Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

AAA logins and line access

I am a little confused as to how logging into the router works with AAA and the local username database.

First of all I have AAA Authentication enabled and using a TACACS+ server. I have created one username xxx password xxxx for emergency access and to not lockme out of the router.

now, if I apply :

line con 0

login authentication default

it will use the AAA method for logging in. I have it set to use AAA to authenticat and loggin withthe username password. and as a fall back to use the local username password database. (will that use the one emergancy username password I created earlier?

what if I add "login authentication default" to the vty line will that use the local username and password (emergency account) if AAA fails?

what if I need to add other users to use the vty? (will use AAA) but when AAA fails once I create the other users with the privilege level they need do I need to apply it to the vty line?

also do I need the login local command on the console and vty if I am using AAA? (if AAA fails)

hope you understand my question guys

Hall of Fame Super Silver

Re: AAA logins and line access


It would be easier to answer your question well if we knew a few details of how you have configured aaa. But I will explain a few things and hope that they answer your question. If they do not then please provide some details and clarify your questions.

First let me explain that you do not need to configure login authentication default on either the console or the vty. When you configure aaa new-model both the console and the vty automatically become authentication default.

You might configure login authentication on the console or the vty if you wanted to specify some method list other than default on them.

Second let me explain that when you have configured aaa new-model that you can no longer configure login local. Login local only works when aaa is not enabled.

I am assuming from your description that you have configured authentication something like this:

aaa authentication login default group tacacs+ local

if that is not what you have configured then please clarify what is configured.

If you have configured this then both the console and the vty will attempt to use tacacs to authenticate the user and if tacacs is not available then the router will authenticate from the local user database. If there is a single name in the local user database then the router will authenticate with that single name. If you configure several names in the database then the router will check the entered name against all of the names in the database.

If this does not answer your questions then please clarify what you have configured and what your question is.



New Member

Re: AAA logins and line access

sorry I had trouble asking my question, I figured out what I needed to know I think.

Just a question, so when: "When you configure aaa new-model both the console and the vty automatically become authentication default. "

if I do a "show run" the command listing would show:

"line con 0

login authentication default"

I looked at some configurations and saw this line and assumed you had to enter it that way. I did know that aaa new-model automatically did that. Was confused a bit to see it in the show run listing of best practices configuration listings.

CreatePlease to create content