aaa authentication enable
Configures the AAA authentication method for securing access to the Privileged EXEC and global configuration levels of the CLI.
Syntax
Command Default
The AAA authentication method list is not configured.
By default, the device prompts for a username and password.
Parameters
- default: Configures the default authentication method list.
- method-list: Configures the following authentication methods.
  - enable: Authenticate using the password you configured for the Super User privilege level. This password is configured using the enable super-user-password command.
  - line: Authenticate using the password you configured for Telnet access. The Telnet password is configured using the enable telnet password command.
  - local: Authenticate using a local username and password you configured on the device. Local usernames and passwords are configured using the username command.
  - none: Does not use any authentication method. The device automatically permits access.
  - radius: Authenticate using the database on a RADIUS server. You also must identify the server to the device using the radius-server command.
  - tacacs: Authenticate using the database on a TACACS server. You also must identify the server to the device using the tacacs-server command.
  - tacacs+: Authenticate using the database on a TACACS+ server. You also must identify the server to the device using the tacacs-server command.
- implicit-user: Configures the device to prompt only for a password when a user attempts to gain Super User access to the Privileged EXEC and global configuration levels of the CLI.
Modes
Global configuration mode
Usage Guidelines
You can specify a primary authentication method and up to six backup authentication methods. If the configured primary authentication fails due to an error, the device tries the backup authentication methods in the order they appear in the list.
If enable authentication is configured on the device, when a user attempts to gain Super User access to the Privileged EXEC and global configuration levels of the CLI, by default the device prompts for a username and password. You can configure the device to prompt only for a password. The device uses the username entered at login, if one is available. If no username was entered at login, the device prompts for both username and password.
The no form of the command removes the authentication method.
Examples
The following example shows how to configure TACACS/TACACS+ as the primary authentication method for securing access to the Privileged EXEC and global configuration levels of the CLI. If TACACS/TACACS+ authentication fails due to an error with the server, local authentication is used instead. If local authentication fails, no authentication is used; the device automatically permits access.
device(config)# aaa authentication enable default tacacs local none
The following example shows how to configure RADIUS as the primary authentication method and other backup authentication methods.
device(config)# aaa authentication enable default radius tacacs tacacs+ enable local line none
The following example shows how to configure the device to prompt only for a password when a user attempts to gain Super User access to the Privileged EXEC and global configuration levels of the CLI.
device(config)# aaa authentication enable implicit-user
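The following Python audit is an added example, not part of the original command reference. It checks a saved configuration against the rules stated above: the documented method keywords, the limit of one primary plus six backup methods, a none entry in the list, and a remote method listed without its radius-server or tacacs-server command. It assumes the configuration text holds the commands as they are entered; the function name, the sample configuration, and the host arguments in the sample are constructed for illustration.

```python
KNOWN = {"enable", "line", "local", "none", "radius", "tacacs", "tacacs+"}
# Remote methods and the command that must identify their server.
NEEDS_SERVER = {"radius": "radius-server", "tacacs": "tacacs-server",
                "tacacs+": "tacacs-server"}
MAX_METHODS = 7  # one primary plus up to six backups
PREFIX = "aaa authentication enable "


def audit_enable_auth(config_text):
    """Return a list of findings for 'aaa authentication enable' lines."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    findings, list_seen = [], False
    for ln in lines:
        if not ln.startswith(PREFIX):
            continue
        args = ln[len(PREFIX):].split()
        if args == ["implicit-user"]:
            continue  # changes the prompt only, it is not a method list
        if not args or args[0] != "default":
            findings.append(f"unrecognized form: {ln}")
            continue
        list_seen = True
        methods = args[1:]
        if len(methods) > MAX_METHODS:
            findings.append(f"{len(methods)} methods listed, limit is {MAX_METHODS}")
        for m in methods:
            if m not in KNOWN:
                findings.append(f"unknown method: {m}")
            cmd = NEEDS_SERVER.get(m)
            if cmd and not any(l.startswith(cmd + " ") for l in lines):
                findings.append(f"{m} listed but no {cmd} command found")
        if "none" in methods:
            findings.append("list contains none: device permits access unauthenticated")
    if not list_seen:
        findings.append("no 'aaa authentication enable default' list configured")
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
tacacs-server host 192.0.2.10
aaa authentication enable default tacacs+ radius local none
aaa authentication enable implicit-user
"""

if __name__ == "__main__":
    for finding in audit_enable_auth(SAMPLE):
        print(finding)
```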