To set AAA authentication at login, use the aaa authentication login global configuration command. Use the no form of this command to disable AAA authentication.
aaa authentication login {default | list-name} method1 [method2...]
no aaa authentication login {default | list-name} method1 [method2...]
default Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
list-name  Character string used to name the list of authentication methods activated when a user logs in.
method  At least one of the keywords described in Table 5.
If the default list is not set, only the local user database is checked. This has the same effect as the following command:
aaa authentication login default local
On the console, login will succeed without any authentication checks if default is not set.
Global configuration
| Release | Modification |
|---|---|
| 10.3 | This command was introduced. |
The default and optional list names that you create with the aaa authentication login command are used with the login authentication command.
Create a list by entering the aaa authentication login list-name method command for a particular protocol, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence. Method keywords are described in Table 5.
To create a default list that is used if no list is assigned to a line, use the login authentication command with the default argument followed by the methods you want to use in default situations.
The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.
If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods.
| Keyword | Description |
|---|---|
| enable | Uses the enable password for authentication. |
| krb5 | Uses Kerberos 5 for authentication. |
| line | Uses the line password for authentication. |
| local | Uses the local username database for authentication. |
| none | Uses no authentication. |
| radius | Uses RADIUS authentication. |
| tacacs+ | Uses TACACS+ authentication. |
| krb5-telnet | Uses Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router. |
This command cannot be used with TACACS or extended TACACS.
The following example creates an AAA authentication list called MIS-access. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.
aaa authentication login MIS-access tacacs+ enable none
The following example creates the same list, but it sets it as the default list that is used for all login authentications if no other list is specified:
aaa authentication login default tacacs+ enable none
The following example sets authentication at login to use the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router:
aaa authentication login default KRB5-TELNET krb5
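The fallback rule described above (a later method is tried only when the previous one returns an error, never when it fails) and the effect of a trailing none can be checked offline against a saved configuration. The following Python sketch is an added example, not Cisco code: the function names, the outcome labels pass/fail/error, and the second line of the sample configuration are assumptions made for illustration.

```python
import re

# Method keywords taken from the keyword table on this page.
KEYWORDS = {"enable", "krb5", "line", "local", "none", "radius", "tacacs+", "krb5-telnet"}
LINE_RE = re.compile(r"^\s*aaa authentication login (\S+) (.+)$", re.IGNORECASE)

def parse_lists(config):
    """Return {list_name: [methods]} for each 'aaa authentication login' line."""
    lists = {}
    for line in config.splitlines():
        m = LINE_RE.match(line)  # anchored, so 'no aaa ...' lines are skipped
        if m:
            lists[m.group(1)] = [w.lower() for w in m.group(2).split()]
    return lists

def evaluate(methods, outcomes):
    """Walk a method list. outcomes maps method -> 'pass' | 'fail' | 'error'.
    Only 'error' moves on to the next method; 'fail' denies immediately.
    Assumption: a method missing from outcomes is treated as 'error'."""
    for method in methods:
        if method == "none":
            return ("permit", "none")  # no authentication performed
        result = outcomes.get(method, "error")
        if result == "pass":
            return ("permit", method)
        if result == "fail":
            return ("deny", method)
    return ("deny", None)  # every method returned an error

def audit(config):
    """Flag lists that can end in unauthenticated access or use unknown keywords."""
    findings = []
    for name, methods in parse_lists(config).items():
        unknown = [m for m in methods if m not in KEYWORDS]
        if unknown:
            findings.append((name, "unknown method: " + ", ".join(unknown)))
        if "none" in methods:
            findings.append((name, "login permitted without authentication if earlier methods error"))
    return findings

# Constructed sample: the MIS-access line is from this page, the default line is made up.
SAMPLE = """\
aaa new-model
aaa authentication login MIS-access tacacs+ enable none
aaa authentication login default tacacs+ local
"""

if __name__ == "__main__":
    for name, issue in audit(SAMPLE):
        print(f"{name}: {issue}")
```

With the TACACS+ server unreachable and no enable password set, evaluate reports that MIS-access admits the user through none, while the same outage on a list without none ends in a deny.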
| Command | Description |
|---|---|
| aaa authentication local-override | Configures the Cisco IOS software to check the local user database for authentication before attempting another form of authentication. |
| aaa new-model | Enables the AAA access control model. |
| login authentication | Enables AAA authentication for logins. |
All material in this document copyright 2000 Cisco Systems, Inc. All rights reserved. No material may be reproduced or distributed without written permission of Cisco Systems, Inc.