AAA Authentication on Cisco IOS

Hello Raghu

Thanks for your feedback, it’s much appreciated! I will let @ReneMolenaar know of your request and he’ll get back to you.

Thanks again!


I found this question on OCG book.

Your routers is configured as follows:

R1#show run | i aaa|username
aaa new-model
username ENARSI password 0 EXAM
R1# show run | s vty
line vty 0 4
password cisco
transport input all

Based on the configuration, what will occour when someone uses Telnet to reach the router?

  1. Authentication will fail because there is no AAA method list
  2. The user will be required to use line password cisco.
  3. The user will be required to use the username ENARSI with the password EXAM
  4. Something else…

The answer is the number 3.

Can you explain to me why 2 is not correct ? (Telnet not require username as I know)


Hello Giovanni

It all has to do with the behavior of the device with and without the aaa new-model command.

Without aaa new-model, the VTY will behave as follows:

The login command is used to instruct the VTY to ask for credentials when an attempt to login is made. If the command is simply login then it uses the password configured with the password command under the VTY configuration. If the command is login local then it asks for a username and password based on the local user database regardless of whether or not the password was used. Note if login is used and no password is set, it will still prompt for a password, but access will never be granted.

The following configuration will ask for a password whenever connectivity via Telnet is attempted using the password cisco.

line vty 0 4
 password cisco
 transport input all

The following configuration will give Telnet access immediately without asking for any credentials, even though a password is configured.

line vty 0 4
 password cisco
 transport input all

The following configuration will ask for a username and password whenever connectivity via Telnet is attempted. The password cisco is completely ignored, and the local database is used for authentication, using username and password.

line vty 0 4
 password cisco
 login local
 transport input all

With aaa new-model enabled, the VTY will behave as follows:

The VTY will always use the local database as the authentication source by default. The password configured within the VTY configuration is ignored. The login and login local commands are disabled and replaced with a login authentication command which specifies an authentication list (a list of acceptable sources for credentials).

So to answer your question, when you enable aaa new-model, the VTY will always use the local database as the source of credentials, thus it will use the username and password created using the username command in global configuration mode.

Note that Telnet can be configured to not require a password, but the aaa new-model mode of configuration does not allow this.

I hope this has been helpful!


1 Like

Agree with Raghu. Installation/Setup videos or a Lesson of topics like Free Radius etc will be very helpful!

Hello Rahul

Thanks for voicing your opinion about this, it’s always helpful to get such feedback. For a more immediate response from Rene, I suggest you go to the following Member Ideas page and make your suggestion there. YOu may find that others have made similar suggestions and if so, you can add your voice to theirs.

I hope this has been helpful!


Configured AAA but i am getting below error

Attempting authentication test to server-group tacacs+ using tacacs+
**No authoritative response from any server**.

Able to reach tacacs server

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:

Hello Pavanc

There are several things that may cause this behavior. One is if the IP address is incorrect, but I’m assuming that you’ve checked this already. :slight_smile:

Other issues may have to do with the actual AAA configuration. Take a look at the following Cisco community threads that may have some clues as to how you can proceed:

Also, try using the debug aaa authentication and debug aaa tacacs commands to check the AAA events and communication that takes place from your router. Also, if you can, check to see if your TACACS server actually receives packets when you try to authenticate. All of these should help in your troubleshooting process. Let us know how you get along!

I hope this has been helpful!


Once I configured “aaa authentication login default group radius local” and save the config, the local username and password is not able to login anymore. I assume it should fallback to the local user authentication if the connection to RADIUS server is not available. Could you please explain why the local account doesn’t work?

This is my configuration for the local user:

username admin secret 5 $1$ZOZH$FDOAYVEquweBvlape9aL.0
line con 0
 exec-timeout 1 0
 password 7 0523130D6249561D4903111B08093B29242A
 logging synchronous
 login local
line vty 0 4
 exec-timeout 3 0
 password 7 013B1306180E1E1B714A48001A0028060E00
 logging synchronous
 login local
 transport input ssh
line vty 5 15

Hello Siwen

Indeed the command aaa authentication login default group radius local will cause the router to fall back on the local user database for authentication if the RADIUS server is unavailable. To be clear, that means that to fall back to the local database, the RADIUS server must fail to respond to the request. If the RADIUS server responds and denies access, the authentication will not fall back to the local database. The user will simply be denied.

If that local username and password are not also configured in the RADIUS server, then the RADIUS server will simply deny access. So the behavior you see is expected. If you want the same credentials to operate when the RADIUS server is up and running, then you can add the same username and password as credentials in the RADIUS server as well.

I hope this has been helpful!


Hi @ReneMolenaar @lagapidis ,
I have a very simple query.
We are configuring fallback methods with aaa authentication cmds.does this fallback method work when we fail authentication with the primary one? or it is when we loose connectivity to primary server?

simply think that our primary method is RADIUS server and fallback is local database.
we have configured user ‘admin’ in local database only.
can we log in to the device with username as ‘admin’ when we have reachability to RADIUS server?

Hello Nipun

If authentication fails due to incorrect credentials with the primary method, the fallback method will NOT be tried. The fallback mechanism comes into effect only when the primary server is unreachable or unresponsive, not when authentication fails due to incorrect credentials.

This makes sense because if someone tries to log in using brute force and fail, you can consider them an illegitimate user. If you were legitimate, you would know the password. So you don’t want to give an illegitimate user that may continue their brute force attack a second chance to try to connect again. So when a user provides incorrect credentials for the primary method, the device will return an authentication failure and will not proceed to try the fallback method.

