1. If I configure a router's IOS with AAA as "aaa authentication login default tacacs+ radius local", can I still configure the lines (CTY, TTY, VTY and AUX) with lower-level security using "password" and "login"?
2. If I use the same AAA login authentication as in question 1, what would happen if all network connections were down but out-of-band (console) access was still alive? Earlier I got into this situation: the network was down and I could still get in out-of-band, but it did not prompt me for the local username and password (because the router could not reach the TACACS+ and RADIUS servers)?
aaa authentication login default tacacs+ radius local
Then this establishes the default method for logging in to user mode. If you want to establish a different (perhaps lower) method for some connections (console, vty, or whatever) you can configure another authentication method. For example if you want to specify login with the line password for the console you might configure something like this:
line console 0
login authentication admin
aaa authentication login admin line
I am not clear what you are describing in question 2. If the router cannot get to the TACACS+ or RADIUS server, do you have a local user ID and password configured, or do you want to use the line passwords? Local authentication (as you show it configured) requires configuration of usernames and passwords on the router. I suspect that if you change the suggested configuration to use line instead of local, you would achieve what you want.
For the first question, I totally agree with you about configuring "login authentication" on the console, vty, etc. What I mean is that after AAA authentication is configured in the router, the router by default is going to use AAA for all access to the router? And if that is the case, then the router won't allow me to configure "password" and "login" for the line; instead I need to use "password" and "login authentication" for line access authentication. Is that right?
For the second question, I apologize for not being clear and for the question not being valid either. After I posted it, I remembered that when I got out-of-band to the console port and saw the default prompt (the regular TACACS+ username login prompt) while the network was down, I used the TACACS+ login info instead of the local username and password that had been configured in the router. Anyway, thanks for the response.
For point number 1: yes, after you enable aaa new-model you can no longer configure "login" for the console or vty. It must be "login authentication". You can still configure "password", which is what the "line" method will check in AAA.
For point number 2: you can specify "local" in AAA and then it will use whatever you have configured on the local router for username and password, or you can specify "line" and it will use the password that you have configured on the console or on the vty.
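Putting both answers together, here is one complete IOS configuration that shows the named "line" method list for the console from the first answer next to the server-first default list with local fallback from the second. This is an added example, not configuration posted by anyone in the thread; the server names, 192.0.2.x addresses and all secrets are placeholders, and it uses the newer "group tacacs+" / "group radius" method keywords rather than the bare "tacacs+ radius" form quoted in the question.

```cisco
! Added example (not from the thread): server-first default method list plus a
! console-only "line" method list. Names, addresses and secrets are placeholders.
!
aaa new-model
!
! Local fallback account. With the default list below it is consulted only when
! every TACACS+ and RADIUS server is unreachable, so keep it to one account with
! a strong secret; "enable secret" still gates privileged mode.
username admin-fallback secret <strong-secret-here>
enable secret <strong-enable-secret-here>
!
! Default list: try TACACS+, then RADIUS, then the local user database.
! IOS moves to the next method only on an ERROR (server timeout/unreachable),
! never on a REJECT: a wrong password at a reachable server stays rejected and
! does not fall through to the local account.
aaa authentication login default group tacacs+ group radius local
!
! Named list for out-of-band access: checks the console's own line password.
aaa authentication login CONSOLE line
!
tacacs server TAC1
 address ipv4 192.0.2.10
 key <tacacs-shared-key>
radius server RAD1
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key <radius-shared-key>
!
! Console uses the weaker line-password list, as the first answer suggested.
line con 0
 password <console-line-password>
 login authentication CONSOLE
!
! VTYs keep the default list. Under aaa new-model a bare "login" or "login local"
! is not accepted on a line; only "login authentication <list-name>" is.
line vty 0 4
 login authentication default
 transport input ssh
```

Two practical notes. The "local" method prompts "Username:" and "Password:" exactly like TACACS+, so a username prompt on the console while the servers were down is consistent with the router having already fallen through to local. And because the "line" method checks only a shared password with no usernames, console sessions authenticated through the CONSOLE list leave no per-user identity in TACACS+ accounting or local logs, which is the trade-off being accepted when a lower-level list is put on a physical-access port.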