Configuring CLI Authentication on a Cisco Router

Example 5-12 Configuring a RADIUS Server
R2(config)#aaa new-model
R2(config)#radius-server host 10.3.3.3
R2(config)#radius-server key R@D_key1

Configuring CLI Authentication on a Cisco Router

Example 5-13 shows how to configure character mode AAA to authenticate
a CLI session on a router’s console and vty ports. In this example, a user on
the console port will be authenticated using the AAA list called
CUSTOM_LIST. The user will be authenticated against the TACACS+
server if it is available. If it is unavailable, the enable secret or enable password
will be accepted instead. A user on one of the vty lines, on the other
hand, will be authenticated using the default list. The default list authenticates
first against the TACACS+ server (if it is available). If the server is
unavailable, the vty user will be authenticated against the local
username/password database. If a security server is the sole authentication
method, you could get locked out of the router in the event that the security
server is unavailable. For this reason, it is important to use either local
authentication or enable password authentication as a fallback method.

Example 5-13 Configuring AAA CLI Authentication
R2(config)#aaa new-model
R2(config)#aaa authentication login default group tacacs+ local
R2(config)#aaa authentication login CUSTOM_LIST group tacacs+ enable
R2(config)#line con 0
R2(config-line)#login authentication CUSTOM_LIST
R2(config-line)#exit
R2(config)#line vty 0 4
R2(config-line)#login authentication default
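
The lockout risk described above can be checked mechanically before a change is committed. The following Python sketch is an added example, not part of the original text. It reads a configuration (with or without CLI prompts), collects the login method lists, and reports every line whose list contains only server groups and therefore has no fallback on the router itself. The function names, the SERVER_ONLY list and its use on line aux 0 are hypothetical.

```python
import re

# Constructed input: the first two lists and the con/vty lines mirror
# Example 5-13; SERVER_ONLY on "line aux 0" is invented as a failing case.
SAMPLE_CONFIG = """\
R2(config)#aaa new-model
R2(config)#aaa authentication login default group tacacs+ local
R2(config)#aaa authentication login CUSTOM_LIST group tacacs+ enable
R2(config)#aaa authentication login SERVER_ONLY group tacacs+
R2(config)#line con 0
R2(config-line)#login authentication CUSTOM_LIST
R2(config-line)#line vty 0 4
R2(config-line)#login authentication default
R2(config-line)#line aux 0
R2(config-line)#login authentication SERVER_ONLY
"""

PROMPT = re.compile(r"^\S+\(config[^)]*\)#")  # strips "R2(config)#" style prompts

def commands(config):
    """Yield each command with any CLI prompt and indentation removed."""
    for raw in config.splitlines():
        cmd = PROMPT.sub("", raw.strip()).strip()
        if cmd:
            yield cmd

def parse_method_lists(config):
    """Map list name -> ordered methods; 'group tacacs+' counts as one method."""
    lists = {}
    for cmd in commands(config):
        m = re.match(r"aaa authentication login (\S+) (.+)", cmd)
        if m:
            lists[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))
    return lists

def audit(config):
    """Return (line, list, methods) for lines whose list has only server groups."""
    lists, current, findings = parse_method_lists(config), None, []
    for cmd in commands(config):
        if cmd.startswith("line "):
            current = cmd  # remember which line block we are inside
        m = re.match(r"login authentication (\S+)", cmd)
        methods = lists.get(m.group(1)) if m else None
        if methods and all(x.startswith("group ") for x in methods):
            findings.append((current, m.group(1), methods))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

The two lists from Example 5-13 pass because each ends in an on-box method (local or enable); only the constructed SERVER_ONLY list is reported.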