How to prevent local AAA users from logging in

Feb 27th, 2008

Please could you help me with my question:

My Cisco router R1 aaa configuration:

username user1 privilege 15 password user1

username user2 password user2

aaa authentication login default local

aaa authorization exec default local

aaa authentication ppp PPP_MODEM local

aaa authorization network PPP_MODEM local

So, I want to:

allow user1 to have full terminal access to R1

deny user2 any terminal access to R1 but allow user2 to connect to R1 via PPP.

I can configure privilege 0 for user2, but user2 will be able to access R1 terminal lines!

How can I prevent user2 from having management access to R1 using only local AAA services?

jsivulka Tue, 03/04/2008 - 10:04

It is set to No Privilege by default. Set this to use group-level settings. You also have to configure the enable password for the user.

Here is a copy of my AAA settings:


aaa new-model

aaa authentication login default tacacs+ enable

aaa authentication login no_tacacs enable

aaa authentication enable default tacacs+ enable none

aaa authorization exec default tacacs+ if-authenticated

aaa authorization commands 7 default tacacs+ local

aaa authorization commands 15 default tacacs+ local

aaa accounting exec default start-stop tacacs+


The method no_tacacs is used for the console to prevent admin-lockouts. Doing a debug aaa authen & author was quite helpful in getting this to work.
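
One local-only way to get the behaviour asked for in the question, as an added example that is not part of either post: give user2 an autocommand that ends any EXEC session, and run the dial-in line in dedicated PPP mode. The interface name Async1 and the use of CHAP are assumptions; the usernames and method lists are the ones from the question.

```cisco
! Added example, not from the original thread.
! Assumption: user2 dials in on Async1 (hypothetical interface name) and the
! line starts PPP directly, without an EXEC session.
aaa new-model
!
username user1 privilege 15 password user1
username user2 password user2
! Any EXEC session user2 obtains (console, vty, aux) runs "logout" at once.
! noescape stops the user from breaking out of the autocommand.
username user2 noescape
username user2 autocommand logout
!
aaa authentication login default local
! Exec authorization against the local database is what applies the
! per-user attributes (privilege level, autocommand) at login.
aaa authorization exec default local
aaa authentication ppp PPP_MODEM local
aaa authorization network PPP_MODEM local
!
! Dedicated mode: the dial-in line never offers an EXEC prompt, so the
! autocommand above does not interfere with user2's PPP session.
interface Async1
 encapsulation ppp
 async mode dedicated
 ppp authentication chap PPP_MODEM
 ppp authorization PPP_MODEM
```

If the modem line uses `async mode interactive` and user2 starts PPP from the EXEC prompt, the autocommand would also end that session, so check the line mode first. The `debug aaa authentication` and `debug aaa authorization` output mentioned above shows whether the autocommand attribute is applied when user2 logs in on a terminal line.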
