Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1703
Views
0
Helpful
3
Replies

Console Authorisation

andrew.butterworth
Level 7
Level 7

‎09-03-2003 07:44 AM - edited ‎03-10-2019 07:28 AM

We are using AAA with CiscoSecure ACS 3.2. All the 'defaults' are configured to use the ACS server -i.e. aaa authentication login default group ACS local, aaa authorisation exec default group ACS local. We also dynamically map users from Windows AD into a group that don't have Shell (exec) access (these are for remote access and NOT access to routers). If one of these dynamically created users tried to telnet to a router they fail with an Authorisation failure (the desired result), if however the user attempts to gain access via the console he is permitted, he cannot enter enable mode but can do 'show' commands etc. Doing various debugs shows no AAA Auhtorisation is done for the console line, whereas it is for the VTY lines. Is the console port (line con 0) treated differently than the TTY lines (line tty 0 etc) where AAA authorisation is concerned? Is there any way around this behaviour or are we stuck? We are running various IOS versions on Routers and Switches (12.1(x) and 12.2(x)T and the behaviour is the same with all devices.

Andy

Labels:
0 Helpful
3 Replies 3

yusuff
Cisco Employee
Cisco Employee

‎09-04-2003 10:22 PM

That is the expected behaviour that you are seeing. Console authorization is not active by default. Use the following hidden command to enable authorization for console seperately. By default console authorization is disabled.

Console authorization can now be turned on/off.

A hidden command is added to allow this. The command syntax is :

[no] aaa authorization console

Regards

Yusuf

0 Helpful

andrew.butterworth
Level 7
Level 7
In response to yusuff

‎09-05-2003 01:02 AM

Thanks Yusuff. When was this command available - we have a mixture of IOS versions but most are 12.1 or above.

Thanks

Andy

0 Helpful

gfullage
Cisco Employee
Cisco Employee
In response to andrew.butterworth

‎09-08-2003 04:36 PM

This command was brought in due to bug CSCdi82030 (http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdi82030&Submit=Search). The description for this bug doesn't say much, but you can look at the First-Fixed-In field to see what code this command is available in. Anything 12.1 should have it, it's been around for quite a while now.

0 Helpful
Customers Also Viewed These Support Documents