Configures the Authentication, Accounting, and Authorization (AAA) log-in sequence.
The default server is Local.
Global configuration mode
This command selects the order of authentication sources to be used for user authentication during the login process. Two sources are supported: primary and secondary. The secondary source of authentication is optional and will be used if the primary source fails or is not available.
The authentication mode can only be set and cannot be added or deleted. For example, to change a configuration from "radius local" to "radius" only, execute the no aaa authentication login command to reset the configuration to the default mode, and then reconfigure the AAA mode with the desired setting.
In a configuration with primary and secondary sources of authentication, the primary mode cannot be modified alone. For example, you cannot change from "radius local" or "radius local-auth-fallback" to "tacacs+ local" or "tacacs+ local-auth-fallback" respectively. First remove the existing configuration and then configure the required one.
With OAuth2 authentication, the log-in request from the north-bound interface uses the OAuth2 token as a password. The device authenticates the user based on the validity of the OAuth2 token. Only in OAuth2 authentication, the local and local-auth-fallback options allow fallback to the local database if the secondary source of authentication is configured as "local" or "local-auth-fallback".
If login fails through the primary source because none of the configured servers respond or the login is rejected by the server, authentication is done again through the secondary source or local option.
When the "local-auth-fallback" option is specified, local authentication is tried only when the primary AAA authentication service (TACACS+/Radius/LDAP) is either "unreachable" or "not available". Unlike the "local" option, local authentication is not attempted if authentication with the primary service fails.
Use the no form of the command to restore the authentication mode to local mode.
This example changes the AAA server to TACACS+ using the local device database as a secondary source of authentication.
device# configure terminal
device(config)# aaa authentication login tacacs+ local
Broadcast message from root (pts/0) Tue Apr 5 16:34:12 2011...
This example changes the AAA server from TACACS+ and local to TACACS+ only (no secondary source).
device# configure terminal
device(config)# no aaa authentication login tacacs+ local
device(config)# aaa authentication login tacacs+
device(config)# show running-config aaa
aaa authentication login tacacs+
This example configures OAuth2 authentication.
device# configure terminal
device(config)# aaa authentication login oauth2 local-auth-fallback
This example resets authentication mode to the default.
device# configure terminal
device(config)# no aaa authentication login oauth2 local-auth-fallback
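The difference between the "local" and "local-auth-fallback" options described above decides whether a user rejected by the primary server can still log in with a local account. The following is an added example, not part of the original command reference or the vendor's code: a small Python audit of `show running-config aaa` text that models only the behaviour this page describes. The finding names and sample configurations are hypothetical, and "ldap" as a CLI keyword is an assumption.

```python
import re

# Keywords as they appear on this page; "ldap" as a CLI keyword is an assumption.
PRIMARY = {"radius", "tacacs+", "ldap", "oauth2", "local"}
SECONDARY = {"local", "local-auth-fallback"}
LINE = re.compile(
    r"^[ \t]*aaa authentication login[ \t]+(\S+)(?:[ \t]+(\S+))?[ \t]*\r?$", re.M)

def parse_login_mode(config_text):
    """Return (primary, secondary) from running-config text."""
    m = LINE.search(config_text)
    if not m:
        return ("local", None)  # page: the default server is Local
    primary = m.group(1).lower()
    secondary = (m.group(2) or "").lower() or None
    if primary not in PRIMARY or (secondary and secondary not in SECONDARY):
        raise ValueError("unrecognized login mode: " + m.group(0).strip())
    return (primary, secondary)

def local_attempted(mode, primary_outcome):
    """primary_outcome is 'accept', 'reject' or 'unreachable'."""
    primary, secondary = mode
    if primary == "local":
        return True
    if primary_outcome == "accept" or secondary is None:
        return False
    if secondary == "local":
        return True  # tried after a rejection as well as after an outage
    return primary_outcome == "unreachable"  # local-auth-fallback

def audit(config_text):
    """Return hypothetical finding names for the two cases worth reviewing."""
    mode = parse_login_mode(config_text)
    findings = []
    if mode[0] != "local" and local_attempted(mode, "reject"):
        findings.append("reject-falls-through-to-local")
    if not local_attempted(mode, "unreachable"):
        findings.append("no-local-fallback-on-outage")
    return findings

# Constructed sample input, modelled on the examples on this page.
SAMPLES = [
    "aaa authentication login tacacs+ local\n",
    "device(config)# show running-config aaa\naaa authentication login tacacs+\n",
    "aaa authentication login oauth2 local-auth-fallback\n",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(parse_login_mode(text), audit(text))
```

A "reject-falls-through-to-local" finding means the local user database remains a live credential store even when the central server denies the login, so local accounts on that device need the same review as the central ones.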