Cisco’s solution is IP traffic export (sometimes referred to as Router IP Traffice Export, or RITE). Introduced in IOS 12.3(4)T, RITE allows for the replication of packets from one interface to another on software-switched platforms in the same manner SPAN operates on hardware-based switches. RITE allows us to “SPAN” across routed interfaces, even across disparate medium types.

Consider a scenario in which we need a sniffer or IDS to capture IP traffic traversing a PPP serial link between two routers.

We can enable RITE on R1 to replicate WAN traffic to the Ethernet sniffer. Only two items are needed to configure a minimal RITE profile:

• Physical output interface (the interface connected to our sniffer)
• Destination MAC address for the replicated packets (the MAC address of our sniffer)

We can see from the diagram that our sniffer is attached to FastEthernet0/0, and we’ll assume the MAC address of our sniffer is 00-01-02-03-04-05. (Note that as sniffers are generally run in promiscuous mode, any MAC should work in this case. However, RITE won’t accept a broadcast MAC address.)

Configuring our RITE profile on R1 is straightforward:

R1(config)# ip traffic-export profile MyProfile
R1(conf-rite)# interface f0/0
R1(conf-rite)# mac-address 0001.0203.0405

The above configuration is all that’s required for a minimal profile. Additionally, we’ll include the bidirectional parameter here to ensure that traffic from both directions is replicated (versus only inbound traffic).

R1(conf-rite)# bidirectional

We can also optionally specify an access list and/or sampling rate to limit the type and amount of traffic we capture, respectively, with the incoming and outgoing parameters.

R1(conf-rite)# incoming ?
  access-list  Apply standard or extended access lists to exported traffic
  sample       Enable sampling of exported traffic

R1(conf-rite)# incoming access-list ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name

R1(conf-rite)# incoming sample ?
  one-in-every  Export one packet in every

Forgoing these options for this scenario, we are ready to apply our RITE policy to R1′s serial interface. Make sure that you exit RITE configuration before entering interface configuration to avoid modifying the interface parameter of the RITE profile.

R1(conf-rite)# exit
R1(config)# interface s0/0
R1(config-if)# ip traffic-export apply MyProfile 
R1(config-if)#
%RITE-5-ACTIVATE: Activated IP traffic export on interface Serial0/0

The command show ip traffic-export verifies our configuration:

R1# show ip traffic-export
Router IP Traffic Export Parameters
Monitored Interface     Serial0/0
    Export Interface        FastEthernet0/0
    Destination MAC address 0001.0203.0405
    bi-directional traffic export is on
Output IP Traffic Export Information    Packets/Bytes Exported    0/0
    Packets Dropped           0
    Sampling Rate             one-in-every 1 packets
    No Access List configured
Input IP Traffic Export Information Packets/Bytes Exported    15/1500
    Packets Dropped           0
    Sampling Rate             one-in-every 1 packets
    No Access List configured
    Profile MyProfile is Active

All IP traffic traversing R1′s Serial0/0 interface is now being replicated out R1′s FastEthernet0/0 interface toward our sniffer, with one observed exception. Only transit traffic is replicated; inbound traffic destined for R1 itself is also replicated, however outbound traffic generated locally by R1 is not. Also note that only IP traffic is being replicated, and we lose any lower-layer headers (like PPP) due to the change in medium.

What hardware makes up Cisco’s NAC solution?

On Cisco’s network security solutions Web page, you’ll find the following list of Cisco technologies, all of which play a part in the complete Cisco NAC solution:

• Advanced Services for Network Security
• Cisco Security Agent (CSA)
• Cisco Security Monitoring, Analysis and Response System (MARS)
• Cisco Trust Agent 2.0 (CTA)
• Cisco Secure Access Control Server for Windows (ACS)
• Cisco Secure Access Control Server Solution Engine (ACS)
• CiscoWorks Interface Configuration Manager (ICM)
• CiscoWorks Security Information Management Solution (CW-SIMS)
• NAC-enabled routers
• Router security
• Cisco VPN 3000 Series Concentrators
• Cisco Unified Wireless Network
• Cisco Catalyst switches

Let’s discuss some of the more critical pieces of Cisco’s NAC solution.

Cisco NAC-enabled routers

The recently released Cisco router NAT module enforces NAC at the remote branch locations or ancillary buildings of a campus. Apart from that, the NAC router module also improves the overall security of the network by making sure that all incoming users and devices comply with security policies.

