aaa authorization console command

Answered Question
Nov 4th, 2011

Hi,

I don't really understand the need of the command "aaa authorization console".

We indeed often configure these lines, which according to me are already applied by default to VTY, Console, etc ...:

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

Am I wrong? Or do these lines apply only to the VTY lines?

Thanks in advance

Correct Answer by Richard Burts, Mon, 11/07/2011 - 10:55

In IOS by default Cisco does not perform authorization on the console. When you configure aaa authorization it is applied to vty but not to console. Basically this is to make it harder for you to lock yourself out of the router or switch. If you want authorization to be applied on the console then you must explicitly configure it (and be very careful that it is configured correctly or you can wind up being locked out of the router - think especially of how it will work when you cannot get to the external aaa server that is normally doing the authorization).

HTH

Rick


ts-stg Fri, 01/13/2012 - 06:47

I learned this locking out from console today the hard way

we use as standard

aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default local group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated 
aaa authorization commands 15 default group tacacs+ if-authenticated 

and I missed the trailing "if-authenticated" in the line "aaa authorization exec default local group tacacs+ if-authenticated"; unfortunately the tacacs server also wasn't reachable.

So there was no way to log in without the hard way: rebooting and reconfiguring again
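The lockout described in the post above, shown as an added configuration example (not from the thread or from Cisco documentation): the variant without a fallback method beside the corrected one. The server address, group name, key, secret and local account name are assumed placeholders.

```cisco
! Assumptions: one TACACS+ server at 192.0.2.10 (documentation range), a server
! group TAC-GRP and a local fallback account; key and secret are placeholders.
aaa new-model
tacacs server TAC1
 address ipv4 192.0.2.10
 key PLACEHOLDER_KEY
aaa group server tacacs+ TAC-GRP
 server name TAC1
username localadmin privilege 15 secret PLACEHOLDER_SECRET
!
! --- lockout-prone variant (what the post describes) ---
! aaa authorization console
! aaa authorization exec default group TAC-GRP
! The method list ends after the TACACS+ group. When the server is unreachable
! the group returns an error, no further method is tried, exec authorization
! fails, and because "aaa authorization console" is set the console is locked
! out together with the vty lines.
!
! --- corrected variant ---
aaa authentication login default group TAC-GRP local
aaa authentication enable default group TAC-GRP enable
aaa authorization console
aaa authorization exec default group TAC-GRP if-authenticated
aaa authorization commands 15 default group TAC-GRP if-authenticated
! "if-authenticated" is consulted only after TAC-GRP errors out; it grants the
! exec shell to a session that already passed login authentication (here via
! the local account), so an unreachable server no longer means a lockout.
!
! Check before trusting it: confirm server state, then watch the method list
! being walked during a test login from a second session.
! show aaa servers
! debug aaa authorization
```

Keep one session open on the console while applying and testing this, so a mistake in the method lists can still be corrected without a reboot.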

Richard Burts Fri, 01/13/2012 - 09:47

Thanks for sharing your experience about authorization problems. I find that many people do not understand well the importance of configuring if-authenticated when configuring authorization. Your post is a good reminder about this important part of the configuration. Many of us have learned these lessons the hard way and we all can benefit from a reminder about the problem.

HTH

Rick

Posted November 4, 2011 at 2:17 AM