How to prevent local AAA users from logging in

Unanswered Question
Feb 27th, 2008


Please could you help me with my question:

My Cisco router R1 AAA configuration:

username user1 privilege 15 password user1
username user2 password user2
aaa authentication login default local
aaa authorization exec default local
aaa authentication ppp PPP_MODEM local
aaa authorization network PPP_MODEM local

So, I want to:

- allow user1 to have full terminal access to R1;
- deny user2 any terminal access to R1, but allow user2 to connect to R1 via PPP.

I can configure privilege 0 for user2, but user2 will be able to access the R1 terminal lines!

How can I prevent user2 from having management access to R1 using only local AAA services?

jsivulka Tue, 03/04/2008 - 10:04

It is set to No Privilege by default. Set this to use group level settings. You also have to configure the enable password for the user.

Here is a copy of my AAA settings:


aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login no_tacacs enable
aaa authentication enable default tacacs+ enable none
aaa authorization exec default tacacs+ if-authenticated
aaa authorization commands 7 default tacacs+ local
aaa authorization commands 15 default tacacs+ local
aaa accounting exec default start-stop tacacs+


The method no_tacacs is used for the console to prevent admin-lockouts. Doing a debug aaa authen & author was quite helpful in getting this to work.
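The question's underlying point, that any user in the local database can authenticate on every line whose login method list consults `local`, regardless of privilege level, can be audited mechanically. The following is an added example, not code from this thread or from Cisco: it parses an IOS-style config built from the question's `username` lines and the reply's idea of a per-line method list, and reports which local users can reach each terminal line. The `no_local` list name and the `line con 0` / `line vty 0 4` stanzas are constructed for the sample.

```python
import re

# Constructed sample (not the poster's full config): the question's local users
# plus a console line moved to a list that does not consult the local database.
SAMPLE_CONFIG = """
aaa new-model
username user1 privilege 15 password user1
username user2 password user2
aaa authentication login default local
aaa authentication login no_local enable
aaa authentication ppp PPP_MODEM local
line con 0
 login authentication no_local
line vty 0 4
 login authentication default
"""

def parse_users(cfg):
    """Map username -> privilege level (IOS default is 1 when unspecified)."""
    users = {}
    for m in re.finditer(r"^username (\S+)(?: privilege (\d+))?", cfg, re.M):
        users[m.group(1)] = int(m.group(2) or 1)
    return users

def parse_login_lists(cfg):
    """Map each 'aaa authentication login' list name -> its ordered methods."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", cfg, re.M):
        lists[m.group(1)] = m.group(2).split()
    return lists

def parse_lines(cfg):
    """Map each 'line ...' stanza -> the login list it uses ('default' if unset)."""
    result, current = {}, None
    for raw in cfg.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            result[current] = "default"          # aaa new-model: default list applies
        elif current and raw.strip().startswith("login authentication "):
            result[current] = raw.split()[-1]
    return result

def local_users_with_terminal_access(cfg):
    """Return {line: [users]} for every line whose login list includes local auth."""
    users, lists, exposure = parse_users(cfg), parse_login_lists(cfg), {}
    for line, list_name in parse_lines(cfg).items():
        methods = lists.get(list_name, [])
        if "local" in methods or "local-case" in methods:
            exposure[line] = sorted(users)       # privilege level does not matter here
    return exposure
```

Run against the sample, the console line (list `no_local`) exposes nobody, while `vty 0 4` (list `default`, method `local`) exposes both user1 and user2, which is exactly the problem the question describes.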

