Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

mohamed hawas

aaa authorization console


i have the following config :

aaa new-model



aaa authentication login NO_LOGIN none

aaa authentication login ADMINS group radius local

aaa authentication login CONSOLE group radius local

aaa authorization exec NO_AUTHOR none

aaa authorization exec ADMINS group radius local

aaa authorization exec CONSOLE group radius local


enable secret cisco

username cisco privilage 15 secret cisco


line con 0

password 7 05080F1C2243

authorization exec CONSOLE

login authentication CONSOLE

line vty 0 4

password 7 045802150C2E0C

authorization exec ADMINS

logging synchronous

login authentication ADMINS

line vty 5 15

password 7 060506324F41

authorization exec ADMINS

logging synchronous

login authentication ADMINS

When i am tryin gto login to the switch from vty line i come directly to privillage mode, but when loging to console port i come to the exec mode (privilage 1) and i cant go further to the user privillage mode . each time i have to type a password (i type the enable one) and my access is denied.

when issuing the command # aaa authorization console   (using telnet from other switch)

the problem is solved.

Can someone please explain why is this happening? i think after logging in with local account (with privillage 15) from console port i should get directly to privilage mode, or am i wrong ?

Richard Burts
Hall of Fame Guru

There are a couple of parts to this explanation.

First thing is to understand that going directly into privilege mode is dependent on authorization granting that.

Second thing to understand is that by default Cisco does not perform authorization for sessions on the console. The reason for that is to provide some protection against the situation where authorization is mis-configured and you could get locked out from executing commands on the IOS device. If you want authorization to be performed on console sessions then you must manually configure aaa authorization console.




Jatin Katyal
Cisco Employee

aaa authorization console is a hidden command. We have to execute this command to enable authorization for console line. If you create a method list "aaa authorization exec CONSOLE group radius local" for console and try to apply it on line console 0, it will throw an error that without "aaa authorization console" all authorization commands for console is useless. You have to first enable authorization for console with the help of aaa authorization console.

command refrence

Jatin Katyal
- Do rate helpful posts -

Content for Community-Ad