1. Overview:
In small and medium-sized networks, the network manager at the network center often needs to grant a certain degree of authority to the administrator of a remote site, but does not want to hand that site administrator the router's full privileged (enable) password. This article gives a brief analysis and discussion of this problem.
2. Router local authentication and authorization
Cisco routers support centralized AAA (authentication, authorization and accounting), but that requires deploying a Cisco ACS (Access Control Server). If the number of network devices is small, the router's local authentication and authorization capabilities can be used instead, with no need to deploy Cisco ACS. The following example uses local authentication and authorization to control Telnet access to router R1:
(1) Create a username and password for the Telnet user (user AAA is placed at privilege level 1, the lowest level):
hostname R1
username AAA password Cisco
(2) Set a privileged (enable) secret for level 2 (the default level is 15, which has all permissions):
enable secret level 2 CISCO
(3) Authorize privileged commands for level 2 (only the configure terminal, router and network commands are allowed):
privilege exec level 2 configure terminal
  (allows the privileged EXEC command config t)
privilege configure level 2 router
  (allows the global configuration command router)
privilege router level 2 network
  (allows the routing-process configuration command network)
(4) Specify the authentication method for Telnet access to router R1 (authenticate against the local user database):
line vty 0 4
 login local
(5) Results
When a Telnet session is opened to R1, the router first prompts for a username and password. At this point user AAA is in user EXEC mode (level 1) and can only execute the small user-mode command set.
After entering the enable 2 command and the correct level-2 password, the user can execute the config t, router and network commands, but no other privileged commands can be executed. Local authentication and authorization is working.
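As an added example (my own code, not part of the original article and not a Cisco tool), the following Python script parses a constructed running-config fragment that mirrors the R1 example above and audits it the way a reviewer of the remote site's access would: it rebuilds the privilege table from the privilege/enable/username/line vty lines, answers "may a user at level N run this command in this mode?" using the IOS rule that a command runs if the user's level is at least the command's level (un-relevelled privileged commands default to 15, user-mode commands to 1), and reports weak points a practitioner would want flagged, such as a username stored with the reversible password keyword rather than secret, vty lines without login local, and a sub-15 level that can enter configuration mode. The sample config, the regular expressions and the check rules are assumptions about the IOS syntax shown above.

```python
"""Audit a Cisco IOS running-config fragment for local privilege-level authorization."""
import re
from dataclasses import dataclass, field

# Constructed sample config mirroring the article's R1 example (not a real device dump).
SAMPLE_CONFIG = """\
hostname R1
username AAA password Cisco
enable secret level 2 CISCO
privilege exec level 2 configure terminal
privilege configure level 2 router
privilege router level 2 network
line vty 0 4
 login local
"""

# Assumed shapes of the relevant IOS lines (only the forms used above are handled).
PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")
ENABLE_RE = re.compile(r"^enable (secret|password)(?: level (\d+))? (.+)$")
USER_RE = re.compile(r"^username (\S+) (secret|password) (.+)$")


@dataclass
class PrivAudit:
    grants: dict = field(default_factory=dict)         # (mode, command) -> granted level
    enable_levels: dict = field(default_factory=dict)  # level -> "secret" | "password"
    users: dict = field(default_factory=dict)          # username -> "secret" | "password"
    vty_login: list = field(default_factory=list)      # login method per "line vty" block


def parse_config(text: str) -> PrivAudit:
    """Walk the config once; indented lines belong to the preceding 'line vty' block."""
    audit = PrivAudit()
    in_vty, vty_method = False, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        indented = raw.startswith(" ")
        if not indented:
            if in_vty:                      # top-level line closes the vty block
                audit.vty_login.append(vty_method)
                in_vty = False
            if stripped.startswith("line vty"):
                in_vty, vty_method = True, "none"
                continue
        elif in_vty:
            if stripped == "login local":
                vty_method = "local"
            elif stripped == "login":
                vty_method = "line-password"
            continue
        m = PRIV_RE.match(stripped)
        if m:
            audit.grants[(m.group(1), m.group(3))] = int(m.group(2))
            continue
        m = ENABLE_RE.match(stripped)
        if m:
            audit.enable_levels[int(m.group(2) or 15)] = m.group(1)
            continue
        m = USER_RE.match(stripped)
        if m:
            audit.users[m.group(1)] = m.group(2)
    if in_vty:                              # config ended inside the vty block
        audit.vty_login.append(vty_method)
    return audit


def may_run(audit: PrivAudit, user_level: int, mode: str, command: str) -> bool:
    """IOS rule: a command runs when the user's level >= the command's level.
    Default level is 1 in user EXEC and 15 in privileged/configuration modes."""
    required = audit.grants.get((mode, command), 1 if mode == "user" else 15)
    return user_level >= required


def run_checks(audit: PrivAudit) -> list:
    """Defender-side review items derived from the parsed privilege table."""
    findings = []
    for user, kind in audit.users.items():
        if kind == "password":
            findings.append(f"user {user}: stored with 'password' (reversible type 7); "
                            "prefer 'username ... secret'")
    for level, kind in audit.enable_levels.items():
        if kind == "password":
            findings.append(f"enable level {level}: uses 'enable password'; prefer 'enable secret'")
    for i, method in enumerate(audit.vty_login):
        if method != "local":
            findings.append(f"vty block {i}: login method is {method}, expected 'login local'")
    for (mode, cmd), level in audit.grants.items():
        if mode == "exec" and cmd.startswith("configure") and level < 15:
            findings.append(f"level {level} can enter configuration mode via '{cmd}'; "
                            "review every command granted in configuration sub-modes")
    for level in sorted(audit.enable_levels):
        if level < 15 and level not in audit.grants.values():
            findings.append(f"enable level {level} has a secret but no commands are granted to it")
    return findings


if __name__ == "__main__":
    audit = parse_config(SAMPLE_CONFIG)
    for (mode, cmd), level in sorted(audit.grants.items()):
        print(f"level {level:2d}  {mode:10s} {cmd}")
    for f in run_checks(audit):
        print("FINDING:", f)
```

Running the script against the sample reproduces the article's result (level 2 may run configure terminal, router and network, but not, say, show running-config, which stays at level 15) and prints two findings: the AAA account is stored with a reversible password, and level 2 has been given entry to configuration mode, so every command granted below level 15 in the config sub-modes deserves a second look.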