Configure local authentication with AAA

This should be a no-brainer for anyone preparing for the CCIE lab exam (I'll not elaborate why, but you could guess), but here it is for the benefits of everyone else: if you want to enable AAA on Cisco IOS but still retain local usernames (at least for the console access), this is how you do it:
  • Define local usernames with username xxx password yyy command (I would prefer the secret option if your IOS supports it).
  • Configure aaa new-model.
  • Configure a named AAA authentication list with the aaa authentication login MyList local.
  • Attach the named AAA authentication list to the console line with the login authentication MyList command.
If you want to use the local usernames only as a fallback mechanism in case the AAA servers fail or become unreachable, you could use the aaa authentication login MyList group [radius|tacacs+|name] local command.

Note: this article is part of You've asked for it series.

Recent posts in the same categories

5 comments:

  1. Nick Walton 19 January 2009 09:18
    If you use the default list you don't have to make any changes to the Console or VTY lines. They will automatically use the default aaa list. For example:

    aaa new-model
    aaa authentication login default group local

    You can also use this in your corporate network:

    aaa new-model
    aaa authentication login default group TACACS+ local

    No passwords on lines, no authentication commands on lines. Nice and clean.
  2. Anonymous 12 April 2010 00:26
    if i have two local users , and want to restrict one of them to telnet access ,how can i do that ?
  3. Ali Murtaza Solangi 08 July 2010 14:23
    i mistakenly configure AAA client (Cisco Catalyst 3560) without
    aaa authentication login default group tacacs+ LOCAL
    and a local user name and password is existing on device but now i could not access that switch..
    niether through remote access / console port.
    so is there any way to recover password for that switch?

    Thanks in advance
  4. Ivan Pepelnjak 08 July 2010 14:46
    The first link will probably give you what you need:

    http://www.google.com/search?q=catalyst+3560+recover+password
  5. JoAnn 20 October 2011 14:22
    When you configure aaa authentication login MyList local, does the Radius server have to be configured with the group name "MyList" also? In addition, I have aaa configured as:
    radius-server host 111.111.111.111
    radius-server host 222.222.222.222
    radius-server key PASSWORDXXXXXXXXXXXXXXXXXX
    aaa new-model
    aaa authenication login default radius local

    With these configs in place and the necessary configs on the server, I am able to log into the devices via ssh but can no longer console into devices locally. Do I need to add:
    Line con 0
    login auth default

    Will this allow me to log in via the console port and authenticate via radius if necessary?
    Also, I have an emergency username configured at priv level 0 secret. if AAA fails, will I still be able to access the device as login local is no longer an option under line con 0 since aaa has been configured.
Add comment
Home
Sidebar