Examples of authentication-method lists

The following examples show how to configure authentication-method lists. In these examples, the primary authentication method for each is "local". The device will authenticate access attempts using the locally configured usernames and passwords.

The command syntax for each of the following examples is provided in the Command Syntax section.

Example 1

To configure an authentication-method list for the Web Management Interface, enter a command such as the following.

device(config)#aaa authentication web-server default local

This command configures the device to use the local user accounts to authenticate access to the device through the Web Management Interface. If the device does not have a user account that matches the user name and password entered by the user, the user is not granted access.

Example 2

To configure an authentication-method list for SNMP, enter a command such as the following.

device(config)#aaa authentication snmp-server default local

This command allows certain incoming SNMP SET operations to be authenticated using the locally configured usernames and passwords. When this command is enabled, community string validation is not performed for incoming SNMP V1 and V2c packets. This command takes effect as long as the first varbind for SNMP packets is set to one of the following:

  • snAgGblPassword="username password" (for AAA method local)
  • snAgGblPassword="password" (for AAA method line, enable)

NOTE
Certain SNMP objects need additional validation. These objects include but are not limited to: snAgReload, snAgWriteNVRAM, snAgConfigFromNVRAM, snAgImgLoad, snAgCfgLoad and snAgGblTelnetPassword. For more information, see snAgGblPassword in the MIB Reference Guide.

If AAA is set up to check both the username and password, the string contains the username, followed by a space then the password. If AAA is set up to authenticate with the current Enable or Line password, the string contains the password only.

Note that the above configuration can be overridden by the command no snmp-server pw-check, which disables password checking for SNMP SET requests.

Example 3

To configure an authentication-method list for the Privileged EXEC and CONFIG levels of the CLI, enter the following command.

device(config)#aaa authentication enable default local

This command configures the device to use the local user accounts to authenticate attempts to access the Privileged EXEC and CONFIG levels of the CLI.

Example 4

To configure the device to consult a RADIUS server first to authenticate attempts to access the Privileged EXEC and CONFIG levels of the CLI, then consult the local user accounts if the RADIUS server is unavailable, enter the following command.

device(config)#aaa authentication enable default radius local

Command Syntax

The following is the command syntax for the preceding examples.

Syntax: [no] aaa authentication { snmp-server | web-server | enable | login } default method1 [method2-7]

The snmp-server | web-server | enable | login parameter specifies the type of access this authentication-method list controls. You can configure one authentication-method list for each type of access.

NOTE
TACACS/TACACS+ and RADIUS are supported only with the enable and login parameters.

The method1 parameter specifies the primary authentication method. The remaining optional method parameters specify additional methods to try if an error occurs with the primary method. A method can be one of the values listed in the Method Parameter column in the following table.

Table 12 Authentication method values

Method parameter   Description
line               Authenticate using the password you configured for Telnet access. The Telnet password is configured using the enable telnet password... command. Refer to Setting a Telnet password.
enable             Authenticate using the password you configured for the Super User privilege level. This password is configured using the enable super-user-password... command. Refer to Setting passwords for management privilege levels.
local              Authenticate using a local user name and password you configured on the device. Local user names and passwords are configured using the username... command. Refer to Local user account configuration.
tacacs             Authenticate using the database on a TACACS server. You also must identify the server to the device using the tacacs-server command.
tacacs+            Authenticate using the database on a TACACS+ server. You also must identify the server to the device using the tacacs-server command.
radius             Authenticate using the database on a RADIUS server. You also must identify the server to the device using the radius-server command. Refer to RADIUS security.
none               Do not use any authentication method. The device automatically permits access.
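The following Python model illustrates how a method list such as the "radius local" list of Example 4 is walked, using the semantics stated in this section: a later method is tried only when the earlier one errors (for example, the RADIUS server is unavailable), while an explicit accept or reject from a method is final. This is an added illustration, not device code; the credential stores, the reachable flag on the simulated RADIUS method, and the function names are constructed for the example, and the fail-closed outcome when every method errors is an assumption, not a statement from this manual.

```python
"""Model of authentication-method list evaluation (added illustration, not vendor code).

Assumed semantics, taken from the manual's wording: a method that cannot reach a
decision returns ERROR and the next method in the list is tried; ACCEPT or REJECT
ends evaluation; if every method errors out, access is denied (assumption).
"""
from enum import Enum
from hmac import compare_digest
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    ERROR = "error"   # the method could not decide, e.g. RADIUS server unavailable


# One authentication method: (username, password) -> Result
Method = Callable[[str, str], Result]

# Constructed sample credential stores (not real accounts).
LOCAL_USERS: Dict[str, str] = {"admin": "local-pw"}
RADIUS_USERS: Dict[str, str] = {"admin": "radius-pw"}
ENABLE_PASSWORD = "super-user-pw"


def check(stored_pw: str, given: str) -> Result:
    """Constant-time comparison of a stored password with the supplied one."""
    return Result.ACCEPT if compare_digest(stored_pw, given) else Result.REJECT


def local(user: str, pw: str) -> Result:
    """'local' method: the device's own username database."""
    if user not in LOCAL_USERS:
        return Result.REJECT
    return check(LOCAL_USERS[user], pw)


def make_radius(reachable: bool) -> Method:
    """'radius' method; the reachable flag simulates whether the server answers."""
    def radius(user: str, pw: str) -> Result:
        if not reachable:
            return Result.ERROR          # timeout: no decision, so the next method is tried
        if user not in RADIUS_USERS:
            return Result.REJECT
        return check(RADIUS_USERS[user], pw)
    return radius


def enable(user: str, pw: str) -> Result:
    """'enable' method: only the Super User password is checked."""
    return check(ENABLE_PASSWORD, pw)


def none(user: str, pw: str) -> Result:
    """'none' method: the device automatically permits access."""
    return Result.ACCEPT


def evaluate(methods: List[Method], user: str, pw: str) -> Tuple[Result, str]:
    """Walk the method list; return the decision and the name of the method that made it."""
    for method in methods:
        result = method(user, pw)
        if result is not Result.ERROR:
            return result, method.__name__
    return Result.REJECT, "all methods failed"   # fail closed (assumption)


if __name__ == "__main__":
    up, down = make_radius(True), make_radius(False)
    print(evaluate([up, local], "admin", "local-pw"))    # rejected by radius: a reject does not fall back to local
    print(evaluate([down, local], "admin", "local-pw"))  # accepted by local: an error does fall back
    print(evaluate([down], "admin", "local-pw"))         # rejected: no method could decide
    print(evaluate([down, none], "anyone", "x"))         # accepted by none: the list fails open
```

The first two calls are the behaviour Example 4 describes: with "radius local", a reachable RADIUS server that rejects the password ends the attempt, and the local user database is consulted only when the server cannot answer. The last call shows why "none" placed after a server method turns a server outage into unrestricted access, which is the reason to keep "local" rather than "none" as the last resort for management access.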