aaa authentication arap




aaa authentication arap {default  | list-name} method1 [method2...]

no aaa authentication arap {default  | list-name} method1 [method2...]


Syntax Description:



Uses the listed methods that follow this argument as the default list of methods when a user logs in.


Character string used to name the following list of authentication methods tried when a user logs in.


One of the keywords described in the table: aaa authentication arap Methods.

Command Description:

To enable an AAA authentication method for AppleTalk Remote Access (ARA) using TACACS+, use the aaa authentication arap global configuration command. Use the no form of this command to disable this authentication.

Usage Guidelines

The list names and default that are set with the aaa authentication arap command are used with the arap authentication command. Note that ARAP guest logins are disabled by default when AAA is enabled. To allow guest logins, either the guest or auth-guest method listed in the table must be used. Only one of these methods must be used, they are mutually exclusive.

Create a list by entering the aaa authentication arap list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method# arguments identify the list of methods the authentication algorithm tries in the given sequence. For descriptions of method keywords, see Table: aaa authentication arap Methods.

If no list is specified on an interface or line with the arap authentication command, a default list to be used can be specified with the default keyword followed by the methods.

The additional methods of authentication are used only if the previous method returns an error, not if it fails.

Use the show running-config command to view currently configured lists of authentication methods.

Table: aaa authentication arap Methods




Allows guest logins. This method must be the first method listed, but it can be followed by other methods if it does not succeed.


Allows guest logins only if the user has already logged in to EXEC. This method must be the first method listed, but can be followed by other methods if it does not succeed.


Uses the line password for authentication.


Uses the local username database for authentication.


Uses a group of TACACS+, RADIUS, or named server group for authentication.


Uses case-sensitive local username authentication.


The following example creates a list called MIS-access, which first tries TACACS+ authentication and then none:

Router(config)#aaa authentication arap MIS-access group tacacs+ none

The following example creates the same list, but sets it as the default list that is used for all ARA protocol authentications if no other list is specified:

Router(config)#aaa authentication arap default group tacacs+ none




This command can be used with TACACS or extended TACACS.

Related Commands:


aaa new-model


� Cisco Systems, Inc. 2001, 2002, 2003
World Wide Education

Converted from CHM to HTML with chm2web Pro 2.85 (unicode)