Local authentication and authorization for Cisco Routers

Cisco routers support centralized AAA (authentication/authorization/accounting) functions, but a Cisco ACS (Access Control Server) needs to be deployed. If the number of network devices is small, you can use the local authentication and authorization functions of the Cisco router for authentication and authorization, and do not need to deploy Cisco ACS. the following is an example of local authentication and authorization for telnet access to router r1:

I. # username aaa password cisco // set an account and password for the telnet user (the aaa user level is 1 to the lowest level)

Ii. enable secret level 2 CISCO // set a privileged password of level 2 (15 by default, with all permissions)

3. Authorize Level 2 privileged users (only allow the execution of router and network commands)
Privilege exec level 2 configure terminal // allows the execution of the privileged command configure terminal
Privilege configure level 2 router // you can run the Global Command: router
Privilege router level 2 network // allows the execution of the routing process command: network

4. Specify the authentication method for telnet access to the vrotelnet (use the local user database for verification)
Line vty 0 4
Login local

V. Results:
When you use telnet to access a vrotelnet, you are prompted to enter username and password. In this case, user aaa is in user mode (level 1 user ), only a few command sets can be executed (User-mode command sets ).

After you run the enbale 2 command and enter the correct password, you can run the config t, router, and network commands. However, other commands cannot be executed, and local verification and authorization are successful.