Configuring Local Authentication and Authorization
Your software release
may not support all the features documented in this module. For the latest
caveats and feature information, see Bug Search Tool and the release notes for
your platform and software release. To find information about the features
documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this
Use Cisco Feature
Navigator to find information about platform support and Cisco software image
support. To access Cisco Feature Navigator, go to
An account on Cisco.com is not required.
How to Configure Local Authentication and Authorization
Configuring the Switch for Local Authentication and Authorization
You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration.
To secure the switch for HTTP access by using AAA methods, you must configure the
switch with the ip http authentication aaa global
configuration command. Configuring AAA authentication does not secure the switch for
HTTP access by using AAA methods.
Beginning in privileged EXEC mode, follow these steps to configure AAA to operate without a server by setting the switch to implement AAA in local mode:
| ||Command or Action||Purpose|
Device# configure terminal
Enters the global
|Step 2||aaa new-model|
Device(config)# aaa new-model
|Step 3||aaa authentication login default local|
Device(config)# aaa authentication login default local
Sets the login authentication to use the local username database. The
default keyword applies the local user database
authentication to all ports.
|Step 4||aaa authorization exec local|
Device(config)# aaa authorization exec local
Configures user AAA authorization, check the local database, and allow the user to run an EXEC shell.
|Step 5||aaa authorization network local|
Device(config)# aaa authorization network local
Configures user AAA authorization for all network-related service requests.
Device(config)# username your_user_name privilege 1 password 7 secret567
Enters the local database, and establishes a username-based authentication system.
Repeat this command for each user.
For name, specify the user ID as one word. Spaces
and quotation marks are not allowed.
(Optional) For level, specify the privilege level
the user has after gaining access. The range is 0 to 15. Level 15 gives
privileged EXEC mode access. Level 0 gives user EXEC mode access.
For encryption-type, enter 0 to specify that an
unencrypted password follows. Enter 7 to specify that a hidden password
For password, specify the password the user must
enter to gain access to the switch. The password must be from 1 to 25
characters, can contain embedded spaces, and must be the last option
specified in the username command.
privileged EXEC mode.
Monitoring Local Authentication and Authorization
To display Local Authentication and Authorization configuration, use the show running-config privileged EXEC command.
All supported MIBs for this release.
and download MIBs for selected platforms, Cisco IOS releases, and feature sets,
use Cisco MIB Locator found at the following URL:
Support website provides extensive online resources, including documentation
and tools for troubleshooting and resolving technical issues with Cisco
products and technologies.
security and technical information about your products, you can subscribe to
various services, such as the Product Alert Tool (accessed from Field Notices),
the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS)
most tools on the Cisco Support website requires a Cisco.com user ID and
for Local Authentication and Authorization
|Cisco IOS XE 3.2SE
||This feature was introduced.