AAA Deny default

In preparing config standards, I almost always prefer explicit commands over implicit ones. That is not always easy in IOS; take AAA as a case in point. I want explicit commands under the VTYs and the console, but I don't want the default login list to be a valid authentication method. That way, if someone removes the authentication from a VTY or the console, the line falls back to the default, and the default denies all logins. Let's take a look at the command structure for this.

Switch(config)#aaa authentication login default ?
  cache          Use Cached-group
  enable         Use enable password for authentication.
  group          Use Server-group
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support
  radius         Use RADIUS authentication.
  tacacs+        Use TACACS+ authentication.

There is no Null/Exempt/Block keyword. There is none, but that disables authentication altogether and effectively permits every connection. So what do we do? We point the default list at a server group that does not exist. Let's look at the rest of the AAA config first.

aaa group server tacacs+ PACKETPROS-TACACS
server-private 10.1.0.5 key LeTsG0BrEwErS
server-private 10.1.0.6 key LeTsG0BrEwErS
!
aaa authentication login CONSOLE local
aaa authentication login PP-AAA group PACKETPROS-TACACS local
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group PACKETPROS-TACACS

We have two named login lists configured: CONSOLE and PP-AAA. CONSOLE just points to the local username database. PP-AAA points to a TACACS+ server group called PACKETPROS-TACACS, which has my two ISE servers in it. So now let's point the default list at an empty (undefined) group.

aaa authentication login default NULL

I use the name NULL, but you can use any name you like as long as it doesn't match one of the configured groups (CONSOLE and PP-AAA in this example). You will get an error in the log/syslog:

%AAAA-4-SERVUNDEF: The server-group "NULL" is not defined. Please define it.

If you never define that group, authentication fails every single time, since the list contains no working authentication method. When you try to log in, you will see the following on the console:

%AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*
% Authentication failed

On VTYs you will just see % Authentication failed.

Final Configuration

aaa group server tacacs+ PACKETPROS-TACACS
server-private 10.1.0.5 key LeTsG0BrEwErS
server-private 10.1.0.6 key LeTsG0BrEwErS
!
aaa authentication login default NULL
aaa authentication login CONSOLE local
aaa authentication login PP-AAA group PACKETPROS-TACACS local
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group PACKETPROS-TACACS

line con 0
login authentication CONSOLE

line vty 0 15
login authentication PP-AAA

If there is no login authentication command under the VTYs or the console, you will not be able to log in via that line at all, so be careful!
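Because a missing login authentication line now means a lockout rather than an open door, it is worth checking a running-config for exactly that before pushing it. The Python below is an added example, not code from the original post: it parses the aaa authentication login lists, the server groups and the line stanzas out of a config dump and reports whether the default list actually denies (points at an undefined group), whether any list uses none, and whether every con/vty stanza carries a login authentication command that references a defined list. The two sample configs are constructed for the example and use a placeholder TACACS+ key; the finding strings and function names are my own.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Method keywords taken from the "aaa authentication login default ?" help output.
# "group" and "cache" are followed by a server-group name and are handled separately.
METHOD_KEYWORDS = {"enable", "line", "local", "local-case", "none",
                   "passwd-expiry", "radius", "tacacs+"}

# Constructed sample (not a real device); the TACACS+ key is a placeholder.
GOOD_CONFIG = """\
aaa new-model
aaa group server tacacs+ PACKETPROS-TACACS
 server-private 10.1.0.5 key EXAMPLE-KEY
 server-private 10.1.0.6 key EXAMPLE-KEY
!
aaa authentication login default NULL
aaa authentication login CONSOLE local
aaa authentication login PP-AAA group PACKETPROS-TACACS local
!
line con 0
 login authentication CONSOLE
line vty 0 15
 login authentication PP-AAA
"""

# Constructed "drifted" config: default falls back to local, CONSOLE list was
# deleted but is still referenced, and vty 5-15 lost its login authentication.
BAD_CONFIG = """\
aaa new-model
aaa group server tacacs+ PACKETPROS-TACACS
 server-private 10.1.0.5 key EXAMPLE-KEY
!
aaa authentication login default local
aaa authentication login PP-AAA group PACKETPROS-TACACS local
!
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication PP-AAA
line vty 5 15
"""


def parse_server_groups(cfg: str) -> Set[str]:
    """Names of every 'aaa group server tacacs+|radius <name>' in the config."""
    return {m.group(1) for m in
            (re.match(r"^aaa group server (?:tacacs\+|radius) (\S+)", ln)
             for ln in cfg.splitlines()) if m}


def parse_login_lists(cfg: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each login list name to its methods as (kind, value) pairs.

    kind is 'group' for a server-group reference (after 'group'/'cache', or a
    bare name such as the post's 'default NULL') and 'method' for a keyword.
    """
    lists: Dict[str, List[Tuple[str, str]]] = {}
    for ln in cfg.splitlines():
        m = re.match(r"^aaa authentication login (\S+)\s+(.*)$", ln)
        if not m:
            continue
        name, toks = m.group(1), m.group(2).split()
        methods, i = [], 0
        while i < len(toks):
            if toks[i] in ("group", "cache") and i + 1 < len(toks):
                methods.append(("group", toks[i + 1])); i += 2
            elif toks[i] in METHOD_KEYWORDS:
                methods.append(("method", toks[i])); i += 1
            else:
                methods.append(("group", toks[i])); i += 1
        lists[name] = methods
    return lists


def parse_lines(cfg: str) -> Dict[str, Optional[str]]:
    """Map each 'line con/vty/aux ...' stanza to its login authentication list (or None)."""
    stanzas: Dict[str, Optional[str]] = {}
    current = None
    for ln in cfg.splitlines():
        if re.match(r"^line (con|vty|aux)\b", ln):
            current = ln.strip()
            stanzas[current] = None
            continue
        if current is None:
            continue
        if not ln.startswith(" "):        # indented lines belong to the stanza
            current = None
            continue
        m = re.match(r"^\s+login authentication (\S+)", ln)
        if m:
            stanzas[current] = m.group(1)
    return stanzas


def audit_aaa(cfg: str) -> List[str]:
    """Return human-readable findings; an empty list means the deny-default pattern holds."""
    findings: List[str] = []
    groups, lists = parse_server_groups(cfg), parse_login_lists(cfg)
    if "aaa new-model" not in cfg.splitlines():
        findings.append("aaa new-model is not enabled; named login lists are not in effect")
    default = lists.get("default")
    if default is None:
        findings.append("default login list is not configured")
    else:
        for kind, value in default:
            if kind == "method":
                findings.append(f"default login list uses method '{value}' instead of denying")
            elif value in groups:
                findings.append(f"default login list uses defined group '{value}' instead of denying")
    for name, methods in lists.items():
        for kind, value in methods:
            if kind == "method" and value == "none":
                findings.append(f"login list '{name}' contains 'none' (no authentication)")
            if kind == "group" and name != "default" and value not in groups:
                findings.append(f"login list '{name}' references undefined group '{value}'")
    for stanza, lst in parse_lines(cfg).items():
        if lst is None:
            findings.append(f"'{stanza}' has no 'login authentication'; it falls back to the denying default")
        elif lst not in lists:
            findings.append(f"'{stanza}' references undefined login list '{lst}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_aaa(cfg) or "OK")
```

Run against GOOD_CONFIG the audit is clean; against BAD_CONFIG it reports the default list silently authenticating against local, the console pointing at a list that no longer exists, and vty 5 15 missing its login authentication, which is the lockout case the post warns about.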