AAA

leowchongwei
Level 1

Hi,

Why is it that when I configure "login authentication" and "accounting" on my line interface, I cannot see any of it in my running config?

But on my line con 0, I can see my "login authentication CONSOLE"...

Any reasons?

Thanks

Steven

6 Replies

Hello Steven,

Have you also configured:

aaa new-model

aaa authentication login CONSOLE line

in global configuration mode?

What exactly are you typing in?

Regards,

Georg

Hi Georg,

Here's what I've done:

aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host
tacacs-server key
!
line con 0
 login authentication CONSOLE
 transport input none
line aux 0
line vty 0 5

Like I said, I enter "login authentication default" and "account"... it works but "sh run" doesn't show it...

By the way, the vty authentication for enable mode is using tacacs+, and even my console is using that. How can I configure it to use local if I'm using con0?

Thanks,

Steven

If you use aaa to authenticate enable mode, there is not any way to authenticate differently based on whether you are on the console. It is possible to authenticate differently for user mode, but not for enable mode.

I do not understand the part of your question about authentication and accounting work but do not show up in the show run. Can you be more specific about what is happening?

HTH

Rick


Thanks for the info on the authentication enable mode part. Actually what I'm trying to do is this:

1) Users will have their own telnet username/password/enable password... via tacacs+

2) Console access is using local username/password/enable password (no tacacs+ involved)

How can I achieve both?

For the part on authentication... as you can see from my config, I have an aaa authentication default and CONSOLE login. When I issue "login authentication CONSOLE" on line con 0, I can see it in the running-config. But when I issue "login authentication default" on line vty 0 5, it just doesn't show in the sh run. That's what I meant. I find it strange too.

Rgds,

Steven

I can respond to several parts of your message. Part of what you want can be done and part cannot. As you have configured it, it does work to have different authentication to user mode depending on where you are logging in - use tacacs if logging in from vty and different authentication to user mode if logging in on the console. Also, as you point out, if you are using tacacs you can have a unique (personal) password per user.

What you cannot do is to have tacacs authenticate enable mode for vty and not for console. aaa only recognizes one way to authenticate for enable - you can use tacacs for everything or the router password for everything. But aaa does not provide the ability to differentiate the point of origination to differentiate how to authenticate for enable.

I am not clear why you want to differentiate authentication for enable, but perhaps there is a compromise that will get close to what you need. When you define authentication for enable you can define a primary method and a backup method. Perhaps you could define tacacs as the primary and enable password as the backup. The effect would be that if you were on the console and entered the enable command, the router would first attempt to use tacacs but if there were a problem it would accept the enable password.

As for the command not showing up in running config there is an easy explanation for this. On the vty the command "login authentication default" is the default for vty. Most of the time commands with default values do not show up in running config.

HTH

Rick
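To make Rick's two points concrete (a line with no explicit "login authentication" silently uses the "default" list, which is why it is not shown in "show run", and enable authentication is one global list regardless of line), here is an added Python example that is not from this thread: it parses a constructed running-config (Steven's posted config plus the tacacs+-primary, enable-password-backup enable list Rick suggested) and resolves the effective method lists per line.

```python
import re
# Constructed sample: Steven's posted config plus the "tacacs+ primary, enable
# password backup" enable list Rick suggested. "line vty 0 5" has no explicit
# "login authentication": IOS applies "default" implicitly and omits it from show run.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable
aaa accounting commands 15 default start-stop group tacacs+
!
line con 0
 login authentication CONSOLE
 transport input none
line aux 0
line vty 0 5
"""

def split_methods(tokens):
    """'group tacacs+ local enable' -> ['group tacacs+', 'local', 'enable']."""
    methods, i = [], 0
    while i < len(tokens):
        step = 2 if tokens[i] == "group" and i + 1 < len(tokens) else 1
        methods.append(" ".join(tokens[i:i + step]))
        i += step
    return methods

def parse_config(text):
    """Return (login lists by name, global enable list, line -> explicit list or None)."""
    login_lists, enable_methods, lines, current = {}, [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            current = None                       # back at global config level
        if m := re.match(r"aaa authentication login (\S+) (.+)", line):
            login_lists[m.group(1)] = split_methods(m.group(2).split())
        elif m := re.match(r"aaa authentication enable default (.+)", line):
            enable_methods = split_methods(m.group(1).split())
        elif m := re.match(r"line (con|aux|tty|vty) (.+)", line):
            current = f"{m.group(1)} {m.group(2)}"
            lines[current] = None                # nothing explicit under this line yet
        elif current and (m := re.match(r"login authentication (\S+)", line)):
            lines[current] = m.group(1)
    return login_lists, enable_methods, lines

def report(text):
    """Resolve the effective login and enable method list for every line."""
    login_lists, enable_methods, lines = parse_config(text)
    out = {}
    for name, explicit in lines.items():
        list_name = explicit or "default"        # implicit default, not shown in "show run"
        out[name] = {"explicit": explicit is not None,
                     "login": (list_name, login_lists.get(list_name, [])),
                     "enable": enable_methods}   # one global list: same for every line
    return out
```

Running report(SAMPLE_CONFIG) shows con 0 resolving to CONSOLE (local) while aux 0 and vty 0 5 resolve to the implicit default list, and all three lines sharing the same enable list.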


Thanks guys for your help...