Security authentication on VTY lines
The authentication configured on the VTY line of a Cisco IOS device behaves differently when the aaa new-model command is enabled or disabled.
Without aaa new-model, the VTY will behave as follows:
The login command is used to instruct the VTY to ask for credentials when an attempt to log in is made. If the command is simply login then it uses the password configured with the password command under the VTY configuration.
If the command is login local then it asks for a username and password based on the local user database regardless of whether or not the password was used.
If login is used and no password is set, it will still prompt for a password, but access will never be granted.
The following configuration will ask for a password whenever connectivity via Telnet is attempted using the password
line vty 0 4
 password cisco
 login
 transport input all
The following configuration will give Telnet access immediately without asking for any credentials, even though a password is configured.
line vty 0 4
 password cisco
 transport input all
The following configuration will ask for a username and password whenever connectivity via Telnet is attempted. The password cisco is completely ignored, and the local database is used for authentication, using username and password.
line vty 0 4
 password cisco
 login local
 transport input all
The following configuration will prompt for a password because of the login command. The password to be used is the one configured using the password command, but there is no such command here. As a result, such a configuration never allows a user to log in.
line vty 0 4
 login
 transport input all
With aaa new-model enabled, the VTY will behave as follows:
The VTY will always use the local database as the authentication source by default. The password configured within the VTY configuration is ignored. The login local commands are disabled and replaced with a login authentication command which specifies an authentication list (a list of acceptable sources for credentials).
So to answer your question, when you enable aaa new-model, the VTY will always use the local database as the source of credentials, thus it will use the username and password created using the username command in global configuration mode.
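
The rules described in the post above can be applied mechanically to a saved configuration to spot VTY lines that are open or unusable. The following Python is an added example, not part of the original post or any Cisco tool: the function names, verdict labels and sample configuration are constructed, and it assumes the configuration lists login explicitly when it is set, as the post's examples do.

```python
import re

# Constructed sample: the four non-AAA VTY configurations from the post above.
SAMPLE = """\
line vty 0 4
 password cisco
 login
 transport input all
line vty 5 9
 password cisco
 transport input all
line vty 10 12
 password cisco
 login local
line vty 13 15
 login
"""

def _verdict(cmds, aaa):
    """Apply the post's rules to the sub-commands of one 'line vty' block."""
    if aaa:
        for c in cmds:
            m = re.fullmatch(r"login authentication (\S+)", c)
            if m:
                return "aaa-list:" + m.group(1)
        return "local-users"            # VTY password is ignored under AAA
    if "login local" in cmds:
        return "local-users"            # VTY password is ignored
    if "login" in cmds:
        has_password = any(c.startswith("password ") for c in cmds)
        return "line-password" if has_password else "locked-out"
    return "no-authentication"          # no login command: no prompt at all

def classify_vty(config):
    """Return {vty block header: verdict} for an IOS-style configuration."""
    lines = [l for l in config.splitlines() if l.strip() and not l.strip().startswith("!")]
    aaa = any(l.strip() == "aaa new-model" for l in lines)
    blocks, current = {}, None
    for raw in lines:
        if not raw[0].isspace():        # a top-level command closes any open block
            current = blocks.setdefault(raw.strip(), []) if raw.startswith("line vty ") else None
        elif current is not None:
            current.append(raw.strip())
    return {name: _verdict(cmds, aaa) for name, cmds in blocks.items()}

if __name__ == "__main__":
    for name, verdict in classify_vty(SAMPLE).items():
        print(f"{name}: {verdict}")
```

Lines reported as no-authentication or locked-out are the ones to review first: the former grants access without credentials and the latter can never be logged in to.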