> This does not seem to be possible in recent releases because the enable
> authentication method lists do not allow for "local" authentication as
> an option.
I believe this was never possible. Even when authenticating against TACACS
or RADIUS, the router will prompt only for a password and use the predefined name
$enab15$ when querying the AAA server. The only time you get prompted for a
username and password is when you connect via console (not via telnet) and
then request enable mode. What is possible is to assign privilege level 15
to a locally defined user. Then the user will get enable mode whenever he or she
> Looking for "local" specified for the enable mode authentication method
> does yield some hits on CCO and some older releases seem to have
> supported this. It seems that Cisco removed this support for some
> (security?) reason. The "aaa authentication local-override" is also
> deprecated but I could find no explanations for the reason. That may
> have possibly been helpful here.
local-override functionality is now achieved by specifying 'local' before
'group ...'. If you do so, the router will first try to authenticate against
the local database. If the name matches but the password does not, access will
be denied. If, however, the user doesn't exist in the local database, then the
router will contact the AAA server. But again, this won't prompt for a username
when entering enable mode unless done from console.
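
An IOS configuration sketch of the two points in the reply above, added here as an example and not taken from the thread. The username `netadmin`, the secret placeholder, the choice of `tacacs+` as the server group and the exec authorization line are assumptions.

```cisco
! Added example; netadmin, the secret placeholder and tacacs+ are assumptions.
aaa new-model
!
! Locally defined user assigned privilege level 15.
username netadmin privilege 15 secret <PLACEHOLDER-SECRET>
!
! Login: 'local' listed before 'group ...', as described in the reply.
! A name that exists locally with a wrong password is denied;
! a name missing from the local database is passed to the server group.
aaa authentication login default local group tacacs+
!
! Enable: 'local' is not offered as a method here (the point raised in the
! quoted question), so the server group is tried and the enable secret is
! used only if the servers return an error.
aaa authentication enable default group tacacs+ enable
!
! Assumption: exec authorization is configured so that the privilege level
! stored with the local user is applied when that user logs in.
aaa authorization exec default local group tacacs+
```

After applying a change like this, keep an existing privileged session open and test a new login from a second session before saving, so a mistake in the method list does not lock you out.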