AAA Authentication Configuration Command
aaa authentication enable default
aaa authentication password-prompt
aaa authentication username-prompt
This chapter describes the commands used to configure AAA authentication. Authentication establishes who a user is before the user is allowed to access the network and network services.
Refer to "Configuring Authentication" for information on how to use AAA methods to configure authentication. Refer to the "Example" section at the end of that document for configuration examples that use the commands in this chapter.
aaa authentication enable default
Use the global configuration command "aaa authentication enable default" to enable AAA authentication that decides whether a user may enter privileged mode and use privileged commands. The "no" form of the command removes this authentication method list.
aaa authentication enable default method1 [method2...]
no aaa authentication enable default method1 [method2...]
parameter:
method: at least one of the keywords listed in Table 1.
Default:
If no default list is configured, the enable password is used for authentication. This is equivalent to:
aaa authentication enable default enable
If an enable password exists in the configuration, that password must be supplied. If no enable password is configured, the result of the authentication is success (see "enable password": a privileged level without a password is entered without authentication).
Command mode:
global configuration mode
Explanation:
The command "aaa authentication enable default" creates a list of authentication methods that determines whether a user may use privileged commands. The keywords for "method" are described in Table 1. The methods are tried in the order configured. The next method is used only when the previous method returns an error (for example, the server cannot be reached or no enable password exists). If a method returns failure (the credentials were checked and rejected), no further method is tried and the authentication fails. To let the authentication succeed even when every configured method returns an error, specify "none" as the last method of the command line; be aware that "none" then admits the user without any check whenever the earlier methods are unavailable.
In addition, when RADIUS or TACACS+ is used for enable authentication, the usernames sent to the server differ. With RADIUS the username is "$ENABLElevel$", where "level" is the privileged level the user is requesting. With TACACS+ the username is the one the user logged on to the router with. See the "AAA Authentication Configuration" part of the configuration guide for the specific configuration.
Table 1 Methods for AAA enable authentication
Key Word | Description
group | A server group is used for authentication.
group-restrict | A server group is used for authentication, but when the user designates a server (username@host-ip-address, see "aaa directed-request"), the server group is not used.
enable | The enable password is used for authentication.
line | The line password is used for authentication.
none | No authentication is performed; every user passes.
tacacs+ | TACACS+ is used for authentication.
radius | RADIUS is used for authentication.
Example:
The following example creates an authentication list that first tries the TACACS+ server. If the TACACS+ server returns an error or no server can be reached, AAA tries the enable password. If that attempt also returns an error (for example, no enable password is configured on the router), the user is admitted without authentication.
aaa authentication enable default tacacs+ enable none
Relevant command:
enable password
aaa authentication login
Use the global configuration command "aaa authentication login" to set AAA authentication at login. The "no" form of the command disables AAA login authentication.
aaa authentication login {default | list-name} method1 [method2...]
no aaa authentication login {default | list-name} method1 [method2...]
parameter:
default: uses the methods listed after this keyword as the default method list for user login.
list-name: a character string naming the authentication method list. The methods in the list are used when a user logs in on a line that references it.
method: at least one of the keywords described in Table 2.
Default:
If no default method list is configured, no authentication is performed at login. This is equivalent to:
aaa authentication login default none
Command mode:
global configuration mode
Explanation:
The default list or a named list created with "aaa authentication login" is applied to a specific line with the line command "login authentication". The methods are tried in the order configured: the next method is used only when the previous one returns an error. If a method returns failure, no further method is tried. To ensure that authentication succeeds even when all methods return an error, specify "none" as the last method of the command line.
If no authentication is set for a line, no authentication is performed on that line by default.
Table 2 Methods for AAA login authentication
Key Word | Description
enable | The enable password is used for authentication.
group | A server group is used for authentication.
group-restrict | A server group is used for authentication, but when the user designates a server, the server group is not used.
line | The line password is used for authentication.
local | The local username database is used for authentication.
local-case | The local username database is used for authentication, with case-sensitive usernames.
none | No authentication is performed.
radius | RADIUS is used for authentication.
tacacs+ | TACACS+ is used for authentication.
Example:
The following example creates an authentication method list named "TEST". It first tries the TACACS+ server. If TACACS+ returns an error or no server can be reached, AAA tries the enable password. If that attempt also returns an error (for example, no enable password is configured on the router), the user is admitted without authentication.
aaa authentication login TEST tacacs+ enable none
The following example creates the same list as the default list. If no other list is designated on a line, this list is used for all login authentication.
aaa authentication login default tacacs+ enable none
Relevant command:
none
aaa authentication password-prompt
Use the global configuration command "aaa authentication password-prompt" to change the text displayed to prompt the user for a password. The "no" form of the command restores the default password prompt.
aaa authentication password-prompt text-string
no aaa authentication password-prompt text-string
parameter:
text-string: the text displayed to prompt the user for a password.
Default:
When no user-defined text-string is configured, the password prompt is "Password".
Command mode:
global configuration mode
Explanation:
Use the command "aaa authentication password-prompt" to change the default text that prompts the user for a password. The command changes both the enable password prompt and the login password prompt. The "no" form of the command restores the default prompt.
Note:
The command "aaa authentication password-prompt" does not change any prompt supplied by a remote TACACS+ or RADIUS server.
Example:
The following example changes the password prompt to "YourPassword:":
aaa authentication password-prompt YourPassword:
Relevant command:
aaa authentication username-prompt
enable password
aaa authentication ppp
Use the global configuration command "aaa authentication ppp" to designate one or more AAA authentication methods for serial interfaces running PPP. The "no" form of the command disables the authentication.
aaa authentication ppp {default | list-name} method1 [method2...]
no aaa authentication ppp {default | list-name} method1 [method2...]
parameter:
default: uses the methods listed after this keyword as the default method list for PPP authentication.
list-name: a character string naming the authentication method list.
method1 [method2...]: at least one of the methods described in Table 3.
Default:
If no default list is configured, the local user database is consulted for authentication. This is equivalent to:
aaa authentication ppp default local
Command mode:
global configuration mode
Explanation:
The default list and the named lists created with "aaa authentication ppp" are referenced by the interface command "ppp authentication". A list holds at most four authentication methods, which are applied when a user connects on the serial interface.
A list is created with "aaa authentication ppp list-name method...", where "list-name" is any character string naming the list and each "method" designates an authentication method. The methods are used in the order configured; at most four can be entered. The method keywords are described in Table 3.
The next method is used only when the previous one returns an error. If a method returns failure, no further method is tried. Specify "none" as the last method of the command line only if authentication must succeed even when every configured method returns an error; this admits the peer without any check when the servers are unreachable.
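The polling rule stated above for "aaa authentication enable default", "aaa authentication login" and "aaa authentication ppp" (an error hands over to the next method, a failure stops the list, "none" admits unconditionally) is easy to misread, so here is a short simulation of it. This is an added example, not the router's implementation: the provider stubs, scenario names and credentials are constructed, and the "enable" stub returns an error when no enable password is configured, as the examples in this chapter describe.

```python
"""Method-list polling for aaa authentication enable / login / ppp.

Added simulation, not the router's implementation. The provider stubs and the
scenario names are constructed. Rule shown: ERROR (server unreachable, no
enable password configured) moves to the next method; PASS or FAIL ends the
list; 'none' always returns PASS and is therefore reached only when every
earlier method returned ERROR.
"""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    ERROR = "ERROR"


Method = Callable[[str, str], Result]


def tacacs_plus(reachable: bool, users: Dict[str, str]) -> Method:
    """TACACS+ stub: ERROR if no server answers, otherwise PASS/FAIL on the credentials."""
    def method(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(user) == password else Result.FAIL
    return method


def enable_password(configured: Optional[str]) -> Method:
    """'enable' method: ERROR when no enable password exists on the router."""
    def method(user: str, password: str) -> Result:
        if configured is None:
            return Result.ERROR
        return Result.PASS if password == configured else Result.FAIL
    return method


def none_method(user: str, password: str) -> Result:
    """'none': unconditional PASS."""
    return Result.PASS


def run_method_list(methods: List[Tuple[str, Method]], user: str, password: str) -> Tuple[Result, List[str]]:
    """Poll the methods in configured order; return the outcome and the per-method trail."""
    trail: List[str] = []
    for name, method in methods:
        result = method(user, password)
        trail.append(f"{name}:{result.value}")
        if result is Result.ERROR:
            continue          # only ERROR hands over to the next method
        return result, trail  # PASS or FAIL stops polling
    return Result.FAIL, trail  # every method errored and no 'none' at the end


def scenarios() -> Dict[str, Tuple[Result, List[str]]]:
    server_users = {"admin": "correct-horse"}  # constructed TACACS+ user store
    down = tacacs_plus(reachable=False, users=server_users)
    up = tacacs_plus(reachable=True, users=server_users)
    no_enable = enable_password(None)
    return {
        # aaa authentication enable default tacacs+ enable none, server down, no enable
        # password: a caller with a wrong password is admitted by 'none'.
        "server_down_no_enable_with_none":
            run_method_list([("tacacs+", down), ("enable", no_enable), ("none", none_method)], "admin", "guess"),
        # Same list with the server reachable: TACACS+ returns FAIL and polling stops there.
        "server_up_bad_password":
            run_method_list([("tacacs+", up), ("enable", no_enable), ("none", none_method)], "admin", "guess"),
        # aaa authentication enable default tacacs+ enable, server down, no enable password: locked out.
        "server_down_no_enable_without_none":
            run_method_list([("tacacs+", down), ("enable", no_enable)], "admin", "guess"),
    }


if __name__ == "__main__":
    for label, (outcome, trail) in scenarios().items():
        print(f"{label:36} {outcome.value:5} {' -> '.join(trail)}")
```

The first scenario is exactly the "tacacs+ enable none" list recommended in the examples of this chapter when the server is down and no enable password is set: it admits anyone. The third shows the price of leaving "none" out, a lock-out when all servers are unreachable, which is why the enable password should be configured rather than relying on "none".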
Table 3 Methods for AAA PPP authentication
Key Word | Description
group | A server group is used for authentication.
group-restrict | A server group is used for authentication, but when the user designates a server, the server group is not used.
local | The local username database is used for authentication.
local-case | The local username database is used for authentication, with case-sensitive usernames.
none | No authentication is performed.
radius | RADIUS is used for authentication.
tacacs+ | TACACS+ is used for authentication.
Example:
The following example creates an authentication method list named "TEST" for serial lines running PPP. It first tries the TACACS+ server. If TACACS+ returns an error, the user is admitted without authentication.
aaa authentication ppp TEST tacacs+ none
Relevant command:
ppp authentication
aaa authentication username-prompt
Use the global configuration command "aaa authentication username-prompt" to change the text displayed to prompt the user for a username. The "no" form of the command restores the default username prompt.
aaa authentication username-prompt text-string
no aaa authentication username-prompt text-string
parameter:
text-string: the text displayed to prompt the user for a username.
Default:
When no user-defined text-string is configured, the username prompt is "Username".
Command mode:
global configuration mode
Explanation:
Use the command "aaa authentication username-prompt" to change the text that prompts the user for a username. The "no" form of the command restores the default prompt.
Note:
Some protocols (such as TACACS+) can override the local username prompt. In that case "aaa authentication username-prompt" does not change the username prompt the user sees, and the command never changes a prompt supplied by a remote TACACS+ server.
Example:
The following example changes the username prompt to "YourUsername:":
aaa authentication username-prompt YourUsername:
Relevant command:
aaa authentication password-prompt
aaa default-username
When a user is not authenticated, a default username is assigned to the user. Use the command below to change the character string used as the default username. The "no" form of the command restores the default value.
aaa default-username username
no aaa default-username
parameter:
username: character string of the default username.
Default:
The default name is DEFAULT.
Command mode:
global configuration mode
Explanation:
If an unauthenticated user performs an operation that requires authorization, the operation is authorized under the default username, so the services available to such a user are limited to the privileges granted to the default username.
Example:
The following example changes the default username to default-user.
aaa default-username default-user
Relevant command:
none
aaa directed-request
Use the command "aaa directed-request" to allow a user to designate the AAA server to be used first, by entering the username in the form username@host-ip-address. The "no" form of the command disallows this form.
aaa directed-request [no-truncate]
no aaa directed-request
parameter:
no-truncate: keeps @host-ip-address as part of the username instead of truncating it from the username before the request is sent.
Default:
Disabled: the user cannot designate a preferred server in this way.
Command mode:
global configuration mode
Explanation:
With directed request enabled, the user chooses which server authenticates the request by appending @host-ip-address to the username. Unless no-truncate is given, the @host-ip-address suffix is removed before the username is sent to the server; with no-truncate the server must recognize the full username including the suffix.
Example:
The following example allows the form username@host-ip-address to designate the AAA server to be used first; @host-ip-address is not used as part of the username.
aaa directed-request
aaa group server radius
Use the commands below to enter server group configuration mode, which supports the configuration of an AAA server group. The "no" form of the command deletes the configured server group.
aaa group server radius group-name
no aaa group server radius group-name
parameter:
group-name: character string naming the server group.
Default:
no server group
Command mode:
global configuration mode
Explanation:
Use the command to enter server group configuration mode, then add the corresponding servers to the group with the "server" command.
Example:
aaa group server radius radius-group
The above command creates a RADIUS server group named "radius-group".
Relevant command:
server
debug aaa authentication
Use the command "debug aaa authentication" to trace the authentication process of users. The "no" form of the command turns off the debug output.
debug aaa authentication
no debug aaa authentication
parameter:
none
Default:
Debug output is off.
Command mode:
Supervisor mode
Explanation:
The command traces the authentication process of each user, which helps to find the cause of an authentication failure.
Example:
The following example turns on authentication debug output:
router#debug aaa authentication
AAA: Authen start (0x1f74208), user=, authen_type=ASCII, priv=0, method-list=default
AAA: Use authen method LOCAL (0x1f74208).
AAA: Authen CONT, need username.
AAA: Authen CONT, need password.
AAA: Authen ERROR (0x1f74208)! Use next method.
AAA: Authen FAIL(0x1f74208)! Method-list polling finish.
Output Information | Explanation
Authen start (0x1f74208), user=, authen_type=ASCII, priv=0, method-list=default | Authentication starts. The username is not yet known, ASCII authentication is used, the privileged level requested is 0 and the default method list is used. UserID = 0x1f74208.
Use authen method LOCAL (0x1f74208) | The local authentication method is used. UserID = 0x1f74208.
Authen CONT, need username | The username is requested.
Authen CONT, need password | The password is requested.
Authen ERROR (0x1f74208)! Use next method | The local method returned an error, so AAA moves on to the next method in the list.
Authen FAIL(0x1f74208)! Method-list polling finish | All methods in the list have been polled without success, so the authentication fails.
Relevant command:
none
enable password
Use the command "enable password" to configure the authentication password for a privileged level, used to authenticate users who access that level. The "no" form of the command removes the password.
enable password { password | [encryption-type] encrypted-password } [level number]
no enable password [level number]
parameter:
password: the password as a plaintext character string.
encryption-type: the type of password encryption.
encrypted-password: the password ciphertext, in the form required by encryption-type.
level: privileged level parameter.
number: the privileged level (1-15).
Default:
none
Command mode:
global configuration mode
Explanation:
A router password contains no blanks, so when the plaintext password is entered directly with "enable password" it must not contain spaces. A plaintext password may be at most 126 characters long.
When no level parameter is entered, the default is level 15. The higher the privileged level, the greater the authority. If no password is configured for a privileged level, no authentication is performed when a user enters that level, so configure a password for every level that users can reach.
Currently the router system supports only two encryption types, entered in the command as 0 and 7. Type 0 means no encryption: the following encrypted-password is entered as plaintext, which has the same effect as entering the password parameter directly without an encryption-type. Type 7 is an encryption algorithm defined by Our Company: the following encrypted-password must be the ciphertext of the password, which can be copied from the configuration file of another router. Because a type 7 ciphertext copied from one configuration is accepted as-is by another router, treat stored ciphertexts as being as sensitive as the passwords themselves.
Example:
The following example sets the password for privileged level 10 to "clever" with encryption-type 0, that is, in plaintext.
enable password 0 clever level 10
The following example sets the password for the default privileged level (15) to "Oscar" with encryption-type 7, the encrypted form, so the ciphertext of the password must be entered. Here the ciphertext of "Oscar" is assumed to be 074A05190326, a value obtained from the configuration file of another router.
enable password 7 074A05190326
Relevant command:
aaa authentication enable default
service password-encryption
ppp authentication
Use the interface configuration command "ppp authentication" to enable CHAP or PAP (or both) and to select the order in which CHAP and PAP authentication are offered on the interface. The "no" form of the command disables the authentication.
ppp authentication {chap | chap pap | pap chap | pap | ms-chap} [list-name | default] [callin]
no ppp authentication
parameter:
chap | Enables CHAP on the serial interface.
pap | Enables PAP on the serial interface.
chap pap | Enables both CHAP and PAP; CHAP authentication is attempted before PAP.
pap chap | Enables both CHAP and PAP; PAP authentication is attempted before CHAP.
ms-chap | Enables MS-CHAP on the serial interface.
list-name | (optional) Used together with AAA to designate the name of the authentication method list to use. If no list name is designated, the system uses the default list. The list is created with the command "aaa authentication ppp".
default | (optional) The default authentication method list created with the command "aaa authentication ppp".
callin | Authenticates incoming calls only.
Warning: If the designated method list has not been configured with "aaa authentication ppp", the method "none" is used on the interface running PPP, that is, the peer is not authenticated.
Default:
PPP authentication is not enabled.
Command mode:
Interface Configuration mode
Explanation:
When CHAP or PAP authentication is enabled (or both), the local router requires the remote device to prove its identity before it is allowed to transmit data. PAP authentication requires the remote device to send its name and password, which are compared with the entries in the local username database or in the database of the remote security server. In CHAP authentication the local router sends a challenge message to the remote device. The device computes a one-way hash (MD5 in standard CHAP) over the challenge and the shared secret and returns the hash value together with its name in its response packet. The local router looks up the secret associated with that name in the local username database or on the remote security server, computes the same hash over the original challenge, and verifies that the two values match.
PAP or CHAP (or both) can be enabled in either order. If both are enabled, the method designated first is requested during link negotiation; if the peer proposes the second method or rejects the first, the second method is tried. Some remote devices support only CHAP and others only PAP. Choose the order according to the methods the remote device can negotiate and the security level the data line requires. PAP transmits the username and password in plaintext, which can be intercepted on the way and replayed. CHAP removes most of these known weaknesses: the secret never crosses the link and a captured response is useless against a fresh challenge, although the secret must still be stored in recoverable form on both ends.
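The exchange just described, as an added example that is not part of this document or the router software: both sides of a PAP and of a CHAP authentication in Python, with the CHAP response value computed as in RFC 1994 (MD5 over identifier, secret and challenge). The peer name "remote-rtr", the shared secret and the challenge bytes are constructed; the packet framing is simplified.

```python
"""PAP versus CHAP on a PPP link, as described above.

Added example, not router code. The peer name, the shared secret and the
challenge bytes are constructed. CHAP follows RFC 1994: the response value is
MD5(identifier || secret || challenge); the secret itself is never sent.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed "database of local usernames" on the authenticating router.
LOCAL_USERS: Dict[str, str] = {"remote-rtr": "s3cret-shared"}


# --- PAP: name and password travel in the clear -------------------------------
def pap_request(name: str, password: str) -> bytes:
    """Authenticate-Request as the peer sends it (simplified framing)."""
    return b"PAP:" + name.encode() + b":" + password.encode()


def pap_verify(packet: bytes, users: Dict[str, str]) -> bool:
    """Authenticator compares the received password with the stored one."""
    _, name, password = packet.split(b":", 2)
    stored = users.get(name.decode(), "").encode()
    return hmac.compare_digest(stored, password)


# --- CHAP: challenge/response, the secret stays on both hosts -----------------
def chap_challenge(ident: int, challenge: Optional[bytes] = None) -> Tuple[int, bytes]:
    """Authenticator issues a fresh, unpredictable challenge with an identifier."""
    return ident, challenge if challenge is not None else os.urandom(16)


def chap_response(ident: int, challenge: bytes, name: str, secret: str) -> bytes:
    """Peer answers with MD5(id || secret || challenge) followed by its name."""
    value = hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()
    return b"CHAP:" + bytes([ident]) + value + name.encode()


def chap_verify(ident: int, challenge: bytes, packet: bytes, users: Dict[str, str]) -> bool:
    """Authenticator recomputes the hash from the stored secret of the claimed name."""
    body = packet[len(b"CHAP:"):]
    resp_id, value, name = body[0], body[1:17], body[17:].decode()
    secret = users.get(name)
    if secret is None or resp_id != ident:
        return False
    expected = hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()
    return hmac.compare_digest(expected, value)


def run_demo(challenge_1: bytes, challenge_2: bytes) -> Dict[str, bool]:
    """Run both protocols once and report what an eavesdropper could reuse."""
    name, secret = "remote-rtr", LOCAL_USERS["remote-rtr"]
    out: Dict[str, bool] = {}

    pap = pap_request(name, secret)
    out["pap_ok"] = pap_verify(pap, LOCAL_USERS)
    out["pap_secret_on_wire"] = secret.encode() in pap

    ident, ch = chap_challenge(1, challenge_1)
    resp = chap_response(ident, ch, name, secret)
    out["chap_ok"] = chap_verify(ident, ch, resp, LOCAL_USERS)
    out["chap_secret_on_wire"] = secret.encode() in resp

    # Replaying the captured response against the next challenge fails.
    ident2, ch2 = chap_challenge(2, challenge_2)
    out["chap_replay_ok"] = chap_verify(ident2, ch2, resp, LOCAL_USERS)
    # A peer holding the wrong secret also fails.
    bad = chap_response(ident, ch, name, "wrong")
    out["chap_wrong_secret_ok"] = chap_verify(ident, ch, bad, LOCAL_USERS)
    return out


if __name__ == "__main__":
    for key, flag in run_demo(os.urandom(16), os.urandom(16)).items():
        print(f"{key:22} {flag}")
```

The PAP packet contains the password verbatim, which is what "intercepted and reused" means in practice; the CHAP response contains only the hash, and the same response is rejected against the second challenge. Note that the authenticator needs the plaintext secret to recompute the hash, which is why the local username database or the security server must hold CHAP secrets in recoverable form.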
Enabling or disabling PPP authentication does not affect the ability of the local router to authenticate itself to the remote device.
If autoselect is used on a TTY line, use the command "ppp authentication" to enable PPP authentication on the corresponding interface.
MS-CHAP is the Microsoft version of CHAP. Like standard CHAP, MS-CHAP is used for PPP authentication; in this case the authentication takes place between a personal computer running Microsoft Windows NT or Microsoft Windows 95 and a router or network access server of Our Company.
Example:
The following example enables CHAP on the asynchronous interface, using the authentication list MIS-access:
interface async 4
encapsulation ppp
ppp authentication chap MIS-access
Relevant command:
aaa authentication ppp
username
ppp chap hostname
Use the interface configuration command "ppp chap hostname" to make a group of dial-in routers present the same hostname during CHAP authentication. The "no" form of the command disables the function.
ppp chap hostname hostname
no ppp chap hostname hostname
parameter:
hostname: the name sent in CHAP challenges.
Default:
Disabled. The router's own name is sent in any CHAP challenge.
Command mode:
Interface Configuration mode
Explanation:
A router dialing into a group of access routers normally needs a username entry for every router in that group, because each router identifies itself with its own name. Whenever a router is added to the dial-in group, every router that connects to it must be updated. The command "ppp chap hostname" designates a common alias for all routers in the group, so only one username needs to be configured on the dialing router. The command is usually used together with local CHAP authentication (when the router authenticates the peer), but it can also be used for remote CHAP authentication.
Example:
The following example designates dialer interface 0/0 as the first member of the router group and PPP as the encapsulation used on all members' interfaces. It shows CHAP authentication applied to incoming calls. The name ISPCorp is sent in all CHAP challenge and response packets.
interface dialer 0/0
encapsulation ppp
ppp authentication chap callin
ppp chap hostname ISPCorp
Relevant command:
aaa authentication ppp
ppp authentication
ppp chap password
ppp chap refuse
ppp chap password
Use the interface configuration command "ppp chap password" to configure a common CHAP secret on a router that calls a group of routers which do not support the "ppp chap hostname" command; the secret is used to respond to challenges from peers that are not listed in the local username database. The "no" form of the command disables the PPP CHAP password.
ppp chap password secret
no ppp chap password secret
parameter:
secret: the secret used to compute the response value for CHAP challenges sent by unknown peers.
Default:
none
Command mode:
Interface Configuration mode
Explanation:
A single copy of this command on a dialer interface or asynchronous group interface replaces the configuration of several username and password entries.
The command is used only for remote CHAP authentication (when the router responds to a challenge from the peer) and does not affect local CHAP authentication (when the router challenges the peer).
Example:
The following example configures ISDN BRI interface 0/0 with PPP encapsulation. When a CHAP challenge is received from a peer whose name is not found in the global username list, the secret 1234567891 is used to compute the CHAP response value.
interface bri 0/0
encapsulation ppp
ppp chap password 1234567891
Relevant command:
aaa authentication ppp
ppp authentication
ppp chap hostname
ppp chap refuse
ppp chap refuse
Use the interface configuration command "ppp chap refuse" to refuse requests from peers that require CHAP authentication. The "no" form of the command allows CHAP authentication again.
ppp chap refuse [callin]
no ppp chap refuse [callin]
parameter:
callin | (optional) Instructs the router to refuse to answer CHAP challenges from the peer on incoming calls, while still requiring the peer to answer any CHAP challenge sent by the router.
Default:
none
Command mode:
Interface Configuration mode
Explanation:
The command disables CHAP authentication for all calls: any peer that attempts to force the router to authenticate itself with CHAP is refused. With the "callin" keyword, CHAP authentication is disabled for calls received from the peer but still performed for calls placed to the peer.
If outbound PAP is enabled (with the command "ppp pap sent-username"), PAP is proposed as the authentication method in the reject packet.
Example:
The following example configures ISDN BRI interface 0/0 with PPP encapsulation and refuses CHAP authentication requests from peers that require it.
interface bri 0/0
encapsulation ppp
ppp chap refuse
Relevant command:
aaa authentication ppp
ppp authentication
ppp chap hostname
ppp pap sent-username
Use the interface configuration command "ppp pap sent-username" to re-enable remote PAP support on an interface and to use the given username and password in the PAP authentication request packet sent to the peer. The "no" form of the command disables remote PAP support.
ppp pap sent-username username password password
no ppp pap sent-username
parameter:
username | The username sent in the PAP authentication request.
password | The password sent in the PAP authentication request; 1 to 25 upper-case letters, lower-case letters or digits.
Default:
Remote PAP support is disabled.
Command mode:
Interface Configuration mode
Explanation:
The command re-enables remote PAP support (for example, replying to a peer's request for PAP authentication) and designates the parameters used when sending the PAP authentication request. Because PAP sends these credentials in plaintext, use a username and password dedicated to this link.
Example:
The following example identifies dialer interface 0 as the start of a rotary group and PPP as the encapsulation of the interface. CHAP or PAP authentication is used only for incoming calls. If the peer requires the router to authenticate itself with PAP, ISPCorp is sent to the peer as the username.
interface dialer 0/0
encapsulation ppp
ppp authentication chap pap callin
ppp chap hostname ISPCorp
ppp pap sent-username ISPCorp fjhfeu
Relevant command:
aaa authentication ppp
ppp authentication
ppp chap hostname
ppp chap refuse
ppp chap password
server
Use the command "server" to add a server to an AAA server group. The "no" form of the command deletes the server.
server A.B.C.D
no server A.B.C.D
parameter:
A.B.C.D: IP address of the server.
Default:
no server
Command mode:
Server Group Configuration Mode
Explanation:
Up to 20 different servers can be added to one server group.
Example:
server 12.1.1.1
The above command adds the server with address 12.1.1.1 to the server group.
Relevant command:
aaa group server radius
show users
Use the command "show users" to display summary information about all on-line users.
show users
parameter:
none
Default:
none
Command mode:
Supervisor mode
Explanation:
The command displays all on-line users with the following information: port, username, service type, authentication method, time on line and IP address of the peer.
Example:
#show users
Port  User     Service  Auth_Meth  Time         Peer-address
===============================================================
0     someone  exec     unknown    2d06h01m(m)  unknown
2     admin    ppp      local      2d01h10m(m)  192.168.30.87
Field | Explanation
Port | The VTY index number or the ID of the interface on which the user is located.
User | The username character string.
Service | The service requested by the user.
Auth_Meth | The method by which the user was authenticated.
Time | The time the user has been on line.
Peer-address | IP address of the remote host where the user is located.
Relevant command:
username
service password-encryption
Use the command "service password-encryption" to encrypt the passwords stored in the system configuration. The "no" form of the command cancels encryption for passwords set afterwards.
service password-encryption
no service password-encryption
parameter:
none
Default:
Passwords in the configuration are not encrypted.
Command mode:
global configuration mode
Explanation:
In the current implementation of the router system of Our Company, this command affects the passwords set with "username password", "enable password" and "password". If the command is not configured (the default), passwords set with those three commands are stored in plaintext and "show running-config" displays them in plaintext. Once the command is configured, the passwords set with those three commands are encrypted and "show running-config" no longer shows them in plaintext. The command "no service password-encryption" cannot restore the plaintext display, so confirm the configured passwords before enabling encryption. "no service password-encryption" applies only to passwords configured after it is entered; passwords already encrypted are unaffected. Encryption hides the passwords from someone viewing the configuration; it does not make the configuration safe to share, because the ciphertext itself is accepted by another router of this type (see "enable password").
Example:
router_config#service password-encryption
This command encrypts the plaintext passwords already configured and the plaintext passwords configured after the command is used.
Related commands
username username password
enable password
password
This command adds a user to the local user database, which is used for local authentication and authorization. The “no” format of the command deletes the corresponding user.
username username [password { password | [encryption-type] encrypted-password }] [trust-host ip_address] [user-maxlinks number] [callback-dialstring string] [callback-line line] [callback-rotary rotary] [nocallback-verify] [autocommand command]
no username username
parameter:
username: | Character string of the user name
password: | The password corresponding to the user
password: | Plaintext character string of the password
encryption-type: | The type of password encryption
encrypted-password: | The ciphertext of the password, corresponding to the encryption type specified by “encryption-type”.
trust-host: | The trust-host corresponding to the user.
ip_address: | IP address of the trust-host; authentication can be passed only when the user logs in to the router from this host.
user-maxlinks: | The maximum number of links to the router that the same user can create at the same time (counted only for users passing local authentication).
number: | The number of links created at the same time.
callback-dialstring: | Callback telephone number
string: | Character string of the telephone number
callback-line: | The line used for callback
line: | Line number
callback-rotary: | Callback rotary configuration
rotary: | Rotary number
nocallback-verify: | Callback is not verified.
autocommand: | When the user logs in to the router, the designated command is executed automatically.
command: | Character string of the command to execute automatically.
Default:
No user
Command mode:
global configuration mode
Explanation:
When the password parameter is absent, the password is interpreted as the empty string. trust-host binds the user to a specific host: when the user logs in to the router from another host, the user cannot pass the authentication. “user-maxlinks” limits the number of sessions the same user can set up with the router at the same time; a session of the user that is not authenticated by the local authentication method is not counted. The command “show users” can be used to check which authentication method each user passed.
Passwords in Our Company's router configuration contain no blanks; that is, when the command “enable password” is used and the plaintext password is entered directly, no blank may be entered.
Currently our router system supports only two encryption-types; the parameters in the commands are 0 and 7. 0 means no encryption: the plaintext password is entered directly as the following encrypted-password, which has the same effect as entering the password parameter directly without an encryption-type. 7 represents an encryption algorithm defined by Our Company: the ciphertext of the password must be entered as the following encrypted-password. The ciphertext can be copied from the configuration file of another router.
Example:
The local user is added in the example below. The username is someone, the password is someother.
username someone password someother
The local user is added in the example below; the username is Oscar, the password is Joan. The encryption type is 7, i.e. the encrypted method, so the ciphertext of the password must be entered.
username Oscar password 7 1105718265
This assumes that the ciphertext of Joan is 1105718265; the ciphertext value is obtained from the configuration file of another router.
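As an added example (not from this manual), a Python check for the “service password-encryption” explanation and the encryption-type discussion above: it reads a saved running-config, reports whether “service password-encryption” is present, and lists every “username password”, “enable password” and “password” line that still carries a plaintext password (no encryption-type, or encryption-type 0). The config fragment is constructed; the line syntax follows this page.

```python
import re
from typing import List, Tuple

# Constructed running-config fragment: a plaintext user password, a type-7
# ciphertext (the example value from this page), a plaintext enable password
# and a plaintext line password.
SAMPLE_CONFIG = """\
!
username someone password someother
username Oscar password 7 1105718265
enable password secret123
line vty 0 4
 password letmein
!
"""

# The three commands this page says store passwords in plaintext unless
# "service password-encryption" is configured. Passwords contain no blanks,
# so one non-blank token after the optional encryption-type is the secret.
PASSWORD_LINE = re.compile(
    r"^\s*(?:username\s+(?P<user>\S+)\s+password|enable\s+password|password)\s+"
    r"(?:(?P<type>0|7)\s+)?(?P<secret>\S+)\s*$"
)


def audit_config(config: str) -> Tuple[bool, List[Tuple[int, str, str]]]:
    """Return (encryption_enabled, findings). Each finding is
    (line number, command text, reason) for a password stored in plaintext,
    i.e. with no encryption-type or with encryption-type 0."""
    lines = config.splitlines()
    encryption_enabled = any(ln.strip() == "service password-encryption" for ln in lines)
    findings: List[Tuple[int, str, str]] = []
    for n, ln in enumerate(lines, 1):
        m = PASSWORD_LINE.match(ln)
        if not m or m.group("type") == "7":
            continue  # not a password command, or already type-7 ciphertext
        findings.append((n, ln.strip(), "plaintext password (encryption-type absent or 0)"))
    return encryption_enabled, findings


if __name__ == "__main__":
    enabled, findings = audit_config(SAMPLE_CONFIG)
    print("service password-encryption configured:", enabled)
    for n, cmd, reason in findings:
        print(f"line {n}: {cmd!r}: {reason}")
```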
Related commands
aaa authentication login
aaa authentication pp