Additionally, the Cisco NAC router module (part # NME-NAC-K9) brings the capabilities of Cisco NAC Appliance Server to Cisco 2800 and 3800 Series Integrated Services Routers. This module helps network administrators by not having to deploy NAC appliances across the board and it helps to consolidate the administrative tasks into fewer boxes.

Amazingly, this module is actually a 1 GHz Intel Celeron PC, with 512 MB RAM, 64 MB of Compact Flash, and an 80 GB SATA hard drive. All that fits onto a single 1-pound module that slides into a router and enforces your security policies. This module requires a 2800 or 3800 series router running IOS 12.4(11)T or later.

Cisco NAC Appliance

The single most popular piece of the Cisco NAC solution has been the Cisco NAC Appliance. As evident from the name itself, Cisco NAC Appliance is an appliance-based solution that offers fast deployment, policy management, and enforcement of security policies.

With the Cisco NAC Appliance, you can opt for an in-band or out-of-band solution. The in-band solution is for smaller deployments. As your network grows into a more campus environment, you may not be able to keep the in-band design. In that case, you can move to the out-of-band deployment scenario.

Here are some advantages of the Cisco NAC Appliance:

• Identity: At the point of authentication, the Cisco NAC Appliance recognizes users, as well as their devices and their responsibility in the network.
• Compliance: Cisco NAC Appliance also takes into account whether machines are compliant with security policies or not. This includes enforcing operating system updates, antivirus definitions, firewall settings, and antispyware software definitions.
• Quarantine: If the machines attempting to gain access don’t meet the policies of the network, the Cisco NAC Appliance can quarantine these machines and bring them into compliance (by applying patches or changing settings), before releasing them onto the network.

For more information about the Cisco NAC Appliance, see the Cisco NAC Appliance datasheet.

Cisco Secure Access Control Server (ACS)

The Cisco ACS Server could be called the “brain” of the Cisco NAC solution. It is here that users’ credentials are checked to see if they are valid, policies are sent back to be enforced, and activities are logged. The ACS server is called an AAA Server because it performs authentication, authorization, and accounting.

This server runs on an existing Windows server in your organization and can use other existing databases in your organization to verify users’ credentials. For example, most companies have ACS point toward their Windows Active Directory (AD) system to look up credentials. If those credentials are valid, then ACS can enforce network authorization polices on those users, with the help of the network hardware: NAC Appliance, Router NAC module, or ASA/PIX firewalls.

Cisco Security Agent (CSA)

Cisco CSA is a software client that is run on every machine in an organization. These clients talk to a centralized policy server. Together, these software applications know what software and activities occurring on each PC in the organization are or are not “normal.” The CSA agent may alert on or block certain activities that it sees as abnormal.

When compared to anti-virus software that depends on definition updates to stay current, Cisco touts that the CSA never needs updating because it is constantly “learning” and monitoring activities, not definitions of viruses.

For more information about the Cisco CSA solution, see the Cisco CSA datasheet.

Cisco Trust Agent (CTA)

You can think of the Cisco Trust Agent as the “NAC Client.” The CTA runs on each PC in the organization. It talks to the NAC Appliance, for example, to tell it about the state of the device attempting to access the network. For example, the CTA reports the version of the OS, patch level, the AV definition level, the firewall status, and more. According to Cisco, the CTA “interrogates devices.” You can obtain CTA free of charge from Cisco Systems.

CiscoWorks Security Information Management Solution (CW-SIMS)

The CiscoWorks Security Information Management Solution (CW-SIMS) is the centralized repository that all Cisco devices use for security logging and other information. According to Cisco, this application “integrates, correlates, and analyzes security event data from the enterprise network to improve visibility and provide actionable intelligence for strengthening an organization’s security.”

With so many security devices in your network, one application has to try to correlate all the logs and security information that is generated. According to Cisco, here are the features that the CW-SIMS offers:

• Comprehensive Correlation: Statistical, rules-based, and vulnerability correlation of events as they happen, in real time, across all integrated Cisco network devices.
• Threat Visualization: See a visual status and generate reports of all the security events as they happen across your network.
• Incident Resolution Management: SIMs integrates with common helpdesk packages to track security events until resolution.
• Integrated Knowledge Base: SIMS can be a source of knowledge about security issues and how they are resolved.
• Real-Time Notification: SIMS can notify security admins, in real time, when events occur.

