I am trying to set up limited access on all lines on a router, with certain privileges for certain users in the local user database, but it doesn't seem to be working. If I log in with "tcsuser" via a VTY line everything works fine: the user is only able to execute certain low-level commands. However, if I log in on the console port with the same "tcsuser" username, which is a level 0 username, this user has full access. I want this user to only have the same access whether he/she is using VTY lines or console lines.
Here is an undocumented Cisco fact: AAA authorization does not apply to console sessions. Long story short, it keeps you from being locked out of the box in case you configure a proper authentication backup method but an improper authorization backup method. Here's how to make console sessions also follow AAA authorization; it is a hidden command executed at global config:
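The configuration below is an added example, not part of either answer in this thread, showing how the hidden console authorization command fits together with exec authorization from the local database so that a restricted user gets the same privilege level on the console as on a VTY line. The usernames, passwords and the command moved to level 1 are illustrative assumptions; only the AAA and privilege commands themselves are standard IOS syntax.

```cisco
! Added example (not from the original thread). Assumes an IOS router using
! aaa new-model with a local user database; names and passwords are made up.
aaa new-model
!
! Authenticate every line against the local database; fall back to the line
! password only if the local database is unusable.
aaa authentication login default local line
aaa authentication enable default enable
!
! Authorize the exec shell, and therefore the starting privilege level,
! from the local database. On its own this applies to vty sessions only.
aaa authorization exec default local
!
! Hidden command: make console sessions follow AAA authorization as well.
! Apply this last, with the authorization list above already verified,
! because a broken authorization list now locks you out of the console too.
aaa authorization console
!
! Restricted user: starts at privilege level 1 and cannot reach level 15
! without the enable secret, which is not shared with this user.
username tcsuser privilege 1 secret tcsuserpass
! Administrator: starts directly at level 15.
username admin privilege 15 secret adminpass
enable secret myenablesecret
!
! Illustrative: let level 1 view the running configuration (read-only).
privilege exec level 1 show running-config
```

To check the result, log in on the console as tcsuser and run `show privilege`; it should report level 1, the same as over a VTY line. While testing, keep a second, already-authenticated session open so a mistake in the authorization list cannot lock you out.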
Have all users first log in and authenticate to exec mode using their password configured in the local user database. Level 15 authentication should be via an enable secret password shared with your admin types.
Configuring default as your list name in the aaa new-model configuration specifies that all (vty, console, http) router access will use the methods that follow. There is no need to specify an authentication command in the vty or console configuration; by default, IOS uses the default list.
! In the example below a line password is configured for console and vty.
! The default list authentication method in the aaa new-model configuration
! is the local user database, identified with the keyword local. If local
! authentication fails for any reason, the second authentication method is
! the line password, identified with the keyword line.
!
! These commands enable a line password used as a secondary authentication
! method. (Type 7 expects an already-encrypted string, so the plaintext is
! entered with type 0 here.)
(config)#line console 0
(config-line)#password 0 mylinepassword
(config)#line vty 0 4
(config-line)#password 0 mylinepassword
!
! The login command authenticates all router access to exec mode using the
! local user database (keyword local). The line keyword is a second
! authentication method used in the event the user database authentication
! fails for some reason. The enable command authenticates level 15
! (privileged) using the local enable secret password.
(config)#aaa new-model
(config)#aaa authentication login default local line
(config)#aaa authentication enable default enable
!
! Configure your local user database (do not configure privilege levels).
(config)#username joeuser password 0 joeuser01
!
! The enable secret password is used to authenticate privileged level 15.
(config)#enable secret myenablesecret