aaa authentication login

Syntax

aaa authentication login <CONNECTION-TYPE> {local | group <GROUP-LIST>}

no aaa authentication login <CONNECTION-TYPE>

Description

Defines authentication as local (using the name local), which is the default, or defines a sequence of remote AAA server groups to be accessed for authentication. Each available connection type (channel) can be configured individually as either local or using remote AAA server groups. All server groups named in the command must exist. This command can be issued multiple times, once for each connection type. Local is always available for any connection type not configured for remote AAA authentication.

NOTE:

If you do not want local authentication to occur in cases where all AAA servers contacted reject the user's credentials, do not enable authentication fail-through (command aaa authentication allow-fail-through).

The no form of this command removes any defined remote AAA server group authentication sequence for the specified connection type. Local authentication is available for connection types without a configured remote AAA server group list (whether default or for the specific connection type).

Command context

config

Parameters

<CONNECTION-TYPE>

One of these connection types (channels):

default

Defines a list of authentication server groups to be used for the default connection type. This configuration applies to all other connection types (console, https-server, ssh) that are not explicitly configured with this command. For example, if you do not use aaa authentication login console... to define the console authentication list, then this default configuration is used for console.

console

Defines a list of authentication server groups to be used for the console connection type.

https-server

Defines a list of authentication server groups to be used for the https-server (REST, Web UI) connection type.

ssh

Defines a list of authentication server groups to be used for the ssh connection type.

local

Selects local-only authentication when used without the group parameter.

group <GROUP-LIST>

Specifies the list of remote AAA server group names. Each name can be specified one time. Predefined remote AAA group names tacacs and radius are available. Although not a group name, predefined name local is available. User-defined TACACS+ and RADIUS server group names may also be used. The remote AAA server groups are accessed in the order that the group names are listed in this command. Within each group, the servers are accessed in the order in which the servers were added to the group. Server groups are defined using the command aaa group server, and servers are added to a server group with the command server.

If no AAA server is reachable, local authentication is attempted.

Authority

Administrators

Examples

Defining the default authentication sequence based on two user-defined TACACS+ server groups, then the default TACACS+ server group, and finally (if needed), local authentication.

switch(config)# aaa authentication login default group tg1 tg2 tacacs local

Defining the console authentication sequence based on two user-defined TACACS+ server groups, then the default TACACS+ server group, and finally (if needed), local authentication.

switch(config)# aaa authentication login console group tg2 tg3 tacacs local

Defining the ssh authentication sequence based on one user-defined TACACS+ server group and then the default TACACS+ server group.

switch(config)# aaa authentication login ssh group tg2 tacacs

Defining the default authentication sequence based on two user-defined RADIUS server groups, then the default RADIUS server group, and finally (if needed), local authentication.

switch(config)# aaa authentication login default group rg1 rg2 radius local

Defining the https-server authentication sequence based on one user-defined RADIUS server group and then the default RADIUS server group.

switch(config)# aaa authentication login https-server group rg1 radius

Setting local authentication for the default connection type:

switch(config)# aaa authentication login default local
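
The following is an added example, not part of the original documentation or the vendor's tooling: a small Python audit that resolves the effective login authentication sequence for each connection type (inheriting from default, then falling back to local) and flags undefined groups, repeated names, and enabled fail-through. The function names, the sample configuration, and the assumed line form `aaa group server <type> <name>` (this page names the command but does not show its syntax) are assumptions.

```python
CHANNELS = ("console", "https-server", "ssh")
PREDEFINED = {"tacacs", "radius", "local"}  # predefined names listed on this page

# Constructed sample configuration (tg9 is deliberately left undefined).
SAMPLE_CONFIG = """\
aaa group server tacacs tg1
aaa group server tacacs tg2
aaa authentication allow-fail-through
aaa authentication login default group tg1 tg2 tacacs local
aaa authentication login ssh group tg2 tg9 tacacs
aaa authentication login console local
"""

def parse(config):
    """Return (sequences by connection type, defined groups, fail_through)."""
    seqs, groups, fail_through = {}, set(), False
    for line in config.splitlines():
        tok = line.split()
        negate = tok[:1] == ["no"]
        if negate:
            tok = tok[1:]
        if tok[:3] == ["aaa", "authentication", "login"] and len(tok) >= 4:
            if negate:
                seqs.pop(tok[3], None)      # no form removes the sequence
            elif tok[4:5] == ["local"]:
                seqs[tok[3]] = ["local"]    # local-only authentication
            elif tok[4:5] == ["group"]:
                seqs[tok[3]] = tok[5:]      # ordered group list
        elif tok[:3] == ["aaa", "group", "server"] and len(tok) >= 5 and not negate:
            groups.add(tok[4])  # assumed form: aaa group server <type> <name>
        elif tok == ["aaa", "authentication", "allow-fail-through"]:
            fail_through = not negate
    return seqs, groups, fail_through

def audit(config):
    """Effective sequence and findings for each connection type."""
    seqs, groups, fail_through = parse(config)
    report = {}
    for ch in CHANNELS:
        seq = seqs.get(ch) or seqs.get("default") or ["local"]
        findings = [f"undefined group: {g}" for g in seq
                    if g not in groups | PREDEFINED]
        if len(set(seq)) != len(seq):
            findings.append("group name listed more than once")
        if fail_through and seq != ["local"]:
            findings.append("allow-fail-through enabled: local may be tried after server reject")
        report[ch] = {"sequence": seq, "findings": findings}
    return report
```

Running `audit(SAMPLE_CONFIG)` shows https-server inheriting the default sequence, console pinned to local, and ssh referencing a group that was never defined.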