For more information about the Cisco CW-SIMS solution, see the Cisco SW-SIMS datasheet.

Cisco Security Monitoring, Analysis, and Response System (MARS)

While MARS may seem similar to CW-SIMS, it is quite different. MARS actually understands the configuration and topology of your network. You can think of MARS as a “virtual security admin” for your network — working while you sleep.

MARS uses NetFlow data from Cisco routers to have a real-time understanding of network traffic. It knows what is considered normal and what is not; this is called behavioral analysis. With behavioral analysis, MARS can stop abnormal network traffic. MARS has over 150 audit compliance templates and will make recommendations on how to remediate threats to your network.

MARS is actually an appliance that you install on your network. This appliance comes in a variety of sizes and license levels based on the size of your network.

Summary

To be a complete solution that can fulfill the Cisco Self-Defending Network framework, the hardware and software of Cisco’s NAC solution must integrate well. With nine or more different pieces of hardware and software related to NAC, the challenge of acquiring (i.e., affording), learning to configure, deploying, and monitoring these solutions can be a large task for any organization. While having the centralized software applications like CW-SIMS and MARS can really bring it all together, those applications will take time, effort, and expertise to master. For this reason, I can relate to anyone who says that deploying a security solution is difficult.

NTP uses a hierarchical-based concept called a “stratum” to describe how many NTP “hops” away a machine is from an authoritative time source. A Stratum 0 source is the root and is based on an atomic clock, or series of them, and is incredibly accurate. A Stratum 1 clock would receive its source from a Stratum 0 clock and would therefore be one hop away. This pattern would follow for Stratum 2 and Stratum 3, etc.

Since NTP provides a critical resource for your network, you need to be certain that it is correct. The most desirable way to provide an accurate, secure time source would be to have a Stratum 1 clock source directly on your network. Short of that, the most common implementation currently used is to have a device on your network, typically a router, synchronize with a public Stratum 1 or 2 time source, and then act as the local network master clock source.

Internal devices, servers, and hosts can then synchronize their clocks with this network source. This hierarchy allows you to configure strict NTP (UDP port 123) rules on your firewall.

Security can also be improved by implementing NTP authentication between your routers and implementing NTP Access Control Lists.

Protecting your NTP deployment

NTP authentication operates a bit differently than what you may think and is often a point of confusion. With NTP authentication on Cisco routers, a key is defined on the source host (master clock) and is used to MD5 hash the response to queries. However, in the case of NTP, it is up to the client to request authentication rather than the router to demand it.

In this sense, the requesting client is verifying the integrity of the source rather than the source verifying the client validity. The net of this is that the router will also respond to queries that do not require authentication as well as those that do. However, if a client requests authentication and the router is not configured for it, the NTP synchronization will fail.

For reliability and security reasons, set up more than one router on your network to provide NTP synchronization, with each of them getting their time reference from a different Stratum 1 clock, and then set up peering with authentication between these routers.

Access Control Lists can also be great tools to protect your NTP deployment. You can implement a “peer group” ACL to define and control which IP addresses are allowed to peer with your router. Additionally, you can implement a “serve,” or “serve-only,” ACL to define which IP addresses or netblocks are allowed to make NTP queries to your router.

NTP accuracy is critical to your network. It takes a relatively small bit of time to set it up correctly and protect it with security measures, but your efforts will pay off big time

Peer-to-peer technologies, especially when employed with protocol obfuscation and/or encryption make it extraordinarily difficult to detect a botnet infestation. Unlike a security vendor, the overriding concern for a network or system administrator is to correctly identify infected hosts within the corporate network. Remediation would probably start from taking it offline, determining the point of infection, and rebuilding the affected system. What is clear is that most malware, and all botnet-client attacks involve the compromised host making an outbound connection at some point or other. Stopping, or at least detecting, suspicious activities on this front would certainly make for a more secure environment. Yet how could a network administrator, without access to special tools or annual, company-wide hard-disk formatting exercises hope to detect the presence of a botnet infestation in the first place? While not solutions per se, below are a couple of ideas that would help you reduce your exposure.

