaa new-model command to initialize AAA/TACACS+.
Example

The following example sets TACACS verification on the privileged EXEC-level login sequence:

enable use-tacacs
tacacs-server authenticate enable
Related Command

A dagger (+) indicates that the command is documented outside this chapter.

tacacs-server authenticate enable +

ip radius source-interface

Use the ip radius source-interface global configuration command to force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets. Use the no form of this command to disable use of a specified interface IP address.

ip radius source-interface subinterface-name
no ip radius source-interface

Syntax Description
subinterface-name Name of the interface that RADIUS uses for all of its outgoing packets.
Default

This command has no factory-assigned default.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

Use this command to set a subinterface's IP address to be used as the source address for all outgoing RADIUS packets. This address is used as long as the interface is in the up state. In this way, the RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses.

This command is especially useful in cases where the router has many interfaces, and you want to ensure that all RADIUS packets from a particular router have the same IP address.

The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, then RADIUS reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.

Example

The following example makes RADIUS use the IP address of subinterface s2 for all outgoing RADIUS packets:

ip radius source-interface s2
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

ip tacacs source-interface +
ip telnet source-interface +
ip tftp source-interface +

ip tacacs source-interface

Use the ip tacacs source-interface global configuration command to force TACACS to use the IP address of a specified interface for all outgoing TACACS packets. Use the no form of this command to disable use of a specified interface IP address.

ip tacacs source-interface subinterface-name
no ip tacacs source-interface

Syntax Description
subinterface-name Name of the interface that TACACS uses for all of its outgoing packets.
Default

This command has no factory-assigned default.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

Use this command to set a subinterface's IP address for all outgoing TACACS packets. This address is used as long as the interface is in the up state. In this way, the TACACS server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.

This command is especially useful in cases where the router has many interfaces, and you want to ensure that all TACACS packets from a particular router have the same IP address.

The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, TACACS reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.

Example

The following example makes TACACS use the IP address of subinterface s2 for all outgoing TACACS (TACACS, extended TACACS, or TACACS+) packets:

ip tacacs source-interface s2
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

ip radius source-interface +
ip telnet source-interface +
ip tftp source-interface +

kerberos clients mandatory

Use the kerberos clients mandatory global configuration command to cause the rsh, rcp, rlogin, and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server. Use the no form of this command to disable this option.

kerberos clients mandatory
no kerberos clients mandatory

Syntax Desctiption

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

User Guidelines

This command first appeared in Cisco IOS Release 11.2.

If this command is not configured and the user has Kerberos credentials stored locally, the rsh, rcp, rlogin, and telnet commands attempt to negotiate the Kerberos protocol with the remote server and will use the un-Kerberized protocols if unsuccessful.

If this command is not configured and the user has no Kerberos credentials, the standard protocols for rcp and rsh are used to negotiate the Keberos protocol.

Example

The following example illustrates the kerberos clients mandatory command:

kerberos clients mandatory
Related Commands

A dagger (+) indicates that this command is documented outside this chapter.

copy rcp +
kerberos credentials forward
rlogin
+
rsh +
telnet +

kerberos credentials forward

Use the kerberos credentials forward global configuration command to force all network application clients on the router to forward users' Kerberos credentials upon successful Kerberos authentication. Use the no form of this command to turn off Kerberos credentials forwarding.

kerberos credentials forward
no kerberos credentials forward

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Enable credentials forwarding to have users' TGTs forwarded to the host they authenticate to. In this way, users can connect to multiple hosts in the Kerberos realm without running the KINIT program each time they need to get a TGT.

Example

The following example illustrates the kerberos credentials forward command:

kerberos credentials forward 
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

copy rcp +
rlogin +
rsh +
telnet +

kerberos instance map

Use the kerberos instance map global configuration command to map Kerberos instances to Cisco IOS privilege levels. Use the no form of this command to remove a Kerberos instance map.

kerberos instance map instance privilege-level
no kerberos instance map
instance
Syntax Description
instance Name of a Kerberos instance.
privilege-level The privilege level at which a user is set if the user's Kerberos principle contains the matching Kerberos instance. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges.
Default

Privilege level 1

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Use this command to create user instances with access to administrative commands.

Example

In the following example, the privilege level is set to 15 for authenticated Kerberos users with the admin instance in Kerberos realm cisco.com:

kerberos instance map admin 15
Related Command

aaa authorization

kerberos local-realm

Use the kerberos local-realm global configuration command to specify the Kerberos realm in which the router is located. Use the no form of this command to remove the specified Kerberos realm from this router.

kerberos local-realm kerberos-realm
no kerberos local-realm

Syntax Description
kerberos-realm The name of the default Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase letters.
Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

The router can be located in more than one realm at a time. However, there can only be one instance of Kerberos local-realm. The realm specified with this command is the default realm.

