
AAA not working right on Console Port

bs6825
Level 1

I have AAA configured to use TACACS+ on a 7206VXR. When we telnet to the router and enter the user name and password, it takes us to enable mode. When connected to the console it takes us to exec mode, then requires a password to enter enable. Here are the pertinent snippets:

aaa new-model
!
!
aaa authentication login default group tacacs+ line
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
!
line con 0
 password <xxxxx>
 stopbits 1
line vty 0 4
 password <xxxxx>
line vty 5 15
 password 7 <xxxxx>
!

I'm sure this is easy, thanks in advance....

2 Replies

will.shaw
Level 1

router(config)#aaa authentication login console group tacacs+
router(config)#line con 0
router(config-line)#login authentication console

According to the config parts that were posted the console is already authenticating via TACACS. So specifying another method and assigning it to the console is a bit redundant.

I have been told that this behavior of being able to go directly to privilege mode from telnet but not from the console is a result of the fact that the console does not do authorization by default. (Not doing authorization via aaa from the console is a protection against a configuration mistake locking you out of the router.)

I am told that you may be able to configure

aaa authorization console

(it may be a hidden command) and attain what you want.

HTH

Rick

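Added example, not part of the thread and not Cisco code: a small Python audit that reads an IOS-style configuration and reports which lines will actually have exec authorization applied, using the behavior described above (the console is skipped unless `aaa authorization console` is present). The sample configuration is constructed from the question's snippet, and the function names are hypothetical; the parser assumes line sub-commands are indented as in `show running-config` output.

```python
import re

# Constructed sample, based on the configuration posted in the question.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ if-authenticated
line con 0
 password <xxxxx>
 stopbits 1
line vty 0 4
 password <xxxxx>
"""

def parse_lines(config):
    """Return (global_commands, {line_header: [subcommands]})."""
    globals_, blocks, current = [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if re.match(r"line (con|vty|aux)\b", text):
            current = text
            blocks[current] = []
        elif raw[0].isspace() and current:
            blocks[current].append(text)   # indented: belongs to the line block
        else:
            current = None
            globals_.append(text)
    return globals_, blocks

def exec_authorization_report(config):
    """Map each line to the exec authorization list applied to it, or None."""
    globals_, blocks = parse_lines(config)
    # Names of the exec authorization method lists that are defined globally.
    lists = {g.split()[3] for g in globals_ if g.startswith("aaa authorization exec ")}
    console_enabled = "aaa authorization console" in globals_
    report = {}
    for header, subs in blocks.items():
        name = "default"                   # lines use the default list unless overridden
        for s in subs:
            m = re.match(r"authorization exec (\S+)", s)
            if m:
                name = m.group(1)
        is_console = header.startswith("line con")
        applies = name in lists and (console_enabled or not is_console)
        report[header] = name if applies else None
    return report

if __name__ == "__main__":
    for line, method in exec_authorization_report(SAMPLE_CONFIG).items():
        print(f"{line}: exec authorization = {method or 'not applied'}")
```

A `None` result for `line con 0` alongside a named list for the vty lines matches the difference the original poster saw between telnet and console logins.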