Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2116
Views
0
Helpful
6
Replies

Authorization on the Console Port

heyligerb
Level 1
Level 1

‎10-10-2001 05:02 PM - edited ‎03-08-2019 08:51 PM

I am try to setup limited access on all lines on a router with certain privileges for certain users in the local user database but it doesn’t seem to be working. If I login with "tcsuser" via a VTY line everything works fine, the user is only able to execute certain low level commands. However if I login in the console port with the same "tcsuser" username which is a level 0 username, this user has full access. I want this user to only have the same access whether he/she is using vty lines or console lines.

What is the deal?

Note: This is not a TACACS/RADIUS integration

Thanks,

See Config below:

version 12.1

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Router

!

no logging buffered

no logging buffered

logging rate-limit console 10 except errors

aaa new-model

aaa authentication login conmethod local

aaa authentication login auxmethod local

aaa authentication login vtymethod local

aaa authorization exec conmethod local

aaa authorization exec vtymethod local

aaa authorization exec auxmethod local

!

username tcsadmin privilege 15 password 0 password

username ptsadmin privilege 15 password 0 password

username ptsuser password 0 password

username tcsuser password 0 password

memory-size iomem 25

ip subnet-zero

no ip finger

no ip domain-lookup

ip domain-name xcentri.com

ip name-server 192.168.0.2

ip name-server 192.168.0.18

!

ip audit notify log

ip audit po max-events 100

!

!

!

!

!

interface Ethernet0

ip address 172.16.254.56 255.255.0.0

half-duplex

!

interface FastEthernet0

ip address 192.168.0.17 255.255.255.0

speed auto

!

ip kerberos source-interface any

ip classless

no ip http server

!

!

line con 0

exec-timeout 15 0

authorization exec conmethod

login authentication conmethod

transport input none

line aux 0

line vty 0 4

exec-timeout 15 0

authorization exec vtymethod

login authentication vtymethod

!

end

Labels:
0 Helpful
6 Replies 6

mazhar71
Level 1
Level 1

‎10-15-2001 04:11 AM

Only on console port even if you configure authorization , it is ignored. This is the way it works. On other types of line authorization works great.

0 Helpful

robert.hyde
Level 1
Level 1

‎10-15-2001 12:42 PM

Here is an undocumented Cisco fact: AAA authorization does not apply to console sessions. Long story short, it keeps you from being locked out of the box in case you configure a proper authentication backup method but an improper authorization backup method. Here's how to make console sessions also follow AAA authorization; it is a hidden command executed at global config:

aaa authorization console

That should do the trick. Good luck!

0 Helpful

heyligerb
Level 1
Level 1
In response to robert.hyde

‎10-17-2001 11:58 AM

Tried aaa authorization console and it took the command but it didn't seem to initiate any authorization on the console.

Oh well.

No biggie.

Thanks for you help

Brian

0 Helpful

jscinocca
Level 1
Level 1
In response to heyligerb

‎10-17-2001 01:32 PM

Honestly man,, If I were you don't place AAA on the console.

What happens if you forgot the password or something happens, like you misconfigure it.

Its bad, then you have to perform password recovery.

Thats mean downing the router.

0 Helpful

heyligerb
Level 1
Level 1
In response to jscinocca

‎10-17-2001 04:37 PM

Well you know the solution to that. Don't forget your password! This is a sample config, we will be using TACACS so I won't forget it, but thanks for the advice.

0 Helpful

wjmichael
Level 1
Level 1

‎10-26-2001 08:45 AM

Brian,

You need to simplify your configuration.

Have all users first login and authenticate to exec mode using their password configured in the local user database. Level 15 authentication should be via an Enable Secret password shared with your admin types.

Configuring “default” as your list name in the aaa new-model configuration specifies that all (vty, console, http) router access will use the methods that follow. There is no need to specify an authentication command in the vty or console configuration the ios by default, uses the “default” configuration.

#In the example below a line password is configured

#for console and vty. The default list #authentication method in the aaa new-model #configuration is the local user database identified #with the keyword local. If local authentication #fails for any reason the second authentication #method is the line password identified with the #keyword line.

# This command enables a line password used as a #secondary authentication method.

(config-line)#password 7 mylinepassword

#

#The command in line 2 authenticates all router #access to exec mode using the local user database. #This is specified with the keyword local. The line #keyword is a second authentication method used in #the event the user database authentication fails #for some reason. The last line authenticates level #15 (privileged) using the local Enable Secret #password.

(config)#aaa new-model

(config)#aaa authentication login default local line

(config)#aaa authentication enable default enable

#

#configure your local user database (do not #configure privilege levels.)

(config)#username joeuser password 0 joeuser01

#

#Enable secret password is used to authenticate #privileged level 15(config)#enable secret myenablesecret

#

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents