ACS command authorisation on console

Mar 8th, 2007

Hi,


We are trying to set up command authorisation.


On VTY everything's working out, but it is not authorising anything on console.


In debugging aaa authorisation it only tells me:


Jun 17 01:45:50: AAA/AUTHOR: authenticated console user is permitted


Anyone any thoughts on this?


Tia,


Tom

Richard Burts Thu, 03/08/2007 - 10:45

Tom


What you are encountering is standard behavior for IOS. Cisco, on purpose, does not do authorization on the console by default. The reasoning was that authorization on the console has real potential to lock you out of the router if you are careless or do not understand well what you are doing when you set up authorization. There is a command that will cause the router to do authorization on the console as well as the vty ports. If you want it, try this:

aaa authorization console


HTH


Rick

Tsasbrink Thu, 03/08/2007 - 12:29

Ok,


It seems to be a hidden command as "aaa authorisation" with a question mark does not list the console option. But the command does go to the config.


This does seem to be the thing I am looking for. I will post the results tomorrow.


Thanx

Richard Burts Thu, 03/08/2007 - 18:46

Tom


Yes it is a hidden command. It does work if configured (and I believe it will be the answer to what you are trying to do). Cisco has positioned it so that you would not do this accidentally. I believe that the risk factor is relatively high with this, so Cisco puts it there if you intentionally use it but makes it obscure as a way of protecting people.


HTH


Rick
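
An added example, not part of the thread and not Cisco tooling: a small Python check over a saved running-config that flags the situation discussed above (command authorization configured, but `aaa authorization console` absent so the console is not authorized). It also flags method lists with no fallback method, one way authorization can lock you out when the AAA server is unreachable. Both sample configs are constructed, and the function name is hypothetical.

```python
import re

# Constructed sample configs for illustration (not taken from the thread).
VTY_ONLY = """\
aaa new-model
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+
line con 0
line vty 0 4
"""
WITH_CONSOLE = """\
aaa new-model
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
line con 0
line vty 0 4
"""

# Methods that still give an answer when the AAA server cannot be reached.
FALLBACKS = {"local", "none", "if-authenticated"}
CMD_LIST = re.compile(r"aaa authorization commands (\d+) (\S+) (.+)")

def audit_console_authorization(config):
    """Return a list of findings about console command authorization."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    lists = [m.groups() for m in map(CMD_LIST.fullmatch, lines) if m]
    if not lists:
        findings.append("no 'aaa authorization commands' method list")
    if "aaa authorization console" not in lines:
        # Matches the debug line in the thread: console user is simply permitted.
        findings.append("console: authorization not applied "
                        "('aaa authorization console' absent)")
    for level, name, methods in lists:
        if not FALLBACKS & set(methods.split()):
            findings.append(f"commands {level} list '{name}': no fallback "
                            "method, lockout risk if the server is unreachable")
    return findings

if __name__ == "__main__":
    for label, cfg in (("vty-only", VTY_ONLY), ("with-console", WITH_CONSOLE)):
        print(label, audit_console_authorization(cfg) or "OK")
```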