Example

The following example illustrates the kerberos local realm command:

kerberos local-realm MURUGA.COM
Related Commands

kerberos preauth
kerberos realm
kerberos server
kerberos srvtab entry
kerberos srvtab remote

kerberos preauth

Use the kerberos preauth global configuration command to specify a preauthentication method to use to communicate with the KDC. Use the no form of this command to disable Kerberos preauthentication.

kerberos preauth [encrypted-unix-timestamp | none]
no kerberos preauth

Syntax Description
encrypted-unix-timestamp Use an encrypted UNIX timestamp as a quick authentication method when communicating with the KDC.
none Do not use Kerberos preauthentication.
Default

Disabled

Command Mode

Global Configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

It is more secure to use a preauthentication for communications with the KDC. However, communication with the KDC will fail if the KDC does not support this particular version of kerberos preauth. If that happens, turn off the preauthentication with the none option.

The no form of this command is equivalent to using then none keyword.

Example

The following example illustrates how to enable and disable Kerberos preauthentication:

kerberos preauth encrypted-unix-timestamp
kerberos preauth none 
Related Commands

kerberos local-realm
kerberos server
kerberos srvtab entry
kerberos srvtab remote

kerberos realm

Use the kerberos realm global configuration command to map a host name or Domain Naming System (DNS) domain to a Kerberos realm. Use the no form of this command to remove a Kerberos realm map.

kerberos realm {dns-domain | host} kerberos-realm
no kerberos realm {dns-domain | host} kerberos-realm

Syntax Description
dns-domain Name of a DNS domain or host.
host Name of a DNS host.
kerberos-realm Name of the Kerberos realm the specified domain or host belongs to.
Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

DNS domains are specified with a leading dot (.) character; hostnames cannot begin with a dot (.) character. There can be multiple entries of this line.

A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase letters. The router can be located in more than one realm at a time. Kerberos realm names must be in all uppercase characters.

Example

The following example illustrates the kerberos realm command:

kerberos realm .muruga.com MURUGA.COM
kerberos realm muruga.com MURUGA.COM
Related Commands

kerberos local-realm
kerberos server
kerberos srvtab entry
kerberos srvtab remote

kerberos server

Use the kerberos server global configuration command to specify the location of the Kerberos server for a given Kerberos realm. Use the no form of this command to remove a Kerberos server for a specified Kerberos realm.

kerberos server kerberos-realm {hostname | ip-address} [port-number]
no kerberos server kerberos-realm {hostname | ip-address}

Syntax Description
kerberos-realm Name of the Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase letters.
hostname Name of the host functioning as a Kerberos server for the specified Kerberos realm (translated into an IP address at the time of entry).
ip-address IP address of the host functioning as a Kerberos server for the specified Kerberos realm.
port-number (Optional) Port that the KDC/TGS monitors (defaults to 88).
Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

Example

The following example specifies 126.38.47.66 as the Kerberos server for the Kerberos realm MURUGA.COM:

kerberos server MURUGA.COM 126.38.47.66
Related Commands

kerberos local-realm
kerberos realm
kerberos srvtab entry
kerberos srvtab remote

kerberos srvtab entry

Use the kerberos srvtab remote global configuration command (not kerberos srvtab entry) to retrieve a SRVTAB file from a remoe host and automatically generate a Kerberos SRVTAB entry configuration. (The Kerberos SRVTAB entry is the router's locally stored SRVTAB.) Use the no form of this command to remove a SRVTAB entry from the router's configuration.

kerberos srvtab entry kerberos-principle principle-type timestamp key-version number
key-type
key-length encrypted-keytab
no kerberos srvtab entry
kerberos-principle principle-type
Syntax Description
kerberos-principle A service on the router.
principle-type Version of the Kerberos SRVTAB.
timestamp Number representing the date and time the SRVTAB entry was created.
key-version number Version of the encryption key format.
key-type Type of encryption used.
key-length Length, in bytes, of the encryption key.
encrypted-keytab Secret key the router shares with the KDC. It is encrypted with the private Data Encryption Standard (DES) key (if available) when you write out your configuration.
Command Mode

Global configuration.

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

When you use the kerberos srvtab remote command to copy the SRVTAB file from a remote host (generally the KDC), it parses the information in this file and stores it in the router's running configuration in the kerberos srvtab entry format. The key for each SRVTAB entry is encrypted with a private DES key if one is defined on the router. To ensure that the SRVTAB is available (that is, that it does not need to be acquired from the KDC) when you reboot the router, use the write memory router configuration command to write the router's running configuration to NVRAM.

If you reload a configuration, with a SRVTAB encrypted with a private DES key, on to a router that does not have a private DES key defined, the router displays a message informing you that the SRVTAB entry has been corrupted, and discards the entry.

If you change the private DES key and reload an old version of the router's configuration that contains SRVTAB entries encrypted with the old private DES keys, the router will restore your Kerberos SRVTAB entries, but the SRVTAB keys will be corrupted. In this case, you must delete your old Kerberos SRVTAB entries and reload your Kerberos SRVTABs on to the router using the kerberos srvtab remote command.

