Cisco Support Community

Console Authorisation

We are using AAA with CiscoSecure ACS 3.2. All the 'defaults' are configured to use the ACS server, i.e. aaa authentication login default group ACS local, aaa authorization exec default group ACS local. We also dynamically map users from Windows AD into a group that doesn't have Shell (exec) access (these are for remote access and NOT access to routers). If one of these dynamically created users tries to telnet to a router they fail with an Authorisation failure (the desired result); if, however, the user attempts to gain access via the console he is permitted. He cannot enter enable mode but can do 'show' commands etc. Doing various debugs shows no AAA Authorisation is done for the console line, whereas it is for the VTY lines. Is the console port (line con 0) treated differently than the TTY lines (line tty 0 etc) where AAA authorisation is concerned? Is there any way around this behaviour or are we stuck? We are running various IOS versions on Routers and Switches (12.1(x) and 12.2(x)T) and the behaviour is the same with all devices.


Cisco Employee

Re: Console Authorisation

That is the expected behaviour that you are seeing. Console authorization is not active by default. Use the following hidden command to enable authorization for console separately. By default console authorization is disabled.

Console authorization can now be turned on/off.

A hidden command is added to allow this. The command syntax is:

[no] aaa authorization console



Re: Console Authorisation

Thanks Yusuff. When was this command available - we have a mixture of IOS versions but most are 12.1 or above.



Cisco Employee

Re: Console Authorisation

This command was brought in due to bug CSCdi82030. The description for this bug doesn't say much, but you can look at the First-Fixed-In field to see what code this command is available in. Anything 12.1 should have it, it's been around for quite a while now.
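
An audit for the gap described in this thread, as an added example that is not part of the original posts or Cisco's own tooling: it scans saved IOS configurations for devices that define exec authorization but have not enabled `aaa authorization console`. The sample configs are constructed, the function names are hypothetical, and it assumes the command appears verbatim in the saved configuration once enabled.

```python
import re

# Constructed sample configs (not from the thread); group name ACS follows the post.
CONFIG_GAP = """\
aaa new-model
aaa authentication login default group ACS local
aaa authorization exec default group ACS local
!
line con 0
line vty 0 4
 transport input telnet
"""

# Same config with the command from the reply added in global configuration.
CONFIG_FIXED = CONFIG_GAP.replace(
    "!\nline con 0", "aaa authorization console\n!\nline con 0", 1)


def audit_console_authorization(config_text):
    """Report whether exec authorization also applies to the console line."""
    exec_lists = []          # method lists defined by 'aaa authorization exec'
    console_enabled = False  # disabled by default, as the reply states
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"aaa authorization exec (\S+)\s+", line)
        if m:
            exec_lists.append(m.group(1))
        elif line == "aaa authorization console":
            console_enabled = True
        elif line == "no aaa authorization console":
            console_enabled = False
    return {
        "exec_lists": exec_lists,
        "console_enabled": console_enabled,
        # Gap: VTY logins are authorized, console logins skip authorization.
        "console_bypasses_exec_authorization": bool(exec_lists) and not console_enabled,
    }


def audit_many(configs):
    """Map device name -> True when the console gap is present."""
    return {name: audit_console_authorization(text)["console_bypasses_exec_authorization"]
            for name, text in configs.items()}


if __name__ == "__main__":
    for name, gap in audit_many({"rtr-gap": CONFIG_GAP, "rtr-fixed": CONFIG_FIXED}).items():
        print(f"{name}: {'console not covered by exec authorization' if gap else 'ok'}")
```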