Disabling TACACS+ Authentication on a Particular Line

Disabling TACACS+ Authentication on a Particular Line

Problem

You want to disable TACACS+ authentication on your router's console interface.

Solution

You can disable TACACS+ authentication on the router's console port, while leaving it active on the rest of the router lines:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default group tacacs+ local
Router1(config)#aaa authentication login OREILLY line
Router1(config)#line con 0
Router1(config-line)#login authentication OREILLY
Router1(config-line)#end
Router1#

Discussion

By default, when you configure a router to use AAA authentication, it automatically applies this authentication method to all lines. This means that you don't have to explicitly configure each line to use AAA authentication. Normally this default behavior is useful because it requires less configuration. But there are times when you may want to use different authentication methods on different lines. For instance, in our example we wanted to be able to access the router's console line with a simple password. But we didn't want this change to affect the AAA authentication on any of the VTY or AUX lines.

The first two lines in the example simply enable TACACS+ authentication for all login access to the router:

Router1(config)#aaa new-model
Router1(config)#aaa authentication login default group tacacs+ local

As soon as you enter these commands, every line on the router, including the console, will begin to use TACACS+ for authentication. The next command creates a new AAA authentication group called OREILLY that uses the local line password for authentication:

Router1(config)#aaa authentication login OREILLY line

This command doesn't do anything yet, though, because none of the router's lines belongs to this new authorization group. So we have to then configure the console line with the login authentication OREILLY command to associate this line with the authentication group:

Router1(config)#line con 0
Router1(config-line)#login authentication OREILLY

Now, when a user connects on the console, she uses the type of authentication specified for this group. In this case, if you look back at the group definition, you will see that the OREILLY group uses line authentication. However, because we have only associated the console line with this group, all of the other lines continue to use the TACACS+ authentication method.

If you wanted to, you could configure a different group for every line. But in general, we recommend using the default TACACS+ authentication method on all lines, even the console, unless there is a compelling reason to do otherwise. You don't need to worry about losing console access because of the central server, because you can always implement a password of last resort, as described in Recipe 4.3.

You can return the console to the default authentication group by simply changing the login authentication line again:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#line con 0
Router1(config-line)#login authentication default
Router1(config-line)#end
Router1#

See Also