Disable Console Login Prompt

I have a Cisco 3650 running 16.3.5b Lan base. I want do disable the login but prompt for the enable password with connecting via the console cable. I am using AAA for ssh access. The "no login local" command isn't an option.

aaa group server tacacs+ Clear_Pass
 server XXX.XXX.XXX.XXX
 server XXX.XXX.XXX.XXX
 server-private XXX.XXX.XXX.XXX timeout 3 key 7 PASSWORD
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface Loopback1
!
aaa authentication login default group tacacs+ local enable
aaa authorization exec default if-authenticated
aaa authorization network default if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+

username cisco privilege 15 password 7 CISCO

line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 logging synchronous
 transport input ssh
line vty 5 15
 privilege level 15
 logging synchronous
 transport input ssh
Robin HarrisNetwork TechnicianAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JustInCaseCommented:
aaa authorization console
!
line console
 login authentication default
line vty 0 15
 login authentication default

Open in new window

I am not sure that I understand you are trying to achieve. The above will force radius authentication (aaa default authentication) on console and vty lines.
Local authentication will be available only if RADIUS is unreachable.
atlas_shudderedSr. Network EngineerCommented:
There are a couple of things you are going to run into right out the gate:

1. No enable password set
2. Assuming you are trying to use the local admin account, it is set to priv 15 and will bypass enable even if it is set
3. This line - aaa authentication login default group tacacs+ local enable - is telling your device to always attempt authentication against tacacs+ if available.  If you have a tacacs host configured and the switch can see it, it will force all auth through that method, never attempting local (to Predrag's point above)
4. If you desire to set local authentication superiority over tacacs for console, you will need to add lines 1, 3 and 4 of the config Predrag posted and then either set local admin to some other value than 15 and build an enable password.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.