Although you can configure kerberos srvtab entry on the router manually, generally you would not do this because the keytab is encrypted automatically by the router when you copy the SRVTAB using the kerberos srvtab remote command.

Example

In the following example, host/new-router.loki.com@LOKI.COM is the host, 0 is the type, 817680774 is the timestamp, 1 is the version of the key, 1 indicates the DES is the encryption type, 8 is the number of bytes, and .cCN.YoU.okK is the encrypted key:

kerberos srvtab entry host/new-router.loki.com@LOKI.COM 0 817680774 1 1 8 .cCN.YoU.okK
Related Commands

kerberos srvtab remote
key config-key

kerberos srvtab remote

Use the kerberos srvtab remote configuration command to retrieve a krb5 SRVTAB file from the specified host.

kerberos srvtab remote {hostname | ip-address} {filename}
Syntax Description
hostname Machine with the Kerberos SRVTAB file.
ip-address IP address of the machine with the Kerberos SRVTAB file.
filename Name of the SRVTAB file.
Command Mode

Configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

When you use the kerberos srvtab remote command to copy the SRVTAB file from the remote host (generally the KDC), it parses the information in this file and stores it in the router's running configuration in the kerberos srvtab entry format. The key for each SRVTAB entry is encrypted with the private Data Encryption Standard (DES) key if one is defined on the router. To ensure that the SRVTAB is available (that is, that it does not need to be acquired from the KDC) when you reboot the router, use the write memory configuration command to write the router's running configuration to NVRAM.

Example

The command in the following example copies the SRVTAB file residing on bucket.cisco.com to a router named scooter.cisco.com:

kerberos srvtab remote bucket.cisco.com scooter.cisco.com-new-srvtab
Related Commands

kerberos srvtab entry
key config-key

key config-key

Use the key config-key global configuration command to define a private DES key for the router. Use the no form of this command to delete a private Data Encryption Standard (DES) key for the router.

key config-key 1 string
Syntax Description
string Private DES key (can be up to 8 alphanumeric characters).
Default

No DES-key defined.

Command Mode

Global configuration.

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

This command defines for the router a private DES key that will not show up in the router configuration. This private DES key can be used to DES-encrypt certain parts of the router's configuration.

  The private DES key is unrecoverable. If you encrypt part of your configuration with the private DES key and lose or forget the key, you will not be able to recover the encrypted data.
Example

The command in the following example sets bubba as the private DES key on the router:

key config-key 1 bubba
Related Commands

kerberos srvtab entry
kerberos srvtab remote

login tacacs

To configure your router to use TACACS user authentication, use the login tacacs line configuration command. Use the no form of this command to disable TACACS user authentication for a line.

login tacacs
no login tacacs

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Line configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

You can use TACACS security if you have configured a TACACS server and you have a command control language (CCL) script that allows you to use TACACS security. For information about using files provided by Cisco Systems to modify CCL scripts to support TACACS user authentication, refer to the "Configuring AppleTalk Remote Access" chapter in the Access Services Configuration Guide.


Note This command cannot be used with AAA/TACACS+. Use the login authentication command instead.
Example

In the following example, lines 1 through 16 are configured for TACACS user authentication:

line 1 16
login tacacs

nasi authentication

To enable TACACS+ authentication for NetWare Asynchronous Services Interface (NASI) clients connecting to a router, use the nasi authentication line configuration command. Use the no form of the command to return to the default, as specified by the aaa authentication nasi command.

nasi authentication {default | list-name}
no login authentication {default | list-name}

Syntax Description
default Uses the default list created with the aaa authentication nasi command.
list-name Uses the list created with the aaa authentication nasi command.
Default

Uses the default set with the aaa authentication nasi command.

Command Mode

Line configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

This command is a per-line command used with AAA authentication that specifies the name of a list of TACACS+ authentication methods to try at login. If no list is specified, the default list is used, even if it is specified in the command line. (You create defaults and lists with the aaa authentication nasi command.) Entering the no form of this command has the same effect as entering the command with the default argument.

 If you use a list-name value that was not configured with the aaa authentication nasi command, you will disable login on this line.

Before issuing this command, create a list of authentication processes by using the aaa authentication nasi global configuration command.

Examples

The following example specifies that the default AAA authentication be used on line 4:

line 4
nasi authentication default

The following example specifies that the AAA authentication list called list1 be used on line 7:

line 7
nasi authentication list1
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

aaa authentication nasi
ipx nasi-server enable
+
show ipx nasi connections +
show ipx spx-protocol +

ppp authentication

To enable Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP) or both and to specify the order in which CHAP and PAP authentication are selected on the interface, use the ppp authentication interface configuration command. Use the no form of the command to disable this authentication.

ppp authentication {chap | chap pap | pap chap | pap } [if-needed] [list-name | default]
[
callin]

no ppp authentication

Syntax Description
chap Enables CHAP on a serial interface.
pap Enables PAP on a serial interface.
chap pap Enables both CHAP and PAP, and performs CHAP authentication before PAP.
pap chap Enables both CHAP and PAP, and performs PAP authentication before CHAP.
if-needed (Optional) Used with TACACS and extended TACACS. Does not perform CHAP or PAP authentication if the user has already provided authentication. This option is available only on asychronous interfaces.
list-name (Optional) Used with AAA/TACACS+. Specifies the name of a list of TACACS+ methods of authentication to use. If no list name is specified, the system uses the default. The list is created with the aaa authentication ppp command.
default The name of the method list is created with the aaa authentication ppp command.
callin Specifies authentication on incoming (received) calls only.
 

