10 messages in net.nether.puck.cisco-nsp[c-nsp] aaa different for console log...
Subject: [c-nsp] aaa different for console logins?
From: Oliver Boehmer (oboehmer) (oboe@cisco.com)
Date: Jan 12, 2005 4:11:23 am
List: net.nether.puck.cisco-nsp

by default, console sessions are not authorized via AAA (a safeguard against a misconfigured authorization). configure "aaa authorization console" (could be hidden, depending on IOS release) if you want to change this behaviour.

Ah, so that's to stop you from giving out enable on the console accidentally? It does use AAA for authentication on the console without doing anything special.

That will prevent the session from receiving any authorization info (like privilege level), only authentication.

My reason for looking into this is that we use AAA (radius) to authenticate noc staff logins (so we don't have to change enable secrets any time someone leaves) and during emergencies when someone has to console in, I'd like them to get enable without having to tell them the "super secret enable secret".

Ack. But please make sure to define appropriate fallback methods. So in your case, I would replace

  aaa authorization exec default group radius local

by

  aaa authorization exec default group radius if-authenticated

I.e. when Radius is not available, authorization succeeds if the user has authenticated.

oli
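
Added example, not part of the original message: a small Python check over a saved running-config that reports what exec authorization a console session gets when no RADIUS server answers, for the two method lists discussed above. The sample configs are constructed, the function names are hypothetical, and the model is simplified: it reads only the `default` exec list and treats every server group as unreachable.

```python
# Constructed sample configs (not taken from the thread).
BEFORE = """\
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
"""
AFTER = """\
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa authorization console
"""

def parse_exec_methods(config, list_name="default"):
    """Return the ordered methods of 'aaa authorization exec <list_name> ...'."""
    for line in config.splitlines():
        words = line.split()
        if words[:4] == ["aaa", "authorization", "exec", list_name]:
            methods, rest = [], words[4:]
            while rest:
                if rest[0] == "group" and len(rest) > 1:
                    methods.append("group " + rest[1])
                    rest = rest[2:]
                else:
                    methods.append(rest[0])
                    rest = rest[1:]
            return methods
    return []

def console_outcome_when_servers_down(config):
    """Classify console exec authorization when every server group times out."""
    lines = [l.strip() for l in config.splitlines()]
    # Without this command the console is authenticated but not authorized.
    if "aaa authorization console" not in lines:
        return "not-authorized-via-aaa"
    methods = parse_exec_methods(config)
    if not methods:
        return "no-exec-authorization-list"
    for m in methods:
        if m.startswith("group "):
            continue  # assumed unreachable: an error moves on to the next method
        if m == "if-authenticated":
            return "permit-if-authenticated"
        if m == "local":
            return "needs-local-user-entry"  # user must exist in the local database
        if m == "none":
            return "permit-no-authorization"
    return "deny"  # every listed method errored out
```
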