https://community.cisco.com/t5/network-access-control/15-2-7-e10-not-using-named-authorization-list-on-console/m-p/5161631#M591246 <P>AAA authorization is disabled on the console by default. If AAA authorization is enabled on the console, disable it by configuring the <STRONG><SPAN class="ph synph"><SPAN class="keyword kwd">no aaa authorization console </SPAN> </SPAN></STRONG> command during the AAA configuration stage. AAA should be disabled on the console for user authentication.</P> <P>The logs also tells that it is looking for enable password but none is configured.</P> <P>&nbsp;</P> <PRE class="lia-code-sample language-markup"><CODE>ug 15 13:45:49.876: AAA/AUTHEN/START (1746517121): console enable - default to enable password (if any) Aug 15 13:45:49.876: AAA/AUTHEN/START (1746517121): Method=ENABLE Aug 15 13:45:49.876: AAA/AUTHEN(1746517121): can't find any passwords Aug 15 13:45:49.876: AAA/AUTHEN (1746517121): status = ERROR</CODE></PRE> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 16 Aug 2024 03:45:09 GMT poongarg 2024-08-16T03:45:09Z https://community.cisco.com/t5/network-access-control/15-2-7-e10-not-using-named-authorization-list-on-console/m-p/5161576#M591240 <P>I configured a 2960x not to require authentication on the console port.&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">aaa authentication login NoPassword none line con 0 exec-timeout 0 0 privilege level 15 login authentication NoPassword stopbits 1</LI-CODE><P>&nbsp;</P><P>But on firmware version&nbsp;15.2(7)E10 if I also have the default authorization policy (see below) I cannot connect via console. I get the error "<FONT face="terminal,monaco">% Authorization failed.</FONT>". But on&nbsp;15.2(7)E7 it does work.</P><P>&nbsp;</P><LI-CODE lang="markup">aaa authorization exec default local </LI-CODE><P>&nbsp;</P><P>Furthermore, I created a new aaa authorization policy with none and applied it on the line and it still not working.</P><P>&nbsp;</P><LI-CODE lang="markup">aaa authentication login NoPassword none aaa authorization console aaa authorization exec NoPassword none line con 0 exec-timeout 0 0 authorization exec NoPassword login authentication NoPassword stopbits 1</LI-CODE><P>&nbsp;</P><P>Debug aaa authorization shows that the switch is somehow still using the default list.</P><P>&nbsp;</P><LI-CODE lang="markup">Aug 15 16:32:57.000: AAA/BIND(00000022): Bind i/f Aug 15 16:32:57.000: AAA/AUTHEN/LOGIN (00000022): Pick method list 'NoPassword' Aug 15 16:32:57.000: AAA/AUTHOR (0x22): Pick method list 'default' Aug 15 16:32:57.000: AAA/AUTHOR/EXEC(00000022): Authorization FAILED</LI-CODE><P>&nbsp;</P><P>&nbsp;On&nbsp;15.2(7)E7 we can the authentication flow doesn't touch the authorization policy at all.</P><P>&nbsp;</P><LI-CODE lang="markup">Aug 15 13:37:43.088: AAA/BIND(00000014): Bind i/f Aug 15 13:37:43.088: AAA/AUTHEN/LOGIN (00000014): Pick method list 'NoPassword'</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>When I remove the default authorization entry the console login flow on 15.2(7)E10 looks like this</P><LI-CODE lang="markup">Aug 15 16:43:04.517: AAA/BIND(00000025): Bind i/f Aug 15 16:43:04.520: AAA/AUTHEN/LOGIN (00000025): Pick method list 'NoPassword' Aug 15 16:43:04.520: AAA/AUTHOR (00000025): Method list id=0 not configured. Skip author Aug 15 16:43:12.661: AAA/AUTHOR: auth_need : user= '' ruser= '&lt;&gt;'rem_addr= '127.0.0.5' priv= 0 list= '' AUTHOR-TYPE= 'commands' Aug 15 16:43:12.661: AAA: parse name=tty2 idb type=-1 tty=-1 Aug 15 16:43:12.661: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0 Aug 15 16:43:12.661: AAA/MEMORY: create_user (0xEEFF104) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='127.0.0.5' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0) Aug 15 16:43:12.661: AAA/AUTHEN/START (1151806892): port='tty2' list='' action=LOGIN service=ENABLE Aug 15 16:43:12.661: AAA/AUTHEN/START (1151806892): console enable - default to enable password (if any) Aug 15 16:43:12.661: AAA/AUTHEN/START (1151806892): Method=ENABLE Aug 15 16:43:12.661: AAA/AUTHEN(1151806892): can't find any passwords Aug 15 16:43:12.661: AAA/AUTHEN (1151806892): status = ERROR Aug 15 16:43:12.661: AAA/AUTHEN/START (1151806892): Method=NONE Aug 15 16:43:12.661: AAA/AUTHEN (1151806892): status = PASS Aug 15 16:43:12.661: AAA/MEMORY: free_user (0xEEFF104) user='NULL' ruser='NULL' port='tty2' rem_addr='127.0.0.5' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)</LI-CODE><P>&nbsp;But on&nbsp;15.2(7)E7 it looks like this</P><LI-CODE lang="markup">Aug 15 13:45:44.052: AAA/BIND(00000017): Bind i/f Aug 15 13:45:44.052: AAA/AUTHEN/LOGIN (00000017): Pick method list 'NoPassword' Aug 15 