No AAA authentication on Console port

jrhofman
Level 1

I would like to configure our routers to use our ACS server for authentication and enable authorization for all telnet access, but not use the ACS when connected to the console port. I was able to get the router configured so that console username and password access was local. However, when I attempt to go into enable mode from the console port, the router still goes after the ACS server for the enable password. How do I get around this?

9 Replies

sghosh
Level 1

Hi,

You cannot disable enable authentication on the console or create a new method for the console enable authentication.

The only option you have is to enable exec authorization on the console and give the privileged user "priv=15" under shell, so that they will not be asked for the enable password and are dropped into enable mode directly.

Thanks

Sujit

I'm running 12.2.10 code. I don't see the command for giving enable exec authorization on the console port as an option. Can you show me an example?

Hi,

line con 0
 authorization exec no_autho   <-- this is your method name

Thanks,

Mynul

Hi there,

Actually, this is incorrect. You need to enable authorization for the console users to drop them automatically into an enable prompt. For example,

username admin privilege 15 password cisco
!
aaa authentication login console local
aaa authorization exec console local
!
line con 0
 login authentication console
 authorization exec console

Hope this helps...

Marcus

Hi,

This is not incorrect, I just didn't provide the details of the method list. Though, the post is just looking for the command required for exec authorization under the line console. In your case, you defined the method name console and then apply it the same way for the authorization under the console line, as I mentioned in my post ;-) Thanks,

Mynul

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

Thanks, this does help. However, I'm still running into an issue. My ultimate goal is to have all users authenticate and get enable access through our ACS server based on their corporate NT domain username/pw. If the ACS server is unavailable, go to the local database. This is working fine for users telnetting to the routers and also works for the console port (if the ACS server is unavailable).

However, with the ACS server active, when I console in I authenticate based on the local database admin/cisco. But when I attempt to go into enable mode the router still goes after the ACS server for a password. I would like console port users to always use the local enable password.

!
! I'm just trying to protect myself from a possible misbehaved ACS server.
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authentication enable default group tacacs+ enable
aaa authorization exec console local
enable secret 5 --moderator edit--
!
username --moderator edit-- privilege 15 password 0 --moderator edit--
!
line con 0
 exec-timeout 300 0
 authorization exec console
 login authentication console
line aux 0
line vty 0 4
 password --moderator edit--

Hi,

With the newer version of code, by default, authorization on the console is turned off with the "no aaa authorization console" hidden command. But, authorization exec console should take care of that. Can you please add the following line:

aaa authorization console

Please let us know the results. Thanks,

Mynul
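Pulling the thread's pieces together, the following is a consolidated configuration (an added example, not a post from the thread). The TACACS+ server address, key and secrets are placeholders, not values from the thread. Because the console user is authorized straight into privilege 15, they never type `enable`, so the `aaa authentication enable default` list, which still points at the ACS server, is never consulted from the console.

```cisco
! Added example, not posted by anyone in the thread. Placeholders in <...>
! and the server address 192.0.2.10 are assumptions, not values from the thread.
aaa new-model
!
! Telnet/VTY users: ACS (TACACS+) first, local database only if ACS is unreachable
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Console users: local database only, never the ACS server
aaa authentication login console local
aaa authorization exec console local
!
! Required: IOS skips authorization on the console by default (the hidden
! "no aaa authorization console"), so without this line the
! "authorization exec console" under line con 0 has no effect and the user
! lands at user EXEC and is prompted for the enable password from ACS.
aaa authorization console
!
enable secret <LOCAL-ENABLE-SECRET>
! "secret" (MD5 hash) is preferred over "password" where the IOS version supports it
username admin privilege 15 secret <LOCAL-ADMIN-SECRET>
!
tacacs-server host 192.0.2.10
tacacs-server key <TACACS-KEY>
!
line con 0
 exec-timeout 300 0
 login authentication console
 authorization exec console
!
line vty 0 4
 login authentication default
```

Verify from the console with `show privilege` after logging in: it should report level 15 without an enable prompt, while a VTY session still authenticates against ACS (falling back to local only when the server is unreachable).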

Works great. Just what I was looking for. Thanks for the help.

Perfect! Thanx