TACACS console question

chrisayres
Level 1

Hi,

I have just put TACACS on a few IOS devices. I am only using a default group, which is set up to provide level 15 privileges. As I am using the same default group on both vty and console, I would expect access by the 2 methods to be the same, but when I telnet in I get level 15 straight to the # prompt, but when I console in I still get prompted for the enable secret.

Any ideas?

Regards

Chris Ayres

Accepted Solutions

Richard Burts
Hall of Fame

Chris

You are finding a behavior that Cisco has done for a long time (and probably for good reason). The TACACS authentication/authorization to put someone directly into privilege mode by default works on the vty and does not work on the console.

The rationale is that if you make a mistake in configuring authentication/authorization (very easy to do - especially if your understanding of what you are doing is a bit weak) it would be easy to lock yourself out of the device. So by default it works on vty and does not work on console (providing a way to recover from problems). There is a hidden command that you can use to also have this work on the console (be very careful that your config works properly before you enable it on the console).

If you want it, try this:

aaa authorization console

HTH

Rick
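
A pre-check for the caution in the answer above, as an added example that is not part of the original thread: it reads a saved IOS configuration and reports whether `aaa authorization console` is set and whether the exec authorization list that applies to `line con 0` names any method that works without the TACACS+ server. The function name, the set of methods treated as a fallback and both sample configurations are assumptions constructed for this example.

```python
import re

# Methods that need no TACACS+ server (assumption: any one counts as a fallback).
FALLBACKS = {"local", "if-authenticated", "none"}

def audit_console_authz(config: str) -> dict:
    """Report how exec authorization would apply to 'line con 0'."""
    lists = {}               # method-list name -> ordered methods
    console_enabled = False  # 'aaa authorization console' present?
    con_list = "default"     # list applied to the console unless overridden
    in_console = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        indented = raw[0].isspace()
        if not indented:
            in_console = re.match(r"line con(sole)? 0$", line) is not None
        m = re.match(r"aaa authorization exec (\S+) (.+)$", line)
        if m:
            # "group tacacs+" is one method: drop the keyword, keep the name
            lists[m.group(1)] = [w for w in m.group(2).split() if w != "group"]
        elif line == "aaa authorization console":
            console_enabled = True
        elif in_console and indented:
            m = re.match(r"authorization exec (\S+)$", line)
            if m:
                con_list = m.group(1)
    methods = lists.get(con_list, [])
    has_fallback = any(x in FALLBACKS for x in methods)
    return {
        "console_authorized": console_enabled,
        "methods": methods,
        # True: console exec authorization works only while the server answers
        "console_depends_on_server": console_enabled and bool(methods) and not has_fallback,
    }

# Constructed sample configs, not taken from the thread.
NO_FALLBACK = """aaa new-model
aaa authorization exec default group tacacs+
aaa authorization console
line con 0
line vty 0 4
"""
WITH_FALLBACK = NO_FALLBACK.replace("group tacacs+\n", "group tacacs+ local\n")

if __name__ == "__main__":
    for name, cfg in (("no fallback", NO_FALLBACK), ("with fallback", WITH_FALLBACK)):
        print(name, audit_console_authz(cfg))
```

A later method in the list is consulted only when the TACACS+ server does not respond, so a server that answers with a denial is not caught by this check.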
