Character-mode connections
describe character-based access, including access via the VTY,
TTY, AUX (auxiliary), and CON (console) ports. Although such access might be through a
packet-based network—Telnet, for example—the connection is still viewed as being character
based. The AAA commands that configure character-mode access are as follows:
login
exec
nasi
connection
arap
enable
command
Character-mode access usually includes connections only to the router or network device.
Table 32.1 includes explanations of these commands.
TABLE 3 2 . 1
Character-Mode Authentication and Authorization Commands
Command Description
aaa authentication enable
default tacacs+ enable
Uses TACACS+ to determine whether the user can access
enabled mode. If TACACS+ is unavailable, the local enable
password will be used.
aaa authorization exec
tacacs+ local
Determines whether the user is allowed access to the EXEC
shell. This example provides for TACACS+ authentication, and
should TACACS+ fail, it permits authorization via the local
database. The local database is populated with the
username
command.
aaa authorization command
n
tacacs+ local
Runs authorization for all commands at privilege level
n
(a
number between 0 and 15). Every line entered by a user can be
controlled and authorized by TACACS+, although performance
can suffer.
username
user
password
password
Creates or adds to the local database with a username of
user
and the password of password. This database is stored in the
router’s configuration file in NVRAM (nonvolatile random
access memory), and it can be accessed upon authentication
failure depending on configuration.