If you use a list-name value that was not configured with the aaa authentication ppp command, you will disable PPP on this interface.
Default

PPP authentication is not enabled.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

When you enable CHAP or PAP Authentication, or both, the local router requires the remote device to prove its identity before allowing data traffic to flow. PAP Authentication requires the remote device to send a name and password, which is checked against a matching entry in the local username database or in the remote TACACS/TACACS+ database. CHAP Authentication sends a Challenge to the remote device. The remote device encrypts the challenge value with a shared secret and returns the encrypted value and its name to the local Router in a Response message. The local router attempts to match the remote device's name with an associated secret stored in the local username or remote TACACS/TACACS+ database; it uses the stored secret to encrypt the original challenge and verify that the encrypted values match.

You can enable PAP or CHAP, or both, in either order. If you enable both methods, the first method specified is requested during link negotiation. If the peer suggests using the second method, or refuses the first method, the second method is tried. Some remote devices support only CHAP, and some support only PAP. Base the order in which you specify methods on the remote device's ability to correctly negotiate the appropriate method, and on the level of data line security you require. PAP usernames and passwords are sent as cleartext strings, which can be intercepted and reused. CHAP has eliminated most of the known security holes.

Enabling or disabling PPP authentication does not affect the local router's willingness to authenticate itself to the remote device.

If you are using autoselect on a TTY line, you probably want to use the ppp authentication command to turn on PPP authentication for the corresponding interface.

Example

The following example enables CHAP on asynchronous interface 4 and uses the authentication list MIS-access:

interface async 4
encapsulation ppp
ppp authentication chap MIS-access
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

aaa authentication ppp
aaa new-model
autoselect
+
encapsulation ppp +
ppp use-tacacs
username
+

ppp chap hostname

Use the ppp chap hostname interface configuration command to create a pool of dialup routers that all appear to be the same host when authenticating with CHAP. To disable this function, use the no form of the command.

ppp chap hostname hostname
no ppp chap hostname hostname

Syntax Description
hostname The name sent in the CHAP challenge.
Default

Disabled. The router name is sent in any CHAP challenges.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Currently, a router dialing a pool of access routers requires a username entry for each possible router in the pool because each router challenges with its hostname. If a router is added to the dialup rotary pool, all connecting routers must be updated. The ppp chap hostname command allows you to specify a common alias for all routers in a rotary group to use so that only one username must be configured on the dialing routers.

This command is normally used with local CHAP authentication (when the router authenticates to the peer), but it can also be used for remote CHAP authentication.

Example

The commands in the following example identify the dialer interface 0 as the dialer rotary group leader and specifies ppp as the method of encapsulation used by all member interfaces. CHAP authentication is used on received calls only. The username ISPCorp will be sent in all CHAP challenges and responses.

interface dialer 0
encapsulation ppp
ppp authentication chap callin
ppp chap hostnmae ISPCorp
Related Commands

aaa authentication ppp
ppp authentication
ppp chap password
ppp pap

ppp chap password

Use the ppp chap password interface configuration command to enable a router calling a collection of routers that do not support this command (such as routers running older Cisco IOS software images) to configure a common CHAP secret password to use in response to challenges from an unknown peer. To disable this function, use the no form of this command.

ppp chap password secret
no chap password secret

Syntax Description
secret The secret used to compute the response value for any CHAP challenge from an unknown peer.
Default

Disabled.

Command Mode

Interface configuration.

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

This command allows you to replace several username and password configuration commands with a single copy of this command on any dialer interface or asynchronous group interface.

This command is used for remote CHAP authentication only (when routers authenticate to the peer) and does not affect local CHAP authentication.

Example

The commands in the following example specify Integrated Services Digital Network (ISDN) Basic Rate Interface (BRI) number 0. The method of encapsulation on the interface is PPP. If a CHAP challenge is received from a peer whose name is not found in the global list of usernames, the encrypted secret 7 1267234591 is decrypted and used to create a CHAP response value.

interface bri 0
encapsulation ppp
ppp chap password 7 1234567891 
Related Commands

aaa authentication ppp
ppp authentication
ppp chap hostname
ppp pap

ppp pap sent-username

To reenable remote PAP support for an interface and use the sent-username and password in the PAP authentication request packet to the peer, use the ppp pap sent-username interface configuration command. Use the no form of this command to disable remote PAP support.

ppp pap sent-username username password password
no ppp pap sent-username

Syntax Description
username Username sent in the PAP authentication request.
password Password sent in the PAP authentication request.
password Must contain from 1 to 25 uppercase and lowercase alphanumeric characters.
Default

Remote PAP support disabled.

