Cisco Support Community
New Member

AAA authentication login novice question

Hi, 2 questions about AAA authentication, since I'm quite confused by the available documentation and currently I have no devices available to test:

1) When "aaa new-model" is entered, does login authentication immediately apply to all lines and default to the router's local database (without any other command needed)?

2) If I configure "aaa authentication login default none", does this mean that on the vty (when no command is applied to the vty) no authentication is performed; telnet succeeds without any authentication?



Re: AAA authentication login novice question

Hi, [Pls Rate if HELPS]

Answer to Question:1


The first command, aaa new-model, tells the router that you are using either TACACS+ or RADIUS for authentication.

FYI, if you do not want the console to authenticate with TACACS, then try configuring this:

aaa authentication login consoleauth line

line con 0

login authentication consoleauth

To configure AAA authentication, perform the following tasks:

1. Enable AAA by using the aaa new-model global configuration command.

2. Configure security protocol parameters, such as RADIUS, TACACS+, or Kerberos if you are using a security server.

3. Define the method lists for Authentication by using an AAA authentication command.

4. Apply the method lists to a particular interface or line, if required.

Answer to Question:2


Use the "aaa authentication login default none" command to get access to the router via Console / VTY without authentication. The List must all be applied to the Line / Con / Interface.

'none' means it uses no authentication.

Note: Normally we authorize all commands through TACACS+, but if the server is down, no authorization is necessary, hence the 'none'.

The 'none' keyword enables any user logging in to successfully authenticate; it should be used only as a backup method of authentication.

Hope I am Informative.

Please RATE if HELPS

Best Regards,

Guru Prasad R

Re: AAA authentication login novice question


1) It will be applied to all interfaces in case you did not remove the aaa commands individually.

For example, you have these in your router:

aaa new-model

aaa authentication login default group tacacs local

Now you disable aaa by issuing the command

no aaa new-model

Everything related to aaa would be disabled.

Then if you enter the aaa new-model command again, all previous aaa entries would be enabled.

So the best way to remove aaa is by:

no aaa authentication login default group tacacs local

no aaa new-model

2) Yes, if you use "none" then no authentication check will be performed and the user will be authenticated without any check.



Do rate helpful posts
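
An added example, not part of any reply in this thread and not Cisco tooling: a small Python check that reads a saved configuration and reports which lines end up on a login method list containing the "none" keyword discussed above. The sample configuration and the list name OPEN are constructed for illustration; the check assumes a line with no "login authentication" command uses the "default" list.

```python
import re

# Constructed sample configuration (not taken from any device in the thread).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication login consoleauth line
aaa authentication login OPEN none
!
line con 0
 login authentication consoleauth
line aux 0
 login authentication OPEN
line vty 0 4
 transport input ssh
"""

def parse_method_lists(config):
    """Map list name -> ordered methods from 'aaa authentication login' lines."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        lists[m.group(1)] = m.group(2).split()
    return lists

def parse_lines(config):
    """Map each 'line ...' block to the login list it names ('default' if none)."""
    lines, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            lines[current] = "default"
        elif not raw.startswith(" "):
            current = None  # left the line block
        elif current and (m := re.match(r"\s+login authentication (\S+)", raw)):
            lines[current] = m.group(1)
    return lines

def audit(config):
    """Return {line: finding} for lines whose login list contains 'none'."""
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        return {}  # AAA not enabled: method lists are not in effect
    lists, findings = parse_method_lists(config), {}
    for line, name in parse_lines(config).items():
        methods = lists.get(name, [])  # undefined lists are not evaluated here
        if methods == ["none"]:
            findings[line] = "no authentication"
        elif "none" in methods:
            findings[line] = "falls back to no authentication"
    return findings
```

On the sample, the vty lines inherit the default list and are reported because "none" is its last method, while the console is not reported because consoleauth uses only the line password.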

New Member

Re: AAA authentication login novice question

Guys, thanks for your help and time.
