AAA authorization for console connection

gcyeaw
Level 1

I have a user configured in the TACACS server to receive privilege level 15. When that user telnets to a router he gets level 15, but when he connects via the console he only gets level 1. A debug trace shows only the authentication; there is no authorization exchange for the console connection. Is there a parameter I am missing?

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication ppp default if-needed group tacacs+ local

aaa authorization exec default group tacacs+ none

4 Replies

4brown
Level 1

What version of IOS are you using? There are some issues with this in older versions of IOS.

If your IOS supports it, try using the:

aaa authorization console

command.

If not, assign a list to the console and see if this works such as:

aaa authorization exec CONSOLE group tacacs+

line con 0

authorization exec CONSOLE

Let us know if this works.

I had tried the list already along with a host of other variations. I am running 12.2-7a. 'aaa authorization console' solved the problem. Thanks!

Nairi Adamian
Cisco Employee

As per the following Sample Configuration:

http://www.cisco.com/warp/public/480/8.shtml

Console port authorization was not added as a feature until Bug ID CSCdi82030 was implemented. Console port authorization is off by default to lessen the likelihood of accidentally being locked out of the router. If a user has physical access to the router via the console, console port authorization is not extremely effective. However, for images in which Bug ID CSCdi82030 has been implemented, console port authorization can be turned on under line con 0 with the hidden command aaa authorization console.

Hope this helps,

-Nairi

Yes, that was the solution.

I notice that once the hidden command is entered and the config saved to startup, it survives a reboot; however, there is no way to tell that it is there other than logging into the console and seeing the result.
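Pulling the replies together, here is an added example configuration (not the original poster's config or Cisco's sample) that shows both routes from the thread: the global aaa authorization console command, and the named-list fallback for images that do not support it. The TACACS+ server address and key are placeholders.

```cisco
! Added example configuration; server address and key are placeholders.
aaa new-model
tacacs-server host 192.0.2.10 key PLACEHOLDER_KEY

! Authentication: TACACS+ first, local database if the server is unreachable.
aaa authentication login default group tacacs+ local
aaa authentication ppp default if-needed group tacacs+ local

! EXEC authorization: TACACS+ returns the privilege level (priv-lvl=15 for the user).
! The trailing "none" keeps the console usable if TACACS+ is down, but it also
! means no authorization is enforced in that case.
aaa authorization exec default group tacacs+ none

! Route 1 (preferred where supported): turn on console authorization.
! On 12.2 this command is hidden and, per this thread, is not displayed in the
! running-config even though it survives a reload.
aaa authorization console

! Route 2 (older images): bind a named authorization list to the console line.
aaa authorization exec CONSOLE group tacacs+ none
line con 0
 login authentication default
 authorization exec CONSOLE
```

After applying either route, a "debug aaa authorization" trace on the console login should show an authorization exchange alongside the authentication, which is the check the original post found missing.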