Robin Harris asked:

Disable Console Login Prompt

I have a Cisco 3650 running 16.3.5b LAN Base. I want to disable the login but prompt for the enable password when connecting via the console cable. I am using AAA for SSH access. The "no login local" command isn't an option.

aaa group server tacacs+ Clear_Pass
 server XXX.XXX.XXX.XXX
 server XXX.XXX.XXX.XXX
 server-private XXX.XXX.XXX.XXX timeout 3 key 7 PASSWORD
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface Loopback1
!
aaa authentication login default group tacacs+ local enable
aaa authorization exec default if-authenticated
aaa authorization network default if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+

username cisco privilege 15 password 7 CISCO

line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 logging synchronous
 transport input ssh
line vty 5 15
 privilege level 15
 logging synchronous
 transport input ssh
Predrag Jovic

aaa authorization console
!
line console 0
 login authentication default
line vty 0 15
 login authentication default

I am not sure that I understand what you are trying to achieve. The above will force RADIUS authentication (aaa default authentication) on console and vty lines.
Local authentication will be available only if RADIUS is unreachable.
There are a couple of things you are going to run into right out the gate:

1. No enable password set
2. Assuming you are trying to use the local admin account, it is set to priv 15 and will bypass enable even if it is set
3. This line - aaa authentication login default group tacacs+ local enable - is telling your device to always attempt authentication against tacacs+ if available.  If you have a tacacs host configured and the switch can see it, it will force all auth through that method, never attempting local (to Predrag's point above)
4. If you desire to set local authentication superiority over tacacs for console, you will need to add lines 1, 3 and 4 of the config Predrag posted and then either set local admin to some other value than 15 and build an enable password.
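
One way to give the console its own local-first behaviour while SSH keeps following the default list, shown as an added example that is not from either poster: a named method list bound only to line con 0. The list name CONSOLE_LOCAL, the user name conadmin and the bracketed secrets are placeholders, and the fragment assumes aaa new-model is already enabled as in the question's config.

```cisco
! Added example (not from the thread). CONSOLE_LOCAL, conadmin and the
! <...> values are placeholders chosen for illustration.
!
! Console login is checked against the local user database only, so it
! no longer follows the "default" list (tacacs+ first).
aaa authentication login CONSOLE_LOCAL local
!
! The enable prompt is checked against the locally configured enable secret.
aaa authentication enable default enable
!
! Exec authorization is not applied to the console unless this is set.
aaa authorization console
aaa authorization exec CONSOLE_LOCAL local
!
! A privilege 1 user lands in user EXEC and has to type "enable";
! a privilege 15 user would skip the enable prompt.
username conadmin privilege 1 secret <LOCAL-USER-SECRET>
enable secret <ENABLE-SECRET>
!
line con 0
 login authentication CONSOLE_LOCAL
 authorization exec CONSOLE_LOCAL
 ! Idle console sessions are closed after 5 minutes.
 exec-timeout 5 0
 stopbits 1
!
! VTY lines keep the default list from the question (tacacs+ local enable).
line vty 0 15
 login authentication default
 transport input ssh
```

Keep an existing privileged session open while testing from the console cable, so a mistake in the method list cannot lock you out.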