Console port authorization (9300 switch)

omarmontes
Level 4

Hi guys..

We are having trouble using the console port of a switch configured with AAA. As far as I know, authorization is NOT enabled on the console port of the switches by default, and we do NOT have the "aaa authorization console" command, but somehow, we are getting an "% authorization error" while authenticating to the console port.

Here are the AAA commands used:

aaa authentication attempts login 2
aaa authentication login default local
aaa authentication login admin group GROUP local
aaa authentication login consola line <- Configured but not used
aaa authorization config-commands
aaa authorization exec default group GROUP local
aaa authorization commands 5 default group GROUP local
aaa authorization commands 15 default group GROUP local

line con 0
privilege level 15
logging synchronous
stopbits 1


The device is a 9300 switch with IOS 16.12.04.

SSHing to the switch works fine.

I'm aware of this bug: https://bst.cisco.com/bugsearch/bug/CSCeb08860?rfs=qvlogin but I think it is for older versions of IOS.

Thanks in advance to anyone helping!

5 Replies

@omarmontes 

The issue arises due to the "aaa authorization exec default group GROUP local"

This makes IOS XE apply the default method list to all lines. Use the command "no aaa authorization exec default" and test.

Thanks for the input. According to the documentation, the default is: no authorization on the console port. Even if you explicitly try to configure it on the con 0 line with "authorization exec XXX" you get an error saying the configuration is irrelevant without the global command "aaa authorization console". Sadly, this is a production device so I can't try it right now. BUT, I used the same configuration I posted in an emulated device and it worked just right (with the "authorization exec default" and without the "aaa authorization console" commands). So maybe the bug is still out there in newer IOS?

I don't believe this is a bug. When you tested in the emulator, did you have a TACACS server available on it?

No TACACS, but it fell back to local authentication. I ran a debug and it said something like "console user don't need authorization" or something like that, after authentication.

The emulation is working as suggested by the documentation, where console authorization is only enabled when explicitly stated by the command "aaa authorization console".

If you don't have a TACACS server in the simulation, the scenario is not the same. You need to run this with TACACS, because when the switch can communicate with the TACACS server, the behavior is different.
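As an added example (not from the thread or from Cisco), a small Python audit that pulls out the settings the replies argue over: whether "aaa authorization console" is present, which methods the default exec authorization list uses, and what line con 0 binds explicitly, so the state can be checked before the console is relied on as the out-of-band fallback. The sample config is constructed from the lines quoted above, and the function name and output fields are my own.

```python
import re
# Config excerpt constructed from the AAA and "line con 0" lines quoted in the thread, not a capture.
SAMPLE_CONFIG = """\
aaa authentication attempts login 2
aaa authentication login default local
aaa authentication login admin group GROUP local
aaa authentication login consola line
aaa authorization config-commands
aaa authorization exec default group GROUP local
aaa authorization commands 5 default group GROUP local
aaa authorization commands 15 default group GROUP local
!
line con 0
 privilege level 15
 logging synchronous
 stopbits 1
"""

def audit_console_aaa(config: str) -> dict:
    """Report the settings that decide whether, and with which list, the console runs exec authorization."""
    result = {
        "authorization_console": False,      # 'aaa authorization console' present?
        "exec_default_methods": None,        # methods on 'aaa authorization exec default'
        "console_login_list": "default",     # 'login authentication X' under line con 0
        "console_authorization_list": None,  # 'authorization exec X' under line con 0
        "findings": [],
    }
    section = None  # the 'line ...' block we are inside, if any
    for raw in config.splitlines():
        text = raw.strip()
        if not raw.startswith(" "):  # any top-level command ends the current line block
            section = text if text.startswith("line ") else None
        if text == "aaa authorization console":
            result["authorization_console"] = True
        elif m := re.match(r"aaa authorization exec default (.+)$", text):
            result["exec_default_methods"] = m.group(1).split()
        elif section == "line con 0":
            if m := re.match(r"login authentication (\S+)$", text):
                result["console_login_list"] = m.group(1)
            elif m := re.match(r"authorization exec (\S+)$", text):
                result["console_authorization_list"] = m.group(1)
    methods = result["exec_default_methods"]
    if methods and not result["authorization_console"]:
        result["findings"].append("exec default list set but 'aaa authorization console' "
                                  "absent: confirm console behaviour in a lab with a reachable server")
    if methods and methods[0] == "group":
        result["findings"].append(f"server group {methods[1]} is consulted first; 'local' "
                                  "is used only when the server is unreachable, not when it denies")
    return result
```

Run it against `show running-config | include aaa|^line|^ ` output to see the same summary for a real device.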