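Hello, this is how I have it configured; could you help take a look? I used to work with the Cisco 29 and 38 series, where I could always configure the login authentication method under the vty lines, but now it seems that no longer needs to be configured. However, on the console port I cannot get in with either TACACS or a local account.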
aaa authentication login default group ISE-Group local
aaa authentication enable default group ISE-Group enable
aaa authorization exec default group ISE-Group local
aaa authorization commands 15 default group ISE-Group local
aaa authorization config-commands
aaa accounting exec default start-stop group ISE-Group
aaa accounting connection default start-stop group ISE-Group
aaa accounting commands 15 default start-stop group ISE-Group
username cisco privilege 15 secret 9 $9$BB3A/CA/TO2VY.$6oGJYzVapcbTS3hCcvRN3V4utDOXKfnIU5yDUtyDHII
username admin privilege 15 secret 9 $9$qZpmGMODTht6zU$BXJXJ2GBJB4CSFTwB7a5XF1LSYfzVgnfqciUXqebFYU
!
!
!
!
!
!
tacacs server XXXX
address ipv4 XXXX
key XXXXX
!
!
aaa group server tacacs+ ISE-Group
server name XXXX
!
!
!
aaa new-model
aaa session-id common
!
line con 0
exec-timeout 5 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class SSH in
exec-timeout 5 0
transport input ssh
transport output none
line vty 5 15
access-class SSH in
exec-timeout 5 0
transport input ssh
You can try configuring this command: aaa authorization console.
SW(config)#aaa authorization ?
address-authorization-exec Force address authorization for PPP when started from Exec
auth-proxy For Authentication Proxy Services
cache For AAA cache configuration
commands For exec (shell) commands.
config-commands For configuration mode commands.
configuration For downloading configurations from AAA server
console For enabling console authorization <<<<<<<<<<
<snip>
Then you could try configuring a separate local AAA just for the console.
username mrn-local privilege 15 secret xxxx
!
aaa authentication login CON-AUTH local
aaa authorization console
aaa authorization exec CON-AUTHOR local
!
line con 0
login authentication CON-AUTH
authorization exec CON-AUTHOR
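
As an added example (not part of the thread, and not Cisco tooling), this Python check reads an IOS-style configuration and reports, for each line stanza, which login and exec method lists take effect and whether exec authorization is applied, given that IOS applies it on the console only when `aaa authorization console` is present. The function name `line_aaa_report` and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample modeled on the configs posted in this thread (not a device capture).
SAMPLE = """\
aaa authentication login default group ISE-Group local
aaa authentication login CON-AUTH local
aaa authorization exec default group ISE-Group local
aaa authorization exec CON-AUTHOR local
aaa authorization console
line con 0
 login authentication CON-AUTH
 authorization exec CON-AUTHOR
line vty 0 4
 transport input ssh
"""

GLOBAL = re.compile(r"aaa (authentication login|authorization exec) (\S+) (.+)")
PER_LINE = re.compile(r"(login authentication|authorization exec) (\S+)")

def line_aaa_report(config):
    """Hypothetical helper: effective login/exec method lists per line stanza."""
    defined = {"authentication login": {}, "authorization exec": {}}
    console_authz, stanzas, current = False, {}, None
    for text in (raw.strip() for raw in config.splitlines()):
        g, p = GLOBAL.fullmatch(text), PER_LINE.fullmatch(text)
        if text.startswith("line "):
            # With aaa new-model, a line with no explicit list uses "default".
            current = stanzas.setdefault(text[5:], {"login": "default", "exec": "default"})
        elif text == "aaa authorization console":
            console_authz = True
        elif g:
            defined[g.group(1)][g.group(2)] = g.group(3)
        elif p and current is not None:
            current["login" if p.group(1).startswith("login") else "exec"] = p.group(2)
        elif text == "!":
            current = None
    report = {}
    for name, used in stanzas.items():
        exec_methods = defined["authorization exec"].get(used["exec"])
        # Exec authorization runs on the console only with 'aaa authorization console'.
        applied = exec_methods is not None and (console_authz or not name.startswith("con"))
        report[name] = {
            "login_list": used["login"],
            "login_methods": defined["authentication login"].get(used["login"]),  # None: undefined list
            "exec_list": used["exec"],
            "exec_methods": exec_methods,
            "exec_enforced": applied,
        }
    return report
```

A `login_methods` value of `None` means the line references a method list that is never defined, which is worth checking before saving the configuration.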