To enable AAA we need the aaa new-model command, but what does it really do? Many of us make assumptions about this command.

By default, with an empty config, the console drops us straight into enable mode (privilege 15). If we try to telnet in (VTY) we can't log in at all, since no line password has been set. If we set a line password we can log in at privilege 1, but 'enable' fails because no enable password (or enable secret) has been set.

When configuring AAA we use method lists: either the list called 'default' or lists we create ourselves. The sneaky thing about aaa new-model is that as soon as it is enabled the 'default' list goes active and is applied to the VTY lines. What surprised me is that this is not applied to the console. Someone had a theory that Cisco wanted to apply it to both console and VTY but too many users got locked out of their routers, so they backed off on this implementation; true or not, I don't know. Note that this only describes the state where no login list has been configured at all: once you define 'aaa authentication login default ...' yourself, that default list is applied to every line that has no named list of its own, the console included, which is where most console lockouts come from.

With aaa new-model enabled the device asks for local authentication on the VTY lines. If we haven't defined any users there is no remote access at all. The console still works, and we have to 'enable' to reach privilege 15 as usual.
Once we define a user we can log in remotely as well, but we still need an enable password or enable secret to get into privilege 15.

In the lab I have seen that when people get a task with AAA they create a new method list with no authentication and no authorization and apply it to both the console and the VTY lines. As I pointed out, we should not have to apply it to the console, but better safe than sorry I guess. Keep in mind that 'none' means exactly that: a line using this list asks for no credentials at all, so this is a lab-only configuration and not something to leave on a production device. It can be configured in the following way:

aaa new-model
! login method list named VTY with no authentication (lab use only)
aaa authentication login VTY none
! exec authorization list named VTY with no authorization
aaa authorization exec VTY none
line con 0
 login authentication VTY
 authorization exec VTY
line vty 0 4
 login authentication VTY
 authorization exec VTY

How would you configure this, what do you do in real life? Post in comments.
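To turn the pitfalls above into something you can check rather than remember, here is an added example (editor's code, not from the original post): a small Python script that parses a 'show running-config' and flags a 'none' login list, a console or VTY line whose login list does not exist (the bare aaa new-model case), a device with no local users, no enable secret, reversible user passwords, and VTY lines that accept more than SSH. The three configurations it audits are constructed inputs: the lab 'none' list from the post, a bare aaa new-model, and a local-authentication baseline that is my suggestion rather than the author's. The hashes in the baseline are placeholders, not real secrets.

```python
"""Audit a Cisco IOS running-config for the AAA pitfalls discussed in the post.

Added example, not code from the original post. The three configs below are
constructed inputs; the baseline is the editor's suggestion, not the author's.
Parsing expects 'show running-config' layout: subcommands under a 'line ...'
stanza are indented by one space."""
import re

LAB_NONE = """\
aaa new-model
aaa authentication login VTY none
aaa authorization exec VTY none
line con 0
 login authentication VTY
 authorization exec VTY
line vty 0 4
 login authentication VTY
 authorization exec VTY
"""

NEW_MODEL_ONLY = """\
aaa new-model
line con 0
line vty 0 4
"""

BASELINE = """\
ip domain-name lab.example
username admin privilege 15 secret 9 $9$placeholder-not-a-real-hash
enable secret 9 $9$placeholder-not-a-real-hash
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
line con 0
line vty 0 4
 transport input ssh
"""

LOGIN_LIST = re.compile(r"^aaa authentication login (\S+) (.+)$")


def parse(config):
    """Return (top-level commands, {'con 0': [subcommands], 'vty 0 4': [...]})."""
    top, stanzas, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):          # indented: belongs to the open stanza
            if current is not None:
                stanzas[current].append(line.strip())
            continue
        current = None
        if line.startswith("line "):
            current = line[5:]            # e.g. "con 0", "vty 0 4"
            stanzas.setdefault(current, [])
        else:
            top.append(line)
    return top, stanzas


def applied_login_list(subcommands):
    """Login list a line stanza applies; IOS uses 'default' when none is named."""
    for cmd in subcommands:
        if cmd.startswith("login authentication "):
            return cmd.split()[2]
    return "default"


def audit(config):
    """Return [(severity, message)] for the AAA weaknesses described in the post."""
    top, stanzas = parse(config)
    findings = []
    login_lists = {m.group(1): m.group(2).split()
                   for m in map(LOGIN_LIST.match, top) if m}

    # 1. 'none' in a login list: that list (or its fallback) asks for no credentials.
    for name, methods in login_lists.items():
        if "none" in methods:
            sev = "HIGH" if methods == ["none"] else "MEDIUM"
            findings.append((sev, f"login list '{name}' includes method 'none' ({' '.join(methods)})"))

    if "aaa new-model" in top:
        # 2. A line whose login list is not defined. For the console this is the
        #    case the post describes: aaa new-model with no default list, no console login.
        for name, cmds in stanzas.items():
            lst = applied_login_list(cmds)
            if lst not in login_lists:
                sev = "HIGH" if name.startswith("con") else "MEDIUM"
                findings.append((sev, f"line {name} applies login list '{lst}' which is not defined"))
        # 3. No local users: any 'local' method (including the implicit VTY default) denies everyone.
        if not any(c.startswith("username ") for c in top):
            findings.append(("MEDIUM", "no 'username' entries; 'local' authentication cannot succeed"))

    # 4. Privileged EXEC: 'enable secret' is hashed, 'enable password' is reversible type 7.
    if not any(c.startswith("enable secret") for c in top):
        findings.append(("MEDIUM", "no 'enable secret' configured"))

    # 5. Local users stored with 'password' (type 0/7) instead of 'secret'.
    for c in top:
        if c.startswith("username ") and " password " in c:
            findings.append(("LOW", f"{c.split()[1]}: 'username ... password' is reversible; use 'secret'"))

    # 6. VTY transport: anything other than ssh-only sends credentials in clear text.
    for name, cmds in stanzas.items():
        if name.startswith("vty"):
            transports = [c.split()[2:] for c in cmds if c.startswith("transport input ")]
            if not transports or any(t != ["ssh"] for t in transports):
                findings.append(("MEDIUM", f"line {name}: transport input is not restricted to ssh"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab 'none' list", LAB_NONE), ("aaa new-model only", NEW_MODEL_ONLY), ("baseline", BASELINE)):
        print(f"== {label}")
        for sev, msg in audit(cfg) or [("OK", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Running it shows the lab list scored HIGH for 'none', the bare aaa new-model scored HIGH because 'line con 0' falls back to a 'default' list that was never defined, and the baseline with no findings. Feed it the output of 'show running-config' from a real device to check your own lines; the parser only understands the 'line' stanzas, so other sections are ignored.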

AAA new-model – What does it do?

7 thoughts on “AAA new-model – What does it do?”

  • May 22, 2012 at 8:28 pm

    I wouldn’t use the “none” option at the end of the aaa commands. I would either use local or point it to a server group if I have access to ACS. The none, if I remember correctly, is not checking against configured users.
  • June 16, 2013 at 3:54 pm

    Yup, I would use ‘local’ instead of ‘none’ too..
  • July 31, 2014 at 12:31 am

    By using no aaa new-model I delete AAA, and then I cannot enter the router through telnet or ssh, but I have to enter. I do not know what to do, please help.
  • January 21, 2015 at 6:52 pm

    After enabling “aaa new-model” you have to set username CISCO password CISCO
    SET IP DOMAIN NAME XXXXX
    SET #crypto key generate rsa
    set byte-#1024
    you will get the message

    #ssh enabled

    set
    #line vty 0 4
    #transport input all/ssh
    #password cisco
    #login

    Arjun
  • October 14, 2015 at 8:16 am

    This is what I use.

    username priv 15 secret
    ip domain-name
    crypto key generate rsa

    aaa new-model
    aaa authentication login default local
    aaa authentication enable default enable

    line vty 0 4
    transport input ssh

    • October 14, 2015 at 8:35 am

      the console uses the local login
  • September 6, 2016 at 3:02 pm

    hi,
    I have set the username **** privilege 5 secret **** and applied aaa via console. Now I am unable to access the switch through the console.
    After entering enable it shows an authentication error.

    Can someone help me to resolve the issue?
