10-09-2008 10:54 AM - edited 03-10-2019 04:07 PM
Does anyone know if there is a way to have two separate AAA authentication enable lists, one for telnet and one for console? So, for example, if someone was logged in through the console, enable would only authenticate locally, but when logged in via telnet, it checks radius first, then locally.
Thanks.
10-09-2008 11:11 AM
Unfortunately, no.
Regards,
Prem
10-09-2008 11:12 AM
But what are you trying to achieve by this?
If you want to get into privileged exec directly when you log in from the console, but have login authentication and enable authentication when accessing via telnet, then you can probably have the following under line con:
line con 0
 privilege level 15
Regards,
Prem
10-09-2008 11:19 AM
Thanks for the response.
We would like to do it this way so that when radius is down, which is really the only reason we would ever log in via console, we do not have to wait for radius to time out when authenticating.
We also have some non-administrative users whom we would like to be able to log in via console without getting priv 15 access.
10-09-2008 11:34 AM
I can see what the requester is trying to do.
Here is a scenario:
aaa authentication login NOTAC none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
tacacs-server host 1.2.3.4 key cciesec
line console 0
 login authentication NOTAC
line vty 0 15
 login authentication VTY
With this configuration, let's say user "pbanga" gets on the console port of the device. He will not be able to get into enable mode in the console session because user pbanga did NOT log into the console port with his AAA account at the beginning. Therefore, he can NOT access the console port in privileged enable mode.
In most AAA implementations each user has his/her own exec and enable password. NO sharing.
Make sense?
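As an added example that is not from this thread, the following IOS configuration takes the approach the replies point to: IOS keeps a single default enable list, so instead of splitting it, console logins get a local-only login list plus local exec authorization, which puts administrators straight into privileged exec without ever reaching the enable prompt, while telnet still tries RADIUS first and falls back to local. The list names, usernames, RADIUS address and secrets are placeholders.

```text
! Added example, not the original poster's or Cisco's configuration.
! Names, addresses and credentials are placeholders.
aaa new-model
! Console: local only, so a RADIUS outage never delays console logins.
aaa authentication login CONSOLE local
! Telnet/SSH: RADIUS first, local fallback when RADIUS is unreachable.
aaa authentication login VTY group radius local
! Enable remains one default list shared by every line.
aaa authentication enable default group radius enable
! Local exec authorization: the user's configured privilege level decides
! whether the console session starts at level 15 or stays at level 1.
aaa authorization exec CONSOLE local
aaa authorization console
! Admins land in privileged exec on the console without typing "enable";
! non-administrative console users stay at level 1.
username netadmin privilege 15 secret REPLACE-ME
username helpdesk privilege 1 secret REPLACE-ME
enable secret REPLACE-ME
radius-server host 192.0.2.5 key REPLACE-ME
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
line vty 0 15
 login authentication VTY
```

A level-1 console user who does type "enable" still goes through the default enable list (RADIUS, then the enable secret), which is exactly the single-list limitation described above; this setup only removes the need for administrators to get there.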