Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

multiple aaa authentication statements

aaa authentication login default group tacacs+ local

aaa authentication login TACACS group tacacs+ enable

line vty 0 4

login authentication TACACS

Base on the above configuration, I would assume if a user is telnet using one of the 5 vty lines then he/she is authenticated by "TACACS" method. But if a user is console in then he/she is authenticated by "default" method. Right?

Is there a reason why someone would have both methods "default" and "TACACS" on the router at the same time?


New Member

Re: multiple aaa authentication statements

Yes, that is correct. Logging in via the console will use the default method list for authentication.

The reason why it would be helpful to have both would be to have different authentication servers/methods to authentication your users based on what services they're trying to log into. You could have had "aaa authentication login default local" so that users who console in (or use an alternate line) would simply login with a local username/password rather than going to tacacs+.

If we were to use your configuration that you have listed, the reason why we would have both the "default" and the "TACACS" method lists would be to reference different servers as the fallback method used for each list. In other words, if the tacacs+ server were unreachable for some odd reason, then lines using the default list (in your case, the console line) would fall back and use the local database for authentication. For lines using the TACACS method list (in your case, the 5 vty lines), the fallback method would be to use the enable password.

Sorry if this sounds like rambling. Hope it helps.



New Member

Re: multiple aaa authentication statements


Thank you so much for the clarification.