Configuration restrictions and guidelines
When you configure temporary user role authorization, follow these guidelines:
To enable users to obtain another user role without reconnecting to the device, you must configure user role authentication. Table 10 describes the available authentication modes and configuration requirements.
If HWTACACS authentication is used, the following rules apply:
The device uses the entered username and password to request role authentication, and it sends the username to the server in the format username or username@domain-name. Whether the domain name is included in the username depends on the user-name-format command in the HWTACACS scheme.
To obtain a level-n user role, the user account on the server must have a user role level equal to or higher than the target level. A user account that obtains the level-n user role can obtain any user role among level 0 through level-n.
To obtain a non-level-n user role, make sure the user account on the server meets the following requirements:
The account has a user privilege level.
The HWTACACS custom attribute is configured for the account in the form of allowed-roles="role". The variable role represents the target user role.
If RADIUS authentication is used, the following rules apply:
The device does not use the username you enter to request user role authentication; instead, it uses a username in the $enabn$ format. The variable n represents a user role level, and a domain name is not included in the username. You can always pass user role authentication when the password is correct.
To obtain a level-n user role, you must create a user account for the level-n user role in the $enabn$ format on the RADIUS server. The variable n represents the target user role level. For example, to obtain the authorization of the level-3 user role, you can enter any username. The device uses the username $enab3$ to request user role authentication from the server.
To obtain a non-level-n user role, you must perform the following tasks:
Create the user account $enab0$ on the server.
Configure the cisco-av-pair attribute for the account in the form of allowed-roles="role". The variable role represents the target user role.
The device selects an authentication domain for user role authentication in the following order:
The ISP domain included in the entered username.
The default ISP domain.
If you execute the quit command after obtaining user role authorization, you are logged out of the device.
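The HWTACACS and RADIUS rules above decide which username reaches the server, which ISP domain's scheme handles the request, and what the server-side account must look like. The following is an added example, not device or vendor code, that models those rules in Python so the provisioning consequences can be checked before touching a server. The role names, domain names and usernames used in it are illustrative assumptions.

```python
"""Model of the username and ISP domain the device uses for user role
authentication (added example, not device code). Role names, domain names and
user-name-format values are illustrative."""
from typing import NamedTuple, Optional

LEVEL_PREFIX = "level-"


def select_domain(entered_user: str, default_domain: str) -> str:
    """Domain selection order: the ISP domain in the entered username first,
    then the default ISP domain."""
    _, _, typed_domain = entered_user.partition("@")
    return typed_domain or default_domain


def hwtacacs_username(entered_user: str, user_name_format: str, domain: str) -> str:
    """HWTACACS: the entered username is sent as 'username' or
    'username@domain-name', depending on the scheme's user-name-format."""
    base, _, _ = entered_user.partition("@")
    if user_name_format == "keep-original":
        return entered_user
    if user_name_format == "without-domain":
        return base
    if user_name_format == "with-domain":
        return f"{base}@{domain}"
    raise ValueError(f"unknown user-name-format: {user_name_format}")


def role_level(role: str) -> Optional[int]:
    """Return n for a level-n role name, None for any other role name."""
    suffix = role[len(LEVEL_PREFIX):]
    if role.startswith(LEVEL_PREFIX) and suffix.isdigit():
        return int(suffix)
    return None


def radius_username(target_role: str) -> str:
    """RADIUS: the entered username is ignored. A level-n role is requested as
    $enabn$ (no domain name); any other role goes through the $enab0$ account."""
    n = role_level(target_role)
    return f"$enab{n}$" if n is not None else "$enab0$"


class ServerAccount(NamedTuple):
    username: str      # account the AAA server must hold
    requirement: str   # what that account needs for the target role


def server_account(protocol: str, entered_user: str, target_role: str,
                   default_domain: str, user_name_format: str = "with-domain") -> ServerAccount:
    """Describe the server-side account the rules require for target_role."""
    n = role_level(target_role)
    if protocol == "hwtacacs":
        domain = select_domain(entered_user, default_domain)
        name = hwtacacs_username(entered_user, user_name_format, domain)
        if n is not None:
            req = f"user role level {n} or higher"
        else:
            req = f'a user privilege level plus custom attribute allowed-roles="{target_role}"'
        return ServerAccount(name, req)
    if protocol == "radius":
        name = radius_username(target_role)
        if n is not None:
            req = "account password only (level-n role)"
        else:
            req = f'cisco-av-pair attribute allowed-roles="{target_role}"'
        return ServerAccount(name, req)
    raise ValueError(f"unknown protocol: {protocol}")


def hwtacacs_level_grants(account_level: int, target_role: str) -> bool:
    """A HWTACACS account at level n can obtain any level-0 through level-n role;
    it grants no non-level role by level alone."""
    n = role_level(target_role)
    return n is not None and account_level >= n


if __name__ == "__main__":
    # Constructed sample requests: which account each one needs on the server.
    print(server_account("radius", "anything", "level-3", "system"))
    print(server_account("radius", "bob", "network-operator", "system"))
    print(server_account("hwtacacs", "bob@corp", "level-2", "system", "without-domain"))
    print(server_account("hwtacacs", "bob", "network-operator", "system"))
```

Running the script shows why a RADIUS user can type any username for a level-3 role (the server only ever sees $enab3$) and why a HWTACACS account name must match the scheme's user-name-format exactly.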
Table 10: User role authentication modes

Keywords: local
Authentication mode: Local password authentication only (local-only)
Description:
The device uses the locally configured password for authentication.
If no local password is configured for a user role in this mode, an AUX user can obtain the user role authorization by either entering a string or not entering anything.

Keywords: scheme
Authentication mode: Remote AAA authentication through HWTACACS or RADIUS (remote-only)
Description:
The device sends the username and password to the HWTACACS or RADIUS server for remote authentication.
To use this mode, you must perform the following configuration tasks:
Configure the required HWTACACS or RADIUS scheme, and configure the ISP domain to use the scheme for the user. For more information, see Security Configuration Guide.
Add the user account and password on the HWTACACS or RADIUS server.

Keywords: local scheme
Authentication mode: Local password authentication first, and then remote AAA authentication (local-then-remote)
Description:
Local password authentication is performed first.
If no local password is configured for the user role in this mode:
The device performs remote AAA authentication for VTY users.
An AUX user can obtain another user role by either entering a string or not entering anything.

Keywords: scheme local
Authentication mode: Remote AAA authentication first, and then local password authentication (remote-then-local)
Description:
Remote AAA authentication is performed first.
Local password authentication is performed in either of the following situations:
The HWTACACS or RADIUS server does not respond.
The remote AAA configuration on the device is invalid.
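The four modes in Table 10 differ mainly in what happens at the edges: no local password configured for the role, an AUX versus a VTY user, a server that does not respond, and an invalid remote AAA configuration. The following is an added example, not device or vendor code, that models those outcomes so the mode choice can be reasoned about. The line type names "AUX" and "VTY", the sample passwords, and the treatment of a VTY user with no local password in local-only mode (denied, because the table states a grant only for AUX users) are this example's own assumptions.

```python
"""Model of the user role authentication modes in Table 10 (added example, not
device code). Line type names, passwords and the fail-closed handling of cases
the table does not describe are assumptions of this example."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Remote(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"        # HWTACACS or RADIUS server does not respond
    INVALID_CONFIG = "invalid-config"  # remote AAA configuration on the device is invalid


@dataclass
class Attempt:
    line_type: str                  # "AUX" (console) or "VTY" (remote login)
    local_password: Optional[str]   # local password for the target role; None if none configured
    entered: str                    # what the user typed ("" means nothing was entered)
    remote: Remote = Remote.REJECT  # outcome of the remote AAA request, if one is made


MODES = ("local", "scheme", "local scheme", "scheme local")


def _local(a: Attempt) -> bool:
    """Local password authentication. With no local password for the role, an AUX
    user obtains the role whether or not anything is entered. The table states no
    grant for a VTY user in that case, so this model denies (fail closed)."""
    if a.local_password is None:
        return a.line_type == "AUX"
    return a.entered == a.local_password


def _remote_unavailable(a: Attempt) -> bool:
    """The two situations in which remote-then-local falls back to the local check."""
    return a.remote in (Remote.NO_RESPONSE, Remote.INVALID_CONFIG)


def authorize(mode: str, a: Attempt) -> bool:
    """Return True if the attempt obtains the target role under the given mode keywords."""
    if mode == "local":                          # local-only
        return _local(a)
    if mode == "scheme":                         # remote-only: no local fallback at all
        return a.remote is Remote.ACCEPT
    if mode == "local scheme":                   # local-then-remote
        if a.local_password is None and a.line_type == "VTY":
            return a.remote is Remote.ACCEPT     # no local password: VTY goes to remote AAA
        return _local(a)                         # configured password, or AUX without one
    if mode == "scheme local":                   # remote-then-local
        if _remote_unavailable(a):
            return _local(a)                     # server silent or config invalid: local check
        return a.remote is Remote.ACCEPT         # an explicit reject is final
    raise ValueError(f"unknown authentication mode: {mode!r}")


def modes_granting_without_secret(line_type: str) -> List[str]:
    """Modes in which a user on line_type obtains the role with no local password
    configured, nothing entered, and the remote server rejecting."""
    a = Attempt(line_type, None, "", Remote.REJECT)
    return [m for m in MODES if authorize(m, a)]


if __name__ == "__main__":
    # Constructed scenarios: a VTY user with a correct local password while the server is silent.
    silent = Attempt("VTY", "s3cret", "s3cret", Remote.NO_RESPONSE)
    for mode in MODES:
        print(f"{mode:13s} server silent, correct local password -> {authorize(mode, silent)}")
    print("AUX, no local password, nothing entered, grants under:", modes_granting_without_secret("AUX"))
```

The last line of the demo is the check worth running before deployment: in the local and local scheme modes, an AUX user obtains the role with no secret at all if no local password exists for that role, so each role that can be obtained over the console needs a local password, or the device should use a scheme mode. The model also shows that remote-only offers no fallback when the server is unreachable, while remote-then-local falls back only on no response or invalid configuration, never on an explicit reject.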