AAA Authentication Using Local Credentials

February 25, 2023 - Reading time: 4 minutes

Cisco AAA (Authentication, Authorization, and Accounting) local authentication is a security feature that allows network administrators to control access to network devices and services by requiring users to provide valid credentials before accessing them. With local authentication, administrators can define user accounts and passwords locally on a network device, rather than relying on external authentication servers.

To configure Cisco AAA local authentication, follow these steps:

Console into a device and enter global configuration mode. Define the local user accounts by entering the "username" command followed by the username and password for each user. For example, to create a user account with the username "admin" and password "cisco123", enter the command:

Router(config)#username admin password cisco123 

Enable the AAA feature by entering the command "aaa new-model". This command enables the AAA subsystem and replaces the previous authentication, authorization, and accounting configuration commands with the new AAA configuration commands.

Router(config)#aaa new-model

Configure the authentication method by entering the command "aaa authentication login default local" in global configuration mode (as the Router(config)# prompt below shows). This command specifies that the default authentication method for login access is local, which means that the router will use the locally defined usernames and passwords to authenticate users.

Router(config)#aaa authentication login default local

Note: The aaa new-model command enables the authentication mode immediately on all lines and interfaces except for the console line, line con 0. Once this is configured, users need to authenticate using credentials from the router's local database. By default, no user accounts are created, so it is recommended that you define a username and password on the device before activating AAA to prevent being locked out remotely.
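As an added example (not part of the original post), here is a small Python audit that reads a "show running-config" dump and flags the lockout condition from the note above: aaa new-model enabled with no local username defined. It also flags accounts created with "password" rather than "secret", since "secret" stores a hash; the two sample configs are constructed to mirror the before/after state described on this page.

```python
"""Audit a Cisco IOS running-config for AAA local-login pitfalls.
Constructed example; the sample configs below are not real devices."""
import re

# Constructed sample: vty line protected only by a line password, no AAA.
BEFORE_CONFIG = """\
!
line vty 0 4
 password password123
 login
!
end"""

# Constructed sample: AAA enabled with one local user defined via 'password'.
AFTER_CONFIG = """\
username admin password cisco123
aaa new-model
aaa authentication login default local
!
line vty 0 4
 password password123
!
end"""


def audit_aaa_local(config: str) -> dict:
    """Return what the dump says about AAA local auth plus a list of findings."""
    lines = [line.rstrip() for line in config.splitlines()]
    has_new_model = "aaa new-model" in lines          # exact line, so 'no aaa new-model' is ignored
    has_login_default = any(
        re.match(r"aaa authentication login default\b.*\blocal\b", line) for line in lines)
    users = {}  # username -> 'secret' (hashed) or 'password' (type 0/7, reversible)
    for line in lines:
        m = re.match(r"username (\S+) .*?\b(secret|password)\b", line)
        if m:
            users[m.group(1)] = m.group(2)
    findings = []
    if has_new_model and not users:
        findings.append("aaa new-model enabled with no local usernames: remote lockout risk")
    if has_new_model and not has_login_default:
        findings.append("no 'aaa authentication login default local' method list")
    for name, kind in users.items():
        if kind == "password":
            findings.append(f"user {name} uses 'password' (reversible); prefer 'secret'")
    return {"new_model": has_new_model, "login_default_local": has_login_default,
            "users": users, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(label, audit_aaa_local(cfg)["findings"])
```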

VTY line before:

Router0#sh run | beg vty

Building configuration...

Current configuration : 126 bytes
!
line vty 0 4
 password password123
 login
!
!
end

VTY line after the aaa new-model command:

Router0#sh run | beg vty

Building configuration...

Current configuration : 120 bytes
!
line vty 0 4
 password password123
!
!
end

Here are some ways to verify the configurations for AAA local authentication on a Cisco device:

  1. Use the "show running-config" command: This command shows the current running configuration of the device, including the AAA settings. You can use this command to verify that your AAA local authentication configuration is correct.

  2. Use the "show aaa" command: This command shows the current AAA settings for the device. You can use this command to verify that your AAA local authentication configuration is enabled and working.

  3. Test authentication with a test user: You can create a test user account on the device and try to authenticate with it to verify that the AAA local authentication is working. 

It's important to keep in mind that verifying the AAA local authentication configuration is an ongoing process. You should regularly check the configuration to ensure that it is still working correctly and make changes as needed.

Please download the lab from this link.