13:45:49.872: AAA: parse name=tty0 idb type=-1 tty=-1 Aug 15 13:45:49.872: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0 Aug 15 13:45:49.872: AAA/MEMORY: create_user (0xC60F7EC) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0) Aug 15 13:45:49.876: AAA/AUTHEN/START (1746517121): port='tty0' list='' action=LOGIN service=ENABLE Aug 15 13:45:49.876: AAA/AUTHEN/START (1746517121): console enable - default to enable password (if any) Aug 15 13:45:49.876: AAA/AUTHEN/START (1746517121): Method=ENABLE Aug 15 13:45:49.876: AAA/AUTHEN(1746517121): can't find any passwords Aug 15 13:45:49.876: AAA/AUTHEN (1746517121): status = ERROR Aug 15 13:45:49.876: AAA/AUTHEN/START (1746517121): Method=NONE Aug 15 13:45:49.876: AAA/AUTHEN (1746517121): status = PASS Aug 15 13:45:49.876: AAA/MEMORY: free_user (0xC60F7EC) user='NULL' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)</LI-CODE> Thu, 15 Aug 2024 21:45:21 GMT https://community.cisco.com/t5/network-access-control/15-2-7-e10-not-using-named-authorization-list-on-console/m-p/5161576#M591240 Breathing 2024-08-15T21:45:21Z https://community.cisco.com/t5/network-access-control/15-2-7-e10-not-using-named-authorization-list-on-console/m-p/5161585#M591241 <P><STRONG>aaa authorization console &lt;&lt;- add this command and check authz</STRONG></P> <P><STRONG>MHM</STRONG></P> Thu, 15 Aug 2024 22:27:00 GMT https://community.cisco.com/t5/network-access-control/15-2-7-e10-not-using-named-authorization-list-on-console/m-p/5161585#M591241 MHM Cisco World 2024-08-15T22:27:00Z https://community.cisco.com/t5/network-access-control/15-2-7-e10-not-using-named-authorization-list-on-console/m-p/5161621#M591245 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a>&nbsp;thank you, but I already added that command prior to posting here (see my third code block).</P><P>Thanks again</P> Fri, 16 Aug 2024 02:16:35 GMT https://community.cisco.com/t5/network-access-control/15-2-7-e10-not-using-named-authorization-list-on-console/m-p/5161621#M591245 Breathing 2024-08-16T02:16:35Z https://community.cisco.com/t5/network-access-control/15-2-7-e10-not-using-named-authorization-list-on-console/m-p/5161631#M591246 <P>AAA authorization is disabled on the console by default. If AAA authorization is enabled on the console, disable it by configuring the <STRONG><SPAN class="ph synph"><SPAN class="keyword kwd">no aaa authorization console </SPAN> </SPAN></STRONG> command during the AAA configuration stage. AAA should be disabled on the console for user authentication.</P> <P>The logs also tells that it is looking for enable password but none is configured.</P> <P>&nbsp;</P> <PRE class="lia-code-sample language-markup"><CODE>ug 15 13:45:49.876: AAA/AUTHEN/START (1746517121): console enable - default to enable password (if any) Aug 15 13:45:49.876: AAA/AUTHEN/START (1746517121): Method=ENABLE Aug 15 13:45:49.876: AAA/AUTHEN(1746517121): can't find any passwords Aug 15 13:45:49.876: AAA/AUTHEN (1746517121): status = ERROR</CODE></PRE> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 16 Aug 2024 03:45:09 GMT https://community.cisco.com/t5/network-access-control/15-2-7-e10-not-using-named-authorization-list-on-console/m-p/5161631#M591246 poongarg 2024-08-16T03:45:09Z https://community.cisco.com/t5/network-access-control/15-2-7-e10-not-using-named-authorization-list-on-console/m-p/5163226#M591303 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/66272">@poongarg</a>&nbsp;these lines in the logs are when I did&nbsp;<STRONG><SPAN class="">no aaa authorization console and no aaa</SPAN></STRONG><SPAN class="">&nbsp;<STRONG>authorization exec default&nbsp;</STRONG>and <STRONG>I'm actually able to log in</STRONG> (albeit not in exec mode). If you look further down the logs you can notice it passing authentication&nbsp;</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">Aug 15 13:45:49.876: AAA/AUTHEN (1746517121): status = PASS</LI-CODE><P>&nbsp;</P><P><STRONG>Update:</STRONG><BR />This is weird, now on&nbsp;15.2(7)E7 I'm getting the same error.</P><P><STRONG>Update2:<BR /></STRONG>I've managed to make it work by adding the below config</P><P>&nbsp;</P><LI-CODE lang="markup">aaa authorization exec default none line vty 0 15 priv level 15 line con 0 priv level 15</LI-CODE><P>&nbsp;</P><P>This doesn't explain the behavior and the fact that the custom authorization list is ignored, and that I'm getting conflicting results on the same firmware, but it works now so I'll leave it as is.</P> Tue, 20 Aug 2024 14:03:48 GMT https://community.cisco.com/t5/network-access-control/15-2-7-e10-not-using-named-authorization-list-on-console/m-p/5163226#M591303 Breathing 2024-08-20T14:03:48Z