
Configure local authentication with AAA

This should be a no-brainer for anyone preparing for the CCIE lab exam (I'll not elaborate why, but you could guess), but here it is for the benefit of everyone else: if you want to enable AAA on Cisco IOS but still retain local usernames (at least for console access), this is how you do it:

  • Define local usernames with the username xxx secret yyy command (use secret rather than password whenever your IOS release supports it: password stores a reversible type-7 string, secret stores a hash).
  • Configure aaa new-model. From this point on the line-level login local command and line passwords are no longer consulted; every line authenticates through an AAA method list (the default list unless you attach a named one).
  • Configure a named AAA authentication list with the aaa authentication login MyList local command.
  • Attach the named AAA authentication list to the console line with the login authentication MyList command.
If you want to use the local usernames only as a fallback mechanism in case the AAA servers fail or become unreachable, you could use the aaa authentication login MyList group [radius|tacacs+|name] local command. Keep in mind that the local method is tried only when no server in the group answers (the group returns an error); a server that is reachable and rejects the credentials ends the attempt, so the local fallback does not help against a misconfigured server that says "no".
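The complete configuration the steps above describe, as an added example that is not part of the original post. The username, the TACACS+ server addresses (taken from the 192.0.2.0/24 documentation range), the shared key and the list and group names CONSOLE and CORP are placeholders I chose; the console keeps a local-only list while every other line gets the TACACS+-first, local-fallback variant.

```cisco
! Added example, not from the original post. Addresses, key and names
! are placeholders.

! 1. Local fallback account. "secret" stores a hash of the password;
!    "password" would store a reversible type-7 string.
username admin privilege 15 secret LocalFallbackPass

! 2. Enable AAA. From here on "login local" and line passwords are no
!    longer consulted; every line authenticates through a method list.
aaa new-model

! TACACS+ servers, grouped under CORP so a method list can name them
tacacs-server host 192.0.2.10 key SharedTacacsKey
tacacs-server host 192.0.2.11 key SharedTacacsKey
aaa group server tacacs+ CORP
 server 192.0.2.10
 server 192.0.2.11

! 3a. Named list for the console: local usernames only, so the console
!     keeps working no matter what the TACACS+ servers do
aaa authentication login CONSOLE local

! 3b. Default list for everything else: TACACS+ first, local usernames
!     only if no server in the group answers. A reject from a live
!     server is final and does not trigger the local fallback.
aaa authentication login default group CORP local

! 4. Attach the named list to the console. VTY lines need no per-line
!    command; they pick up the default list automatically.
line console 0
 login authentication CONSOLE
```

Apply this from a session you keep open and verify the new lists from a second session before logging out; test aaa group CORP admin LocalFallbackPass legacy shows whether the group is reachable, and the local-only console list is what still lets you in if it is not. The same structure works with RADIUS: replace tacacs-server host with radius-server host and tacacs+ with radius in the aaa group server command.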

Note: this article is part of the You've asked for it series.


  1. If you use the default list you don't have to make any changes to the console or VTY lines. They will automatically use the default AAA list. For example:

    aaa new-model
    aaa authentication login default local

    You can also use this in your corporate network:

    aaa new-model
    aaa authentication login default group tacacs+ local

    No passwords on lines, no authentication commands on lines. Nice and clean.

  2. If I have two local users and want to restrict one of them to Telnet access, how can I do that?

  3. Ali Murtaza Solangi, 08 July, 2010 14:23

    I mistakenly configured an AAA client (Cisco Catalyst 3560) without
    aaa authentication login default group tacacs+ LOCAL
    and a local username and password exist on the device, but now I cannot access that switch,
    neither through remote access nor through the console port.
    So is there any way to recover the password for that switch?

    Thanks in advance

  4. Ivan Pepelnjak, 08 July, 2010 14:46

    The first link will probably give you what you need:

  5. When you configure aaa authentication login MyList local, does the RADIUS server have to be configured with the group name "MyList" as well? In addition, I have AAA configured as:
    radius-server host
    radius-server host
    aaa new-model
    aaa authentication login default group radius local

    With these configs in place and the necessary configs on the server, I am able to log into the devices via SSH but can no longer console into the devices locally. Do I need to add:
    line con 0
    login authentication default

    Will this allow me to log in via the console port and authenticate via RADIUS if necessary?
    Also, I have an emergency username configured at privilege level 0 with a secret. If AAA fails, will I still be able to access the device, as login local is no longer an option under line con 0 since AAA has been configured?

