Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1070
Views
10
Helpful
3
Replies

AAA VTY Tacacs & Local Console access. AAA

Gordel2306
Level 1
Level 1

‎03-22-2021 02:59 AM

Hello,

I have a router which is currently setup for TACACS authentication & it's all good for the VTY lines. What I would like to do is have the console port use a local username defined as test rather than tacacs. I've set it up with the following however every time I login I get the following message:   % Authorization failed.

It seems the Authentication part is ok but the authorization part is still trying to connect to the tacacs server. Any help would be much appreciated.

 

My Config

 

username test privilege 15 password test123

 

aaa new-model
aaa group server tacacs+ default
aaa authentication login default local-case
aaa authentication login vty group tacacs+ local
aaa authentication login CON local
aaa authorization console
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 0 default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common

 

line console 0

login authentication CON

Labels:
0 Helpful
3 Replies 3

paul driver
VIP
VIP

‎03-22-2021 03:42 AM - edited ‎03-22-2021 06:11 AM

Hello

Try the following:
aaa authentication login CON local
aaa authorization exec CON local if-authenticated
aaa authorization commands 0 CON if-authenticated
aaa authorization commands 1 CON if-authenticated
aaa authorization commands 15 CON if-authenticated

line con 0
authorization exec CON
login authentication CON


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

paul driver
VIP
VIP
In response to paul driver

‎03-22-2021 10:36 AM

Hello

Fyi - I should have stated that you should only require to authorisation commands x if you have enabled aaa authorization config-commands default .


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Georg Pauwen
VIP
VIP

‎03-22-2021 04:48 AM

Hello,

 

I came up with the below, which is similar to what Paul suggested, just a bit shorter:

 

aaa authentication login console local
aaa authorization console
aaa authorization exec console local
!
line con 0
exec-timeout 0 0
privilege level 15
authorization exec console
logging synchronous
login authentication console

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card