Command:

aaa authentication login


Mode:

Router(config)#


Syntax:

aaa authentication login {default | list-name} method1 [method2...]

no aaa authentication login {default | list-name} method1 [method2...]


Syntax Description:

default      Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.

list-name    Character string used to name the following list of authentication methods activated when a user logs in.

method       At least one of the keywords described in the table: aaa authentication login Methods.

 

Command Description:

To set AAA authentication at login, use the aaa authentication login global configuration command. Use the no form of this command to disable AAA authentication.

Usage Guidelines:

The default and optional list names created with the aaa authentication login command are used with the login authentication command. 

Create a list by entering the aaa authentication login list-name method command for a particular protocol, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence. Method keywords are described in the table.

If no list is specified on an interface with the login authentication command, a default list to be used can be specified with the default keyword followed by the methods.

The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.

If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the show running-config command to display currently configured lists of authentication methods.

Table: aaa authentication login Methods

Keyword             Description

enable              Uses the enable password for authentication.
krb5                Uses Kerberos 5 for authentication.
line                Uses the line password for authentication.
local               Uses the local username database for authentication.
none                Uses no authentication.
group radius        Uses the list of all RADIUS servers to provide authentication services.
group tacacs+       Uses the list of all TACACS+ servers to provide authentication services.
krb5-telnet         Uses Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router.
group group-name    Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the server group group-name.
local-case          Uses case-sensitive local username authentication.

This command cannot be used with TACACS or extended TACACS.

 

Examples:

The following example creates an AAA authentication list called MIS-access. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.

 

Router(config)#aaa authentication login MIS-access group tacacs+ enable none

The following example creates the same list, but it sets it as the default list that is used for all login authentications if no other list is specified:

Router(config)#aaa authentication login default group tacacs+ enable none
  

The following example sets authentication at login to use the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router:

Router(config)#aaa authentication login default krb5-telnet krb5
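The fall-through rule from the Usage Guidelines (a later method runs only when the previous one returns an error, not when it fails) and the effect of a trailing none, shown as an added Python example that is not part of the Cisco reference. The function names, the pass/fail/error outcome labels and the sample configuration lines are assumptions made for illustration.

```python
import re

# Single-word method keywords from the page's method table; "group X" is handled below.
KEYWORDS = {"enable", "krb5", "line", "local", "none", "krb5-telnet", "local-case"}
LINE_RE = re.compile(r"^\s*aaa authentication login (\S+) (.+?)\s*$")

def parse_method_lists(config_text):
    """Return {list_name: [method, ...]} from show running-config style text."""
    lists = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, tokens, methods = m.group(1), m.group(2).split(), []
        while tokens:
            tok = tokens.pop(0)
            if tok == "group" and tokens:
                tok = "group " + tokens.pop(0)   # e.g. "group tacacs+"
            elif tok not in KEYWORDS:
                raise ValueError(f"unknown method {tok!r} in list {name!r}")
            methods.append(tok)
        lists[name] = methods
    return lists

def evaluate(methods, outcomes):
    """Walk a method list; outcomes maps method -> 'pass' | 'fail' | 'error' (assumed labels)."""
    for method in methods:
        if method == "none":
            return "permit", method              # no authentication is performed
        result = outcomes.get(method, "error")   # assumption: unlisted method is unreachable
        if result == "pass":
            return "permit", method
        if result == "fail":
            return "deny", method                # a failure stops the walk
    return "deny", None                          # every method returned an error

def audit(config_text):
    """Names of lists containing 'none', which admit users once earlier methods error out."""
    return sorted(name for name, methods in parse_method_lists(config_text).items()
                  if "none" in methods)

# Constructed sample lines, not taken from a real device.
SAMPLE = """\
aaa new-model
aaa authentication login default group tacacs+ enable none
aaa authentication login MIS-access group tacacs+ local
"""

if __name__ == "__main__":
    print(audit(SAMPLE))  # ['default']
```

A list flagged by audit() grants access without credentials whenever every earlier method returns an error, for example when the TACACS+ servers are unreachable and no enable password is set.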


Misconceptions:

 

None


Related Commands:

 

aaa new-model

 

login authentication

 


© Cisco Systems, Inc. 2001, 2002, 2003
World Wide Education
