I'm playing with lock and key on a 3750 IOS 12.1(19)EA1. The console works fine (and there is no AAA or ACLs on the switch) until I add the following commands:

!

aaa new-model

aaa authentication login TestLK group tacacs+ local

aaa authorization exec default group tacacs+ local

!

username xxx password xxx

!

access-list 100 dynamic TestLK timeout 5 permit ip any 10.204.1.0 0.0.0.255 log

access-list 100 permit tcp any host 10.204.0.199 eq telnet

access-list 100 deny ip any 10.204.1.0 0.0.0.255 log

access-list 100 permit ip any any

!

tacacs-server host xxx.4.104.245

tacacs-server key testkey

!

line vty 0 4

password xxx

login authentication TestLK

!

interface Vlan400

ip access-group 100 in

! The console exists with no configuration i.e.

line con 0

!

At this point my lock and key does more-or-less what I want (ignore the strange IP address in the access list - it shouldn't be part of the problem) and I can telnet to the 3750 OK, but I suddenly can't get into the console.

When I hit RETURN it displays the "unwelcome" banner and then seems to rush off to the ACS server and have a look for something and then comes back with the message "authorisation failed" At no point do I get a prompt.

Disabling the ACS server doesn't help. nor does adding an EXEC-TIMEOUT and/or password to the console line. Nor does adding the dreaded AAA AUTHORISATION CONSOLE.

Its got to be something embarrassingly simple.

Cheers