TACACS console question

Answered Question
Jan 31st, 2007

Hi,

I have just put TACACS on a few IOS devices. I am only using a default group which is set up to provide level 15 privileges. As I am using the same default group on both vty and console I would expect access by the 2 methods to be the same, but when I telnet in I get level 15 straight to the # prompt, but when I console in I still get prompted for the enable secret.

Any ideas?

Regards

Chris Ayres

Correct Answer by Richard Burts about 9 years 8 months ago

Chris

You are finding a behavior that Cisco has done for a long time (and probably for good reason). The TACACS authentication/authorization to put someone directly into privilege mode by default works on the vty and does not work on the console.

The rationale is that if you make a mistake in configuring authentication/authorization (very easy to do - especially if your understanding of what you are doing is a bit weak) it would be easy to lock yourself out of the device. So by default it works on vty and does not work on console (providing a way to recover from problems). There is a hidden command that you can use to also have this work on the console (be very careful that your config works properly before you enable it on the console).

If you want it, try this:

aaa authorization console

HTH

Rick
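The check the answer recommends before enabling the hidden command can be automated. The following is an added example, not part of the original thread: a small Python audit that reads an IOS running-config and reports whether `aaa authorization console` is enabled while the exec method list used by the console has no fallback. The sample configs are constructed, and the set of fallback methods (`local`, `if-authenticated`, `none`) is an assumption about what the operator accepts as a recovery path.

```python
import re

# Exec-authorization methods that still work when no TACACS+ server answers.
FALLBACKS = {"local", "if-authenticated", "none"}

def console_authz_status(config: str) -> str:
    """Classify console exec authorization in an IOS running-config.

    Returns "off", "undefined-list", "lockout-risk" or "ok".
    """
    exec_lists = {}           # method-list name -> ordered methods
    console_enabled = False   # 'aaa authorization console' present?
    console_list = "default"  # list applied under 'line con 0'
    in_console = False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # new top-level command
            in_console = line.startswith("line con")
        m = re.match(r"aaa authorization exec (\S+) (.+)", line)
        if m:
            exec_lists[m.group(1)] = m.group(2).split()
        elif line == "aaa authorization console":
            console_enabled = True
        elif in_console:
            m = re.match(r"authorization exec (\S+)", line)
            if m:
                console_list = m.group(1)
    if not console_enabled:
        return "off"              # IOS default: console keeps the enable prompt
    methods = exec_lists.get(console_list)
    if methods is None:
        return "undefined-list"
    if not FALLBACKS.intersection(methods):
        return "lockout-risk"     # console depends entirely on the AAA server
    return "ok"

# Constructed sample configs (not from the thread).
RISKY = """aaa new-model
aaa authorization exec default group tacacs+
aaa authorization console
line con 0
 login authentication default
"""
SAFE = RISKY.replace("group tacacs+", "group tacacs+ local")
DEFAULT = RISKY.replace("aaa authorization console\n", "")
```

A result of "lockout-risk" means the console, normally the recovery path, would fail exec authorization whenever the TACACS+ server is unreachable.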

Richard Burts Wed, 01/31/2007 - 20:46