Introduction
This document describes the behavior of the "login local" command when Authentication, Authorization, and Accounting (AAA) is enabled or disabled on a router.
Prerequisites
Requirements
Cisco recommends that you have basic knowledge of these topics:
- AAA configuration on Cisco routers
- RADIUS/TACACS+
Components Used
The information in this document is based on testing carried out on various Cisco IOS versions, including 12.2(22), 12.4T, 15.1M, and 15.3M. However, this document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Configure
This is the minimum configuration required to verify this behavior:
- At least one Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System Plus (TACACS+) server is reachable from the router under test.
- The router under test is configured as a client on the AAA server.
- The same pre-shared secret key is configured on the Cisco router/switch and on the remote AAA servers.
- A global pool of RADIUS servers, or a named subset (server group) of RADIUS or TACACS+ servers, is configured on the router under test.
- A local user database (username entries) is configured on the router under test.
Verify
When 'login local' is configured under 'line vty x', users can log in with a username and password from the local database configured on the router. When 'aaa new-model' is enabled, the 'login local' command is removed from 'line vty x' and nothing replaces it in the running configuration, because the login method is now controlled by AAA (the default AAA login method list, unless a named list is applied to the line).
If the configuration is then saved and AAA is removed with 'no aaa new-model', the login method falls back to line authentication. With line authentication the router checks only the password configured under the line itself and ignores the global username/password database. The 'login local' command that was configured before AAA was enabled is not restored; instead, 'line vty x' now shows 'login'. If no line password is configured, remote logins to that line are refused (Password required, but none set) until a line password is set or 'login local' is reconfigured.
Note: Disabling AAA with "no aaa new-model" is not recommended. If you do disable it, reapply 'login local' (or configure a line password) under the vty lines and verify access from a second session before you close the session you are working in.
These steps show this behavior in detail:
'login local' configured on the router:
Router#show run | begin line vty
line vty 0 4
login local
Enable AAA on the router:
Router(config)#aaa new-model
Router#show run | begin line vty
line vty 0 4
Save the configuration
Router#wr
Building configuration...
[OK]
Disable AAA
Router#conf t
Router(config)#no aaa new-model
Changing configuration back to no aaa new-model is not supported.
Continue?[confirm]
Check the login method:
Router#show run | begin line vty
line vty 0 4
login
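The three states walked through above (and described in the Verify section) can be checked mechanically against a saved configuration. The following Python script is an added example, not part of this Cisco document: it parses a running-config dump, reports the effective login method for a vty line, and flags the failure mode that follows 'no aaa new-model' (plain 'login' with no line password). The config excerpts, the hostname and the username secret in it are constructed placeholders, not output from a real router.

```python
"""Audit the effective vty login method in a Cisco IOS running-config.

Added example, not code from the Cisco document: it models the behaviour the
document describes, so a saved config can be checked for vty lines that fell
back from 'login local' to plain 'login' after 'no aaa new-model'.
The config excerpts and the username secret below are constructed placeholders.
"""
import re

CONFIG_LOGIN_LOCAL = """\
hostname Router
username admin secret 5 $1$salt$constructedPlaceholderHash
!
line vty 0 4
 login local
 transport input ssh
"""

CONFIG_AAA_ENABLED = """\
hostname Router
aaa new-model
username admin secret 5 $1$salt$constructedPlaceholderHash
!
line vty 0 4
 transport input ssh
"""

CONFIG_AAA_REMOVED = """\
hostname Router
username admin secret 5 $1$salt$constructedPlaceholderHash
!
line vty 0 4
 login
 transport input ssh
"""

LINE_RE = re.compile(r"^line (vty \d+(?: \d+)?)$")


def parse_line_blocks(config):
    """Map each 'line vty ...' block to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        m = LINE_RE.match(raw.strip())
        current = m.group(1) if m else None
        if current is not None:
            blocks[current] = []
    return blocks


def aaa_login_methods(config, list_name="default"):
    """Methods of an AAA login list; [] if the list is not defined;
    None when 'aaa new-model' is absent, i.e. AAA is off."""
    if not re.search(r"^aaa new-model$", config, re.M):
        return None
    m = re.search(r"^aaa authentication login %s (.+)$" % re.escape(list_name),
                  config, re.M)
    return m.group(1).split() if m else []


def effective_login(config, line="vty 0 4"):
    """Classify how a user on `line` is authenticated:
    ("aaa", methods) / ("local", None) / ("line-password", password_is_set)
    / ("none", None) for a line with no login command at all."""
    cmds = parse_line_blocks(config).get(line, [])
    methods = aaa_login_methods(config)
    if methods is not None:
        for c in cmds:  # 'login authentication NAME' selects a named list
            if c.startswith("login authentication "):
                methods = aaa_login_methods(config, c.split()[2])
        return ("aaa", methods)
    if "login local" in cmds:
        return ("local", None)
    if "login" in cmds:
        return ("line-password", any(c.startswith("password ") for c in cmds))
    return ("none", None)


def audit(config, line="vty 0 4"):
    """Findings to raise for `line`; empty when local or AAA login is in force."""
    kind, detail = effective_login(config, line)
    if kind == "line-password" and not detail:
        return ["%s: 'login' without a line password - remote logins are refused "
                "(Password required, but none set); reapply 'login local'" % line]
    if kind == "line-password":
        return ["%s: 'login' checks only the shared line password" % line]
    if kind == "none":
        return ["%s: no 'login' command - no authentication on this line" % line]
    return []


if __name__ == "__main__":
    for cfg in (CONFIG_LOGIN_LOCAL, CONFIG_AAA_ENABLED, CONFIG_AAA_REMOVED):
        print(effective_login(cfg), audit(cfg))
```

To use it on a real device, save the output of 'show running-config' to a file and pass its contents to audit(). The "aaa" result only reports which AAA login list applies to the line and the methods it names; what those methods resolve to is ordinary AAA configuration, outside the scope of this note.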
Conclusion
When you remove "aaa new-model", the line reverts to "login" (line-password authentication), not to "login local". This behavior is seen on all Cisco IOS versions.