aaa authorization console command

parisdooz12
Level 1

Hi,

I don't really understand the need of the command "aaa authorization console".

We indeed often configure these lines, which according to me are already applied by default to VTY, Console, etc.:

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

Am I wrong? Or do these lines apply only to the VTY lines?

Thanks in advance


Richard Burts
Hall of Fame

In IOS by default Cisco does not perform authorization on the console. When you configure aaa authorization it is applied to vty but not to console. Basically this is to make it harder for you to lock yourself out of the router or switch. If you want authorization to be applied on the console then you must explicitly configure it (and be very careful that it is configured correctly or you can wind up being locked out of the router - think especially of how it will work when you cannot get to the external aaa server that is normally doing the authorization).

HTH

Rick


4 Replies


perfect, thanks!

I learned this lockout from the console today the hard way

we use as standard

aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default local group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated

and I missed the trailing "if-authenticated" in the line "aaa authorization exec default local group tacacs+ if-authenticated"; unfortunately the tacacs server wasn't reachable either.

So there was no way to log in except the hard way: rebooting and reconfiguring again

Thanks for sharing your experience about authorization problems. I find that many people do not understand well the importance of configuring if-authenticated when configuring authorization. Your post is a good reminder about this important part of the configuration. Many of us have learned these lessons the hard way and we all can benefit from a reminder about the problem.

HTH

Rick

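A small model of how the method lists in this thread are evaluated, added here as an example (not Cisco code and not the posters' configurations): each method returns PASS, FAIL or ERROR, an ERROR moves on to the next method, and a list that runs out of methods denies the user. It treats a user absent from the local database as ERROR, which is a simplification and an assumption, and `console_lockout_risk` is a hypothetical pre-deployment check for the outage scenario described above.

```python
from __future__ import annotations
from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

@dataclass
class Session:
    user: str | None          # None when login fell back to the enable password
    authenticated: bool       # True once some authentication method passed
    tacacs_reachable: bool
    local_users: set[str] = field(default_factory=set)

def run_method(method: str, s: Session) -> str:
    """Result of one method: PASS or FAIL ends the list, ERROR tries the next."""
    if method == "group tacacs+":
        return PASS if s.tacacs_reachable else ERROR   # unreachable server = ERROR
    if method == "local":
        # Assumption (simplified): a user missing from the local database is ERROR
        return PASS if s.user in s.local_users else ERROR
    if method == "if-authenticated":
        return PASS if s.authenticated else FAIL
    raise ValueError(f"unknown method {method!r}")

def authorize(methods: list[str], s: Session) -> bool:
    """Walk the method list in order; if every method returns ERROR, deny."""
    for m in methods:
        result = run_method(m, s)
        if result != ERROR:
            return result == PASS
    return False

def parse_methods(line: str) -> list[str]:
    """Method list from an 'aaa authorization exec|commands N <list> ...' line."""
    toks = line.split()
    i = 5 if toks[2] == "commands" else 4        # first token after the list name
    methods: list[str] = []
    while i < len(toks):
        if toks[i] == "group":
            methods.append(f"group {toks[i + 1]}")
            i += 2
        else:
            methods.append(toks[i])
            i += 1
    return methods

def console_lockout_risk(line: str) -> bool:
    """True if an enable-fallback user is denied on the console during a TACACS+ outage."""
    outage = Session(user=None, authenticated=True, tacacs_reachable=False)
    return not authorize(parse_methods(line), outage)
```

Run `console_lockout_risk` over each exec authorization line before pushing a config: the line without the trailing `if-authenticated` is flagged, the corrected one is not.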