Security authentication on VTY lines
The authentication configured on the VTY lines of a Cisco IOS device behaves differently depending on whether the aaa new-model command is enabled or disabled.

Without aaa new-model, the VTY behaves as follows:
The login command instructs the VTY to ask for credentials when a login is attempted. If the command is simply login, the VTY checks the password configured with the password command under the VTY configuration.

If the command is login local, the VTY asks for a username and password and checks them against the local user database, regardless of whether the password command was used.

Note that if login is used and no password is set, the VTY will still prompt for a password, but access will never be granted.
The following configuration will ask for a password whenever connectivity via Telnet is attempted, using the password cisco:

line vty 0 4
 password cisco
 login
 transport input all

The following configuration will give Telnet access immediately without asking for any credentials, even though a password is configured, because the login command is missing:

line vty 0 4
 password cisco
 transport input all

The following configuration will ask for a username and password whenever connectivity via Telnet is attempted. The password cisco is completely ignored, and the local database (username and password) is used for authentication:

line vty 0 4
 password cisco
 login local
 transport input all

The following configuration will prompt for a password because of the login command. The password to be checked is the one configured with the password command, but there is no such command here. As a result, this configuration never allows a user to log in:

line vty 0 4
 login
 transport input all
With aaa new-model enabled, the VTY behaves as follows:

The VTY will always use the local database as the authentication source by default. The password configured within the VTY configuration is ignored. The login and login local commands are disabled and replaced with the login authentication command, which specifies an authentication list (a list of acceptable sources for credentials).

So to answer your question, when you enable aaa new-model, the VTY will always use the local database as the source of credentials, so it will use the username and password created with the username command in global configuration mode.
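The behaviour described above can be turned into a small configuration audit. The following Python script is an added example, not part of the original answer or of any Cisco tool: it parses the line vty blocks of a running-config excerpt, applies the rules from this answer (no login means open access, login without password means nobody can ever log in, login local or aaa new-model means the local user database, and login authentication under aaa new-model names a method list), and reports which state each VTY range is in. The sample configurations, the usernames and the MGMT list name are constructed for the example; the named-list case goes one step beyond the answer's examples but follows the login authentication command it describes.

```python
import re

# Constructed running-config excerpts for the audit (not taken from the page).
SAMPLE_CONFIGS = {
    "open_telnet": """
line vty 0 4
 password cisco
 transport input all
""",
    "line_password": """
line vty 0 4
 password cisco
 login
 transport input all
""",
    "locked_out": """
line vty 0 4
 login
 transport input all
""",
    "local_users": """
username admin secret 5 $PLACEHOLDER-HASH$
line vty 0 4
 password cisco
 login local
 transport input all
""",
    "aaa_default": """
aaa new-model
username admin secret 5 $PLACEHOLDER-HASH$
line vty 0 4
 password cisco
 transport input all
""",
    "aaa_named_list": """
aaa new-model
aaa authentication login MGMT group tacacs+ local
line vty 0 4
 login authentication MGMT
 transport input ssh
""",
}

# Which states a reviewer should look at first.
RISK = {
    "no-auth": "CRITICAL: Telnet/SSH access granted without any credentials",
    "locked-out": "WARNING: login set but no password, remote access impossible",
    "line-password": "INFO: shared line password, no per-user accountability",
    "local-users": "OK: local username database",
}


def parse_config(text):
    """Return (aaa_new_model_enabled, [(line_name, [sub-commands]), ...])."""
    aaa_new_model = False
    blocks = []
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        # Indented lines belong to the most recent 'line vty' block.
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
            continue
        current = None
        cmd = raw.strip()
        if cmd == "aaa new-model":
            aaa_new_model = True
        elif cmd.startswith("line vty"):
            current = (cmd, [])
            blocks.append(current)
    return aaa_new_model, blocks


def classify_vty(subcommands, aaa_new_model):
    """Apply the answer's rules to one VTY block and name its auth state."""
    has_password = any(c.startswith("password ") for c in subcommands)
    if aaa_new_model:
        # Line password is ignored; a named list wins, else local database.
        for c in subcommands:
            m = re.match(r"login authentication (\S+)$", c)
            if m:
                return "aaa-list:" + m.group(1)
        return "local-users"
    if "login local" in subcommands:
        return "local-users"
    if "login" in subcommands:
        return "line-password" if has_password else "locked-out"
    return "no-auth"


def audit(text):
    """Map each 'line vty ...' block in the config text to its auth state."""
    aaa_new_model, blocks = parse_config(text)
    return {name: classify_vty(subs, aaa_new_model) for name, subs in blocks}


if __name__ == "__main__":
    for label, cfg in SAMPLE_CONFIGS.items():
        for line_name, state in audit(cfg).items():
            note = RISK.get(state, "OK: AAA method list " + state.split(":", 1)[1])
            print(f"{label:15} {line_name:12} {state:16} {note}")
```

Run it as a script to see the six constructed cases side by side; the first two lines of output (open_telnet and locked_out) are the two misconfigurations the answer warns about, one granting access to anyone and the other locking everyone out.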
Links
https://networklessons.com/cisco/ccna-200-301//aaa-authentication-on-cisco-ios#Cisco_IOS