https://community.cisco.com/t5/network-access-control/aaa-authorization-console-command/m-p/1803581#M213764 <HTML><HEAD></HEAD><BODY><P>Thanks for sharing your experience about authorization problems.I find that many people do not understand well the importance of configuring if-authenticated when configuring authorization. Your post is a good reminder about this important part of the configuration. Many of us have learned these lessons the hard way and we all can benefit from a reminder about the problem. </P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Fri, 13 Jan 2012 17:47:58 GMT Richard Burts 2012-01-13T17:47:58Z https://community.cisco.com/t5/network-access-control/aaa-authorization-console-command/m-p/1803577#M213760 <P>Hi,</P><P></P><P>I don't really understand the need of the command "<STRONG>aaa authorization console"</STRONG>.</P><P>We indeed often configure these lines, which according to me already ar eapplied by default to VTY, Console, etc ...:</P><P><SPAN style="font-family: courier new,courier;">aaa authorization exec default group tacacs+ if-authenticated </SPAN></P><P><SPAN style="font-family: courier new,courier;">aaa authorization commands 15 default group tacacs+ if-authenticated </SPAN></P><P></P><P><SPAN style="font-family: courier new,courier;">Am I wrong? Or do these lines apply only to the VTY linse?<BR /></SPAN></P><P><SPAN style="font-family: courier new,courier;">Thanks by advance<BR /></SPAN></P> Mon, 11 Mar 2019 01:31:45 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-console-command/m-p/1803577#M213760 parisdooz12 2019-03-11T01:31:45Z https://community.cisco.com/t5/network-access-control/aaa-authorization-console-command/m-p/1803578#M213761 <HTML><HEAD></HEAD><BODY><P>In IOS by default Cisco does not perform authorization on the console. When you configure aaa authorization it is applied to vty but not to console. Basically this is to make it harder for you to lock yourself out of the router or switch. If you want authorization to be applied on the console then you must explicitly configure it (and be very carefull that it is configured correctly or you can wind up being locked out of the router - think especially of how it will work when you can not get to the external aaa server that is normally doing the authorization).</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Mon, 07 Nov 2011 18:55:11 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-console-command/m-p/1803578#M213761 Richard Burts 2011-11-07T18:55:11Z https://community.cisco.com/t5/network-access-control/aaa-authorization-console-command/m-p/1803579#M213762 <HTML><HEAD></HEAD><BODY><P>perfect, thanks!</P></BODY></HTML> Thu, 10 Nov 2011 19:59:38 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-console-command/m-p/1803579#M213762 parisdooz12 2011-11-10T19:59:38Z https://community.cisco.com/t5/network-access-control/aaa-authorization-console-command/m-p/1803580#M213763 <HTML><HEAD></HEAD><BODY><P>I learned this locking out form console today in the hard-way</P><P></P><P>we use as standard</P><P></P><PRE style="padding-left: 30px;">aaa authentication login default group tacacs+ enable aaa authentication enable default group tacacs+ enable aaa authorization console aaa authorization exec default local group tacacs+ if-authenticated aaa authorization commands 1 default group tacacs+ if-authenticated aaa authorization commands 15 default group tacacs+ if-authenticated </PRE><P></P><P>and I missed the trailing "if-authenticated" in line "aaa authorization exec default local group tacacs+ if-authenticated", unfortuanatly also the tacacs serves wasn't reachable.</P><P>So no way to log in without the hard way rebooting and reconfiguring again</P></BODY></HTML> Fri, 13 Jan 2012 14:47:13 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-console-command/m-p/1803580#M213763 dg185302 2012-01-13T14:47:13Z https://community.cisco.com/t5/network-access-control/aaa-authorization-console-command/m-p/1803581#M213764 <HTML><HEAD></HEAD><BODY><P>Thanks for sharing your experience about authorization problems.I find that many people do not understand well the importance of configuring if-authenticated when configuring authorization. Your post is a good reminder about this important part of the configuration. Many of us have learned these lessons the hard way and we all can benefit from a reminder about the problem. </P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Fri, 13 Jan 2012 17:47:58 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-console-command/m-p/1803581#M213764 Richard Burts 2012-01-13T17:47:58Z