What you are encountering is standard behavior for IOS. Cisco, on purpose, does not do authorization on the console by default. The reasoning was that authorization on the console has real potential to lock you out of the router is you are careless or do not understand well what you are doing when you set up authorization. There is a command that will cause the router to do authorization on the console as well as the vty ports. If you want it try this:
Yes it is a hidden command. It does work if configured (and I believe it will be the answer to what you are trying to do). Cisco has positioned it so that you would not do this accidentally. I believe that the risk factor is relatively high with this, so Cisco puts it there if you intentionally use it but makes it obscure as a way of protecting people.
We are pleased to announce availability of Beta software for 16.6.3. 16.6.3 will be the second rebuild on the 16.6 release train targeted towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are looking for early feedback from custome...