How to bypass TACACS on console connection

Answered Question
Aug 5th, 2008

On a switch with IOS I have the following AAA config:

username administrator password xxx

aaa authentication login default group TACACS-Servers local

aaa authentication enable default group TACACS-Servers enable

aaa authorization exec default group TACACS-Servers if-authenticated

aaa authorization commands 15 default group TACACS-Servers if-authenticated

aaa accounting exec default start-stop group TACACS-Servers

aaa accounting commands 15 default start-stop group TACACS-Servers

How do I configure the switch so that the console connection uses the local username instead of TACACS, and TACACS is only used for telnet?

Thanks in advance for the help!

Mark Yeates Tue, 08/05/2008 - 12:05


Try adding the "login local" command under line con 0.



gkushnir21 Tue, 08/05/2008 - 12:11


That's what I originally planned on doing, but I don't get the login local option under line con 0. I'm assuming it's because of the AAA config that I have.

These are the options under con 0:

line con 0

login ?

authentication Authentication parameters

login authentication ?

WORD Use an authentication list with this name.

default Use the default authentication list.

Mark Yeates Tue, 08/05/2008 - 12:26

Here's how to set it up with the correct syntax.

aaa authentication login console local

line console 0

login authentication console



gkushnir21 Thu, 08/07/2008 - 12:12


That worked and forced me to use the local username when connecting to the switch through the console port. The problem that I'm running into, now that I use the local username and password, is that it doesn't like the enable password that I'm putting in.

I get the "% Error in authentication." message. Any thoughts?



Correct Answer
Mark Yeates Thu, 08/07/2008 - 12:34

I believe that you will need to create a privilege level associated with your local username and password.

username test privilege 15 password cisco123


Richard Burts Thu, 08/07/2008 - 18:47


Mark has good advice here. The real issue is that while you can split user authentication so that vty uses the authentication server and the console just uses local authentication, when it comes to enable you have only one choice: they will both use the remote authentication server or they will both use local authentication. And if you are going to the remote authentication server but the user authenticated locally, then the authentication server does not know who the user is and whether to admit them to enable mode or not. If you specify the privilege level with the user ID then you should get the functionality that you want.



John Patrick Lopez Tue, 07/12/2016 - 18:08

Hi Rick,

I was trying to do the same thing but for some reason, whatever happens, the switch will try to look for my username and password from the TACACS server and it will never check local database when I type "enable". I tried regular "enable" and "enable 15". I tried to create the same username as the one I have in TACACS locally but changed the password to something different to know where the switch is picking up the "enable auth".



aaa authentication login CONSOLE line

aaa authorization exec CONSOLE none

aaa authorization commands 0 CONSOLE none

aaa authorization commands 1 CONSOLE none

aaa authorization commands 15 CONSOLE none


line con 0

authorization exec CONSOLE

login authentication CONSOLE

authorization commands 0 CONSOLE

authorization commands 1 CONSOLE

authorization commands 15 CONSOLE

Richard Burts Wed, 07/13/2016 - 06:50

I believe that your issue is that you have specified authentication using line. This will look for a password configured on the console and not for your ID. Change it to aaa authentication login CONSOLE local and let us know if it works better. 



John Patrick Lopez Wed, 07/13/2016 - 07:06

Thanks for the reply Rick.

Apparently it is already asking for username and password after hitting enable.

When accessing the switch through console, our objective is to just use the line con 0 password which is working, aaa authentication login CONSOLE line and login authentication console combo.

We are hoping that if we hit enable, it will use the enable secret password instead but since we are using "aaa authentication enable default group tacacs+ enable", it is still looking for TACACS. So after hitting enable, it asks for username/password combo instead of just password which is the enable secret.

Also, isn't it the case that the switch will check what was stated under "aaa authen enable" instead of "aaa authen login" when hitting the "enable" command?

I haven't tried to simulate what you're saying, as the PC I am using to go through the console is dead and I need someone to boot it up for me.



Richard Burts Wed, 07/13/2016 - 07:40


I understood your first post to indicate that you wanted to login with your ID. I now understand that your question is about enable authentication. Please consider what I said in a previous post in this thread about enable authentication. You can configure enable authentication to use tacacs with local as an alternative/backup method. But when you authenticate it will try the primary and use the backup only if primary fails. 

If you want to get to enable on the console and bypass tacacs, I have two suggestions, each of which means that anyone who logs in on the console will be in enable mode, which might be acceptable or might not.

- on the console configure privilege level 15

- configure your local account to have privilege level 15. Change the console authentication to use local and not line. And be sure that the console has authorization local. 



John Patrick Lopez Wed, 07/13/2016 - 07:45

Thanks again Rick. Yes, I tried privilege level 15 earlier, and after the line console password when connecting, it will immediately jump to privileged mode. Thank you so much for your input.

Richard Burts Wed, 07/13/2016 - 08:00


You are welcome. Both of my suggestions have some downside, but they are as close as I can come to what you really want. Unfortunately there is not a way to bypass tacacs if tacacs is working.
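
The thread's central point, that login authentication can be bound per line while enable authentication has only one list for every line, can be checked against a config before it is deployed. The script below is an added example and not part of the original thread; the sample config is constructed from the commands posted above, and the names `parse`, `audit` and `enable_hits_server` are illustrative.

```python
import re

# Constructed sample built from the commands posted in the thread.
SAMPLE = """\
aaa authentication login default group TACACS-Servers local
aaa authentication login console local
aaa authentication enable default group TACACS-Servers enable
aaa authorization exec default group TACACS-Servers if-authenticated
line con 0
 login authentication console
line vty 0 4
"""

AAA_RE = re.compile(
    r"aaa (authentication login|authentication enable|authorization exec) (\S+) (.+)")
LINE_RE = re.compile(r"(login authentication|authorization exec) (\S+)")
LINE_TO_AAA = {"login authentication": "authentication login"}

def parse(config):
    """Collect AAA method lists and the list names bound to each line."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not raw.startswith(" "):
            current = None  # an unindented command leaves the "line ..." sub-mode
        if (m := AAA_RE.match(text)):
            lists[(m.group(1), m.group(2))] = m.group(3).split()
        elif text.startswith("line "):
            current = text[5:]
            lines[current] = {}
        elif current and (m := LINE_RE.match(text)):
            lines[current][LINE_TO_AAA.get(m.group(1), m.group(1))] = m.group(2)
    return lists, lines

def audit(config):
    """Per line: effective login/exec/enable methods and whether they diverge."""
    lists, lines = parse(config)
    # Enable authentication has one list (default) shared by every line.
    enable = lists.get(("authentication enable", "default"), [])
    report = {}
    for name, bound in lines.items():
        pick = lambda kind: lists.get((kind, bound.get(kind, "default")), [])
        login = pick("authentication login")
        report[name] = {
            "login": login, "exec_authz": pick("authorization exec"), "enable": enable,
            # Login never consults a server group, but enable tries one first.
            "enable_hits_server": "group" not in login and enable[:1] == ["group"],
        }
    return report
```

A line flagged with `enable_hits_server` is in the situation described in the thread: the user logs in locally, but `enable` is still sent to the TACACS group first.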



