04-11-2005 07:40 PM - edited 03-10-2019 02:06 PM
I have AAA configured to use Tacacs+ on a 7206VXR. When we telnet to the router and enter the user name and password, it takes us to enable mode. When connected to the console it takes us to exec mode, then requires a password to enter enable. Here are the pertinent snippets:
aaa new-model
!
!
aaa authentication login default group tacacs+ line
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
!
line con 0
password <xxxxx>
stopbits 1
line vty 0 4
password <xxxxx>
line vty 5 15
password 7 <xxxxx>
!
I'm sure this is easy, thanks in advance....
04-12-2005 07:29 AM
router(config)#aaa authentication login console group tacacs+
router(config)#line con 0
router(config-line)#login authentication console
04-12-2005 09:29 AM
According to the config parts that were posted the console is already authenticating via TACACS. So specifying another method and assigning it to the console is a bit redundant.
I have been told that this behavior of being able to go directly to privilege mode from telnet but not from the console is a result of the fact that the console does not do authorization by default. (Not doing authorization via aaa from the console is a protection against a configuration mistake locking you out of the router.)
I am told that you may be able to configure
aaa authorization console
(it may be a hidden command) and attain what you want.
HTH
Rick
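An added example, not part of the thread: a small Python audit that reads an IOS configuration and reports, per line, which login method list applies and whether exec authorization will actually run, using the rule described in the reply above (the console skips exec authorization unless `aaa authorization console` is present). The function name `audit_lines` and the sample text are constructed for illustration, the sample being modelled on the posted snippets.

```python
import re

# Constructed sample, modelled on the configuration posted in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
line con 0
 password <xxxxx>
 stopbits 1
line vty 0 4
 password <xxxxx>
line vty 5 15
 password 7 <xxxxx>
"""

def audit_lines(config):
    """Map each 'line ...' section to its login list and effective exec authorization."""
    stripped = [l.strip() for l in config.splitlines()]
    # Collect the named exec authorization method lists defined globally.
    exec_lists = {}
    for l in stripped:
        m = re.match(r"aaa authorization exec (\S+) (.+)", l)
        if m:
            exec_lists[m.group(1)] = m.group(2)
    console_authz = "aaa authorization console" in stripped
    report, current = {}, None
    for l in stripped:
        if l.startswith("line "):
            current = l[5:]
            report[current] = {"login_list": "default", "exec_list": "default"}
        elif l == "!":
            current = None
        elif current:
            m = re.match(r"(login authentication|authorization exec) (\S+)", l)
            if m:
                key = "login_list" if m.group(1).startswith("login") else "exec_list"
                report[current][key] = m.group(2)
    for name, entry in report.items():
        methods = exec_lists.get(entry["exec_list"])
        if name.startswith("con") and not console_authz:
            methods = None  # console skips exec authorization unless enabled globally
        entry["exec_authorization"] = methods
    return report
```

For the sample, `audit_lines(SAMPLE_CONFIG)` reports no exec authorization on `con 0` and `group tacacs+ if-authenticated` on both vty ranges, which matches the difference between console and telnet logins described in the question.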