Command Mode

You must configure this command for each interface.

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Use this command to reenable remote PAP support (for example to respond to the peer's request to authenticate with PAP) and to specify the parameters to be used when sending the PAP Authentication Request.

This is a per-interface command.

Example

The commands in the following example identify dialer interface 0 as the dialer rotary group leader and specify PPP as the method of encapsulation used by the interface. Authentication is by CHAP or PAP on received calls only. ISPCor is the username sent to the peer if the peer requires the router to authenticate with PAP.

interface dialer0
encapsulation ppp
ppp authentication chap pap callin
ppp chap hostname ISPCor
ppp pap sent username ISPCorp password 7 fjhfeu
ppp pap sent-username ISPCorp password 7 1123659238
Related Commands

aaa authentication ppp
ppp authentication
ppp chap hostname
ppp chap password
ppp use-tacacs

ppp use-tacacs

To enable TACACS for PPP authentication, use the ppp use-tacacs interface configuration command. Use the no form of the command to disable TACACS for PPP authentication.

ppp use-tacacs [single-line]
no ppp use-tacacs


Note This command is not used in AAA/TACACS+. It has been replaced with the aaa authentication ppp command.
Syntax Description
single-line (Optional) Accept the username and password in the username field. This option applies only when using CHAP authentication.
Default

TACACS is not used for PPP authentication.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

This is a per-interface command. Use this command only when you have set up an extended TACACS server.

When CHAP authentication is being used, the ppp use-tacacs command with the single-line option specifies that if a username and password are specified in the username, separated by an asterisk (*), a standard TACACS login query is performed using that username and password. If the username does not contain an asterisk, then normal CHAP authentication is performed.

This feature is useful when integrating TACACS with other authentication systems that require a cleartext version of the user's password. Such systems include one-time password systems, token card systems, and Kerberos.

 Normal CHAP authentications prevent the cleartext password from being transmitted over the link. When you use the single-line option, passwords cross the link as cleartext.

If the username and password are contained in the CHAP password, the CHAP secret is not used by the Cisco IOS software. Because most PPP clients require that a secret be specified, you can use any arbitrary string, and the Cisco IOS software ignores it.

Examples

In the following example, asynchronous serial interface 1 is configured to use TACACS for CHAP authentication:

interface async 1
ppp authentication chap
ppp use-tacacs

In the following example, asynchronous serial interface 1 is configured to use TACACS for PAP authentication:

interface async 1
ppp authentication pap
ppp use-tacacs
Related Commands

ppp authentication
tacacs-server extended
tacacs-server host

radius-server dead-time

To improve RADIUS response times when some servers might be unavailable, use the radius-server dead-time global configuration command to cause the unavailable servers to be skipped immediately. Use the no form of this command to set dead-time to 0.

radius-server dead-time minutes
no radius-server dead-time

Syntax Description
minutes Length of time a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).
Default

Dead time is set to 0.

Command Mode

Global configuration

Usage Guidelines

Use this command to cause the Cisco IOS to mark as "dead" RADIUS servers that fail to respond to authentication requests, thus avoiding the wait for the request to time out before trying the next configured server. A RADIUS server marked as "dead" is skipped by additional requests for the duration of minutes or unless there are no servers not marked "dead."

Example

The following example specifies 5 minutes dead-time for RADIUS servers that fail to respond to authentication requests.

radius-server dead-time 5
Related Commands

radius-server host
radius-server retransmit
radius-server timeout

radius-server extended-portnames

To display expanded interface information in the NAS-Port-Type attribute, use the radius-server extended-portnames global configuration command. Use the no form of this command to disable this feature.

radius-server extended-portnames
no radius-server extended-portnames

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

There are some situations when PPP or login authentication occurs on an interface different from the interface on which the call itself comes in. For example, in a V.120 ISDN call, login or PPP authentication occurs on a virtual asynchronous interface "ttt" but the call itself occurs on one of the channels of the ISDN interface. Use the radius-server extended-portnames command to configure RADIUS to change the setting of the NAS-Port command to 32 bits and to display extended interface information. The upper 16 bits of this attribute then display the type and number of the controlling interface; the lower 16 bits indicate the interface undergoing authentication.

Example

The following example specifies that RADIUS will display extended interface information:

radius-server extended-portnames
Related Commands

You can use the master indexes or search online to find documentation of related commands.

radius-server host
radius-server retransmit
radius-server timeout

radius-server host

To specify a RADIUS server host, use the radius-server host global configuration command. Use the no form of this command to delete the specified RADIUS host.

radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number]
no radius-server host {hostname | ip-address}

Syntax Description
hostname DNS name of the RADIUS server host.
ip-address IP address of the RADIUS server host.
auth-port Specifies the UDP destination port for authentication requests.
port-number Port number for authentication requests; the host is not used for authentication if set to 0.
acct-port Specifies the UDP destination port for accounting requests.
port-number Port number for accounting requests; the host is not used for accounting if set to 0.
Default

No RADIUS host is specified.

