Using AAA default is enough for one server?

enzo80
Level 1

aaa authentication login default group tacacs+ local       Does this line cover the rest below it?
aaa authentication login console group tacacs+ local       Should I delete these?
aaa authentication login ssh group tacacs+ local           Should I delete these?

From my understanding, default covers all lines including console and vty, right?

I saw this config online and am wondering why they used the extra two crossed ones.

Never saw this one before: aaa authentication login ssh group tacacs+ local

Accepted Solutions

@enzo80 In this instance, "console" and "ssh" are custom defined aaa method lists. They need to be explicitly defined under the VTY lines; if not, they will not be used. The default method list is automatically applied to the VTY line and will be used if no custom defined method list is applied. A custom defined method list would override the default method list only if configured on the VTY line.

4 Replies

balaji.bandi
Hall of Fame
aaa authentication login default local group tacacs+

Check the document below, which explains this:

https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/200606-aaa-authentication-login-default-local.html

If you are looking for a different method on the console, you make different options.


BB


enzo80
Level 1

For example, if I added:

aaa authentication login default group tacacs+
aaa authentication login ssh group tacacs+ local

and under line vty 0 4:

transport input ssh

If the user passes the first login line, does Cisco OS read the second auth lines too?
