I received an email from a Cisco user that goes as follows:
Can you use the password configured on a VTY line as the method of authentication when AAA is enabled?
Here is the answer:
A/ Yes, this can be done, and it is in fact a best practice when you have enabled AAA on a device but do not want to apply a separate authentication method list to the VTY or console lines.
Let’s say we enabled AAA on our router as we are planning to configure dot1x authentication in our network.
aaa authentication dot1x test group radius
Cool, we just enabled aaa new-model (a prerequisite for that command), but what does that actually change?
In the background a few things will happen:
As soon as we enable aaa new-model, all of the lines (except for the console) will start using local authentication, even if you have a password set on the VTY lines.
What if we do not have a username or password defined?
Well, you will not be able to log in without one!
So when you enable aaa new-model, make sure you either have a username and password defined locally, or make sure the VTY lines are not going to be authenticated at all. If the lines do have a password configured, make sure that line password is actually the authentication method in use.
Let’s cover both options here:
1) Using no authentication for the lines:
aaa authentication login default none
line vty 0 4
login authentication default
2) Using the line password as the authentication mechanism:
aaa authentication login default line
line vty 0 4
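As an added illustration (not part of the original post), here is a small Python audit that reads an IOS-style configuration and reports, per VTY section, whether the lockout described above would occur, whether the default list leaves the lines open, or whether a usable method (local user, line password, or an external server group) is in place. The sample configs are constructed, and the script assumes the behaviour the post describes: under aaa new-model, lines with no login method list fall back to local authentication.

```python
import re

# Constructed sample config: aaa new-model enabled for dot1x, no local user,
# a password on the VTY lines but no "aaa authentication login" list at all.
LOCKOUT_CFG = """\
aaa new-model
aaa authentication dot1x test group radius
line vty 0 4
 password vtysecret
 login
"""
# Same config plus option 2 from the post: use the line password.
LINE_FIX_CFG = LOCKOUT_CFG + "aaa authentication login default line\n"

def parse_ios(cfg):
    """Split an IOS config into global commands and per-'line' sections."""
    globals_, sections, current = [], {}, None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith('!'):
            continue
        if raw.startswith(' ') and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith('line '):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, sections

def audit_vty(cfg):
    """Map each 'line vty' section to 'ok', 'open' or 'lockout'."""
    globals_, sections = parse_ios(cfg)
    if 'aaa new-model' not in globals_:
        return {}  # classic 'login' / 'login local' behaviour, not covered here
    has_user = any(g.startswith('username ') for g in globals_)
    lists = {}  # "aaa authentication login NAME m1 m2 ..." -> [m1, m2, ...]
    for g in globals_:
        m = re.match(r'aaa authentication login (\S+) (.+)', g)
        if m:
            lists[m.group(1)] = m.group(2).replace('group ', 'group_').split()
    result = {}
    for name, body in sections.items():
        if not name.startswith('line vty'):
            continue
        # Explicit "login authentication NAME", else default, else implicit local
        sel = next((b.split()[-1] for b in body if b.startswith('login authentication ')), 'default')
        methods = lists.get(sel, lists.get('default', ['local']))
        has_pw = any(b.startswith('password ') for b in body)
        usable = [m for m in methods if (m == 'local' and has_user) or (m == 'line' and has_pw)
                  or m == 'none' or m.startswith('group_')]
        result[name] = 'lockout' if not usable else 'open' if methods[0] == 'none' else 'ok'
    return result
```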