Allow only Web traffic; filter and log all URLs

The most draconian step possible would be to allow only for the passage of Web traffic through the corporate firewall. Obviously, this will do no good to protect against phishing attacks or applications that attempt to tunnel outgoing data via SSL or obfuscated as legitimate HTTP requests.  As such, it makes sense to filter outgoing connections according to blacklists maintained by sites such as URLBlacklist.com. You can find additional lists at Spam Links. In addition, all URLs should be logged and regularly sieved through for suspicious activity and connections. Ditto to non-HTTP connections, since they could contain clues to the presence of infected hosts within the network. Assuming this is a viable option for your organization, such a move would stop a large swath of threats in its steps. 

Allow only selective ports

Alas, we live in an imperfect world. A typical business might classify applications such as Skype and MSN as being crucial to business operations. In such cases, it would be unavoidable to open selective ports for legitimate applications. The restriction here would be to open only ports that are necessary and continue to filter and log outgoing connections where it is possible. While not a 100-percent guarantee, the availability of a protocol-aware firewall can also help filter out malware attempts to make outgoing connections via well-known ports. 

Modern computer security is a complex, multifaceted affair with no single or convenient solution. Actively configuring and monitoring one’s network is just another way to defend it from being hijacked. For today, I am assuming the availability of a firewall where it is at least possible to make fine-grained port configurations.

Even if you just need to remember an extra password, it can be annoying — but it doesn’t have to be. In fact, you can leverage the Windows AD username/password database to log in to your Cisco routers and switches.

This week, we’ll start off by discussing how to install, configure, and troubleshoot Windows’ Internet Authentication Service (IAS); next week, we’ll wrap it up by explaining how to configure your routers and switches to use the authentication.

Before we begin, let’s go over this article’s assumptions. For this configuration, we’ll use IAS, the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy, which comes built into Windows 2000 Server and Windows Server 2003.

In addition, we’re assuming that you’ve already connected your router or switch to the LAN, enabled its LAN interface, and have an IP address on that LAN interface. If access to the router or switch is through a routed network, it also needs a default gateway configured.

Install IAS

Start off by installing IAS if you haven’t already done so. For Windows Server 2003, follow these steps:

1. Log in as an administrator.
2. Go to Start | Control Panel, and double-click the Add Or Remove Programs applet.
3. Click Add/Remove Windows Components.
4. In the Windows Components Wizard, click Networking Services, and click Details.
5. In the Networking Services dialog box, select Internet Authentication Service, click OK, and click Next.
6. The system may prompt you to insert your Windows Server 2003 CD, so have it handy.
7. After IAS is installed, click Finish, and then Close.

To keep track of who can log in to your Cisco network devices, I suggest creating an AD group called ciscoadmin. Then, make your existing Windows account a member of the ciscoadmin group.

Configure IAS

Now that we’ve installed IAS, we need to configure it. Begin by going to Start | Control Panel and double-clicking the Administrative Tools applet. Double-click the Internet Authentication Service applet, as shown in Figure A.

Figure A

To begin configuring IAS, go to Start | Control Panel | Administrative Tools | Internet Authentication Service.

This will open the Internet Authentication Service window, as shown in Figure B.

Figure B

You must open the Internet Authentication Service window to configure IAS.

Now we need to add a RADIUS client. Follow these steps:

1. In the left pane, right-click RADIUS Clients, and select New RADIUS Client.
2. In the New RADIUS Client dialog box, as shown in Figure C, enter a display name for the client (i.e., your router or switch). I suggest using the router’s hostname.
3. Enter the LAN IP address of the client.

Figure C

Enter a friendly name for the new client, and enter the IP address.

1. Click Next, and select Cisco for the Client-Vendor.
2. Enter a password (called a key on a router or switch) that the two devices will share for the authentication process. For this example, I used cisco as my test password.
3. Click Finish.

Figure D shows the Internet Authentication Service window with the newly added client.

Figure D

The Internet Authentication Service window displays the newly added client.

Next, we need to create a remote access policy. Follow these steps:

1. In the Internet Authentication Service window, click Remote Access Policies in the left pane.
2. In the right pane, right-click the default policy, and select Delete.
3. Right-click inside the right pane, and select New Remote Access Policy.
4. In the Remote Access Policy Wizard, click Next.
5. Click Set Up A Custom Policy, name it ciscoauth, and click Next.
6. Click Add, select Windows-Groups, and click Add, as shown in Figure E.

