I believe that users of Cisco routers have some knowledge about local verification and authorization. Next we will give a comprehensive introduction to this issue. In small-and medium-sized networks, network administrators in the network center often need to authorize the administrator of a remote site to a certain extent, rather than asking the site administrator to use all the Cisco router privilege passwords, this article provides a simple analysis and discussion of the above issues.
Local Cisco router authentication and authorization
Cisco routers support centralized AAA (authentication/authorization/accounting) functions, but a Cisco ACS (Access Control Server) needs to be deployed. If the number of network devices is small, you can use the local authentication and authorization functions of the Cisco router for authentication and authorization, and do not need to deploy Cisco ACS. the following is an example of local authentication and authorization for telnet access to router r1:
(1) set an account and password for the telnet user (the aaa user level is 1 minimum ):
Hostname r1
Username aaa password cisco
(2) Set a privileged password of level 2 (15 by default, with all permissions)
Enable secret level 2 CISCO
(3) Level 2 privileged user authorization (only allow the execution of router and network commands)
Privilege exec level 2 configure terminal
Allow the execution of the privileged command config t
Privilege configure level 2 router
Allow Global Command Execution: router
Privilege router level 2 network
Allow the execution of the routing process command: network
(4) authentication method for telnet access to Cisco router r1 (using local user database verification)
Line vty 0 4
Login local
(5) When performing telnet access to r1, the system will first prompt you to enter username and password. In this case, user aaa is in user mode (level 1 user ), only a few command sets can be executed (User-mode command sets ). After you run the enbale 2 command and enter the correct password, you can run the config t, router, and network commands. However, other commands cannot be executed, and local verification and authorization are successful.