Privileged EXEC at line con 0

Thomas Reiling
Level 1

How do I configure my switch using AAA so that when I console in using the console port it automatically starts me off at the privilege EXEC prompt instead of the user EXEC prompt? When I SSH in, it automatically starts me off at the privilege EXEC prompt. I just want the same for the console port.

Thank you,

Thomas Reiling

6 Replies

gcover
Level 1

If your existing AAA configuration is responsible for placing you into privileged exec mode when logging in on the vty lines then adding "aaa authorization console" to your global AAA configuration should accomplish what you are looking for.

I tried your suggestion but it didn't work. The switch took the command okay, but when I tried to log in via console I started out at user EXEC again instead of privilege EXEC. I appreciate the suggestion. Do you have any other ideas that might work?

Richard Burts
Hall of Fame

Thomas

The fundamental issue is that by default IOS does not do authorization on the console and authorization is what puts you directly into privilege mode. Perhaps it would help if you would post your running config.

HTH

Rick


Richard,

Thanks for the reply.  I figured it out, however.

The following worked for me:

line con 0
 privilege level 15

Thank you,

Thomas

Thomas,

It would be helpful to see your AAA and console line configuration.

Configuring a static privilege level on the console line will accomplish what you are looking to do.  However, this is totally independent of your AAA configuration and will allow anyone who logs in and successfully authenticates to gain priv 15 access on your console line.

Here's how I've done it.

Create a named authentication list, let's call it CONSOLE;

Switch(config)#aaa authentication login CONSOLE group tacacs+ local

Create a named authorization list, again called CONSOLE

Switch(config)#aaa authorization exec CONSOLE group tacacs+ local if-authenticated

Then apply the following under line con 0;

Switch(config-line)#login authentication CONSOLE

Switch(config-line)#authorization exec CONSOLE

Since local is defined as the secondary method of authentication/authorization be sure to have a local privilege 15 user defined in the event your tacacs server isn't available.

Switch(config)#username MYUSERNAME privilege 15 secret 0 MYPASSWORD

This works for me, hope this helps!

Greg
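
The trade-off discussed in this thread can be checked offline against a saved running-config. The following is an added example, not code from any poster: it flags a static `privilege level 15` on `line con 0`, a console exec authorization list that is not defined, a missing global `aaa authorization console` (the command named in the first reply, which IOS needs before it applies exec authorization to the console), and a `local` fallback with no privilege 15 local user. The function names and the sample config are constructed for illustration, reusing the list and user names from the post above.

```python
import re

# Constructed sample running-config (not taken from any poster's device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login CONSOLE group tacacs+ local
aaa authorization exec CONSOLE group tacacs+ local if-authenticated
username MYUSERNAME privilege 15 secret 0 MYPASSWORD
line con 0
 privilege level 15
 login authentication CONSOLE
"""

def line_blocks(config):
    """Map each 'line ...' header to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif current and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any other global command ends the line block
    return blocks

def audit_console(config):
    """Return findings about how line con 0 grants privileged EXEC."""
    findings = []
    glob = [l.strip() for l in config.splitlines() if not l.startswith(" ")]
    con = line_blocks(config).get("line con 0", [])
    if "privilege level 15" in con:
        findings.append("static-priv15: every console login lands in privileged EXEC")
    authz = next((c.split()[2] for c in con if c.startswith("authorization exec ")), None)
    if authz is None:
        findings.append("no-exec-authz: console has no 'authorization exec' list")
    else:
        if not any(g.startswith(f"aaa authorization exec {authz} ") for g in glob):
            findings.append(f"undefined-list: '{authz}' is not defined globally")
        if "aaa authorization console" not in glob:
            findings.append("console-authz-off: 'aaa authorization console' missing")
    uses_local = any(re.match(r"aaa (authentication login|authorization exec) .*\blocal\b", g) for g in glob)
    has_admin = any(re.match(r"username \S+ privilege 15 ", g) for g in glob)
    if uses_local and not has_admin:
        findings.append("no-local-admin: local fallback without a privilege 15 user")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_console(SAMPLE_CONFIG)))
```
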

Thomas

Putting the privilege-level 15 on the console is one way to work around the issue. And it works - as long as you are comfortable with the fact that everyone who logs in on the console will be immediately placed directly into privilege/enable mode.

The suggestion from Greg addresses the different processing on the console as compared to the vty, and should work and would give you the ability to put some people directly into privilege/enable mode but not put other people directly into privilege/enable mode.

HTH

Rick
