Configuring AAA Authentication

The first example uses the local database, followed by TACACS+ and RADIUS.
The first step for all three variants is creating a username and password locally (in the server cases the local account serves as backup authentication if the server fails):

R1(config)#username Admin1 password cisco

Enabling AAA

R1(config)#aaa new-model

Then we have two options: either create our own named list (MYTelnet in this example) or use the default keyword:

R1(config)#aaa authentication login ?
  WORD     Named authentication list.
  default  The default authentication list.
R1(config)#aaa authentication login MYTelnet ?
  enable   Use enable password for authentication.
  group    Use Server-group.
  local    Use local username authentication.
  none     NO authentication.
R1(config)#aaa authentication login MYTelnet group tacacs group radius local

So: aaa authentication login -> the name of the list: MYTelnet -> the method order: group tacacs, group radius, local (a later method is tried only when the previous one gives no response, not when it rejects the login)

Or:

aaa authentication login default -> no name specified, so the list is the default one -> order: local

Applying the authentication method list default to the console line (li c 0 is the abbreviated form of line console 0; a warning appears if no aaa authentication login command was entered before applying the list to the line):

R1(config)#li c 0
R1(config-line)#login authentication default
AAA: Warning authentication list default is not defined for LOGIN

Applying the authentication method list MYTelnet to the vty (Telnet/SSH) lines:

R1(config)#line vty 0 4
R1(config-line)#login authentication MYTelnet

link to Cisco site

TACACS+ Example:

Specifying the server IP address and the key (shared secret) the router uses to authenticate itself to the server (this is not a password for logging in to the router):

R2(config)#tacacs-server host 192.168.2.2
R2(config)#tacacs-server key tacacspa55

We want the server group tacacs+ to be tried first, then authentication from the local database. The keyword default ("The default authentication list") means this list applies to every line (vty, console, and so on) that has no named list applied, so if we do not need console and Telnet authentication to differ from each other, there is no need to apply the list to each line separately.

R2(config)#aaa new
R2(config)#aaa authe login ?
  WORD     Named authentication list.
  default  The default authentication list.
R2(config)#aaa authe login default ?
  enable   Use enable password for authentication.
  group    Use Server-group.
  local    Use local username authentication.
  none     NO authentication.
R2(config)#aaa authentication login default group tacacs+ local

Commands for debugging:

R1#debug aaa authentication
R1#debug tacacs authentication
R1#show debugging

Output (note that the TACACS+ request times out after 5 seconds, so the server was never reached; the later enable request is authenticated with the enable password):

R1#show debugging
General OS:
  TACACS+ authentication debugging is on
  AAA Authentication debugging is on
  AAA Authorization debugging is on
R1#
R1#
*Mar 1 01:33:11.428: AAA/BIND(00000006): Bind i/f
*Mar 1 01:33:11.428: AAA/AUTHEN/LOGIN (00000006): Pick method list 'default'
*Mar 1 01:33:11.432: TPLUS: Queuing AAA Authentication request 6 for processing
*Mar 1 01:33:11.432: TPLUS: processing authentication start request id 6
*Mar 1 01:33:11.436: TPLUS: Authentication start packet created for 6()
*Mar 1 01:33:11.436: TPLUS: Using server 172.16.1.192
*Mar 1 01:33:11.440: TPLUS(00000006)/0/NB_WAIT/83C593B4: Started 5 sec timeout
*Mar 1 01:33:16.440: TPLUS(00000006)/0/NB_WAIT/83C593B4: timed out
*Mar 1 01:33:16.440: TPLUS(00000006)/0/NB_WAIT/83C593B4: timed out, clean up
*Mar 1 01:33:16.440: TPLUS(00000006)/0/83C593B4: Processing the reply packet
*Mar 1 01:33:23.471: AAA/AUTHOR (00000006): Method=If-authen for method list id=00000000Skip author
*Mar 1 01:33:25.298: AAA: parse name=tty66 idb type=-1 tty=-1
*Mar 1 01:33:25.302: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
*Mar 1 01:33:25.302: AAA/MEMORY: create_user (0x83FE0350) user='ccna' ruser='NULL' ds0=0 port='tty66' rem_addr='172.16.1.254' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 01:33:25.302: AAA/AUTHEN/START (103502052): port='tty66' list='' action=LOGIN service=ENABLE
*Mar 1 01:33:25.302: AAA/AUTHEN/START (103502052): non-console enable - default to enable password
*Mar 1 01:33:25.302: AAA/AUTHEN/START (103502052): Method=ENABLE
*Mar 1 01:33:25.302: AAA/AUTHEN(103502052): Status=GETPASS
*Mar 1 01:33:29.000: AAA/AUTHEN/CONT (103502052): continue_login (user='(undef)')
*Mar 1 01:33:29.000: AAA/AUTHEN(103502052): Status=GETPASS
*Mar 1 01:33:29.000: AAA/AUTHEN/CONT (103502052): Method=ENABLE
*Mar 1 01:33:29.032: AAA/AUTHEN(103502052): Status=PASS
*Mar 1 01:33:29.032: AAA/MEMORY: free_user (0x83FE0350) user='NULL' ruser='NULL' port='tty66' rem_addr='172.16.1.254' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
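The debug output above is mostly noise around two facts: the TACACS+ server never answered, and the PASS that followed came from another method. As an added example (not from the original post or from Cisco), this Python script reduces such debug lines to those facts; the sample lines are constructed after the ones above, and the regexes assume the message formats shown there.

```python
import re
# Constructed sample modelled on the debug lines above (not captured from the page's router).
SAMPLE_DEBUG = """\
*Mar 1 01:33:11.428: AAA/AUTHEN/LOGIN (00000006): Pick method list 'default'
*Mar 1 01:33:11.436: TPLUS: Using server 172.16.1.192
*Mar 1 01:33:11.440: TPLUS(00000006)/0/NB_WAIT/83C593B4: Started 5 sec timeout
*Mar 1 01:33:16.440: TPLUS(00000006)/0/NB_WAIT/83C593B4: timed out
*Mar 1 01:33:25.302: AAA/AUTHEN/START (103502052): Method=ENABLE
*Mar 1 01:33:29.032: AAA/AUTHEN(103502052): Status=PASS
"""

# One regex per fact; group(1) is the value kept (the timed-out marker has no value).
PATTERNS = {
    "method_list": re.compile(r"AAA/AUTHEN/LOGIN \(\w+\): Pick method list '([^']+)'"),
    "server":      re.compile(r"TPLUS: Using server (\d{1,3}(?:\.\d{1,3}){3})"),
    "timeout_sec": re.compile(r"TPLUS\(\w+\)\S*: Started (\d+) sec timeout"),
    "timed_out":   re.compile(r"TPLUS\(\w+\)\S*: timed out$"),
    "method":      re.compile(r"AAA/AUTHEN(?:/\w+)? ?\(\w+\): Method=(\w+)"),
    "status":      re.compile(r"AAA/AUTHEN\(\w+\): Status=(\w+)"),
}

def summarize(debug_text):
    """Reduce the debug lines of one login attempt to the facts an operator checks."""
    s = {"method_list": None, "server": None, "timeout_sec": None,
         "timed_out": False, "methods": [], "status": None}
    for line in debug_text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if key == "timed_out":
                s["timed_out"] = True
            elif key == "timeout_sec":
                s["timeout_sec"] = int(m.group(1))
            elif key == "method":
                s["methods"].append(m.group(1))
            else:
                s[key] = m.group(1)
    return s

def findings(s):
    """Warnings worth alerting on: a silent server, and a PASS granted without it."""
    out = []
    if s["server"] and s["timed_out"]:
        out.append(f"TACACS+ server {s['server']} gave no reply within "
                   f"{s['timeout_sec']} s on method list '{s['method_list']}'")
    if s["timed_out"] and s["status"] == "PASS":
        out.append("Status=PASS was reached by method(s) " + ", ".join(s["methods"])
                   + ", not by the TACACS+ server")
    return out
```

Run it over the real output of `debug aaa authentication` and `debug tacacs authentication` to see at a glance whether logins are being granted by the fallback methods because the server is unreachable.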