Security authentication on VTY lines

The authentication configured on the VTY line of a Cisco IOS device behaves differently when the aaa new-model command is enabled or disabled.

Without aaa new-model, the VTY will behave as follows:

The login command instructs the VTY to ask for credentials when a login attempt is made. If the command is simply login, the VTY uses the password configured with the password command under the VTY configuration.

If the command is login local, the VTY asks for a username and password from the local user database, regardless of whether or not the password command was used.

Note that if login is used and no password is set, the VTY will still prompt for a password, but access will never be granted.

The following configuration will ask for a password whenever a Telnet connection is attempted. The password to enter is cisco.

line vty 0 4
 password cisco
 login
 transport input all

The following configuration will give Telnet access immediately without asking for any credentials, even though a password is configured.

line vty 0 4
 password cisco
 transport input all

The following configuration will ask for a username and password whenever a Telnet connection is attempted. The password cisco is completely ignored, and the local database is used for authentication, with the usernames and passwords it contains.

line vty 0 4
 password cisco
 login local
 transport input all

The following configuration will prompt for a password because of the login command. The password to be used is the one configured using the password command, but there is no such command here. As a result, such a configuration never allows a user to log in.

line vty 0 4
 login
 transport input all

With aaa new-model enabled, the VTY will behave as follows:

The VTY will always use the local database as the authentication source by default. The password configured within the VTY configuration is ignored. The login and login local commands are disabled and replaced with a login authentication command which specifies an authentication list (a list of acceptable sources for credentials).

So to answer your question, when you enable aaa new-model, the VTY will always use the local database as the source of credentials, thus it will use the username and password created using the username command in global configuration mode.

https://forum.networklessons.com/t/aaa-authentication-on-cisco-ios/1558/63?u=lagapides

https://networklessons.com/cisco/ccna-200-301//aaa-authentication-on-cisco-ios#Cisco_IOS
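
As an added example (not from the original post or from Cisco), the following Python script applies the rules described above to a saved configuration and reports how each VTY block authenticates, which makes the "no credentials" and "nobody can log in" cases easy to spot in an audit. The function names, verdict labels and sample configuration are constructed for illustration, and a block with no login command is treated as in the second example above.

```python
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
username admin secret example
line vty 0 4
 password cisco
 transport input all
line vty 5 15
 login
 transport input all
"""

def classify_vty(config):
    """Return {vty_range: verdict} using the rules described on this page."""
    lines = config.splitlines()
    aaa = any(l.strip() == "aaa new-model" for l in lines)
    blocks, current = {}, None
    for line in lines:
        m = re.match(r"line vty (\d+(?: \d+)?)\s*$", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())  # sub-command of the open VTY block
        else:
            current = None  # any other top-level line ends the block
    return {rng: _verdict(cmds, aaa) for rng, cmds in blocks.items()}

def _verdict(cmds, aaa):
    if aaa:
        # With aaa new-model the line password is ignored; a named list may apply.
        for c in cmds:
            if c.startswith("login authentication "):
                return "aaa-list:" + c.split()[2]
        return "local-database"
    has_password = any(c.startswith("password ") for c in cmds)
    if "login local" in cmds:
        return "local-database"      # line password ignored
    if "login" in cmds:
        return "line-password" if has_password else "locked-out"
    return "no-authentication"       # access granted without credentials

if __name__ == "__main__":
    for rng, verdict in classify_vty(SAMPLE).items():
        print(f"line vty {rng}: {verdict}")
```
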