aaa authentication login default


aaa authentication login default {local | group <GROUP-LIST>}

no aaa authentication login default


Defines authentication as being local (with the name local), or defines a sequence of remote AAA servers to be interrogated for authentication purposes.

The no form of this command removes any defined remote AAA server authentication sequence, returning the switch to local authentication only.

Command context




local

Selects local-only authentication.

group <GROUP-LIST>

Specifies the list of remote AAA server group names. Predefined remote AAA group names tacacs or radius are available. User-defined TACACS and RADIUS server group names may also be used. The remote AAA servers are interrogated in the order that the group names are listed in this command.

If no AAA server is reachable, local authentication is attempted.




Defining an authentication sequence based on a user-defined TACACS+ server group, then the default TACACS+ server group, and finally (if needed) local authentication:

switch(config)# aaa authentication login default group tacacs_user1 tacacs local

Enabling local authentication:

switch(config)# aaa authentication login default local
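
The ordering and fallback rules described under group <GROUP-LIST> can be checked offline against a saved configuration. The following is an added example, not part of the original reference or any vendor tooling. It assumes that a later command replaces an earlier one and that a configuration without the command behaves like the no form (local only); the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed configuration excerpt (not from a real device).
SAMPLE_CONFIG = """\
hostname lab-sw1
aaa authentication login default local
aaa authentication login default group tacacs_user1 tacacs local
"""

_CMD = re.compile(r"^(no\s+)?aaa\s+authentication\s+login\s+default\b(.*)$")
_LOCAL_ONLY = [("local", "local")]


def login_method_order(config_text):
    """Return the effective login methods as ordered (name, kind) tuples.

    kind is 'remote-group', 'local' (explicitly listed), or 'local-fallback'
    (the implicit attempt made when no AAA server is reachable).
    """
    methods = list(_LOCAL_ONLY)          # assumption: absent command == local only
    for raw in config_text.splitlines():
        m = _CMD.match(raw.strip())
        if not m:
            continue
        args = m.group(2).split()
        if m.group(1) or args == ["local"]:
            methods = list(_LOCAL_ONLY)  # 'no' form or explicit local
        elif args[:1] == ["group"] and len(args) > 1:
            names = args[1:]             # groups are tried in the listed order
            methods = [(n, "local" if n == "local" else "remote-group")
                       for n in names]
            if "local" not in names:
                methods.append(("local", "local-fallback"))
        else:
            raise ValueError(f"unrecognised syntax: {raw!r}")
    return methods


def audit(config_text):
    """Return (order, findings) for review of the login configuration."""
    order = login_method_order(config_text)
    findings = []
    if not any(kind == "remote-group" for _, kind in order):
        findings.append("local-only: no remote AAA server group is consulted")
    if any(kind == "local-fallback" for _, kind in order):
        findings.append("implicit local fallback if no AAA server is reachable")
    return order, findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

In every outcome the local user database remains a possible login path, so local account credentials need the same care as those held on the AAA servers.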