Configure local authentication with AAA

This should be a no-brainer for anyone preparing for the CCIE lab exam (I'll not elaborate why, but you could guess), but here it is for the benefit of everyone else: if you want to enable AAA on Cisco IOS but still retain local usernames (at least for console access), this is how you do it:

  • Define local usernames with the username xxx password yyy command (I would prefer the secret option if your IOS supports it).
  • Configure aaa new-model.
  • Configure a named AAA authentication list with the aaa authentication login MyList local command.
  • Attach the named AAA authentication list to the console line with the login authentication MyList command.

If you want to use the local usernames only as a fallback mechanism in case the AAA servers fail or become unreachable, use the aaa authentication login MyList group [radius|tacacs+|name] local command instead.
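The four steps above as one complete configuration. This is an added example, not configuration from the original post; the usernames, the TACACS+ server address and key, and the list names MyList and MyFallback are placeholders I made up for illustration.

```cisco
! Added example, not from the original post. All addresses, keys and
! usernames below are placeholders.
!
! Step 1: local usernames. "secret" stores a hashed password; plain
! "password" stores a reversible type-7 string, so prefer secret.
username admin privilege 15 secret AdminSecret-PLACEHOLDER
username emergency privilege 15 secret EmergencySecret-PLACEHOLDER
!
! Step 2: enable the AAA subsystem. From this point on the lines no
! longer use their own "password"/"login local" settings.
aaa new-model
!
! Step 3: named authentication lists.
!   MyList      - local usernames only (console)
!   MyFallback  - TACACS+ first, local only if no server answers (vty)
tacacs-server host 192.0.2.10
tacacs-server key TacacsKey-PLACEHOLDER
aaa authentication login MyList local
aaa authentication login MyFallback group tacacs+ local
!
! Step 4: attach the lists to the lines.
line con 0
 login authentication MyList
line vty 0 4
 login authentication MyFallback
```

Two things worth checking before you save this: every aaa authentication login list that a line references must exist (an undefined list name falls back to the default list, and if none is defined the line simply has no working login method), and in a group ... local list the local method is consulted only when none of the servers responds, not when a server actively rejects the credentials. Keeping the console on a local-only list while the remote lines use the server group is the simplest way to avoid locking yourself out if the server configuration turns out to be wrong.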

Note: this article is part of You've asked for it series.

5 comments:

  1. If you use the default list you don't have to make any changes to the Console or VTY lines. They will automatically use the default aaa list. For example:

    aaa new-model
    aaa authentication login default local

    You can also use this in your corporate network:

    aaa new-model
    aaa authentication login default group tacacs+ local

    No passwords on lines, no authentication commands on lines. Nice and clean.

  2. If I have two local users and want to restrict one of them to telnet access, how can I do that?

  3. Ali Murtaza Solangi, 08 July 2010, 14:23

    I mistakenly configured an AAA client (Cisco Catalyst 3560) without
    aaa authentication login default group tacacs+ LOCAL
    A local username and password exist on the device, but now I cannot access that switch,
    neither through remote access nor through the console port.
    So is there any way to recover the password for that switch?

    Thanks in advance

  4. Ivan Pepelnjak, 08 July 2010, 14:46

    The first link will probably give you what you need:

    http://www.google.com/search?q=catalyst+3560+recover+password

  5. When you configure aaa authentication login MyList local, does the Radius server have to be configured with the group name "MyList" also? In addition, I have aaa configured as:
    radius-server host 111.111.111.111
    radius-server host 222.222.222.222
    radius-server key PASSWORDXXXXXXXXXXXXXXXXXX
    aaa new-model
    aaa authentication login default radius local

    With these configs in place and the necessary configs on the server, I am able to log into the devices via ssh but can no longer console into devices locally. Do I need to add:
    line con 0
     login authentication default

    Will this allow me to log in via the console port and authenticate via radius if necessary?
    Also, I have an emergency username configured at privilege level 0 with a secret. If AAA fails, will I still be able to access the device, as login local is no longer an option under line con 0 since AAA has been configured?



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.