
AAA Authentication Locking Out Administrative Access

Presenting Symptom

After configuring AAA authentication on a Cisco router, the network engineer is unable to log in via SSH or console, receiving 'Authentication failed' errors even with correct credentials.

Network Context

The scenario occurs in a small branch office with a single Cisco ISR 4321 router running IOS XE 16.9. The router provides WAN connectivity and is managed remotely via SSH. The engineer recently enabled AAA new-model and configured local authentication with a fallback to a RADIUS server, but inadvertently locked out all administrative access.

Diagnostic Steps

1. Attempt console access with correct credentials

Connect via console cable and try logging in with a known username and password:

    User Access Verification
    Username: admin
    Password:
    % Authentication failed

If authentication fails even on the console, the AAA configuration is likely misapplied, possibly with no local fallback or an incorrect local username database.

2. Check the AAA configuration via ROMmon (password recovery)

Perform the password recovery procedure to reach ROMmon, then boot without the startup-config: confreg 0x2142, reset, and after boot copy startup-config running-config.

    Router#

Bypassing startup-config allows access. The running config will show the AAA configuration that caused the lockout.

3. Examine the AAA authentication configuration

    show running-config | section aaa
    aaa new-model
    aaa authentication login default local group radius
    aaa authentication login CONSOLE local
    line con 0
     login authentication CONSOLE
    line vty 0 4
     login authentication default

The default login method list is 'local group radius'; if RADIUS is unreachable and local authentication fails (for example, because no local user is defined), access is denied. The console line uses a separate method list, CONSOLE, which relies on the local database alone; it should work, but with the same misconfiguration it fails as well.

4. Verify the local user database

    show running-config | include username
    username admin privilege 15 secret 5 $1$xxxxx

If no username is defined, local authentication has no valid users. The 'local' method will fail, and if RADIUS is unreachable, authentication fails entirely.

Root Cause

The AAA authentication configuration uses 'aaa authentication login default local group radius', but no local username is configured and the RADIUS server is unreachable. Additionally, the console line is configured with 'login authentication CONSOLE', a list that also uses the 'local' method; again no local user exists, so every access method is locked out.

Resolution

1. Reload the router with 'confreg 0x2142' to bypass the startup-config, then copy startup-config running-config.
2. Configure a local user with privilege 15: 'username admin privilege 15 secret cisco123'
3. Ensure the AAA authentication method list includes local as a fallback: 'aaa authentication login default local group radius' (local first) or 'aaa authentication login default group radius local' (local as fallback).
4. Apply authentication to the console: 'line con 0' -> 'login authentication default' (or keep a separate list, but ensure local works).
5. Save the config: 'copy running-config startup-config'
6. Reset the config register to normal: 'config-register 0x2102' and reload.

Verification

1. 'show running-config | section aaa' should show the correct method lists.
2. 'show running-config | include username' should show the local user.
3. Test login via console and SSH: both should succeed with the configured credentials.

Prevention

1. Always configure at least one local user with privilege 15 before enabling 'aaa new-model'.
2. Use 'local' as the first method in the authentication list to ensure a fallback if remote servers are unreachable.
3. Test the AAA configuration from a separate management session before disconnecting.
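A pre-change check in the spirit of prevention step 3, added here as an example that is not part of the original page or any Cisco tool: it scans running-config text for the conditions that caused this lockout (no local user, method lists without a local fallback, lines referencing undefined lists). The sample configs are constructed from the scenario output, and the function names are my own.

```python
import re

# Constructed sample: the "show running-config | section aaa" output from the
# scenario, with no username line, i.e. the locked-out state.
LOCKED_OUT_CONFIG = """\
aaa new-model
aaa authentication login default local group radius
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
"""

# Constructed sample: the same config after the resolution (local user added).
FIXED_CONFIG = "username admin privilege 15 secret 5 $1$xxxxx\n" + LOCKED_OUT_CONFIG

# Methods that do not depend on a remote server being reachable.
LOCAL_METHODS = {"local", "local-case", "none"}

def _methods(spec: str) -> list[str]:
    """Turn 'local group radius' into ['local', 'group radius']."""
    toks, out = spec.split(), []
    while toks:
        t = toks.pop(0)
        out.append(f"group {toks.pop(0)}" if t == "group" and toks else t)
    return out

def audit_aaa_lockout(config: str) -> list[str]:
    """Return lockout risks found in IOS running-config text (empty = looks safe)."""
    lines = [l.rstrip() for l in config.splitlines()]
    if "aaa new-model" not in lines:
        return []  # AAA off: line passwords apply, nothing to audit here
    findings = []
    if not any(l.startswith("username ") for l in lines):
        findings.append("no local username: every 'local' method will fail")
    lists = {}  # method-list name -> ordered methods
    for l in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)$", l)
        if m:
            lists[m.group(1)] = _methods(m.group(2))
    for name, methods in lists.items():
        if not (LOCAL_METHODS & set(methods)):
            findings.append(f"list {name} has no local fallback: {methods}")
    current = None  # track which 'line ...' block we are inside
    for l in lines:
        if l.startswith("line "):
            current = l
        elif current and l.strip().startswith("login authentication "):
            ref = l.split()[-1]
            if ref != "default" and ref not in lists:  # 'default' is implicit
                findings.append(f"{current} references undefined list {ref}")
    return findings
```

Run it against the candidate config before applying it, and only proceed when it returns no findings.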

CCNA Exam Relevance

On the CCNA 200-301 exam, AAA lockout scenarios appear in troubleshooting questions, often as multiple-choice or drag-and-drop ordering of steps. The exam tests understanding of AAA authentication methods, the importance of local fallback, and the password recovery procedure. Key fact: AAA new-model can lock out administrators if not configured with a local user and proper fallback.

Exam Tips

1. Remember that 'aaa new-model' immediately applies to all login methods; always have a local user configured first.
2. The password recovery procedure (config-register 0x2142) is a common exam topic for regaining access after an AAA lockout.
3. Know the difference between 'login authentication default' and 'login authentication LISTNAME' and how to apply them to lines.
