57
{ The device does not use the username you enter to request user role authentication, and it uses
a username in the $enabn$ format. The variable n represents a user role level, and a domain
name is not included in the username. You can always pass user role authentication when the
password is correct.
{ To obtain a level-n user role, you must create a user account for the level-n user role in the
$enabn$ format on the RADIUS server. The variable n represents the target user role level. For
example, to obtain the authorization of the level-3 user role, you can enter any username. The
device uses the username $enab3$ to request user role authentication from the server.
{ To obtain a non-level-n user role, you must perform the following tasks:
− Create the user account $enab0$ on the server.
− Configure the cisco-av-pair attribute for the account in the form of allowed-roles="role". The
variable role represents the target user role.
• The device selects an authentication domain for user role authentication in the following order:
a. The ISP domain included in the entered username.
b. The default ISP domain.
• If you execute the quit command after obtaining user role authorization, you are logged out of the
device.
Table 10 User role authentication modes
Keywords Authentication mode Description
local
Local password
authentication only
(local-only)
The device uses the locally configured password for
authentication.
If no local password is configured for a user role in this
mode, an AUX user can obtain the user role authorization
by either entering a string or not entering anything.
scheme
Remote AAA authentication
through HWTACACS or
RADIUS (remote-only)
The device sends the username and password to the
HWTACACS or RADIUS server for remote authentication.
To use this mode, you must perform the following
configuration tasks:
• Configure the required HWTACACS or RADIUS
scheme, and configure the ISP domain to use the
scheme for the user. For more information, see Security
Configuration Guide.
• Add the user account and password on the
HWTACACS or RADIUS server.
local scheme
Local password
authentication first, and
then remote AAA
authentication
(local-then-remote)
Local password authentication is performed first.
If no local password is configured for the user role in this
mode:
• The device performs remote AAA authentication for
VTY users.
• An AUX user can obtain another user role by either
entering a string or not entering anything.
To Next Page
Loading...
Need help?
General
