Beginner

AAA commands

Dear All,

I want to enable AAA on the IOS switch for SSH and Telnet, but not for console access. I am entering the commands below.

Phase 1:

aaa authentication login default group TACACS_SERVERS local
aaa authentication login CONSOLE local
aaa authentication enable default group TACACS_SERVERS enable
aaa session-id common
!
aaa authorization config-commands
aaa authorization exec CONSOLE none

aaa authorization exec default group TACACS_SERVERS local

This way I am able to log in to the console using the local username and password, but the enable password is not working.

Does it require the commands below as well to make it work? I don't want console users to be authenticated through AAA.


aaa authorization commands 0 default group TACACS_SERVERS if-authenticated
aaa authorization commands 1 default group TACACS_SERVERS if-authenticated
aaa authorization commands 15 default group TACACS_SERVERS if-authenticated

2 REPLIES
Cisco Employee

Please share the line con 0 configuration from the IOS switch.

Do you have a local enable password set?

Regards

Gagan

Cisco Employee

This command:

aaa authorization exec CONSOLE none

will put you directly in privilege mode; enable will not be prompted when you access from the console.

But of course you need to use the local username and password for authentication.

Those:

aaa authorization commands 1 default group TACACS_SERVERS if-authenticated
aaa authorization commands 15 default group TACACS_SERVERS if-authenticated

are required only if you want to authorize the commands! So make sure to configure the ACS or any authentication server properly, because each command you type will be forwarded to ACS for authorization permission.

Yazan
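
An added example, not part of any post in this thread: a small Python audit that resolves which AAA method list governs each line of an IOS configuration, which is the check the thread turns on. The `aaa` lines in the sample are the ones posted above; the `line con 0` and `line vty 0 4` stanzas are assumptions, since the thread never shows them, and `resolve_aaa` is a hypothetical helper name.

```python
import re

# Constructed sample: the aaa lines come from the thread; the two line
# stanzas are assumptions, since the thread never shows them.
SAMPLE_CONFIG = """\
aaa authentication login default group TACACS_SERVERS local
aaa authentication login CONSOLE local
aaa authentication enable default group TACACS_SERVERS enable
aaa authorization exec CONSOLE none
aaa authorization exec default group TACACS_SERVERS local
!
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
line vty 0 4
 transport input ssh telnet
"""

SERVICES = ("authentication login", "authentication enable", "authorization exec")
AAA_RE = re.compile(r"^aaa (%s) (\S+) (.+)$" % "|".join(SERVICES))
# Line-mode commands that bind a named method list to a line.
BIND = {"login authentication": "authentication login",
        "authorization exec": "authorization exec"}

def resolve_aaa(config):
    """Return {line stanza: {service: (list name, methods)}}."""
    lists, bound, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        m = AAA_RE.match(text)
        if m:
            lists[(m.group(1), m.group(2))] = m.group(3)
        elif raw.startswith("line "):
            current = text
            bound[current] = {}
        elif raw.startswith(" ") and current:
            for cmd, service in BIND.items():
                if text.startswith(cmd + " "):
                    bound[current][service] = text[len(cmd) + 1:]
        else:
            current = None
    report = {}
    for line, names in bound.items():
        report[line] = {}
        for service in SERVICES:
            # No named list on the line means "default"; enable authentication
            # has only a default list, so that list covers every line.
            name = names.get(service, "default")
            report[line][service] = (name, lists.get((service, name), "(not configured)"))
    return report
```

A named list that is bound on a line but never defined shows up as `(not configured)`, which is worth flagging before relying on the console as the fallback access path.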