Implications of enabling authorization in console

Unanswered Question
Oct 18th, 2009

Hello all,


I have read that it is not advised to enable authentication in console ports. Can anyone point out the reasons for this and best practices as well? I am dealing with a 6509 with Sup 720 and IOS 12.2SX.

Thanks a lot in advance!

Nataniel

namendoz Sun, 10/18/2009 - 16:06

So sorry, meant authorization in console ports :(

Jagdeep Gambhir Mon, 10/19/2009 - 01:44

Nataniel,

"It's to prevent the user from accidentally shutting themselves out from configuring the box"


In other words, what you don't want to have happen is to turn on authorization, have the tacacs+ or radius daemon be unreachable (for whatever reason), and never again be able to get into your box. It's fine if this happens on vty lines, as long as you have a way to FIX it. Once you can't get to the console anymore, you've got problems.



Regards,

~JG


Do rate helpful posts

namendoz Mon, 10/19/2009 - 03:54

Hi JG,


Isn't there an option where I can define to avoid authorization if I was authenticated, just for the case when I lose my TACACS server?


Thanks once again!


Regards,


Nataniel

Jagdeep Gambhir Tue, 10/20/2009 - 12:32

Hi Nataniel,

"aaa authorization console" command is disabled by default.


So authorization on console is disabled.


Regards,

~JG


Do rate helpful posts
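An added example, not part of the thread and not Cisco code: a Python check that reads an IOS configuration and reports the authorization method lists in force on the console that have no method left when the AAA servers are unreachable, which is the lockout described in the replies above. The sample configuration is constructed, and treating `local`, `if-authenticated` and `none` as the methods that still work offline is this example's assumption.

```python
import re

# Methods that still give an answer when no AAA server can be reached.
OFFLINE_METHODS = {"local", "if-authenticated", "none"}

# Constructed sample configuration (not taken from the thread).
SAMPLE = """\
aaa new-model
aaa authorization console
aaa authorization exec default group tacacs+
aaa authorization commands 15 default group tacacs+ if-authenticated
line con 0
 login authentication default
line vty 0 4
 authorization exec VTY
"""

def console_lockout_risks(config):
    """List the authorization method lists in force on the console that
    have no method left once every TACACS+/RADIUS server is unreachable."""
    lines = [l.rstrip() for l in config.splitlines()]
    # Authorization is not applied to the console without this global command.
    if "aaa authorization console" not in (l.strip() for l in lines):
        return []
    lists, applied, in_con = {}, {}, False
    for l in lines:
        if not l.startswith(" "):
            in_con = l.startswith("line con 0")  # entering or leaving the console block
            m = re.match(r"aaa authorization (exec|commands \d+) (\S+) (.+)", l)
            if m:  # global method list: (service, list name) -> methods
                lists[m.group(1), m.group(2)] = m.group(3).split()
        elif in_con:
            m = re.match(r"\s+authorization (exec|commands \d+) (\S+)", l)
            if m:  # list explicitly bound to the console line
                applied[m.group(1)] = m.group(2)
    risks = []
    for service in sorted({svc for svc, _ in lists}):
        name = applied.get(service, "default")  # unbound services use "default"
        methods = lists.get((service, name), [])
        # Ignore "group <name>" pairs so a server group named "local" is not
        # mistaken for the local method.
        plain = {t for i, t in enumerate(methods)
                 if t != "group" and (i == 0 or methods[i - 1] != "group")}
        if methods and not OFFLINE_METHODS & plain:
            risks.append(f"{service} list '{name}': {' '.join(methods)}")
    return risks

if __name__ == "__main__":
    print(console_lockout_risks(SAMPLE))
```

An empty result means either that console authorization is not enabled or that every list reaching the console ends in a method that needs no server.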
