Security Configuration Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
Configuring Local Authentication and Authorization


Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http:/​/​​go/​cfn. An account on is not required.

How to Configure Local Authentication and Authorization

Configuring the Switch for Local Authentication and Authorization

You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration.


To secure the switch for HTTP access by using AAA methods, you must configure the switch with the ip http authentication aaa global configuration command. Configuring AAA authentication alone does not secure the switch for HTTP access by using AAA methods.

Follow these steps to configure AAA to operate without a server by setting the switch to implement AAA in local mode:


    1.    enable

    2.    configure terminal

    3.    aaa new-model

    4.    aaa authentication login default local

    5.    aaa authorization exec local

    6.    aaa authorization network local

    7.    username name [privilege level] {password encryption-type password}

    8.    end

    9.    show running-config

    10.    copy running-config startup-config

     Command or Action    Purpose
    Step 1 enable

    SwitchController> enable

    Enables privileged EXEC mode. Enter your password if prompted.


    Step 2 configure terminal

    SwitchController# configure terminal

    Enters the global configuration mode.

    Step 3 aaa new-model

    SwitchController(config)# aaa new-model

    Enables AAA.

    Step 4 aaa authentication login default local

    SwitchController(config)# aaa authentication login default local

    Sets the login authentication to use the local username database. The default keyword applies the local user database authentication to all ports.

    Step 5 aaa authorization exec local

    SwitchController(config)# aaa authorization exec local

    Configures user AAA authorization to check the local database and allow the user to run an EXEC shell.

    Step 6 aaa authorization network local

    SwitchController(config)# aaa authorization network local

    Configures user AAA authorization for all network-related service requests.

    Step 7 username name [privilege level] {password encryption-type password}

    SwitchController(config)# username your_user_name privilege 1 password 0 secret567

    Enters the local database, and establishes a username-based authentication system.

    Repeat this command for each user.

    • For name, specify the user ID as one word. Spaces and quotation marks are not allowed.

    • (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 0 gives user EXEC mode access.

    • For encryption-type, enter 0 to specify that an unencrypted password follows. Enter 7 to specify that a hidden password follows.

    • For password, specify the password the user must enter to gain access to the switch. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.

    Step 8 end

    SwitchController(config)# end

    Returns to privileged EXEC mode.

    Step 9 show running-config

    SwitchController# show running-config 

    Verifies your entries.

    Step 10 copy running-config startup-config

    SwitchController# copy running-config startup-config 

    (Optional) Saves your entries in the configuration file.


Monitoring Local Authentication and Authorization

To display Local Authentication and Authorization configuration, use the show running-config privileged EXEC command.
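
One way to check a captured show running-config against the steps above. This is an added example, not Cisco's code; the function name audit_local_aaa and the sample capture are constructed for illustration. It also flags type 0 and type 7 password entries, because type 7 is a reversible encoding rather than a hash.

```python
import re

# Commands the procedure on this page adds to the running configuration.
REQUIRED = ["aaa new-model", "aaa authentication login default local",
            "aaa authorization exec local", "aaa authorization network local"]
USER_RE = re.compile(
    r"^username (\S+)(?: privilege (\d+))? (password|secret) (\d+) \S")

# Constructed sample capture (not from a real device); the type 7 string is a
# placeholder, not a real encoded password.
SAMPLE = """\
aaa new-model
aaa authentication login default local
aaa authorization exec local
username your_user_name privilege 1 password 0 secret567
username netadmin privilege 15 password 7 0000000000
ip http server
"""

def audit_local_aaa(config_text):
    """Return a list of findings for a 'show running-config' capture."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    findings = [f"missing: {cmd}" for cmd in REQUIRED if cmd not in lines]

    # AAA login methods do not cover HTTP access unless
    # 'ip http authentication aaa' is configured as well.
    # A 'no ip http server' line does not match and is ignored.
    http_on = any(ln in ("ip http server", "ip http secure-server")
                  for ln in lines)
    if http_on and "ip http authentication aaa" not in lines:
        findings.append("missing: ip http authentication aaa")

    users = [m for m in map(USER_RE.match, lines) if m]
    if not users:
        findings.append("no local username entries found")
    for m in users:
        name, level, keyword, enc = m.groups()
        if keyword == "password" and enc == "0":
            findings.append(f"user {name}: password stored unencrypted (type 0)")
        elif keyword == "password" and enc == "7":
            findings.append(f"user {name}: type 7 is reversible obfuscation, not a hash")
        if level == "15":
            findings.append(f"user {name}: privilege 15, review need for full access")
    return findings
```

Calling audit_local_aaa(SAMPLE) returns one finding per gap; an empty list means every check passed.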
