AAA Enable

chuckp123
Level 1

Does anyone know if there is a way to have two separate AAA authentication enable lists, one for telnet and one for console? So, for example, if someone was logged in through the console, enable would only authenticate locally, but when logged in via telnet, it checks radius first, then locally.

Thanks.

4 Replies

Premdeep Banga
Level 7

Unfortunately, no.

Regards,

Prem

But what are you trying to achieve by this?

If you want that when you log in from the console you get into privilege exec, but when accessing from telnet there should be authentication and enable authentication, then you can probably have the following under line con:

line con 0
 privilege level 15

Regards,

Prem

Thanks for the response.

We would like to do it this way so that when radius is down, which is really the only reason we would ever log in via console, we do not have to wait for radius to time out when authenticating.

We also have some non-administrative users who we would like to be able to log in via console without getting priv 15 access.

I can see what the requester is trying to do.

Here is a scenario:

aaa authentication login NOTAC none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
tacacs-server host 1.2.3.4 key cciesec
line console 0
 login authentication NOTAC
line vty 0 15
 login authentication VTY

With this configuration, let's say user "pbanga" gets on the console port of the device, he will not be able to get into enable mode in the console session because user pbanga did NOT log into the console port with his AAA account at the beginning. Therefore, he can NOT access the console port in privilege enable mode.

In most AAA implementations each user has his/her own exec and enable password. NO sharing.

Make sense?
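Both configurations in this thread leave the console without login authentication (the `none` method list), and the earlier suggestion additionally places the console at privilege level 15. The following Python script is an added example, not code from any poster: it resolves which login method list each line uses and flags those settings. The function name `audit_lines` and the combined sample configuration are assumptions made for illustration.

```python
import re

# Constructed sample: the thread's config plus the suggested console "privilege level 15".
SAMPLE_CONFIG = """\
aaa authentication login NOTAC none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
tacacs-server host 1.2.3.4 key cciesec
line console 0
 login authentication NOTAC
 privilege level 15
line vty 0 15
 login authentication VTY
"""

def audit_lines(config):
    """Resolve each line's login method list and flag unauthenticated access."""
    login_lists = {}   # method-list name -> ordered method tokens
    lines = {}         # e.g. "console 0" -> {"list": name, "priv": level}
    current = None     # line block currently being parsed
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
        elif re.match(r"line (con|console|vty|aux)\b", text):
            current = text[len("line "):]
            # Assumed defaults: the "default" method list and privilege level 1.
            lines[current] = {"list": "default", "priv": 1}
        elif current and raw.startswith(" "):
            m = re.match(r"login authentication (\S+)", text)
            if m:
                lines[current]["list"] = m.group(1)
            m = re.match(r"privilege level (\d+)", text)
            if m:
                lines[current]["priv"] = int(m.group(1))
        else:
            current = None   # any other top-level command ends the line block
    report = {}
    for name, cfg in lines.items():
        methods = login_lists.get(cfg["list"], [])
        findings = []
        if methods and methods[0] == "none":
            findings.append("login without authentication")
            if cfg["priv"] == 15:
                findings.append("unauthenticated privilege level 15")
        report[name] = {"methods": methods, "findings": findings}
    return report

if __name__ == "__main__":
    print(audit_lines(SAMPLE_CONFIG))
```

Findings are raised only for an explicitly configured `none` method list; a line that falls back to an undefined default list is reported with an empty method list and no finding.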
