https://community.cisco.com/t5/network-access-control/aaa-authentication-failed-in-console-mode/m-p/3747435#M25072 <P>It works, many thanks.</P> <P>&nbsp;</P> <P>Alex</P> Thu, 15 Nov 2018 15:03:49 GMT Labin08 2018-11-15T15:03:49Z https://community.cisco.com/t5/network-access-control/aaa-authentication-failed-in-console-mode/m-p/3747246#M25070 <P>Hello all,</P> <P>&nbsp;</P> <P>I authenticate my switches over an ISE acting as radius server.</P> <P>&nbsp;</P> <P>When I connect with ssh, everything works well. My radius server return priv15 and I am logged directly in privilege 15.</P> <P>But the weird thing when I try to connect through the console cable, I get authenticate, the radius server return me the priv15 but the switch ask me to put the "enable" command. When I issue this command, I get rejected because the radius server is not able to find the object "$enab15$" that sounds logical.</P> <P>&nbsp;</P> <P>So do you have any idea why I can't log with the console cable directly in privilege 15 ?</P> <P>&nbsp;</P> <P>You can find below my configuration:</P> <PRE>aaa new-model aaa group server radius RADIUS-SERVERS aaa authentication login default group RADIUS-SERVERS local aaa authentication enable default group RADIUS-SERVERS enable aaa authentication dot1x default group RADIUS-SERVERS aaa authorization exec default group RADIUS-SERVERS if-authenticated aaa authorization network default group RADIUS-SERVERS if-authenticated aaa accounting send stop-record authentication failure aaa accounting update newinfo periodic 55 aaa accounting exec default start-stop group RADIUS-SERVERS aaa accounting connection default start-stop group RADIUS-SERVERS aaa accounting system default start-stop group RADIUS-SERVERS no aaa accounting system guarantee-first aaa session-id common ! line con 0 logging synchronous escape-character 3 stopbits 1 line vty 0 4 logging synchronous transport input ssh escape-character 3 line vty 5 15 logging synchronous transport input ssh escape-character 3 !</PRE> <P>Have a nice day,</P> <P>Alex</P> Mon, 11 Mar 2019 08:52:04 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-failed-in-console-mode/m-p/3747246#M25070 Labin08 2019-03-11T08:52:04Z https://community.cisco.com/t5/network-access-control/aaa-authentication-failed-in-console-mode/m-p/3747336#M25071 <P>Hi Alex.<BR />I think you need this command "aaa authorization console" and "authorization exec" in line console<BR /><BR /></P> Thu, 15 Nov 2018 12:46:48 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-failed-in-console-mode/m-p/3747336#M25071 fbabashahi 2018-11-15T12:46:48Z https://community.cisco.com/t5/network-access-control/aaa-authentication-failed-in-console-mode/m-p/3747435#M25072 <P>It works, many thanks.</P> <P>&nbsp;</P> <P>Alex</P> Thu, 15 Nov 2018 15:03:49 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-failed-in-console-mode/m-p/3747435#M25072 Labin08 2018-11-15T15:03:49Z https://community.cisco.com/t5/network-access-control/aaa-authentication-failed-in-console-mode/m-p/3747589#M25073 your welcome<BR /><BR />Good Luck Thu, 15 Nov 2018 18:31:25 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-failed-in-console-mode/m-p/3747589#M25073 fbabashahi 2018-11-15T18:31:25Z