AAA and TACACS on everything BUT NOT console

Unanswered Question
Feb 22nd, 2007

Would like to enable login authentication AND enable authentication on VTY but NOT console. Console should authenticate locally for both user and privilege modes ... I can't seem to separate the 'enable' piece ... any thoughts?

daviddtran Thu, 02/22/2007 - 19:17

I do not think you can separate the method list for the enable piece. I've asked Cisco about this in the past and they told me that it is not possible. You can have a different method list for the console for the "exec" mode but not the enable or privilege mode. It is either "tacacs" or "enable" or some other combinations but not a separate method list for "enable" by itself. Maybe Cisco added this new feature in 12.4. I've done my testing on both 12.2T and 12.3T and, IMHO, it is not possible to separate the enable piece. Here is my config:

! aaa new-model is required before any of the aaa commands below are accepted
aaa new-model
!
! Local credentials: used by the console login list and as the enable fallback
username cisco password cisco
enable secret cisco
!
! Login method lists: "notac" is local only (console), "VTY" tries TACACS+ then local
aaa authentication login notac local
aaa authentication login VTY group tacacs+ local
aaa authentication login web local enable
!
! Enable authentication only has a "default" list, so it applies to the console as well;
! the trailing "enable" method falls back to the enable secret if TACACS+ is unreachable
aaa authentication enable default group tacacs+ enable
!
! Authorization: console gets the "notac" exec list (none), VTY goes to TACACS+
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
!
! Accounting: exec and command records sent to TACACS+ (start-stop)
aaa accounting exec TAC start-stop group tacacs+
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 TAC start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 TAC start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 10 TAC start-stop group tacacs+
aaa accounting commands 15 TAC start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection TAC start-stop group tacacs+
aaa session-id common
!
! Console: local login and local exec authorization; enable still uses the global default list
! (exec-timeout 0 0 disables the idle timeout; a lab setting)
line con 0
 exec-timeout 0 0
 authorization exec notac
 accounting commands 0 VTY
 accounting commands 1 VTY
 accounting commands 15 VTY
 accounting exec VTY
 logging synchronous
 login authentication notac
!
! VTY: TACACS+ login, authorization and accounting via the "VTY" lists
line vty 0 15
 exec-timeout 0 0
 authorization commands 0 VTY
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 accounting commands 0 VTY
 accounting commands 1 VTY
 accounting commands 15 VTY
 accounting exec VTY
 login authentication VTY
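The answer's point is that `aaa authentication login` lists can be bound per line, while `aaa authentication enable` has only a global `default` list, so whatever that list says also governs the console's privileged mode. The following script is an added example, not part of the original thread or of Cisco's tooling: a small parser that reads an IOS-style running-config, resolves which login list the console uses, reports the global enable list that the console is stuck with, and warns when that enable list has no local fallback behind the TACACS+ server group (the lockout case an operator would want to catch before deploying). The config text embedded in it is a constructed sample modelled on the post, and the function and field names are the example's own.

```python
"""Audit which AAA method lists apply to 'line con 0' in an IOS-style config.

Added example (not from the original post). Demonstrates that login lists are
per-line while the enable list is global-only, by parsing a constructed sample.
"""
import re
from dataclasses import dataclass, field

# Constructed sample config, modelled on the forum post (not a real device dump)
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login notac local
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
line con 0
 exec-timeout 0 0
 login authentication notac
line vty 0 15
 login authentication VTY
"""


@dataclass
class AaaView:
    login_lists: dict = field(default_factory=dict)     # list name -> [methods]
    enable_default: list = field(default_factory=list)  # the only enable list IOS has
    console_login_list: str = "default"                 # applied unless line con overrides


def split_methods(spec: str) -> list:
    """Turn 'group tacacs+ enable' into ['group tacacs+', 'enable']."""
    toks = spec.split()
    out, i = [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append(f"group {toks[i + 1]}")
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


def parse_config(text: str) -> AaaView:
    """Collect login lists, the enable default list, and the console's login binding."""
    view = AaaView()
    section = None  # last top-level (unindented) command, used to track 'line' blocks
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):
            section = line
            m = re.match(r"aaa authentication login (\S+) (.+)", line)
            if m:
                view.login_lists[m.group(1)] = split_methods(m.group(2))
            m = re.match(r"aaa authentication enable default (.+)", line)
            if m:
                view.enable_default = split_methods(m.group(1))
            continue
        # Indented sub-command: only 'line con' bindings matter for this audit
        if section and section.startswith("line con"):
            m = re.match(r"\s*login authentication (\S+)", line)
            if m:
                view.console_login_list = m.group(1)
    return view


def console_findings(view: AaaView) -> list:
    """Report what the console line will actually use for login and enable."""
    out = []
    login = view.login_lists.get(view.console_login_list, [])
    out.append(f"console login list '{view.console_login_list}': "
               + (" -> ".join(login) or "(undefined list)"))
    if any(m.startswith("group ") for m in login):
        out.append("WARN: console login depends on a remote AAA server")
    # No 'aaa authentication enable' list means plain 'enable secret' checking
    enable = view.enable_default or ["enable"]
    out.append("console enable: global 'default' list only, no per-line override exists: "
               + " -> ".join(enable))
    remote = [m for m in enable if m.startswith("group ")]
    if remote and not any(m in ("enable", "line", "none") for m in enable):
        out.append("WARN: console privileged mode depends on " + ", ".join(remote)
                   + " with no local fallback; add 'enable' as the last method or the "
                   "console cannot reach enable mode when the server is unreachable")
    elif remote:
        out.append("OK: enable list tries " + ", ".join(remote)
                   + " first and falls back locally")
    return out


if __name__ == "__main__":
    for finding in console_findings(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Running it against the sample reports that the console logs in via the local-only `notac` list but reaches enable mode through `group tacacs+ -> enable`, which is exactly the coupling the thread describes; dropping the trailing `enable` method from the default list flips the last finding to a lockout warning.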
