https://community.cisco.com/t5/network-access-control/tacacs-user-via-console/m-p/472525#M428986 <HTML><HEAD></HEAD><BODY><P>How do you in the router configured via vty in the router with authentication via TACACS+ </P><P></P></BODY></HTML> Wed, 28 Dec 2005 19:31:00 GMT bugalde 2005-12-28T19:31:00Z https://community.cisco.com/t5/network-access-control/tacacs-user-via-console/m-p/472522#M428979 <P>Hello all,</P><P></P><P>We encountered some strange problem with authentication via TACACS+. Logging into a switch via VTY works ok.... I enter my Username and PW and start at the priveledged exec prompt. But when I'm trying to log in via console, I won't get priviledge exec rights without entering an ena pass. This phenomenon occurs in diffrent IOS versions.</P><P></P><P>Config looks like that:</P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ local</P><P>aaa authentication enable default group tacacs+ enable</P><P>aaa authorization exec default group tacacs+ none</P><P>aaa authorization network default group tacacs+ local</P><P>aaa accounting send stop-record authentication failure</P><P>aaa accounting update newinfo periodic 15</P><P>aaa accounting exec default start-stop group tacacs+</P><P>aaa accounting commands 15 default start-stop group tacacs+</P><P>aaa accounting connection default start-stop group tacacs+</P><P>!</P><P>username &lt;User&gt; privilege 15 password &lt;somepass&gt;</P><P>tacacs-server host x.x.x.x</P><P>tacacs-server host x.x.x.x</P><P>tacacs-server timeout 25</P><P>tacacs-server key &lt;ourkey&gt;</P><P></P><P>line con 0</P><P>exec timeout 0 0</P><P>line vty 0 4 aso.</P><P></P><P>Any Ideas?</P><P></P><P>Regards,</P><P></P><P>Sebastian</P> Sun, 10 Mar 2019 21:11:34 GMT https://community.cisco.com/t5/network-access-control/tacacs-user-via-console/m-p/472522#M428979 sebastian.wiegand 2019-03-10T21:11:34Z https://community.cisco.com/t5/network-access-control/tacacs-user-via-console/m-p/472523#M428981 <HTML><HEAD></HEAD><BODY><P>Sebastian</P><P></P><P>What you are experiencing is a behavior that Cisco implements purposely. As it has been explained to me, to enter directly into privilege mode is a combination of authentication and of authorization. For the vty ports this is enabled. For the console it does the authentication but not the authorization componenet. The reason for this is that it is easy to misconfigure the authorization part of the config. It is one thing to lock yourself out of the vty ports and it is something else (and much more serious) if you lock yourself out of the console. So as a safety mechanism Cisco does not by default apply authorization on the console. You will need to enter the enable password on the console.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Thu, 16 Jun 2005 13:43:13 GMT https://community.cisco.com/t5/network-access-control/tacacs-user-via-console/m-p/472523#M428981 Richard Burts 2005-06-16T13:43:13Z https://community.cisco.com/t5/network-access-control/tacacs-user-via-console/m-p/472524#M428983 <HTML><HEAD></HEAD><BODY><P>While, this can be a good safety feature... I beleive that adding this:</P><P>aaa authorization console</P><P></P><P>solved this same problem for me when I was setting this up on our Cat6500 switches.</P></BODY></HTML> Tue, 12 Jul 2005 11:49:30 GMT https://community.cisco.com/t5/network-access-control/tacacs-user-via-console/m-p/472524#M428983 andy-gerace 2005-07-12T11:49:30Z https://community.cisco.com/t5/network-access-control/tacacs-user-via-console/m-p/472525#M428986 <HTML><HEAD></HEAD><BODY><P>How do you in the router configured via vty in the router with authentication via TACACS+ </P><P></P></BODY></HTML> Wed, 28 Dec 2005 19:31:00 GMT https://community.cisco.com/t5/network-access-control/tacacs-user-via-console/m-p/472525#M428986 bugalde 2005-12-28T19:31:00Z