aaa authentication

Configures the Authentication, Authorization, and Accounting (AAA) login sequence: the order of authentication sources that the device consults when a user logs in.

Syntax

aaa authentication login { default | ldap | local | oauth2 | radius | tacacs+ } [ local | local-auth-fallback ]
no aaa authentication login

Command Default

The default authentication source is the local database.

Parameters

login
Specifies the primary authentication source used for login to the device, optionally followed by a secondary source. The local database is the default. Specify one of the following options.
default
Specifies the default mode (local server). Authenticates the user against the local database only. If the password does not match or the user is not defined, the login fails.
ldap
Specifies the Lightweight Directory Access Protocol (LDAP) servers.
local
Specifies the local device database. As the primary source it is equivalent to default. As the secondary source it is tried whenever the primary source fails, both when none of the configured servers respond and when a server rejects the login.
oauth2
Specifies OAuth2 token validation. The login request carries the OAuth2 token in the password field.
radius
Specifies the RADIUS servers.
tacacs+
Specifies the TACACS+ servers.
local-auth-fallback
Specifies the local device database as the secondary source, tried only when the primary authentication service is unreachable or not available. If a primary server rejects the login, local authentication is not attempted.

Modes

Global configuration mode

Usage Guidelines

This command selects the order of authentication sources to be used for user authentication during the login process. Two sources are supported: primary and secondary. The secondary source of authentication is optional and will be used if the primary source fails or is not available.

The authentication mode can only be set as a whole; individual sources cannot be added to or removed from an existing configuration. For example, to change a configuration from "radius local" to radius only, execute the no aaa authentication login command to reset the configuration to the default mode, and then reconfigure the AAA mode with the desired setting.

In a configuration with primary and secondary sources of authentication, the primary mode cannot be modified alone. For example, you cannot change directly from "radius local" to "tacacs+ local", or from "radius local-auth-fallback" to "tacacs+ local-auth-fallback". First remove the existing configuration with the no form of the command, and then configure the required setting.

With OAuth2 authentication, the login request from the north-bound interface uses the OAuth2 token as the password, and the device authenticates the user based on the validity of that token. Fallback to the local database occurs only when a secondary source of local or local-auth-fallback is configured; with OAuth2 alone, an invalid or unverifiable token ends the login.

If login through the primary source fails, authentication may be attempted again through the secondary source. Which failures fall through depends on the secondary option chosen.

With the "local" option, the local database is consulted both when none of the configured servers respond and when a server rejects the login. With the "local-auth-fallback" option, local authentication is tried only when the primary AAA service (TACACS+, RADIUS, or LDAP) is unreachable or not available; a login that the primary service rejects is not retried against the local database.
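The distinction between the two secondary options is easy to misread, so the following added Python model walks the documented sequence for every combination of primary outcome and secondary option. It is an illustration written for this page, not device firmware: the names PrimaryResult, aaa_login, compare_modes and LOCAL_DB are my own, and the user records are constructed test data.

```python
"""Model of the documented primary/secondary AAA login sequence.

Added illustration of the behaviour described above, not device code.
The names and the local user records below are constructed for the example.
"""
from enum import Enum
from typing import Dict, Optional, Tuple


class PrimaryResult(Enum):
    """Outcome of the primary source (TACACS+, RADIUS, LDAP or OAuth2)."""
    ACCEPT = "accept"            # server authenticated the user
    REJECT = "reject"            # a server answered and denied the login
    UNREACHABLE = "unreachable"  # none of the configured servers responded


# Constructed local device database: username -> password.
LOCAL_DB: Dict[str, str] = {
    "admin": "local-pw",
    "netops": "ops-pw",
}


def local_login(user: str, password: str) -> bool:
    """Local database check: an unknown user or a wrong password both fail."""
    return LOCAL_DB.get(user) == password


def aaa_login(primary: PrimaryResult, secondary: Optional[str],
              user: str, password: str) -> Tuple[bool, str]:
    """Apply 'aaa authentication login <primary> [local | local-auth-fallback]'.

    Returns (success, source), where source names the database that decided
    the login so the caller can see which path was taken.
    """
    if primary is PrimaryResult.ACCEPT:
        return True, "primary"
    if secondary is None:
        # No secondary source: a rejected or unreachable primary ends the login.
        return False, "primary"
    if secondary == "local":
        # 'local' is consulted on both rejection and unreachability.
        return local_login(user, password), "local"
    if secondary == "local-auth-fallback":
        # 'local-auth-fallback' is consulted only when the primary is unreachable;
        # a rejection by the primary service is final.
        if primary is PrimaryResult.UNREACHABLE:
            return local_login(user, password), "local"
        return False, "primary"
    raise ValueError(f"unknown secondary source: {secondary}")


def compare_modes(user: str, password: str) -> Dict[str, Dict[str, bool]]:
    """Tabulate login success per secondary option for each failing primary outcome."""
    table: Dict[str, Dict[str, bool]] = {}
    for secondary in (None, "local", "local-auth-fallback"):
        row = {}
        for outcome in (PrimaryResult.REJECT, PrimaryResult.UNREACHABLE):
            ok, _ = aaa_login(outcome, secondary, user, password)
            row[outcome.value] = ok
        table[secondary or "none"] = row
    return table


if __name__ == "__main__":
    # Scenario: 'admin' was disabled on the central server (REJECT) but a
    # stale local account with a known password still exists.
    for mode, row in compare_modes("admin", "local-pw").items():
        print(f"{mode:20s} reject -> {row['reject']!s:5s} unreachable -> {row['unreachable']}")
```

The table the script prints is the practical reason to prefer local-auth-fallback for break-glass access: with "local", a user whose account has been disabled or whose password was rotated on the central server can still log in with a stale local account, so the local database silently overrides central policy. With "local-auth-fallback", the local database is reachable only when the central service is down, and a rejection stands. In either mode the local accounts remain a credential the device honours, so keep them few, unique per device and rotated.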

Use the no form of the command to restore the authentication mode to local mode.

Examples

This example changes the AAA server to TACACS+ using the local device database as a secondary source of authentication.

device# configure terminal
device(config)# aaa authentication login tacacs+ local 
Broadcast message from root (pts/0) Tue Apr  5 16:34:12 2011... 

This example changes the AAA server from TACACS+ and local to TACACS+ only (no secondary source).

device# configure terminal
device(config)# no aaa authentication login tacacs+ local 
device(config)# aaa authentication login tacacs+ 
device(config)# show running-config aaa 
aaa authentication login tacacs+ 

This example configures OAuth2 authentication with local-auth-fallback as the secondary source.

device# configure terminal
device(config)# aaa authentication login oauth2 local-auth-fallback

This example resets the authentication mode to the default (local).

device# configure terminal
device(config)# no aaa authentication login oauth2 local-auth-fallback