multiple aaa authentication statements

situwayne
Level 1

aaa authentication login default group tacacs+ local
aaa authentication login TACACS group tacacs+ enable
line vty 0 4
 login authentication TACACS

Based on the above configuration, I would assume that if a user telnets in using one of the 5 vty lines then he/she is authenticated by the "TACACS" method list. But if a user consoles in then he/she is authenticated by the "default" method list. Right?

Is there a reason why someone would have both methods "default" and "TACACS" on the router at the same time?

thx

2 Replies

annnguy
Level 1

Yes, that is correct. Logging in via the console will use the default method list for authentication.

The reason why it would be helpful to have both would be to have different authentication servers/methods to authenticate your users based on what services they're trying to log into. You could have had "aaa authentication login default local" so that users who console in (or use an alternate line) would simply log in with a local username/password rather than going to tacacs+.

If we were to use your configuration that you have listed, the reason why we would have both the "default" and the "TACACS" method lists would be to reference different servers as the fallback method used for each list. In other words, if the tacacs+ server were unreachable for some odd reason, then lines using the default list (in your case, the console line) would fall back and use the local database for authentication. For lines using the TACACS method list (in your case, the 5 vty lines), the fallback method would be to use the enable password.

Sorry if this sounds like rambling. Hope it helps.

Sincerely,

Annie
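To make the method-list resolution described in the reply concrete, here is an added example (not part of the original thread, and not Cisco code) that parses the thread's two "aaa authentication login" statements and the line stanzas, reports the ordered method chain each line ends up with, and shows which method is actually used when the TACACS+ server group is or is not reachable. The "line con 0" stanza with no explicit "login authentication" command is an assumption added so the console's use of the default list is visible; only the "login" authentication type is handled.

```python
"""Resolve which AAA login method list applies to each IOS line.

Added example, not from the original thread. It parses
'aaa authentication login <name> <methods...>' statements and 'line'
stanzas, then reports the ordered method chain each line uses.
"""
import re

# Constructed sample based on the thread's configuration. The 'line con 0'
# stanza (no explicit 'login authentication') is an assumption, added so the
# console line's fallback to the 'default' list is visible.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login TACACS group tacacs+ enable
line con 0
line vty 0 4
 login authentication TACACS
"""


def parse_method_lists(config):
    """Return {list_name: [method, ...]} from 'aaa authentication login' lines."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)$", line.strip())
        if not m:
            continue
        name, tokens = m.group(1), m.group(2).split()
        methods = []
        i = 0
        while i < len(tokens):
            if tokens[i] == "group":          # 'group tacacs+' / 'group radius' / 'group <name>'
                methods.append("group " + tokens[i + 1])
                i += 2
            else:                             # local, enable, line, none, ...
                methods.append(tokens[i])
                i += 1
        lists[name] = methods
    return lists


def parse_line_stanzas(config):
    """Return {line_spec: list_name}; a line with no 'login authentication' uses 'default'."""
    assignments = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("line "):
            current = line[len("line "):]
            assignments[current] = "default"
        elif current and line.strip().startswith("login authentication "):
            assignments[current] = line.strip().split()[-1]
        elif line and not line.startswith(" "):
            current = None                    # left the line stanza
    return assignments


def resolve(config):
    """Map each line to its ordered methods, e.g. {'con 0': ['group tacacs+', 'local']}."""
    lists = parse_method_lists(config)
    return {spec: lists[name] for spec, name in parse_line_stanzas(config).items()}


def effective_method(config, line_spec, reachable):
    """Method actually used on 'line_spec' given the set of server groups that answer.

    IOS walks to the next method only when a server group is unreachable (an
    error), not when the server rejects the credentials (a failure).
    """
    for method in resolve(config)[line_spec]:
        if method.startswith("group "):
            if method.split()[1] in reachable:
                return method
            continue                          # group unreachable -> next method
        return method
    return None                               # list exhausted -> login refused


if __name__ == "__main__":
    for spec, chain in resolve(SAMPLE_CONFIG).items():
        print(f"line {spec}: {' -> '.join(chain)}")
    print("vty fallback with TACACS+ down:",
          effective_method(SAMPLE_CONFIG, "vty 0 4", set()))
    print("console fallback with TACACS+ down:",
          effective_method(SAMPLE_CONFIG, "con 0", set()))
```

Running it prints the console line resolving to "group tacacs+ -> local" and the vty lines to "group tacacs+ -> enable", which is exactly the split the reply describes: with the TACACS+ server down, the console falls back to the local database while the vty lines fall back to the enable password.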

Annie,

Thank you so much for the clarification.
