To enable AAA authentication to determine if a user can access the
privileged command level, use the aaa authentication enable default global
configuration command. Use the no form of this command to disable this
authorization method.
Usage Guidelines
Use the aaa authentication enable default command to create a
series of authentication methods that are used to determine whether a user can
access the privileged command level. Method keywords are described in the table
below. The additional methods of authentication are used only if the previous
method returns an error, not if it fails. To specify that the authentication
should succeed even if all methods return an error, specify none as
the final method in the command line.
If a default authentication routine is not set for a function, the default
is none and no authentication is performed. Use the show
running-config command to view currently configured lists of
authentication methods.
Table: aaa authentication enable Default Methods

| Keyword | Description |
|---|---|
| enable | Uses the enable password for authentication. |
| line | Uses the line password for authentication. |
| none | Uses no authentication. |
| group tacacs+ | Uses the list of all TACACS+ servers to provide authentication services. |
| group radius | Uses the list of all RADIUS servers to provide authentication services. |
| group group-name | Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the server group group-name. |

The following example creates an authentication
list that first tries to contact a TACACS+
server. If no server can be found, AAA tries to
use the enable password. If this attempt also returns
an error (because no enable password is configured
on the server), the user is allowed access
with no authentication.
Router(config)#aaa authentication enable default group tacacs+ enable none
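
The fallback rule above (the next method is tried only on an error, never on a failure) and the effect of a trailing none can be modeled and audited as follows. This is an added example, not Cisco code: the function names, the outcome labels 'pass', 'fail' and 'error', and the sample configuration are assumptions made for illustration.

```python
import re

SIMPLE = {"enable", "line", "none"}  # keywords from the methods table

def parse_methods(line):
    """Ordered method list from an 'aaa authentication enable default' line, else None."""
    m = re.match(r"\s*aaa authentication enable default\s+(.+)$", line)
    if not m:
        return None
    tokens, methods = m.group(1).split(), []
    while tokens:
        tok = tokens.pop(0)
        if tok == "group" and tokens:
            methods.append("group " + tokens.pop(0))  # tacacs+, radius or a server group
        elif tok in SIMPLE:
            methods.append(tok)
        else:
            raise ValueError(f"unknown method keyword: {tok!r}")
    return methods

def evaluate(methods, outcomes):
    """Walk the list; outcomes maps method -> 'pass', 'fail' or 'error' (assumed labels)."""
    for method in methods:
        if method == "none":
            return "permit", "none"   # no authentication is performed
        result = outcomes[method]
        if result == "pass":
            return "permit", method
        if result == "fail":
            return "deny", method     # a failure stops the list
        # 'error' (for example, no server reachable): try the next method
    return "deny", None               # every method returned an error

def audit(running_config):
    """Return enable method lists that can end in unauthenticated access."""
    findings = []
    for line in running_config.splitlines():
        methods = parse_methods(line)
        if methods and "none" in methods:
            findings.append(line.strip())
    return findings

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
hostname Router
aaa new-model
aaa authentication enable default group tacacs+ enable none
"""

if __name__ == "__main__":
    listed = parse_methods("aaa authentication enable default group tacacs+ enable none")
    print(evaluate(listed, {"group tacacs+": "error", "enable": "error"}))
    print(audit(SAMPLE))
```

Run against the output of show running-config, audit lists every enable method list that grants privileged access without authentication once all earlier methods return an error.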