Figure E

Select Windows-Groups, and click the Add button.

Enter ciscoadmin (or whatever group you want to use). In this example, we’re using a local Windows server group. You can also use a Windows AD group — which, of course, is preferable. Figure F shows the Groups dialog group with the ciscoadmin group listed.

Figure F

The Groups dialog box will list the group you add.

Select the new group, and click OK. This takes you to the Policy Conditions screen of the New Remote Access Policy Wizard, as show in Figure G.

Figure G

Select Windows-Groups, and click the Add button.

1. Click Next, select Grant Remote Access Permission, and click Next.
2. Click Edit Profile, and select the Authentication tab.
3. Deselect all check boxes; only select the Unencrypted Authentication (PAP/SPAP) check box, as shown in Figure H, and click OK.

Figure H

Select the Unencrypted Authentication (PAP/SPAP) check box only.

1. Next, select the Advanced tab.
2. Select Service-Type, and click Edit.
3. In the Enumerable Attribute Information dialog box, select Login from the Attribute Value drop-down list, as shown in Figure I, and click OK.

Figure I

Under Attribute Value, change it from Framed to Login.

Back on the Advanced tab, select Framed-Protocol, and click Remove. Figure J displays the resulting dialog box.

Figure J

All that’s left to do is click OK.

All you have to do now is click OK. The system will likely ask if you want to view Help topics, as shown in Figure K.

Figure K

For corresponding Help topics, click Yes.

We’re almost there. Click Next, click Finish, and that’s it!

Troubleshoot IAS

When it comes to troubleshooting IAS, its logs can be very cryptic. For example, Figure L shows a log created while testing this article.

Figure L

IAS logs can be a little hard to interpret.

To help out with reading these logs, I use DeepSoftware.com’s IAS Log Viewer. Figure M shows a screenshot of this tool.

Figure M

IAS Log Viewer helps simplify logs.

Before we begin, let’s go over this article’s assumptions. We’re assuming that you’ve already connected your router or switch to the LAN, enabled its LAN interface, and have an IP address on that LAN interface. If access to the router or switch is through a routed network, it also needs a default gateway configured.

For this article, I used a Cisco 871W router that’s running Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(4)XC2, RELEASE SOFTWARE (fc1). Specifically, it has this IOS file: c870-advipservicesk9-mz.124-4.XC2.

This router has a VLAN1 that four LAN Ethernet ports share by default. This is where I configured my IP address, as shown below:

interface Vlan1
ip address 192.168.1.100 255.255.255.0

interface FastEthernet0
no shutdown

Configure the router or switch

While I’m using a Cisco 871W router, you can also use a Cisco switch, and the configuration should be similar. You can even configure this type of RADIUS authentication on a Cisco PIX firewall or Adaptive Security Appliance (ASA).

To configure a router or switch to talk to the Windows IAS RADIUS server to authenticate logins for management, start by making sure you have a secret password enabled, as shown below:

enable secret 5 Secret!Pass1

Next, configure the router for RADIUS authentication. Listing A offers an example.

In this example, the IP address is the IP address of our Windows IAS RADIUS server, and the key is the key we entered when we configured the RADIUS client on the IAS server. In addition, we’ve configured the source interface to make sure the IP address of the RADIUS server matches the IP address of the RADIUS client we configured in IAS.

We also configured an authentication list called TRAuthList. While you can use the default authentication list, I don’t recommend it. The default list automatically applies to all login devices, including the console. So failure of the RADIUS authentication could also lock you out of the console.

I also suggest configuring a local username/password in case the RADIUS server is ever unavailable and you need to access your network device. Because we used the login authentication method radius and then local, the router will fail back to the local authentication server if the RADIUS server ever goes down. Here’s how to configure a local user:

R1-871W(config)# user netadmin pass secretpass1

Next, we need to configure all of our lines with the authentication list we created. For this example, we have the normal five lines (0 to 4), but your device may contain more. Here’s an example:

R1-871W(config)# line vty 0 4
R1-871W(config-line)#  login authentication TRAuthList

At this point, Windows AD authentication would work if we used Telnet to connect to the router or switch. However, for security’s sake, I recommend using SSH instead of Telnet, so now we need to configure SSH.

