Configuring AAA is relatively simple after understanding the basic process
shown in Figures
and
.
The AAA security services facilitate a variety of login authentication
methods. Use the aaa authentication login command to enable
AAA authentication. With the aaa authentication login
command, create one or more lists of authentication methods that are tried at
login. These lists are applied using the login
authentication line configuration command.
To configure login
authentication by using AAA, use the commands in this Figure
, beginning in
global configuration mode.
To specify that the authentication should
succeed even if all methods return an error, specify none
as the final method in the command line. For example, to
specify that authentication should succeed even if, as in this example, the
TACACS+ server returns an error, enter the following command:
aaa authentication login default group tacacs+ none
NOTE:
Because the none keyword enables any user logging
in to successfully authenticate, it should be used only as a backup method of
authentication.
To create a default list that is used when a named list is not
specified in the login authentication command, use the
default keyword followed by the methods that are to be used
in default situations. The default method list is automatically applied to all
interfaces.
Example: Configuring Authentication
The following
example creates an authentication list called "myway" that uses
TACACS+ as the first authentication method and local authentication as the
second. The authentication list is then applied to a line.
Switch(config)#aaa authentication login myway group tacacs+ local
Switch(config)#line con 0
Switch(config-line)#login authentication myway
Authentication