https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146039#M438018 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>line con 0</P><P>authorization exec no_autho &lt;--this is your menthod name</P><P></P><P>Thanks,</P><P></P><P>Mynul</P></BODY></HTML> Tue, 10 Jun 2003 22:54:26 GMT mhoda 2003-06-10T22:54:26Z https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146036#M438015 <P>I would like to configure our routers to use our ACS server for authentication and enable authorization for all telnet access but not use the ACS when connected to the console port. I was able to get the router configured so that console username and password access was local. However, when I attempt to go into enable mode from the console port the router still goes after the ACS server for the enble password. How do I get around this?</P><P></P> Sun, 10 Mar 2019 14:21:04 GMT https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146036#M438015 jrhofman 2019-03-10T14:21:04Z https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146037#M438016 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You cannot disable enable authentication on the console or create a new method for the console enable authentication.</P><P></P><P>Only option you have is to enable exec authorization on the console and give the priviledged user "priv=15" under shell so that they will not be asked for enable password and dropped into the enable mode directly.</P><P></P><P>Thanks</P><P>Sujit</P><P></P><P></P></BODY></HTML> Tue, 10 Jun 2003 16:08:08 GMT https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146037#M438016 sghosh 2003-06-10T16:08:08Z https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146038#M438017 <HTML><HEAD></HEAD><BODY><P>I'm running 12.2.10 code. I don;t see the command for giving enable exec authorization on the console port as an option. Can you show me an example?</P><P></P></BODY></HTML> Tue, 10 Jun 2003 21:30:34 GMT https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146038#M438017 jrhofman 2003-06-10T21:30:34Z https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146039#M438018 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>line con 0</P><P>authorization exec no_autho &lt;--this is your menthod name</P><P></P><P>Thanks,</P><P></P><P>Mynul</P></BODY></HTML> Tue, 10 Jun 2003 22:54:26 GMT https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146039#M438018 mhoda 2003-06-10T22:54:26Z https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146040#M438019 <HTML><HEAD></HEAD><BODY><P>Hi there,</P><P></P><P>Actually, this is incorrect. You need to enable authorization for the console users to drop them automatically into an enable prompt. For example,</P><P></P><P>username admin privilege 15 password cisco</P><P>!</P><P>aaa authentication login console local</P><P>aaa authorization exec console local</P><P>!</P><P>line con 0</P><P> login authentication console</P><P> authorization exec console</P><P></P><P>Hope this helps...</P><P>Marcus</P><P></P></BODY></HTML> Wed, 11 Jun 2003 01:52:55 GMT https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146040#M438019 msitzman 2003-06-11T01:52:55Z https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146041#M438020 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>This is not incorrect, I just didn't provide the details of the method list. Thought, the post is just looking for the command required for exec authorization under the line console. In your case, you defined the method name console and then apply the same way for the authorization under the console line as I mentioned in my post <span class="lia-unicode-emoji" title=":winking_face:">😉</span> Thanks,</P><P></P><P>Mynul </P></BODY></HTML> Wed, 11 Jun 2003 03:46:41 GMT https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146041#M438020 mhoda 2003-06-11T03:46:41Z https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146042#M438021 <HTML><HEAD></HEAD><BODY><P>--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note -- </P><P></P><P>Thanks this does help. However, I'm still running into and issue. My ultimate goal is to have all users authenticate and get enable access through our ACS server based on there corporate NT domain username/pw. If the ACS server is unavailable go to the local data base. This is working fine for user telneting to the routers and also works for the console port (if the ACS server is unavailable). </P><P></P><P>However, with the ACS server active, when I console in I authenticate based on the local database admin/cisco. But when I attempt to go into enable mode the router still goes after the ACS server for a password. I would like console port users to always use the local enable password. </P><P>! </P><P>I'm just trying to protect myself from a possible misbehaved ACS server. </P><P>! </P><P>aaa new-model </P><P>aaa authentication login default group tacacs+ local </P><P>aaa authentication login console local </P><P>aaa authentication enable default group tacacs+ enable </P><P>aaa authorization exec console local </P><P>enable secret 5 --moderator edit--</P><P>! </P><P>username --moderator edit--privilege 15 password 0 --moderator edit--</P><P>! </P><P>line con 0 </P><P>exec-timeout 300 0 </P><P>authorization exec console </P><P>login authentication console </P><P>line aux 0 </P><P>line vty 0 4 </P><P>password --moderator edit--</P><P></P></BODY></HTML> Wed, 11 Jun 2003 12:42:17 GMT https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146042#M438021 jrhofman 2003-06-11T12:42:17Z https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146043#M438022 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>With the newer version of code, by default, authorization on the console is turned off with the "no aaa authorization console" hidden command. But, authorization exec console should take care of that. Can you please add the following line:</P><P></P><P>aaa authorization console </P><P></P><P>Please lets know the results. Thanks,</P><P></P><P>Mynul</P></BODY></HTML> Wed, 11 Jun 2003 17:30:05 GMT https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146043#M438022 mhoda 2003-06-11T17:30:05Z https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146044#M438023 <HTML><HEAD></HEAD><BODY><P>Works great. Just what I was looking for. Thanks for the help.</P><P></P></BODY></HTML> Thu, 12 Jun 2003 22:21:47 GMT https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146044#M438023 jrhofman 2003-06-12T22:21:47Z https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146045#M438024 <HTML><HEAD></HEAD><BODY><P>Perfect! Thanx</P></BODY></HTML> Wed, 15 Nov 2006 12:52:40 GMT https://community.cisco.com/t5/network-access-control/no-aaa-authentication-on-console-port/m-p/146045#M438024 jsteffensen 2006-11-15T12:52:40Z