UNCLASSIFIED Implementing Security on Cisco Routers  Version 1.0g  UNCLASSIFIED 143

For more information about AAA accounting, including RADIUS and TACACS+ attributes, see the Security Configuration Guide.

Method Lists

Method lists are used to specify one or more security protocols or mechanisms for AAA.  Method lists also specify the sequence in which the security mechanisms should be used.  These lists can be used to provide backup mechanisms for when the primary security method is unavailable.  For AAA the Cisco IOS software will use the first method listed to perform the authentication, authorization, or accounting as appropriate.  If the Cisco IOS software is unable to complete the task because it cannot communicate with the security server or mechanism, then the Cisco IOS will try the next method in the list.  This continues until a listed method answers or the list is exhausted.  If the list is exhausted then the AAA operation fails: in the case of authentication and authorization the user will be denied access; in the case of accounting the auditing event will not be recorded, except for wait-start accounting, which will also deny the user access to the service.

Note: a negative response from an available security server (for example, a RADIUS or TACACS+ reject) will also deny access in the case of authentication and authorization, and the next method in the list will not be attempted.  Only a failure to communicate with the server causes the next method to be tried.

Method lists can be given a specific name or can use the keyword default.  When a method list is specified using the default keyword the list will be automatically applied to all the appropriate interfaces and lines.  Named method lists can then be defined and applied to a particular interface or line to override the default behavior.  This also means that a named method list will have no effect on an interface or line unless it has been applied to it.
Methods requiring only a password should never be placed ahead of methods requiring a username and password, since the user will never be prompted for a username.  A special case seems to exist for the local database: if the username does not exist in the local database, the next method in the list will be attempted.  (RADIUS, TACACS+, and Kerberos security servers will deny access if the username does not exist and the server is available.)

The following example shows a named method list for AAA authentication, and default lists for authorization and accounting for network traffic:

    aaa authentication login remoteauthen radius local
    aaa authorization network default radius local
    aaa accounting network default start-stop radius

4.6.2.  Router Access Control

The previous section introduced authentication, authorization, and accounting mechanisms and how method lists are used to define the security protocol to use for a service.  This section will cover details of configuring AAA for controlling access to the router.  Section 4.6.3 briefly covers a dial-in user example.  Cisco's ACS Version 2.3 was used for testing RADIUS and TACACS+ security servers.  Section 4.6.4 describes security server protocols in more detail.
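The following configuration extends the method-list example above to router login access, as an added illustration that is not taken from the guide.  It shows the two behaviors the Method Lists section describes: a default list that applies to every line automatically, and a named list (remoteauthen) that has no effect until it is assigned to a line.  The RADIUS server address, the shared secret, the local fallback account name and its password, and the list name consoleauth are assumed values chosen for the example.

```cisco
! Added example (not from the guide).  Server address, shared secret and the
! local account are assumed values.
aaa new-model
!
! Security server the method lists below refer to (assumed address and key).
radius-server host 14.2.9.6 key Rout3rK3y
!
! Local fallback account.  Consulted only when no RADIUS server answers;
! never consulted when a reachable RADIUS server rejects the user.
username fallback privilege 15 secret Loc@lF@llb@ck
!
! Default login list: applied automatically to every line that has no
! named list assigned.  RADIUS first, local database only on server failure.
aaa authentication login default radius local
!
! Named list from the example above.  Defining it changes nothing until it
! is applied to a line with "login authentication remoteauthen".
aaa authentication login remoteauthen radius local
!
! Console-only list (assumed name): local authentication so that an
! out-of-band recovery login never depends on reaching the RADIUS server.
aaa authentication login consoleauth local
!
! Default lists for EXEC authorization and accounting; these apply to all
! lines without being assigned explicitly.
aaa authorization exec default radius local
aaa accounting exec default start-stop radius
!
line con 0
 login authentication consoleauth
line vty 0 4
 login authentication remoteauthen
```

With this configuration a VTY login is checked against RADIUS; if the server is unreachable the local database is used, and if the server is reachable but rejects the user, access is denied without trying the local database, exactly as the note above describes.  Because "local" is listed last rather than first, a user missing from the local database is not silently passed along to RADIUS before the server has been asked.  The aux line, which has no named list assigned, picks up the default list.  Later IOS releases that support AAA server groups express the same lists with "group radius" and "group tacacs+" in place of the bare "radius" and "tacacs+" keywords used here.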