Re: aaa authorization console

From: Paul Howell (paul.howell@gmail.com)
Date: Tue Aug 07 2007 - 04:23:02 ART


Hi Lim,

The vty ports will always go through aaa authorization; however, that is not
the default with the console. The default will cause the IOS to respect any
login settings under "line con 0".

Without "aaa authorization console", you could put "privilege level 15"
under the console configuration. This would cause any user logging in to
have immediate level 15 access. Once "aaa authorization console" is added,
the IOS respects what is listed in the AAA configuration (overriding what is
configured under the console).

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hsec_r/sec_a1h.htm#wp1126581

- Paul

On 8/6/07, Toh Soon, Lim <tohsoon28@gmail.com> wrote:
>
> Hi Brian,
>
> I had previously added that command as mentioned in my post. It works.
>
> I guess the command "aaa authorization console" is required as far as
> console authorization is concerned.
>
> I twisted the config a little as follows:
>
> !
> aaa new-model
> aaa authentication login MYLOGIN local-case
> aaa authorization exec MYAUTHO local
> !
> username user1 privilege 15 secret cisco123
> !
> line con 0
> password cisco123
> login authentication MYLOGIN
> authorization exec MYAUTHO
> !
>
> I faced the same problem until I configured "aaa authorization console".
>
>
> Thank you.
>
> B.Rgds,
> Lim TS
>
>
> On 8/7/07, Brian Dennis <bdennis@internetworkexpert.com> wrote:
> >
> > Try adding this command to the global configuration:
> >
> > aaa authorization console
> >
> > Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> > bdennis@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 775-745-6404 (Outside the US and Canada)
> >
> > On Aug 6, 2007, at 3:35 PM, Toh Soon, Lim wrote:
> >
> > > Hi Group,
> > >
> > > I'm facing an issue with the following AAA config:
> > >
> > > !
> > > aaa new-model
> > > aaa authentication login default local-case
> > > aaa authorization exec default local
> > > !
> > > username user1 privilege 15 secret cisco123
> > > !
> > > line con 0
> > > password cisco123
> > > !
> > > line vty 0 4
> > > password cisco123
> > > !
> > >
> > > When I telnet to the router and log in as user1, I'm put to privileged
> > > EXEC mode (Router# prompt). However, when I console and log in as user1,
> > > I'm only put to user EXEC mode (Router> prompt). I have to type enable
> > > and provide the enable secret password to get to Level 15. What am I
> > > missing here?
> > >
> > > I resolved the issue by adding the global command "aaa authorization
> > > console". Advise me if this is the right thing to do.
> > >
> > > I'm kinda confused with the command reference in DocCD that says:
> > >
> > > This command (aaa authorization console) by itself does not turn on
> > > authorization of the console line. It needs to be used in conjunction
> > > with the authorization command under console line configurations.
> > >
> > >
> > > Thank you.
> > >
> > > B.Rgds,
> > > Lim TS
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
>
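As an added example (not part of the thread, and not a Cisco tool), here is a
small Python audit that applies the rule Paul describes to a saved
running-config: with "aaa new-model", vty logins always get AAA exec
authorization, but the console only gets it once the global "aaa authorization
console" is present, using the list bound by "authorization exec NAME" under
"line con 0" or else the default list. It flags the two cases that matter for
security: exec authorization that the console silently bypasses (Lim's symptom,
users landing at the line's privilege level), and "privilege level 15" under
the console line, which hands level 15 to anyone who passes console login. The
sample configs are constructed from the ones posted above; an exec list named
under the line but never defined is counted as no list, which is a conservative
audit choice rather than a statement of IOS fallback behaviour.

```python
"""Audit a Cisco IOS config for console EXEC authorization. Added example,
not code from the thread or from Cisco. Rule modelled (from the thread):
the console consults the AAA exec list only when the global
"aaa authorization console" exists. Sample configs below are constructed."""
import re


def parse_config(config):
    """Return (top-level commands, {line name: [sub-commands]}). A "line"
    section ends at the next "!" or "line" header; indentation is ignored."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd:
            continue
        if cmd == "!":
            current = None
        elif cmd.startswith("line "):
            current = cmd[5:].strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(cmd)
        else:
            top.append(cmd)
    return top, sections


def audit_console_authorization(config):
    """Report whether a console login is subject to AAA exec authorization."""
    top, sections = parse_config(config)
    r = {"aaa_new_model": "aaa new-model" in top, "exec_lists": set(),
         "console_flag": "aaa authorization console" in top,
         "list_in_effect": None, "console_authorized": False,
         "line_privilege": None, "findings": []}
    if not r["aaa_new_model"]:
        r["findings"].append("aaa new-model absent: no AAA on any line")
        return r
    for cmd in top:
        m = re.match(r"aaa authorization exec (\S+)", cmd)
        if m:
            r["exec_lists"].add(m.group(1))
    named = None
    for cmd in sections.get("con 0", []):
        m = re.match(r"authorization exec (\S+)", cmd)
        if m:
            named = m.group(1)
        m = re.match(r"privilege level (\d+)", cmd)
        if m:
            r["line_privilege"] = int(m.group(1))
    # A list bound under "line con 0" wins; otherwise the default list. An
    # undefined named list is treated as no list (conservative audit choice,
    # not a statement about IOS fallback behaviour).
    if named in r["exec_lists"]:
        r["list_in_effect"] = named
    elif named is None and "default" in r["exec_lists"]:
        r["list_in_effect"] = "default"
    r["console_authorized"] = r["console_flag"] and r["list_in_effect"] is not None
    if r["exec_lists"] and not r["console_flag"]:
        r["findings"].append(
            "exec authorization is configured but 'aaa authorization console' is "
            "missing: console logins skip EXEC authorization and land at the "
            "line's privilege level, not the user's")
    elif r["console_flag"] and r["list_in_effect"] is None:
        r["findings"].append(
            "'aaa authorization console' is set but no exec list applies to line "
            "con 0: define a default list or bind one with 'authorization exec NAME'")
    if r["line_privilege"] == 15 and not r["console_authorized"]:
        r["findings"].append(
            "'privilege level 15' under line con 0 with no console authorization: "
            "anyone who passes console login is level 15")
    return r


# Constructed samples: the poster's original config, the same config with the
# fix from the thread, and a console that hands out level 15 by line config.
ORIGINAL = """
aaa new-model
aaa authentication login default local-case
aaa authorization exec default local
!
username user1 privilege 15 secret cisco123
!
line con 0
 password cisco123
!
line vty 0 4
 password cisco123
!
"""
FIXED = ORIGINAL.replace("aaa authorization exec default local",
                         "aaa authorization exec default local\n"
                         "aaa authorization console")
PRIV15 = """
aaa new-model
aaa authentication login default local-case
!
line con 0
 privilege level 15
!
"""

if __name__ == "__main__":
    for name, cfg in [("original", ORIGINAL), ("fixed", FIXED), ("priv15", PRIV15)]:
        res = audit_console_authorization(cfg)
        print(name, res["console_authorized"], res["list_in_effect"], res["findings"])
```

Run it as a script to print each sample's verdict, or import
audit_console_authorization and feed it the text of "show running-config"
captured from a device; the parser accepts both indented IOS output and the
flattened form the configs take in this thread.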



This archive was generated by hypermail 2.1.4 : Sat Sep 01 2007 - 11:32:09 ART