aaa new-model
Enables AAA (Authentication, Authorization, and Accounting) security services on a Cisco device, required before configuring any AAA commands.
aaa new-model
When to Use This Command
- Enabling AAA to configure local authentication for console and VTY lines on a small office router.
- Setting up AAA with a RADIUS server for centralized user authentication in an enterprise network.
- Enabling AAA to implement command authorization for privilege levels on a production router.
- Preparing to configure accounting to log user commands for compliance auditing.
Command Examples
Enable AAA and configure local authentication
Router(config)# aaa new-model
Router(config)#
The command enables AAA. No output is shown if successful; the prompt returns to global config mode. After this, AAA commands become available.
Enable AAA with a warning about default login
Router(config)# aaa new-model
WARNING: Default login authentication list is now 'default'. Use 'login authentication default' to configure.
Router(config)#
The warning indicates that after enabling AAA, the default login authentication method changes. You must configure an authentication list to avoid lockout.
Understanding the Output
The 'aaa new-model' command itself produces no persistent output. However, it immediately changes the device's behavior: all login authentication defaults to a local database or configured method. The warning message (if seen) reminds you to define an authentication list. After enabling, you must configure at least one authentication method (e.g., 'aaa authentication login default local') or risk being locked out. Always verify with 'show running-config | include aaa' to confirm AAA is enabled.
CCNA Exam Tips
CCNA exam tip: 'aaa new-model' must be entered before any other AAA command; it's a prerequisite.
CCNA exam tip: After enabling AAA, the default login authentication becomes 'default' — if not configured, you may be locked out.
CCNA exam tip: The exam may test that 'aaa new-model' is required for RADIUS/TACACS+ configuration.
CCNA exam tip: Remember that 'aaa new-model' affects all lines (console, VTY, AUX) immediately.
Common Mistakes
Mistake 1: Forgetting to configure an authentication list after 'aaa new-model', causing lockout.
Mistake 2: Enabling AAA but not applying 'login authentication' to lines, leaving them with no authentication.
Mistake 3: Using 'aaa new-model' without understanding it changes default login behavior, leading to unexpected access issues.
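An offline check for the lockout conditions described above, as an added example that is not part of the original page or any Cisco tooling. It assumes the output of 'show running-config' has been saved as text; the sample config and the list names VTY-AUTH and MGMT are constructed for illustration.

```python
import re

# Constructed sample, not captured from a real device.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login VTY-AUTH group radius
!
line con 0
line vty 0 4
 login authentication VTY-AUTH
line aux 0
 login authentication MGMT
"""

def audit_aaa(config: str) -> list[str]:
    """Return lockout-risk findings for an IOS-style running-config."""
    findings = []
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        return ["aaa new-model is absent: AAA is not enabled"]
    # Map each login method list name to its ordered methods.
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        lists[m.group(1)] = m.group(2).split()
    if "default" not in lists:
        findings.append("no 'aaa authentication login default' list is defined")
    for name, methods in lists.items():
        if "group" in methods and "local" not in methods:
            findings.append(f"list '{name}' has no local fallback if the server is unreachable")
    # Walk the line blocks. Assumption: a line without its own
    # 'login authentication' command uses the list named 'default'.
    current, applied = None, {}
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            applied[current] = "default"
        elif current and raw.startswith(" "):
            m = re.match(r"\s+login authentication (\S+)", raw)
            if m:
                applied[current] = m.group(1)
        else:
            current = None
    for line, name in applied.items():
        if name not in lists:
            findings.append(f"{line} uses list '{name}', which is not defined")
    return findings
```

Running audit_aaa(SAMPLE_CONFIG) reports four findings; a config that defines 'aaa authentication login default group radius local' and leaves the lines on the default list reports none.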
Related Commands
aaa authentication login default group radius local
Configures AAA authentication for login using a RADIUS server group as the primary method, falling back to local authentication if the RADIUS server is unreachable.
show running-config
Displays the current active configuration in DRAM, showing all non-default settings.