authenticate telent access locally

Unanswered Question
Nov 2nd, 2008


I'm trying to authenticate telnet accesses to my core sw 4503 but to no avail, I've tried the same config on sw 3560 amazingly worked fine.

I know its straight forward config but it bugged me

1- create username/password

2- under line vty --> login local

any suggestions !!!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Giuseppe Larosa Sun, 11/02/2008 - 03:14

Hello Abu,

the config is fine but only if your device is not already using aaa new-model

you can verify with

sh run | inc aaa

if you find a line like

aaa new-model

you need to declare a list of authentication


conf t

aaa authentication login default local

aaa authentication enable default enable


aaa authentication login Locale local

line vty 0 4

login authentication Locale


you do:

no aaa new-model

and use the classic pre-AAA config

Hope to help


Abu-Mahmoud Sun, 11/02/2008 - 04:26

Hi Giuseppe,

thx for ur input..

I've tried both ways,

1- with ** aaa new-model ** approach

I got the error msg ** % Authentication failed. **

2- with ** login local ** approach

I got the error msg ** % Login invalid **

any comments !!

Giuseppe Larosa Sun, 11/02/2008 - 04:50

Hello Abu,

1) % Authentication failed.

make sure the device is not asking to a tacacs+ server or radius first

the aaa authentication login provides an ORDERED list of methods: first method is used and only if unavailable the second is used:


aaa authentication login default tacacs local

the local is used only if the tacacs is not configured or it is unreachable: during AAA tests I had to use tricks to verify the fallback to local mode when the server cannot answer

use multiple vty sessions to test, this is really handy.

Also it can be useful to know the supervisor model and IOS version you are running

For example on our 4506s we have:

aaa new-model

aaa authentication login ACS group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa accounting update newinfo

aaa accounting exec ACS start-stop group tacacs+

aaa accounting commands 1 ACS start-stop group tacacs+

aaa accounting commands 15 ACS start-stop group tacacs+


aaa session-id common

line vty 0 3

access-class 24 in

exec-timeout 15 0

accounting commands 1 ACS

accounting commands 15 ACS

accounting exec ACS

login authentication ACS

Hope to help



This Discussion