aaa authentication banner
To configure a personalized banner that will be displayed at user login, use the aaa authentication banner command in global configuration mode. To remove the banner, use the no form of this command.
aaa authentication banner d string d
no aaa authentication banner
Syntax Description
d
Any delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
string
Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.
Command Default
Not enabled
Command Modes
Global configuration
Command History
11.3(4)T: This command was introduced.
12.2(33)SRA: This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX: This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
Use the aaa authentication banner command to create a personalized message that appears when a user logs in to the system. This message or banner will replace the default message for user login.
To create a login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
Note
The AAA authentication banner message is not displayed if TACACS+ is the first method in the method list.
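The delimiter rule above has a practical consequence: the banner text ends at the first repeat of the delimiter, so a delimiter character that slips into the intended message truncates the banner and leaves the rest of the line unused. The following parser, an added example that is not part of the Cisco documentation, applies the same rule to aaa authentication banner and aaa authentication fail-message lines and reports the truncation, the missing closing delimiter, and the 2996-character limit quoted on this page. It assumes single-line banners and a non-blank delimiter; the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Limit quoted on the page: at most 2996 characters can be displayed.
MAX_BANNER_CHARS = 2996


@dataclass
class ParsedBanner:
    command: str        # "banner" or "fail-message"
    delimiter: str      # the d character chosen by the administrator
    text: str           # what the device will display
    trailing: str       # anything after the closing delimiter (not displayed)
    error: Optional[str]


def parse_banner_line(line: str) -> ParsedBanner:
    """Parse one 'aaa authentication banner d string d' or
    'aaa authentication fail-message d string d' line (single-line banners
    only and a non-blank delimiter; both are assumptions of this example).

    The first non-blank character after the keyword is the delimiter and the
    banner text runs up to the next occurrence of that same character, which is
    why the delimiter can never appear inside the displayed text."""
    m = re.match(r"\s*aaa\s+authentication\s+(banner|fail-message)\s+(.*)$", line)
    if not m:
        return ParsedBanner("", "", "", "", "not an aaa authentication banner/fail-message line")
    command, rest = m.group(1), m.group(2)
    if not rest:
        return ParsedBanner(command, "", "", "", "missing delimiter")
    delim, body = rest[0], rest[1:]
    end = body.find(delim)
    if end == -1:
        return ParsedBanner(command, delim, body, "", "closing delimiter not found")
    text, trailing = body[:end], body[end + 1:]
    error = None
    if len(text) > MAX_BANNER_CHARS:
        error = f"banner text is {len(text)} characters; maximum is {MAX_BANNER_CHARS}"
    elif trailing.strip():
        # The delimiter occurred inside the intended message: the banner is cut
        # short and the remainder of the line is not part of the displayed text.
        error = f"text after the closing delimiter is not displayed: {trailing!r}"
    return ParsedBanner(command, delim, text, trailing, error)


# Constructed sample lines, including the page's own two examples.
SAMPLE_LINES = [
    "aaa authentication banner *Unauthorized use is prohibited.*",
    "aaa authentication fail-message *Failed login. Try again.*",
    "aaa authentication banner *Access restricted * authorized staff only*",
    "aaa authentication banner #no closing delimiter",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        p = parse_banner_line(sample)
        print(f"{p.command:12} delim={p.delimiter!r} text={p.text!r} error={p.error}")
```

The third sample shows the failure mode: with the asterisk as delimiter, only "Access restricted " is displayed and the remainder is reported, which is the check to run before pushing a banner that must carry the full notice.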
Examples
The following example shows the default login message if aaa authentication banner is not configured. (RADIUS is specified as the default login authentication method.)
aaa new-model
aaa authentication login default group radius
This configuration produces the following standard output:
User Verification Access
Username:
Password:
The following example configures a login banner (in this case, the phrase “Unauthorized use is prohibited.”) that will be displayed when a user logs in to the system. In this case, the asterisk (*) symbol is used as the delimiter. (RADIUS is specified as the default login authentication method.)
aaa new-model
aaa authentication banner *Unauthorized use is prohibited.*
aaa authentication login default group radius
This configuration produces the following login banner:
Unauthorized use is prohibited.
Username:
Related Commands
Command
Description
aaa authentication fail-message
Configures a personalized banner that will be displayed when a user fails login.
aaa authentication dot1x
To specify one or more authentication, authorization, and accounting (AAA) methods for use on interfaces running IEEE 802.1X, use the aaa authentication dot1x command in global configuration mode. To disable authentication, use the no form of this command.
Syntax Description
default
Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
listname
Character string used to name the list of authentication methods tried when a user logs in.
method1 [method2...]
At least one of these keywords:
enable--Uses the enable password for authentication.
group radius--Uses the list of all RADIUS servers for authentication.
line--Uses the line password for authentication.
local--Uses the local username database for authentication.
local-case--Uses the case-sensitive local username database for authentication.
none--Uses no authentication. The client is automatically authenticated by the switch without using the information supplied by the client.
Command Default
No authentication is performed.
Command Modes
Global configuration
Command History
12.1(6)EA2: This command was introduced for the Cisco Ethernet switch network module.
12.2(15)ZJ: This command was implemented on the following platforms for the Cisco Ethernet Switch Module: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series.
12.3(2)XA: This command was introduced on the following Cisco router platforms: Cisco 806, Cisco 831, Cisco 836, Cisco 837, Cisco 1701, Cisco 1710, Cisco 1721, Cisco 1751-V, and Cisco 1760.
12.3(4)T: This command was integrated into Cisco IOS Release 12.3(4)T. Router support was added for the following platforms: Cisco 1751, Cisco 2610XM - Cisco 2611XM, Cisco 2620XM - Cisco 2621XM, Cisco 2650XM - Cisco 2651XM, Cisco 2691, Cisco 3640, Cisco 3640A, and Cisco 3660.
12.2(33)SRA: This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX: This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
The method argument identifies the list of methods that the authentication algorithm tries in the given sequence to validate the password provided by the client. The only method that is truly 802.1X-compliant is the group radius method, in which the client data is validated against a RADIUS authentication server. The remaining methods enable AAA to authenticate the client by using locally configured data. For example, the local and local-case methods use the username and password that are saved in the Cisco IOS configuration file. The enable and line methods use the enable and line passwords for authentication.
If you specify group radius, you must configure the RADIUS server by entering the radius-server host global configuration command. If you are not using a RADIUS server, you can use the local or local-case methods, which access the local username database to perform authentication. By specifying the enable or line methods, you can supply the clients with a password to provide access to the switch.
Use the show running-config privileged EXEC command to display the configured lists of authentication methods.
Examples
The following example shows how to enable AAA and how to create an authentication list for 802.1X. This authentication first tries to contact a RADIUS server. If this action returns an error, the user is allowed access with no authentication:
Router(config)# aaa new-model
Router(config)# aaa authentication dot1x default group radius none
Related Commands
Command
Description
debug dot1x
Displays 802.1X debugging information.
identity profile default
Creates an identity profile and enters dot1x profile configuration mode.
show dot1x
Displays details for an identity profile.
show dot1x (EtherSwitch)
Displays 802.1X statistics, administrative status, and operational status for the switch or for the specified interface.
aaa authentication fail-message
To configure a personalized banner that will be displayed when a user fails login, use the aaa authentication fail-message command in global configuration mode. To remove the failed login message, use the no form of this command.
aaa authentication fail-message d string d
no aaa authentication fail-message
Syntax Description
d
The delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
string
Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.
Command Default
Not enabled
Command Modes
Global configuration
Command History
11.3(4)T: This command was introduced.
12.2(33)SRA: This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX: This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
Use the aaa authentication fail-message command to create a personalized message that appears when a user fails login. This message will replace the default message for failed login.
To create a failed-login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
Examples
The following example shows the default login message and failed login message that are displayed if aaa authentication banner and aaa authentication fail-message are not configured. (RADIUS is specified as the default login authentication method.)
aaa new-model
aaa authentication login default group radius
This configuration produces the following standard output:
User Verification Access
Username:
Password:
% Authentication failed.
The following example configures both a login banner (“Unauthorized use is prohibited.”) and a login-fail message (“Failed login. Try again.”). The login message will be displayed when a user logs in to the system. The failed-login message will display when a user tries to log in to the system and fails. (RADIUS is specified as the default login authentication method.) In this example, the asterisk (*) is used as the delimiting character.
aaa new-model
aaa authentication banner *Unauthorized use is prohibited.*
aaa authentication fail-message *Failed login. Try again.*
aaa authentication login default group radius
This configuration produces the following login and failed login banner:
Unauthorized use is prohibited.
Username:
Password:
Failed login. Try again.
Related Commands
Command
Description
aaa authentication banner
Configures a personalized banner that will be displayed at user login.
aaa authentication login
To set authentication, authorization, and accounting (AAA) authentication at login, use the aaa authentication login command in global configuration mode. To disable AAA authentication, use the no form of this command.
Syntax Description
default
Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in.
list-name
Character string used to name the list of authentication methods activated when a user logs in. See the “Usage Guidelines” section for more information.
passwd-expiry
Enables password aging on a local authentication list.
Note
The radius-server vsa send authentication command is required to make the passwd-expiry keyword work.
method1[method2...]
The list of methods that the authentication algorithm tries in the given sequence. You must enter at least one method; you may enter up to four methods. Method keywords are described in the table below.
Command Default
AAA authentication at login is disabled.
Command Modes
Global configuration (config)
Command History
10.3: This command was introduced.
12.0(5)T: This command was modified. The group radius, group tacacs+, and local-case keywords were added as methods for authentication.
12.4(6)T: This command was modified. The password-expiry keyword was added.
12.2(28)SB: This command was integrated into Cisco IOS Release 12.2(28)SB. The cache group-name keyword and argument were added as a method for authentication.
12.2(33)SRA: This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX: This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
15.0(1)M: This command was integrated into Cisco IOS Release 15.0(1)M.
15.1(1)T: This command was modified. The group ldap keyword was added.
Cisco IOS XE Release 3.1S: This command was integrated into Cisco IOS XE Release 3.1S and implemented on the Cisco ASR 1000 Series Aggregation Services Routers.
15.0(1)S: This command was integrated into Cisco IOS Release 15.0(1)S.
Usage Guidelines
If the default keyword is not set, only the local user database is checked. This has the same effect as the following command:
aaa authentication login default local
Note
On the console, login will succeed without any authentication checks if the default keyword is not set.
The default and optional list names that you create with the aaa authentication login command are used with the login authentication command.
Create a list by entering the aaa authentication login list-name method command for a particular protocol. The list-name argument is the character string used to name the list of authentication methods activated when a user logs in. The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence. The “Authentication Methods That Cannot Be Used for the list-name Argument” section lists authentication methods that cannot be used for the list-name argument, and the table below describes the method keywords.
To create a default list that is used if no list is assigned to a line, use the login authentication command with the default argument followed by the methods you want to use in default situations.
The password is prompted only once to authenticate the user credentials and in case of errors due to connectivity issues, multiple retries are possible through the additional methods of authentication. However, the switchover to the next authentication method happens only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.
If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods.
Authentication Methods That Cannot Be Used for the list-name Argument
The authentication methods that cannot be used for the
list-name argument are as follows:
auth-guest
enable
guest
if-authenticated
if-needed
krb5
krb-instance
krb-telnet
line
local
none
radius
rcmd
tacacs
tacacsplus
Note
In the table below, the group radius, group tacacs+, group ldap, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius, aaa group server ldap, and aaa group server tacacs+ commands to create a named group of servers.
The table below describes the method keywords.
Table 1 aaa authentication login Methods Keywords
Keyword
Description
cache group-name
Uses a cache server group for authentication.
enable
Uses the enable password for authentication. This keyword cannot be used.
group group-name
Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.
group ldap
Uses the list of all Lightweight Directory Access Protocol (LDAP) servers for authentication.
group radius
Uses the list of all RADIUS servers for authentication.
group tacacs+
Uses the list of all TACACS+ servers for authentication.
krb5
Uses Kerberos 5 for authentication.
krb5-telnet
Uses Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router.
line
Uses the line password for authentication.
local
Uses the local username database for authentication.
local-case
Uses case-sensitive local username authentication.
none
Uses no authentication.
passwd-expiry
Uses the login list to provide password aging support.
Examples
The following example shows how to create an AAA authentication list called MIS-access. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.
aaa authentication login MIS-access group tacacs+ enable none
The following example shows how to create the same list, but it sets it as the default list that is used for all login authentications if no other list is specified:
aaa authentication login default group tacacs+ enable none
The following example shows how to set authentication at login to use the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router:
aaa authentication login default krb5
The following example shows how to configure password aging by using AAA with a crypto client:
aaa authentication login userauthen passwd-expiry group radius
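The distinction the usage guidelines draw between a method that returns an error and one that fails decides whether a list such as group tacacs+ enable none is fail-open. The simulation below is an added example, not Cisco code: it walks a method list with exactly that rule (advance only on error, stop on a failure, none always grants access) and records which methods were consulted. The method behaviours are constructed: the TACACS+ group is unreachable, no enable password is set, and the local database holds one account.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "pass"    # the method accepted the credentials
    FAIL = "fail"    # the method was consulted and rejected the credentials
    ERROR = "error"  # the method could not be consulted (server unreachable, nothing configured)


# A method is simulated as a function of (username, password) -> Result.
MethodFn = Callable[[str, str], Result]


def evaluate_method_list(methods: List[str], registry: Dict[str, MethodFn],
                         username: str, password: str) -> Tuple[Result, List[Tuple[str, Result]]]:
    """Walk a login method list in order, with the semantics the page describes:
    the next method is tried only when the previous one returned an ERROR;
    a FAIL stops the walk immediately; 'none' always grants access.
    Returns the verdict plus a trace of (method, result) pairs.
    If every method returned ERROR and 'none' was not listed, the verdict is
    ERROR, which the device treats as a denied login."""
    trace: List[Tuple[str, Result]] = []
    for name in methods:
        if name == "none":
            trace.append((name, Result.PASS))
            return Result.PASS, trace
        fn = registry.get(name)
        if fn is None:
            raise ValueError(f"unknown method {name!r}")
        result = fn(username, password)
        trace.append((name, result))
        if result is not Result.ERROR:
            return result, trace
    return Result.ERROR, trace


# Constructed environment: no TACACS+ server answers, no enable password is set,
# and the local database holds one account.
LOCAL_USERS = {"admin": "constructed-secret"}


def tacacs_unreachable(_user: str, _password: str) -> Result:
    return Result.ERROR


def enable_not_configured(_user: str, _password: str) -> Result:
    return Result.ERROR


def local_database(user: str, password: str) -> Result:
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL


METHODS: Dict[str, MethodFn] = {
    "group tacacs+": tacacs_unreachable,
    "enable": enable_not_configured,
    "local": local_database,
}


def login_verdict(methods: List[str], user: str, password: str) -> Result:
    """Convenience wrapper returning only the verdict for a method list."""
    return evaluate_method_list(methods, METHODS, user, password)[0]


if __name__ == "__main__":
    for methods in (["group tacacs+", "enable", "none"],
                    ["group tacacs+", "local"],
                    ["local", "none"],
                    ["group tacacs+", "enable"]):
        verdict, trace = evaluate_method_list(methods, METHODS, "admin", "wrong-password")
        print(" ".join(methods), "->", verdict.value, trace)
```

Two of the runs carry the point. With group tacacs+ enable none and a wrong password, both servers-side methods return errors and none grants access, so the list is fail-open while the TACACS+ server is down. With local none, the local database rejects the password and the walk stops there: none is never reached, because a failure does not trigger the switchover that an error does.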
Related Commands
Command
Description
aaa new-model
Enables the AAA access control model.
login authentication
Enables AAA authentication for logins.
aaa authorization
To set the parameters that restrict user access to a network, use the aaa authorization command in global configuration mode. To remove the parameters, use the no form of this command.
Syntax Description
auth-proxy
Runs authorization for authentication proxy services.
cache
Configures the authentication, authorization, and accounting (AAA) server.
commands
Runs authorization for all commands at the specified privilege level.
level
Specific command level that should be authorized. Valid entries are 0 through 15.
config-commands
Runs authorization to determine whether commands entered in configuration mode are authorized.
configuration
Downloads the configuration from the AAA server.
console
Enables the console authorization for the AAA server.
exec
Runs authorization to determine if the user is allowed to run an EXEC shell. This facility returns user profile information such as the autocommand information.
ipmobile
Runs authorization for mobile IP services.
multicast
Downloads the multicast configuration from the AAA server.
network
Runs authorization for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Programs (NCPs), and AppleTalk Remote Access (ARA).
policy-if
Runs authorization for the diameter policy interface application.
prepaid
Runs authorization for diameter prepaid services.
radius-proxy
Runs authorization for proxy services.
reverse-access
Runs authorization for reverse access connections, such as reverse Telnet.
subscriber-service
Runs authorization for iEdge subscriber services such as virtual private dialup network (VPDN).
template
Enables template authorization for the AAA server.
default
Uses the listed authorization methods that follow this keyword as the default list of methods for authorization.
list-name
Character string used to name the list of authorization methods.
method1[method2...]
(Optional) Identifies an authorization method or multiple authorization methods to be used for authorization. A method may be any one of the keywords listed in the table below.
Command Default
Authorization is disabled for all actions (equivalent to the method keyword none).
Command Modes
Global configuration (config)
Command History
10.0: This command was introduced.
12.0(5)T: This command was modified. The group radius and group tacacs+ keywords were added as methods for authorization.
12.2(28)SB: This command was modified. The cache group-name keyword and argument were added as a method for authorization.
12.2(33)SRA: This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX: This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
15.0(1)M: This command was integrated into Cisco IOS Release 15.0(1)M.
15.1(1)T: This command was modified. The group ldap keyword was added.
Usage Guidelines
Use the aaa authorization command to enable authorization and to create named method lists, which define authorization methods that can be used when a user accesses the specified function. Method lists for authorization define the ways in which authorization will be performed and the sequence in which these methods will be performed. A method list is a named list that describes the authorization methods (such as RADIUS or TACACS+) that must be used in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, thus ensuring a backup system in case the initial method fails. Cisco IOS software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method, or until all the defined methods are exhausted.
Note
The Cisco IOS software attempts authorization with the next listed method only when there is no response from the previous method. If authorization fails at any point in this cycle--meaning that the security server or the local username database responds by denying the user services--the authorization process stops and no other authorization methods are attempted.
If the aaa authorization command for a particular authorization type is issued without a specified named method list, the default method list is automatically applied to all interfaces or lines (where this authorization type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no authorization takes place. The default authorization method list must be used to perform outbound authorization, such as authorizing the download of IP pools from the RADIUS server.
Use the aaa authorization command to create a list by entering the values for the list-name and the method arguments, where list-name is any character string used to name this list (excluding all method names) and method identifies the list of authorization methods tried in the given sequence.
Note
In the table below, the group group-name, group ldap, group radius, and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius, aaa group server ldap, and aaa group server tacacs+ commands to create a named group of servers.
The table below describes the method keywords.
Table 2 aaa authorization Methods
Keyword
Description
cache group-name
Uses a cache server group for authorization.
group group-name
Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name command.
group ldap
Uses the list of all Lightweight Directory Access Protocol (LDAP) servers for authentication.
group radius
Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.
group tacacs+
Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command.
if-authenticated
Allows the user to access the requested function if the user is authenticated.
Note
The if-authenticated method is a terminating method. Therefore, if it is listed as a method, any methods listed after it will never be evaluated.
local
Uses the local database for authorization.
none
Indicates that no authorization is performed.
Cisco IOS software supports the following methods for authorization:
Cache Server Groups--The router consults its cache server groups to authorize specific rights for users.
If-Authenticated --The user is allowed to access the requested function provided the user has been authenticated successfully.
Local --The router or access server consults its local database, as defined by the username command, to authorize specific rights for users. Only a limited set of functions can be controlled through the local database.
None --The network access server does not request authorization information; authorization is not performed over this line or interface.
RADIUS --The network access server requests authorization information from the RADIUS security server group. RADIUS authorization defines specific rights for users by associating attributes, which are stored in a database on the RADIUS server, with the appropriate user.
TACACS+ --The network access server exchanges authorization information with the TACACS+ security daemon. TACACS+ authorization defines specific rights for users by associating attribute-value (AV) pairs, which are stored in a database on the TACACS+ security server, with the appropriate user.
Method lists are specific to the type of authorization being requested. AAA supports five different types of authorization:
Commands --Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.
EXEC --Applies to the attributes associated with a user EXEC terminal session.
Network --Applies to network connections. The network connections can include a PPP, SLIP, or ARA connection.
Reverse Access --Applies to reverse Telnet sessions.
Configuration --Applies to the configuration downloaded from the AAA server.
Note
You must configure the aaa authorization config-commands command to authorize global configuration commands, including EXEC commands prepended by the do command.
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, the method lists must be applied to specific lines or interfaces before any of the defined methods are performed.
The authorization command causes a request packet containing a series of AV pairs to be sent to the RADIUS or TACACS daemon as part of the authorization process. The daemon can do one of the following:
Accept the request as is.
Make changes to the request.
Refuse the request and authorization.
For a list of supported RADIUS attributes, see the module RADIUS Attributes. For a list of supported TACACS+ AV pairs, see the module TACACS+ Attribute-Value Pairs.
Note
Five commands are associated with privilege level 0: disable, enable, exit, help, and logout. If you configure AAA authorization for a privilege level greater than 0, these five commands will not be included in the privilege level command set.
Examples
The following example shows how to define the network authorization method list named mygroup, which specifies that RADIUS authorization will be used on serial lines using PPP. If the RADIUS server fails to respond, local network authorization will be performed.
aaa authorization network mygroup group radius local
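The notes in this section and in the aaa authentication login section name three conditions that are easy to miss in a long configuration: a method list that ends in none (access granted whenever every earlier method errors out), methods listed after the terminating if-authenticated method (never evaluated), and command authorization configured without aaa authorization config-commands (configuration-mode commands left unauthorized). The audit below is an added example, not Cisco code; it scans a constructed running-config excerpt made of this page's own example lines plus lines that carry those conditions, and returns one finding per issue.

```python
from typing import List


def _methods_after(tokens: List[str], start: int) -> List[str]:
    """Join 'group X' and 'cache X' token pairs so that each method is one string."""
    methods, i = [], start
    while i < len(tokens):
        if tokens[i] in ("group", "cache") and i + 1 < len(tokens):
            methods.append(tokens[i] + " " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def audit_aaa_config(config_lines: List[str]) -> List[str]:
    """Return one finding per risky AAA method list in a running-config excerpt."""
    findings: List[str] = []
    command_authz_seen = False
    config_commands_seen = False
    for raw in config_lines:
        tokens = raw.strip().split()
        if tokens[:3] == ["aaa", "authorization", "config-commands"]:
            config_commands_seen = True
            continue
        if tokens[:2] == ["aaa", "authentication"] and len(tokens) > 3 and tokens[2] in ("login", "dot1x"):
            where = f"aaa authentication {tokens[2]} {tokens[3]}"
            methods = _methods_after(tokens, 4)
        elif tokens[:2] == ["aaa", "authorization"] and len(tokens) > 3:
            kind, idx = tokens[2], 3
            if kind == "commands":        # aaa authorization commands <level> <list> methods...
                command_authz_seen = True
                idx = 4
            if len(tokens) <= idx:
                continue
            where = f"aaa authorization {kind} {tokens[idx]}"
            methods = _methods_after(tokens, idx + 1)
        else:
            continue
        if methods == ["none"]:
            findings.append(f"{where}: 'none' is the only method, so no check is performed")
        elif methods and methods[-1] == "none":
            findings.append(f"{where}: ends in 'none', so access is granted whenever every earlier method returns an error")
        if "if-authenticated" in methods and methods[-1] != "if-authenticated":
            findings.append(f"{where}: methods listed after 'if-authenticated' are never evaluated")
    if command_authz_seen and not config_commands_seen:
        findings.append("aaa authorization commands is configured without aaa authorization config-commands, "
                        "so configuration-mode commands are not authorized")
    return findings


# Constructed running-config excerpt: the page's own examples plus lists that
# carry the conditions the notes warn about.
SAMPLE_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login MIS-access group tacacs+ enable none
aaa authentication dot1x default group radius none
aaa authorization exec default group tacacs+ if-authenticated local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network mygroup group radius local
""".strip().splitlines()

if __name__ == "__main__":
    for finding in audit_aaa_config(SAMPLE_CONFIG):
        print(finding)
```

Whether a list ending in none is acceptable is a policy decision (the page's own MIS-access example makes exactly that trade-off to keep access available when the TACACS+ server is unreachable); the audit only makes the trade-off visible so that it is taken deliberately.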
Related Commands
Command
Description
aaa accounting
Enables AAA accounting of requested services for billing or security purposes.
aaa group server radius
Groups different RADIUS server hosts into distinct lists and distinct methods.
aaa group server tacacs+
Groups different TACACS+ server hosts into distinct lists and distinct methods.
aaa new-model
Enables the AAA access control model.
radius-server host
Specifies a RADIUS server host.
tacacs-server host
Specifies a TACACS+ host.
username
Establishes a username-based authentication system.
aaa dnis map accounting network
To map a Dialed Number Information Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group that will be used for AAA accounting, use the aaa dnis map accounting network command in global configuration mode. To remove DNIS mapping from the named server group, use the no form of this command.
Syntax Description
start-stop
(Optional) Indicates that the defined security server group will send a “start accounting” notice at the beginning of a process and a “stop accounting” notice at the end of a process. The “start accounting” record is sent in the background. (The requested user process begins regardless of whether the “start accounting” notice was received by the accounting server.)
stop-only
(Optional) Indicates that the defined security server group will send a “stop accounting” notice at the end of the requested user process.
none
(Optional) Indicates that the defined security server group will not send accounting notices.
broadcast
(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.
group groupname
At least one of the keywords described in the table below.
Command Default
This command is disabled by default.
Command Modes
Global configuration
Command History
12.0(7)T: This command was introduced.
12.1(1)T: The optional broadcast keyword was added. The ability to specify multiple server groups was added. To accommodate multiple server groups, the name of the command was changed from aaa dnis map accounting network group to aaa dnis map accounting network.
12.2(33)SRA: This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX: This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
This command lets you assign a DNIS number to a particular AAA server group so that the server group can process accounting requests for users dialing in to the network using that particular DNIS. To use this command, you must first enable AAA, define an AAA server group, and enable DNIS mapping.
The table below contains descriptions of accounting method keywords.
Table 3 AAA Accounting Methods
Keyword
Description
group radius
Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.
group tacacs+
Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command.
group group-name
Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name.
In the table above, the group radius and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.
Examples
The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 will use RADIUS server 172.30.0.0 for accounting requests for users dialing in with DNIS 7777.
aaa new-model
radius-server host 172.30.0.0 acct-port 1646 key cisco1
aaa group server radius group1
server 172.30.0.0
aaa dnis map enable
aaa dnis map 7777 accounting network group group1
Related Commands
Command
Description
aaa dnis map authentication ppp group
Maps a DNIS number to a particular authentication server group.
aaa dnis map enable
Enables AAA server selection based on DNIS.
aaa group server
Groups different server hosts into distinct lists and distinct methods.
aaa new-model
Enables the AAA access control model.
radius-server host
Specifies a RADIUS server host.
aaa dnis map authentication group
To map a dialed number identification service (DNIS) number to a particular authentication server group (this server group will be used for authentication, authorization, and accounting [AAA] authentication), use the aaa dnis map authentication group command in AAA-server-group configuration mode. To remove the DNIS number from the defined server group, use the no form of this command.
Character string used to name a group of security servers associated in a server group.
Command Default
A DNIS number is not mapped to a server group.
Command Modes
AAA-server-group configuration
Command History
Release
Modification
12.0(7)T
This command was introduced.
12.1(3)XL1
This command was modified with the addition of the login keyword to include character-mode authentication.
12.2(2)T
Support for the login keyword was added into Cisco IOS Release 12.2(2)T and this command was implemented for the Cisco 2600 series, Cisco 3600 series, and Cisco 7200 platforms.
12.2(8)T
This command was implemented on the Cisco 806, Cisco 828, Cisco 1710, Cisco SOHO 78, Cisco 3631, Cisco 3725, Cisco 3745, and Cisco URM for IGX8400 platforms.
12.2(11)T
This command was implemented on the Cisco AS5300 and Cisco AS5800 platforms.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
Use the aaa dnis map authentication group command to assign a DNIS number to a particular AAA server group so that the server group can process authentication requests for users that are dialing in to the network using that particular DNIS. To use the aaa dnis map authentication group command, you must first enable AAA, define an AAA server group, and enable DNIS mapping.
Examples
The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 uses RADIUS server 172.30.0.0 for authentication requests for users dialing in with DNIS number 7777.
aaa new-model
radius-server host 172.30.0.0 auth-port 1645 key cisco1
aaa group server radius group1
server 172.30.0.0
aaa dnis map enable
aaa dnis map 7777 authentication ppp group group1
aaa dnis map 7777 authentication login group group1
Related Commands
Command                                   Description
aaa dnis map accounting network group     Maps a DNIS number to a particular accounting server group.
aaa dnis map enable                       Enables AAA server selection based on DNIS.
aaa group server                          Groups different server hosts into distinct lists and distinct methods.
aaa new-model                             Enables the AAA access control model.
radius-server host                        Specifies a RADIUS server host.
aaa group server radius
To group different RADIUS server hosts into distinct lists and distinct methods, enter the aaa group server radius command in global configuration mode. To remove a group server from the configuration list, enter the no form of this command.
aaa group server radius group-name
no aaa group server radius group-name
Syntax Description
group-name
Character string used to name the group of servers. See the table below for a list of words that cannot be used as the group-name argument.
Command Default
No default behavior or values.
Command Modes
Global configuration
Command History
Release
Modification
12.0(5)T
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
The authentication, authorization, and accounting (AAA) server-group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service.
A group server is a list of server hosts of a particular type. Currently supported server host types are RADIUS server hosts and TACACS+ server hosts. A group server is used in conjunction with a global server host list. The group server lists the IP addresses of the selected server hosts.
The table below lists words that cannot be used as the group-name argument.
Table 4 Words That Cannot Be Used As the group-name Argument
Word
auth-guest
enable
guest
if-authenticated
if-needed
krb5
krb-instance
krb-telnet
line
local
none
radius
rcmd
tacacs
tacacsplus
Examples
The following example shows the configuration of an AAA group server named radgroup1 that comprises three member servers:
aaa group server radius radgroup1
server 10.1.1.1 auth-port 1700 acct-port 1701
server 10.2.2.2 auth-port 1702 acct-port 1703
server 10.3.3.3 auth-port 1705 acct-port 1706
Note
If auth-port and acct-port are not specified, the default value of auth-port is 1645 and the default value of acct-port is 1646.
Related Commands
Command                                   Description
aaa accounting                            Enables AAA accounting of requested services for billing or security purposes.
aaa authentication login                  Sets AAA authentication at login.
aaa authorization                         Sets parameters that restrict user access to a network.
aaa new-model                             Enables the AAA access control model.
radius-server host                        Specifies a RADIUS server host.
aaa group server tacacs+
To group different TACACS+ server hosts into distinct lists and distinct methods, use the aaa group server tacacs+ command in global configuration mode. To remove a server group from the configuration list, use the no form of this command.
aaa group server tacacs+ group-name
no aaa group server tacacs+ group-name
Syntax Description
group-name
Character string used to name the group of servers. See the table below for a list of words that cannot be used as the group-name argument.
Command Default
No default behavior or values.
Command Modes
Global configuration (config)
Command History
Release
Modification
12.0(5)T
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
12.2(54)SG
This command was integrated into Cisco IOS Release 12.2(54)SG.
Cisco IOS XE Release 3.2S
This command was modified. Support for IPv6 was added.
Usage Guidelines
The Authentication, Authorization, and Accounting (AAA) Server-Group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service.
A server group is a list of server hosts of a particular type. Currently supported server host types are RADIUS server hosts and TACACS+ server hosts. A server group is used in conjunction with a global server host list. The server group lists the IP addresses of the selected server hosts.
The table below lists the keywords that cannot be used for the group-name argument value.
Table 5 Words That Cannot Be Used As the group-name Argument
Word
auth-guest
enable
guest
if-authenticated
if-needed
krb5
krb-instance
krb-telnet
line
local
none
radius
rcmd
tacacs
tacacsplus
Examples
The following example shows the configuration of an AAA server group named tacgroup1 that comprises three member servers:
aaa group server tacacs+ tacgroup1
server 10.1.1.1
server 10.2.2.2
server 10.3.3.3
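As an added example (not Cisco's code and not part of this reference), the following Python linter applies the rules stated in the aaa dnis map and aaa group server entries above to a constructed IOS configuration snippet: it flags a group-name taken from the reserved-word table, a group member that has no global radius-server host or tacacs-server host entry, a DNIS map that points at a group that was never defined, and fills in the default auth-port/acct-port values from the Note for RADIUS members. The regexes, the audit function name and the sample addresses are assumptions of this example.

```python
import re
# Reserved words from Table 4 / Table 5 that cannot be used as a group-name.
RESERVED_GROUP_NAMES = {
    "auth-guest", "enable", "guest", "if-authenticated", "if-needed", "krb5",
    "krb-instance", "krb-telnet", "line", "local", "none", "radius", "rcmd",
    "tacacs", "tacacsplus",
}
# Defaults a RADIUS group member gets when auth-port / acct-port are omitted (see the Note above).
DEFAULT_PORTS = {"auth-port": 1645, "acct-port": 1646}
# Constructed sample: one valid group, one reserved group-name, one member with no global host entry, one DNIS map to an undefined group.
SAMPLE_CONFIG = """
aaa new-model
radius-server host 172.30.0.0 auth-port 1645 key cisco1
aaa group server radius group1
 server 172.30.0.0
aaa group server radius radius
 server 10.9.9.9 auth-port 1700
aaa dnis map enable
aaa dnis map 7777 authentication ppp group group1
aaa dnis map 7777 accounting network group group2
"""

def audit_aaa_config(config):
    """Return (findings, groups); groups maps group-name -> [(ip, {port keyword: port})]."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Pass 1: the global server host list that every group member must belong to.
    hosts = {m.group(2) for l in lines
             if (m := re.match(r"^(radius|tacacs)-server host (\S+)", l))}
    findings, groups, current, kind = [], {}, None, None
    for line in lines:  # Pass 2: group blocks, their members, and the DNIS maps
        if m := re.match(r"^aaa group server (radius|tacacs\+) (\S+)$", line):
            kind, current = m.group(1), m.group(2)
            groups[current] = []
            if current in RESERVED_GROUP_NAMES:
                findings.append(f"group-name '{current}' is a reserved word")
        elif current and (m := re.match(r"^server (\S+)(.*)$", line)):
            ip = m.group(1)
            opts = {k: int(v) for k, v in re.findall(r"(auth-port|acct-port) (\d+)", m.group(2))}
            if kind == "radius":  # TACACS+ members on this page carry no port keywords
                opts = {**DEFAULT_PORTS, **opts}
            groups[current].append((ip, opts))
            if ip not in hosts:
                findings.append(f"group '{current}': server {ip} has no global server host entry")
        else:
            current = None  # any other line ends the group block
            dnis = re.match(r"^aaa dnis map (\d+) (authentication (?:ppp|login)|accounting network) group (\S+)$", line)
            if dnis and dnis.group(3) not in groups:
                findings.append(f"DNIS {dnis.group(1)}: {dnis.group(2)} maps to undefined group '{dnis.group(3)}'")
    return findings, groups
```

Running audit_aaa_config(SAMPLE_CONFIG) returns three findings for the constructed snippet and records group1's member with the default ports 1645/1646 filled in.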
Related Commands
Command                                   Description
aaa accounting                            Enables AAA accounting of requested services for billing or security purposes.
aaa authentication login                  Sets AAA authentication at login.
aaa authorization                         Sets parameters that restrict user access to a network.