Exec Authorization for router's console and Radius

g.rodegari
Level 1

Hi all,

I've configured my router's authentication and authorization in this fashion:

username test privilege 15 password test
aaa authentication password-prompt password:
aaa authentication username-prompt login:
aaa authentication login vty group radius local
aaa authentication login console group radius local
aaa authorization exec default group radius local
line con 0
 login authentication console
line vty 0 4
 login authentication vty

and I've configured the Microsoft IAS RADIUS server with two groups:

admin with shell-priv-level= 15

and Operator with shell-priv-level= 1.

When I try on vty, all works well: admin logs on to the router with privilege 15 (already in enable mode) and operator with privilege 1...

but on the console all users get privilege level 1...

Any ideas?

thanks in advance,

Graz.

2 Replies

gfullage
Cisco Employee

Authorization on the console port is turned off by default, even with authorization enabled globally. This was done on purpose as we had a large number of people lock themselves out of their router when configuring authorization, and we wanted the console port to always be a backdoor entry. The theory is that if someone has access to your console port, you have a lot more to worry about than command or exec authorization :-)

If you really, really want to enable authorization on the console port, add the following hidden command into your router and you should be good to go:

aaa authorization console
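An added audit check (my own example, not code from this thread or from Cisco): it scans a running-config fragment modelled on the question's setup and flags the gap Glenn describes, exec authorization configured but `aaa authorization console` absent, so the console line silently keeps the default privilege level. The sample config is constructed and the function name is my choice.

```python
import re

# Constructed sample modelled on the configuration in the question above;
# not a capture from a real device.
SAMPLE_CONFIG = """\
username test privilege 15 password test
aaa authentication login vty group radius local
aaa authentication login console group radius local
aaa authorization exec default group radius local
line con 0
 login authentication console
line vty 0 4
 login authentication vty
"""


def audit_console_authorization(config: str) -> dict:
    """Report whether exec authorization will actually apply to 'line con 0'.

    Mirrors the behaviour described in the reply: an 'aaa authorization exec'
    list is ignored on the console unless 'aaa authorization console' is set.
    """
    lines = [l.rstrip() for l in config.splitlines()]
    has_exec_authz = any(re.match(r"aaa authorization exec ", l) for l in lines)
    has_console_authz = any(l.strip() == "aaa authorization console" for l in lines)

    # Locate the 'line con' block and the login list it references.
    console_login_list = None
    in_con = False
    for l in lines:
        if re.match(r"line con\b", l):
            in_con = True
            continue
        if in_con:
            if l and not l.startswith(" "):  # next top-level command closes the block
                break
            m = re.match(r"\s*login authentication (\S+)", l)
            if m:
                console_login_list = m.group(1)

    effective = has_exec_authz and has_console_authz
    finding = None
    if has_exec_authz and not has_console_authz:
        finding = ("exec authorization configured but 'aaa authorization console' "
                   "is missing: console users keep the default privilege level "
                   "regardless of the RADIUS shell-priv-level attribute")
    return {
        "exec_authorization_configured": has_exec_authz,
        "console_authorization_enabled": has_console_authz,
        "console_login_list": console_login_list,
        "console_exec_authorization_effective": effective,
        "finding": finding,
    }
```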

Hi Glenn,

thank you very much!

I completely agree with you:

to have console security, first you should have physical security...

regards,

Graz.