AAA new-model – What does it do?

To enable AAA we need the AAA new-model command but what does it really do? Many of us makes assumptions about this command.

By default if we have an empty config then we will be able to use the console and get straight into enable mode (priv15). If we try to telnet in (VTY) then we can’t login since no password has been set. If we set a password then we can login to priv 1 but we won’t be able to enable since no enable password has been set.

When configuring AAA we use method lists. We can use the list called ‘default’ or create our own. The sneaky thing about aaa new-model is that when we enable this the ‘default’ list goes active which is applied to the VTY. What surprised me is that this is not applied to the console. Someone had a theory that Cisco wanted to apply it to both console and VTY but too many users got locked out of their routers so they had to back on this implementation, true or not, I don’t know.

When aaa new-model has been enabled the device will ask for local authentication. If we haven’t defined any users then no access for you (VTY-nazi). Console will still work though, we will have to enable to enter priv 15 as usual.
Now if we define a user we will be able to login remotely as well, we do need to configure an enable password to get into priv 15 though.

For the lab I have seen that if people get a task with AAA they will create a new method list with no authentication and no authorization and apply it to the console and VTY. As I pointed out we should not have to enable this to the console but better safe than sorry I guess. This can be configured in the following way:

aaa new-model
aaa authentication login VTY none
aaa authorization exec VTY non
line con 0
login authentication VTY
authorization exec VTY
line vty 0 4
line authentication VTY
authorization exec VTY

How would you configure this, what do you do in real life? Post in comments.

6 thoughts on “AAA new-model – What does it do?”

  1. I wouldn’t use the “none” option at the end of the aaa commands. I would either use local or point it to a server group if I have access to ACS. The none if I remember correctly is not checking against configured users.

  2. By using no aaa nem-model I delete aaa, and then i can not enter to router through telnet or ssh, but i have to enter. I do not know what to do , please help

  3. After enabling ” AAA new-model ” you have to set Username CISCO Password CISCO
    SET #crypto key generate rsa
    set byte-#1024
    youwill get message

    #ssh enabled

    #line vty 0 4
    #transport input all/ssh
    #passward cisco


  4. This is what I use.

    username priv 15 secret
    ip domain-name
    crypto key generate rsa

    aaa new model
    aaa authentication login default local
    aaa authentication enable default enable

    line vty 0 4
    transport input ssh

Leave a Reply

Your email address will not be published. Required fields are marked *