06-28-2007 06:49 AM - edited 03-05-2019 05:01 PM
We can get to EXEC mode on our console ports when TACACS is running, but can't go to PRIV mode. Disconnecting TACACS permits full access through the console. I know we're missing something simple, but can't find it. Please help.
06-28-2007 08:51 AM
Please paste the device config to look what's been configured on the box.
-amit singh
06-28-2007 09:02 AM
06-28-2007 09:20 AM
Try removing this command "aaa authorization exec default group tacacs+ none" and it should allow you to go to privilege mode first instead of exec mode. You can add "aaa authorization network default group tacacs+ none" command instead of the above listed command.
Let me know if that helps.
-amit singh
06-28-2007 04:54 PM
Amit
I do not think that this will make much difference since Cisco by default does not do authorization on the console.
In addition to the configuration of aaa it would be very helpful to see the complete config of the console and the vty lines.
HTH
Rick
07-05-2007 10:48 AM
Haven't had time to test sorry.
Yup, removing the command didn't make a difference. However, now I couldn't go to PRIV mode even through the telnet ports using a valid TACACS account (adding the suggested line didn't make a difference).
Here are more specifics about the problem. I'm getting an "Error in Authentication" prompt when trying to PRIV mode after logging in with a TACACS account with TACACS running. I'm assuming that the local account is disabled while there's connectivity to the TACACS server because I couldn't log in at all. I'm also including console and vty port settings for your review.
Thanks,
07-05-2007 12:56 PM
Samih
I have looked at the configs and do not see anything that looks wrong. There is one thing that I would suggest doing differently, but I am not sure that it is your problem. When you configure authorization you configure "none" as the alternate method (aaa authorization exec default group tacacs+ none). I would suggest that instead of "none" that you use "if-authenticated".
I am wondering if I am understanding your symptoms correctly. Are you saying that if you login on the console that you get into user mode but that if you enter the enable command (and give the correct password) that you do not get into privilege mode?
HTH
Rick
07-05-2007 01:04 PM
Yup, that's the problem in a nutshell. You can login to the console port using your TACACS account, but can't access PRIV mode once logged in.
Console login works fine once the TACACS account for the specific device is disabled or the server's disconnected.
I'll look into the "if-authenticated" command you suggest. Thanks for your effort.
07-05-2007 01:15 PM
Samih
The symptoms sound like the user ID you are using on the console may not be configured in TACACS to allow privilege mode. Are you perhaps using one ID for the console and a different ID for the vty login? If you login on the console and use the same ID that works on the vty do you still have a problem?
HTH
Rick
07-05-2007 01:43 PM
The problem occurs when using the same user ID that works on vty. I get the "Error in Authentication" statement after typing enable and password.
07-05-2007 05:27 PM
Samih
I have looked at the configs that you posted and I do not find anything in them that would explain the symptoms that you describe. Are you sure that what you posted is exactly the config of the router?
If so, I would suggest running debug aaa authentication and debug tacacs authentication and then do a telnet which does go to privilege mode and a session on the console that does not. Capture and post the debug output. This may help us understand what is happening.
HTH
Rick
07-06-2007 01:14 PM
07-06-2007 01:24 PM
Samih
Thanks for the additional information. It has most, but not all, of what I asked for. I wanted to see a vty session login and go successfully to privilege mode but your debug only shows it logging in and then logging out without going to privilege mode.
One other question occurs to me, when you login on the vty you are using ID temp000, and what password are you using to get into privilege mode? And when you login on the console using ID temp000 and attempt to go to privilege mode what password are you using?
HTH
Rick
07-06-2007 02:10 PM
Thanks again for your quick response Rick.
The TACACS account for "temp000" (not the real UserID) is set to put me in PRIV mode automatically. I can't type enable because I'm already there.
I'm using my domain password when logging using "temp000". I tried both my domain and the local enable secret password when logged in as "temp000" through the console port and got identical results with both.
07-06-2007 02:35 PM
Samih
The additional information here is quite helpful. It explains much of what is happening. If you have TACACS configured to put the user ID directly into privilege mode then that will work when logging in via vty but will not work when logging in via console. Putting you directly into privilege mode depends on the operation of authorization and Cisco does perform authorization on the vty lines but by default does not do this on the console. So on the console you login and get to user mode and then must enter the enable command and enter the appropriate password to get into privilege mode. When entering the enable command when TACACS is working you would normally enter the user's TACACS password again to get into privilege mode.
HTH
Rick
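To put the two points of this thread side by side (the "none" fallback Rick asked about in his first reply, and the console/vty authorization difference he explains above), here is an added IOS configuration example. It is not the poster's config or anything Rick posted; the server address and key are placeholders, and the final `aaa authorization console` command is an added caveat the thread itself does not mention.

```cisco
! Added example, not the configuration posted in this thread.
! Server address and shared key are placeholders.
aaa new-model
tacacs-server host 192.0.2.10 key PLACEHOLDER-KEY
!
! Login and enable both go to TACACS+ first; "Error in Authentication" at the
! enable prompt usually means the enable request to the server was rejected.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! --- As discussed in the thread: "none" as the fallback method ---
! With "none", EXEC authorization succeeds for anyone once TACACS+ is
! unreachable (fail-open), which is why Rick suggested changing it.
aaa authorization exec default group tacacs+ none
!
! --- Rick's suggestion: "if-authenticated" instead of "none" ---
! Authorization still falls back when the server is down, but only for a
! session that has already passed login authentication.
aaa authorization exec default group tacacs+ if-authenticated
!
! --- Added caveat, not mentioned in the thread ---
! IOS does not apply EXEC authorization on the console by default (Rick's
! point above), so a TACACS+ profile that grants privilege level 15 only
! takes effect on the vty lines; on the console the user lands in user mode
! and must type enable. This command extends EXEC authorization to the
! console too, so the console then follows the same method list and fallback.
aaa authorization console
!
line con 0
 login authentication default
line vty 0 4
 login authentication default
 transport input telnet
```

Keep only one of the two `aaa authorization exec default` lines; both are shown so the weak and the corrected fallback can be compared.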