AAA Authentication login

ciscogirl1
Level 1

I am looking for help on what happens with the example below if the TACACS server fails and you try to console into the device. I am assuming that the next in order would be "aaa authentication login line-only line", but I'm not understanding what the "line-only" means. I can't find that reference in any of the docs.

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login line-only line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!

5 Replies

Collin Clark
VIP Alumni

Hi Darcy,

You have two AAA groups set up: default and line-only. Which one you apply to the console determines how you authenticate. If you choose default, it will try TACACS first and then fall back to the enable password. If you use line-only, you will use the password assigned under the console configuration.

Hope that helps.

Collin,

If there are no groups assigned under the console, does it go in order: enable password, then the password assigned under the console?

line con 0
 session-timeout 5
 password 7 XXXXXXX

Thanks!

If there is no AAA group assigned, it will not use a password to enter user mode; it will just let you in. To enter privileged mode, you will have to enter the enable password. It's a good practice to configure AAA and use local authentication as a minimum. That way, console connections must enter a username and password to gain access.

Collin,

Thank you for your answer; it answered my question. I got it.

Darcy

Jagdeep Gambhir
Level 10

Hi,

We have defined "aaa authentication login default group tacacs+ enable"; this will take care of telnet, HTTP and console authentication.

Now let's say you don't want the console to be authenticated via TACACS, so you need to make another method list for the console:

aaa authentication login line-only line

and apply it to the console line:

Switch(config)#line con 0
Switch(config-line)#login authentication line-only

Now whenever you log in via the console, it will only ask for the line password.

When you log in via telnet, it will first ask for the TACACS user, and if the server is down it will prompt for the enable password.

Regards,

~JG

Do rate helpful posts
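As an added example (not posted by anyone in this thread), here is a fuller version of the layout Collin and Jagdeep describe: a default list that falls back from TACACS+ to a local account, and a separate list bound to the console. The server address (an RFC 5737 documentation address), group name, server name, key and credentials are all placeholders chosen for the example.

```cisco
! Added example, not from the thread. Placeholder values are in <angle brackets>.
aaa new-model
!
! Local account and enable secret used when every TACACS+ server is unreachable.
username admin privilege 15 secret <LOCAL-ADMIN-SECRET>
enable secret <ENABLE-SECRET>
!
! Assumed TACACS+ server definition (address and key are placeholders).
tacacs server TAC1
 address ipv4 192.0.2.10
 key <TACACS-KEY>
!
aaa group server tacacs+ MGMT-TACACS
 server name TAC1
!
! Default login list: used by every line that has no explicit
! "login authentication" statement (vty, aux, and the console if unassigned).
! Methods are tried left to right. The next method is consulted only when
! the previous one returns an ERROR (all servers unreachable); a REJECT
! from the server (bad credentials) ends the attempt without fallback.
aaa authentication login default group MGMT-TACACS local enable
!
! Console-only lists. "line" checks the password under "line con 0";
! "local" checks the username/secret entries on the device.
aaa authentication login line-only line
aaa authentication login CONSOLE local
!
aaa authentication enable default group MGMT-TACACS enable
aaa authorization exec default group MGMT-TACACS if-authenticated
aaa accounting exec default start-stop group MGMT-TACACS
aaa accounting commands 15 default start-stop group MGMT-TACACS
!
! Bind one console list. With CONSOLE the local username is required;
! switch this to "login authentication line-only" to use the line password.
line con 0
 password <LINE-PASSWORD>
 login authentication CONSOLE
!
line vty 0 4
 login authentication default
 transport input ssh
```

Keep an existing console session open while applying this so a mistake in the method lists cannot lock you out, then confirm server reachability with "show aaa servers" and a live check such as "test aaa group MGMT-TACACS <user> <password> legacy"; "debug aaa authentication" shows which method list and which method each login actually used.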
