Password set for logging into Console

Unanswered Question
Apr 24th, 2008

I have most of my customers' network devices set to use TACACS+ through an ACS server to authenticate remote admins who SSH to these devices.

I was attempting to set up a cryptic password as the authentication means for console access to any of the devices. This is in case we have to log into any of the devices locally and the ACS server is not available for any reason.

I used the IOS command "password" and then configured a Password. However when testing, the devices all still ask for a username when I connect to a console port to login.

Is there any reason this would be happening?


Jagdeep Gambhir Thu, 04/24/2008 - 13:24

Remove the login local command under the line console configuration.

Router(config)#line con 0

Router(config-line)#no login local



Do rate helpful posts

Richard Burts Fri, 04/25/2008 - 08:20

If I have understood the original post then I do not believe that it is an issue of login local. If aaa new-model is configured so that the vty will authenticate to ACS then it also means that the console will authenticate with the default authentication method - which is probably set to TACACS.

If you do not want the console to authenticate with tacacs then try configuring this:

aaa authentication login consoleauth line

line con 0

login authentication consoleauth



Jagdeep Gambhir Fri, 04/25/2008 - 09:04

Oops, sorry, my bad.

Rick is 100% correct here, we need to make a method list for the console.

Thanks for the correction, Rick.

Richard Burts Fri, 04/25/2008 - 09:19


No problem. We all help to keep each other straight. That is part of what makes the forum so very good.



Kevin Melton Sat, 04/26/2008 - 05:21


Let me take this a step further. If I configure the following statement, does this not roll back the local userbase if in fact tacacs does not respond?

aaa authentication login default group tacacs+ local

I had moved forward and configured this on not only the vty lines (which are the most vulnerable to UA attempts), but on the console line as well by using:

router(config)#line con 0

router(config-line)#login authentication default

Thanks to both of you for your participation in this. I look forward to your response. I want my customers' networks to be as secure as possible.


Richard Burts Sat, 04/26/2008 - 13:51


Perhaps it is a terminology thing, but I am not clear what you are asking when you say: "does this not roll back the local userbase if in fact tacacs does not respond".

So let me respond by saying what that command will do.

aaa authentication login default group tacacs+ local

will attempt to authenticate with configured tacacs server(s) and if there is no response from tacacs or if the response from tacacs is error (note that fail is a very different response than error) then it will attempt to authenticate with locally configured userID and password. If attempting local authentication and if the entered userID does not exist in the locally configured set of users or if the entered password does not match the configured password for the userID entered then authentication will fail.



Kevin Melton Sat, 04/26/2008 - 18:07

Yes, my terminology may not be as concise as it should have been. Your answer however is a great and thorough answer, Rick. In the event that the tacacs daemon (in my case the ACS box) cannot be reached because he is down, then the local username and password (which I had called a userbase incorrectly, I suppose) will be used. Whereas if tacacs does respond and it is a REJECT, then the user is not authenticated and is not allowed access.

Great job!


Richard Burts Sun, 04/27/2008 - 17:41


Thank you for the compliment. I am really gratified when someone expresses appreciation for my response.

I try to not say that someone's terminology is wrong because they may be speaking in some context I am not familiar with or have something in their background that gives the term meaning. So if I do not understand it I generally say it is not clear to me and ask for clarification. In this case I was pretty clear what you meant with userbase. What I did not understand was ROLL BACK the userbase.

I am glad that I was able to explain the functionality in a way that made sense to you.
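An added example, not part of the original thread: a small Python check that works out which login method list applies to `line con 0` in a saved IOS configuration and flags the gaps discussed above (an undefined list, a TACACS+-only list with no fallback, a `line` or `local` method with nothing configured behind it). The function name `console_auth` and the sample configuration are constructed for illustration, and only the command forms shown in the thread are parsed.

```python
import re

# Constructed sample configuration (placeholders instead of real secrets).
SAMPLE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login consoleauth line
username admin secret 5 PLACEHOLDER
!
line con 0
 password 7 PLACEHOLDER
 login authentication consoleauth
line vty 0 4
 transport input ssh
"""

def console_auth(config):
    """Return (list_name, methods, findings) for 'line con 0'."""
    lists, has_user, new_model = {}, False, False
    con_list, con_password, in_con = "default", False, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):            # top-level command
            in_con = line.startswith("line con 0")
            new_model |= line == "aaa new-model"
            has_user |= line.startswith("username ")
            m = re.match(r"aaa authentication login (\S+) (.+)", line)
            if m:                              # keep "group <name>" as one method
                lists[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))
        elif in_con:                           # sub-command of line con 0
            m = re.match(r"login authentication (\S+)", line)
            if m:
                con_list = m.group(1)
            con_password |= line.startswith("password ")
    methods, findings = lists.get(con_list, []), []
    if not new_model:
        findings.append("aaa new-model absent: method lists are not in effect")
    if not methods:
        findings.append(f"method list '{con_list}' is not defined")
    elif methods[0].startswith("group ") and len(methods) == 1:
        findings.append("no fallback method if the AAA server does not respond")
    if "line" in methods and not con_password:
        findings.append("'line' method used but no password under line con 0")
    if "local" in methods and not has_user:
        findings.append("'local' method used but no username configured")
    return con_list, methods, findings

if __name__ == "__main__":
    print(console_auth(SAMPLE))
```

The methods after the first are only reached when the earlier one gives no response or an error, as described above; a reject from TACACS+ ends the attempt, so the check reports configuration gaps rather than predicting a login result.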



