Exec Authorization for router's console and Radius

g.rodegari · ‎05-19-2004

Hi all,

i've configured my router's authentication and authorization in this fashion:

username test privilege 15 password test

aaa authentication password-prompt password:

aaa authentication username-prompt login:

aaa authentication login vty group radius local

aaa authentication login console group radius local

aaa authorization exec default group radius local

line con 0

login authentication console

line vty 0 4

login authentication vty

and i've configured Microsoft IAS radius server with two groups:

admin with shell-priv-level= 15

and Operator with shell-priv-level= 1.

When I try on vty, all works well: admin log on router with privilege 15 (already in enable mode) and operator with privilege 1...

but on console all users have level 1 privilege...

any ideas?

thanks in advance,

Graz.

gfullage · ‎05-19-2004

Authorization on the console port is turned off by default, even with authorization enabled globally. This was done on purpose as we had a large number of people lock themselves out of their router when configuring authorization, and we wanted the console port to always be a backdoor entry. The theory is that if someone has access to your console port, you have a lot more to worry about than command or exec authorization :-)

If you really, really want to enable authorization on the console port, add the following hidden command into your router and you should be good to go:

aaa authorization console

g.rodegari · ‎05-19-2004

Hi Glenn,

thank you very much!

I'm completely agree with you:

to have console security, first you should have physical security...

regards,

Graz.