
How to Go directly into priv mode with local account and AAA configured

CiscoPurpleBelt
Level 6

I would like to know how to go directly into privilege mode using a local account (if TACACS is down). I tried doing different "if-authenticated configs" and it still prompts for an enable password to go into enable mode. Also, is there anything else I need to add under line console 0 if I want to always use local accounts to access the line con 0?

Here are my AAA configs:

 

aaa authentication login default group tacacs+ local line enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

6 Replies

johnd2310
Level 8

Hi,

What is the configuration of the local user account? It should be something like:

username XXXX privilege XXXX secret XXXX

For console login to use local account, make sure you have a local account and try the following:

 

aaa authentication login console-login local

 

line console 0

     login authentication console-login

 

Thanks

John

 

**Please rate posts you find helpful**

Yes it is priv 15 for user account.
I thought the AAA authentication will apply to all mgmt. ports (mgmt., line con, vty, etc.)?

Yes username is priv 15.
If I don't add the AAA authentication config and line con 0 config you described, will I still be prompted to enter my TACACS creds if the server is up when attempting to console into a device?

Hello,

The below gets you directly into enable mode when using the local account; is this what you are looking for?

username admin privilege 15 secret cisco
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated

 

line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1

Oh ok, so I should take out the "line enable" from my 1st AAA config line, and then add: privilege level 15 under line vty 0 4? What about vty 5 15?

Exactly.

And yes, configure vty 5 15 in the same way as 0 4.
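
An added example, not part of any post in this thread: a small Python audit that resolves which login method list each line stanza uses and flags the line settings discussed above (no `local` fallback, `privilege level 15`, `exec-timeout 0 0`, vty ranges configured differently). The function names, the finding labels and the sample configuration are constructed for illustration, and the parser only understands the commands that appear in this thread.

```python
import re

# Constructed sample assembled from the commands posted in the thread.
SAMPLE = """\
aaa authentication login default group tacacs+ local
aaa authentication login console-login local
line console 0
 login authentication console-login
line vty 0 4
 exec-timeout 0 0
 privilege level 15
line vty 5 15
"""

# Line sub-commands worth surfacing in a review, with the note to report.
CHECKS = {"privilege level 15": "default privilege 15",
          "exec-timeout 0 0": "idle timeout disabled"}

def parse(config):
    """Return ({login list name: methods}, {line name: [sub-commands]})."""
    login, lines, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:  # keep "group <name>" together as a single method
            login[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))
        if raw.startswith("line "):
            current = lines.setdefault(text[5:], [])
        elif raw.startswith(" ") and current is not None:
            current.append(text)
        else:
            current = None  # any other top-level command ends the stanza
    return login, lines

def audit(config):
    """Map each line stanza to its login method list and findings."""
    login, lines = parse(config)
    vty = [body for name, body in lines.items() if name.startswith("vty")]
    report = {}
    for name, body in lines.items():
        lst = next((c.split()[2] for c in body
                    if c.startswith("login authentication ")), "default")
        methods = login.get(lst, [])
        findings = [] if "local" in methods else ["no local fallback"]
        findings += [note for cmd, note in CHECKS.items() if cmd in body]
        if name.startswith("vty") and body != vty[0]:
            findings.append("differs from first vty range")
        report[name] = {"list": lst, "methods": methods, "findings": findings}
    return report
```

Calling `audit(SAMPLE)` shows the console resolving to the `console-login` list, `vty 0 4` carrying both line-level findings, and `vty 5 15` flagged because it was not configured like `vty 0 4`.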
