AAA Authentication Process: AAA Authentication login

Today I am going to talk about the basics of aaa authentication login default local group tacacs+ on a Cisco Internetworking Operating System (IOS) device. I will walk through the CLI commands, which will help network engineers understand the same behaviour in IOS/IOS-XE images for routers and switches.

Note: The IP address used here is for demo purposes only and has no relevance to any enterprise network.

Fig 1.1-AAA Authentication Process

Configure these commands on the device in global configuration mode:

aaa new-model
aaa authentication login default local group tacacs+

Here the AAA method list is applied to all login attempts on all lines of the device: the local database is checked first and, only if required, the Terminal Access Controller Access Control System (TACACS) server is tried.

username cisco privilege 15 password 0 cisco
tacacs-server host 10.20.220.141
tacacs-server key cisco

Enable debug tacacs and debug aaa authentication on the device under test, then confirm they are active:

NB#show debug 
General OS: 
TACACS access control debugging is on 
AAA Authentication debugging is on

Perform a telnet on the device:

NB#show ip interface brief | exclude unassigned
Interface         IP-Address       OK?  Method  Status  Protocol
FastEthernet0/1   10.197.235.96    YES  DHCP    up      up
Loopback0         192.168.1.2      YES  manual  up      up

NB#telnet 192.168.1.2 
 Trying 192.168.1.2 ... Open 
 User Access Verification 
 Username: cisco 
 *Jul 23 09:34:37.023: AAA/BIND(0000001E): Bind i/f   
 *Jul 23 09:34:37.023: AAA/AUTHEN/LOGIN (0000001E): Pick method list 'default' 
 Password: 
NB>

Notice that it did not try to reach the TACACS server, because the username cisco was found locally.
Now try a credential that is not configured locally on the box:

NB#telnet 192.168.1.2 
 Trying 192.168.1.2 ... Open 
 User Access Verification 
 Username: 
 *Jul 23 09:36:01.099: AAA/BIND(0000001F): Bind i/f   
 *Jul 23 09:36:01.099: AAA/AUTHEN/LOGIN (0000001F): Pick method list 'default' 
 Username: cisco1 
 *Jul 23 09:36:11.095: TPLUS: Queuing AAA Authentication request 31 for processing 
 *Jul 23 09:36:11.095: TPLUS: processing authentication start request id 31 
 *Jul 23 09:36:11.095: TPLUS: Authentication start packet created for 31(cisco1) 
 *Jul 23 09:36:11.095: TPLUS: Using server 10.20.220.141 
 *Jul 23 09:36:11.095: TPLUS(0000001F)/0/NB_WAIT/47A14C34: Started 5 sec timeout 
 *Jul 23 09:36:16.095: TPLUS(0000001F)/0/NB_WAIT/47A14C34: timed out 
 *Jul 23 09:36:16.095: TPLUS(0000001F)/0/NB_WAIT/47A14C34: timed out, clean up 
 *Jul 23 09:36:16.095: TPLUS(0000001F)/0/47A14C34: Processing the reply packet 
 % Authentication failed

Notice that this time it tries to reach the TACACS server 10.20.220.141. This is the expected default behaviour. There is no username cisco1 configured on the TACACS server, hence the % Authentication failed message.


If the device has AAA Authentication login default group tacacs+ local in the configuration, it's first preference is TACACS. If the TACACS is reachable, but no user has configured on it, it will not fallback and try to search in the local database. It will display% Authentication failed message.
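To make the ordering rule behind both method lists concrete, here is an added Python model (not Cisco code, and not from this post) of how IOS walks a login method list: a method that answers FAIL ends the attempt, and only an ERROR (a server timeout, or a username absent from the local database) hands the request to the next method. The Local and TacacsGroup classes, the scenario helper and the tacuser/tacpw account are constructed for the demo; only the cisco/cisco account mirrors the configuration above.

```python
from dataclasses import dataclass, field
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method authenticated the user
    FAIL = "fail"    # method answered authoritatively: reject, stop here
    ERROR = "error"  # method could not answer: hand over to the next method

@dataclass
class Local:
    users: dict  # constructed demo accounts (plaintext, demo only)

    def authenticate(self, user, pw):
        if user not in self.users:
            return Result.ERROR  # unknown locally -> next method is tried
        return Result.PASS if self.users[user] == pw else Result.FAIL

@dataclass
class TacacsGroup:
    users: dict
    reachable: bool = True
    queries: list = field(default_factory=list)  # usernames sent to the server

    def authenticate(self, user, pw):
        self.queries.append(user)
        if not self.reachable:
            return Result.ERROR  # the 5 s timeout seen in the debug output
        return Result.PASS if self.users.get(user) == pw else Result.FAIL

def login(method_list, user, pw):
    """Walk the list in order; stop at the first PASS or FAIL."""
    for method in method_list:
        result = method.authenticate(user, pw)
        if result is not Result.ERROR:
            return result
    return Result.FAIL  # every method errored out: the login fails

def scenario(order, tacacs_up, user, pw):
    """One login attempt; returns (outcome, usernames the TACACS group saw)."""
    local = Local({"cisco": "cisco"})  # mirrors 'username cisco ... password 0 cisco'
    tacacs = TacacsGroup({"tacuser": "tacpw"}, reachable=tacacs_up)  # assumed account
    methods = [local, tacacs] if order == "local group tacacs+" else [tacacs, local]
    return login(methods, user, pw).value, list(tacacs.queries)
```

Running scenario("group tacacs+ local", True, "cisco", "cisco") reproduces the last paragraph: the reachable server rejects the unknown user and the local account is never consulted.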