AAA Enable

Unanswered Question
Oct 9th, 2008

Does anyone know if there is a way to have two separate AAA authentication enable lists, one for telnet and one for console? So, for example, if someone was logged in through the console, enable would only authenticate locally, but when logged in via telnet, it checks radius first, then locally.

Thanks.

Premdeep Banga Thu, 10/09/2008 - 11:12

But what are you trying to achieve by this?

If you want that when you log in from the console you should get into privileged exec, but when accessing from telnet there should be authentication and enable authentication, then you can probably have the following under line con:

line con 0
 privilege level 15

Regards,

Prem

chuckp123 Thu, 10/09/2008 - 11:19

Thanks for the response.

We would like to do it this way so that when radius is down, which is really the only reason we would ever log in via console, we do not have to wait for radius to time out when authenticating.

We also have some non-administrative users who we would like to be able to have log in via console without getting priv 15 access.

cisco24x7 Thu, 10/09/2008 - 11:34

I can see what the requester is trying to do.

Here is a scenario:

aaa authentication login NOTAC none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
tacacs-server host 1.2.3.4 key cciesec
line console 0
 login authentication NOTAC
line vty 0 15
 login authentication VTY

With this configuration, let's say user "pbanga" gets on the console port of the device. He will not be able to get into enable mode in the console session because user pbanga did NOT log into the console port with his AAA account at the beginning. Therefore, he can NOT access the console port in privilege enable mode.

In most AAA implementations each user has his/her own exec and enable password. NO sharing.

Make sense?
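Added example, not from this thread or any of its posters: a configuration that gets at the original question (local-only on the console, RADIUS first on telnet) without relying on a per-line enable list, because IOS accepts only the `default` list for `aaa authentication enable`, so there is no way to bind a different enable list to the console. It combines the `privilege level 15` idea from the first reply with a separate login list for the console: the console line uses local-only login and exec authorization, so a local account with `privilege 15` lands directly in privileged EXEC (no enable prompt, no RADIUS timeout), while a lower-privilege local account stays in user EXEC; the VTYs keep RADIUS first with local fallback. The usernames, RADIUS address and every `REPLACE-ME` string are placeholders.

```cisco
! Added example, not the thread's own config. Usernames, server address and secrets are placeholders.
aaa new-model
!
! Local accounts. The privilege keyword is what local exec authorization honours,
! so netadmin lands at level 15 and helpdesk stays at level 1 on the console.
username netadmin privilege 15 secret REPLACE-ME
username helpdesk privilege 1 secret REPLACE-ME
enable secret REPLACE-ME
!
! Placeholder RADIUS server (classic radius-server host syntax; newer IOS also offers "radius server <name>").
radius-server host 192.0.2.10 key REPLACE-ME
!
! Console: local database only, so a RADIUS outage never delays a console login.
aaa authentication login CONSOLE local
aaa authorization exec CONSOLE local
! Required: without this global command the console line ignores authorization lists entirely.
aaa authorization console
!
! VTY: RADIUS first, local database if no server answers.
! The privilege level a RADIUS user gets depends on what the server returns; the local fallback
! still honours the privilege keyword on the username lines above.
aaa authentication login VTY group radius local
aaa authorization exec VTY group radius local
!
! Enable authentication has only a default list and applies to every line.
! Console admins never reach it because exec authorization already placed them at level 15;
! the enable secret stays as the last-resort method for everyone else.
aaa authentication enable default group radius enable
!
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
line vty 0 15
 login authentication VTY
 authorization exec VTY
```

To check it, log in on the console as each local user and run `show privilege`: netadmin should report level 15 with no enable prompt, helpdesk level 1. Keep at least one local privilege-15 account at all times, since the CONSOLE lists have no other method to fall back to.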
