tacacs user via console?

Hello all,

We encountered a strange problem with authentication via TACACS+. Logging into a switch via VTY works OK: I enter my username and password and start at the privileged EXEC prompt. But when I try to log in via the console, I don't get privileged EXEC rights without entering an enable password. This phenomenon occurs in different IOS versions.

Config looks like this:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization network default group tacacs+ local
aaa accounting send stop-record authentication failure
aaa accounting update newinfo periodic 15
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
username <User> privilege 15 password <somepass>
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server timeout 25
tacacs-server key <ourkey>
!
line con 0
 exec-timeout 0 0
!
line vty 0 4
 (and so on)

Any ideas?

Regards,

Sebastian

1 ACCEPTED SOLUTION

Accepted Solutions
Richard Burts
Hall of Fame Guru

Sebastian

What you are experiencing is a behavior that Cisco implements purposely. As it has been explained to me, to enter directly into privileged mode is a combination of authentication and of authorization. For the VTY ports this is enabled. For the console it does the authentication but not the authorization component. The reason for this is that it is easy to misconfigure the authorization part of the config. It is one thing to lock yourself out of the VTY ports and it is something else (and much more serious) if you lock yourself out of the console. So as a safety mechanism Cisco does not by default apply authorization on the console. You will need to enter the enable password on the console.

HTH

Rick

3 REPLIES
While this can be a good safety feature, I believe that adding this:

aaa authorization console

solved this same problem for me when I was setting this up on our Cat6500 switches.
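The fragment below is an added example and is not part of any post in this thread. It places the AAA lines Sebastian posted beside the same lines with `aaa authorization console` added, as the reply above suggests. It assumes the TACACS+ shell (exec) profile for the user already returns priv-lvl=15, which the working VTY login indicates, and that the rest of the configuration is unchanged. The `enable secret` line and the switch from `password` to `secret` on the local account are assumptions of this example, not taken from the thread. Note the trade-off Rick describes: by default IOS skips exec authorization on the console, which is what saves you from a broken exec method list; once `aaa authorization console` is on, that safety net is gone, so keep a fallback method on the exec list, keep the local privilege-15 account and the enable secret for the case where both TACACS+ servers are unreachable, and test the console login while a working VTY session stays open.

```ios
!
! Before (as posted): an exec authorization list exists, but IOS does not apply
! AAA authorization to line con 0 unless told to. A console login is therefore
! authenticated against TACACS+ and then dropped into user EXEC (privilege 1),
! and the user has to type "enable".
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
!
! After: one added line. The default exec authorization list is now applied to
! the console too, so the priv-lvl=15 attribute returned by the TACACS+ shell
! profile takes effect there just as it does on the VTYs.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization console
!
! Fallbacks that keep the console usable if both TACACS+ servers are down
! (local account as posted, stored as a hash; enable secret is assumed here,
! it is what the "enable" method on the enable authentication list falls to).
username <User> privilege 15 secret <somepass>
enable secret <enablepass>
!
line con 0
 exec-timeout 0 0
!
! Verify from the console, with a VTY session still open as a safety line:
!   show privilege           -> should report privilege level 15 right after login
!   debug aaa authorization  -> shows the exec authorization exchange with the
!                               TACACS+ server for the console session
```

Because `aaa authorization console` applies the default exec list to every console login, it also applies any `aaa authorization commands` lists you configure later; check those against a second session before relying on the console for recovery.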

How do you configure VTY access on the router with authentication via TACACS+?
