
AAA Enable

Does anyone know if there is a way to have two separate AAA authentication enable lists, one for telnet and one for console? So, for example, if someone was logged in through the console, enable would only authenticate locally, but when logged in via telnet, it checks radius first, then locally.

Thanks.

4 REPLIES

Re: AAA Enable

Unfortunately no.

Regards,

Prem

Re: AAA Enable

But what are you trying to achieve by this?

If you want to get into privileged exec when you log in from the console, but have authentication and enable authentication when accessing from telnet, then you can probably have the following under line con:

line con 0
 privilege level 15

Regards,

Prem

Re: AAA Enable

Thanks for the response.

We would like to do it this way so that when radius is down, which is really the only reason we would ever log in via console, we do not have to wait for radius to time out when authenticating.

We also have some non-administrative users who we would like to be able to have log in via console without getting priv 15 access.

Re: AAA Enable

I can see what the requester is trying to do.

Here is a scenario:

aaa authentication login NOTAC none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
tacacs-server host 1.2.3.4 key cciesec
line console 0
 login authentication NOTAC
line vty 0 15
 login authentication VTY

With this configuration, let's say user "pbanga" gets on the console port of the device. He will not be able to get into enable mode in the console session because user pbanga did NOT log into the console port with his AAA account at the beginning. Therefore, he can NOT access the console port in privilege enable mode.

In most AAA implementations each user has his/her own exec and enable password. NO sharing.

Make sense?
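
An added example, not part of any post in this thread: a small Python audit that resolves, for each line in the configuration posted above, which login method list it uses and which enable method chain applies. It assumes IOS accepts only the `default` list for `aaa authentication enable`, consistent with the first reply; the function names are hypothetical and the sample config is re-typed from the post.

```python
import re

# Constructed sample: the configuration from the post above, re-typed.
SAMPLE_CONFIG = """\
aaa authentication login NOTAC none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
tacacs-server host 1.2.3.4 key cciesec
line console 0
 login authentication NOTAC
line vty 0 15
 login authentication VTY
"""

AAA_RE = re.compile(r"^aaa authentication (login|enable) (\S+) (.+)$")


def parse_method_lists(config):
    """Return {(kind, list_name): [methods]} for login and enable lists."""
    lists = {}
    for line in config.splitlines():
        m = AAA_RE.match(line.strip())
        if m:
            kind, name, methods = m.groups()
            # "group tacacs+" is a single method, so keep the pair together
            lists[(kind, name)] = re.findall(r"group \S+|\S+", methods)
    return lists


def audit_lines(config):
    """Map each line (console/vty) to its login and enable method chains."""
    lists = parse_method_lists(config)
    report, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            current = line[len("line "):]
            # a line without "login authentication" uses the default list
            report[current] = {"login_list": "default"}
        elif current and line.startswith("login authentication "):
            report[current]["login_list"] = line.split()[-1]
        elif raw and not raw[0].isspace():
            current = None  # back at global configuration level
    for info in report.values():
        # an empty list means no such method list is defined in the config
        info["login"] = lists.get(("login", info["login_list"]), [])
        # assumption: enable has only the default list, shared by every line
        info["enable"] = lists.get(("enable", "default"), [])
    return report
```

Running `audit_lines(SAMPLE_CONFIG)` shows the console and vty lines resolving to different login chains but the same enable chain, which is why a console session still waits on the TACACS+ server at the enable prompt.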
