Cisco Support Community

New Member

AAA and TACACS on everything BUT NOT console

Would like to enable login authentication AND enable authentication on VTY but NOT console. Console should authenticate locally for both user and privilege modes ... I can't seem to separate the 'enable' piece ... any thoughts?

1 REPLY
New Member

Re: AAA and TACACS on everything BUT NOT console

I do not think you can separate the method list for the enable piece. I've asked Cisco about this in the past and they told me that it is not possible. You can have a different method list for the console for the "exec" mode but not the enable or privilege mode. It is either "tacacs" or "enable" or some other combinations but not a separate method list for "enable" by itself. Maybe Cisco added this new feature in 12.4. I've done my testing on both 12.2T and 12.3T and, IMHO, it is not possible to separate the enable piece. Here is my config:

! Local credentials: used by the "notac" list and as fallback after TACACS+
username cisco password cisco
enable secret cisco
! Login method lists: notac (local only) goes on the console, VTY on the vty lines
aaa authentication login notac local
aaa authentication login VTY group tacacs+ local
aaa authentication login web local enable
! Enable authentication: default list only, so it covers console and vty alike
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec TAC start-stop group tacacs+
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 TAC start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 TAC start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 10 TAC start-stop group tacacs+
aaa accounting commands 15 TAC start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection TAC start-stop group tacacs+
aaa session-id common
! Console: local login, no exec authorization, accounting still sent to TACACS+
line con 0
 exec-timeout 0 0
 authorization exec notac
 accounting commands 0 VTY
 accounting commands 1 VTY
 accounting commands 15 VTY
 accounting exec VTY
 logging synchronous
 login authentication notac
! VTY: TACACS+ login, authorization and accounting
line vty 0 15
 exec-timeout 0 0
 authorization commands 0 VTY
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 accounting commands 0 VTY
 accounting commands 1 VTY
 accounting commands 15 VTY
 accounting exec VTY
 login authentication VTY

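The behaviour described in the reply can be checked against a saved configuration. The following Python script is an added example, not part of the original thread or any Cisco tool: it resolves which login method list each line uses, shows that enable authentication resolves to the default list on every line, and flags method lists that are referenced but undefined or defined but never applied. The `audit` function and the trimmed `SAMPLE` config are constructed for illustration, and the parser assumes sub-commands are indented under each `line` block.

```python
import re

# Constructed sample: a trimmed subset of the configuration posted above.
SAMPLE = """\
aaa authentication login notac local
aaa authentication login VTY group tacacs+ local
aaa authentication login web local enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec TAC start-stop group tacacs+
aaa accounting exec VTY start-stop group tacacs+
line con 0
 accounting exec VTY
 login authentication notac
line vty 0 15
 accounting exec VTY
 login authentication VTY
"""

DEFINE = re.compile(r"aaa (authentication|authorization|accounting) "
                    r"(login|enable|exec|network|connection|commands \d+) (\S+) (.+)")
APPLY = re.compile(r"(?:login (authentication)|(authorization|accounting) "
                   r"(exec|commands \d+)) (\S+)")

def audit(config):
    """Resolve the AAA method lists each line uses and report gaps."""
    defined, applied, line = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not raw.startswith(" "):      # a top-level command closes a line block
            line = text if text.startswith("line ") else None
        m = DEFINE.fullmatch(text)
        if m:
            defined[m.group(1), m.group(2), m.group(3)] = m.group(4).split()
        m = APPLY.fullmatch(text) if line else None
        if m:
            ref = (m.group(1) or m.group(2), m.group(3) or "login", m.group(4))
            applied.setdefault(line, []).append(ref)
    used = {ref for refs in applied.values() for ref in refs}
    enable = defined.get(("authentication", "enable", "default"))
    return {
        "login": {ln: defined.get(ref) for ln, refs in applied.items()
                  for ref in refs if ref[:2] == ("authentication", "login")},
        # Per the reply above, enable has only the default list: same on every line.
        "enable": {ln: enable for ln in applied},
        "undefined": sorted(used - set(defined)),
        "unused": sorted(k for k in set(defined) - used if k[2] != "default"),
    }
```

Run against the sample, the console resolves to local login while both lines share the TACACS+-first enable list, which is the limitation the reply describes.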