AAA Authentication login

Jul 12th, 2009

I am looking for help on what happens with the below example if the TACACS server fails and you try to console into the device. I am assuming that the next order would be "aaa authentication login line-only line" but I'm not understanding what the "line-only" means. I can't find that reference in any of the docs.

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login line-only line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+


Collin Clark Mon, 07/13/2009 - 05:27

Hi Darcy,

You have two AAA groups set up: default and line-only. Which one you apply to the console determines how you authenticate. If you choose default, it will try TACACS first and then fall back to the enable password. If you use line-only, you will use the password assigned under the console configuration.

Hope that helps.

darcy Mon, 07/13/2009 - 06:15


If there are no groups assigned under the console, does it go in order: enable password, then the password assigned under the console?

line con 0
 session-timeout 5
 password 7 XXXXXXX


Collin Clark Mon, 07/13/2009 - 06:27

If there is no AAA group assigned, it will not use a password to enter user mode; it will just let you in. To enter privileged mode, you will have to enter the enable password. It's a good practice to configure AAA and use local authentication as a minimum. That way console connections must enter a username and password to gain access.

darcy Fri, 07/17/2009 - 10:44


Thank you for your answer, it answered my question. I got it.


Jagdeep Gambhir Mon, 07/13/2009 - 06:31


We have defined "aaa authentication login default group tacacs+ enable"; this will take care of telnet, http and console authentication.

Now let's say you don't want the console to be authenticated via TACACS, so you need to make another method list for the console:

aaa authentication login line-only line

and apply it to the console line:

Switch(config)#line con 0
Switch(config-line)#login authentication line-only

Now whenever you log in via the console it will only ask for the line password.

When you log in via telnet, it will first ask for the TACACS user and, if the server is down, it will prompt for the enable password.



Do rate helpful posts
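A constructed IOS configuration, added here and not taken from any post in this thread, that puts the replies together: the default method list falls back from TACACS+ to a local user rather than only the enable password, and the console is bound explicitly to that list instead of the line-password-only list. The username, server address and secrets are placeholders.

```cisco
! Constructed example, not from the original thread.
! Local fallback account, used only when every TACACS+ server is unreachable.
username admin-fallback privilege 15 secret PLACEHOLDER-STRONG-PASSWORD
enable secret PLACEHOLDER-ENABLE-SECRET
!
! Placeholder TACACS+ server (documentation address) and shared key.
tacacs-server host 192.0.2.10 key PLACEHOLDER-SHARED-KEY
!
aaa new-model
! Methods in a list are tried left to right. The next method is used only
! when the previous one returns an ERROR (server unreachable), not when the
! server actively rejects the credentials (FAIL).
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Console: bind the default list explicitly so a console login still needs a
! username and password when TACACS+ is down. The thread's "line-only" list
! would instead accept only the line password configured under "line con 0".
line con 0
 exec-timeout 5 0
 login authentication default
!
line vty 0 4
 login authentication default
 transport input ssh
```

Test the fallback on a lab device before deploying: shut down the TACACS+ server, confirm the console prompts for the local username, then restore the server and confirm local credentials are no longer accepted.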

