aaa authentication login default group radius local
Configures AAA authentication for login using a RADIUS server group as the primary method, falling back to local authentication if the RADIUS server is unreachable.
aaa authentication login default group radius local
When to Use This Command
- Centralized authentication of remote administrators via a RADIUS server with local backup
- Enforcing TACACS+ or RADIUS authentication for console and VTY lines in a secure enterprise network
- Providing fallback authentication when the RADIUS server is down to prevent lockout
- Integrating with Cisco ISE or FreeRADIUS for multi-factor authentication
Command Examples
Basic RADIUS authentication with local fallback
aaa authentication login default group radius local
Router(config)# aaa authentication login default group radius local
Router(config)#
No output is displayed upon successful configuration. The command sets the default login authentication list to first try RADIUS servers defined under 'radius server' or 'aaa group server radius', then fall back to local usernames if RADIUS is unavailable.
Verifying AAA authentication configuration
show running-config | include aaa authentication login
aaa authentication login default group radius local
The output confirms the command is present in the running configuration. The 'default' keyword applies this authentication method to all lines (console, VTY, AUX) unless overridden by a named list.
Understanding the Output
This command does not produce direct output; it modifies the running configuration. To verify, use 'show running-config | section aaa' or 'show aaa sessions'. The key fields in the configuration line are: 'aaa authentication login' (command), 'default' (applies to all lines), 'group radius' (use RADIUS servers), 'local' (fallback to local database). If RADIUS servers are not reachable, the router will prompt for local credentials. A common verification is to test login from a VTY line and observe debug output with 'debug aaa authentication'.
CCNA Exam Tips
CCNA exam tip: The order of methods matters — 'group radius local' tries RADIUS first, then local. Reversing them would check local first.
CCNA exam tip: 'default' applies to all lines unless a named list is applied to a specific line with 'login authentication <name>'.
CCNA exam tip: If RADIUS servers are not configured, the command will still be accepted, but RADIUS authentication will fail and fall back to local.
CCNA exam tip: For CCNA, remember that 'local' uses usernames configured with the 'username' command, while 'enable' uses the enable password.
Common Mistakes
Mistake 1: Forgetting to configure RADIUS server details (e.g., 'radius server' or 'aaa group server radius') — the command will fall back to local but not use RADIUS.
Mistake 2: Using 'local' before 'group radius' — this causes local authentication to be attempted first, defeating the purpose of centralized authentication.
Mistake 3: Not applying the authentication list to VTY lines — if a named list is used instead of 'default', it must be explicitly applied with 'login authentication <name>' under line configuration.
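The three mistakes above can be checked offline against a saved running-config. The script below is an added example, not part of the original page or any Cisco tool: the function names and the sample configuration are constructed for illustration, and matching the legacy 'radius-server host' form in addition to 'radius server' is an assumption about how servers may be defined.

```python
import re

# Constructed running-config for the example (not taken from a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local group radius
aaa authentication login ADMINS group radius local
username admin privilege 15 secret EXAMPLE-ONLY
line con 0
line vty 0 4
 transport input ssh
"""

def parse_methods(text):
    """Split 'group radius local' into ['group radius', 'local']."""
    tokens, methods = text.split(), []
    while tokens:
        tok = tokens.pop(0)
        methods.append(f"group {tokens.pop(0)}" if tok == "group" and tokens else tok)
    return methods

def audit_login_aaa(config):
    """Return (list_name, finding) pairs for the login method lists."""
    lines = [l.rstrip() for l in config.splitlines()]
    lists = {}
    for l in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", l)
        if m:
            lists[m.group(1)] = parse_methods(m.group(2))
    radius_defined = any(re.match(r"radius server \S+|radius-server host \S+", l) for l in lines)
    local_user = any(l.startswith("username ") for l in lines)
    applied = {m.group(1) for l in lines
               if (m := re.match(r"\s+login authentication (\S+)", l))}
    findings = []
    for name, methods in lists.items():
        if "group radius" in methods and not radius_defined:
            findings.append((name, "no RADIUS server defined"))            # Mistake 1
        if ("local" in methods and "group radius" in methods
                and methods.index("local") < methods.index("group radius")):
            findings.append((name, "local is tried before group radius"))  # Mistake 2
        if name != "default" and name not in applied:
            findings.append((name, "named list not applied to any line"))  # Mistake 3
        if "local" in methods and not local_user:
            findings.append((name, "local fallback has no username"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_login_aaa(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

The last check covers the lockout case: a list that ends in 'local' gives no fallback if no 'username' entry exists on the device.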