ACS command authorisation on console

Tsasbrink · ‎03-08-2007

Hi,

We are trying to set up command authoristaion.

On VTY evrythings working out but it is not authorising anything on console.

In debugging aaa authorisation it only tells me :

Jun 17 01:45:50: AAA/AUTHOR: authenticated console user is permitted

Anyone any thought on this ?

Tia,

Tom

Richard Burts · ‎03-08-2007

Tom

What you are encountering is standard behavior for IOS. Cisco, on purpose, does not do authorization on the console by default. The reasoning was that authorization on the console has real potential to lock you out of the router is you are careless or do not understand well what you are doing when you set up authorization. There is a command that will cause the router to do authorization on the console as well as the vty ports. If you want it try this:

aaa authorization console

HTH

Rick

HTH

Rick

Tsasbrink · ‎03-08-2007

Ok,

It seems to be a hidden command as "aaa authorisation" with a question mark does not list the console option. But the command does go to the config.

This doe seem to be the thing I am looking for. I will post the results tomorrow.

Thanx

Richard Burts · ‎03-08-2007

Tom

Yes it is a hidden command. It does work if configured (and I believe it will be the answer to what you are trying to do). Cisco has positioned it so that you would not do this accidentally. I believe that the risk factor is relatively high with this, so Cisco puts it there if you intentionally use it but makes it obscure as a way of protecting people.

HTH

Rick

HTH

Rick

Tsasbrink · ‎03-08-2007

It works like a charm.

Thank you !

Tom