ACS command authorisation on console

Unanswered Question
Mar 8th, 2007


We are trying to set up command authoristaion.

On VTY evrythings working out but it is not authorising anything on console.

In debugging aaa authorisation it only tells me :

Jun 17 01:45:50: AAA/AUTHOR: authenticated console user is permitted

Anyone any thought on this ?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Richard Burts Thu, 03/08/2007 - 10:45


What you are encountering is standard behavior for IOS. Cisco, on purpose, does not do authorization on the console by default. The reasoning was that authorization on the console has real potential to lock you out of the router is you are careless or do not understand well what you are doing when you set up authorization. There is a command that will cause the router to do authorization on the console as well as the vty ports. If you want it try this:

aaa authorization console



Tsasbrink Thu, 03/08/2007 - 12:29


It seems to be a hidden command as "aaa authorisation" with a question mark does not list the console option. But the command does go to the config.

This doe seem to be the thing I am looking for. I will post the results tomorrow.


Richard Burts Thu, 03/08/2007 - 18:46


Yes it is a hidden command. It does work if configured (and I believe it will be the answer to what you are trying to do). Cisco has positioned it so that you would not do this accidentally. I believe that the risk factor is relatively high with this, so Cisco puts it there if you intentionally use it but makes it obscure as a way of protecting people.




This Discussion