Hi Mohammad,

for the console, AAA authorization is a bit different than for the
regular VTY lines.

First, you'd have to authenticate yourself and authorize the exec process
for the console as local:

    enable password cisco
    username cisco password 0 cisco
    username user1 privilege 7 password 0 cisco
    aaa authentication login CON local
    aaa authorization exec CON local
    line con 0
     authorization exec CON
     login authentication CON

You can also promote/demote some commands to level 7 here. I reckon you
have done all (or most) of the lines above. When you enter the last
command, you should see something like this:

    Rack1R6(config)#line con 0
    Rack1R6(config-line)#author exec CON
    %Authorization without the global command 'aaa authorization console' is
    useless

At the end you'd have to explicitly enable authorization for the console by
entering

    aaa authorization console

After that all should be sweet:

    User Access Verification

    Username:
    Username: user1
    Password:

    Rack1R6#who
        Line       User       Host(s)              Idle       Location
    *  0 con 0     user1      idle                 00:00:00

      Interface    User               Mode         Idle     Peer Address

    Rack1R6#sh priv
    Current privilege level is 7

Make sure you don't lock yourself out while experimenting with console
authorization. :-0

Happy studies,
A.
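
The dependency described in the reply above (an `authorization exec` list on `line con 0` does nothing until `aaa authorization console` is configured globally) can be checked offline against a saved configuration. The Python below is an added example, not part of the original thread; the function name `audit`, the sample configuration and the extra check for method lists that are applied but never defined are assumptions, and the input is expected in `show running-config` layout with sub-commands indented.

```python
import re

# Constructed sample in "show running-config" layout (sub-commands indented):
# the reply's console setup before the final global command is entered.
SAMPLE = """\
aaa new-model
username user1 privilege 7 password 0 cisco
aaa authentication login CON local
aaa authorization exec CON local
line con 0
 authorization exec CON
 login authentication CON
line vty 0 4
 login authentication VTY
"""

# Line-level keyword order differs from the global "aaa ..." command.
KINDS = {"authorization exec": "authorization exec",
         "login authentication": "authentication login"}

def audit(config):
    """Return findings about AAA method lists applied to console/VTY lines."""
    defined, applied = set(), []      # (kind, list) pairs; (line, kind, list)
    console_authz, current = False, None
    for raw in config.splitlines():
        text = raw.strip()
        if raw[:1].isspace():         # sub-command of the current section
            m = re.match(r"(authorization exec|login authentication) (\S+)", text)
            if current and m:
                applied.append((current, KINDS[m.group(1)], m.group(2)))
            continue
        current = text if text.startswith("line ") else None
        m = re.match(r"aaa (authentication login|authorization exec) (\S+)", text)
        if m:
            defined.add((m.group(1), m.group(2)))
        console_authz = console_authz or text == "aaa authorization console"
    findings = []
    for line, kind, name in applied:
        if (kind, name) not in defined:
            findings.append(f"{line}: {kind} list '{name}' is not defined")
        if line.startswith("line con") and kind == "authorization exec" and not console_authz:
            findings.append(f"{line}: 'authorization exec {name}' is ignored "
                            "until 'aaa authorization console' is configured")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
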
On 5/12/2012 6:49 AM, Mohammad Mousa wrote:
> Hi Jay
>
> My first question is, when I used the two separate statements, why can't I access the router even if I put in a wrong username and password?
> The second one: I need to create username George password George, for example. I want to allow him only to enter the config mode and interface mode and not do anything else. Why can't this happen unless you telnet to the router? Why can't you do it from the console if you log in with the same username? Thanks a lot Jay, appreciate that.
> On May 11, 2012, at 11:29 PM, "Jay McMickle"<jay.mcmickle_at_yahoo.com> wrote:
>
>> I might have misunderstood your 1st question, but when you enter both lines you put, the second overrides the first (only showing the 2nd line).
>>
>> If you want it to fall back, use-
>> ....local def line none (on the same line)
>>
>> Second question-
>> Priv 1 and 15 are the only ones that work.
>>
>> Regards,
>> Jay McMickle- CCIE #35355
>> Sent from iJay
>>
>> On May 11, 2012, at 12:58 PM,<mohd-mousa_at_hotmail.com> wrote:
>>
>>> Hi guys,
>>>
>>> I have two questions regarding the aaa authentication,
>>>
>>> first, when I do the following commands
>>> -aaa authentication login default local
>>> -aaa authentication login default none
>>>
>>> guys, I know that the first statement will authenticate based on the username
>>> and password defined on the local database of the router.
>>> The second statement I used to avoid locking myself out of the router.
>>>
>>> When I get out of the router and get back in, it will ask me for the username and password,
>>> and I can't get in (if I don't put the username and pass).
>>> My question is, should I be able to access the router even without authentication, as the
>>> second statement said?
>>>
>>>
>>>
>>> Second, I know there are two levels (8 for the usermode, 15 for the conf mode)
>>>
>>> I have the following commands
>>> username k privilege 9 pass k
>>> privilege exec level 9 configure terminal
>>> privilege configure level 9 interface
>>> aaa authorization exec default local
>>>
>>> Why do these commands only work when I telnet to this router, while it isn't working
>>> when I get in through the console?
>>>
>>> when I get in through telnet
>>> show privi ---- it gave me level 9 (after I put the username & pass), it worked
>>> fine
>>> when I get in through the console
>>> show privi ---- it gave me level 15 (after I put the username & pass)
>>>
>>> Thanks in advance
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
Received on Sun May 13 2012 - 21:07:04 ART
This archive was generated by hypermail 2.2.0 : Sun Jun 17 2012 - 09:04:19 ART