Mark,

That's what i originally planned on doing, but i don't get the login local option under line con 0. I'm assuming it's because of the AAA config that i have.

These are the options under con 0:

line con 0

login ?

authentication Authentication parameters

login authentication ?

WORD Use an authentication list with this name.

default Use the default authentication list.

Here's how to set it up with the correct syntax.

aaa authentication login console local

line console 0

login authentication console

HTH,

Mark

Mark,

That worked and forced me to use local username when connecting to the switch through the console port. The problem that i'm running into now that i use local username and password, it doesn't like the enable password that i'm putting in.

I get the "% Error in authentication." message. Any thoughts?

Thanks,

Gary

Gary

Mark has good advice here. The real issue is that while you can split user authentication so that vty uses the authentication server and the console just uses local authentication, when it comes to enable you have only one choice, they both will use the remote authentication server or they will both use local authentication. And if you are going to the remote authentication server but the user authenticated locally, then the authentication server does not know who the user is and whether to admit them to enable mode or not. If you specify the privilege level with the user ID then you should get the functionality that you want.

HTH

Rick

Hi Rick,

I was trying to do the same thing but for some reason, whatever happens, the switch will try to look for my username and password from the TACACS server and it will never check local database when I type "enable". I tried regular "enable" and "enable 15". I tried to create the same username as the one I have in TACACS locally but changed the password to something different to know where the switch is picking up the "enable auth".

Thanks,

John

aaa authentication login CONSOLE line

aaa authorization exec CONSOLE none

aaa authorization commands 0 CONSOLE none

aaa authorization commands 1 CONSOLE none

aaa authorization commands 15 CONSOLE none

line con 0

authorization exec CONSOLE

login authentication CONSOLE

authorization commands 0 CONSOLE

authorization commands 1 CONSOLE

authorization commands 15 CONSOLE

I believe that your issue is that you have specified authentication using line. This will look for a password configured on the console and not for your ID. Change it to aaa authentication login CONSOLE local and let us know if it works better. 

HTH

rick

Thanks for the reply Rick.

Apparently it is already asking for username and password after hitting enable.

When accessing the switch through console, our objective is to just use the line con 0 password which is working, aaa authentication login CONSOLE line and login authentication console combo.

We are hoping that if we hit enable, it will use the enable secret password instead but since we are using "aaa authentication enable default group tacacs+ enable", it is still looking for TACACS. So after hitting enable, it asks for username/password combo instead of just password which is the enable secret.

Also, isn't that the switch will check what was stated under "aaa authen enable" instead of "aaa authen login" when hitting "enable" command?

I haven't tried to simulate what you're saying as the PC I am using to go through console is dead and need someone to boot it up for me.

Thanks,

John

John

I understood your first post to indicate that you wanted to login with your ID. I now understand that your question is about enable authentication. Please consider what I said in a previous post in this thread about enable authentication. You can configure enable authentication to use tacacs with local as an alternative/backup method. But when you authenticate it will try the primary and use the backup only if primary fails. 

If you want to get to enable on the console and bypass tacacs I have two suggestions each of which mean that anyone who logs in on console will be in enable mode which might be acceptable or might not. 

- on the console configure privilege level 15

- configure your local account to have privilege level 15. Change the console authentication to use local and not line. And be sure that the console has authorization local. 

HTH

Rick

Thanks again Rick. Yes I have tried the privilege level 15 earlier and after the line console password when connecting, it will immediately jump to privilege mode. Thank you so much for you inputs.

John

you are welcome. Both of my suggestions have some down side but they are as close as I can come to what you really want. Unfortunately there is not a way to bypass tacacs if tacacs is working. 

HTT

Rick