11.17. AAA Commands

11.17.1. aaa new-model

Command Purpose

Use this command to enable the authentication, authorization, accounting (AAA) access control model.

Use the no form of this command to disable the AAA model.

Prerequisites

Platform    Software    License    Comments
===========================================
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

aaa new-model

no aaa new-model

Command Mode

Global Config

Default

None

Usage

Enables the AAA access control model.

Examples

The following example shows how to enable AAA access control model:

Switch# configure terminal
Switch(config)# aaa new-model

11.17.2. aaa authentication login

Command Purpose

Use this command to set authentication, authorization, accounting (AAA) authentication at login.

Use the no form of this command to disable authentication at login.

Prerequisites

Platform    Software    License    Comments
===========================================
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

aaa authentication login ( default | LISTNAME ) { enable | line | none | radius | local | tacacs-plus }

no aaa authentication login ( default | LISTNAME )

Parameter      Parameter Description                   Parameter Value
=======================================================================
default        Default method list                     -
LISTNAME       An authentication list with this name   String with up to 31 characters
enable         Enable password                         -
line           Line password                           -
none           No authentication                       -
radius         RADIUS server                           -
local          Local username                          -
tacacs-plus    TACACS+                                 -

Command Mode

Global Config

Default

None

Usage

Use the aaa authentication login Global Config command to specify one or more AAA methods for use on ports running IEEE 802.1x.

Examples

The following example shows how to set authentication at login:

Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authentication login default local radius none

Related Commands

show aaa method-lists authentication

11.17.3. aaa authorization exec

Command Purpose

Set authentication, authorization, accounting (AAA) authorization at login.

Prerequisites

Platform    Software    License    Comments
===========================================
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

aaa authorization exec ( default | LISTNAME ) { none | radius | local | tacacs-plus }

no aaa authorization exec ( default | LISTNAME )

Parameter      Parameter Description                   Parameter Value
=======================================================================
default        Default method list                     -
LISTNAME       An authorization list with this name    String with up to 31 characters
none           No authorization                        -
radius         RADIUS server                           -
local          Local username                          -
tacacs-plus    TACACS+                                 -

Command Mode

Global Config

Default

None

Usage

Use the aaa authorization exec Global Config command to specify one or more AAA authorization methods for use on ports running IEEE 802.1x.

Examples

The following example shows how to set authorization at login:

Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authorization exec default local radius none

Related Commands

None

11.17.4. aaa accounting exec

Command Purpose

Set authentication, authorization, accounting (AAA) accounting at login.

Prerequisites

Platform    Software    License    Comments
===========================================
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

aaa accounting exec ( default | LISTNAME ) ( ( ( start-stop | stop-only ) { radius | tacacs-plus } ( none | ) ) | none )

no aaa accounting exec ( default | LISTNAME )

Parameter      Parameter Description                                                              Parameter Value
=================================================================================================================
default        Default method list                                                                -
LISTNAME       An accounting list with this name                                                  String with up to 31 characters
start-stop     Send exec accounting start and stop requests when logging in to and exiting the switch   -
stop-only      Send only an exec accounting stop request when exiting the switch                  -
none           No accounting                                                                      -
radius         RADIUS server                                                                      -
tacacs-plus    TACACS+                                                                            -

Command Mode

Global Config

Default

None

Usage

Use the aaa accounting exec Global Config command to specify one or more AAA accounting methods for use on ports running IEEE 802.1x.

Examples

The following example shows how to set accounting exec:

Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa accounting exec default start-stop tacacs-plus none

Related Commands

None

11.17.5. aaa accounting commands

Command Purpose

Set authentication, authorization, accounting (AAA) accounting at login.

Prerequisites

Platform    Software    License    Comments
===========================================
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

aaa accounting commands ( default | LISTNAME ) ( ( tacacs-plus ( none | ) ) | none )

no aaa accounting commands ( default | LISTNAME )

Parameter      Parameter Description               Parameter Value
===================================================================
default        Default method list                 -
LISTNAME       An accounting list with this name   String with up to 32 characters
none           No accounting                       -
tacacs-plus    TACACS+                             -

Command Mode

Global Config

Default

None

Usage

Use the aaa accounting commands Global Config command to specify one or more AAA accounting methods for use on ports running IEEE 802.1x.

Examples

The following example shows how to set accounting commands:

Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa accounting commands default tacacs-plus none

Related Commands

None

11.17.6. aaa privilege mapping

Command Purpose

Set the mapping range in AAA server and switch.

Prerequisites

Platform    Software    License    Comments
===========================================
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

aaa privilege mapping LEVEL1 LEVEL2 LEVEL3

no aaa privilege mapping

Parameter    Parameter Description                                                   Parameter Value
====================================================================================================
LEVEL1       Highest server privilege that maps to switch level 1 (default 0)        0-12
LEVEL2       Highest server privilege that maps to switch level 2 (default 1)        1-13
LEVEL3       Highest server privilege that maps to switch level 3 (default 10)       2-14

Command Mode

Global Config

Default

0: Server privilege 0 maps to switch level 1

1: Server privilege 1 maps to switch level 2

9: Server privileges 2~9 map to switch level 3

Other: Server privileges 10~15 map to switch level 4

Usage

Use the aaa privilege mapping Global Config command to set the mapping range in AAA server and switch.

Examples

The following example shows how to set privilege mapping:

Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa privilege mapping 0 1 14
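The mapping rule above, modelled as an added Python example (not code from the switch or its documentation); it assumes that each LEVELn is the highest server privilege that maps to switch level n, that the three values must be strictly increasing, and that server privileges above LEVEL3 map to switch level 4.

```python
# Added example (not from the switch documentation): models the semantics of
# "aaa privilege mapping LEVEL1 LEVEL2 LEVEL3" as described above.
# Assumption: LEVELn is the highest server privilege (0-15) that maps to
# switch level n; anything above LEVEL3 maps to switch level 4.
from typing import Dict, List, Tuple

SERVER_PRIV_MAX = 15
DEFAULT_MAPPING = (0, 1, 10)                 # documented defaults
ALLOWED = ((0, 12), (1, 13), (2, 14))        # documented ranges LEVEL1..3


def validate_mapping(level1: int, level2: int, level3: int) -> Tuple[int, int, int]:
    """Reject values outside the documented ranges; the ordering rule is an assumption."""
    levels = (level1, level2, level3)
    for idx, (value, (lo, hi)) in enumerate(zip(levels, ALLOWED), start=1):
        if not lo <= value <= hi:
            raise ValueError(f"LEVEL{idx}={value} is outside {lo}-{hi}")
    if not level1 < level2 < level3:
        raise ValueError("LEVEL1 < LEVEL2 < LEVEL3 is required")
    return levels


def switch_level(server_priv: int, mapping=DEFAULT_MAPPING) -> int:
    """Map one server privilege (0-15) to a switch level (1-4)."""
    if not 0 <= server_priv <= SERVER_PRIV_MAX:
        raise ValueError("server privilege must be 0-15")
    for level, upper in enumerate(validate_mapping(*mapping), start=1):
        if server_priv <= upper:
            return level
    return 4                                  # above LEVEL3: highest switch level


def mapping_table(mapping=DEFAULT_MAPPING) -> List[Tuple[str, int]]:
    """Summarise the mapping the way 'show aaa privilege mapping' prints it:
    one (server privilege range, switch level) row per switch level."""
    rows: Dict[int, List[int]] = {}
    for priv in range(SERVER_PRIV_MAX + 1):
        rows.setdefault(switch_level(priv, mapping), []).append(priv)
    table = []
    for level in sorted(rows):
        privs = rows[level]
        label = str(privs[0]) if len(privs) == 1 else f"{privs[0]}~{privs[-1]}"
        table.append((label, level))
    return table
```

With the documented defaults, mapping_table() reproduces the rows of show aaa privilege mapping; a value that fails validate_mapping would be rejected before any server privilege could be promoted.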

Related Commands

None

11.17.7. login authentication

Command Purpose

Enable authentication, authorization, accounting (AAA) authentication for logins.

Prerequisites

Platform    Software    License    Comments
===========================================
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

login authentication ( default | LISTNAME )

no login authentication

Parameter    Parameter Description                   Parameter Value
====================================================================
default      Default method list                     -
LISTNAME     An authentication list with this name   String with up to 31 characters

Command Mode

Line Configuration

Default

None

Usage

None

Examples

The following example shows how to enable authentication for logins:

Switch# configure terminal
Switch(config)# line vty 0 7
Switch(config-line)# login authentication default

Related Commands

show aaa method-lists authentication

11.17.8. authorization exec

Command Purpose

Enable authentication, authorization, accounting (AAA) authorization for logins.

Prerequisites

Platform    Software    License    Comments
===========================================
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

authorization exec ( default | LISTNAME )

no authorization exec

Parameter    Parameter Description                  Parameter Value
===================================================================
default      Default method list                    -
LISTNAME     An authorization list with this name   String with up to 31 characters

Command Mode

Line Configuration

Default

None

Usage

None

Examples

The following example shows how to enable authorization for logins:

Switch# configure terminal
Switch(config)# line vty 0 7
Switch(config-line)# authorization exec default

Related Commands

None

11.17.9. accounting exec

Command Purpose

Enable authentication, authorization, accounting (AAA) accounting for logins.

Prerequisites

Platform    Software    License    Comments
===========================================
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

accounting exec ( default | LISTNAME )

no accounting exec

Parameter    Parameter Description               Parameter Value
================================================================
default      Default method list                 -
LISTNAME     An accounting list with this name   String with up to 31 characters

Command Mode

Line Configuration

Default

None

Usage

None

Examples

The following example shows how to enable accounting for logins:

Switch# configure terminal
Switch(config)# line vty 0 7
Switch(config-line)# accounting exec default

Related Commands

None

11.17.10. accounting commands

Command Purpose

Enable authentication, authorization, accounting (AAA) accounting for logins.

Prerequisites

Platform    Software    License    Comments
===========================================
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

accounting commands ( default | LISTNAME )

no accounting commands

Parameter    Parameter Description               Parameter Value
================================================================
default      Default method list                 -
LISTNAME     An accounting list with this name   String with up to 31 characters

Command Mode

Line Configuration

Default

None

Usage

None

Examples

The following example shows how to enable accounting for logins:

Switch# configure terminal
Switch(config)# line vty 0 7
Switch(config-line)# accounting commands default

Related Commands

None

11.17.11. show aaa method-lists authentication

Command Purpose

Use this command to show authentication, authorization, accounting (AAA) authentication method lists.

Prerequisites

Platform    Software    License    Comments
===========================================
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

show aaa method-lists authentication

Command Mode

Privileged EXEC

Default

None

Usage

This command is used to show authentication, authorization, accounting (AAA) authentication method lists.

Examples

The following example shows how to show authentication method lists:

Switch# show aaa method-lists authentication

authen queue = AAA_ML_AUTHEN_LOGIN
    name = default  state = ALIVE :   radius
authen queue = AAA_ML_AUTHEN_LOGIN
    name = group_a  state = ALIVE :   radius  local  line  enable  none
authen queue=AAA_ML_AUTHEN_LOGIN
    name = group_b  state = ALIVE :   local  line  none

Related Commands

aaa authentication login

11.17.12. show aaa status

Command Purpose

Use this command to show authentication, authorization, accounting (AAA) status.

Prerequisites

Platform    Software    License    Comments
===========================================
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

show aaa status

Command Mode

Privileged EXEC

Default

None

Usage

This command is used to show authentication, authorization, accounting (AAA) status.

Examples

The following example shows how to show authentication, authorization, accounting status:

Switch# show aaa status

aaa stats:
    Authentication enable

Related Commands

aaa new-model

11.17.13. show aaa privilege mapping

Command Purpose

Use this command to show how server privileges map to switch privilege levels.

Prerequisites

Platform    Software    License    Comments
===========================================
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

show aaa privilege mapping

Command Mode

Privileged EXEC

Default

None

Usage

This command shows how server privileges map to switch privilege levels.

Examples

The following example shows how to display the privilege mapping:

Switch# show aaa privilege mapping

    Server     Switch     Server
=====================================
         0          1          0
         1          2          1
      2~10          3         10
     11~15          4         15

Related Commands

aaa privilege mapping

11.17.14. login-security enable

Command Purpose

Use this command to enable the login-security function. Use the no form of this command to disable the login-security function.

Prerequisites

Platform    Software    License    Comments
===========================================
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

login-security enable

no login-security enable

Command Mode

Global Config

Default

Enable

Usage

When the login-security function is disabled, all user records are reset: fail counts of users in the unlocked state are cleared, and users in the locked state are unlocked.

Examples

The following example shows how to enable login-security function:

Switch# configure terminal
Switch(config)# login-security enable

The following example shows how to disable login-security function:

Switch# configure terminal
Switch(config)# no login-security enable

Related Commands

None

11.17.15. login-security max-fail-num

Command Purpose

Use this command to configure the login-security lock parameters: the maximum number of failed logins and the period over which failures are counted. Use the no form of this command to recover the default values.

Prerequisites

Platform    Software    License    Comments
===========================================
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

login-security max-fail-num MAX_FAIL_NUM PERIOD

no login-security max-fail-num

Parameter       Parameter Description               Parameter Value
===================================================================
MAX_FAIL_NUM    Maximum number of login failures    1-10
PERIOD          Login failure record period         1-120, unit is minutes

Command Mode

Global Config

Default

5

Usage

None

Examples

The following example shows how to configure maximum number of login failure and failure record period in login-security:

Switch# configure terminal
Switch(config)# login-security max-fail-num 7 9

The following example shows how to recover maximum number of login failure and failure record period to default value:

Switch# configure terminal
Switch(config)# no login-security max-fail-num

Related Commands

None

11.17.16. login-security lock-duration

Command Purpose

Use this command to configure the lock duration of login-security. Use the no form of this command to recover the default value.

Prerequisites

Platform    Software    License    Comments
===========================================
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

login-security lock-duration LOCK_PERIOD

no login-security lock-duration

Parameter      Parameter Description    Parameter Value
=======================================================
LOCK_PERIOD    Lock duration            0-1000, unit is minutes

Command Mode

Global Config

Default

5

Usage

Duration for which a user stays locked; 0 means forever.

Examples

The following example shows how to configure lock duration:

Switch# configure terminal
Switch(config)# login-security lock-duration

The following example shows how to recover lock duration to default value:

Switch# configure terminal
Switch(config)# no login-security lock-duration
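The three login-security commands above, as an added Python model (not code from the switch or its documentation) of how the maximum failure count, the failure record period and the lock duration interact; it assumes a sliding failure window of PERIOD minutes, that a successful login clears the failure record, that a lock starts at the failure that reaches MAX_FAIL_NUM, and that a locked user is refused even with valid credentials.

```python
# Added example (not from the switch documentation): models the login-security
# policy above (max-fail-num MAX_FAIL_NUM PERIOD, lock-duration).
# Assumptions: failures count in a sliding window of PERIOD minutes, the lock
# starts at the failure that reaches MAX_FAIL_NUM, success clears the record,
# and a locked user is refused even with valid credentials.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LoginSecurity:
    max_fail_num: int = 5       # documented default
    period_min: int = 5         # documented default
    lock_min: int = 5           # documented default; 0 means locked forever
    fails: Dict[str, List[float]] = field(default_factory=dict)
    locked_at: Dict[str, float] = field(default_factory=dict)

    def resume_time(self, user: str, now: float) -> Optional[float]:
        """Seconds until the lock expires; None if not locked; inf if forever."""
        if user not in self.locked_at:
            return None
        if self.lock_min == 0:
            return float("inf")
        remaining = self.locked_at[user] + self.lock_min * 60 - now
        if remaining > 0:
            return remaining
        self.clear(user)                      # lock expired: record is reset
        return None

    def attempt(self, user: str, ok: bool, now: float) -> bool:
        """Record one login attempt at 'now' (seconds) and return whether it is admitted."""
        if self.resume_time(user, now) is not None:
            return False
        window = [t for t in self.fails.get(user, []) if now - t < self.period_min * 60]
        if ok:
            self.fails.pop(user, None)
            return True
        window.append(now)
        self.fails[user] = window
        if len(window) >= self.max_fail_num:
            self.locked_at[user] = now
        return False

    def clear(self, user: Optional[str] = None) -> None:
        """Mirror of 'clear login-security record [USERNAME]': unlock and reset counts."""
        for store in (self.fails, self.locked_at):
            if user is None:
                store.clear()
            else:
                store.pop(user, None)
```

With lock-duration 0 the only way out of the locked state is clear(), which mirrors the operator running clear login-security record for that user.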

Related Commands

None

11.17.17. show login-security

Command Purpose

Use this command to show records of users that previously failed to log in.

Prerequisites

Platform    Software    License    Comments
===========================================
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

show login-security

Command Mode

Privileged EXEC

Default

None

Usage

None

Examples

The following example shows how to display information of login-security and login failure records:

Switch# show login-security

 Login Security:             Enable
 Max Fail Number:            5
 Fail Period:                5 min
 Lock Duration:              5 min

Login Security Records:
User name                   Local   Locked   Resume Time(s)  Fail Count
======================================================================
admin                            1       0         0                1          
abcdefg                          0       1         295              0     

Related Commands

None

11.17.18. clear login-security record

Command Purpose

Use this command to clear users’ failure records or unlock users in locked state.

Prerequisites

Platform    Software    License    Comments
===========================================
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

clear login-security record ( USERNAME | )

Parameter    Parameter Description    Parameter Value
=====================================================
USERNAME     Username                 The first character must be a-z or A-Z; only 0-9, A-Z, a-z, '.', '-' and '_' are allowed; maximum length is 31

Command Mode

Privileged EXEC

Default

None

Usage

If no username is specified, all records are cleared. If a username is specified, only the record for that username is cleared.

Examples

The following example shows how to clear login failure records:

Switch# clear login-security record admin1

Related Commands

None