HPE FlexNetwork 5130 EI Series Fundamentals Configuration Guide

HPE FlexNetwork 5130 EI Series
183 pages
    Whether the domain name is included in the username depends on the user-name-format command in the HWTACACS scheme.
  - To obtain a level-n user role, the user account on the server must have the target user role level or a user role level higher than the target user role. A user account that obtains the level-n user role can obtain any user roles among level 0 through level-n.
  - To obtain a non-level-n user role, make sure the user account on the server meets the following requirements:
    - The account has a user privilege level.
    - The HWTACACS custom attribute is configured for the account in the form of allowed-roles="role". The variable role represents the target user role.
- If RADIUS authentication is used, the following rules apply:
  - The device does not use the username you enter to request user role authentication, and it uses a username in the $enabn$ format. The variable n represents a user role level, and a domain name is not included in the username. You can always pass user role authentication when the password is correct.
  - To obtain a level-n user role, you must create a user account for the level-n user role in the $enabn$ format on the RADIUS server. The variable n represents the target user role level. For example, to obtain the authorization of the level-3 user role, you can enter any username. The device uses the username $enab3$ to request user role authentication from the server.
  - To obtain a non-level-n user role, you must perform the following tasks:
    - Create the user account $enab0$ on the server.
    - Configure the cisco-av-pair attribute for the account in the form of allowed-roles="role". The variable role represents the target user role.
- The device selects an authentication domain for user role authentication in the following order:
  a. The ISP domain included in the entered username.
  b. The default ISP domain.
- If you execute the quit command after obtaining user role authorization, you are logged out of the device.
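
The RADIUS rules and the domain selection order above, modeled as a small audit check (an added example, not code from the HPE guide). The account dictionary, the domain names bbb and system, the role names in the sample, and the @ delimiter between username and domain are assumptions made for illustration.

```python
import re

LEVEL_ROLE = re.compile(r"level-(\d+)")
ALLOWED = re.compile(r'allowed-roles="([^"]+)"')

def select_domain(entered_username, default_domain):
    """Order from the page: domain in the entered username, else the default ISP domain."""
    _, sep, domain = entered_username.rpartition("@")  # "@" delimiter is an assumption
    return domain if sep and domain else default_domain

def radius_request_username(target_role):
    """Username the device sends to RADIUS; the entered username is not used."""
    m = LEVEL_ROLE.fullmatch(target_role)
    return f"$enab{m.group(1)}$" if m else "$enab0$"

def role_is_obtainable(target_role, accounts):
    """accounts: {username: [cisco-av-pair strings]}, a constructed model of the server DB."""
    name = radius_request_username(target_role)
    if name not in accounts:
        return False
    if LEVEL_ROLE.fullmatch(target_role):
        return True  # the $enabn$ account alone is enough for a level-n role
    granted = {r for av in accounts[name] for r in ALLOWED.findall(av)}
    return target_role in granted

def audit(accounts, roles_of_interest):
    """Roles that any CLI user who knows the matching account password could obtain."""
    return sorted(r for r in roles_of_interest if role_is_obtainable(r, accounts))

# Constructed sample data, not taken from a real server.
SAMPLE_ACCOUNTS = {
    "alice": [],                                   # ordinary login account, ignored here
    "$enab3$": [],                                 # enables the level-3 role
    "$enab0$": ['allowed-roles="network-admin"'],  # enables one non-level-n role
}

if __name__ == "__main__":
    print(select_domain("alice@bbb", "system"))
    print(radius_request_username("level-3"))
    print(audit(SAMPLE_ACCOUNTS,
                ["level-3", "level-15", "network-admin", "network-operator"]))
```

Because the entered username plays no part in the RADIUS request, every role the audit lists is protected only by the password of the corresponding $enabn$ account.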
Table 10 User role authentication modes

| Keywords | Authentication mode | Description |
|---|---|---|
| local | Local password authentication only (local-only) | The device uses the locally configured password for authentication. If no local password is configured for a user role in this mode, an AUX user can obtain the user role authorization by either entering a string or not entering anything. |
| scheme | Remote AAA authentication through HWTACACS or RADIUS (remote-only) | The device sends the username and password to the HWTACACS or RADIUS server for remote authentication. To use this mode, you must perform the following configuration tasks: • Configure the required HWTACACS or RADIUS scheme, and configure the ISP domain to use the scheme for the user. For more information, see Security Configuration Guide. • Add the user account and password on the HWTACACS or RADIUS server. |
