aaa authentication enable default group tacacs+ enable

cassinhee
Beginner

I am implementing CSACS 4.0. First, on the client, I will apply aaa authentication/authorization under vty. The issue is, if I use the following command

aaa authentication enable default group tacacs+ enable

what will happen if I login via console? Will I be required to enter any username/password?

Below is my configuration

aaa new-model
aaa authentication login authvty group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 authvty group tacacs+ local
tacacs-server host IP
tacacs-server key key
ip tacacs source-interface Vlan 3
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting exec authvty start-stop group tacacs+
aaa accounting commands 15 authvty start-stop group tacacs+
aaa accounting connection authvty start-stop group tacacs+
line vty 0 15
 login authentication authvty
 authorization commands 15 authvty
 accounting connection authvty
 accounting commands 15 authvty
 accounting exec authvty

Any suggestions will be appreciated!

ACCEPTED SOLUTION

It should work because this is a message/banner prompt every time you try to log in (console/vty). I have it configured on my router.

If you have a banner motd, it will be displayed as well (see below). So I have to remove it to get only the aaa banner & prompt displayed:

************************************************************
*** Username: cisco, Password: cisco (priv 15f - local) ****
************************************************************
Unauthorized use is prohibited.
Enter your name here: user1
Enter your password now:
Router#

The config more or less looks like:

aaa new-model
aaa authentication banner ^CUnauthorized use is prohibited.^C
aaa authentication password-prompt "Enter your password now:"
aaa authentication username-prompt "Enter your name here:"
aaa authentication login default group radius
aaa authentication login CONSOLE local

HTH

AK

10 REPLIES

a.kiprawih
Rising star

If you set:

aaa authentication enable default group tacacs+ enable

which carries the 'default' keyword, all access (console, vty) will have to go through TACACS authentication.

If you want to skip it, you need to define a dedicated/separate group name (never use default) and point it to 'local'.

HTH

AK

When I try this command, only 'default' is available.

Another question is, if I use the following commands,

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ local

what exactly will 'default' work on? I know it includes vty, console and aux; how about other interfaces, such as a DSL dial-in interface?

Thanks!

Default will include all, unless you specify a different method list under a different name.

That's why you sometimes need, for example, separate authentication for the console, where physical security is no longer an issue. So, if you're unable to log in via telnet, SSH or HTTPS, console access (with a user given privilege 15 access rights) can provide a last-resort access method.

example:

aaa authentication login CONSOLE local --> authenticate using local user account only

aaa authentication login authvty group tacacs+ local

HTH

AK
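The rule the replies describe (a line uses the named list applied under it with `login authentication <name>`, every other line inherits `default`) is easy to get wrong when a config has grown. The following added example is not Cisco's code or anything from this thread: it is a small Python audit that resolves the effective login method list for each `line` block and flags any line, or the enable list, that has no server-free fallback (local/enable/line/none) and would therefore be unreachable if the TACACS+ server were down. The sample configuration is constructed for the example and modelled on the thread (con 0 has a dedicated list, aux 0 has none and so inherits `default`); the parsing is a simplified reading of IOS syntax, and the assumption that an applied-but-undefined list name falls back to `default` is marked in the code.

```python
"""Resolve which AAA login method list really governs each IOS line.

Added example for this thread, not a Cisco tool. Models the rule from the
replies: a line uses the list named under `login authentication <name>`;
lines without one inherit `default`. Flags lockout risk when no method
works without the AAA server.
"""
import re
from typing import Dict, List, Optional

# Constructed sample config (assumption: modelled on the thread's setup).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login authvty group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-KEY
line con 0
 login authentication CONSOLE
line aux 0
line vty 0 15
 login authentication authvty
"""

# Methods that still succeed when no TACACS+/RADIUS server answers.
SERVER_FREE_METHODS = {"local", "local-case", "enable", "line", "none"}


def _split_methods(tokens: List[str]) -> List[str]:
    """Turn ['group', 'tacacs+', 'local'] into ['group tacacs+', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_method_lists(config: str, kind: str) -> Dict[str, List[str]]:
    """Collect `aaa authentication <kind> <name> <methods...>` entries.

    kind is 'login' or 'enable'. Enable lists only ever carry the name
    'default', which is why the original poster saw no other option.
    """
    pattern = re.compile(rf"^aaa authentication {kind}\s+(\S+)\s+(.+)$")
    lists: Dict[str, List[str]] = {}
    for raw in config.splitlines():
        m = pattern.match(raw.strip())
        if m:
            lists[m.group(1)] = _split_methods(m.group(2).split())
    return lists


def parse_line_bindings(config: str) -> Dict[str, Optional[str]]:
    """Map each `line ...` block to the login list applied under it, or None."""
    bindings: Dict[str, Optional[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            bindings[current] = None
        elif raw.startswith(" ") and current is not None:
            m = re.match(r"^login authentication (\S+)$", raw.strip())
            if m:
                bindings[current] = m.group(1)
        else:
            current = None  # any other top-level command ends the line block
    return bindings


def effective_login_methods(config: str) -> Dict[str, List[str]]:
    """Resolve the method list that actually governs each line.

    Assumption: a name applied under a line but never defined is treated
    as falling back to `default`, which is how IOS warns it will behave.
    """
    lists = parse_method_lists(config, "login")
    resolved: Dict[str, List[str]] = {}
    for line, name in parse_line_bindings(config).items():
        chosen = name if name in lists else "default"
        resolved[line] = lists.get(chosen, [])
    return resolved


def audit(config: str) -> List[str]:
    """Return findings a reviewer would raise about lockout risk."""
    findings: List[str] = []
    for line, methods in effective_login_methods(config).items():
        if not methods:
            findings.append(f"{line}: no login list resolves; verify platform default")
        elif not any(m in SERVER_FREE_METHODS for m in methods):
            findings.append(f"{line}: login uses only {methods}; unreachable if the AAA server is down")
    enable = parse_method_lists(config, "enable").get("default", [])
    if enable and not any(m in SERVER_FREE_METHODS for m in enable):
        findings.append(f"enable: {enable} has no local fallback; privilege 15 is lost when the server is down")
    return findings


if __name__ == "__main__":
    for line, methods in effective_login_methods(SAMPLE_CONFIG).items():
        print(f"line {line:<9} -> {' '.join(methods)}")
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, `con 0` resolves to `local`, `vty 0 15` to `group tacacs+ local`, and `aux 0` silently inherits the `default` list, which here is TACACS+ only; that inherited line is exactly the one the audit flags. Feeding it a real `show running-config` makes the same check before a change window, and the enable check mirrors the thread's point that `aaa authentication enable default` has no per-line override.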