aaa authentication login default group tacacs+ local
aaa authentication login TACACS group tacacs+ enable
line vty 0 4
 login authentication TACACS
Based on the above configuration, I would assume that if a user telnets in using one of the 5 vty lines, then he/she is authenticated by the "TACACS" method. But if a user consoles in, then he/she is authenticated by the "default" method. Right?
Is there a reason why someone would have both methods "default" and "TACACS" on the router at the same time?
Yes, that is correct. Logging in via the console will use the default method list for authentication.
The reason why it would be helpful to have both would be to have different authentication servers/methods to authenticate your users based on what services they're trying to log into. You could have had "aaa authentication login default local" so that users who console in (or use an alternate line) would simply log in with a local username/password rather than going to tacacs+.
If we were to use your configuration that you have listed, the reason why we would have both the "default" and the "TACACS" method lists would be to reference different servers as the fallback method used for each list. In other words, if the tacacs+ server were unreachable for some odd reason, then lines using the default list (in your case, the console line) would fall back and use the local database for authentication. For lines using the TACACS method list (in your case, the 5 vty lines), the fallback method would be to use the enable password.
Sorry if this sounds like rambling. Hope it helps.
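The resolution described in the answer above, as an added example that is not part of the original thread: a small Python model that parses the posted configuration and reports which login method each line ends up using when the TACACS+ server is reachable and when it is not. The `line con 0` stanza, the function names and the `unreachable` parameter are assumptions added for illustration.

```python
import re

# The posted configuration, plus a constructed "line con 0" stanza so the
# console line (which carries no "login authentication" command) is present.
CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authentication login TACACS group tacacs+ enable
line con 0
line vty 0 4
 login authentication TACACS
"""

def parse(config):
    """Return (method_lists, line_bindings) from IOS-style config text."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            # Keep "group tacacs+" together as a single method token.
            lists[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))
            current = None
        elif text.startswith("line "):
            current = text[len("line "):]
            lines[current] = "default"  # no explicit list means "default"
        elif current and text.startswith("login authentication "):
            lines[current] = text.split()[2]
    return lists, lines

def method_used(line, config, unreachable=()):
    """Return the method that answers a login on the given line.

    A later method is tried only when an earlier one gives no response;
    a rejection from a reachable server ends the attempt (not modelled here).
    """
    lists, lines = parse(config)
    for method in lists[lines[line]]:
        if method not in unreachable:
            return method
    return None  # every method failed to respond, so the login fails

if __name__ == "__main__":
    for line in ("con 0", "vty 0 4"):
        up = method_used(line, CONFIG)
        down = method_used(line, CONFIG, unreachable={"group tacacs+"})
        print(f"line {line}: server up -> {up}; server down -> {down}")
```
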