AAA Authentication Configuration Command

aaa authentication enable default

aaa authentication login

aaa authentication password-prompt

aaa authentication ppp

aaa authentication username-prompt

aaa default-username

aaa directed-request

aaa group server

debug aaa authentication

enable password

ppp authentication

ppp chap hostname

ppp chap password

ppp chap refuse

ppp pap sent-username

server

show users

service password-encryption

username

This chapter describes the commands used for configuring AAA authentication methods. Authentication determines the access rights of users before they are allowed to access the network and network services.

Please refer to “Configuration Authentication” for information on how to use the AAA method to configure authentication. Please refer to the “Example” part at the end of the documentation to review examples configured with the commands in this chapter.

 

aaa authentication enable default

The command aaa authentication enable default enables AAA authentication to determine whether a user may access commands of the privileged level. The no format of the command closes the authentication method.

aaa authentication enable default method1 [method2...]

no aaa authentication enable default method1 [method2...]

parameter:

method: At least one of the keywords listed in Form 1.

Default:

If no default is set, the enable password is used for authentication. This has the same effect as the command below.

aaa authentication enable default enable

If an enable password exists in the configuration, that password is used. If no password is set, the final result returned is that authentication succeeds.

Command mode:

global configuration mode

Explanation:

The command “aaa authentication enable default” creates a series of authentication methods that are used to determine whether a user has the right to use the privileged commands. The keyword method is explained in Form 1. Other authentication methods are applied only when the previous authentication method returns an error. If the result of the said authentication method reports that authentication failed, another authentication method is employed. If authentication should still succeed even when all the authentication methods return failure, none can be designated as the last authentication method on the command line.

In addition, when RADIUS or TACACS+ is used for enable authentication, the usernames applied are different. With RADIUS, the username is “$ENABLElevel$”, where “level” refers to the privileged level accessible to the user. With TACACS+, the username is the one used when the user logged on to the router. For the specific configuration, refer to the part “AAA Authentication Configuration” in the document.

 

Form 1 Effective Default Method of AAA Authentication

Key Word          Description
group             The server group is used for authentication.
group-restrict    The server group is used for authentication. But when the user designates a server, the server group is disabled.
enable            The enable password is used for authentication.
line              The line password is used for authentication.
none              Authentication passes unconditionally.
tacacs+           TACACS+ is used for authentication.
radius            RADIUS is used for authentication.

Example:

An authentication list is created in the following example. The list first tries to contact a TACACS+ server. If the TACACS+ server returns an error or no server is found, AAA tries the enable password. If that attempt also returns an error (because no effective password is configured on the server), the user is allowed to access the server without authentication.

aaa authentication enable default tacacs+ enable none

Relevant command:

enable password

 

aaa authentication login

The global configuration command aaa authentication login sets AAA authentication at the time of login. The no format of the command closes AAA authentication.

aaa authentication login {default | list-name} method1 [method2...]

no aaa authentication login {default | list-name} method1 [method2...]

parameter:

default: The authentication methods listed after this parameter are used as the default authentication method list when a user logs in.

list-name: The character string that names the authentication method list. When the user logs in, the methods listed in the authentication method list are activated.

method: At least one of the keywords described in Form 2.

Default:

If no default method list is set, no authentication is made by default. This has the same effect as the command below:

aaa authentication login default none

Command mode:

global configuration mode

Explanation:

The default list or other named list created by the command “aaa authentication login” is applied to a specific line by using the command “login authentication”.

Other authentication methods are used only when the said authentication method returns an error. If the said authentication method returns a failure, no other authentication methods are used. To ensure that authentication succeeds even if all authentication methods return an error, “none” shall be designated as the last method on the command line.

If no authentication is specifically set for a line, no authentication is executed by default.

Form 2 The Registration Method of AAA Authentication

Key Word          Description
enable            The enable password is used for authentication.
group             The server group is used for authentication.
group-restrict    The server group is used for authentication. But when the user designates a server, the server group is disabled.
line              The line password is used for authentication.
local             The database of local user names is used for authentication.
local-case        The database of local user names is used for authentication (case sensitive for user name).
none              No authentication is made.
radius            RADIUS is used for authentication.
tacacs+           TACACS+ is used for authentication.

Example:

An AAA authentication method list named “TEST” is created in the following example. This authentication first tries to contact a TACACS+ server. If TACACS+ returns an error or no server is found, AAA tries the enable password. If that attempt also returns an error (because no enable password is configured on the router), the user is allowed to access the network without authentication.

aaa authentication login TEST tacacs+ enable none

The Example below creates the same list, but as the default list. If no other list is designated, this list is used for all login authentication.

aaa authentication login default tacacs+ enable none
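The rule stated in this section for login method lists (an error moves on to the next method, a failure stops the polling, none always succeeds) is modelled in the following added example, which is not part of the original documentation and is not the vendor's code. The Result enum, the list name STRICT and the sample configuration are constructed for illustration, and treating a method with no simulated result as an error is an assumption of the model.

```python
# Added example, not vendor code: the method-list rule stated for login lists.
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method rejected the user
    ERROR = "error"  # the method could not decide (server unreachable, nothing configured)


def parse_method_list(line):
    """Parse 'aaa authentication <login|ppp|enable> <default|list-name> method1 [method2...]'.

    Returns (service, list_name, methods); raises ValueError for any other line.
    """
    tokens = line.split()
    if len(tokens) < 5 or tokens[:2] != ["aaa", "authentication"]:
        raise ValueError("not a method list: %r" % line)
    service, list_name, methods = tokens[2], tokens[3], tokens[4:]
    if service not in ("login", "ppp", "enable"):
        raise ValueError("not a method list: %r" % line)
    return service, list_name, methods


def evaluate(methods, outcomes):
    """Poll the methods in configured order and return (granted, deciding_method).

    outcomes maps a method keyword to the Result it would return. A method
    missing from the map is treated as ERROR (assumption of this model).
    """
    for method in methods:
        if method == "none":
            return True, "none"        # 'none' lets the user in without any check
        result = outcomes.get(method, Result.ERROR)
        if result is Result.PASS:
            return True, method
        if result is Result.FAIL:
            return False, method       # a failure ends the polling
        # Result.ERROR: continue with the next method in the list
    return False, None                 # every method returned an error


def audit(config_text):
    """List the method lists that can admit a user without authentication."""
    findings = []
    for raw in config_text.splitlines():
        try:
            service, list_name, methods = parse_method_list(raw.strip())
        except ValueError:
            continue                   # other commands, e.g. the prompt settings
        if "none" not in methods:
            continue
        before = methods[:methods.index("none")]
        if before:
            why = "grants access without authentication after an error from " + ", ".join(before)
        else:
            why = "grants access without any authentication"
        findings.append("%s list %s: %s" % (service, list_name, why))
    return findings


# Constructed sample configuration; STRICT is a hypothetical list name.
SAMPLE_CONFIG = """\
aaa authentication login default tacacs+ enable none
aaa authentication login STRICT tacacs+ local
aaa authentication ppp TEST tacacs+ none
aaa authentication password-prompt YourPassword:
"""

if __name__ == "__main__":
    methods = parse_method_list("aaa authentication login TEST tacacs+ enable none")[2]
    # TACACS+ unreachable and no enable password configured: both return an error.
    print(evaluate(methods, {"tacacs+": Result.ERROR, "enable": Result.ERROR}))
    # TACACS+ rejects the user: polling stops and the enable password is never tried.
    print(evaluate(methods, {"tacacs+": Result.FAIL}))
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```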

Relevant command:

aaa authentication password-prompt

The global configuration command “aaa authentication password-prompt” should be used for changing the text displayed to prompt for the user password. The no format of the command can be employed for reusing the default password prompt text.

aaa authentication password-prompt text-string

no aaa authentication password-prompt text-string

parameter:

text-string: The text displayed to prompt the user at the time of password input.

Default:

When the user-defined text-string is not used, the password prompt is “Password”.

Command mode:

global configuration mode

Explanation:

The command “aaa authentication password-prompt” changes the default text displayed to prompt for the user password. The command changes not only the password prompt of the enable password but also the password prompt of the login password. The no format of the command restores the password prompt to the default value:

Password:

The command “aaa authentication password-prompt” does not change any prompting information provided by remote TACACS+ or RADIUS server.

Example:

The following Example will change the password prompt to YourPassword:

aaa authentication password-prompt YourPassword:

Relevant command:

aaa authentication username-prompt

enable password

aaa authentication ppp

The global configuration command “aaa authentication ppp” can be used for designating one or multiple AAA authentication methods used on serial interfaces running PPP. The no format of the command is used for closing authentication.

aaa authentication ppp {default | list-name} method1 [method2...]

no aaa authentication ppp {default | list-name} method1 [method2...]

parameter:

default: The authentication method list following this parameter is used as the default authentication method list when a user logs in.

list-name: The character string that names the authentication method list.

method1 [method2...]: At least one of the methods described in Form 3.

Default:

If no default is set, the database of local users shall be examined for authentication. It has the same effect as the command below:

aaa authentication ppp default local

Command mode:

global configuration mode

Explanation:

The default list and named lists created by the command “aaa authentication ppp” are used in the command ppp authentication. These lists contain four authentication methods at most. These authentication methods are used when the user connects to the serial interface.

A list is created by the command aaa authentication ppp list-name method, in which list-name is any character string naming the list. The parameter method designates the specific authentication methods. These methods are used in the authentication process in the sequence in which they are configured. Four methods can be entered at most. The keywords of the methods are described in Form 3.

Only when the said authentication method feeds back error will other authentication methods be used. Should the said authentication method feed back the failure, no other authentication methods will be used. “none” shall be designated as the last method of the command line to ensure the success of authentication even if all the authentication methods feed back error.

Form 3 PPP Method of AAA Authentication

Key Word          Description
group             The server group is used for authentication.
group-restrict    The server group is used for authentication. But when the user designates a server, the server group is disabled.
local             The database of local user names is used for authentication.
local-case        The database of local user names is used for authentication (case sensitive for user name).
none              No authentication is made.
radius            RADIUS is used for authentication.
tacacs+           TACACS+ is used for authentication.

Example:

An AAA authentication method list named “TEST” is created in the following example for serial lines using PPP. This authentication first tries to contact a TACACS+ server. If an error is returned, the user is allowed to access the network without authentication.

aaa authentication ppp TEST tacacs+ none

Relevant command:

ppp authentication

aaa authentication username-prompt

The global configuration command “aaa authentication username-prompt” can be used for changing the text displayed to prompt for the user name. The no format of the command is used for restoring the default username prompt string.

aaa authentication username-prompt text-string

no aaa authentication username-prompt text-string

parameter:

text-string: The text displayed to prompt the user at the time of the user name input.

Default:

When there is no user-defined text-string, the prompting character string of the user name is Username.

Command mode:

global configuration mode

Explanation:

The command “aaa authentication username-prompt” is used for changing the displayed character string prompting for the user name. The no format of the command restores the username prompt to the default value:

Username:

Some protocols (such as TACACS+) are able to override the local username prompt. Under such circumstances, the command “aaa authentication username-prompt” does not change the username prompt string.

Note: The command “aaa authentication username-prompt” does not change any prompting information provided by a remote TACACS+ server.

Example:

The following Example will change the prompt of username into the displayed character string.

aaa authentication username-prompt YourUsernam:

Relevant command:

aaa authentication password-prompt

aaa default-username

When the user is not authenticated, a default username will be set for the user. The command below can be used for changing the character string used by the default username. The “no” format of the command can be used to restore its default value.

aaa default-username username

no aaa default-username

parameter:

username: Character string of the default username.

Default:

Under the default status, the default name is DEFAULT

Command mode:

global configuration mode

Explanation:

If a user who has not been authenticated carries out an operation that requires authorization and the default username is used, the services available to the user are limited to the authority corresponding to the default username.

Example:

The following Example changes the default username into default-user.

aaa default-username default-user

Relevant command:

aaa directed-request

The command “aaa directed-request” allows the user to designate the AAA server to be used first by means of the format username@host-ip-address. The “no” format of the command can be used to forbid this form.

aaa directed-request [no-truncate]

no aaa directed-request

parameter:

no-truncate: Uses @host-ip-address as a part of the username instead of truncating it from the username.

Default:

By default, designating the server to be used first in this way is not allowed.

Command mode:

global configuration mode

Explanation:

Example:

The Example below allows use of the form of @host-ip-address to designate the AAA Server preferred to be used first, but @host-ip-address is not used as a part of the username.

aaa directed-request

 

aaa group server

The command below enters the server group configuration level to support the configuration of an AAA server group. The “no” format of the command is used to delete the configured server group.

aaa group server radius group-name

no aaa group server radius group-name

parameter:

group-name: Character string of the name of the server group

Default:

no server Group

Command mode:

global configuration mode

Explanation:

Enter the server group configuration level by using the command, then add the corresponding servers to the group.

Example:

aaa group server radius radius-group

The said command adds a RADIUS server group named “radius-group”.

Relevant command:

server

 

debug aaa authentication

The command “debug aaa authentication” can be used for tracing the authentication process of the user. The no format of the command is used to close the debug information.

debug aaa authentication

no debug aaa authentication

parameter:

Default:

Closing debug information

Command mode:

Supervisor mode

Explanation:

The command can be used for tracing the authentication process of each user to find out the cause of the failure of authentication.

Example:

The Example below will open the debug information of authentication:

router#debug aaa authentication

AAA: Authen start (0x1f74208), user=, authen_type=ASCII, priv=0, method-list=default

AAA: Use authen method LOCAL (0x1f74208).

AAA: Authen CONT, need username.

AAA: Authen CONT, need password.

AAA: Authen ERROR (0x1f74208)! Use next method.

AAA: Authen FAIL(0x1f74208)! Method-list polling finish.

Output Information                                                               Explanation
Authen start (0x1f74208), user=, authen_type=ASCII, priv=0, method-list=default  When the authentication starts, the username is unknown. ASCII is employed for authentication. The privileged level required for the user’s access is 0. The default authentication method list is used. UserID = 0x1f74208.
Use authen method LOCAL (0x1f74208)                                              The local authentication method is used. UserID = 0x1f74208.
Authen CONT, need username                                                       Inquiring username.
Authen CONT, need password                                                       Inquiring password.
Authen ERROR (0x1f74208)! Use next method                                        The local method cannot complete the authentication; the next authentication method in the method list is used.
Authen FAIL(0x1f74208)! Method-list polling finish                               After all the authentication methods have been polled, the authentication fails here.
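A parser for the debug output format shown in this section, given here as an added example (it is not the vendor's code): it groups the lines by the ID in parentheses and reports which authentication attempts ended in FAIL. Only the line types that appear in this chapter are recognised, and attaching the CONT lines, which carry no ID, to the most recently seen ID is an assumption.

```python
# Added example, not vendor code: summarise "debug aaa authentication" output.
import re

# The six output lines shown in this chapter's example.
SAMPLE_LOG = """\
AAA: Authen start (0x1f74208), user=, authen_type=ASCII, priv=0, method-list=default
AAA: Use authen method LOCAL (0x1f74208).
AAA: Authen CONT, need username.
AAA: Authen CONT, need password.
AAA: Authen ERROR (0x1f74208)! Use next method.
AAA: Authen FAIL(0x1f74208)! Method-list polling finish.
"""

ID = r"\((0x[0-9a-fA-F]+)\)"
START = re.compile(r"^AAA: Authen start " + ID +
                   r", user=([^,]*), authen_type=([^,]*), priv=(\d+), method-list=(\S+)$")
METHOD = re.compile(r"^AAA: Use authen method (\S+) " + ID)
CONT = re.compile(r"^AAA: Authen CONT, need (\w+)")
ERROR = re.compile(r"^AAA: Authen ERROR\s*" + ID)
FAIL = re.compile(r"^AAA: Authen FAIL\s*" + ID)


def _session(sessions, sid):
    """Return the record for sid, creating it if its start line was not captured."""
    return sessions.setdefault(sid, {
        "user": None, "authen_type": None, "priv": None, "method_list": None,
        "methods": [], "prompts": [], "errors": 0, "result": None,
    })


def parse_debug(text):
    """Return (sessions, unparsed): sessions keyed by ID, plus unrecognised lines."""
    sessions, unparsed, last_id = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = START.match(line)
        if m:
            last_id = m.group(1)
            rec = _session(sessions, last_id)
            rec.update(user=m.group(2), authen_type=m.group(3),
                       priv=int(m.group(4)), method_list=m.group(5))
            continue
        m = METHOD.match(line)
        if m:
            last_id = m.group(2)
            _session(sessions, last_id)["methods"].append(m.group(1))
            continue
        m = CONT.match(line)
        if m and last_id is not None:
            # Assumption: a CONT line belongs to the most recently seen ID.
            sessions[last_id]["prompts"].append(m.group(1))
            continue
        m = ERROR.match(line)
        if m:
            last_id = m.group(1)
            _session(sessions, last_id)["errors"] += 1
            continue
        m = FAIL.match(line)
        if m:
            last_id = m.group(1)
            _session(sessions, last_id)["result"] = "FAIL"
            continue
        unparsed.append(line)
    return sessions, unparsed


def failed_sessions(sessions):
    """IDs whose method-list polling finished with FAIL, with the methods tried."""
    return [(sid, rec["method_list"], rec["methods"])
            for sid, rec in sessions.items() if rec["result"] == "FAIL"]


if __name__ == "__main__":
    parsed, rest = parse_debug(SAMPLE_LOG)
    for sid, method_list, methods in failed_sessions(parsed):
        print("%s failed on list %s after trying %s" % (sid, method_list, methods))
    print("unrecognised lines:", len(rest))
```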

 

Relevant command:

enable password

The command enable password configures the authentication password of the corresponding privileged level, which is used to authenticate users entering that privileged level. The no format of the command can be used for canceling the password.

enable password { password | [encryption-type] encrypted-password } [level number]

no enable password [level number]

parameter:

password: Plaintext of the character string of the password

encryption-type: The type of password encryption

encrypted-password: Cipher text of the password, corresponding to and limited by encryption-type.

level: The keyword for the privileged level parameter

number: The specific value of the privileged level (1-15)

Default:

none

Command mode:

global configuration mode  

Explanation:

A router password contains no blanks; when the command “enable password” is used and the plaintext of the password is entered directly, no blank shall be entered. The length of the plaintext password cannot exceed 126 characters.

When no level parameter is entered, the default parameter is level 15. The higher the privileged level, the more the authority. If no password is configured for a privileged level, no authentication is made when the user accesses this privileged level.

Currently only two encryption-types are supported by our router system. Their parameters in the command are 0 and 7. 0 means no encryption: the encrypted-password that follows is entered directly as the plaintext of the password, which has the same effect as entering the password parameter directly without an encryption-type. 7 represents an encryption algorithm defined by Our Company: the encrypted cipher text of the password must be entered in the encrypted-password that follows. The cipher text can be copied from other configuration files of the router.

Example:

The password added by the following Example for privileged level 10 is clever. The encryption-type applied is 0, namely the plaintext of password.

enable password 0 clever level 10

The password added by the following Example for the default privileged level (15) is Oscar. The encryption-type applied is 7, namely the encryption method. The cipher text of the password is needed to be entered.

enable password 7 074A05190326

This assumes that the cipher text of Oscar is 074A05190326 and that the value of the cipher text was obtained from the configuration file of another router.

Relevant command:

aaa authentication enable default

service password-encryption

 

ppp authentication

The configuration command “ppp authentication” activates CHAP or PAP (or both protocols) and designates the sequence in which CHAP and PAP authentication are chosen on the interface. The “no” format of the command is used for closing the authentication.

ppp authentication {chap | chap pap | pap chap | pap | ms-chap} [list-name | default] [callin]

no ppp authentication

parameter:

chap         Activates CHAP on the serial interface.
pap          Activates PAP on the serial interface.
chap pap     Activates CHAP and PAP simultaneously. CHAP authentication is made before PAP authentication.
pap chap     Activates CHAP and PAP simultaneously. PAP authentication is made before CHAP authentication.
ms-chap      Activates MS-CHAP on the serial interface.
list-name    (Optional) Used together with AAA to designate the name of the authentication method list to be used. If no name is designated, the system uses the default list. The list is created by the command “aaa authentication ppp”.
default      (Optional) The name of the authentication method list created by the command “aaa authentication ppp”.
callin       Designates authentication for call-in.

Warning: If a method list is used that has not been configured through the command “aaa authentication ppp”, the method “none” is used on the interface running PPP.

 

Default:

Not activating PPP authentication

Command mode:

Interface Configuration mode

Explanation:

When CHAP or PAP authentication is activated (or both are activated), the local router requires the remote equipment to prove its identity before it is allowed to transmit data. PAP authentication requires the remote equipment to send a name and password, which are compared with the entries in the local username database or the matching items in the database of the remote security server. CHAP authentication sends a challenge message to the remote equipment. The equipment encrypts the challenge message with the shared secret key and returns the encrypted value and its name to the local router in its reply packet. The local router matches the returned value and name with the secret that is related to the name of the remote equipment and stored in the local username database or the database of the remote security server. It uses the stored secret key to encrypt the original challenge message and verifies whether the encrypted values match.

PAP and CHAP (or both) can be activated in any sequence. If both methods are activated, the first designated method is requested during link negotiation. If the terminal suggests the second method or rejects the first method, the second method is tried. Some remote equipment supports only CHAP, while other remote equipment supports only PAP. The sequence of the methods shall be chosen based on the ability of the remote equipment to negotiate the suitable method correctly and on the security level required for the data line. The PAP username and password are transmitted in plaintext, so they can be intercepted in transit and reused. CHAP has removed most of the known security loopholes.

The activating or closing of PPP authentication does not affect the capability of local router to authenticate itself to the remote equipment.

If the automatic selection is used on TTY line, the command ppp authentication can be used to open PPP authentication for the corresponding interface.

MS-CHAP is the Microsoft version of CHAP. Like the standard version of CHAP, MS-CHAP is used for PPP authentication. In this case, the authentication is made between a personal computer running Microsoft Windows NT or Microsoft Windows 95 and a router of Our Company or an access server acting as network access server.

 


 

 

Example:

CHAP is activated on the Asynchronous interface in the following Example by using the authentication list of MIS-access:

interface async 4

encapsulation ppp

ppp authentication chap MIS-access
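The CHAP and PAP exchanges described in the explanation of this command, as an added example that is not part of the original documentation or the vendor's code. Where the text speaks of encrypting the challenge, standard CHAP (RFC 1994) computes a one-way MD5 hash over the identifier, the shared secret and the challenge; the PAP packet follows RFC 1334. ISPCorp is the hostname used in this chapter's examples; the secret, the password and the function names are constructed for illustration.

```python
# Added example, not vendor code: CHAP (RFC 1994) next to a PAP request (RFC 1334).
import hashlib
import hmac
import os
import struct

# Constructed sample data: the local username database of the authenticating router.
LOCAL_USERS = {"ISPCorp": b"constructed-shared-secret"}
PAP_PASSWORD = b"ConstructedPass1"   # constructed; letters and digits only


def chap_response(identifier, secret, challenge):
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def new_challenge():
    """Authenticator side: a fresh identifier and an unpredictable challenge per attempt."""
    return os.urandom(1)[0], os.urandom(16)


def chap_verify(users, name, identifier, challenge, response):
    """Authenticator side: recompute the value from the stored secret and compare."""
    secret = users.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)   # constant-time comparison


def pap_authenticate_request(identifier, peer_id, password):
    """RFC 1334 Authenticate-Request: Code=1, Identifier, Length, then
    Peer-ID-Length, Peer-ID, Passwd-Length, Password, all sent unencrypted."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def demo():
    """Run one CHAP exchange, one replay attempt and build one PAP request."""
    secret = LOCAL_USERS["ISPCorp"]

    ident, challenge = new_challenge()                  # local router -> remote
    response = chap_response(ident, secret, challenge)  # remote -> local router
    accepted = chap_verify(LOCAL_USERS, "ISPCorp", ident, challenge, response)

    # The same response presented against the next challenge is rejected,
    # because the expected value depends on the new identifier and challenge.
    ident2, challenge2 = new_challenge()
    replay = chap_verify(LOCAL_USERS, "ISPCorp", ident2, challenge2, response)

    # The PAP request carries the password itself, readable by anyone on the path.
    pap = pap_authenticate_request(1, b"ISPCorp", PAP_PASSWORD)
    return {
        "chap_accepted": accepted,
        "replay_accepted": replay,
        "pap_exposes_password": PAP_PASSWORD in pap,
        "chap_response_length": len(response),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```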

Relevant command:

aaa authentication ppp

username

 

ppp chap hostname

The interface configuration command “ppp chap hostname” is used for creating a group of dial routers that share the same hostname in CHAP authentication. The no format of the command is used for closing the function.

ppp chap hostname hostname

no ppp chap hostname hostname

parameter:

hostname: The name sent in CHAP challenge.

Default:

No effect. The name of router is sent in any CHAP challenge.

Command mode:

Interface Configuration mode

Explanation:

Currently, a router dialing up to a group of access routers needs a username entry for each possible router of the group, because each router makes its query by using its own username. When a router is added to the group of dial routers, all the connected routers have to be updated. The command “ppp chap hostname” designates a common alias name for all the routers of the router group, so only one username needs to be configured on the dialing router. The command is usually used together with local CHAP authentication (at this time the router authenticates the terminal). The command can also be used for remote CHAP authentication.

Example:

The commands in the Example below designate dial interface 0 as the first item of the router group and designate PPP as the encapsulation method used on the interfaces of all the members. The Example illustrates how to use CHAP authentication on received calls. The username ISPCorp is sent in all CHAP challenge and reply packets.

interface dialer 0/0

encapsulation ppp

ppp authentication chap callin

ppp chap hostname ISPCorp

Relevant command:

aaa authentication ppp

ppp authentication

ppp chap password

ppp chap refuse

 

ppp chap password

The interface configuration command “ppp chap password” is used for setting a CHAP secret password on a router that calls a router group which does not support this command; the password is used in response to the challenge of an unknown terminal. The no format of the command can be used for closing the password of PPP CHAP.

ppp chap password secret

no ppp chap password secret

parameter:

secret: The secret password used for computing the response value to a CHAP challenge sent by an unknown terminal.

Default:

none

 

Command mode:

Interface Configuration mode

Explanation:

The command allows a single copy of it on any dial interface or Asynchronous group interface to replace the configuration of several usernames and passwords.

The command is only used in the remote CHAP authentication (at this time router authenticates the terminal) and does not affect local CHAP authentication.

Example:

The command in the Example below designates the number of ISDN BRI as 0. The encapsulation method on the interface is PPP. If CHAP challenge is received on the terminal and the name of the terminal is not found in the global username list, the encrypted secret key 7 1234567891 is decrypted and is used to create a CHAP response value.

interface bri 0/0

encapsulation ppp

ppp chap password 1234567891

Relevant command:

aaa authentication ppp

ppp authentication

ppp chap hostname

ppp chap refuse

 

ppp chap refuse

The interface configuration command ppp chap refuse shall be used for refusing the request of the terminal requiring CHAP authentication. The “no” format of the command shall be used for allowing CHAP authentication.

ppp chap refuse [callin]

no ppp chap refuse [callin]

parameter:

callin: (Optional) The keyword instructs the router to refuse to reply to CHAP authentication challenges, while it still requires the terminal to answer any CHAP challenge sent by the router.

Default:

none

Command mode:

Interface Configuration mode

Explanation:

The command closes CHAP authentication for all calls, which means that every attempt by a terminal to force the user to authenticate by using CHAP is refused. When the keyword “callin” is used, CHAP authentication is closed for calls from the terminal while it is still executed for calls to the terminal.

If the outbound PAP is activated (by using the command ppp pap sent-username), PAP will be recommended as the authentication method in the reject packet.

Example:

The command in the Example below designates the number of ISDN BRI as 0. The encapsulation method of the interface is PPP. The Example closes CHAP authentication request of the terminals calling for CHAP authentication.

interface bri 0/0

encapsulation ppp

ppp chap refuse

Relevant command:

aaa authentication ppp

ppp authentication

ppp chap hostname

 

ppp pap sent-username

The interface configuration command “ppp pap sent-username” can be used for reactivating the remote PAP support for an interface and using the sent-username and password in the PAP authentication request packet sent to the terminal. The no format of the command is used for closing remote PAP support.

ppp pap sent-username username password password

no ppp pap sent-username

parameter:

username: The username sent in the PAP authentication request

password: It must include 1 to 25 capital letters, small letters or digital characters

Default:

Closing remote PAP support.

Command mode:

Interface Configuration mode

 

Explanation:

The commands are used for reactivating remote PAP support (for example, replying to request of the terminal for PAP authentication) and designating the parameters used for sending PAP authentication request.

Example:

The command in the Example below identifies the dial interface 0 as the start of rotary dial group and designates PPP as the encapsulation method of the interface. CHAP or PAP is used for authentication only when the call is received. If the terminal requires the router to carry out the authentication by using PAP, ISPCorp will be sent to the terminal as the username.

interface dialer 0/0

encapsulation ppp

ppp authentication chap pap callin

ppp chap hostname ISPCorp

ppp pap sent-username ISPCorp password fjhfeu

Relevant command:

aaa authentication ppp

ppp authentication

ppp chap hostname

ppp chap refuse

ppp chap password

 

server

The command is used for adding a server in an AAA server group. The “no” format of the command is used for deleting a server.

server A.B.C.D

no server A.B.C.D

parameter:

A.B.C.D: IP address of the server

Default:

no server

Command mode:

Server Group Configuration Mode

Explanation:

20 different servers can be added to a server group at most.

Example:

server 12.1.1.1

The above command is used for adding the server whose address is 12.1.1.1 to server group.

Relevant command:

aaa group server  

 

show users

The command “show users” can be used for showing the summary information of all the on-line users.

show users

parameter:

Default:

Command mode:

Supervisor mode

Explanation:

The command is used for showing all the on-line users, including the information below: port, username, service type, authentication method, time online and IP peer address.

Example:

#show users

Port User Service Auth_Meth Time Peer-address

===============================================================

0 someone exec unknown 2d06h01m(m) unknown

2 admin  ppp local 2d01h10m(m) 192.168.30.87

Field           Explanation
Port            The index number of the Vty or the ID of the interface where the user is located.
User            Character string of the username.
Service         The service requested by the user.
Auth_Meth       The method through which the user obtained authentication.
Time            The time the user has been online.
Peer-address    IP address of the remote host where the user is located.

Relevant command:

username

 

service password-encryption

The command can be used for encrypting the relevant password in the system. The “no” format of the command can be used for canceling the encryption of the new set password.  

service password-encryption

no service password-encryption

parameter:

Default:

The password in the system is not encrypted.

Command mode:

global configuration mode  

Explanation:

In the current implementation of the router system of Our Company, the command relates to three commands: “username password”, “enable password” and “password”. If the command is not configured (the default) and the passwords in those three commands are stored in plaintext, the plaintext of the configured passwords is shown by the command “show running-config”. Once the command is configured, the passwords configured in those three commands are encrypted, and their plaintext is no longer shown by “show running-config”. The command “no service password-encryption” cannot restore the plaintext display of a password, so confirm the configured passwords before using the command to encrypt them. The command “no service password-encryption” takes effect only for passwords configured after it is used; it has no effect on passwords that were already encrypted before it is used.

 

Example:

router_config#service password-encryption

The command encrypts the plaintext passwords that are already configured and also encrypts plaintext passwords configured after the command is used.

Relevant command:

username username password

enable password

password

 

username

The command adds a user to the local user database, which is used for local-method authentication and authorization. The “no” format of the command deletes the corresponding user.

username username [password { password | [encryption-type] encrypted-password }] [trust-host ip_address] [user-maxlinks number] [callback-dialstring string] [callback-line line] [callback-rotary rotary] [nocallback-verify] [autocommand command]

no username username

parameter:

username: Character string of the user name

password: The password corresponding to the user

password: Plaintext character string of the password

encryption-type: The type of password encryption

encrypted-password: The ciphertext of the password corresponding to the encryption type specified by encryption-type

trust-host: The trust-host corresponding to the user

ip_address: IP address of the trust-host; authentication can be passed only when the user logs in to the router from this host

user-maxlinks: The maximum number of links to the router that the same user can create at the same time (only users who pass local authentication are counted)

number: The number of links created at the same time

callback-dialstring: The telephone number to call back

string: Character string of the telephone number

callback-line: The line used for callback

line: Line number

callback-rotary: Callback rotary configuration

rotary: Rotary number

nocallback-verify: Callback is not verified

autocommand: When the user logs in to the router, the designated command is executed automatically

command: Character string of the command to be executed automatically

 

Default:

No user

Command mode:

global configuration mode

Explanation:

When the password parameter is omitted, the password is interpreted as a null character string. The trust-host binds the user to a specific host. When the user logs in to the router from another host, the user will have the “none” method to pass the authentication. “user-maxlinks” limits the number of sessions the same user can set up with the router at the same time. However, a session of the user that is not authenticated by the local authentication method is not counted. The command “show users” can be used to check which authentication method each user passed.

Passwords in the router configuration of Our Company contain no blanks; that is, when the command “enable password” is used and the plaintext of the password is entered directly, no blank may be entered.

Currently only two encryption types are supported by our router system; the corresponding parameter values are 0 and 7. 0 means no encryption: the plaintext of the password is entered directly in the encrypted-password that follows, which has the same effect as entering the password parameter directly without an encryption-type. 7 represents an algorithm defined by Our Company for encryption: the encrypted ciphertext of the password must be entered in the encrypted-password that follows. The ciphertext can be copied from other configuration files of the router.

Example:

In the example below a local user is added. The username is someone and the password is someother.

username someone password someother

In the example below a local user is added. The username is Oscar and the password is Joan. The encryption type applied is 7, so the ciphertext of the password must be entered.

username Oscar password 7 1105718265

It is assumed here that the ciphertext of Joan is 1105718265; the value of the ciphertext is obtained from the configuration files of other routers.
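The rules described above for service password-encryption and username (a missing password parameter means a null password, no encryption-type or type 0 means plaintext, type 7 means ciphertext) can be checked against a saved configuration. The script below is an added example, not code from the original manual or the vendor; SAMPLE_CONFIG, password_state and audit are hypothetical names, and the sample configuration is constructed.

```python
# Added example: audit a saved configuration for weak local password storage.
# SAMPLE_CONFIG is constructed for illustration, not taken from a real device.
SAMPLE_CONFIG = """\
username someone password someother
username Oscar password 7 1105718265
username guest
username ops password 0 Winter2024 user-maxlinks 2
enable password 7 1105718265
"""

# Option keywords that may follow the password in the "username" syntax.
OPTIONS = {"trust-host", "user-maxlinks", "callback-dialstring", "callback-line",
           "callback-rotary", "nocallback-verify", "autocommand"}

def password_state(tokens):
    """Classify the tokens that follow the 'password' keyword."""
    if not tokens or tokens[0] in OPTIONS:
        return "null"
    # An encryption-type only counts when a password value follows it.
    if tokens[0] in ("0", "7") and len(tokens) > 1 and tokens[1] not in OPTIONS:
        return "plaintext" if tokens[0] == "0" else "type7"
    return "plaintext"  # no encryption-type: same effect as type 0

def audit(config):
    """Return (subject, issue) findings for one configuration text."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "service password-encryption" not in lines:
        findings.append(("global", "service password-encryption not configured"))
    for line in lines:
        tok = line.split()
        if tok[0] == "username" and len(tok) > 1:
            subject = "user " + tok[1]
            state = password_state(tok[3:]) if tok[2:3] == ["password"] else "null"
        elif tok[:2] == ["enable", "password"]:
            subject, state = "enable", password_state(tok[2:])
        else:
            continue
        if state == "plaintext":
            findings.append((subject, "password stored in plaintext"))
        elif state == "null":
            findings.append((subject, "null password"))
    return findings

if __name__ == "__main__":
    for subject, issue in audit(SAMPLE_CONFIG):
        print(f"{subject}: {issue}")
```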

Relevant command:

aaa authentication login

aaa authentication pp