
How to define Login Local for Console 0?


Hi friends,
I configured the commands below to set up AAA authentication with Microsoft Active Directory 2008 (Cisco devices integrated with Microsoft AD for telnet and SSH, and both can log in to the console by AD and local username).
But when I unplugged the Cisco devices (routers and switches) from the network,
I can't log in to the console.
It's better to say I don't know how to log in to the console line whenever I am not connected to AD for authentication.

aaa new-model
aaa group server radius ABCD
server-private auth-port 1645 acct-port 1646 key KEYPASS (where is AD ip and KEYPASS is my shared key)

aaa authentication login default group ABCD
aaa authorization exec default group ABCD

line vty 0 4
login authentication default
transport input telnet ssh

line console 0
i only type it----> login authentication default

So whenever I am not connected to my AD or the network and have physical access to the switches or routers,
I want to connect to the console port and log in to the console without looking up Active Directory users.

So could you please help me: which command should I type to do that?

thanks a lot




For console you need to create a separate authentication profile or modify existing one.

aaa authentication login default group ABCD local 


aaa authentication login console local

line con 0

login authentication console

Thanks & Best regards

Lots of thanks, dear.

Sorry, I have only 2 other questions, please answer me.

1- If I create a separate authentication as you said above, can I connect to the console both when the network cable is plugged in and whenever I have physical access to it without any network (I mean the switch is not connected to the network or my Active Directory for authentication)?

2- What is the meaning of %backup authentication, and how should I solve it?

Whenever I telnet to this switch (that I explained to you) from anywhere by Windows CMD,

I face this error: %backup Authentication

Unfortunately I have multiple line vty.

I did the task below for all of them:

e.g :line vty 0 3

no login

no transport input


line vty 4

no login

no tran input


and just type:

line vty 0 4 AND line vty 5 15

login authentication default

transport input telnet 

But again I have that problem.

What should I do?

really thanks <3



Please find below the answers to your queries:


  1. If you create a separate profile for console like I mentioned in email, then in all cases, whether your switch is on the network or out of the network, console access always uses the local password.

aaa authentication login console local

line con 0

 login authentication console


  2. You should always use a backup authentication server; in case of failure of AD/TACACS the user will be authenticated by the backup authentication server (whether it is local, enable, etc.).

For e.g: aaa authentication login default group ABCD local

Where ABCD is your AD Server (Primary Authentication Server)

While local is your Backup Authentication Server.


This is due to you using the default profile, which is automatically applied on the switch lines (vty/con/aux ports).


It's always recommended to use a separate profile (console authentication to local and AD/TACACS authentication for telnet/SSH) instead of using the default profile.

Normally companies use Telnet/SSH for switch management and any configuration change. The console will only be used for some troubleshooting (i.e. hardware failure, the switch is out of network authentication, or you can't manage the switch remotely, etc.) if you put authentication as follows:

AD/TACACS only - then you can't access the switch.

Primary AD/TACACS and secondary local - the switch first tries to authenticate against AD/TACACS, and in case of failure it will authenticate locally.

And if you are also using authorization at the same time, then each of the user's commands needs to be authorized from AD/TACACS and then local, and as a result in case of failure you feel slowness and it takes a lot of time.


Thanks & Best regards;


lots of thanks engineer really best info for me and surely for other

best regard

thanks a lot

paul driver


If you are using the default aaa group for authentication/authorization then, as stated, this will apply to your console login also.

However, this can be negated entirely if need be EVEN when your AD is available, and changed to either having no access creds, or using the local user database, or even a special keyboard character (IOS version applicable).

No access creds required even when AD server available
aaa authentication login NOAUTH none
aaa authorization exec NOAUTH none
aaa authorization console

line console 0
privilege level 15
login authentication NOAUTH 
authorization exec NOAUTH

Local access creds required even when AD server available
aaa authentication login L_AUTH local
aaa authorization exec L_AUTH local if-authenticated
aaa authorization console

username stan privilege 15 secret stan
line console 0
login authentication L_AUTH
authorization exec L_AUTH

Local access via a keyboard character "@"

aaa authentication login NOAUTH none
aaa authorization exec NOAUTH none
aaa authorization console

line console 0
privilege level 15
authorization exec NOAUTH
login authentication NOAUTH
activation-character 64


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
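
An offline check for the failure mode discussed in this thread, added here as an example and not part of any poster's reply: it reads an IOS configuration, works out which login method list each line uses, and flags lists that rely on the RADIUS group with no fallback or that accept `none`. The two sample configs are constructed from the commands quoted above (the server line is left out); `audit_login_lists` and the finding texts are hypothetical names.

```python
import re

# Constructed from the commands in the question (server line left out).
BEFORE = """\
aaa new-model
aaa authentication login default group ABCD
line vty 0 4
 login authentication default
line console 0
 login authentication default
"""
# Constructed from the first reply's suggestion.
AFTER = """\
aaa new-model
aaa authentication login default group ABCD local
aaa authentication login console local
line vty 0 4
 login authentication default
line con 0
 login authentication console
"""
FALLBACKS = {"local", "local-case", "enable", "line", "none"}

def audit_login_lists(config):
    """Map each line block to findings about its login method list."""
    lists, bound, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if m := re.match(r"aaa authentication login (\S+) (.+)", text):
            lists[m.group(1)] = m.group(2).split()
        elif re.match(r"line (con|vty|aux)", text):
            current = text
            bound[current] = "default"  # lines use 'default' unless overridden
        elif current and (m := re.match(r"login authentication (\S+)", text)):
            bound[current] = m.group(1)
    report = {}
    for line, name in bound.items():
        methods, findings = lists.get(name), []
        if methods is None:
            findings.append(f"list '{name}' is not defined")
        else:
            if "none" in methods:
                findings.append(f"list '{name}' needs no credentials")
            if "group" in methods and not FALLBACKS & set(methods):
                findings.append(f"list '{name}' has no fallback method")
        report[line] = findings
    return report

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_login_lists(cfg))
```

IOS moves to the next method in a list only when the previous one returns an error or does not respond, not when it rejects the credentials, so a `local` fallback covers an unreachable server but does not bypass AD while it is reachable.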