Console Local Login with aaa new-model issue

dflowers
Level 1

Hi All,

Have an issue configuring a Cisco C8200-1N-4T with IOS-XE 17.06.06a for local console login with no external servers. I have used the following commands but still cannot authenticate.

aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local

username WMS-RTR-Admin privilege 15 password 7 10631F1811001C5F0E4C1E0907113B270653

enable secret 9 $9$nQo1zgfAtxeaDE$rPXZbytNTplMq95VmA1stMSWYFJ4It2d8O6UYRzdUVI

Can't see what I'm doing wrong, please point me in the right direction.

Thank you

 


12 Replies

M02@rt37
VIP

Hello @dflowers 

Add this under line con 0:

login authentication default

Please share line con 0 config. 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

dflowers
Level 1

Hello I added that statement but still was not successful, I will add it back to the configuration. When I do add that statement back into the configuration, it does not appear when I do show config 

line con 0
exec-timeout 0 0
stopbits 1

OK, so by default this command is written.

What is the symptom when you try to connect via console port ?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hi M02@rt37,
With aaa authentication login default added to the global configuration, I am prompted for a user name and password. The login attempt fails every time. I have bypassed the configuration to verify/change the password but the same results.
Without aaa authentication login default added to the global configuration, the router does not prompt for a username just the enable security password.
I have used the options of local and line and even none but still can't login with aaa authentication login default added to the global configuration.
This router( C8200-1N-4T ) is at IOS version 17.6.6a, this router is new to me. In the process of replacing a 2921 router.
Thank you for responding

Jens Albrecht
Level 1

Hello @dflowers,

the config snippet you posted looks good, nothing obviously wrong.

Are you prompted for username/password repeatedly when you try to connect via console?

Can you ssh into your device?
If yes, then open a terminal via ssh and enter the commands "terminal monitor", "debug aaa authentication" and "debug aaa authorization" in privileged mode. Try to login via console and post the debug output.

Add 

Login authc default 

Exec authz default 

Under console and check 

MHM

Hi HM Cisco World,
Login authentication default when entered does reflect under the console line 0
Exec authentication does not appear to be a valid command.
This Cisco C8200-1N-4T does not respond to the command strings, all new to me.

authorization exec default <<- correct command, add it under console 

Try using show run all to see the command added under console 

MHM

Hi, entered command as you described but with same results.

UURWASR010#config t
Enter configuration commands, one per line. End with CNTL/Z.
UURWASR010(config)#aaa authorization console
UURWASR010(config)#line console 0
UURWASR010(config-line)#authorization exec default
UURWASR010(config-line)#
UURWASR010#wr
Building configuration...
From line Console 0:
line con 0
motd-banner
exec-banner
exec-timeout 0 0
timeout login response 30
privilege level 1
flush-at-activation
activation-character 13
logout-warning 20
absolute-timeout 0
data-character-bits 8
exec-character-bits 7
special-character-bits 7
domain-lookup
exec
length 24
width 80
history size 10
history
editing
monitor
escape-character soft DEFAULT
escape-character DEFAULT
autohangup session-timeout
databits 8
stopbits 1
start-character 17
stop-character 19
speed 9600

It seems to me that there are two possible issues here: 1) problem with authentication 2) problem with authorization. I strongly suspect that the issue is about authorization. So my suggestion is to remove the authorization commands (leaving only the authentication command). If you are then able to login, then we know to focus on authorization configuration. If it still does not work then we can focus on the authentication commands.

HTH

Rick

Thank you, Mr. Burts
Will do and post the results

Jens Albrecht
Level 1

Did you have a chance to collect the debug output as suggested above?

In case that you are not familiar with debug commands, then this is what you need to do:

  • Enter privileged mode
  • Enter the command "terminal monitor". This is needed for remote sessions to see the log and debug messages
  • Enter the command "debug aaa authentication"
  • Enter the command "debug aaa authorization"
  • Try to log in via console
  • Enter the command "undebug all" to stop debugging
  • Post the output of the debug messages

Based on the output we should be able to narrow down what is going on.

HTH!
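
Added example, not part of any post in this thread: a Python check that follows the authentication/authorization split suggested above and reports, for a saved running-config, which method lists a console login has to pass. The sample config is constructed from lines posted in the thread with the secret replaced by a placeholder and line sub-commands indented as IOS prints them; the function name `console_aaa_report` is hypothetical.

```python
import re

# Constructed sample assembled from the configuration lines posted in this thread
# (the password value is replaced with a placeholder).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
aaa authorization network default local
username WMS-RTR-Admin privilege 15 password 7 <TYPE7-PLACEHOLDER>
line con 0
 authorization exec default
 exec-timeout 0 0
 stopbits 1
"""

def console_aaa_report(config: str) -> dict:
    """Summarise which AAA checks a console login must pass."""
    lists = {}  # (kind, list name) -> methods, e.g. ("login", "default") -> ["local"]
    line_cfg = {"login": "default", "exec": "default"}  # lines use the default lists unless overridden
    in_console = False
    report = {"aaa_new_model": False, "console_authz_enabled": False, "type7_users": []}
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command opens or closes the console block
            in_console = bool(re.match(r"line con(sole)? 0$", line))
        if line == "aaa new-model":
            report["aaa_new_model"] = True
        elif line == "aaa authorization console":
            report["console_authz_enabled"] = True
        elif m := re.match(r"aaa authentication login (\S+) (.+)", line):
            lists[("login", m[1])] = m[2].split()
        elif m := re.match(r"aaa authorization exec (\S+) (.+)", line):
            lists[("exec", m[1])] = m[2].split()
        elif m := re.match(r"username (\S+) .*\bpassword 7 ", line):
            report["type7_users"].append(m[1])  # type 7 is reversible obfuscation, not a hash
        elif in_console and (m := re.match(r"login authentication (\S+)", line)):
            line_cfg["login"] = m[1]
        elif in_console and (m := re.match(r"authorization exec (\S+)", line)):
            line_cfg["exec"] = m[1]
    report["console_login_methods"] = lists.get(("login", line_cfg["login"]), [])
    # Exec authorization only applies on the console when 'aaa authorization console' is set.
    report["console_exec_methods"] = (
        lists.get(("exec", line_cfg["exec"]), []) if report["console_authz_enabled"] else [])
    return report
```

An empty `console_exec_methods` means only the login method list gates the console, which is the state the isolation test in the thread aims for.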