https://community.cisco.com/t5/network-access-control/very-simple-aaa-question-for-aaa-gurus/m-p/297886#M434949 <P>Hi!</P><P></P><P>Does anybody know why authentication always succeeds if I login to a router as "any_nonexistent_user" with the following config:</P><P></P><P>aaa new-model</P><P>aaa authentication login test local none</P><P>line vty 0 4</P><P> login authentication test</P><P></P><P>and doesn't succeed with the following config:</P><P></P><P>aaa new-model</P><P>aaa authentication login test group tacacs+ none</P><P>line vty 0 4</P><P> login authentication test</P><P></P><P>The user "any_nonexistent_user" really doesn't exist <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> in the local database.</P><P></P><P></P><P>Does this behaviour contradict the documentation: "The additional methods of authentication are used only if the previous method returns an error, not if it fails".</P><P></P><P>Regards,</P><P>Oleg Tipisov,</P><P>REDCENTER,</P><P>Moscow</P><P></P> Sun, 10 Mar 2019 14:38:12 GMT ovt 2019-03-10T14:38:12Z https://community.cisco.com/t5/network-access-control/very-simple-aaa-question-for-aaa-gurus/m-p/297886#M434949 <P>Hi!</P><P></P><P>Does anybody know why authentication always succeeds if I login to a router as "any_nonexistent_user" with the following config:</P><P></P><P>aaa new-model</P><P>aaa authentication login test local none</P><P>line vty 0 4</P><P> login authentication test</P><P></P><P>and doesn't succeed with the following config:</P><P></P><P>aaa new-model</P><P>aaa authentication login test group tacacs+ none</P><P>line vty 0 4</P><P> login authentication test</P><P></P><P>The user "any_nonexistent_user" really doesn't exist <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> in the local database.</P><P></P><P></P><P>Does this behaviour contradict the documentation: "The additional methods of authentication are used only if the previous method returns an error, not if it fails".</P><P></P><P>Regards,</P><P>Oleg Tipisov,</P><P>REDCENTER,</P><P>Moscow</P><P></P> Sun, 10 Mar 2019 14:38:12 GMT https://community.cisco.com/t5/network-access-control/very-simple-aaa-question-for-aaa-gurus/m-p/297886#M434949 ovt 2019-03-10T14:38:12Z https://community.cisco.com/t5/network-access-control/very-simple-aaa-question-for-aaa-gurus/m-p/297887#M434951 <HTML><HEAD></HEAD><BODY><P>I have witnessed this same behavior. It appears that the "local" auth type is an exception to the rule. If the user does not exist in the local list, then the next method is tried. This is not the case with tacacs or radius.</P></BODY></HTML> Tue, 20 Jan 2004 17:30:48 GMT https://community.cisco.com/t5/network-access-control/very-simple-aaa-question-for-aaa-gurus/m-p/297887#M434951 d.parks 2004-01-20T17:30:48Z https://community.cisco.com/t5/network-access-control/very-simple-aaa-question-for-aaa-gurus/m-p/297888#M434952 <HTML><HEAD></HEAD><BODY><P>If you look at this web site:<A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800c6c62.html#1017794" target="_blank">http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800c6c62.html#1017794</A></P><P></P><P>and read this sample info: </P><P>The following example creates an AAA authentication list called MIS-access. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.</P><P></P><P>aaa authentication login MIS-access group tacacs+ enable none </P><P></P><P></P><P>You will see that using the work 'none' will authenticate a user without requiring authentication</P></BODY></HTML> Tue, 10 Feb 2004 19:35:20 GMT https://community.cisco.com/t5/network-access-control/very-simple-aaa-question-for-aaa-gurus/m-p/297888#M434952 jay.silveus 2004-02-10T19:35:20Z