https://community.cisco.com/t5/network-access-control/aaa-locks-out-console/m-p/268753#M433765 <HTML><HEAD></HEAD><BODY><P>Thanks. That did the trick. The final configuration (in order to keep lock &amp; key working properly) reads:</P><P>!</P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ local</P><P>aaa authentication login TestLK group tacacs+ local</P><P>aaa authorization exec default group tacacs+ local</P><P>aaa authorization network default group tacacs+</P><P>!</P><P>Much appreciated</P><P></P></BODY></HTML> Sun, 22 Aug 2004 21:05:17 GMT ablenner 2004-08-22T21:05:17Z https://community.cisco.com/t5/network-access-control/aaa-locks-out-console/m-p/268751#M433763 <P>I'm playing with lock and key on a 3750 IOS 12.1(19)EA1. The console works fine (and there is no AAA or ACLs on the switch) until I add the following commands:</P><P>!</P><P>aaa new-model</P><P>aaa authentication login TestLK group tacacs+ local</P><P>aaa authorization exec default group tacacs+ local</P><P>!</P><P>username xxx password xxx</P><P>!</P><P>access-list 100 dynamic TestLK timeout 5 permit ip any 10.204.1.0 0.0.0.255 log</P><P>access-list 100 permit tcp any host 10.204.0.199 eq telnet</P><P>access-list 100 deny ip any 10.204.1.0 0.0.0.255 log</P><P>access-list 100 permit ip any any</P><P>!</P><P>tacacs-server host xxx.4.104.245</P><P>tacacs-server key testkey</P><P>!</P><P>line vty 0 4</P><P> password xxx</P><P> login authentication TestLK</P><P>!</P><P>interface Vlan400</P><P>ip access-group 100 in</P><P>! The console exists with no configuration i.e.</P><P>line con 0</P><P>!</P><P>At this point my lock and key does more-or-less what I want (ignore the strange IP address in the access list - it shouldn't be part of the problem) and I can telnet to the 3750 OK, but I suddenly can't get into the console.</P><P>When I hit RETURN it displays the "unwelcome" banner and then seems to rush off to the ACS server and have a look for something and then comes back with the message "authorisation failed" At no point do I get a prompt.</P><P>Disabling the ACS server doesn't help. nor does adding an EXEC-TIMEOUT and/or password to the console line. Nor does adding the dreaded AAA AUTHORISATION CONSOLE.</P><P>Its got to be something embarrassingly simple.</P><P>Cheers</P><P></P> Sun, 10 Mar 2019 20:45:35 GMT https://community.cisco.com/t5/network-access-control/aaa-locks-out-console/m-p/268751#M433763 ablenner 2019-03-10T20:45:35Z https://community.cisco.com/t5/network-access-control/aaa-locks-out-console/m-p/268752#M433764 <HTML><HEAD></HEAD><BODY><P>Hi!</P><P></P><P>aaa authentication login default group tacacs+ local </P><P>aaa authorization network default group tacacs+</P><P></P><P></P><P>Add the above command.</P><P></P><P>Your console will not lock.</P><P></P><P></P><P>HTH.</P><P></P><P>Rgds</P><P>Vimal</P></BODY></HTML> Fri, 20 Aug 2004 04:33:35 GMT https://community.cisco.com/t5/network-access-control/aaa-locks-out-console/m-p/268752#M433764 vimal1980 2004-08-20T04:33:35Z https://community.cisco.com/t5/network-access-control/aaa-locks-out-console/m-p/268753#M433765 <HTML><HEAD></HEAD><BODY><P>Thanks. That did the trick. The final configuration (in order to keep lock &amp; key working properly) reads:</P><P>!</P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ local</P><P>aaa authentication login TestLK group tacacs+ local</P><P>aaa authorization exec default group tacacs+ local</P><P>aaa authorization network default group tacacs+</P><P>!</P><P>Much appreciated</P><P></P></BODY></HTML> Sun, 22 Aug 2004 21:05:17 GMT https://community.cisco.com/t5/network-access-control/aaa-locks-out-console/m-p/268753#M433765 ablenner 2004-08-22T21:05:17Z https://community.cisco.com/t5/network-access-control/aaa-locks-out-console/m-p/268754#M433766 <HTML><HEAD></HEAD><BODY><P>I get similar results just using:</P><P>!</P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ local</P><P>aaa authentication login TestLK group tacacs+ local</P><P>aaa authorization exec default group tacacs+ local</P><P>!</P><P>Anyway the problem is solved.</P><P>Cheers</P></BODY></HTML> Sun, 22 Aug 2004 22:01:09 GMT https://community.cisco.com/t5/network-access-control/aaa-locks-out-console/m-p/268754#M433766 ablenner 2004-08-22T22:01:09Z