Command Mode

Global configuration

Usage Guidelines

You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order you specify them.

Example

The following example specifies host1 as the RADIUS server and uses default ports for both accounting and authentication.

radius-server host host1.company.com

The following example specifies port 12 as the destination port for authentication requests and port 16 as the destination port for accounting requests on a RADIUS host named host1:

radius-server host host1.company.com auth-port 12 acct-port 16

Note that because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.

To use separate servers for accounting and authentication, use the zero port value as appropriate. The following example specifies that RADIUS server host1 be used for accounting but not for authentication, and that RADIUS server host2 be used for authentication but not for accounting:

       radius-server host host1.company.com auth-port 0
       radius-server host host2.company.com acct-port 0
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

aaa accounting +
aaa authentication
aaa authorization
login authentication
+
login tacacs
ppp
+
ppp authentication
slip
+
tacacs-server
username
+

radius-server key

Use the radius-server key global configuration command to set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon. Use the no form of the command to disable the key.

radius-server key {string}
no radius-server key

Syntax Description
string (Optional) The key used to set authentication and encryption.
This key must match the encryption used on the RADIUS daemon.
Default

Disabled

Command Mode

Global Configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

After enabling AAA authentication with the aaa new-model command, you must set the authentication and encryption key using the radius-server key command.


Note Specify a RADIUS key after you issue the aaa newmodel command.

The key entered must match the key used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

Example

The following example illustrates how to set the authentication and encryption key to "dare to go":

radius-server key dare to go
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

login authentication +
login tacacs
ppp
+
ppp authentication
slip
+
tacacs-server
username
+

radius-server retransmit

To specify the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up, use the radius-server retransmit global configuration command. Use the no form of this command to disable retransmission.

radius-server retransmit retries
no radius-server retransmit

Syntax Description
retries Maximum number of retransmission attempts.
Default

Three retries

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

The Cisco IOS software tries all servers, allowing each one to time out before increasing the retransmit count.

Example

The following example specifies a retransmit counter value of five times:

radius-server retransmit 5

radius-server timeout

To set the interval a router waits for a server host to reply, use the radius-server timeout global configuration command. Use the no form of this command to restore the default.

radius-server timeout seconds
no radius-server timeout

Syntax Description
seconds Integer that specifies the timeout interval in seconds.
Default

5 seconds

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

Example

The following example changes the interval timer to 10 seconds:

radius-server timeout 10
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

login authentication +
login tacacs
ppp
+
ppp authentication+
slip +
tacacs-server +
username +

show kerberos creds

Use the show kerberos creds EXEC command to display the contents of your credentials cache.

show kerberos creds
Syntax Description

This command has no keywords or arguments.

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

The show kerberos creds command is equivalent to the UNIX klist command.

When users authenticate themselves with Kerberos, they are issued an authentication ticket called a credential. The credential is stored in a credential cache.

Sample Displays

In the following example, the entries in the credentials cache are displayed:

Router> show kerberos creds 
Default Principal: chet@cisco.com
Valid Starting          Expires                 Service Principal
18-Dec-1995 16:21:07    19-Dec-1995 00:22:24    krbtgt/CISCO.COM@CISCO.COM

In the following example, output is returned that acknowledges that credentials do not exist in the credentials cache:

Router> show kerberos creds
No Kerberos credentials
Related Command

clear kerberos creds

show privilege

To display your current level of privilege, use the show privilege EXEC command.

show privilege
Syntax Description

This command has no arguments or keywords.

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

Sample Display

The following is sample output from the show privilege command. The current privilege level is 15.

Router# show privilege
Current privilege level is 15
Related Command

A dagger (+) indicates that the command is documented outside this chapter.

enable password +

tacacs-server attempts

To control the number of login attempts that can be made on a line set up for TACACS, Extended TACACS, or TACACS+ verification, use the tacacs-server attempts global configuration command. Use the no form of this command to remove this feature and restore the default.

tacacs-server attempts count
no tacacs-server attempts

Syntax Description

count Integer that sets the number of attempts. The default is 3 attempts.

Default

Three attempts

Command Mode

Global configuration

Example

The following example changes the login attempt to just one try:

tacacs-server attempts 1

tacacs-server authenticate

To configure the Cisco IOS software to indicate whether a user can perform an attempted action under TACACS and extended TACACS, use the tacacs-server authenticate global configuration command.

tacacs-server authenticate {connection [always]enable | slip [always] [access-lists]}
Syntax Description
connection Configures a required response when a user makes a TCP connection.
enable Configures a required response when a user enters the enable command.
slip Configures a required response when a user starts a SLIP or PPP session.
always (Optional) Performs authentication even when a user is not logged in. This option only applies to the slip keyword.
access-lists (Optional) Requests and installs access lists. This option only applies to the slip keyword.
Command Mode

Global configuration

Usage Guidelines

The tacacs-server authenticate [connection | enable] command first appeared in Cisco IOS Release 10.0. The tacacs-server authenticate {connection [always]enable | slip [always] [access-lists]} command first appeared in Cisco IOS Release 10.3.

