11-14-2006 05:04 PM - edited 03-10-2019 02:50 PM
I am implementing CSACS 4.0. First, on the client, I will apply AAA authentication/authorization under vty. The issue is, if I use the following command
aaa authentication enable default group tacacs+ enable
what will happen if I login via console? Will I be required to enter any username/password?
Below is my configuration
aaa new-model
aaa authentication login authvty group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 authvty group tacacs+ local
tacacs-server host IP
tacacs-server key key
ip tacacs source-interface vlan 3
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting exec authvty start-stop group tacacs+
aaa accounting commands 15 authvty start-stop group tacacs+
aaa accounting connection authvty start-stop group tacacs+
line vty 0 15
 login authentication authvty
 authorization commands 15 authvty
 accounting connection authvty
 accounting commands 15 authvty
 accounting exec authvty
Any suggestion will be appreciated!
11-14-2006 08:47 PM
If you set:
aaa authentication enable default group tacacs+ enable
which carries the 'default' keyword, all access (console, vty) will have to go through TACACS+ authentication.
If you want to skip it, you need to define
dedicated/separate group name (never use default) and point it to 'local'.
HTH
AK
11-15-2006 05:52 AM
When I try this command, only 'default' is available.
another question is, if I use the following commands,
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local
What exactly will 'default' work on? I know it includes vty, console and aux; how about other interfaces, such as a DSL dial-in interface?
Thanks!
11-15-2006 06:48 AM
Default will include all, unless you specified a different method list using a different name.
That's why sometimes you need, for example, separate authentication for console where physical security is no longer an issue. So, if you're unable to login via telnet, ssh or https, Console access (with user given privilege 15 access right) can provide last resort access method.
example:
aaa authentication login CONSOLE local --> authenticate using local user account only
aaa authentication login authvty group tacacs+ local
HTH
AK
11-15-2006 06:49 AM
BTW, you need to apply it the same way how you apply the 'authvty' on vty interface.
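Putting AK's advice from the last two replies together as one complete configuration (an added example, not taken from any post in this thread): a named list for the console that uses only the local database, a named list for the vty lines that tries TACACS+ first and falls back to local, and 'default' kept only for enable authentication. The server address, shared key, usernames and passwords are placeholders.

```ios
! Added example, not from the original thread. 192.0.2.10, the key and the
! account names/passwords are placeholders.
aaa new-model
!
! Local emergency account, reached only through the CONSOLE list or the
! vty fallback method
username admin privilege 15 secret <strong-password-placeholder>
!
! Console: local database only, so a TACACS+ outage never locks out physical access
aaa authentication login CONSOLE local
!
! Remote access: TACACS+ first. 'local' is consulted only when every
! server in the group is unreachable, never when a server rejects the login.
aaa authentication login AUTHVTY group tacacs+ local
!
! Enable password: TACACS+ first, then the locally configured enable secret
aaa authentication enable default group tacacs+ enable
enable secret <enable-secret-placeholder>
!
! Authorization for the remote sessions; if-authenticated lets a user who
! already passed authentication proceed when the server cannot be reached
aaa authorization exec AUTHVTY group tacacs+ if-authenticated
aaa authorization commands 15 AUTHVTY group tacacs+ if-authenticated
aaa accounting exec AUTHVTY start-stop group tacacs+
aaa accounting commands 15 AUTHVTY start-stop group tacacs+
!
tacacs-server host 192.0.2.10
tacacs-server key <shared-secret-placeholder>
ip tacacs source-interface vlan 3
!
! A named method list does nothing until a line references it by name
line con 0
 login authentication CONSOLE
line vty 0 15
 login authentication AUTHVTY
 authorization exec AUTHVTY
 authorization commands 15 AUTHVTY
 accounting exec AUTHVTY
 accounting commands 15 AUTHVTY
```

Two things worth checking before relying on this: the fallback from 'group tacacs+' to 'local' happens only on a server error (no reply from any server), so a TACACS+ reject is final and the local account is not tried; and the custom username/password prompts discussed later in this thread do not alter any dialog that a TACACS+ server supplies itself, so they are only visible when the local method is answering.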
11-15-2006 07:55 AM
How about this command
aaa authentication enable default group tacacs+ local
Will this also work on a dial-in interface?
Thanks for your help
11-15-2006 08:29 AM
1) Following is the configuration for PPP authentication on the dial-in router. This is through a RADIUS server.
aaa new-model
aaa authentication login default local
aaa authentication ppp qwe group radius
aaa authorization network qwe group radius
aaa accounting network qwe start-stop group radius
interface interface
 ppp authentication chap callin qwe
 ppp authorization qwe
 ppp accounting qwe
My configuration will be as follows, and this is via a TACACS+ server.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host host
tacacs-server key key
ip tacacs source-interface
3) Will this second configuration have any effect on the PPP authentication/authorization?
Thanks
11-15-2006 08:40 AM
Kai,
I have configured a router to support dial-in/PPP connections and it is very similar to what you have in your posting. It sends dial/PPP requests to a RADIUS server for authentication and sends administrative users (console and vty) to a TACACS server for authentication. The two authentication functions (RADIUS and TACACS) operate independently and do not have any effect on each other.
HTH
Rick
11-15-2006 12:19 PM
The radius authentication/authorization for the dial-in router looks fine.
As for the second config, it is also correct as well if you do not define anything on the interface. The 'default' keyword will kick-in the authentication/authorization for you.
Except here you're using TACACS+ instead of common RADIUS protocol to authenticate the passing-through access. Also, maybe you need to consider adding the optional "if-authenticated" keyword as well. This allows the already authenticated user to just login without being asked (if suddenly being kicked out or session hang) for his/her username/pwd again.
Rick was also right pointing it out.
Pls rate all post(s).
HTH
AK
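The two independent paths Rick and AK describe, written out as one configuration (an added example, not from either reply): PPP on the dial-in interface uses a named list that goes to RADIUS, while administrative logins use the TACACS+ 'default' lists with the optional if-authenticated keyword AK mentions. Server addresses, keys and the interface name are placeholders.

```ios
! Added example, not from the original thread. Addresses, keys and the
! interface name are placeholders.
aaa new-model
!
! --- Dial-in users: PPP authenticated, authorized and accounted via RADIUS ---
aaa authentication ppp PPPUSERS group radius
aaa authorization network PPPUSERS group radius
aaa accounting network PPPUSERS start-stop group radius
!
! --- Administrators (console, vty): 'default' lists via TACACS+ ---
! These 'default' lists exist only for the login, enable, exec and
! command-authorization list types; the PPP session on the interface
! below uses its own named list and never consults them.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
!
radius-server host 192.0.2.20 key <radius-secret-placeholder>
tacacs-server host 192.0.2.10
tacacs-server key <tacacs-secret-placeholder>
!
! The named PPP list is applied on the dial-in interface (placeholder name)
interface Dialer1
 ppp authentication chap callin PPPUSERS
 ppp authorization PPPUSERS
 ppp accounting PPPUSERS
```

Because the list types differ (ppp/network versus login/exec/commands), changing the administrative 'default' lists cannot alter which server the PPP peers are checked against; the only shared element is 'aaa new-model' itself.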
11-15-2006 12:33 PM
Thanks AK and Rick! This is really big help for me. I have been struggling on this for a while.
Another question is when I use the following commands
1) aaa authentication banner rrr
2) aaa authentication username-prompt rrr
3) aaa authentication password-prompt rrr
The first one never seems to work.
The second and third only work when the TACACS+ server does not work; that is, these two only take effect when the backup authentication is used.
thx
11-15-2006 01:07 PM
It should work, because this message/banner prompt appears every time you try to log in (console/vty). I have it configured on my router.
If you have a banner motd, it will be displayed as well (see below). So I have to remove it to get only the AAA banner and prompt displayed:
************************************************************
*** Username: cisco, Password: cisco (priv 15f - local) ****
************************************************************
Unauthorized use is prohibited.
Enter your name here: user1
Enter your password now:
Router#
The config more or less looks like:
aaa new-model
aaa authentication banner ^CUnauthorized use is prohibited.^C
aaa authentication password-prompt "Enter your password now:"
aaa authentication username-prompt "Enter your name here:"
aaa authentication login default group radius
aaa authentication login CONSOLE local
HTH
AK