The fallback is mainly intended to provide an alternative way to authenticate users when there’s an issue with the primary authentication server or method, not to give users multiple attempts to authenticate with different methods.

I hope this has been helpful!


1 Like

Hi Rene,

Our C9200 use mgmt port , and we would like to do TACACS authentication through the management interface. But not work.

If authenticate to tacacs through Vrf, what commands need to be added?

Hello Eric

What kind of error message are you getting? Can you also inform us about the VRF configuration you have?

In general, if you want to add a TACACS server from a particular VRF, you can do the following:

(config)# tacacs server TACACS-SERVER
(config-server-tacacs)# address ipv4 vrf MGMT
(config-server-tacacs)# key <shared-secret>
(config-server-tacacs)# exit

Here you can see that the particular VRF on which the server is can be indicated. Here it is indicated as MGMT.

If you need any more information, please feel free to let us know!

I hope this has been helpful!


Hello, everyone!

Please, are there any free RADIUS/TACACS+ softwares that I could use? I am running Windows for which I couldn’t install FreeRADIUS, the Elektron RADIUS link doesn’t do anything when I click “Download” and ClearBox felt a little complicated to set up when it came to RADIUS specifically.

Thank you in advance.

Hello David

What was the problem when you tried to install it? If you do a search online for “free radius server for windows” you should find quite a few resources to help you successfully install it.

The truth is that there aren’t that many free options for RADIUS servers for Windows. It’s even more difficult to find a free version of TACACS+ even on Linux. Even so, some RADIUS options that may be worth searching for include:

  • TekRADIUS: It’s a Windows-based RADIUS server that’s available in both free and paid versions. The free version has some limitations, but it might meet your needs.
  • Radiator: It’s a highly configurable and flexible RADIUS server that runs on Windows, Linux, MacOS, Solaris, and more. It’s not free, but they offer a 30-day trial.

Indeed Elektron RADIUS seems to be difficult to find these days. I’ll let Rene know to take a look and see if he can revise the content of this particular lesson which includes this software.

Let us know if you get any of the above working!

I hope this has been helpful!


Hello, everyone!

When it comes to RADIUS, authentication and authorization are combined.

In other words, if I was to access a Cisco device, the moment I would authenticate, I’d also be authorized, right? Basically, RADIUS passes all the authorization parameters the moment we are authenticated (pass on a priv level, and so on).

But why isn’t RADIUS capable of accounting for Cisco CLI commands? That function isn’t combined with the other two As and there is a specific port designated for it - 1813.

Thank you.


Hello David

You’re correct in saying that RADIUS combines authentication and authorization. When a user is authenticated, RADIUS does pass on the authorization parameters.

As for your question regarding RADIUS not being capable of accounting for Cisco CLI commands, it’s not exactly that RADIUS can’t do it, but rather that it’s not designed to do so. RADIUS was primarily designed to provide centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service, but, and this is key, it’s not specifically designed to log every single command that a user types into a Cisco device.

However, you can configure Cisco devices to send accounting information to a RADIUS server. This includes start-stop records, system events like reloads or reboots, and network service events like PPP or ARAP. But, it doesn’t include command-level accounting, which is where TACACS+ comes in.

TACACS+ is another AAA protocol that does support command accounting. This means that TACACS+ can log every command entered by a user, providing a higher level of detail than RADIUS. This is why many organizations choose to use TACACS+ for device administration and RADIUS for network access.

I hope this has been helpful!


Hello, thanks a lot for this lesson and i hope you’re doing great.
I have a question about the usernames and passwords that have been configured .
so, "REMOTE_ADMIN MY_PASSWORD " is the credentials used to access RADIUS server however in event of failure the local credentials must be used; but i’m confused because you configured two (02) usernames and passwords. This is the first one "username LOCAL_ADMIN password MY_PASSWORD " and this is the second one “enable password LOCAL_ENABLE”.
Can you please tell which one will be used if the AAA server ( RADIUS) fails ?
or correct me if i’m wrong


Hello Chris

All Cisco devices have two levels or modes that are used to give specific privileges to users when using the CLI. Unless otherwise configured, when you initially log in with your username and password (regardless of whether you are using the local or RADIUS method), you are in user mode, which is depicted by a “>” prompt.

In order to obtain the capability of configuring additional parameters, you must enter privileged mode, which is a second level of security that the IOS has. In order to enter Privileged mode, you must enter the “enable” password. Once done, you get the privileged mode prompt which is “#”. More info on this can be found here:

Now in the lesson, Rene configured the user name, password, and enable password to be used and authenticated by the RADIUS server. These were REMOTE_ADMIN, MY_PASSWORD, and REMOTE_ENABLE. These credentials are to be used when the device has access to the RADIUS server and all is functioning correctly.

In the event that connectivity to the RADIUS server is lost, the device must fall back on the local credentials. This includes the local username, password, and enable password. And these are configured as LOCAL_ADMIN, MY_PASSWORD, and LOCAL_ENABLE.

So you see, the MY_PASSWORD and the LOCAL_ENABLE are two different entities, just like those configured for RADIUS. They are the user’s password, and the enable password, which must be configured locally in order to gain access to the device in the event that the RADIUS server fails.

I hope this has been helpful!


1 Like

I understood, thank you so much.

1 Like