
username and password configuration on cisco switches

baselzind
Level 6

I found a set of username and password commands that involve aaa, as follows:

aaa new-model
aaa authentication login XXXX local
!
aaa session-id common

line vty 0 4
login authentication LOCAL

I know usually the username and password are configured by the command username XXXX password xxxx and "login local" under the vty. So what difference do these aaa commands make?

2 Accepted Solutions


Francesco Molino
VIP Alumni

Hi

When you're using login local, that means ONLY the local database is used to authenticate users. With login authentication, that means you're using AAA and you can combine a radius/tacacs database + local in case of failure.

In your case you are just using the local database, so at the end of the day it is the same, but you can specify another aaa source and configure your vty lines to use local for some lines and aaa for others, OR, as I said before, combine both and then try radius first and local as a second step.

Hope this answered your question.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue




Using login local under the vty is a quite simplistic approach to authenticating users which allows you to use only the local database of user ID and password. Using aaa gives you the ability to use more sophisticated approaches to authentication. As mentioned in the previous post, it allows you to use centralized authentication servers such as Radius or TACACS. And it allows you to specify a primary authentication method and also alternate authentication methods if the primary method does not work. Using aaa also gives you the ability to use authentication and accounting in addition to the authentication processing. In the partial config that you posted, the result is the same as using login local.

HTH

Rick
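
An added example, not part of either reply and not Cisco code: a small Python check that reads a configuration and reports, for each line block with an explicit login statement, which method list it references and the resulting order of methods. The sample configuration and its list names (VTY-AUTH, MGMT) are constructed for illustration; lines with no login statement are not evaluated.

```python
import re

# Constructed sample configuration (not from the thread); list names are made up.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login VTY-AUTH group tacacs+ local
aaa authentication login MGMT local
!
line con 0
 login authentication MGMT
line vty 0 4
 login authentication VTY-AUTH
line vty 5 15
 login authentication LOCAL
"""

def classify(methods):
    if methods is None:  # the referenced list is not defined anywhere
        return "undefined method list"
    if methods == ["local"]:
        return "local only"
    if "local" not in methods:
        return "no local fallback"
    before = methods[:methods.index("local")]
    return "local after " + ", ".join(before) if before else "local first"

def audit_login_methods(config):
    """Map each line block with an explicit login statement to (list, methods, finding)."""
    lists, refs, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"aaa authentication login (\S+)\s+(.+)", line)
        if m:
            # "group tacacs+" is a single method, so keep "group <name>" together.
            lists[m.group(1)] = re.findall(r"group\s+\S+|\S+", m.group(2))
        elif line.startswith("line "):
            current = line
        elif current and line.startswith("login authentication "):
            refs[current] = line.split()[2]
        elif current and line == "login local":
            refs[current] = None  # line-level local login, no method list involved
    report = {}
    for block, name in refs.items():
        methods = ["local"] if name is None else lists.get(name)
        report[block] = (name or "login local", methods, classify(methods))
    return report

if __name__ == "__main__":
    for block, (name, methods, finding) in audit_login_methods(SAMPLE_CONFIG).items():
        print(f"{block}: list={name} methods={methods} -> {finding}")
```

Run against the configuration as posted in the question, it reports line vty 0 4 as referencing an undefined list, because the list is defined under the placeholder name XXXX while the vty references LOCAL; the two names have to match for the result to be the same as login local.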
