aaa authentication login

Configures the AAA authentication method for securing Telnet or SSH access to the CLI.

Syntax

aaa authentication login default method-list [ method-list ... ]
no aaa authentication login default method-list [ method-list ... ]
aaa authentication login privilege-mode
no aaa authentication login privilege-mode

Command Default

The AAA authentication method list is not configured.

By default, a user enters the User EXEC mode after a successful login through Telnet or SSH.

Parameters

default
    Configures the default authentication method list.
method-list
    Configures the following authentication methods.
    enable
        Authenticate using the password you configured for the Super User privilege level. This password is configured using the enable super-user-password command.
    line
        Authenticate using the password you configured for Telnet access. The Telnet password is configured using the enable telnet password command.
    local
        Authenticate using a local username and password you configured on the device. Local usernames and passwords are configured using the username command.
    none
        Does not use any authentication method. The device automatically permits access.
    radius
        Authenticate using the database on a RADIUS server. You also must identify the server to the device using the radius-server command.
    tacacs
        Authenticate using the database on a TACACS server. You also must identify the server to the device using the tacacs-server command.
    tacacs+
        Authenticate using the database on a TACACS+ server. You also must identify the server to the device using the tacacs-server command.
privilege-mode
    Configures the device to enter the privileged EXEC mode after a successful login through Telnet or SSH.

Modes

Global configuration mode

Usage Guidelines

You can specify a primary authentication method and up to six backup authentication methods. If the configured primary authentication fails due to an error, the device tries the backup authentication methods in the order they appear in the list.

By default, a user enters User EXEC mode after a successful login through Telnet or SSH. Optionally, you can configure the device so that a user enters Privileged EXEC mode after a Telnet or SSH login. The user privilege level is based on the privilege level granted during login.

The no form of the command removes the authentication method.

Examples

The following example shows how to configure RADIUS as the primary authentication method for securing Telnet access to the CLI. If RADIUS authentication fails due to an error with the server, local authentication is used instead.

device(config)# aaa authentication login default radius local

The following example shows how to configure RADIUS as the primary authentication method and other backup authentication methods.

device(config)# aaa authentication login default radius tacacs tacacs+ enable local line none

The following example shows how to configure the device so that a user enters Privileged EXEC mode after a Telnet or SSH login.

device(config)# aaa authentication login privilege-mode
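
The following audit script is an added example, not part of the vendor reference. It checks saved configuration text against the rules on this page: the method keywords under Parameters, the limit of one primary plus six backup methods, the none method, and privilege-mode. The function name, severity labels, and the server-only check are assumptions of this example; input is assumed to be one command per line without the CLI prompt.

```python
import re

# Method keywords listed under Parameters on this page.
KNOWN = {"enable", "line", "local", "none", "radius", "tacacs", "tacacs+"}
SERVER = {"radius", "tacacs", "tacacs+"}
MAX_METHODS = 7  # one primary plus up to six backups (Usage Guidelines)
LOGIN_RE = re.compile(r"^\s*aaa authentication login\s+(\S.*)$")


def audit_login_aaa(config_text):
    """Return (severity, message) findings for 'aaa authentication login' lines."""
    findings, seen_default = [], False
    for raw in config_text.splitlines():
        m = LOGIN_RE.match(raw)  # 'no aaa ...' lines do not match
        if not m:
            continue
        args = m.group(1).split()
        if args == ["privilege-mode"]:
            findings.append(("warn", "Telnet/SSH logins enter Privileged EXEC mode"))
        elif args[0] == "default":
            seen_default = True
            methods = args[1:]
            for name in methods:
                if name not in KNOWN:
                    findings.append(("error", f"unknown method '{name}'"))
            if len(methods) > MAX_METHODS:
                findings.append(("error", f"{len(methods)} methods exceeds {MAX_METHODS}"))
            if "none" in methods:
                pos = methods.index("none") + 1
                findings.append(("high", f"'none' at position {pos} permits access without authentication"))
            # Hygiene check chosen for this example, not a rule stated on the page.
            if methods and set(methods) <= SERVER:
                findings.append(("info", "server-based methods only, no on-device backup"))
    if not seen_default:
        findings.append(("info", "no default login method list configured"))
    return findings


# Constructed sample: the two command forms shown in the Examples section.
SAMPLE = """\
aaa authentication login default radius tacacs tacacs+ enable local line none
aaa authentication login privilege-mode
"""

if __name__ == "__main__":
    for severity, message in audit_login_aaa(SAMPLE):
        print(f"{severity:5} {message}")
```

Run against the constructed sample, it reports the none entry at the end of the seven-method list and the privilege-mode setting; a list such as radius local produces no findings.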