
HPE FlexNetwork 5510 HI Series Fundamentals Configuration Guide

HPE FlexNetwork 5510 HI Series
209 pages
Step | Command | Remarks
other user line. The device cannot assign the security-audit user role to non-AAA authentication users.
Configuring temporary user role authorization
Temporary user role authorization allows you to obtain another user role without reconnecting to the
device. This feature is useful when you want to use a user role temporarily to configure a feature.
Temporary user role authorization is effective only on the current login. This feature does not change
the user role settings in the user account that you have been logged in with. The next time you are
logged in with the user account, the original user role settings take effect.
Configuration guidelines
When you configure temporary user role authorization, follow these guidelines:
• To enable users to obtain another user role without reconnecting to the device, you must configure user role authentication. Table 11 describes the available authentication modes and configuration requirements.
• If HWTACACS authentication is used, the following rules apply:
  ○ The device uses the entered username and password to request role authentication, and it sends the username to the server in the format username or username@domain-name. Whether the domain name is included in the username depends on the user-name-format command in the HWTACACS scheme.
  ○ To obtain a level-n user role, the user account on the server must have the target user role level or a user role level higher than the target user role. A user account that obtains the level-n user role can obtain any user role from level 0 through level-n.
  ○ To obtain a non-level-n user role, make sure the user account on the server meets the following requirements:
    − The account has a user privilege level.
    − The HWTACACS custom attribute is configured for the account in the form of allowed-roles="role". The variable role represents the target user role.
• If RADIUS authentication is used, the following rules apply:
  ○ The device does not use the username you entered to request user role authentication. The device uses a username in the $enabn$ format. The variable n represents a user role level, and a domain name is not included in the username. You can always pass user role authentication when the password is correct.
  ○ To obtain a level-n user role, you must create a user account for the level-n user role in the $enabn$ format on the RADIUS server. The variable n represents the target user role level. For example, to obtain the authorization of the level-3 user role, you can enter any username. The device uses the username $enab3$ to request user role authentication from the server.
  ○ To obtain a non-level-n user role, you must perform the following tasks:
    − Create the user account $enab0$ on the server.
    − Configure the cisco-av-pair attribute for the account in the form of allowed-roles="role". The variable role represents the target user role.
• The device selects an authentication domain for user role authentication in the following order:
  a. The ISP domain included in the entered username.
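The HWTACACS and RADIUS rules above, modelled as an added Python example (not from the HPE guide): it computes the username the device sends and checks whether the server-side account meets the stated requirements. The account dictionaries, the role names custom-ops and custom-audit, and the with_domain flag (standing in for the user-name-format setting) are assumptions, and a correct password is assumed.

```python
import re

LEVEL = re.compile(r"^level-(\d+)$")

def sent_username(mode, entered, target_role, domain=None, with_domain=False):
    """Username the device presents to the server for role authentication."""
    if mode == "radius":
        # Entered name is ignored: level-n uses $enabn$, other roles use $enab0$.
        m = LEVEL.match(target_role)
        return "$enab%s$" % (m.group(1) if m else "0")
    if mode == "hwtacacs":
        # with_domain is an assumed flag modelling the user-name-format setting.
        return f"{entered}@{domain}" if (with_domain and domain) else entered
    raise ValueError(f"unknown mode: {mode}")

def role_permitted(mode, accounts, entered, target_role, **kw):
    """True if the server-side account satisfies the rules listed above.

    accounts maps username -> {"level": int or None, "allowed_roles": set}
    (an assumed representation of the server database). Only the account
    requirements are modelled; the password check is out of scope.
    """
    acct = accounts.get(sent_username(mode, entered, target_role, **kw))
    if acct is None:
        return False
    m = LEVEL.match(target_role)
    allowed = target_role in acct.get("allowed_roles", set())
    if mode == "radius":
        # An existing $enabn$ account is enough for level-n; other roles
        # need allowed-roles="role" on $enab0$.
        return True if m else allowed
    has_level = acct.get("level") is not None
    if m:  # HWTACACS level-n: account level must be the target level or higher
        return has_level and acct["level"] >= int(m.group(1))
    # HWTACACS non-level-n: a privilege level AND allowed-roles="role"
    return has_level and allowed

# Constructed sample server databases (not from the guide).
RADIUS_DB = {"$enab3$": {}, "$enab0$": {"allowed_roles": {"custom-ops"}}}
TACACS_DB = {"alice": {"level": 5, "allowed_roles": set()},
             "bob": {"level": 1, "allowed_roles": {"custom-audit"}}}
```

Because the RADIUS request carries $enabn$ rather than the entered name, server logs for these accounts do not identify who requested the role; correlate them with the device's own login records when auditing.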