Enter one of the keywords to specify the action (when a user enters enable mode, for example).

Before you use the tacacs-server authenticate command, you must enable the tacacs-server extended command.


Note This command is not used in AAA/TACACS+. It has been replaced by the aaa authorization command.
Example

The following example configures TACACS logins that authenticate users to use Telnet or rlogin:

tacacs-server authenticate connect
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

enable secret +
enable use-tacacs

tacacs-server directed-request

To send only a username to a specified server when a direct request is issued in association with TACACS, Extended TACACS, and TACACS+, use the tacacs-server directed-request global configuration command. Use the no form of this command to disable the direct-request feature.

tacacs-server directed-request
no tacacs-server directed-request

Syntax Description

This command has no arguments or keywords.

Default

Enabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

This command sends only the portion of the username before the "@" symbol to the host specified after the "@" symbol. In other words, with the directed-request feature enabled, you can direct a request to any of the configured servers, and only the username is sent to the specified server.

Disabling tacacs-server directed-request causes the whole string, both before and after the "@" symbol, to be sent to the default tacacs server. When the directed-request feature is disabled, the router queries the list of servers, starting with the first one in the list, sending the whole string, and accepting the first response that it gets from the server. The tacacs-server directed-request command is useful for sites that have developed their own TACACS server software that parses the whole string and makes decisions based on it.

With tacacs-server directed-request enabled, only configured TACACS servers can be specified by the user after the "@" symbol. If the host name specified by the user does not match the IP address of a TACACS server configured by the administrator, the user input is rejected.

Use no tacacs-server directed-request to disable the ability of the user to choose between configured TACACS servers and to cause the entire string to be passed to the default server.

Example

The following example enables tacacs-server directed-request so that the entire user input is passed to the default TACACS server:

no tacacs-server directed-request

tacacs-server extended

To enable an extended TACACS mode, use the tacacs-server extended global configuration command. Use the no form of this command to disable the mode.

tacacs-server extended
no tacacs-server extended

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

This command initializes extended TACACS. To initialize AAA/TACACS+, use the aaa new-model command.

Example

The following example enables extended TACACS mode:

tacacs-server extended

tacacs-server host

To specify a TACACS, Extended TACACS, or TACACS+ host, use the tacacs-server host global configuration command. Use the no form of this command to delete the specified name or address.

tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]
no tacacs-server host hostname

Syntax Description
hostname Name or IP address of the host.
single-connection Specify that the router maintain a single open connection for confirmation from a AAA/TACACS+ server (CiscoSecure Release 1.0.1 or later). This command contains no autodetect and fails if the specified host is not running a CiscoSecure daemon.
port Specify a server port number.
integer Port number of the server (in the range 1 to 10,000).
timeout Specify a timeout value. This overrides the global timeout value set with the tacacs-server timeout command for this server only.
integer Integer value, in seconds, of the timeout interval.
key Specify an authentication and encryption key. This must match the key used by the TACACS+ daemon. Specifying this key overrides the key set by the global command tacacs-server key for this server only.
string Character string specifying authentication and encryption key.
Default

No TACACS host is specified.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

You can use multiple tacacs-server host commands to specify additional hosts. The Cisco IOS software searches for hosts in the order in which you specify them. Use the single-connection, port, timeout, and key options only when running a AAA/TACACS+ server.

Because some of the parameters of the tacacs-server host command override global settings made by the tacacs-server timeout and tacacs-server key commands, you can use this command to enhance security on your network by uniquely configuring individual routers.

Examples

The following example specifies a TACACS host named Sea_Change:

tacacs-server host Sea_Change

The following example specifies that, for AAA confirmation, the router consult the CiscoSecure TACACS+ host named Sea_Cure on port number 51. The timeout value for requests on this connection is 3 seconds; the encryption key is a_secret.

tacacs-server host Sea_Cure single-connection port 51 timeout 3 key a_secret
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

login tacacs
ppp
+
slip +
tacacs-server key
tacacs-server timeout

tacacs-server key

Use the tacacs-server key global configuration command to set the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon. Use the no form of the command to disable the key.

tacacs-server key key
no tacacs-server key
[key]
Syntax Description
key Key used to set authentication and encryption. This key must match the key used on the TACACS+ daemon.
Command Mode

Global Configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

After enabling AAA with the aaa new-model command, you must set the authentication and encryption key using the tacacs-server key command.

