Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8381
Views
1
Helpful
2
Replies

aaa authorization console

mhawas
Level 1
Level 1

‎05-21-2013 03:22 AM - edited ‎03-10-2019 08:27 PM

Hi,

i have the following config :

aaa new-model

!

!

aaa authentication login NO_LOGIN none

aaa authentication login ADMINS group radius local

aaa authentication login CONSOLE group radius local

aaa authorization exec NO_AUTHOR none

aaa authorization exec ADMINS group radius local

aaa authorization exec CONSOLE group radius local

!

enable secret cisco

username cisco privilage 15 secret cisco

!

line con 0

password 7 05080F1C2243

authorization exec CONSOLE

login authentication CONSOLE

line vty 0 4

password 7 045802150C2E0C

authorization exec ADMINS

logging synchronous

login authentication ADMINS

line vty 5 15

password 7 060506324F41

authorization exec ADMINS

logging synchronous

login authentication ADMINS

When i am tryin gto login to the switch from vty line i come directly to privillage mode, but when loging to console port i come to the exec mode (privilage 1) and i cant go further to the user privillage mode . each time i have to type a password (i type the enable one) and my access is denied.

when issuing the command # aaa authorization console   (using telnet from other switch)

the problem is solved.

Can someone please explain why is this happening? i think after logging in with local account (with privillage 15) from console port i should get directly to privilage mode, or am i wrong ?

Labels:
0 Helpful
2 Replies 2

Richard Burts
Hall of Fame
Hall of Fame

‎06-06-2013 06:07 PM

There are a couple of parts to this explanation.

First thing is to understand that going directly into privilege mode is dependent on authorization granting that.

Second thing to understand is that by default Cisco does not perform authorization for sessions on the console. The reason for that is to provide some protection against the situation where authorization is mis-configured and you could get locked out from executing commands on the IOS device. If you want authorization to be performed on console sessions then you must manually configure aaa authorization console.

HTH

Rick

HTH

Rick
0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee

‎06-06-2013 11:41 PM

aaa authorization console is a hidden command. We have to execute this command to enable authorization for console line. If you create a method list "aaa authorization exec CONSOLE group radius local" for console and try to apply it on line console 0, it will throw an error that without "aaa authorization console" all authorization commands for console is useless. You have to first enable authorization for console with the help of aaa authorization console.

command refrence

http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfauth.html#wp1024046

Jatin Katyal
- Do rate helpful posts -

~Jatin
Customers Also Viewed These Support Documents