aaa-login

Configures user authentication modes associated with this management policy. Use this command to define how user credential validation is conducted on behalf of the Management Access policy. Setting up an authentication scheme by policy allows for policy member credential validation collectively, as opposed to authenticating users individually.

Supported in the following platforms:

Syntax

aaa-login [local|radius|tacacs]
aaa-login local
aaa-login radius [external|fallback|fallthrough|policy <AAA-POLICY-NAME>]
aaa-login tacacs [accounting|authentication|authorization {fallback}|fallback|
fallthrough|policy <AAA-TACACS-POLICY-NAME>]

Parameters

aaa-login local
local Sets local as the preferred authentication mode. Local authentication uses the local username/password database to authenticate a user.
Note: By default the local authentication mode is enabled.
aaa-login radius [external|fallback|fallthrough|policy <AAA-POLICY-NAME>]
radius Enables external RADIUS server authentication as the primary authentication mode. If enabling external RADIUS server authentication, configure one of the following options: external, fallback, or fallthrough.
external Enables external RADIUS server as the primary authentication mode. When configured, client authentication requests are forwarded to an external RADIUS server. However, this option does not provide fallback to local database authentication in case the server is unreachable or if the server rejects the authentication request.
fallback Configure this option to revert to local database authentication in case the external RADIUS server is unreachable.

When this option is enabled, RADIUS authentication is attempted first. However, if the external RADIUS server is unreachable the local database is used to authenticate the user.

fallthrough Configure this option to revert to local database authentication in the following scenarios:
  • If the external RADIUS server is unreachable.
  • If the external RADIUS server rejects the user authentication request.

When this option is enabled, RADIUS authentication is attempted first. However, if the external RADIUS server is unreachable or rejects the authentication request the local database is used to authenticate the user.

policy <AAA-POLICY-NAME> Associates a AAA policy with this management policy.

If enabling external RADIUS server authentication, associate a AAA policy. Controllers, service platforms and access points not using their local RADIUS resource will need to inter-operate with a RADIUS and LDAP Server (AAA Servers) to provide a user database containing user authentication data. The AAA policy points to this external RADIUS server resource.

  • <AAA-POLICY-NAME> – Specify the AAA policy name (should be existing and configured).
Note: For more information on configuring AAA policy, see AAA Policy.
aaa-login tacacs [accounting|authentication|authorization|fallback|fallthrough|
policy <AAA-TACACS-POLICY-NAME>]
tacacs Enables external Terminal Access Control Access-Control System (TACACS) server authentication. If enabling external TACACS server authentication, configure the following parameters: accounting, authentication, authorization, fallback, or fallthrough.
accounting Configure to enable TACACS accounting on login.
authentication Configure to enable TACACS authentication on login.
authorization {fallback} Configure to enable TACACS authorization on login.
  • fallback - Optional. Configure this option to enable fallback on TACACS authorization failure. This option is only available with TACACS Authorization.
fallback Select this option to revert to local database authentication in case the external TACACS server is unreachable.

When this option is enabled, TACACS authentication is attempted first. However, if the external TACACS server is unreachable the local database is used to authenticate the user.

fallthrough Select this option to revert to local database authentication in the following scenarios:
  • If the external TACACS server is unreachable.
  • If the external TACACS server rejects the user authentication request.

When this option is enabled, TACACS authentication is attempted first. However, if the external TACACS server is unreachable or rejects the authentication request the local database is used to authenticate the user.

policy <AAA-TACACS-POLICY- NAME> Associates a AAA TACACS policy with this management policy.

If enabling external TACACS server authentication, associate a AAA TACACS policy. The AAA TACACS policy points to the external TACACS server resource.

  • <AAA-TACACS-POLICY-NAME> – Specify the TACACS policy name (should be existing and configured).
Note: For more information on configuring AAA TACACS policy, see AAA-TACACS Policy.

Usage Guidelines

Use AAA login to determine whether management user authentication must be performed against a local user database or an external RADIUS server.

Examples

nx9500-6C8809(config-management-policy-test)#aaa-login radius policy test
nx9500-6C8809(config-management-policy-test)#show context
management-policy test
 http server
 no ssh
 aaa-login radius policy test
nx9500-6C8809(config-management-policy-test)#

Related Commands

no Removes the TACACS server policy settings