Here is a slightly different setup, but it achieves the end goal.
If you configure aaa authentication for login but do not configure aaa
authentication for enable, you can make it work like this:

aaa authentication login default group tacacs

Now, on your TACACS server, make it so that the user gets priv-lvl 15
when they log in automatically. What will happen is that when you
telnet/ssh into a line and authenticate you will be in enable mode,
but when you console in and authenticate you won't and will have to
enter the local enable password. Why? Because aaa authorization,
which is what allows the priv-lvl 15 escalation, is disabled by default
on console lines.

On Mon, Oct 8, 2012 at 7:14 AM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
> aaa authentication login noaaa line
> !
> line con 0
> login authen noaaa
>
> (done by memory, but should be close, if not exact)
>
> Regards,
> Jay McMickle- CCIE #35355 (RS), 3x CCNP (RS,Security,Design)
> Sent from my iPhone
>
> On Oct 8, 2012, at 1:39 AM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
>
>> Hi,
>>
>> Is there any way that I can get all of the vty lines using tacacs for
>> enable password but console excluded from this?
>>
>>
>> Problem is "aaa authentication enable default .... " applies to "default",
>> so I'm not sure how to achieve this requirement.
>>
>>
>> Thanks
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
--
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan

Received on Tue Oct 09 2012 - 10:59:37 ART
This archive was generated by hypermail 2.2.0 : Thu Nov 01 2012 - 10:53:33 ART
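
The setup described in the top reply of this thread, written out as a full IOS configuration (an added example, not part of the original thread). The server address, shared key, username and secrets are placeholders; the `local` fallbacks and the explicit `aaa authorization exec` line are assumptions added here, and the IOS keyword `tacacs+` is used for the server group.

```cisco
! Constructed example. 192.0.2.10, <shared-secret>, netadmin and the
! secrets below are placeholders, not values from the thread.
aaa new-model
!
tacacs-server host 192.0.2.10 key <shared-secret>
!
! Break-glass local account, used only if the TACACS+ server is unreachable.
username netadmin privilege 15 secret <local-user-secret>
!
! Login authentication for every line (console and vty) goes to TACACS+.
aaa authentication login default group tacacs+ local
!
! Exec authorization is what applies the priv-lvl attribute the server
! returns. Without this line a vty user lands at level 1 even if the
! server sends priv-lvl 15.
aaa authorization exec default group tacacs+ local
!
! Deliberately absent:
!   aaa authentication enable default ...   (enable stays on the local secret)
!   aaa authorization console               (exec authorization skips the console)
! Adding "aaa authorization console" would make the console behave like the
! vty lines and drop authenticated users straight into level 15.
!
enable secret <local-enable-secret>
!
line con 0
 ! Authenticates against TACACS+ via the default list, lands at level 1,
 ! then needs the local enable secret to reach level 15.
 exec-timeout 5 0
!
line vty 0 4
 ! Authenticates against TACACS+ and receives priv-lvl 15 through
 ! exec authorization, so no enable prompt is seen.
 transport input ssh
```

After logging in, `show privilege` confirms the result on each line type: level 15 on a vty session, level 1 on the console until `enable` is entered.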