Showing results for 
Search instead for 
Did you mean: 

how to prevent local aaa users to login

Level 1
Level 1


Please could you help me with my question:

My Cisco router R1 aaa configuration:

username user1 privilege 15 password user1

username user2 password user2

aaa authentication login default local

aaa authorization exec default local

aaa authentication ppp PPP_MODEM local

aaa authorization network PPP_MODEM local

So, I want to:

allow user1 to have full terminal access to R1

deny user2 to have any terminal access to R1 but allow user2 to connect to R1 via PPP.

I can configure privilege 0 to user2, but user2 will be able to access R1 terminal lines!

How can I prevent user2 to have management access to R1 using only local AAA services?

1 Reply 1

Level 5
Level 5

It is set to No Privilege by default. Set this to use group level settings. You also have to configure the enable password for the user

Here is a copy of my AAA settings:


aaa new-model

aaa authentication login default tacacs+ enable

aaa authentication login no_tacacs enable

aaa authentication enable default tacacs+ enable none

aaa authorization exec default tacacs+ if-authenticated

aaa authorization commands 7 default tacacs+ local

aaa authorization commands 15 default tacacs+ local

aaa accounting exec default start-stop tacacs+


The method no_tacacs is used for the console to prevent admin-lockouts. Doing a debug aaa authen & author was quite helpful in getting this to work.