Start by making sure we have a hostname on the router. Here’s an example:

Router(config)# hostname R1-871W

Then, make sure there’s an IP domain name configured. Here’s an example:

R1-871W(config)# ip domain-name TechRepublic.com

Next, generate the crypto keys, as shown below, and answer all questions with their defaults:

R1-871W(config)# crypto key generate rsa

Finally, restrict VTY lines to use only SSH — not Telnet. Here’s an example:

R1-871W(config)# Line vty 0 4
R1-871W(config-line)# Transport input ssh

Test the configuration

I recommend leaving the console or other existing connection to the router up until you can verify that the new configuration works. In addition, don’t save the configuration until you make sure it works. If it doesn’t work, you can always remove it or reboot the device to go back to the previous configuration.

To test the new configuration, I connected to the router using SecureCRT, but you can also use PuTTY, which is free. Figure A displays the Session Options – New dialog box, which shows my connection settings. Note the SSH1 protocol — not SSH2.

Figure A

Notice that we are using SSH1, not SSH2.

Figure B displays the Enter Username dialog box, which I use to log in with my Windows username.

Figure B

Log in with your Windows username.

With that, I have successfully connected, as shown in Figure C. I used the show users command to show that it’s really me.

Figure C

Using the show users command displays a successful connection.

Troubleshoot the configuration

When it comes to troubleshooting the Cisco IOS side of this complex configuration, using the debugand testcommands is your best bet. Here’s an example:

Router# debug aaa authentication
AAA Authentication debugging is on

Router# debug radius authentication
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol (authentication) debugging is on
Radius packet protocol (accounting) debugging is off
Radius packet retransmission debugging is off
Radius server fail-over debugging is off
Router#

Router# test aaa group radius ddavis MyPass1 port 1645 new-code

In addition to using the IAS log files, which I discussed in the previous article, this lets you see what’s going on in the background on both sides of this configuration (i.e., the router or switch and the RADIUS server). If you run across an error message that you don’t recognize, search the Web — someone else has likely run across it already and figured out the resolution.

What is AAA?

When it comes to network security, AAA is a requirement. Here is what each of these are used for and why you should care:

• Authentication: Identifies users by login and password using challenge and response methodology before the user even gains access to the network. Depending on your security options, it can also support encryption.
• Authorization: After initial authentication, authorization looks at what that authenticated user has access to do. RADIUS or TACACS+ security servers perform authorization for specific privileges by defining attribute-value (AV) pairs, which would be specific to the individual user rights. In the Cisco IOS, you can define AAA authorization with a named list or authorization method.
• Accounting: The last “A” is for accounting. It provides a way of collecting security information that you can use for billing, auditing, and reporting. You can use accounting to see what users do once they are authenticated and authorized. For example, with accounting, you could get a log of when users logged in and when they logged out.

Why every network admin should care about AAA

Besides passing certification tests like the Cisco CCNA Security, AAA is a critical piece of network infrastructure. AAA is what keeps your network secure by making sure only the right users are authenticated, that those users have access only to the right network resources, and that those users are logged as they go about their business.

How do you configure AAA in the Cisco IOS?

Here are the steps to configuring AAA:

• Enable AAA
• Configure authentication, using RADIUS or TACACS+
• Define the method lists for authentication
• Apply the method lists per line/ per interface

It is important to note that Cisco IOS software attempts authentication with the next-listed authentication method only when there is no response from the previous method. If the security server or user database responds by denying the user access, the authentication process and the user will get a denied user prompt. To configure AAA, use the following statement in global configuration mode:

Router(config)# aaa new-model

From this point, most admins start configuring AAA by setting up authentication.

Here is one example of how to configure login authentication using the enable password.

Router(config)# aaa authentication login default enable

Perhaps you wanted to apply a method list only to a particular interface or set of interfaces. You would create a method list and then apply it to the interfaces. Here’s an example of an authentication method that will be applied only to an interface:

Router(config)# aaa authentication ppp default group radius group tacacs+ local
Router(config)# aaa authentication ppp apple group radius group tacacs+ local none
Router(config)# interface async 3
Router (config-if)# ppp authentication chap apple

There are literally hundreds of different ways to configure AAA, including group RADIUS and TACACS+. For more information, see the official Cisco IOS documentation article, “Configuring Authentication.”

Bye for now