2960X Switch - Console Authorization

Terry
Level 1

Hi

I'm seeing an % Authorization failed error when I try to access my switch via the console port.

I want to separate my VTY and console access -

vty to use TACACS - this is working

console to use local database

I have the following config in place:

aaa new-model
!
aaa authentication login default group ISE local
aaa authentication login CONSOLE local
aaa authorization config-commands
aaa authorization exec default group ISE if-authenticated
aaa authorization commands 1 default group ISE if-authenticated
aaa authorization commands 15 default group ISE if-authenticated
aaa accounting delay-start
aaa accounting commands 1 default start-stop group ISE
aaa accounting commands 15 default start-stop group ISE
!
line con 0
 login authentication CONSOLE

 

My understanding is that there shouldn't be any authorization applied on the console port by default, but when I debug the switch (debug aaa authorization) I can see the default method is being picked. This is also the case when I configure authorization for the console port.

 

I have found some bugs for this issue, but they all relate to older software versions; I can't find anything for the version I'm running:

WS-C2960X-48FPS-L (stack x2)

15.2(4)E7

 

Any help would be appreciated.

 

Thanks

1 Reply

cmarva
Level 4

It's been a while, but I think you can do something like:

aaa authorization CONSOLE none

 

You may have to play around with syntax to find the right command.
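
One way to express the separation asked for in this thread, as an added example that is not part of either post: standard IOS named authorization method lists bound to line con 0. The list name CONSOLE is reused from the question's authentication list, the choice of `local` as the method is an assumption, and the page does not confirm the behaviour on 15.2(4)E7.

```cisco
! Added example, not from the thread. Assumes the AAA config shown in the question.
! Keep an already-authorized VTY session open while testing so that a mistake
! cannot lock you out of both access paths.
!
! Before (as posted): only login authentication is bound to the console, and the
! question reports that authorization on line con 0 picks the "default" lists,
! which send requests to group ISE.
!
!   line con 0
!    login authentication CONSOLE
!
! After: named authorization lists that never consult ISE, bound to the console.
! "local" authorizes against the local user database; "none" (as the reply
! suggests) or "if-authenticated" are the other methods accepted in this position.
aaa authorization exec CONSOLE local
aaa authorization commands 1 CONSOLE local
aaa authorization commands 15 CONSOLE local
!
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
 authorization commands 1 CONSOLE
 authorization commands 15 CONSOLE
!
! VTY lines are left untouched and keep using the default (ISE) lists.
```

With `debug aaa authorization` running, as in the question, a console login should then be matched against the CONSOLE list rather than the default one.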
