05-21-2013 03:22 AM - edited 03-10-2019 08:27 PM
Hi,
I have the following config:
aaa new-model
!
!
aaa authentication login NO_LOGIN none
aaa authentication login ADMINS group radius local
aaa authentication login CONSOLE group radius local
aaa authorization exec NO_AUTHOR none
aaa authorization exec ADMINS group radius local
aaa authorization exec CONSOLE group radius local
!
enable secret cisco
username cisco privilege 15 secret cisco
!
line con 0
 password 7 05080F1C2243
 authorization exec CONSOLE
 login authentication CONSOLE
line vty 0 4
 password 7 045802150C2E0C
 authorization exec ADMINS
 logging synchronous
 login authentication ADMINS
line vty 5 15
 password 7 060506324F41
 authorization exec ADMINS
 logging synchronous
 login authentication ADMINS
When I am trying to log in to the switch from a vty line I come directly to privileged mode, but when logging in to the console port I come to exec mode (privilege 1) and I can't go further to the user privileged mode. Each time I have to type a password (I type the enable one) and my access is denied.
When issuing the command # aaa authorization console (using telnet from another switch)
the problem is solved.
Can someone please explain why this is happening? I think after logging in with a local account (with privilege 15) from the console port I should get directly to privileged mode, or am I wrong?
06-06-2013 06:07 PM
There are a couple of parts to this explanation.
First thing is to understand that going directly into privilege mode is dependent on authorization granting that.
Second thing to understand is that by default Cisco does not perform authorization for sessions on the console. The reason for that is to provide some protection against the situation where authorization is mis-configured and you could get locked out from executing commands on the IOS device. If you want authorization to be performed on console sessions then you must manually configure aaa authorization console.
HTH
Rick
06-06-2013 11:41 PM
aaa authorization console is a hidden command. We have to execute this command to enable authorization for the console line. If you create a method list "aaa authorization exec CONSOLE group radius local" for the console and try to apply it on line console 0, it will throw an error that without "aaa authorization console" all authorization commands for the console are useless. You have to first enable authorization for the console with the help of aaa authorization console.
command reference
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfauth.html#wp1024046
Jatin Katyal
- Do rate helpful posts -
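A small config audit, written in Python as an added example for this thread (it is not code from the poster, the answerers or Cisco): it flags a console line that carries "authorization exec" while "aaa authorization console" is absent, which is the mismatch both replies describe, and also applies Rick's lockout caveat by checking that the console's exec method list keeps a local or none fallback. The sample config, the GLOBAL_PREFIXES list and the function names are my own assumptions.

```python
import re

# Constructed sample, not the poster's exact config: only the AAA and line
# sections that matter for the console-authorization question.
SAMPLE_CONFIG = """\
aaa authentication login CONSOLE group radius local
aaa authorization exec CONSOLE group radius local
line con 0
 authorization exec CONSOLE
 login authentication CONSOLE
line vty 0 4
 authorization exec ADMINS
"""

# Column-0 prefixes that end a 'line' block (forum pastes often lose indentation).
GLOBAL_PREFIXES = ("aaa ", "line ", "enable ", "username ", "interface ", "!")

def parse_line_sections(config):
    """Return {'line con 0': [sub-commands], ...} for every 'line ...' block."""
    sections, current = {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text:
            continue
        if not raw[:1].isspace() and text.startswith(GLOBAL_PREFIXES):
            current = text if text.startswith("line ") else None
            if current:
                sections[current] = []
        elif current:
            sections[current].append(text)
    return sections

def check_console_authorization(config):
    """Return findings about console authorization; an empty list means consistent."""
    findings = []
    aaa_console = re.search(r"^aaa authorization console\s*$", config, re.M) is not None
    lists = {m.group(1): m.group(2).split()
             for m in re.finditer(r"^aaa authorization exec (\S+) (.+)$", config, re.M)}
    for name, cmds in parse_line_sections(config).items():
        if not name.startswith("line con"):
            continue
        for cmd in (c for c in cmds if c.startswith("authorization exec ")):
            list_name = cmd.split()[2]
            if not aaa_console:
                findings.append(f"{name}: '{cmd}' is ignored without 'aaa authorization console'")
            # Lockout guard (Rick's point): the console list should keep a local/none fallback.
            if not set(lists.get(list_name, [])) & {"local", "none"}:
                findings.append(f"{name}: method list {list_name} has no local/none fallback")
    return findings
```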