
Configure local authentication with AAA

This should be a no-brainer for anyone preparing for the CCIE lab exam (I'll not elaborate why, but you can guess), but here it is for the benefit of everyone else: if you want to enable AAA on Cisco IOS but still retain local usernames (at least for console access), this is how you do it:
  • Define local usernames with the username xxx password yyy command (prefer the username xxx secret yyy form if your IOS supports it: it stores a hash of the password rather than a reversibly-encoded one).
  • Configure aaa new-model.
  • Configure a named AAA authentication list with the aaa authentication login MyList local command.
  • Attach the named AAA authentication list to the console line with the login authentication MyList command.
If you want to use the local usernames only as a fallback in case the AAA servers fail or become unreachable, use the aaa authentication login MyList group [radius|tacacs+|name] local command instead (name being a server group you defined); the methods are tried in order, so local is consulted only when the servers do not answer.
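Added example, not part of the original post: a small Python check over a Cisco IOS-style configuration that reports whether console login still works when every AAA server is unreachable, which is the lock-out the procedure above avoids. The two sample configurations and the placeholder password hash are constructed for the example.

```python
"""Added check: does console login survive the AAA servers being unreachable?
Constructed IOS-style samples below; $1$EXAMPLE... is a placeholder hash."""
import re

# Safe: named list with 'local' fallback, attached to the console line.
SAFE_CONFIG = """\
username admin secret 5 $1$EXAMPLE$placeholderhash
aaa new-model
aaa authentication login MyList group tacacs+ local
line con 0
 login authentication MyList
"""

# Lock-out from the comments: default list with no 'local' method at the end.
LOCKOUT_CONFIG = """\
username admin secret 5 $1$EXAMPLE$placeholderhash
aaa new-model
aaa authentication login default group tacacs+
line con 0
 password cisco
"""

def parse_config(text):
    """Return (aaa_new_model, has_local_user, login_lists, console_list)."""
    lists, console_list = {}, None
    new_model = local_user = in_console = False
    for line in text.splitlines():
        if not line.startswith(" "):                   # top-level command
            in_console = line.startswith("line con ")
        if line == "aaa new-model":
            new_model = True
        elif re.match(r"username \S+ .*\b(secret|password)\b", line):
            local_user = True
        elif line.startswith("aaa authentication login "):
            parts = line.split()
            lists[parts[3]] = parts[4:]                # ['group', 'tacacs+', 'local']
        elif in_console and line.strip().startswith("login authentication "):
            console_list = line.split()[2]
    return new_model, local_user, lists, console_list

def console_survives_aaa_failure(text):
    """True if the console still authenticates with every AAA server down."""
    new_model, local_user, lists, console_list = parse_config(text)
    if not new_model:
        return True                                    # plain line passwords apply
    # Assumption: with aaa new-model and no matching list, IOS consults only
    # the local user database, so an undefined list behaves like 'local'.
    methods = lists.get(console_list or "default", ["local"])
    if "none" in methods:                              # open console, but no lock-out
        return True
    return "local" in methods and local_user
```

Run it against a `show running-config` dump before enabling AAA on a device you only reach over the network; a False result means the console would ask for credentials no method list can verify.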

Note: this article is part of the You've asked for it series.



  1. If you use the default list you don't have to make any changes to the console or VTY lines. They will automatically use the default AAA list. For example:

    aaa new-model
    aaa authentication login default local

    You can also use this in your corporate network:

    aaa new-model
    aaa authentication login default group tacacs+ local

    No passwords on lines, no authentication commands on lines. Nice and clean.

  2. If I have two local users and want to restrict one of them to telnet access, how can I do that?

  3. Ali Murtaza Solangi, 08 July, 2010 14:23

    I mistakenly configured an AAA client (Cisco Catalyst 3560) without
    aaa authentication login default group tacacs+ LOCAL
    and a local username and password exist on the device, but now I cannot access that switch,
    neither through remote access nor the console port.
    So is there any way to recover the password for that switch?

    Thanks in advance

  4. Ivan Pepelnjak, 08 July, 2010 14:46

    The first link will probably give you what you need:

  5. When you configure aaa authentication login MyList local, does the RADIUS server have to be configured with the group name "MyList" also? In addition, I have AAA configured as:
    radius-server host
    radius-server host
    aaa new-model
    aaa authentication login default radius local

    With these configs in place and the necessary configs on the server, I am able to log into the devices via SSH but can no longer console into devices locally. Do I need to add:
    line con 0
    login authentication default

    Will this allow me to log in via the console port and authenticate via RADIUS if necessary?
    Also, I have an emergency username configured at privilege level 0 with a secret. If AAA fails, will I still be able to access the device, as login local is no longer an option under line con 0 since AAA has been configured?

