
Using AAA default is enough for one server?

enzo80
Beginner

aaa authentication login default group tacacs+ local       Does this line cover the rest below it?
aaa authentication login console group tacacs+ local           Should I delete these?
aaa authentication login ssh group tacacs+ local                Should I delete these?

 

From my understanding, default covers all lines including console and vty, right?

I saw this config online and am wondering why they used the extra two crossed-out ones.

Never saw this one before: aaa authentication login ssh group tacacs+ local

Accepted Solution

Rob Ingram
VIP Expert

@enzo80 In this instance, "console" and "ssh" are custom-defined AAA method lists. They need to be explicitly defined under the VTY lines; if not, they will not be used. The default method list is automatically applied to the VTY line and will be used if no custom-defined method list is applied. A custom-defined method list would override the default method list only if configured on the VTY line.
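The behaviour described in the accepted answer, as an added example that is not part of the original thread: a small Python check that reads an IOS-style configuration and reports which login method list each line ends up using, and which named lists are defined but never applied. The sample config is constructed, `audit_login_lists` is a hypothetical helper name, and the parser assumes line sub-commands are indented as in `show running-config` output; `login authentication <list-name>` is the line command that applies a named list.

```python
import re

# Constructed sample config: the three method lists from the question, with
# only "console" applied to a line. "ssh" is defined but never referenced.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication login ssh group tacacs+ local
!
line con 0
 login authentication console
line vty 0 4
 transport input ssh
"""

def audit_login_lists(config):
    """Return (effective, unused): the login method list each line uses and
    the named lists that are defined but never applied to any line."""
    defined = {}    # list name -> methods, e.g. "ssh" -> "group tacacs+ local"
    effective = {}  # line block -> name of the method list in effect
    current = None
    for raw in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)", raw)
        if m:
            defined[m.group(1)] = m.group(2).strip()
            continue
        if raw.startswith("line "):
            current = raw.strip()
            effective[current] = "default"  # used unless a named list is applied
        elif raw.startswith(" ") and current:
            m = re.match(r"\s+login authentication (\S+)", raw)
            if m:
                effective[current] = m.group(1)  # named list overrides default
        else:
            current = None  # left the line block
    unused = sorted(set(defined) - set(effective.values()) - {"default"})
    return effective, unused

if __name__ == "__main__":
    effective, unused = audit_login_lists(SAMPLE_CONFIG)
    for line, name in effective.items():
        print(f"{line}: login uses method list '{name}'")
    for name in unused:
        print(f"method list '{name}' is defined but not applied to any line")
```

In the sample, `line vty 0 4` carries only `transport input ssh`, so it authenticates with the default list and the `ssh` list is reported as unused.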


balaji.bandi
VIP Community Legend
aaa authentication login default local group tacacs+

Check the document below, which explains it:

https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/200606-aaa-authentication-login-default-local.html

If you are looking for a different method on the console, you make different options.

 

 

BB


enzo80
Beginner

For example, if I added:

aaa authentication login default group tacacs+

aaa authentication login ssh group tacacs+ local

and under line vty 0 4:

transport input ssh

If the user passes the first login line, does Cisco OS read the second auth lines too?

 

 
