Disable Console Login Prompt

I have a Cisco 3650 running 16.3.5b Lan base. I want do disable the login but prompt for the enable password with connecting via the console cable. I am using AAA for ssh access. The "no login local" command isn't an option.

aaa group server tacacs+ Clear_Pass
 server XXX.XXX.XXX.XXX
 server XXX.XXX.XXX.XXX
 server-private XXX.XXX.XXX.XXX timeout 3 key 7 PASSWORD
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface Loopback1
!
aaa authentication login default group tacacs+ local enable
aaa authorization exec default if-authenticated
aaa authorization network default if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+

username cisco privilege 15 password 7 CISCO

line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 logging synchronous
 transport input ssh
line vty 5 15
 privilege level 15
 logging synchronous
 transport input ssh
Robin HarrisNetwork TechnicianAsked:
Who is Participating?
 
JustInCaseCommented:
aaa authorization console
!
line console
 login authentication default
line vty 0 15
 login authentication default

Open in new window

I am not sure that I understand you are trying to achieve. The above will force radius authentication (aaa default authentication) on console and vty lines.
Local authentication will be available only if RADIUS is unreachable.
0
 
atlas_shudderedSr. Network EngineerCommented:
There are a couple of things you are going to run into right out the gate:

1. No enable password set
2. Assuming you are trying to use the local admin account, it is set to priv 15 and will bypass enable even if it is set
3. This line - aaa authentication login default group tacacs+ local enable - is telling your device to always attempt authentication against tacacs+ if available.  If you have a tacacs host configured and the switch can see it, it will force all auth through that method, never attempting local (to Predrag's point above)
4. If you desire to set local authentication superiority over tacacs for console, you will need to add lines 1, 3 and 4 of the config Predrag posted and then either set local admin to some other value than 15 and build an enable password.
0
All Courses

From novice to tech pro — start learning today.