I am a little confused as to how logging into the router works with AAA and the local username database.
First of all, I have AAA authentication enabled and am using a TACACS+ server. I have created one username xxx password xxxx for emergency access so as not to lock me out of the router.
Now, if I apply:
line con 0
login authentication default
it will use the AAA method for logging in. I have it set to use AAA to authenticate and log in with the username/password, and as a fallback to use the local username/password database. (Will that use the one emergency username/password I created earlier?)
What if I add "login authentication default" to the vty line? Will that use the local username and password (emergency account) if AAA fails?
What if I need to add other users to use the vty? (They will use AAA.) But for when AAA fails, once I create the other users with the privilege level they need, do I need to apply it to the vty line?
Also, do I need the login local command on the console and vty if I am using AAA (for when AAA fails)?
It would be easier to answer your question well if we knew a few details of how you have configured aaa. But I will explain a few things and hope that they answer your question. If they do not then please provide some details and clarify your questions.
First, let me explain that you do not need to configure login authentication default on either the console or the vty. When you configure aaa new-model, both the console and the vty automatically become authentication default.
You might configure login authentication on the console or the vty if you wanted to specify some method list other than default on them.
Second, let me explain that when you have configured aaa new-model you can no longer configure login local. Login local only works when aaa is not enabled.
I am assuming from your description that you have configured authentication something like this:
aaa authentication login default group tacacs+ local
If that is not what you have configured then please clarify what is configured.
If you have configured this, then both the console and the vty will attempt to use tacacs to authenticate the user, and if tacacs is not available then the router will authenticate from the local user database. If there is a single name in the local user database then the router will authenticate with that single name. If you configure several names in the database then the router will check the entered name against all of the names in the database.
If this does not answer your questions then please clarify what you have configured and what your question is.
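A complete configuration that matches the method list described in the answer above, added here as an illustration (it is not from either poster); the server address, shared secret and account name are placeholders:

```cisco
! Added example, not from the original thread. Address, key and username are placeholders.
aaa new-model
!
! Emergency account in the local database, used only when the TACACS+ group is unreachable.
username emergency privilege 15 secret REPLACE-WITH-STRONG-PASSPHRASE
!
tacacs server TAC1
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
!
! Method list: try TACACS+ first, fall back to the local database.
! The fallback is used only when the server group does not respond (ERROR),
! not when the server actively rejects the credentials (FAIL).
aaa authentication login default group tacacs+ local
!
! Once aaa new-model is set, these lines already use the default method list;
! "login authentication default" may be typed but is redundant, and "login local"
! is no longer accepted.
line con 0
 exec-timeout 10 0
line vty 0 4
 exec-timeout 10 0
 transport input ssh
```

Any additional local usernames added later are checked the same way on both console and vty; nothing further is needed on the line sub-configuration for them.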
Sorry, I had trouble asking my question. I figured out what I needed to know, I think.
Just a question, regarding: "When you configure aaa new-model both the console and the vty automatically become authentication default."
If I do a "show run", the command listing would show:
"line con 0
login authentication default"
I looked at some configurations and saw this line and assumed you had to enter it that way. I did know that aaa new-model automatically did that. I was a bit confused to see it in the show run listings of best-practice configurations.