11-24-2016 08:51 PM - edited 03-11-2019 12:15 AM
Dear All,
I want to enable AAA on the IOS switch for SSH and Telnet, and not for console access. I am putting in the commands below.
Phase 1:
aaa authentication login default group TACACS_SERVERS local
aaa authentication login CONSOLE local
aaa authentication enable default group TACACS_SERVERS enable
aaa session-id common
!
aaa authorization config-commands
aaa authorization exec CONSOLE none
aaa authorization exec default group TACACS_SERVERS local
This way I am able to log in to the console using the local username and password, but the enable password is not working.
Does it require the commands below as well to make it work, as I don't want console users to be authenticated through AAA?
aaa authorization commands 0 default group TACACS_SERVERS if-authenticated
aaa authorization commands 1 default group TACACS_SERVERS if-authenticated
aaa authorization commands 15 default group TACACS_SERVERS if-authenticated
11-25-2016 07:19 AM
Please share the line con 0 configuration from the IOS switch.
Do you have a local enable password set?
Regards
Gagan
11-26-2016 05:53 AM
This command:
aaa authorization exec CONSOLE none
will put you directly in privilege mode; the enable will not be prompted when you access from the console.
But of course you need to use the local username and password for authentication.
These:
aaa authorization commands 1 default group TACACS_SERVERS if-authenticated
aaa authorization commands 15 default group TACACS_SERVERS if-authenticated
are required only if you want to authorize the commands, so make sure to configure the ACS or any authentication server properly,
because each command you type will be forwarded to ACS for authorization permission.
Yazan
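As an added example (not part of any post above), this Python script resolves which AAA method list each line actually uses, which is what the request for the line con 0 configuration is checking: a named list such as CONSOLE only takes effect where it is applied under the line, and `aaa authentication enable` has only a default list shared by every line. The `line con 0` / `line vty 0 4` blocks in the sample are constructed (the thread does not show them) and `resolve` is a hypothetical helper name.

```python
import re

# Constructed sample: the thread's AAA commands plus assumed line blocks
# (the poster's real "line con 0" section is not shown in the thread).
SAMPLE = """\
aaa authentication login default group TACACS_SERVERS local
aaa authentication login CONSOLE local
aaa authentication enable default group TACACS_SERVERS enable
aaa authorization exec CONSOLE none
aaa authorization exec default group TACACS_SERVERS local
!
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
line vty 0 4
 transport input ssh telnet
"""

AAA_RE = re.compile(r"^aaa (authentication login|authentication enable|authorization exec) (\S+) (.+)$")
APPLY_RE = re.compile(r"^(login authentication|authorization exec) (\S+)$")
KIND = {"login authentication": "authentication login", "authorization exec": "authorization exec"}

def resolve(config):
    """Return {line: {service: (list_name, methods or None)}} for every line block."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not raw.startswith(" "):  # a top-level command ends any open line block
            current = lines.setdefault(text, {}) if text.startswith("line ") else None
            m = AAA_RE.match(text)
            if m:
                lists[(m.group(1), m.group(2))] = m.group(3).split()
        elif current is not None:
            a = APPLY_RE.match(text)
            if a:
                current[KIND[a.group(1)]] = a.group(2)
    out = {}
    for name, applied in lines.items():
        out[name] = {}
        # Nothing applied under the line means the "default" list is used;
        # enable authentication can only ever resolve to "default".
        for svc in ("authentication login", "authorization exec", "authentication enable"):
            lst = applied.get(svc, "default")
            out[name][svc] = (lst, lists.get((svc, lst)))
    return out

if __name__ == "__main__":
    for line, svcs in resolve(SAMPLE).items():
        for svc, (lst, methods) in svcs.items():
            print(f"{line:14} {svc:22} {lst:8} {methods}")
```

A `None` in the methods column means the line references a list name that is not defined anywhere in the configuration.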