aaa authentication

Configures the AAA login sequence.

Syntax

aaa authentication login { default | ldap | local }
aaa authentication login { radius | tacacs+ } { local | local-auth-fallback }
no aaa authentication login

Command Default

The default server is Local.

Parameters

login
Specifies the type of server that will be used for authentication, authorization, and accounting (AAA) on the device. The local server is the default. Specify one of the following options:
default
Specifies the default mode (local server). Authenticates the user against the local database only. If the password does not match or the user is not defined, the login fails.
ldap
Specifies the Lightweight Directory Access Protocol (LDAP) servers.
local
Specifies to use the local device database if prior authentication methods are inactive.
radius
Specifies the RADIUS servers.
tacacs+
Specifies the TACACS+ servers.
local
Specifies to use the local device database if prior authentication methods are inactive.
local-auth-fallback
Specifies to use the local device database if prior authentication methods are not active or if authentication fails.

Modes

Global configuration mode

Usage Guidelines

This command selects the order of authentication sources to be used for user authentication during the login process. Two sources are supported: primary and secondary. The secondary source of authentication is optional and will be used if the primary source fails or is not available.

The authentication mode can only be set and cannot be added or deleted. For example, to change a configuration from "radius local" to radius only, execute the no aaa authentication login command to reset the configuration to the default mode, and then reconfigure the AAA mode with the desired setting.

In a configuration with primary and secondary sources of authentication, the primary mode cannot be modified alone. For example, you cannot change from "radius local" or "radius local-auth-fallback" to "tacacs+ local" or "tacacs+ local-auth-fallback", respectively. First remove the existing configuration, and then configure the required one.

Examples

To change the AAA server to TACACS+ using the local device database as a secondary source of authentication:

device(config)# aaa authentication login tacacs+ local 
Broadcast message from root (pts/0) Tue Apr  5 16:34:12 2011... 

To change the AAA server from TACACS+ and local to TACACS+ only (no secondary source):

device(config)# no aaa authentication login tacacs+ local 
device(config)# aaa authentication login tacacs+ 
device(config)# do show running-config aaa 
aaa authentication login tacacs+
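
The following is an added example, not part of the original command reference or the vendor's code. It models, in Python, which sources are consulted under the local and local-auth-fallback options as the Parameters section defines them, and reads the mode from "show running-config aaa" text. The function names, the outcome labels (accept, reject, unreachable), the review notes, and the sample text are assumptions made for illustration.

```python
# Added example: a model of the login sequence described on this page.
# Function names and outcome labels are assumptions, not device behaviour traces.
PRIMARY_ONLY = {"default", "ldap", "local"}
REMOTE = {"radius", "tacacs+"}
SECONDARY = {"local", "local-auth-fallback"}
PREFIX = "aaa authentication login"

def parse_mode(running_config):
    """Return (primary, secondary) from 'show running-config aaa' text."""
    for line in running_config.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX + " "):
            continue
        args = line[len(PREFIX):].split()
        if len(args) == 1 and args[0] in PRIMARY_ONLY | REMOTE:
            return ("local" if args[0] == "default" else args[0]), None
        if len(args) == 2 and args[0] in REMOTE and args[1] in SECONDARY:
            return args[0], args[1]
        raise ValueError(f"not a valid login sequence: {line!r}")
    return "local", None  # command default: local server

def sources_tried(mode, primary_outcome):
    """Sources consulted, in order, for one login attempt.
    primary_outcome is 'accept', 'reject' or 'unreachable'."""
    primary, secondary = mode
    tried = [primary]
    if primary == "local" or primary_outcome == "accept":
        return tried
    if primary_outcome == "unreachable" and secondary in SECONDARY:
        tried.append("local")  # both options cover an inactive primary
    elif primary_outcome == "reject" and secondary == "local-auth-fallback":
        tried.append("local")  # only local-auth-fallback covers a failed login
    return tried

def review(mode):
    """Defender-side notes that follow from the model above."""
    primary, secondary = mode
    notes = []
    if primary != "local" and secondary is None:
        notes.append("no secondary source: no login path if the server is unreachable")
    if secondary == "local-auth-fallback":
        notes.append("local database is consulted even after the server rejects a login")
    return notes

# Constructed sample text, not captured from a device.
SAMPLE = "aaa authentication login tacacs+ local-auth-fallback\n"
if __name__ == "__main__":
    mode = parse_mode(SAMPLE)
    for outcome in ("accept", "reject", "unreachable"):
        print(outcome, "->", sources_tried(mode, outcome))
    print(review(mode))
```

With local-auth-fallback, an account that the RADIUS or TACACS+ server rejects is still checked against the local database, so local accounts need the same lifecycle controls as the server-side ones.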