11-04-2011 02:17 AM - edited 03-10-2019 06:31 PM
Hi,
I don't really understand the need of the command "aaa authorization console".
We indeed often configure these lines, which according to me are already applied by default to VTY, Console, etc ...:
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
Am I wrong? Or do these lines apply only to the VTY lines?
Thanks in advance
11-07-2011 10:55 AM
In IOS by default Cisco does not perform authorization on the console. When you configure aaa authorization it is applied to vty but not to console. Basically this is to make it harder for you to lock yourself out of the router or switch. If you want authorization to be applied on the console then you must explicitly configure it (and be very careful that it is configured correctly or you can wind up being locked out of the router - think especially of how it will work when you can not get to the external aaa server that is normally doing the authorization).
HTH
Rick
11-10-2011 11:59 AM
perfect, thanks!
01-13-2012 06:47 AM
I learned this locking out from the console today the hard way.
We use as standard:
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default local group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
and I missed the trailing "if-authenticated" in the line "aaa authorization exec default local group tacacs+ if-authenticated"; unfortunately the tacacs server wasn't reachable either.
So there was no way to log in without the hard way: rebooting and reconfiguring again.
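Rick's point about console authorization and the lockout reported above both come down to one question: does every aaa authorization method list that consults an external server still have a fallback when that server is unreachable? The following added script (not from this thread or from Cisco) is a small config lint for exactly that: it parses the aaa authorization lines of a running-config dump, flags lists that rely on a group method without an if-authenticated or none fallback, and reports whether the risk reaches the console because aaa authorization console is present. The sample config is constructed from the thread with the missing if-authenticated reproduced on the exec line; treating local as not a guaranteed fallback (it only helps if a matching local user exists) is this script's assumption, not an IOS statement.

```python
import re

# Constructed sample: the thread's standard config with the trailing
# "if-authenticated" missing on the exec line, as in the lockout report.
SAMPLE_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default local group tacacs+
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""

# Matches "aaa authorization exec <list> <methods>" and
# "aaa authorization commands <level> <list> <methods>".
AUTHZ_RE = re.compile(r"^aaa authorization (exec|commands \d+) (\S+) (.+)$")
# Methods that succeed without reaching an external AAA server. "local" is
# deliberately left out (assumption): it only works if a local user exists.
OFFLINE_FALLBACKS = {"if-authenticated", "none"}


def parse_methods(rest):
    """Split the method list, keeping 'group <name>' as one token."""
    toks, methods, i = rest.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            methods.append("group " + toks[i + 1])
            i += 2
        else:
            methods.append(toks[i])
            i += 1
    return methods


def audit_authorization(config):
    """Return (kind, list name, scope) for each lockout-prone method list."""
    lines = [l.strip() for l in config.splitlines()]
    console_authz = "aaa authorization console" in lines
    scope = "vty and console" if console_authz else "vty only"
    findings = []
    for line in lines:
        m = AUTHZ_RE.match(line)
        if not m:
            continue
        kind, listname, rest = m.groups()
        methods = parse_methods(rest)
        uses_server = any(x.startswith("group ") for x in methods)
        has_fallback = any(x in OFFLINE_FALLBACKS for x in methods)
        if uses_server and not has_fallback:
            findings.append((kind, listname, scope))
    return findings


if __name__ == "__main__":
    for kind, listname, scope in audit_authorization(SAMPLE_CONFIG):
        print(f"{kind} list '{listname}' has no server-independent fallback; applies to {scope}")
```

Run it against the output of show running-config | include ^aaa before pushing an AAA change; an empty result means every server-backed list still has a path that works when TACACS+ is down.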
01-13-2012 09:47 AM
Thanks for sharing your experience about authorization problems. I find that many people do not understand well the importance of configuring if-authenticated when configuring authorization. Your post is a good reminder about this important part of the configuration. Many of us have learned these lessons the hard way and we all can benefit from a reminder about the problem.
HTH
Rick