User's Manual
Configuring Login Authentication Using AAA
The AAA security services support a variety of login authentication methods. Use the aaa authentication login
command to enable AAA authentication, whichever of the supported login authentication methods you
decide to use. With the aaa authentication login command, you create one or more lists of authentication
methods that are tried at login. After the authentication method lists are configured, you apply them to lines
with the login authentication line configuration command. You can run the following commands, starting in
global configuration mode, to start the configuration:
Command                                                              Purpose
aaa authentication login {default | list-name} method1 [method2...]  Enables AAA globally.
line {console | vty} line-number [ending-line-number]                Enter the configuration mode of a line.
login authentication {default | list-name}                           Applies the authentication list to a line or set
                                                                     of lines. (In the line configuration mode)
The list-name is a character string that names the list you are creating. The method keyword specifies the
authentication method to use. Additional methods of authentication are tried only if the
previous method returns an error, not if it fails. To specify that the authentication should succeed even if all
methods return an error, specify none as the final method in the command line.
The default parameter creates a default authentication list, which is automatically applied to all
interfaces. For example, to specify that authentication should succeed even if (in this example) the TACACS+
server returns an error, enter the following command:
aaa authentication login default group tacacs+ none
Note:
Because the none keyword enables any user logging in to successfully authenticate, it should be
used only as a backup method of authentication.
If the authentication method list cannot be found, you can log in only through the console port. Any other way of
logging in is inaccessible.
The following table lists the supported login authentication methods:
Keyword        Notes
enable         Uses the enable password for authentication.
group name     Uses the named server group for authentication.
group radius   Uses RADIUS for authentication.
group tacacs+  Uses TACACS+ for authentication.
line           Uses the line password for authentication.
local          Uses the local username database for authentication.
localgroup     Uses the local strategy group username database for authentication.
local-case     Uses case-sensitive local user name authentication.
none           Passes the authentication unconditionally.
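The following check is an added example, not part of the manual or the vendor's software. It audits a configuration written with the command forms above for two conditions the text warns about: a method list that contains none, and a line that references a method list that is not defined. The sample configuration, the list names MGMT and OPS, and the finding labels are constructed for illustration, and the parser assumes each login authentication command follows its line command.

```python
# Constructed sample configuration using the command forms from this page.
SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ none
aaa authentication login MGMT group radius local
line console 0
 login authentication default
line vty 0 4
 login authentication MGMT
line vty 5 15
 login authentication OPS
line vty 16 20
"""

def parse_methods(tokens):
    """Join 'group <name>' into one method; other keywords stand alone."""
    methods, it = [], iter(tokens)
    for tok in it:
        methods.append(f"group {next(it, '')}".strip() if tok == "group" else tok)
    return methods

def audit(config):
    """Return sorted (issue, line, list-name) findings for login method lists."""
    lists, applied, current = {}, {}, None
    for raw in config.splitlines():
        w = raw.split()
        if w[:3] == ["aaa", "authentication", "login"] and len(w) > 4:
            lists[w[3]] = parse_methods(w[4:])
        elif w[:1] == ["line"] and len(w) >= 3:
            current = " ".join(w[1:])
            applied[current] = None          # no explicit list yet
        elif w[:2] == ["login", "authentication"] and len(w) == 3 and current:
            applied[current] = w[2]
    findings = []
    for line, name in applied.items():
        # A defined default list applies to lines with no explicit list.
        name = name or ("default" if "default" in lists else None)
        if name is None:
            continue
        if name not in lists:
            # Per the manual, only console login works in this case.
            findings.append(("list-not-found", line, name))
        elif "none" in lists[name]:
            # none authenticates anyone once the methods before it return an error.
            findings.append(("none-in-list", line, name))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding)
```

Replacing none with local in the default list of the sample clears both none-in-list findings while keeping a fallback for when the server returns an error.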
(1) Using the enable password for login authentication: