05-19-2004 08:14 AM - edited 03-10-2019 07:48 AM
Hi all,
I've configured my router's authentication and authorization in this fashion:
username test privilege 15 password test
aaa authentication password-prompt password:
aaa authentication username-prompt login:
aaa authentication login vty group radius local
aaa authentication login console group radius local
aaa authorization exec default group radius local
line con 0
 login authentication console
line vty 0 4
 login authentication vty
and I've configured Microsoft IAS RADIUS server with two groups:
admin with shell-priv-level= 15
and Operator with shell-priv-level= 1.
When I try on vty, all works well: admin logs on to the router with privilege 15 (already in enable mode) and operator with privilege 1...
But on console all users have level 1 privilege...
Any ideas?
thanks in advance,
Graz.
05-19-2004 07:33 PM
Authorization on the console port is turned off by default, even with authorization enabled globally. This was done on purpose as we had a large number of people lock themselves out of their router when configuring authorization, and we wanted the console port to always be a backdoor entry. The theory is that if someone has access to your console port, you have a lot more to worry about than command or exec authorization :-)
If you really, really want to enable authorization on the console port, add the following hidden command into your router and you should be good to go:
aaa authorization console
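
As an added example (not part of the original thread and not Cisco code), this Python audit checks a running-config for the behaviour described in the reply above: exec authorization that never reaches the console because `aaa authorization console` is absent and, when it is present, whether the method list has a fallback that avoids the lockout the reply mentions. The function names and the sample config are assumptions; the parser assumes `show running-config` layout with indented sub-commands.

```python
import re

# Constructed sample (sub-commands indented), based on the config in the question.
SAMPLE = """\
aaa authentication login console group radius local
aaa authorization exec default group radius local
line con 0
 login authentication console
line vty 0 4
 login authentication vty
"""

def parse(config):
    """Return (global commands, {line header: [sub-commands]})."""
    global_cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if re.match(r"line (con|aux|vty)\b", cmd):
            current = blocks.setdefault(cmd, [])
        elif current is not None and raw[0].isspace():
            current.append(cmd)
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, blocks

def audit_console(config):
    """Report whether exec authorization is actually applied on line con 0."""
    global_cmds, blocks = parse(config)
    exec_lists = {}  # method-list name -> methods, e.g. default -> [group, radius, local]
    for cmd in global_cmds:
        m = re.match(r"aaa authorization exec (\S+) (.+)", cmd)
        if m:
            exec_lists[m.group(1)] = m.group(2).split()
    console_on = "aaa authorization console" in global_cmds
    list_name = "default"  # used unless a named list is bound on the line
    for sub in blocks.get("line con 0", []):
        m = re.match(r"authorization exec (\S+)", sub)
        if m:
            list_name = m.group(1)
    methods = exec_lists.get(list_name, [])
    has_fallback = bool({"local", "if-authenticated", "none"} & set(methods))
    return {
        "console_authorized": bool(methods) and console_on,
        # With console authorization on, a list without a fallback depends on the server alone.
        "lockout_risk": bool(methods) and console_on and not has_fallback,
    }
```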
05-19-2004 11:27 PM
Hi Glenn,
thank you very much!
I completely agree with you:
to have console security, first you should have physical security...
regards,
Graz.