Man. Today I was putting a core 4507R switch onto our TACACS AAA controls. The main IT admin for that site got all fussy about "what if my TACACS account is locked out and it's an emergency?" Did not like the answer, "well, call the Corporate helpdesk to have it unlocked." So I had to figure out how to make only the console port ignore TACACS AAA and use the local login database instead. Here is what I had to add to the AAA commands.
- Create a local user account under global config mode.
username local-MYNAMEHERE privilege 15 password MYPASSWORDHERE
- Next under global config mode
aaa authentication login console local
aaa authorization exec console local
aaa authorization commands 0 console local
aaa authorization commands 1 console local
aaa authorization commands 15 console local
aaa authorization console
- Then under the console line interface
authorization commands 0 console
authorization commands 1 console
authorization commands 15 console
authorization exec console
login authentication console
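
To check a saved running-config for this setup, here is an added audit sketch (not part of the original post). It confirms that the local-only `console` method list is defined for everything applied on the console line, that `aaa authorization console` is present, that no vty line picks up the local-only list, and it flags a local user stored with `password` rather than the hashed `secret` form. The sample config, the `audit` function and the `local-admin` user are constructed for illustration.

```python
import re

# Constructed sample running-config (not from a real device); names are placeholders.
SAMPLE = """\
username local-admin privilege 15 password 0 ExamplePass
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authorization exec console local
aaa authorization commands 15 console local
aaa authorization console
line con 0
 authorization commands 15 console
 authorization exec console
 login authentication console
line vty 0 4
 login authentication console
"""

def audit(config, list_name="console"):
    """Return findings for a console-only local AAA method list."""
    findings, section, defined = [], "", set()
    lines = config.splitlines()
    for line in lines:  # pass 1: global definitions of the named list
        m = re.match(r"aaa (authentication login|authorization (?:exec|commands \d+)) (\S+) (.+)", line)
        if m and m.group(2) == list_name:
            defined.add(m.group(1))
            if m.group(3).strip() != "local":
                findings.append(f"list '{list_name}' for {m.group(1)} is not local-only")
        if re.match(r"username \S+ .*\bpassword\b", line):
            findings.append("local user uses 'password'; prefer 'secret'")
    if "aaa authorization console" not in lines:
        findings.append("'aaa authorization console' missing")
    for line in lines:  # pass 2: where the list is applied under each line block
        if not line.startswith(" "):
            section = line.strip()
            continue
        m = re.match(r"\s+(login authentication|authorization (?:exec|commands \d+)) (\S+)", line)
        if not m or m.group(2) != list_name:
            continue
        kind = m.group(1).replace("login authentication", "authentication login")
        if section.startswith("line vty"):
            findings.append(f"{section}: uses local-only list '{list_name}'")
        elif kind not in defined:
            findings.append(f"{section}: '{kind} {list_name}' applied but not defined")
    return findings
```

Running `audit(SAMPLE)` reports the `password` user and the vty line that bypasses TACACS; a config that matches the steps above and uses `secret` returns an empty list.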