cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1402
Views
10
Helpful
3
Replies

AAA VTY Tacacs & Local Console access. AAA

Gordel2306
Level 1
Level 1

Hello,

I have a router which is currently setup for TACACS authentication & it's all good for the VTY lines. What I would like to do is have the console port use a local username defined as test rather than tacacs. I've set it up with the following however every time I login I get the following message:   % Authorization failed.

It seems the Authentication part is ok but the authorization part is still trying to connect to the tacacs server. Any help would be much appreciated.

 

My Config

 

username test privilege 15 password test123

 

aaa new-model
aaa group server tacacs+ default
aaa authentication login default local-case
aaa authentication login vty group tacacs+ local
aaa authentication login CON local
aaa authorization console
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 0 default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common

 

line console 0

login authentication CON

3 Replies 3

Hello

Try the following:
aaa authentication login CON local
aaa authorization exec CON local if-authenticated
aaa authorization commands 0 CON if-authenticated
aaa authorization commands 1 CON if-authenticated
aaa authorization commands 15 CON if-authenticated

line con 0
authorization exec CON
login authentication CON


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello

Fyi - I should have stated that you should only require to authorisation commands x if you have enabled aaa authorization config-commands default .


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello,

 

I came up with the below, which is similar to what Paul suggested, just a bit shorter:

 

aaa authentication login console local
aaa authorization console
aaa authorization exec console local
!
line con 0
exec-timeout 0 0
privilege level 15
authorization exec console
logging synchronous
login authentication console

Review Cisco Networking for a $25 gift card