Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1413
Views
15
Helpful
4
Replies

Using AAA default is enough for one server?

Go to solution
enzo80
Level 1
Level 1

‎12-03-2021 06:02 AM

aaa authentication login default group tacacs+ local       does this line cover the rest below it?
aaa authentication login console group tacacs+ local           should i delete these?
aaa authentication login ssh group tacacs+ local                should i delete these?

 

from my understanding default covers all lines including console and vty right?

 

i saw this config online and wondering why they used the extra two crossed ones

 

never saw this one before: aaa authentication login ssh group tacacs+ local 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎12-04-2021 06:20 AM

@enzo80 in this instance "console" and "ssh" are custom defined aaa method lists, they need to be explicitly defined under the VTY lines, if not, they will not be used. The default method list is automatically applied to the VTY line and will be used if no custom defined method list is applied. A custom defined would override the default method list only if configured on the VTY line.

View solution in original post

4 Replies 4

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎12-03-2021 06:09 AM - edited ‎12-03-2021 06:12 AM 

aaa authentication login default local group tacacs+

check below document explained :

 

https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/200606-aaa-authentication-login-default-local.html

 

If you looking different method on console - you make different options.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
enzo80
Level 1
Level 1

‎12-04-2021 03:49 AM

for example if i added:

 aaa authentication login default group tacacs+

aaa authentication login ssh group tacacs+ local 

 

and under line vty 0 4:

transport input ssh

 

if the user pass the first login line, does cisco OS read the second auth lines too?

 

 

Go to solution
MHM Cisco World
VIP
VIP
In response to enzo80

‎12-04-2021 03:57 AM - edited ‎12-04-2021 07:52 AM

...

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎12-04-2021 06:20 AM

@enzo80 in this instance "console" and "ssh" are custom defined aaa method lists, they need to be explicitly defined under the VTY lines, if not, they will not be used. The default method list is automatically applied to the VTY line and will be used if no custom defined method list is applied. A custom defined would override the default method list only if configured on the VTY line.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents