Cisco Support Community

AAA authentication configuration

Hi,

If the following configuration is applied, what will be the effect?

aaa new-model

username operation priv 7 password cisco

enable secret cisco@1234

aaa authentication login TEST group tacacs+ local

(The TACACS+ server is down, so the local user database will be used.)

line console 0

password Admin@login

login authentication TEST

line vty 0 4

password operatio@login.

Case 1: vty access: as there is no list or default configured, telnet access will be denied. Or it will still ask for the AAA authentication username / password. Am I correct?

Case 2: If connected to the console port, will the console password be asked first, or will the username / password be asked directly?

Please share your experience.

Thanks in advance. Sorry, I can't try it on production devices. :(

Subodh

1 ACCEPTED SOLUTION


Re: AAA authentication configuration

Subodh

1) Since there is no authentication list specified on the vty ports then they will use the default authentication. With aaa new-model the default for vty is local authentication. So the router should prompt for ID and password - and if you give the ID and password as configured then you should successfully access the vty.

2) Since there is an authentication list specified for the console then the router will use the methods in the list when you access the console port. If the TACACS server is available then the router will authenticate using the server. If the server is not available then the router will authenticate with the local user ID and password. The router will not authenticate using the console password.

HTH

Rick
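
Added example (not part of the original thread and not Cisco code): a Python script that applies the rules from the accepted answer to a configuration, reporting which login methods each line uses and whether its line password goes unused. It assumes aaa new-model is enabled; the function names are hypothetical, the sample config is constructed from the question, and lines the answer does not cover (such as a console with no list) are reported as None.

```python
import re

# Constructed input based on the question's config (console uses "login authentication TEST").
SAMPLE = """\
aaa new-model
username operation privilege 7 password cisco
aaa authentication login TEST group tacacs+ local
line console 0
 password Admin@login
 login authentication TEST
line vty 0 4
 password operatio@login.
"""

def parse_methods(words):
    """Turn ['group', 'tacacs+', 'local'] into ['group tacacs+', 'local']."""
    out, it = [], iter(words)
    for w in it:
        out.append(f"group {next(it, '')}".strip() if w == "group" else w)
    return out

def effective_login(config):
    """Return {line: (login methods or None, line password unused?)}."""
    lists, lines, cur = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if m := re.match(r"aaa authentication login (\S+) (.+)", text):
            lists[m[1]] = parse_methods(m[2].split())
        if raw.startswith("line "):
            cur = lines.setdefault(text, {"list": "default", "pw": False})
        elif raw.startswith(" ") and cur is not None:
            if text.startswith("password "):
                cur["pw"] = True
            elif m := re.match(r"login authentication (\S+)", text):
                cur["list"] = m[1]
        else:
            cur = None
    result = {}
    for name, ln in lines.items():
        methods = lists.get(ln["list"])
        if methods is None and ln["list"] == "default" and name.startswith("line vty"):
            methods = ["local"]  # per the accepted answer: vty defaults to local
        unused = ln["pw"] and methods is not None and "line" not in methods
        result[name] = (methods, unused)
    return result

def method_used(methods, tacacs_reachable):
    """First method able to respond (the answer's server-up / server-down cases)."""
    return next(m for m in methods if m != "group tacacs+" or tacacs_reachable)
```

For the sample, both lines report their configured line password as unused, which matches the answer's point that the console password is never consulted.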
