https://community.cisco.com/t5/network-access-control/exec-authorization-for-router-s-console-and-radius/m-p/267437#M435599 <HTML><HEAD></HEAD><BODY><P>Authorization on the console port is turned off by default, even with authorization enabled globally. This was done on purpose as we had a large number of people lock themselves out of their router when configuring authorization, and we wanted the console port to always be a backdoor entry. The theory is that if someone has access to your console port, you have a lot more to worry about than command or exec authorization <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>If you really, really want to enable authorization on the console port, add the following hidden command into your router and you should be good to go:</P><P><B></B></P><P>aaa authorization console</P></BODY></HTML> Thu, 20 May 2004 02:33:14 GMT gfullage 2004-05-20T02:33:14Z https://community.cisco.com/t5/network-access-control/exec-authorization-for-router-s-console-and-radius/m-p/267436#M435597 <P>Hi all,</P><P></P><P>i've configured my router's authentication and authorization in this fashion:</P><P></P><P></P><P>username test privilege 15 password test</P><P></P><P>aaa authentication password-prompt password:</P><P>aaa authentication username-prompt login:</P><P>aaa authentication login vty group radius local</P><P>aaa authentication login console group radius local</P><P>aaa authorization exec default group radius local</P><P></P><P>line con 0</P><P> login authentication console</P><P></P><P>line vty 0 4</P><P> login authentication vty</P><P></P><P></P><P></P><P></P><P>and i've configured Microsoft IAS radius server with two groups:</P><P></P><P>admin with shell-priv-level= 15 </P><P></P><P>and Operator with shell-priv-level= 1.</P><P></P><P></P><P>When I try on vty, all works well: admin log on router with privilege 15 (already in enable mode) and operator with privilege 1... </P><P>but on console all users have level 1 privilege... </P><P></P><P>any ideas?</P><P></P><P>thanks in advance,</P><P>Graz.</P> Sun, 10 Mar 2019 14:48:30 GMT https://community.cisco.com/t5/network-access-control/exec-authorization-for-router-s-console-and-radius/m-p/267436#M435597 g.rodegari 2019-03-10T14:48:30Z https://community.cisco.com/t5/network-access-control/exec-authorization-for-router-s-console-and-radius/m-p/267437#M435599 <HTML><HEAD></HEAD><BODY><P>Authorization on the console port is turned off by default, even with authorization enabled globally. This was done on purpose as we had a large number of people lock themselves out of their router when configuring authorization, and we wanted the console port to always be a backdoor entry. The theory is that if someone has access to your console port, you have a lot more to worry about than command or exec authorization <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>If you really, really want to enable authorization on the console port, add the following hidden command into your router and you should be good to go:</P><P><B></B></P><P>aaa authorization console</P></BODY></HTML> Thu, 20 May 2004 02:33:14 GMT https://community.cisco.com/t5/network-access-control/exec-authorization-for-router-s-console-and-radius/m-p/267437#M435599 gfullage 2004-05-20T02:33:14Z https://community.cisco.com/t5/network-access-control/exec-authorization-for-router-s-console-and-radius/m-p/267438#M435600 <HTML><HEAD></HEAD><BODY><P>Hi Glenn,</P><P></P><P>thank you very much!</P><P></P><P>I'm completely agree with you: </P><P>to have console security, first you should have physical security...</P><P></P><P></P><P>regards,</P><P> </P><P></P><P>Graz.</P><P></P></BODY></HTML> Thu, 20 May 2004 06:27:36 GMT https://community.cisco.com/t5/network-access-control/exec-authorization-for-router-s-console-and-radius/m-p/267438#M435600 g.rodegari 2004-05-20T06:27:36Z