Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

AAA authorization for console connection

I have a user configured in the TACACS server to receive privalege level 15. When that user telnets to a router he gets level 15, but when he connects via the console he only gets level 1. A debug trace shows only the authentication, there is no authorization exchange for the console connection. Is there a parameter I am missing?

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication ppp if-needed group tacacs+ local

aaa authorization exec default group tacacs+ none

New Member

Re: AAA authorization for console connection

What version of IOS are you using? There are some issues with this in older versions of IOS.

If your IOS supports it, try using the:

aaa authorization console


If not, assign a list to the console and see if this works such as:

aaa authorization exec CONSOLE default group tacacs+

line con 0

author exec CONSOLE

Let us know if this works.

New Member

Re: AAA authorization for console connection

I had tried the list already along with a host of other variations. I am running 12.2-7a. 'aaa authorization console' solved the problem. Thanks!

Cisco Employee

Re: AAA authorization for console connection

As per the following Samle Configuration:

Console port authorization was not added as a feature until Bug ID CSCdi82030 was implemented. Console port authorization is off by default to lessen the likelihood of accidentally being locked out of the router. If a user has physical access to the router via the console, console port authorization is not extremely effective. However, for images in which Bug ID CSCdi82030 has been implemented, console port authorization can be turned on under line con 0 with the hidden command aaa authorization console.

Hope this helps,


New Member

Re: AAA authorization for console connection

Yes, that was the solution.

I notice that once the hidden command is entered and the config saved to startup, it survives a reboot, however, there is no way to tell that it is there other than logging into the console and seeing the result.

CreatePlease to create content