The key entered must match the key used on the TACACS+ daemon. All leading spaces are ignored; spaces within and at the end of the key are not. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

Example

The following example illustrates how to set the authentication and encryption key to "dare to go":

tacacs-server key dare to go
Related Commands

aaa new-model
tacacs-server host

tacacs-server last-resort

To cause the network access server to request the privileged password as verification for TACACS or Extended TACACS, or to allow successful login without further input from the user, use the tacacs-server last-resort global configuration command. Use the no tacacs-server last-resort command to restore the system to the default behavior.

tacacs-server last-resort {password | succeed}
no tacacs-server last-resort
{password | succeed}
Syntax Description
password Allows the user to access the EXEC command mode by entering the password set by the enable command.
succeed Allows the user to access the EXEC command mode without further question.
Default

If, when running the TACACS server, the TACACS server does not respond, the default action is to deny the request.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Use the tacacs-server last-resort command to be sure that login can occur; for example, when a systems administrator needs to log in to troubleshoot TACACS servers that might be down.


Note This command is not used in AAA/TACACS+.
Example

The following example forces successful login:

tacacs-server last-resort succeed
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

enable password +
login (EXEC) +

tacacs-server login-timeout

To specify how long the system will wait for login input (such as username and password) before timing out, use the tacacs-server login-timeout global configuration command. Use the no form of this command to restore the default value of 30 seconds.

tacacs-server login-timeout seconds
no tacacs-server login-timeout
seconds
Syntax Description
seconds Integer that determines the number of seconds the system will wait for login input before timing out. Available settings are from 1 to 300 seconds.
Default

The default login timeout value is 30 seconds.

Command Mode

Global configuration

Usage Guidelines

With aaa new-model enabled, the default login timeout value is 30 seconds. The tacacs-server login-timeout command lets you change this timeout value from 1 to 300 seconds. To restore the default login timeout value of 30 seconds, use the no tacacs-server login-timeout command.

Example

The following example changes the login timeout value to 60 seconds:

tacacs login 60

tacacs-server notify

To cause a message to be transmitted to the server with retransmission being performed by a background process for up to 5 minutes whenusing TACACS or Extended TACACS, use the tacacs-server notify global configuration command . Use the no form of this command to disable notification.

tacacs-server notify {connection [always] | enable | logout [always] | slip [always]}
no tacacs-server notify

Syntax Description
connection Specifies that a message be transmitted when a user makes a TCP connection.
always (Optional) Sends a message even when a user is not logged in. This option applies only to SLIP or PPP sessions and can be used with the logout or slip keywords.
enable Specifies that a message be transmitted when a user enters the enable command.
logout Specifies that a message be transmitted when a user logs out.
slip Specifies that a message be transmitted when a user starts a SLIP or PPP session.
Default

No message is transmitted to the TACACS server.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0. The always and slip commands first appeared in Cisco IOS Release 11.0.

The terminal user receives an immediate response, allowing access to the feature specified. Enter one of the keywords to specify notification of the TACACS server upon receipt of the corresponding action (when user logs out, for example).


Note This command is not used in AAA/TACACS+. It has been replaced by the
aaa accounting suite of commands.
Example

The following example sets up notification of the TACACS server when a user logs out:

tacacs-server notify logout

tacacs-server optional-passwords

To specify that the first TACACS request to a TACACS or Extended TACACS server be made without password verification, use the tacacs-server optional-passwords global configuration command. Use the no form of this command to restore the default.

tacacs-server optional-passwords
no tacacs-server optional-passwords

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

When the user enters in the login name, the login request is transmitted with the name and a zero-length password. If accepted, the login procedure completes. If the TACACS server refuses this request, the server software prompts for a password and tries again when the user supplies a password. The TACACS server must support authentication for users without passwords to make use of this feature. This feature supports all TACACS requests--login, SLIP, enable, and so on.


Note This command is not used by AAA/TACACS+.
Example

The following example configures the first login to not require TACACS verification:

tacacs-server optional-passwords

tacacs-server retransmit

To specify the number of times the Cisco IOS software searches the list of TACACS or Extended TACACS server hosts before giving up, use the tacacs-server retransmit global configuration command. Use the no form of this command to disable retransmission.

tacacs-server retransmit retries
no tacacs-server retransmit

Syntax Description
retries Integer that specifies the retransmit count.
Default

Two retries

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

The Cisco IOS software will try all servers, allowing each one to time out before increasing the retransmit count.

Example

The following example specifies a retransmit counter value of five times:

tacacs-server retransmit 5

tacacs-server timeout

To set the interval that the server waits for a TACACS, Extended TACACS, or TACACS+ server to reply, use the tacacs-server timeout global configuration command. Use the no form of this command to restore the default.

tacacs-server timeout seconds
no tacacs-server timeout

Syntax Description
seconds Integer that specifies the timeout interval in seconds (between 1 and 300).
Default

5 seconds

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Example

The following example changes the interval timer to 10 seconds:

tacacs-server timeout 10
Related Command

tacacs-server host

hometocprevnextglossaryfeedbacksearchhelp
Copyright 1989-1998 © Cisco Systems Inc.