[Switch-isp-bbb] authentication login local 
# Configure ISP domain bbb to use local authorization for login users. 
[Switch-isp-bbb] authorization login local 
# Apply the HWTACACS scheme hwtac to the ISP domain for user role authentication. 
[Switch-isp-bbb] authentication super hwtacacs-scheme hwtac 
[Switch-isp-bbb] quit 
# Create a device management user named test and enter local user view. Set the service type to Telnet, and set the password to aabbcc. 
[Switch] local-user test class manage 
[Switch-luser-manage-test] service-type telnet 
[Switch-luser-manage-test] password simple aabbcc 
# Assign level-0 to the user. 
[Switch-luser-manage-test] authorization-attribute user-role level-0 
# Delete the default user role network-operator. 
[Switch-luser-manage-test] undo authorization-attribute user-role network-operator 
[Switch-luser-manage-test] quit 
# Set the local authentication password to 654321 for the user role level-3. 
[Switch] super password role level-3 simple 654321 
# Set the local authentication password to 654321 for the user role network-admin. 
[Switch] super password role network-admin simple 654321 
[Switch] quit 
2.  Configure the HWTACACS server: 
This example uses ACSv4.0. 
a.  Access the User Setup page. 
b.  Add a user account named test. (Details not shown.) 
c.  In the Advanced TACACS+ Settings area, configure the following parameters: 
− Select Level 3 for the Max Privilege for any AAA Client option. 
If the target user role is only network-admin for temporary user role authorization, you 
can select any level from the Max Privilege for any AAA Client option. 
− Select the Use separate password option, and specify enabpass as the password.
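
The following check is an added example, not part of the vendor guide. It lints the switch-side commands shown above for secrets entered with the simple keyword, short or single-class secrets, one secret reused across commands, and Telnet as the service type. The names audit and TRANSCRIPT and the 10-character minimum are assumptions made for illustration.

```python
import re

# Switch-side commands copied from the configuration example above.
TRANSCRIPT = """\
[Switch-isp-bbb] authentication login local
[Switch-isp-bbb] authorization login local
[Switch-isp-bbb] authentication super hwtacacs-scheme hwtac
[Switch] local-user test class manage
[Switch-luser-manage-test] service-type telnet
[Switch-luser-manage-test] password simple aabbcc
[Switch-luser-manage-test] authorization-attribute user-role level-0
[Switch-luser-manage-test] undo authorization-attribute user-role network-operator
[Switch] super password role level-3 simple 654321
[Switch] super password role network-admin simple 654321
"""

PROMPT = re.compile(r"^\[[^\]]+\]\s*")  # strips the "[Switch-...]" view prompt
SECRET = re.compile(r"^(?:password|super password role (\S+)) simple (\S+)$")
MIN_LEN = 10  # assumed site policy, not a value from the guide


def audit(transcript):
    """Return (check, command) findings; secret values are masked in the output."""
    findings, seen = [], set()
    for raw in transcript.splitlines():
        cmd = PROMPT.sub("", raw.strip())
        if cmd == "service-type telnet":
            # Telnet carries the login and super passwords unencrypted.
            findings.append(("cleartext-transport", cmd))
        m = SECRET.match(cmd)
        if not m:
            continue
        secret = m.group(2)
        masked = cmd[: m.start(2)] + "***"
        # "simple" means the secret was typed in plaintext form.
        findings.append(("plaintext-entry", masked))
        if len(secret) < MIN_LEN or secret.isdigit() or secret.isalpha():
            findings.append(("weak-secret", masked))
        if secret in seen:
            findings.append(("reused-secret", masked))
        seen.add(secret)
    return findings


if __name__ == "__main__":
    for check, cmd in audit(TRANSCRIPT):
        print(f"{check:20} {cmd}")
```
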