03-22-2021 02:59 AM
Hello,
I have a router which is currently set up for TACACS authentication & it's all good for the VTY lines. What I would like to do is have the console port use a local username defined as test rather than tacacs. I've set it up with the following, however every time I log in I get the following message: % Authorization failed.
It seems the Authentication part is ok but the authorization part is still trying to connect to the tacacs server. Any help would be much appreciated.
My Config
username test privilege 15 password test123
aaa new-model
aaa group server tacacs+ default
aaa authentication login default local-case
aaa authentication login vty group tacacs+ local
aaa authentication login CON local
aaa authorization console
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 0 default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common
line console 0
login authentication CON
03-22-2021 03:42 AM - edited 03-22-2021 06:11 AM
Hello
Try the following:
aaa authentication login CON local
aaa authorization exec CON local if-authenticated
aaa authorization commands 0 CON if-authenticated
aaa authorization commands 1 CON if-authenticated
aaa authorization commands 15 CON if-authenticated
line con 0
authorization exec CON
login authentication CON
03-22-2021 10:36 AM
Hello
FYI - I should have stated that you should only require the authorisation commands x if you have enabled aaa authorization config-commands default.
03-22-2021 04:48 AM
Hello,
I came up with the below, which is similar to what Paul suggested, just a bit shorter:
aaa authentication login console local
aaa authorization console
aaa authorization exec console local
!
line con 0
exec-timeout 0 0
privilege level 15
authorization exec console
logging synchronous
login authentication console
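An added example, not part of any reply in this thread: a small Python check that resolves which exec authorization method list governs the console line, run on lines excerpted from the original config and from the last reply. The function and variable names are assumptions for illustration, and a list whose first method is a server group is treated as one that queries TACACS+ first.

```python
import re

# Lines excerpted from the posts above: the original config and the last reply's fix.
ORIGINAL = """\
aaa authorization console
aaa authorization exec default group tacacs+ local if-authenticated
line console 0
login authentication CON
"""
FIXED = """\
aaa authorization console
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization exec console local
line con 0
authorization exec console
login authentication console
"""

def _methods(tokens):
    """Fold 'group <name>' into one method; keep 'local', 'if-authenticated', etc."""
    out, it = [], iter(tokens)
    for tok in it:
        out.append(f"group {next(it, '')}".strip() if tok == "group" else tok)
    return out

def console_exec_authorization(config):
    """Resolve which 'aaa authorization exec' list governs the console line."""
    lists, enforced, bound, in_con = {}, False, None, False
    for raw in config.splitlines():
        line = raw.strip()
        aaa = re.match(r"aaa authorization exec (\S+) (.+)", line)
        if aaa:
            lists[aaa.group(1)] = _methods(aaa.group(2).split())
        elif line == "aaa authorization console":
            enforced = True          # without this, console logins skip authorization
        elif line.startswith("line "):
            in_con = re.fullmatch(r"line con(sole)? 0", line) is not None
        elif in_con and (m := re.fullmatch(r"authorization exec (\S+)", line)):
            bound = m.group(1)       # list applied on the line itself
    name = bound or "default"        # unbound lines fall back to the default list
    methods = lists.get(name, []) if enforced else []
    return {"enforced": enforced, "list": name if enforced else None,
            "methods": methods,
            "remote_first": bool(methods) and methods[0].startswith("group ")}

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, console_exec_authorization(cfg))
```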