07-10-2006 02:57 PM - edited 03-10-2019 02:39 PM
aaa authentication login default group tacacs+ local
aaa authentication login TACACS group tacacs+ enable
line vty 0 4
login authentication TACACS
Based on the above configuration, I would assume that if a user telnets in using one of the 5 vty lines, then he/she is authenticated by the "TACACS" method. But if a user consoles in, then he/she is authenticated by the "default" method. Right?
Is there a reason why someone would have both methods "default" and "TACACS" on the router at the same time?
thx
07-10-2006 04:22 PM
Yes, that is correct. Logging in via the console will use the default method list for authentication.
The reason why it would be helpful to have both would be to have different authentication servers/methods to authenticate your users based on what services they're trying to log into. You could have had "aaa authentication login default local" so that users who console in (or use an alternate line) would simply log in with a local username/password rather than going to tacacs+.
If we were to use your configuration that you have listed, the reason why we would have both the "default" and the "TACACS" method lists would be to reference different servers as the fallback method used for each list. In other words, if the tacacs+ server were unreachable for some odd reason, then lines using the default list (in your case, the console line) would fall back and use the local database for authentication. For lines using the TACACS method list (in your case, the 5 vty lines), the fallback method would be to use the enable password.
Sorry if this sounds like rambling. Hope it helps.
Sincerely,
Annie
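As an added example (not part of Annie's reply or the original poster's router), here is the complete IOS configuration that the two method lists in this thread imply, including the local account, enable secret and TACACS+ server that each fallback depends on. The hostname-free layout, the 192.0.2.10 server address and the bracketed secrets are placeholders.

```cisco
! Added example, not the configuration from the thread. Server address and
! secrets are placeholders.
aaa new-model
!
! Local account that the "default" list falls back to when TACACS+ is unreachable.
username admin privilege 15 secret <LOCAL-ADMIN-SECRET>
!
! Enable secret that the "TACACS" list falls back to when TACACS+ is unreachable.
enable secret <ENABLE-SECRET>
!
! TACACS+ server definition (placeholder address and shared key).
tacacs-server host 192.0.2.10 key <TACACS-KEY>
!
! Method lists are tried left to right. IOS moves to the next method only
! when the previous one returns ERROR (server unreachable); a reachable
! server that rejects the credentials (FAIL) ends the attempt, so "local"
! and "enable" are outage fallbacks, not second chances for a bad password.
aaa authentication login default group tacacs+ local
aaa authentication login TACACS group tacacs+ enable
!
! Console: no "login authentication" statement, so the default list applies
! (tacacs+, then the local username database).
line con 0
!
! VTY lines: explicitly bound to the TACACS list (tacacs+, then enable secret).
line vty 0 4
 login authentication TACACS
```

The practical consequence of the vty list in this thread is that whoever holds the enable secret can log in remotely whenever the TACACS+ server is down, so that secret deserves the same protection and rotation as the local admin account; `debug aaa authentication` shows which method list and method each login attempt actually used, which is the quickest way to confirm the console and vty lines are bound as intended.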
07-11-2006 08:04 AM
Annie,
Thank you so much for the clarification.