Configuration restrictions and guidelines
When you configure temporary user role authorization, follow these guidelines:
To enable a user to obtain another user role without reconnecting to the device, you must configure user role authentication. Table 9 describes the available authentication modes and configuration requirements.
If HWTACACS authentication is used, the following rules apply:
If the device is not enabled to automatically obtain the login username as the authentication username, you must enter a username to request role authentication.
The device sends the username to the server in the username or username@domain-name format. Whether the domain name is included in the username depends on the user-name-format command in the HWTACACS scheme.
To obtain a level-n user role, the user account on the server must have the target user role level or a level higher than the target user role. A user account that obtains the level-n user role can obtain any user role among level 0 through level-n.
To obtain a non-level-n user role, make sure the user account on the server meets the following requirements:
The account has a user privilege level.
The HWTACACS custom attribute is configured for the account in the form of allowed-roles="role". The variable role represents the target user role.
If RADIUS authentication is used, the following rules apply:
The device does not use the username you enter or the automatically obtained login username to request user role authentication. It uses a username in the $enabn$ format. The variable n represents a user role level, and a domain name is not included in the username. You can always pass user role authentication when the password is correct.
To obtain a level-n user role, you must create a user account for the level-n user role in the $enabn$ format on the RADIUS server. The variable n represents the target user role level. For example, to obtain the authorization of the level-3 user role, you can enter any username. The device uses the username $enab3$ to request user role authentication from the server.
To obtain a non-level-n user role, you must perform the following tasks:
Create a user account named $enab0$ on the server.
Configure the cisco-av-pair attribute for the account in the form of allowed-roles="role". The variable role represents the target user role.
The device selects an authentication domain for user role authentication in the following order:
The ISP domain included in the entered username.
The default ISP domain.
If you execute the quit command after obtaining user role authorization, you are logged out of the device.
Table 9: User role authentication modes
Keywords | Authentication mode | Description |
|---|---|---|
local | Local password authentication only (local-only) | The device uses the locally configured password for authentication. If no local password is configured for a user role in this mode, an AUX user can obtain the user role by either entering a string or not entering anything. |
scheme | Remote AAA authentication through HWTACACS or RADIUS (remote-only) | The device sends the username and password to the HWTACACS or RADIUS server for remote authentication. To use this mode, you must perform the following configuration tasks:
|
local scheme | Local password authentication first, and then remote AAA authentication (local-then-remote) | Local password authentication is performed first. If no local password is configured for the user role in this mode:
|
scheme local | Remote AAA authentication first, and then local password authentication (remote-then-local) | Remote AAA authentication is performed first. Local password authentication is performed in either of the following situations:
|