Configuring Local Authentication and Authorization

How to Configure the Switch for Local Authentication and Authorization

You can configure authentication, authorization, and accounting (AAA) to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration.


Note


To secure the switch for HTTP access by using AAA methods, you must configure the switch with the ip http authentication aaa command in global configuration mode. Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods.


To configure AAA to operate without a server by setting the switch to implement AAA in local mode, perform this procedure.

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device configure terminal

Enters global configuration mode.

Step 3

aaa new-model

Example:

Device(config)# aaa new-model

Enables AAA.

Step 4

aaa authentication login default local

Example:

Device(config)# aaa authentication login default local

Sets the login authentication to use the local username database. The default keyword applies the local user database authentication to all ports.

Step 5

aaa authorization exec default local

Example:

Device(config)# aaa authorization exec default local

Configures user AAA authorization, check the local database, and allow the user to run an EXEC shell.

Step 6

aaa authorization network default local

Example:

Device(config)# aaa authorization network default local

Configures user AAA authorization for all network-related service requests.

Step 7

username name [privilege level] {password encryption-type password}

Example:

Device(config)# username your_user_name privilege 1 password 7 secret567

Enters the local database, and establishes a username-based authentication system.

Repeat this command for each user.

  • name : Specify the user ID as one word. Spaces and quotation marks are not allowed.

  • level : (Optional) Specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 0 gives user EXEC mode access.

  • encryption-type : Enter 0 to specify an unencrypted password. Enter 7 to specify a hidden password .

  • password : Specify the password the user must enter to gain access to the switch. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.

Step 8

end

Example:

Device(config-line)# end

Returns to privileged EXEC mode.

Step 9

show running-config

Example:

Device# show running-config

Verifies your entries.

Step 10

copy running-config startup-config

Example:

Device# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

Monitoring Local Authentication and Authorization

Table 1. Commands for Displaying Local Authentication and Authorization
Command Purpose

show running-config

Displays the local authentication and authorization configuration.

Feature History for Local Authentication and Authorization

This table provides release and related information for features explained in this module.

These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.

Release

Feature

Feature Information

Cisco IOS Release 15.2(7)E1

Local Authentication and Authorization

This feature helps AAA to operate without a server by setting the device to implement AAA in local mode.

Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.