Cisco – AAA Exclude Console Port for Local Backup access

Man. Today I was putting a core 4507R switch onto our Tacacs AAA controls. The main IT admin for that site got all fussy about what if my tacacs account is locked out and its an emergency? Did not like the answer well call the Corporate helpdesk to have it unlocked. So I had to figure out how to make only the console port ignore tacacs AAA and use the local login database instead. Here is what I had to add to the aaa commands.

  1. Create a local user account under global config mode.
    username local-MYNAMEHERE privilege 15 password MYPASSWORDHERE
  2. Next under global config mode
    aaa authentication login console local
    aaa authorization exec console local
    aaa authorization commands 0 console local
    aaa authorization commands 1 console local
    aaa authorization commands 15 console local
    aaa authorization console
  3. Then under the console line interface
    authorization commands 0 console
    authorization commands 1 console
    authorization commands 15 console
    authorization exec console
    login authentication console
Share