Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

how to prevent local aaa users to login


Please could you help me with my question:

My Cisco router R1 aaa configuration:

username user1 privilege 15 password user1

username user2 password user2

aaa authentication login default local

aaa authorization exec default local

aaa authentication ppp PPP_MODEM local

aaa authorization network PPP_MODEM local

So, I want to:

allow user1 to have full terminal access to R1

deny user2 to have any terminal access to R1 but allow user2 to connect to R1 via PPP.

I can configure privilege 0 to user2, but user2 will be able to access R1 terminal lines!

How can I prevent user2 to have management access to R1 using only local AAA services?


Re: how to prevent local aaa users to login

It is set to No Privilege by default. Set this to use group level settings. You also have to configure the enable password for the user

Here is a copy of my AAA settings:


aaa new-model

aaa authentication login default tacacs+ enable

aaa authentication login no_tacacs enable

aaa authentication enable default tacacs+ enable none

aaa authorization exec default tacacs+ if-authenticated

aaa authorization commands 7 default tacacs+ local

aaa authorization commands 15 default tacacs+ local

aaa accounting exec default start-stop tacacs+


The method no_tacacs is used for the console to prevent admin-lockouts. Doing a debug aaa authen & author was quite helpful in getting this to work.