Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Authorization on the Console Port

I am try to setup limited access on all lines on a router with certain privileges for certain users in the local user database but it doesn’t seem to be working. If I login with "tcsuser" via a VTY line everything works fine, the user is only able to execute certain low level commands. However if I login in the console port with the same "tcsuser" username which is a level 0 username, this user has full access. I want this user to only have the same access whether he/she is using vty lines or console lines.

What is the deal?

Note: This is not a TACACS/RADIUS integration

Thanks,

See Config below:

version 12.1

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Router

!

no logging buffered

no logging buffered

logging rate-limit console 10 except errors

aaa new-model

aaa authentication login conmethod local

aaa authentication login auxmethod local

aaa authentication login vtymethod local

aaa authorization exec conmethod local

aaa authorization exec vtymethod local

aaa authorization exec auxmethod local

!

username tcsadmin privilege 15 password 0 password

username ptsadmin privilege 15 password 0 password

username ptsuser password 0 password

username tcsuser password 0 password

memory-size iomem 25

ip subnet-zero

no ip finger

no ip domain-lookup

ip domain-name xcentri.com

ip name-server 192.168.0.2

ip name-server 192.168.0.18

!

ip audit notify log

ip audit po max-events 100

!

!

!

!

!

interface Ethernet0

ip address 172.16.254.56 255.255.0.0

half-duplex

!

interface FastEthernet0

ip address 192.168.0.17 255.255.255.0

speed auto

!

ip kerberos source-interface any

ip classless

no ip http server

!

!

line con 0

exec-timeout 15 0

authorization exec conmethod

login authentication conmethod

transport input none

line aux 0

line vty 0 4

exec-timeout 15 0

authorization exec vtymethod

login authentication vtymethod

!

end

6 REPLIES
New Member

Re: Authorization on the Console Port

Only on console port even if you configure authorization , it is ignored. This is the way it works. On other types of line authorization works great.

New Member

Re: Authorization on the Console Port

Here is an undocumented Cisco fact: AAA authorization does not apply to console sessions. Long story short, it keeps you from being locked out of the box in case you configure a proper authentication backup method but an improper authorization backup method. Here's how to make console sessions also follow AAA authorization; it is a hidden command executed at global config:

aaa authorization console

That should do the trick. Good luck!

New Member

Re: Authorization on the Console Port

Tried aaa authorization console and it took the command but it didn't seem to initiate any authorization on the console.

Oh well.

No biggie.

Thanks for you help

Brian

New Member

Re: Authorization on the Console Port

Honestly man,, If I were you don't place AAA on the console.

What happens if you forgot the password or something happens, like you misconfigure it.

Its bad, then you have to perform password recovery.

Thats mean downing the router.

New Member

Re: Authorization on the Console Port

Well you know the solution to that. Don't forget your password! This is a sample config, we will be using TACACS so I won't forget it, but thanks for the advice.

New Member

Re: Authorization on the Console Port

Brian,

You need to simplify your configuration.

Have all users first login and authenticate to exec mode using their password configured in the local user database. Level 15 authentication should be via an Enable Secret password shared with your admin types.

Configuring “default” as your list name in the aaa new-model configuration specifies that all (vty, console, http) router access will use the methods that follow. There is no need to specify an authentication command in the vty or console configuration the ios by default, uses the “default” configuration.

#In the example below a line password is configured

#for console and vty. The default list #authentication method in the aaa new-model #configuration is the local user database identified #with the keyword local. If local authentication #fails for any reason the second authentication #method is the line password identified with the #keyword line.

# This command enables a line password used as a #secondary authentication method.

(config-line)#password 7 mylinepassword

#

#The command in line 2 authenticates all router #access to exec mode using the local user database. #This is specified with the keyword local. The line #keyword is a second authentication method used in #the event the user database authentication fails #for some reason. The last line authenticates level #15 (privileged) using the local Enable Secret #password.

(config)#aaa new-model

(config)#aaa authentication login default local line

(config)#aaa authentication enable default enable

#

#configure your local user database (do not #configure privilege levels.)

(config)#username joeuser password 0 joeuser01

#

#Enable secret password is used to authenticate #privileged level 15(config)#enable secret myenablesecret

#

309
Views
0
Helpful
6
Replies