I have the following config: IOS ver 12.2 on cat6500 sup720 running native IOS
username roadrunner privilege 15 password xxx
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authentication enable default group tacacs+ enable
aaa accounting commands 15 default start-stop group tacacs+
line con 0
 login authentication console
line vty 0 4
 transport input ssh
 exec-timeout 10 0
The idea is to use TACACS+ for "login" and "enable mode" authentication to the router. If tacacs+ is not-reachable/not-available, then to use the console to login to the router, using local username/password.
But with the above config, I can only log in to the "user exec" mode, but not to the "enable" mode.
My understanding is, in this case, the router uses local username/password to login to the user exec mode and must use the "enable secret" to login to the enable mode. See below link:
It says: "On the console, the enable password is used if it exists. If no password is set, the process will succeed anyway."
But this does not seem to be happening in my case. I can only log in to the user exec mode and am unable to get to the enable mode.
Am I missing anything here? Any help is appreciated.
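
As an added example (not part of the original post), here is a short Python check that reads the posted configuration, lists which authentication methods each line tries and in what order, and flags a fallback method whose local credential does not appear in the text. The function name `audit` and the indentation of the embedded config are assumptions, and the check sees only the lines shown in the post.

```python
import re

# Configuration from the post (password redacted there as "xxx"); indentation added.
CONFIG = """\
username roadrunner privilege 15 password xxx
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authentication enable default group tacacs+ enable
aaa accounting commands 15 default start-stop group tacacs+
line con 0
 login authentication console
line vty 0 4
 transport input ssh
 exec-timeout 10 0
"""

def audit(config):
    """Return (login methods per line, enable methods, findings) for an IOS config."""
    lists, lines, current = {}, {}, None
    has_user = has_enable = False
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"aaa authentication (login|enable) (\S+) (.+)", text)
        if m:
            # Keep "group <name>" together as one method; list order is the try order.
            lists[m.group(1), m.group(2)] = re.findall(r"group \S+|\S+", m.group(3))
        elif text.startswith("username "):
            has_user = True
        elif re.match(r"enable (secret|password)\b", text):
            has_enable = True
        elif text.startswith("line "):
            current = text
            lines[current] = "default"  # no "login authentication" means the default list
        elif current and text.startswith("login authentication "):
            lines[current] = text.split()[2]
    findings = []
    for (kind, name), methods in lists.items():
        if "local" in methods and not has_user:
            findings.append(f"{kind} list {name}: 'local' has no username to check against")
        if "enable" in methods and not has_enable:
            findings.append(f"{kind} list {name}: 'enable' has no enable secret/password in this config")
    login = {line: lists.get(("login", name), []) for line, name in lines.items()}
    return login, lists.get(("enable", "default"), []), findings

if __name__ == "__main__":
    login, enable, findings = audit(CONFIG)
    for line, methods in login.items():
        print(f"{line}: login via {' -> '.join(methods)}")
    print(f"enable: {' -> '.join(enable)}")
    for finding in findings:
        print("CHECK:", finding)
```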