
auth-order

system aaa auth-order—Configure the order in which the software tries different authentication methods when verifying user access to an overlay network device through an SSH session or a console port. When verifying a user's login credentials, the software starts with the method listed first. Then, if the login credentials do not match, it tries the next authentication method.

To configure the authentication for the "admin" user, use the admin-auth-order command.

The default authentication order is local, then radius, and then tacacs. With the default authentication order, the authentication process occurs in the following sequence:

  • The authentication process first checks whether a username and matching password are present in the running configuration on the local device.
  • If local authentication fails, and if you have not configured authentication fallback (with the auth-fallback command), the authentication process stops. However, if you have configured authentication fallback, the authentication process next checks the RADIUS server. For this method to work, you must configure one or more RADIUS servers with the system radius server command. If a RADIUS server is reachable, the user is authenticated or denied access based on that server's RADIUS database. If a RADIUS server is unreachable and if you have configured multiple RADIUS servers, the authentication process checks each server sequentially, stopping when it is able to reach one of them. The user is then authenticated or denied access based on that server's RADIUS database.
  • If the RADIUS server is unreachable (or all the servers are unreachable), the authentication process checks the TACACS+ server. For this method to work, you must configure one or more TACACS+ servers with the system tacacs server command. If a TACACS+ server is reachable, the user is authenticated or denied access based on that server's TACACS+ database. If a TACACS+ server is unreachable and if you have configured multiple TACACS+ servers, the authentication process checks each server sequentially, stopping when it is able to reach one of them. The user is then authenticated or denied access based on that server's TACACS+ database.
  • If the TACACS+ server is unreachable (or all TACACS+ servers are unreachable), user access to the local Viptela device is denied.
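
The sequence above, modeled as an added example (not Viptela code) so the outcome of each combination of auth-fallback and server reachability can be checked. The function names, data layout and sample accounts are assumptions, and only the default order (local, radius, tacacs) is covered.

```python
# Model of the default auth-order sequence (local, radius, tacacs) described
# above. All names and sample data are constructed for illustration.
import hmac

def first_reachable(servers):
    """Return the first reachable server in configured order, or None."""
    return next((s for s in servers if s["reachable"]), None)

def check(db, user, password):
    """Compare a password against a username -> password mapping."""
    stored = db.get(user)
    return stored is not None and hmac.compare_digest(
        stored.encode(), password.encode())

def authenticate(user, password, local_users, radius, tacacs, auth_fallback):
    """Return (granted, deciding_method) for one login attempt."""
    # Local username and password in the running configuration come first.
    if check(local_users, user, password):
        return True, "local"
    # Without auth-fallback the process stops after a local failure.
    if not auth_fallback:
        return False, "local"
    # The first reachable RADIUS server gives the final answer; TACACS+ is
    # consulted only when every RADIUS server is unreachable.
    for method, servers in (("radius", radius), ("tacacs", tacacs)):
        server = first_reachable(servers)
        if server is not None:
            return check(server["users"], user, password), method
    # No remote server could be reached, so access is denied.
    return False, "none-reachable"

# Constructed sample data.
LOCAL = {"netops": "local-pw"}
RADIUS = [{"reachable": False, "users": {}},
          {"reachable": True, "users": {"alice": "radius-pw"}}]
RADIUS_DOWN = [{"reachable": False, "users": {}}]
TACACS = [{"reachable": True, "users": {"bob": "tacacs-pw"}}]
TACACS_DOWN = [{"reachable": False, "users": {}}]

if __name__ == "__main__":
    for user, pw, rad, tac, fb in [
            ("alice", "radius-pw", RADIUS, TACACS, False),
            ("alice", "radius-pw", RADIUS, TACACS, True),
            ("bob", "tacacs-pw", RADIUS, TACACS, True),
            ("bob", "tacacs-pw", RADIUS_DOWN, TACACS, True),
            ("bob", "tacacs-pw", RADIUS_DOWN, TACACS_DOWN, True)]:
        print(user, "fallback=%s" % fb, authenticate(user, pw, LOCAL, rad, tac, fb))
```

The third case is the one to note when auditing a deployment: an account that exists only on the TACACS+ server is denied while any RADIUS server is reachable.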

You can configure one, two, or three authentication methods in the preferred order, starting with the one to be tried first. If you configure only one authentication method, it must be local.

In Releases 17.1 and earlier, when you log in as "admin" from a console port, you are authenticated locally. No other authentication methods can be used.

vManage Feature Template

For all Viptela devices:

Configuration ► Templates ► AAA

Command Hierarchy

system
  aaa
    auth-order (local | radius | tacacs)

Options

Default Authentication Order
The default authentication order is local, then radius, and then tacacs.
Locally Configured Username and Password
local
Verify users based on the username and password configured on the local overlay network device. If you specify only one authentication method, it must be local.
RADIUS Authentication
radius
Verify users based on usernames and passwords configured on a RADIUS server. RADIUS authentication is performed only if a RADIUS server is configured with the system radius server command.
TACACS+ Authentication
tacacs
Verify users based on usernames and passwords configured on a TACACS+ server. TACACS+ authentication is performed only if a TACACS+ server is configured with the system tacacs server command.

Operational Commands

show aaa usergroup
show users

Example

Set the authentication order to be RADIUS first, followed by local authentication:

Viptela# config
Entering configuration mode terminal
Viptela(config)# system aaa auth-order radius local
Viptela(config-aaa)# commit and-quit
Commit complete.
Viptela# show running-config system aaa
system
 aaa
  auth-order radius local
 !
!

Release Information

Command introduced in Viptela Software Release 14.1.
In Release 17.2, added support for the authentication order process for console connections.
