IBM Books

Using and Configuring Features Version 3.3


Configuring Authentication

This chapter describes the configuration and operational commands for authentication. It includes the following sections:

  Accessing the Authentication Configuration Prompt
  Authentication Configuration Commands

Accessing the Authentication Configuration Prompt

To access the Authent config > prompt:

  1. Enter talk 6 at the * prompt.

  2. Enter feature auth at the Config > prompt.

Authentication Configuration Commands

Table 29 lists the commands available at the Authent config > prompt.

Table 29. Authentication Configuration Commands
Command Function
? (Help) Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
Disable Disables accounting for AAA.
List Displays the AAA configuration parameters.
Login Configures AAA for login.
Nets-info Displays information about local PPP authentication.
Password-rules Configures password rules (enables or disables).
PPP Configures AAA for PPP.
Quickset Configures the authentication method quickly.
Servers Configures individual remote AAA servers.
Set Configures Authentication parameters regardless of type.
Tunnel Configures AAA for L2TP tunnels.
User-profile Configures local PPP users.
Exit Returns you to the previous command level. See "Exiting a Lower Level Environment".

Disable

Use the disable command to disable accounting.

Syntax:

disable
accounting

List

Use the list command to display the AAA parameters.

Syntax:

list
accounting

authentication

authorization

all

config

Example:

AAA Config> list all
ppp AAA configuration...
 ppp authentication        : Radius        serv01
   authorizeAuthent          YES       
   Primary server address    1.1.1.1
   Secondary server address  2.2.2.2
     Request tries           3
     Request interval        3
   Key for encryption        <notSet>
 ppp authorization         : locallist            
 ppp accounting            : Disabled      
tunnel AAA configuration...
 tunnel authentication     : Radius        serv01
   authorizeAuthent          YES       
   Primary server address    1.1.1.1
   Secondary server address  2.2.2.2
     Request tries           3
     Request interval        3
   Key for encryption        <notSet>
 tunnel authorization      : Radius        serv01
   authorizeAuthent          YES       
   Primary server address    1.1.1.1
   Secondary server address  2.2.2.2
     Request tries           3
     Request interval        3
   Key for encryption        <notSet>
 tunnel accounting         : Disabled      
login AAA configuration...
 login authentication      : Radius        serv01
   authorizeAuthent          YES       
   Primary server address    1.1.1.1
   Secondary server address  2.2.2.2
     Request tries           3
     Request interval        3
   Key for encryption        <notSet>
 login authorization       : Radius        serv01
   authorizeAuthent          YES       
   Primary server address    1.1.1.1
   Secondary server address  2.2.2.2
     Request tries           3
     Request interval        3
   Key for encryption        <notSet>
 login accounting          : Radius        serv01
   authorizeAuthent          YES       
   Primary server address    1.1.1.1
   Secondary server address  2.2.2.2
     Request tries           3
     Request interval        3
   Key for encryption        <notSet>
 
AAA Config> list accounting all
accounting AAA configuration...
 accounting ppp            : Disabled      
 accounting tunnel         : Disabled      
 accounting login          : Radius        serv01
   authorizeAuthent          YES       
   Primary server address    1.1.1.1
   Secondary server address  2.2.2.2
     Request tries           3
     Request interval        3
   Key for encryption        <notSet>
AAA Config> list accounting config
accounting ppp            : Disabled      
accounting login          : Radius        serv01
accounting tunnel         : Disabled      
 
AAA Config> list authentication all
authentication AAA configuration...
 authentication ppp        : Radius        serv01
   authorizeAuthent          YES       
   Primary server address    1.1.1.1
   Secondary server address  2.2.2.2
     Request tries           3
     Request interval        3
   Key for encryption        <notSet>
 authentication tunnel     : Radius        serv01
   authorizeAuthent          YES       
   Primary server address    1.1.1.1
   Secondary server address  2.2.2.2
     Request tries           3
     Request interval        3
   Key for encryption        <notSet>
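The listing format above is regular enough to audit in bulk across many routers. The following is an added example, not part of the IBM documentation, that parses a `list all` listing and flags the settings a reviewer would query: accounting disabled, a RADIUS or TACACS+ profile whose key is still <notSet>, and a remote profile with no secondary server. The sample listing is constructed to mirror the documented output; the parser, the function names and the lowercased method names (radius, tacacs, tacacsplus) are assumptions about how the output is laid out rather than anything the page states.

```python
"""Audit of `list all` output from the Authent config> prompt.

Added example, not part of the IBM documentation.  It parses the listing
layout shown above (one header line per service/function, followed by
indented server parameters) and flags what a reviewer would query:
accounting disabled, a RADIUS or TACACS+ profile whose key is <notSet>,
and a remote profile with no secondary server.  SAMPLE_LISTING is
constructed to mirror the documented output; serv01 and the addresses
are the page's placeholders.
"""
import re

SAMPLE_LISTING = """\
ppp AAA configuration...
 ppp authentication        : Radius        serv01
   authorizeAuthent          YES
   Primary server address    1.1.1.1
   Secondary server address  2.2.2.2
     Request tries           3
     Request interval        3
   Key for encryption        <notSet>
 ppp authorization         : locallist
 ppp accounting            : Disabled
login AAA configuration...
 login authentication      : Radius        serv01
   authorizeAuthent          YES
   Primary server address    1.1.1.1
   Secondary server address  0.0.0.0
     Request tries           3
     Request interval        3
   Key for encryption        <notSet>
 login authorization       : local
 login accounting          : Disabled
"""

# " ppp authentication        : Radius        serv01"  -> service, function, method, server
HEADER = re.compile(r"^ (\w+) (authentication|authorization|accounting)\s*:\s*(\S+)(?:\s+(\S+))?")
# "   Primary server address    1.1.1.1"  -> parameter name, value
PARAM = re.compile(r"^\s{3,}(.+?)\s{2,}(\S.*)$")

# profile types that carry key-for-encryption (assumed spelling of the listed method names)
REMOTE_WITH_KEY = {"radius", "tacacsplus"}
REMOTE_TYPES = {"radius", "tacacs", "tacacsplus"}


def parse_listing(text):
    """Return {(service, function): {"method": ..., "server": ..., <parameter>: <value>}}."""
    entries = {}
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            service, function, method, server = m.groups()
            current = {"method": method, "server": server}
            entries[(service, function)] = current
            continue
        m = PARAM.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return entries


def audit(entries):
    """Return (service, function, finding) triples in a stable order."""
    findings = []
    for (service, function), cfg in sorted(entries.items()):
        method = cfg["method"].lower()
        server = cfg.get("server") or method
        if function == "accounting" and method == "disabled":
            findings.append((service, function, "accounting disabled: no session records"))
        if method in REMOTE_WITH_KEY and cfg.get("Key for encryption", "<notSet>") == "<notSet>":
            findings.append((service, function, f"{server}: key for encryption not set"))
        if method in REMOTE_TYPES and cfg.get("Secondary server address", "0.0.0.0") == "0.0.0.0":
            findings.append((service, function, f"{server}: no secondary server configured"))
    return findings


if __name__ == "__main__":
    for service, function, finding in audit(parse_listing(SAMPLE_LISTING)):
        print(f"{service:6} {function:14} {finding}")
```

Feed the function the captured output of `list all` from each router; the (service, function) key lets the findings be diffed against an expected baseline.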
 

Login

Use the login command to configure AAA for login.

Table 30 lists the subcommands available with the login command.

Table 30. Login Subcommands
Command Function
Disable Disables accounting for login.
List Displays the AAA configuration parameters for login.
Set Sets the AAA configuration parameters for login.

Disable

Use the login disable command to disable accounting for login.

Syntax:

login disable
accounting

List

Use the login list command to display the AAA configuration parameters for login.

Syntax:

login list
all

accounting

authentication

authorization

config

Set

Use the login set command to configure authentication parameters.

Syntax:

login set
aaa

accounting

authentication

authorization

aaa authtype
Sets the authentication, authorization, and accounting type. Authtype is one of the following:

local
Sets the authentication, authorization, and accounting type to use a locally-maintained user database.

remote
Sets the authentication, authorization, and accounting type to use a remote user database.

server id
Specifies the identifier of the remote database.

accounting authtype
Sets the accounting type. Authtype is one of the following:

remote
Sets the accounting type to send accounting records to a remote AAA server.

server id
Specifies the identifier of the remote database.

authentication authtype
Sets the authentication type. Authtype is one of the following:

local
Sets the authentication type to use a locally-maintained user database.

remote
Sets the authentication type to use a remote user database.

server id
Specifies the identifier of the remote database.

authorization authtype
Sets the authorization type. Authtype is one of the following:

local
Sets the authorization type to use a locally-maintained user database.

remote
Sets the authorization type to use a remote user database.

server id
Specifies the identifier of the remote database.

Nets-info

Use the nets-info command to display the currently configured PPP authentication protocol on each PPP interface.

Syntax:

nets-info

Password-rules

Use the password-rules command to enable or disable the individual rules that are applied when a password is set or changed.

Table 31 lists the subcommands available with the password-rules command.

Table 31. Password-rules Subcommands
Command Function
Disable Disables a password rule.
Enable Enables a password rule.
List Displays the current state of the password rules (enabled or disabled).

Disable

Use the password-rules disable command to disable any or all of the password rules.

Syntax:

password-rules disable
all

compare-ident-prev

change-days

first-non-numeric

ident-chars

last-non-numeric

lockout

minimum-length

one-alpha

one-nonalpha

prev-three

userid-contained

compare-ident-prev
Compares the previous user identity with the user requesting a password change.

change-days
The maximum number of days before a password change is required.

Valid values: 0 to 360

Default value: 180

first-non-numeric
The first character of a password cannot be numeric.

Valid values: any non-numeric character

Default value: none

ident-chars
Cannot contain more than 3 characters used in a previous password in the same position.

last-non-numeric
The last character in the password cannot be numeric.

Valid values: any non-numeric character

Default value: none

lockout
The number of times you can try a password before you are locked out.

Valid values: 0 to 360

Default value: 3

minimum-length
The least number of characters required to have a valid password.

Valid values: 1 to 31

Default value: 8

maximum-length
The maximum number of characters a password can contain.

Valid values: 1 to 31

Default value: 8

one-alpha
At least one character in the password must be an alpha.

one-nonalpha
At least one character in the password must be non-alphabetic (for example, a digit or a punctuation character).

prev-three
The password cannot be the same as any of the last three passwords.

userid-contained
The password cannot contain the userid as a part of the password.

Enable

Use the password-rules enable command to enable any or all of the password rules. See the disable command for a list of password rule descriptions.

Syntax:

password-rules enable
all

compare-ident-prev

change-days

first-non-numeric

ident-chars

last-non-numeric

lockout

minimum-length

one-alpha

one-nonalpha

prev-three

userid-contained

List

Use the password-rules list command to display the current state of the password rules (disabled or enabled).

Syntax:

password-rules list
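To make the rules concrete, the following added example (not code from the router) models each password rule as a predicate and reports which enabled rules a candidate password violates. Rule names and the minimum-length default of 8 are taken from the page; the sample user ids, passwords and password history are constructed. Assumptions: one-nonalpha is read as requiring a non-alphabetic character (matching the rule name), userid-contained is checked case-insensitively, and change-days and lockout, which depend on account state rather than on the candidate password, are not modelled.

```python
"""Model of the password-rules checks listed above.

Added example, not code from the router.  It encodes each password rule
as a predicate so the effect of enabling or disabling a rule can be seen
on sample passwords.  Rule names and the minimum-length default (8) are
the page's; the sample user ids, passwords and history are constructed.
change-days and lockout depend on account state, not on the candidate
password, and are left out.
"""

DEFAULT_MIN_LENGTH = 8    # page default for minimum-length
IDENT_CHARS_LIMIT = 3     # ident-chars: at most 3 characters may repeat a previous password in position


def _ident_chars_ok(candidate, previous):
    """ident-chars: no previous password shares more than 3 positions with the candidate."""
    return all(
        sum(1 for a, b in zip(candidate, old) if a == b) <= IDENT_CHARS_LIMIT
        for old in previous
    )


# name -> predicate(candidate, userid, previous_passwords, min_length), True when the rule is satisfied
RULES = {
    "minimum-length":    lambda pw, uid, prev, n: len(pw) >= n,
    "first-non-numeric": lambda pw, uid, prev, n: bool(pw) and not pw[0].isdigit(),
    "last-non-numeric":  lambda pw, uid, prev, n: bool(pw) and not pw[-1].isdigit(),
    "one-alpha":         lambda pw, uid, prev, n: any(c.isalpha() for c in pw),
    # assumption: "non-alphabetic" as the rule name says, not only digits
    "one-nonalpha":      lambda pw, uid, prev, n: any(not c.isalpha() for c in pw),
    # assumption: case-insensitive match of the user id
    "userid-contained":  lambda pw, uid, prev, n: uid.lower() not in pw.lower(),
    "prev-three":        lambda pw, uid, prev, n: pw not in prev[:3],
    "ident-chars":       lambda pw, uid, prev, n: _ident_chars_ok(pw, prev),
}


def check_password(candidate, userid, previous=(), enabled=("all",), min_length=DEFAULT_MIN_LENGTH):
    """Return the names of the enabled rules the candidate violates (empty list = accepted).

    previous: earlier passwords, most recent first.  enabled: rule names as
    given to `password-rules enable`; "all" enables every modelled rule.
    """
    active = set(RULES) if "all" in enabled else set(enabled)
    previous = list(previous)
    return [name for name, ok in RULES.items()
            if name in active and not ok(candidate, userid, previous, min_length)]


if __name__ == "__main__":
    history = ["Tr0ub4dor", "Summer!x"]          # constructed password history for user alice
    for pw in ("Summer2024", "alice123x", "Tr0ub4dox", "Zebra!Hat"):
        print(f"{pw:12} -> {check_password(pw, 'alice', history) or 'accepted'}")
```

The returned list mirrors what `password-rules list` would show as enabled, so disabling a rule on the router and dropping it from `enabled` here should reject the same passwords.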

PPP

Use the ppp command to configure AAA for PPP.

Table 32 lists the subcommands available with the ppp command.

Table 32. PPP Subcommands
Command Function
Disable Disables accounting for PPP.
List Displays the AAA configuration parameters for PPP.
Set Sets the AAA configuration parameters for PPP.

Disable

Use the ppp disable command to disable accounting for PPP.

Syntax:

ppp disable
accounting

List

Use the ppp list command to display the AAA configuration parameters for PPP.

Syntax:

ppp list
all

accounting

authentication

authorization

config

Set

Use the ppp set command to set the AAA configuration parameters for PPP.

Syntax:

ppp set
aaa

accounting

authentication

authorization

aaa authtype
Sets the authentication, authorization, and accounting type. Authtype is one of the following:

local
Sets the authentication, authorization, and accounting type to use a locally-maintained user database.

remote
Sets the authentication, authorization, and accounting type to use a remote user database.

server id
Specifies the identifier of the remote database.

accounting authtype
Sets the accounting type. Authtype is one of the following:

remote
Sets the accounting type to send accounting records to a remote AAA server.

server id
Specifies the identifier of the remote database.

authentication authtype
Sets the authentication type. Authtype is one of the following:

local
Sets the authentication type to use a locally-maintained user database.

remote
Sets the authentication type to use a remote user database.

server id
Specifies the identifier of the remote database.

authorization authtype
Sets the authorization type. Authtype is one of the following:

local
Sets the authorization type to use a locally-maintained user database.

remote
Sets the authorization type to use a remote user database.

server id
Specifies the identifier of the remote database.

Servers

Use the servers command to configure individual remote AAA servers.

Table 33 lists the subcommands available with the servers command.

Table 33. Server Subcommands
Command Function
Add Adds a remote AAA server profile.
Change Changes a remote server profile.
Delete Deletes a remote server profile.
List Displays the AAA server profile information.

Add

Use the servers add command to add a remote server profile.

Syntax:

servers add
name

radius
Sets the authentication type to use the radius authentication server protocol.

Values for the following parameters can be set:

key-for-encryption:
Specifies the shared secret that the router and the RADIUS server use to validate each other's packets and to hide the user password in authentication requests. It must match the secret configured on the server; until one is set, list displays it as <notSet>.

Valid Values: Any alphanumeric character string up to 32 characters long.

Default Value: None.

primary-server-address:
Specifies the address of the primary authentication server.

Valid Values: Any valid IP address

Default Value: 0.0.0.0

retries
Number of times a request is resent to the server before the request is considered failed.

Valid Values: 1 to 100

Default Value: 3

retry-interval
Time to wait between retries.

Valid Values: 1 to 60

Default Value: 3

secondary-server-address:
Specifies the address of the secondary authentication server.

Valid Values: Any valid IP address

Default Value: 0.0.0.0

Author-Authent
Specifies whether authorization attributes are transferred during authentication.

Valid Values: yes, no

Default Value: yes

tacacs
Sets the authentication type to use the TACACS authentication server protocol.

Values for the following parameters can be set:

primary-server-address:
Specifies the address of the primary authentication server.

Valid Values: Any valid IP address

Default Value: 0.0.0.0

retries
Number of times a request is resent to the server before the request is considered failed.

Valid Values: 1 to 100

Default Value: 3

retry-interval
Time to wait between retries.

Valid Values: 1 to 60

Default Value: 3

secondary-server-address:
Specifies the address of the secondary authentication server.

Valid Values: Any valid IP address

Default Value: 0.0.0.0

tacacsplus
Sets the authentication type to use the TACACS+ authentication server protocol.

Values for the following parameters can be set:

encryption:
Specifies whether encryption will be used.

Valid Values: yes, no

Default Value:

key-for-encryption:
Specifies the encryption key to be used.

Valid Values: Any 16-hexadecimal digit value

Default Value:

primary-server-address:
Specifies the address of the primary authentication server.

Valid Values: Any valid IP address

Default Value: 0.0.0.0

privilege-level
The privilege level sent in TACACS+ authentication requests.

Valid Values: 0 through 15

Default Value: 0

restarts
Sets the number of restarts. This parameter does not include timeout restarts and only pertains to restarts requested by the server.

Valid Values: 0 to 3200

Default Value: 0

time-to-connect
The amount of time to allow to obtain the authentication from the server.

Valid Values: 1 to 60

Default Value: 9

secondary-server-address:
Specifies the address of the secondary authentication server.

Valid Values: Any valid IP address

Default Value: 0.0.0.0
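The key-for-encryption value is what protects a captured RADIUS or TACACS+ exchange and the credentials inside it. The following added example (not IBM code) shows how the two protocols use the shared key: the User-Password hiding and Response Authenticator of RFC 2865, and the body obfuscation of RFC 8907 for TACACS+. The secret, Request Authenticator, session id and candidate wordlist are constructed, and the function names are the example's own. Note that the plain tacacs profile type above carries no key at all, and that a profile whose key remains <notSet> or is guessable gives no protection for anything the router forwards.

```python
"""What the shared key in a RADIUS or TACACS+ server profile protects.

Added example, not IBM code.  It implements the two places RFC 2865
(RADIUS) uses the shared secret, User-Password hiding and the Response
Authenticator, and the body obfuscation of RFC 8907 (TACACS+), with a
constructed secret, Request Authenticator and session id.  guess_secret
shows why a guessable key is equivalent to none.
"""
import hashlib
import os


def radius_hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad the password to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ q for p, q in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def radius_reveal_password(hidden, secret, request_auth):
    """Inverse of radius_hide_password: the shared secret is all that is needed."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(p ^ q for p, q in zip(block, pad)), block
    return out.rstrip(b"\x00")


def radius_response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The router accepts a reply only if this matches, so this is also what an
    attacker must reproduce to forge an Access-Accept."""
    length = (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(bytes([code, ident]) + length + request_auth + attrs + secret).digest()


def guess_secret(code, ident, attrs, request_auth, response_auth, candidates):
    """Offline test of candidate secrets against a captured reply: the candidate
    that reproduces the Response Authenticator is the shared secret."""
    for cand in candidates:
        if radius_response_authenticator(code, ident, attrs, request_auth, cand) == response_auth:
            return cand
    return None


def tacacs_plus_obfuscate(body, key, session_id, version, seq_no):
    """RFC 8907 4.5: pad_1 = MD5(session_id + key + version + seq_no),
    pad_i = MD5(... + pad_{i-1}); body XOR pad.  Applying it twice restores the body."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(p ^ q for p, q in zip(body, pad))


if __name__ == "__main__":
    secret = b"serv01-weak"                       # constructed, deliberately guessable
    ra = os.urandom(16)                           # Request Authenticator, random per request
    hidden = radius_hide_password(b"Str0ng!Passphrase", secret, ra)
    resp = radius_response_authenticator(2, 1, b"", ra, secret)   # Access-Accept, id 1, no attributes
    found = guess_secret(2, 1, b"", ra, resp, [b"secret", b"radius", b"serv01-weak"])
    print("secret recovered from captured reply:", found)
    print("user password recovered:", radius_reveal_password(hidden, found, ra))
```

guess_secret needs nothing but a captured request and its reply, which is why the key should be long and random rather than a word, and why a profile still showing <notSet> in the list output should be treated as a finding rather than a default.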

Change

Use the servers change command to change a remote server profile. See the add command for the remote server profile descriptions.

Syntax:

servers change
radius

tacacs

tacacsplus

Delete

Use the servers delete command to delete a remote server profile. See the add command for the remote server profile descriptions.

Syntax:

servers delete
radius

tacacs

tacacsplus

List

Use the servers list command to display the AAA server profile information.

Syntax:

servers list
all

names

profile

Set

Use the set command to set the AAA parameters for login, PPP, and L2TP tunnel at once. The login set, ppp set, and tunnel set commands set the same parameters for one service at a time.

Syntax:

set
aaa

accounting

authentication

authorization

aaa authtype
Sets the authentication, authorization, and accounting type. Authtype is one of the following:

local
Sets the authentication, authorization, and accounting type to use a locally-maintained user database.

remote
Sets the authentication, authorization, and accounting type to use a remote user database.

server id
Specifies the identifier of the remote database.

accounting authtype
Sets the accounting type for login, PPP, and tunnel. Authtype is one of the following:

remote
Sets the accounting type to send accounting records to a remote AAA server.

server id
Specifies the identifier of the remote database.

authentication authtype
Sets the authentication type for login, PPP, tunnel. Authtype is one of the following:

local
Sets the authentication type to use a locally-maintained user database.

remote
Sets the authentication type to use a remote user database.

server id
Specifies the identifier of the remote database.

authorization authtype
Sets the authorization type for login, PPP, and tunnel. Authtype is one of the following:

local
Sets the authorization type to use a locally-maintained user database.

remote
Sets the authorization type to use a remote user database.

server id
Specifies the identifier of the remote database.

Tunnel

Use the tunnel command to configure AAA for L2TP tunnel.

Table 34 lists the subcommands available with the tunnel command.

Table 34. Tunnel Subcommands
Command Function
Disable Disables accounting for L2TP tunnel.
List Displays AAA configuration parameters for L2TP tunnel.
Set Sets the AAA configuration parameters for L2TP tunnel.

Disable

Use the tunnel disable command to disable accounting for L2TP tunnel.

Syntax:

tunnel disable
accounting

List

Use the tunnel list command to display the AAA configuration parameters for L2TP tunnel.

Syntax:

tunnel list
all

accounting

authentication

authorization

config

Set

Use the tunnel set command to set the AAA configuration parameters for L2TP tunnel.

Syntax:

tunnel set
aaa

accounting

authentication

authorization

aaa authtype
Sets the authentication, authorization, and accounting type. Authtype is one of the following:

local
Sets the authentication, authorization, and accounting type to use a locally-maintained user database.

remote
Sets the authentication, authorization, and accounting type to use a remote user database.

server id
Specifies the identifier of the remote database.

accounting authtype
Sets the accounting type. Authtype is one of the following:

remote
Sets the accounting type to send accounting records to a remote AAA server.

server id
Specifies the identifier of the remote database.

authentication authtype
Sets the authentication type. Authtype is one of the following:

local
Sets the authentication type to use a locally-maintained user database.

remote
Sets the authentication type to use a remote user database.

server id
Specifies the identifier of the remote database.

authorization authtype
Sets the authorization type. Authtype is one of the following:

local
Sets the authorization type to use a locally-maintained user database.

remote
Sets the authorization type to use a remote user database.

server id
Specifies the identifier of the remote database.

User-profile

Use the user-profile command to access the User profile config> command prompt. From this prompt, you can access the following commands.

Table 35. User-profile Configuration Commands
Command Function
? (Help) Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
Add Adds a PPP user profile.
Change Changes a PPP user profile.
Delete Deletes a PPP user profile.
Disable Disables a PPP user profile.
Enable Enables a PPP user profile.
List Lists the PPP user profile information.
Report Generates a PPP user profile report.
Reset-user Resets a PPP user profile.
Exit Returns you to the previous command level. See "Exiting a Lower Level Environment".

Add

Use the user-profile add command to add the profile of a remote user to the local PPP user database, or to give a tunnel peer access to the router through an IP network.

Syntax:

add
ppp-user

tunnel

ppp-user
Adds the user profile of a remote user to the local PPP user database. You can add up to 500 users. Add a PPP user for each remote router or DIALS client that can connect to the device you are configuring.

See Add in the chapter "The CONFIG Process (CONFIG - Talk 6) and Commands" in Access Integration Services Software User's Guide for a description of the command syntax and options.

Example:

Config> add ppp-user
Enter name:  [ ]? pppusr01
Password:
Enter again to verify: 
Allow inbound access for user? (Yes, No): [yes] 
Will user be tunneled? (Yes, No): [No] 
Number of days before account expiry[0-1000] [0]? 10
Number of grace logins allowed after an expiry[0-100] [0]? 5
IP address: [0.0.0.0]? 1.1.1.1
Set ECP encryption key for this user? (Yes, No): [No] no
Disable user ? (Yes, No): [No]
 
     PPP user name: pppusr01
   User IP address: 1.1.1.1 
      Virtual Conn: disabled
        Encryption: disabled
            Status: enabled
    Login Attempts: 0
    Login Failures: 0
  Lockout Attempts: 0
   Account expires: Sun 17Feb2036 06:28:16
  Account duration: 10 days  00.00.00
   Password Expiry: <unlimited>
 
User 'pppusr01' has been added
 

Example:

Config> add ppp-user
Enter name:  [ ]? tunusr01
Password:
Enter again to verify: 
Allow inbound access for user? (Yes, No): [yes] 
Will user be tunneled? (Yes, No): [No] yes
Enter hostname to use when connection to this peer: []? host01
Tunnel-Server endpoint address: [0.0.0.0]? 1.1.1.1
 
           PPP user name: tunusr01
                Endpoint: 1.1.1.1
                Hostname: host01
 
User 'tunusr01' has been added
 

tunnel
Gives a tunnel peer access through an IP network to the router. The peer is then authorized to initiate tunneled PPP sessions into the router.

See Add in the chapter "Configuring the CONFIG Process" in Access Integration Services Software User's Guide for a description of the command syntax and options.

Example:

Config> add tunnel
Enter name:  []? tunnel02
Enter hostname to use when connecting to this peer: []? host02
Set shared secret? (Yes, No): [No]? yes
Shared secret for tunnel authentication:
Enter again to verify:
Tunnel-Server endpoint address: [0.0.0.0]? 2.2.2.22
 
       Tunnel name: tunnel02
          Endpoint: 2.2.2.22
 

Change

Use the change command to change a user-profile.

Syntax:

change
ppp-user

tunnel

Delete

Use the delete command to delete a user-profile.

Syntax:

delete
ppp-user

tunnel

Disable

Use the disable command to disable a user-profile.

Syntax:

disable
name

Enable

Use the enable command to enable a user-profile.

Syntax:

enable
name

List

Use the list command to list user-profile information.

Syntax:

list
ppp-user

tunnel

Example:

User profile config> list ppp-user
List  (Name, Verb, User, Addr, Encr, zdump): [Verb] 
     PPP user name: ppp01              
            Expiry: <unlimited> 
   User IP address: Interface Default 
        Encryption: Not Enabled
            Status: Enabled
    Login Attempts: 0
    Login Failures: 0
  Lockout Attempts: 0
1 record displayed.

List
Selects the listing format; the prompt accepts one of the values below.

Valid values: name, verb, user, addr, encr, zdump

Default value: verb

PPP user name
Lists the user name.

Expiry
Lists the expiration date of the account.

User IP address
Lists the user's IP address.

Encryption
Lists whether encryption is enabled or not enabled.

Status
Lists whether the profile is enabled or disabled.

Login attempts
Lists the number of times the user has attempted to log in.

Login failures
Lists the number of failed login attempts.

Lockout attempts
Lists the number of lockout attempts.

Report

Use the report command to generate a PPP user profile report.

Syntax:

report
addresses

all

callback

dump

encrypt

name

password

time

user

Example:

User profile config> report addresses
PPP user name      User IP address   
-----------------  ------------------
ppp01              Interface Default   
1 record displayed.
 
User profile config> report all
     PPP user name: ppp01              
            Expiry: <unlimited> 
   User IP address: Interface Default 
        Encryption: Not Enabled
            Status: Enabled
    Login Attempts: 0
    Login Failures: 0
  Lockout Attempts: 0
1 record displayed.
 
User profile config> report callback
PPP user name      Callback type        Phone Number        
-----------------  -------------------  --------------------
ppp01              
1 record displayed.
 
User profile config> report dump
Enter user name:  []? user01
 
User profile config> report encrypt
PPP user name      Encryption     
-----------------  ---------------
ppp01              Not Enabled
1 record displayed.
 
User profile config> report name
PPP user name      
-----------------  
ppp01              
1 record displayed.
 
User profile config> report password
PPP user name      Expiry        Grace 
-----------------  ------------  ------
ppp01              <unlimited> 
1 record displayed.
 
User profile config> report time
PPP user name      Time alotted       
-----------------  -------------------
ppp01              
1 record displayed.
 
User profile config> report user
Enter user name:  []? login01
     PPP user name: login01            
        Expiry: <unlimited> 
   User IP address: Interface Default 
        Encryption: Not Enabled
 

Reset-user

Use the reset-user command to reset a user-profile.

Syntax:

reset-user
name

