Cisco CCNA (640-553) Security Training

Using the “aaa authentication ppp” command

By Charles Ross CCNA - CCNP #CSCO10444244

In today’s article, I’m going to quickly inform you about the Cisco IOS global configuration mode command named “aaa authentication ppp”. 

CCNA’s (like you) use the “aaa authentication ppp” command to indicate one or more

authentication methods for use on serial interfaces that are running the Point-to-Point Protocol or PPP,

In other words, if you have serial interfaces that are running PPP; you can use the “aaa authentication ppp” global configuration command to specify which AAA authentication methods the router will use.

Below is the command’s syntax:

aaa authentication ppp {default | list-name} method1 [method2...]

As you can see, the keyword “default” is also used. The “default” keyword is used to inform the router that all authentication methods that follow are to be used as the default authentication methods when users attempt login.

Also, notice that the command can use the “list-name” argument; this argument is the name of the list of authentication methods tried when a user attempts login.

If you decide, to use the command like you see below:

Router(config)#aaa authentication ppp default 

The router will only use (check) its local user database for authentication of (ppp) users.

Below are the most current aaa authentication methods (keywords) that can be used:

• if-needed – Use this keyword, if you want to tell the router to don’t authenticate; if the user has already been authenticated on a tty line.

• Krb5 – Use this keyword, if you want the router to use Kerberos 5 for authentication; (but remember this keyword can only be used when using the Password Authentication Protocol or PAP).

• local – Use this keyword, if you want the router to use its local user database for authentication.

• local-case – Use this keyword, if you want the router to use case-sensitivity for local username authentication.

• none – Use this keyword, if you want the router to not provide any authentication at all.

• cache group-name – Use this keyword, if you want the router to use a cache server group for authentication.

• group-radius – Use this keyword, if you want the router to use the list of all RADIUS servers for authentication.

• group tacacs+ -- Use this keyword, if you want the router to use the list of all TACACS+ servers for authentication.

• group group-name – Use this keyword, if you want the router to use a subset of RADIUS and TACACS+ servers for authentication.

Remember, if you need to use more than one authentication method (keyword); the router will not use those additional authentication methods in sequence, unless the first method returns an error, not if it fails. Also, the maximum number of authentication methods (keywords) you can use is 4 (four). 

And, like with mostly all Cisco IOS commands; you can use the word “no” in front of the command to remove (disable) the configured command; like you see below:

Router(config)#no aaa authentication ppp default 

And, to use the “aaa authentication ppp” command your router(s) must be running Cisco IOS 12.0(5)T or higher.

I hope this article was very informative and helped you quickly understand the usage of the aaa authentication ppp command. If you need to learn more; I suggest you visit my website, (www.ccnaittechtips.com) were you’ll find the latest information regarding the Cisco CCNA (640-553) Security exam techniques.

To your success,

Charles Ross

CCNA- CCNP #CSCO10444244

http://www.ccnaittechtips.com