Published On: August 3rd, 2020 08:22

Security Configuration Guide, Cisco IOS XE Amsterdam 17.3.x (Catalyst 9500 Switches)

How to Configure Local Authentication and Authorization

Configuring the Switch for Local Authentication and Authorization

You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration.


Note

To secure the switch for HTTP access by using AAA methods, you must configure the switch with the ip http authentication aaa global configuration command. Configuring AAA authentication alone does not secure the switch for HTTP access by using AAA methods.


Follow these steps to configure AAA to operate without a server by setting the switch to implement AAA in local mode:

Procedure

  Command or Action Purpose
Step 1

enable

Example:


Device> enable


Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal


Enters global configuration mode.

Step 3

aaa new-model

Example:


Device(config)# aaa new-model


Enables AAA.

Step 4

aaa authentication login default local

Example:


Device(config)# aaa authentication login default local


Sets the login authentication to use the local username database. The default keyword applies the local user database authentication to all ports.

Step 5

aaa authorization exec default local

Example:


Device(config)# aaa authorization exec default local


Configures user AAA authorization to check the local database and allow the user to run an EXEC shell.

Step 6

aaa authorization network default local

Example:


Device(config)# aaa authorization network default local


Configures user AAA authorization for all network-related service requests.

Step 7

username name [privilege level] {password encryption-type password}

Example:


Device(config)# username your_user_name privilege 1 password 0 secret567


Adds the user to the local database and establishes a username-based authentication system.

Repeat this command for each user.

  • For name, specify the user ID as one word. Spaces and quotation marks are not allowed.

  • (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 0 gives user EXEC mode access.

  • For encryption-type, enter 0 to specify that an unencrypted password follows. Enter 7 to specify that a hidden password follows.

  • For password, specify the password the user must enter to gain access to the switch. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.

Step 8

end

Example:


Device(config)# end


Exits global configuration mode and returns to privileged EXEC mode.

Monitoring Local Authentication and Authorization

To display the local authentication and authorization configuration, use the show running-config command in privileged EXEC mode.
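
The following Python check is an added example, not part of the Cisco guide: it audits saved show running-config output against the procedure steps and the HTTP note above. The sample configuration is constructed, the type 7 string is a placeholder, and treating an ip http server or ip http secure-server line as "HTTP access enabled" is an assumption of this example.

```python
import re

# Constructed sample of `show running-config` output (not from a real device).
# HIDDEN_PLACEHOLDER stands in for a type 7 hidden string.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username admin privilege 15 password 7 HIDDEN_PLACEHOLDER
username operator privilege 1 password 0 secret567
ip http server
"""

# Global commands from Steps 3 to 6 of the procedure.
REQUIRED = [
    "aaa new-model",
    "aaa authentication login default local",
    "aaa authorization exec default local",
    "aaa authorization network default local",
]
# Only the username syntax shown in Step 7 is parsed.
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? password (0|7) (.+)$")
# Assumption: these lines indicate that HTTP/HTTPS access is enabled.
HTTP_RE = re.compile(r"^ip http (server|secure-server)$")

def audit_local_aaa(config_text):
    """Return a list of findings for the local-AAA settings in this guide."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = [f"missing: {cmd}" for cmd in REQUIRED if cmd not in lines]
    users = [m for m in map(USER_RE.match, lines) if m]
    if not users:
        findings.append("no local username entries found")
    for m in users:
        name, level, enc = m.group(1), m.group(2), m.group(3)
        if enc == "0":
            findings.append(f"user {name}: unencrypted (type 0) password in config")
        if level == "15":
            findings.append(f"user {name}: privilege 15, review need for full access")
    # Per the Note: AAA login settings do not cover HTTP access by themselves.
    http_on = any(HTTP_RE.match(ln) for ln in lines)
    if http_on and "ip http authentication aaa" not in lines:
        findings.append("HTTP enabled without: ip http authentication aaa")
    return findings

if __name__ == "__main__":
    for finding in audit_local_aaa(SAMPLE_CONFIG):
        print(finding)
```
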

Additional References for Local Authentication and Authorization

Related Documents

Related Topic | Document Title
IOS commands | Cisco IOS Master Command List, All Releases


Feature History for Local Authentication and Authorization

This table provides release and related information for features explained in this module.

These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.

Release | Feature | Feature Information
Cisco IOS XE Everest 16.5.1a | Local Authentication and Authorization | This feature helps AAA to operate without a server by setting the device to implement AAA in local mode. Support for this feature was introduced on all the models of the Cisco Catalyst 9500 Series Switches.

Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.