aaa authentication login
Configures the AAA authentication method for securing Telnet or SSH access to the CLI.
Syntax
Command Default
The AAA authentication method list is not configured.
By default, a user enters the User EXEC mode after a successful login through Telnet or SSH.
Parameters
- default
  Configures the default authentication method list.
- method-list
  Configures the following authentication methods.
  - enable
    Authenticate using the password you configured for the Super User privilege level. This password is configured using the enable super-user-password command.
  - line
    Authenticate using the password you configured for Telnet access. The Telnet password is configured using the enable telnet password command.
  - local
    Authenticate using a local username and password you configured on the device. Local usernames and passwords are configured using the username command.
  - none
    Does not use any authentication method. The device automatically permits access.
  - radius
    Authenticate using the database on a RADIUS server. You also must identify the server to the device using the radius-server command.
  - tacacs
    Authenticate using the database on a TACACS server. You also must identify the server to the device using the tacacs-server command.
  - tacacs+
    Authenticate using the database on a TACACS+ server. You also must identify the server to the device using the tacacs-server command.
- privilege-mode
  Configures the device to enter the privileged EXEC mode after a successful login through Telnet or SSH.
Modes
Global configuration mode
Usage Guidelines
You can specify a primary authentication method and up to six backup authentication methods. If the configured primary authentication fails due to an error, the device tries the backup authentication methods in the order they appear in the list.
By default, a user enters User EXEC mode after a successful login through Telnet or SSH. Optionally, you can configure the device so that a user enters Privileged EXEC mode after a Telnet or SSH login. The user privilege level is based on the privilege level granted during login.
The no form of the command removes the authentication method.
Examples
The following example shows how to configure RADIUS as the primary authentication method for securing Telnet access to the CLI. If RADIUS authentication fails due to an error with the server, local authentication is used instead.
device(config)# aaa authentication login default radius local
The following example shows how to configure RADIUS as the primary authentication method and other backup authentication methods.
device(config)# aaa authentication login default radius tacacs tacacs+ enable local line none
The following example shows how to configure the device so that a user enters Privileged EXEC mode after a Telnet or SSH login.
device(config)# aaa authentication login privilege-mode
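The following is an added example, not part of the vendor documentation: a Python check that audits a saved configuration against the rules on this page (the listed method keywords, one primary plus up to six backups, and the effect of none in the fallback chain). The function name, severity labels and finding texts are assumptions made for illustration; the two sample method lists are the ones shown in the Examples above.

```python
import re

# Method keywords from the Parameters section of this page.
METHODS = {"enable", "line", "local", "none", "radius", "tacacs", "tacacs+"}
MAX_METHODS = 7  # one primary plus up to six backups (Usage Guidelines)
SHARED_PASSWORD = {"enable", "line"}  # one configured password, no username
LOGIN_RE = re.compile(r"^\s*aaa authentication login\s+(\S.*?)\s*$")

# Constructed sample configs; the method lists match the page's two examples.
SEVEN_METHODS = "aaa authentication login default radius tacacs tacacs+ enable local line none\n"
RADIUS_LOCAL = "aaa authentication login default radius local\n"


def audit_login_aaa(config_text):
    """Return a list of (severity, message) findings for the login method list."""
    methods, privilege_mode, findings = None, False, []
    for line in config_text.splitlines():
        match = LOGIN_RE.match(line)
        if not match:
            continue  # also skips "no aaa authentication login ..." lines
        words = match.group(1).split()
        if words == ["privilege-mode"]:
            privilege_mode = True
        elif words[0] == "default":
            methods = words[1:]  # assumption: a later line replaces an earlier one
    if methods is None:
        findings.append(("warn", "login method list is not configured (command default)"))
        methods = []
    unknown = [m for m in methods if m not in METHODS]
    if unknown:
        findings.append(("high", "unknown method keyword(s): " + ", ".join(unknown)))
    if len(methods) > MAX_METHODS:
        findings.append(("high", f"{len(methods)} methods listed; limit is {MAX_METHODS}"))
    if "none" in methods:
        pos = methods.index("none") + 1
        findings.append(("high", f"'none' at position {pos} permits access with no "
                                 "authentication when the methods before it error out"))
        if methods[pos:]:
            findings.append(("warn", "never reached after 'none': " + ", ".join(methods[pos:])))
    shared = [m for m in methods if m in SHARED_PASSWORD]
    if shared:
        findings.append(("warn", "shared-password method(s): " + ", ".join(shared)))
    if privilege_mode:
        findings.append(("warn", "login lands in Privileged EXEC mode (privilege-mode)"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("seven methods", SEVEN_METHODS), ("radius local", RADIUS_LOCAL)):
        print(name, audit_login_aaa(cfg))
```

Run against the seven-method example, the check reports the trailing none as a high-severity finding and the enable and line entries as shared-password methods; the radius local list produces no findings.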