shell authorization works only on vty lines and not on console

o-ziltener
Level 1

Why does command authorization only work for the vty lines and NOT for the console?

I use ACS for Win 3.3.(1)

Any input is very welcome.

Configuration:

aaa new-model
aaa authentication login VTY group tacacs+ local
aaa authentication login CONSOLE group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication VTY


gfullage
Cisco Employee

By default, console authorization is turned off, even with all the standard authorization commands in your configuration. This was done deliberately to leave the console connection as a "back door" to get into the router in case you lock yourself out (which is easy to do with authorization). The theory is that if someone has access to your console port, you have a lot more to worry about than command authorization :-)

If you really, really want to do this, make sure it works fine first on the VTYs, and then issue the hidden command:

aaa authorization console
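As an added example (not from the thread or from Cisco), a small Python audit that reads an IOS running-config and flags the gap described in the reply: exec/command authorization lists are configured but "aaa authorization console" is absent, so line con 0 silently skips authorization. It also checks that any non-default authorization list is actually applied under each line, which is the "make sure it works on the VTYs first" step. The embedded sample is the poster's configuration, constructed here as a string.

```python
import re

# Constructed sample: the poster's configuration from the question above.
SAMPLE = """\
aaa new-model
aaa authentication login VTY group tacacs+ local
aaa authentication login CONSOLE group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication VTY
"""

# Captures the authorization type ("exec" or "commands <level>") and list name.
AUTHZ_RE = re.compile(r"^aaa authorization (exec|commands \d+) (\S+) ")

def parse_line_blocks(config):
    """Map each 'line ...' header to the indented sub-commands beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # back at global config level
    return blocks

def audit_console_authorization(config):
    """Report the authorization lists and whether the console is covered by them."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    authz = {m.group(1): m.group(2) for m in map(AUTHZ_RE.match, lines) if m}
    console_on = "aaa authorization console" in lines
    findings = []
    if "aaa new-model" in lines and authz and not console_on:
        # IOS skips exec/command authorization on the console unless this
        # command is present, whatever the method lists above say.
        findings.append("console bypasses authorization: add 'aaa authorization console'")
    for kind, name in authz.items():  # 'default' lists apply to every line
        for hdr, subs in parse_line_blocks(config).items():
            if name != "default" and f"authorization {kind} {name}" not in subs:
                findings.append(f"{hdr}: list '{name}' for {kind} not applied")
    return {"lists": authz, "console_authorization": console_on, "findings": findings}

if __name__ == "__main__":
    print(audit_console_authorization(SAMPLE))
    print(audit_console_authorization(SAMPLE + "aaa authorization console\n"))
```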