10-10-2001 05:02 PM - edited 03-08-2019 08:51 PM
I am trying to set up limited access on all lines on a router, with certain privileges for certain users in the local user database, but it doesn't seem to be working. If I log in with "tcsuser" via a VTY line everything works fine: the user is only able to execute certain low-level commands. However, if I log in on the console port with the same "tcsuser" username, which is a level 0 username, this user has full access. I want this user to have the same access whether he/she is using VTY lines or console lines.
What is the deal?
Note: This is not a TACACS/RADIUS integration
Thanks,
See Config below:
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
no logging buffered
no logging buffered
logging rate-limit console 10 except errors
aaa new-model
aaa authentication login conmethod local
aaa authentication login auxmethod local
aaa authentication login vtymethod local
aaa authorization exec conmethod local
aaa authorization exec vtymethod local
aaa authorization exec auxmethod local
!
username tcsadmin privilege 15 password 0 password
username ptsadmin privilege 15 password 0 password
username ptsuser password 0 password
username tcsuser password 0 password
memory-size iomem 25
ip subnet-zero
no ip finger
no ip domain-lookup
ip domain-name xcentri.com
ip name-server 192.168.0.2
ip name-server 192.168.0.18
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
interface Ethernet0
ip address 172.16.254.56 255.255.0.0
half-duplex
!
interface FastEthernet0
ip address 192.168.0.17 255.255.255.0
speed auto
!
ip kerberos source-interface any
ip classless
no ip http server
!
!
line con 0
exec-timeout 15 0
authorization exec conmethod
login authentication conmethod
transport input none
line aux 0
line vty 0 4
exec-timeout 15 0
authorization exec vtymethod
login authentication vtymethod
!
end
10-15-2001 04:11 AM
Only on the console port, even if you configure authorization, it is ignored. This is the way it works. On other types of line, authorization works great.
10-15-2001 12:42 PM
Here is an undocumented Cisco fact: AAA authorization does not apply to console sessions. Long story short, it keeps you from being locked out of the box in case you configure a proper authentication backup method but an improper authorization backup method. Here's how to make console sessions also follow AAA authorization; it is a hidden command executed at global config:
aaa authorization console
That should do the trick. Good luck!
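A complete local-AAA configuration that carries the advice in this reply through end to end, as an added example rather than anything posted in the thread: console, aux and vty reference the same named login and exec-authorization lists, `aaa authorization console` makes the console honour exec authorization, and the usernames, passwords and list name are placeholders chosen for the example.

```ios
! Added example (not from the original thread). Usernames, passwords and
! the list name "linelocal" are placeholders.
!
aaa new-model
!
! One login list and one exec-authorization list, both against the local
! user database, referenced by name from every line so that console and
! vty sessions are authenticated and authorized identically.
aaa authentication login linelocal local
aaa authorization exec linelocal local
!
! Without this command IOS skips exec authorization on the console (the
! lock-out safeguard described in the reply above), so a console login
! is never restricted by the privilege configured on the username.
! With it, the console session is authorized the same way a vty is.
aaa authorization console
!
! Explicit privilege levels: the restricted user gets level 1, the admin
! gets level 15. Keep at least one level-15 local user so the box can
! still be administered once the console is restricted.
! ("username ... secret" needs a release newer than the 12.1 in the post;
! on 12.1 use "password" together with "service password-encryption".)
username tcsadmin privilege 15 secret AdminPlaceholder
username tcsuser privilege 1 secret UserPlaceholder
!
line con 0
 exec-timeout 15 0
 login authentication linelocal
 authorization exec linelocal
line aux 0
 login authentication linelocal
 authorization exec linelocal
line vty 0 4
 exec-timeout 15 0
 login authentication linelocal
 authorization exec linelocal
 transport input telnet
!
! --- Checks ---
! From the console, logged in as tcsuser: the reported level should be 1,
! matching what the same user gets on a vty.
!   Router> show privilege
!
! To watch the authorization decision for the console login as it happens,
! run this from a second, already-authorized session before testing:
!   Router# debug aaa authorization
```

Apply this with a second, level-15 session already open (a vty logged in as tcsadmin), then log in on the console as the restricted user and compare `show privilege` on both sessions. If the console test goes wrong, `no aaa authorization console` from the open session backs the change out without password recovery.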
10-17-2001 11:58 AM
Tried aaa authorization console and it took the command but it didn't seem to initiate any authorization on the console.
Oh well.
No biggie.
Thanks for your help
Brian
10-17-2001 01:32 PM
Honestly man, if I were you I wouldn't place AAA on the console.
What happens if you forget the password, or something happens like you misconfigure it?
It's bad; then you have to perform password recovery.
That means downing the router.
10-17-2001 04:37 PM
Well you know the solution to that. Don't forget your password! This is a sample config, we will be using TACACS so I won't forget it, but thanks for the advice.
10-26-2001 08:45 AM
Brian,
You need to simplify your configuration.
Have all users first login and authenticate to exec mode using their password configured in the local user database. Level 15 authentication should be via an Enable Secret password shared with your admin types.
Configuring default as your list name in the aaa new-model configuration specifies that all (vty, console, http) router access will use the methods that follow. There is no need to specify an authentication command in the vty or console configuration; IOS, by default, uses the default list.
# In the example below a line password is configured for console and vty.
# The default list authentication method in the aaa new-model configuration
# is the local user database, identified with the keyword local. If local
# authentication fails for any reason, the second authentication method is
# the line password, identified with the keyword line.
#
# This command enables a line password used as a secondary authentication
# method (type 0 here, since a type 7 string must already be encrypted).
(config-line)#password 0 mylinepassword
#
# The second command below authenticates all router access to exec mode
# using the local user database (keyword local). The line keyword is a
# second authentication method used in the event the user database
# authentication fails for some reason. The last command authenticates
# level 15 (privileged) using the local Enable Secret password.
(config)#aaa new-model
(config)#aaa authentication login default local line
(config)#aaa authentication enable default enable
#
# Configure your local user database (do not configure privilege levels).
(config)#username joeuser password 0 joeuser01
#
# The Enable Secret password is used to authenticate privileged level 15.
(config)#enable secret myenablesecret
#