https://community.cisco.com/t5/network-access-control/aaa-authorization-console/m-p/2206692#M127028 <P>Hi,</P><P></P><P>i have the following config :</P><P></P><P>aaa new-model</P><P>!</P><P>!</P><P>aaa authentication login NO_LOGIN none</P><P>aaa authentication login ADMINS group radius local</P><P>aaa authentication login CONSOLE group radius local</P><P>aaa authorization exec NO_AUTHOR none</P><P>aaa authorization exec ADMINS group radius local</P><P>aaa authorization exec CONSOLE group radius local</P><P>!</P><P>enable secret cisco</P><P>username cisco privilage 15 secret cisco</P><P>!</P><P>line con 0</P><P> password 7 05080F1C2243</P><P> authorization exec CONSOLE</P><P> login authentication CONSOLE</P><P>line vty 0 4</P><P> password 7 045802150C2E0C</P><P> authorization exec ADMINS</P><P> logging synchronous</P><P> login authentication ADMINS</P><P>line vty 5 15</P><P> password 7 060506324F41</P><P> authorization exec ADMINS</P><P> logging synchronous</P><P> login authentication ADMINS</P><P></P><P>When i am tryin gto login to the switch from vty line i come directly to privillage mode, but when loging to console port i come to the exec mode (privilage 1) and i cant go further to the user privillage mode . each time i have to type a password (i type the enable one) and my access is denied.</P><P></P><P>when issuing the command # <SPAN style="font-size: 10pt;">aaa authorization console&nbsp;&nbsp; (using telnet from other switch)</SPAN></P><P><SPAN style="font-size: 10pt;">the problem is solved.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Can someone please explain why is this happening? i think after logging in with local account (with privillage 15) from console port i should get directly to privilage mode, or am i wrong ?</SPAN></P> Mon, 11 Mar 2019 03:27:03 GMT mhawas 2019-03-11T03:27:03Z https://community.cisco.com/t5/network-access-control/aaa-authorization-console/m-p/2206692#M127028 <P>Hi,</P><P></P><P>i have the following config :</P><P></P><P>aaa new-model</P><P>!</P><P>!</P><P>aaa authentication login NO_LOGIN none</P><P>aaa authentication login ADMINS group radius local</P><P>aaa authentication login CONSOLE group radius local</P><P>aaa authorization exec NO_AUTHOR none</P><P>aaa authorization exec ADMINS group radius local</P><P>aaa authorization exec CONSOLE group radius local</P><P>!</P><P>enable secret cisco</P><P>username cisco privilage 15 secret cisco</P><P>!</P><P>line con 0</P><P> password 7 05080F1C2243</P><P> authorization exec CONSOLE</P><P> login authentication CONSOLE</P><P>line vty 0 4</P><P> password 7 045802150C2E0C</P><P> authorization exec ADMINS</P><P> logging synchronous</P><P> login authentication ADMINS</P><P>line vty 5 15</P><P> password 7 060506324F41</P><P> authorization exec ADMINS</P><P> logging synchronous</P><P> login authentication ADMINS</P><P></P><P>When i am tryin gto login to the switch from vty line i come directly to privillage mode, but when loging to console port i come to the exec mode (privilage 1) and i cant go further to the user privillage mode . each time i have to type a password (i type the enable one) and my access is denied.</P><P></P><P>when issuing the command # <SPAN style="font-size: 10pt;">aaa authorization console&nbsp;&nbsp; (using telnet from other switch)</SPAN></P><P><SPAN style="font-size: 10pt;">the problem is solved.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Can someone please explain why is this happening? i think after logging in with local account (with privillage 15) from console port i should get directly to privilage mode, or am i wrong ?</SPAN></P> Mon, 11 Mar 2019 03:27:03 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-console/m-p/2206692#M127028 mhawas 2019-03-11T03:27:03Z https://community.cisco.com/t5/network-access-control/aaa-authorization-console/m-p/2206693#M127032 <HTML><HEAD></HEAD><BODY><P>There are a couple of parts to this explanation.</P><P>First thing is to understand that going directly into privilege mode is dependent on authorization granting that.</P><P>Second thing to understand is that by default Cisco does not perform authorization for sessions on the console. The reason for that is to provide some protection against the situation where authorization is mis-configured and you could get locked out from executing commands on the IOS device. If you want authorization to be performed on console sessions then you must manually configure aaa authorization console.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Fri, 07 Jun 2013 01:07:49 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-console/m-p/2206693#M127032 Richard Burts 2013-06-07T01:07:49Z https://community.cisco.com/t5/network-access-control/aaa-authorization-console/m-p/2206694#M127036 <HTML><HEAD></HEAD><BODY><P>aaa authorization console is a hidden command. We have to execute this command to enable authorization for console line. If you create a method list <STRONG>"aaa authorization exec CONSOLE group radius local"</STRONG> for console and try to apply it on line console 0, it will throw an error that without <STRONG>"aaa authorization console"</STRONG> all authorization commands for console is useless. You have to first enable authorization for console with the help of aaa authorization console.</P><P></P><P>command refrence</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfauth.html#wp1024046">http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfauth.html#wp1024046</A></P><P></P><P></P><P>Jatin Katyal <BR /> - Do rate helpful posts -</P></BODY></HTML> Fri, 07 Jun 2013 06:41:21 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-console/m-p/2206694#M127036 Jatin Katyal 2013-06-07T06:41:21Z