To enable AAA authentication to determine if a user can access the privileged command level, use the aaa authentication enable default global configuration command. Use the no form of this command to disable this authorization method.
aaa authentication enable default method1 [method2...]
no aaa authentication enable default method1 [method2...]
method | At least one of the keywords described in Table 4. |
If the default list is not set, only the enable password is checked. This has the same effect as the following command:
aaa authentication enable default enable
On the console, the enable password is used if it exists. If no password is set, the process will succeed anyway.
Global configuration
Release | Modification |
---|---|
10.3 | This command was introduced. |
Use the aaa authentication enable default command to create a series of authentication methods that are used to determine whether a user can access the privileged command level. Method keywords are described in Table 4. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.
If a default authentication routine is not set for a function, the default is none and no authentication is performed. Use the more system:running-config command to view currently configured lists of authentication methods.
Keyword | Description |
---|---|
enable | Uses the enable password for authentication. |
line | Uses the line password for authentication. |
none | Uses no authentication. |
tacacs+ | Uses TACACS+ authentication. |
radius | Uses RADIUS authentication. |
This command cannot be used with TACACS or extended TACACS.
The following example creates an authentication list that first tries to contact a TACACS+ server. If no server can be found, AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.
aaa authentication enable default tacacs+ enable none
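The fall-through rule above (the next method is tried only when the previous one returns an error, never when it rejects the user) can be modeled offline to review a method list before it is deployed. The following Python sketch is an added example, not Cisco code: the names `Result`, `parse_method_list`, `evaluate` and `audit` are hypothetical, and the per-method outcomes are constructed scenarios rather than output from a device.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method answered and accepted the credentials
    FAIL = "fail"    # method answered and rejected the credentials
    ERROR = "error"  # method could not answer (e.g. server unreachable)

VALID_METHODS = {"enable", "line", "none", "tacacs+", "radius"}  # Table 4 keywords
PREFIX = "aaa authentication enable default"

def parse_method_list(config_line):
    """Return the ordered methods from an 'aaa authentication enable default' line."""
    line = " ".join(config_line.split())  # normalize whitespace
    if not line.startswith(PREFIX + " "):
        raise ValueError("not an enable-default method list")
    methods = line[len(PREFIX):].split()
    unknown = [m for m in methods if m not in VALID_METHODS]
    if unknown:
        raise ValueError(f"unknown method keyword(s): {unknown}")
    return methods

def evaluate(methods, outcomes):
    """Walk the list; move to the next method only on ERROR.

    outcomes maps a method name to its Result in this scenario
    (assumption of this model: a method with no entry returns ERROR).
    Returns (granted, deciding_method).
    """
    for method in methods:
        if method == "none":
            return True, "none"   # succeeds with no authentication
        result = outcomes.get(method, Result.ERROR)
        if result is Result.PASS:
            return True, method
        if result is Result.FAIL:
            return False, method  # a rejection is final; later methods are skipped
    return False, None            # every method errored and there is no 'none'

def audit(methods):
    """Flag lists that can grant privileged access without authentication."""
    if "none" in methods:
        return ["'none' present: enable succeeds if all earlier methods return an error"]
    return []

if __name__ == "__main__":
    methods = parse_method_list("aaa authentication enable default tacacs+ enable none")
    print(evaluate(methods, {"tacacs+": Result.ERROR, "enable": Result.ERROR}))  # falls to none
    print(evaluate(methods, {"tacacs+": Result.FAIL, "enable": Result.PASS}))    # stops at tacacs+
    print(audit(methods))
```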
Command | Description |
---|---|
aaa authentication local-override | Configures the Cisco IOS software to check the local user database for authentication before attempting another form of authentication. |
aaa authorization | Sets parameters that restrict network access to a user. |
aaa new-model | Enables the AAA access control model. |
enable password | Sets a local password to control access to various privilege levels. |
All material in this document copyright 2000 Cisco Systems, Inc. All rights reserved. No material may be reproduced or distributed without written permission of Cisco Systems, Inc.