
Local Authentication in addition to Tacacs+ for RAS users?

a-mughal
Level 1

I have configured my NAS (Cisco Router 3660) for RAS users via Tacacs+ (Cisco Freeware). I wish to configure my NAS in a way that some of the RAS users do not use Tacacs+ Authentication, but can connect only via Local Authentication, with separate Dialer Interfaces than Tacacs+.

Is it possible? Please help me in solving this issue.

Thanks.

1 Reply

jekrauss
Level 1

You can specify desired authentication methods as either the default method or a named method list. When you configure a default method, it generally applies "by default" to all interfaces. A named method list, however, must be applied to the interface.

For example, in the following configuration, the users who connect to the first 8 async lines will authenticate using the TACACS server. The users who connect to the next 8 async lines will authenticate locally.

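! Local account used by the "mymethod" list
username mughal password GMBH
!
aaa new-model
! Default list: applies to every PPP interface that names no list
aaa authentication ppp default if-needed tacacs+
! Named list: takes effect only on interfaces that reference it
aaa authentication ppp mymethod if-needed local
aaa authorization network tacacs+
!
interface Group-Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 async mode interactive
 peer default ip address pool async
 no cdp enable
 ! No list named, so the default list (TACACS+) is used
 ppp authentication chap
 group-range 1 8
!
interface Group-Async2
 ip unnumbered Ethernet1
 encapsulation ppp
 async mode interactive
 peer default ip address pool async
 no cdp enable
 ! Named list, so these lines authenticate against the local user database
 ppp authentication chap mymethod
 group-range 9 16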

HTH

Jeff
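
An added example (not part of the reply above, and not Cisco tooling): a small Python check that resolves which PPP method list each interface in a saved configuration actually uses, so interfaces that bypass the AAA server or reference an undefined list can be reviewed. The sample configuration, the `Group-Async3` stanza and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the configuration above (not a real device).
SAMPLE = """\
aaa new-model
aaa authentication ppp default if-needed tacacs+
aaa authentication ppp mymethod if-needed local
interface Group-Async1
 ppp authentication chap
 group-range 1 8
interface Group-Async2
 ppp authentication chap mymethod
 group-range 9 16
interface Group-Async3
 ppp authentication chap typo-list
"""

# Words after "ppp authentication" that are protocols or options, not list names.
KEYWORDS = {"chap", "pap", "ms-chap", "ms-chap-v2", "eap",
            "callin", "callout", "one-time", "optional"}

def resolve_ppp_auth(config):
    """Return {interface: (list name, methods)}; methods is None if undefined."""
    lists, used, iface = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"aaa authentication ppp (\S+) (.+)", line)
        if m:
            lists[m.group(1)] = m.group(2).split()
        elif raw[:1] not in (" ", "\t"):
            # Any other top-level line opens an interface stanza or closes one.
            m = re.match(r"interface (\S+)", line, re.I)
            iface = m.group(1) if m else None
        elif iface and line.startswith("ppp authentication "):
            named = [w for w in line.split()[2:] if w not in KEYWORDS]
            # No list named on the interface means the default list applies.
            used[iface] = named[0] if named else "default"
    # Resolve at the end so the order of definitions in the file is irrelevant.
    return {i: (n, lists.get(n)) for i, n in used.items()}

def local_only(config):
    """Interfaces whose resolved list never consults a TACACS+/RADIUS server."""
    def uses_server(methods):
        return any(x == "group" or "tacacs" in x or "radius" in x for x in methods)
    return sorted(i for i, (_, m) in resolve_ppp_auth(config).items()
                  if m and not uses_server(m))

if __name__ == "__main__":
    for name, (lst, methods) in resolve_ppp_auth(SAMPLE).items():
        print(name, lst, methods if methods else "UNDEFINED LIST")
```
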