01-31-2007 03:41 PM - edited 03-10-2019 02:57 PM
Hi,
I have just put TACACS on a few IOS devices. I am only using a default group which is set up to provide level 15 privileges. As I am using the same default group on both vty and console I would expect access by the 2 methods to be the same, but when I telnet in I get level 15 straight to the # prompt, but when I console in I still get prompted for the enable secret.
Any ideas?
Regards
Chris Ayres
01-31-2007 08:46 PM
Chris
You are finding a behavior that Cisco has done for a long time (and probably for good reason). The TACACS authentication/authorization to put someone directly into privilege mode by default works on the vty and does not work on the console.
The rationale is that if you make a mistake in configuring authentication/authorization (very easy to do - especially if your understanding of what you are doing is a bit weak) it would be easy to lock yourself out of the device. So by default it works on vty and does not work on console (providing a way to recover from problems). There is a hidden command that you can use to also have this work on the console (be very careful that your config works properly before you enable it on the console).
If you want it, try this:
aaa authorization console
HTH
Rick
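The caution in the reply above (confirm the config works before enabling `aaa authorization console`) can be checked against a saved running-config. This is an added example, not part of the thread: a Python check that reports whether exec authorization is applied on the console and whether the method list the console uses has anything to fall back to besides the TACACS+ server group. The sample config, the function name and the `lockout_risk` field are constructed for illustration.

```python
import re

# Constructed sample running-config for illustration (not from the thread).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+
aaa authorization console
line con 0
line vty 0 4
"""

def audit_console_exec_authorization(config: str) -> dict:
    """Check whether exec authorization reaches the console and has a fallback."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    # Collect method lists: "aaa authorization exec <list> <method> [...]"
    method_lists = {}
    for ln in lines:
        m = re.match(r"aaa authorization exec (\S+) (.+)$", ln)
        if m:
            method_lists[m.group(1)] = m.group(2).split()
    # Without this global command, exec authorization is not applied on the console.
    console_enabled = "aaa authorization console" in lines
    # Console uses list "default" unless "authorization exec <list>" is set under "line con".
    list_name, in_console = "default", False
    for ln in lines:
        if not ln.startswith(" "):
            in_console = ln.startswith("line con")
        elif in_console:
            m = re.match(r"\s+authorization exec (\S+)", ln)
            if m:
                list_name = m.group(1)
    methods = method_lists.get(list_name, [])
    # Skip "group <name>" pairs; what is left (local, if-authenticated, none)
    # is what IOS can fall back to when the TACACS+ servers do not answer.
    fallback, skip_next = [], False
    for tok in methods:
        if skip_next:
            skip_next = False
        elif tok == "group":
            skip_next = True
        else:
            fallback.append(tok)
    return {"console_enabled": console_enabled, "list": list_name,
            "fallback": fallback,
            "lockout_risk": console_enabled and bool(methods) and not fallback}

if __name__ == "__main__":
    print(audit_console_exec_authorization(SAMPLE_CONFIG))
```

A `lockout_risk` of `True` means console exec authorization depends only on the server group, so an unreachable TACACS+ server would also affect the console, the recovery path the default behaviour is meant to preserve.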