Configuring AAA Authentication and AAA Authorization for Vty Lines

To configure AAA new model authentication and authorization for inbound sessions to vty lines on your router:

Note: Before you configure AAA authentication and AAA authorization, you need to configure a RADIUS and/or TACACS+ authentication server. Note that several of the steps in the configuration procedure are optional.

  1. Specify AAA new model authentication.
    host1(config)#aaa new-model
  2. Create an authentication list that specifies the types of authentication methods allowed.
    host1(config)#aaa authentication login my_auth_list tacacs+ line enable
  3. (Optional) Specify the privilege level by defining a method list for authentication.
    host1(config)#aaa authentication enable default tacacs+ radius enable
  4. (Optional) Enable authorization, and create an authorization method list.
    host1(config)#aaa authorization commands 15 boston if-authenticated tacacs+
  5. (Optional) Disable authorization for all Global Configuration commands.
    host1(config)#no aaa authorization config-commands
  6. Specify the range of vty lines.
    host1(config)#line vty 6 10
    host1(config-line)#
  7. (Optional) Apply an authorization list to a vty line or a range of vty lines.
    host1(config-line)#authorization commands 15 boston
  8. Specify the password for the vty lines.
    host1(config-line)#password xyz
  9. Apply the authentication list to the vty lines you specified on your router.
    host1(config-line)#login authentication my_auth_list
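
The following check is an added example, not part of the original documentation or of the router software. It audits a saved list of the commands above to confirm that every vty range has an authentication list applied, that each list it references is defined, and that a range has a password when its list includes the line method. The input format (commands with prompts stripped) and the function name audit are assumptions, as is the premise that the line method checks the password set in step 8.

```python
# Constructed sample input: the commands from the steps above with prompts
# stripped, plus a second vty range whose list name is misspelled.
SAMPLE = """\
aaa new-model
aaa authentication login my_auth_list tacacs+ line enable
aaa authorization commands 15 boston if-authenticated tacacs+
line vty 6 10
authorization commands 15 boston
password xyz
login authentication my_auth_list
line vty 11 12
login authentication my_auth_lst
"""

def audit(config):
    """Return findings about vty AAA settings in a list of entered commands."""
    authn, authz, vtys, cur, new_model = {}, set(), [], None, False
    for raw in config.splitlines():
        cmd = raw.split()
        if cmd == ["aaa", "new-model"]:
            new_model = True
        elif cmd[:3] == ["aaa", "authentication", "login"] and len(cmd) > 3:
            authn[cmd[3]] = cmd[4:]              # list name -> ordered methods
        elif cmd[:3] == ["aaa", "authorization", "commands"] and len(cmd) > 4:
            authz.add((cmd[3], cmd[4]))          # (privilege level, list name)
        elif cmd[:2] == ["line", "vty"]:
            cur = {"range": " ".join(cmd[2:]), "login": None, "authz": [], "pw": False}
            vtys.append(cur)
        elif cur is not None and cmd[:2] == ["login", "authentication"] and len(cmd) > 2:
            cur["login"] = cmd[2]
        elif cur is not None and cmd[:2] == ["authorization", "commands"] and len(cmd) > 3:
            cur["authz"].append((cmd[2], cmd[3]))
        elif cur is not None and cmd[:1] == ["password"]:
            cur["pw"] = True
    findings = [] if new_model else ["aaa new-model is not configured"]
    for v in vtys:
        where = "line vty " + v["range"]
        if v["login"] is None:
            findings.append(where + ": no login authentication list applied")
        elif v["login"] not in authn:
            findings.append(where + ": authentication list '%s' is not defined" % v["login"])
        elif "line" in authn[v["login"]] and not v["pw"]:  # assumed: line method needs the vty password
            findings.append(where + ": list uses the line method but no password is set")
        for level, name in v["authz"]:
            if (level, name) not in authz:
                findings.append(where + ": authorization list '%s' (level %s) is not defined" % (name, level))
    return findings
```

Calling audit(SAMPLE) reports only the misspelled list on line vty 11 12; the range configured exactly as in the steps above produces no findings.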
