How to stop console authorization from ACS?

Unanswered Question
Aug 19th, 2008


I have Cisco ACS installed for Cisco switches.Any time,the user logs in to device,it gets authorized from ACS.

Today, i found that through local console also,the authorization from AAA is taking place.

I fear that if my AAA goes down tomarrw,all the device access will be locked up.

Kindly tell me what command i need to put in device so that it does the authorization locally only while comnecting through local console.

The AAA comands in the devices are :

aaa new-model

aaa group server tacacs+ ACS_Group1



aaa authentication login default group ACS_Group1 local

aaa authentication enable default group ACS_Group1 enable

aaa authorization config-commands

aaa authorization exec default group ACS_Group1 if-authenticated

aaa authorization exec ACS_Group1 group tacacs+ local

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

Require your help immediately!!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Richard Burts Tue, 08/19/2008 - 08:49


It has been my experience that when you configure authorization in aaa it is applied to the vty but not to the console, unless there is special configuration to also authorize on the console. Since the command to authorize on the console is not in the config that you posted, I would believe that it is not authorizing on the console.

If you run debug aaa authorization and then log in on the console does the debug produce output? If so would you post that output?



Jagdeep Gambhir Wed, 08/20/2008 - 11:39

aaa authentication login default group ACS_Group1 enable or local

aaa authentication enable default groupACS_Group1 enable

aaa authorization exec default group ACS_Group1 if-authenticated

rajeev.payal Thu, 08/21/2008 - 00:39

Dear Sir,

These commands are already there (see my first mail).

i don't understand what You want to tell.To remove?

Please reply!!

Richard Burts Sun, 08/24/2008 - 02:35


If you are still working on this issue then please run the debug aaa authorization. Then login on the console and post any debug output. This will show whether it is really authorizing on the console login.

[edit] in re-reading the original post I would comment in these things:

aaa authorization config-commands

This command is incomplete. I am not clear whether it is really incomplete in the config or whether there was a problem with getting commands into the config.

aaa authorization exec ACS_Group1 group tacacs+ local

I would suggest getting the parameter if-authenticated into this command (either replace local with if-authenticated or add the parameter after local.



Premdeep Banga Sun, 08/24/2008 - 05:50

I agree with Rick. By default there is no authorization applied on the console, even if we use the 'default' method list. unless you have a command in configuration,

"aaa authorization console", in some IOS this is hidden, and in some this is visible.

First suggestion add command "no aaa authorization console".

The command "aaa authorization config-commands" is a complete command. It is used to authorize commands against the Tacacs server, when any command is executed in the configuration mode of the device i.e.,


If you have command authorization configured on a device for example you have,

aaa authorization commands 15 default ......

And you have profile that should not be allowed to execute the command "show run" but can execute command "configuration terminal".

Then you will not be able execute "sh run" at the privilege exec mode i.e.,

device#show run

%command authorization failed

But if this user moves to config t, and we do not have the command "aaa authorization confg-commands" then the user will be able to run sh run i.e.

device(config)#do sh run

I hope this clear the meaning of aaa authorization config-commands.

And I hope that you are not confusing/mixing Authentication and Authorization together.

As you are using the 'default' list, the Authentication will be applied to Console (not Authorization).

If you want a complete backdoor on Console or You want that login on Console should not be verified from ACS, let us know, we'll help you out on that. I dont want to suggest the commands for the same, as there could be two solution on that. And I can provide you those, if you require them.

Else, according to your configuration. If Tacacs server is not available, then from any line i.e. vty, aux or console, you should be able to authenticate using local username/password configured on the device. And should be able to go to privilege exec mode using the local enable password.

And, there should be NO authorization on Console.

[edit] Agree with Rick debug aaa authorization, a great help in understanding whether authorization is even taking place on console or not. If you dont mind, please do add "debug aaa authentication" as well.



Farrukh Haroon Sun, 08/24/2008 - 10:52

Are these devices switches or routers? I think some versions of catalyst code apply command authorization of console also once you put in the 'default' method list.

aaa authorization exec default group ACS_Group1 if-authenticated

On others you have to specifically enable authorization of the console as well.



Farrukh Haroon Sun, 08/24/2008 - 10:53

A simple workaround is to make a list like this

aaa authorization exec CONSOLE none

and then apply this to the console/aux ports. It can't hurt you anyway, its better to be on the safe side. However as others has suggested, try to run the debug and see which method list is picked up when you login via the console.




This Discussion