• To enable a user to obtain another user role without reconnecting to the device, you must configure user role authentication.
• Table 7 describes the available authentication modes and configuration requirements.
• If HWTACACS authentication is used, the following rules apply:
  − The device uses the entered username and password to request role authentication, and it sends the username to the server in the format username or username@domain-name. Whether the domain name is included in the username depends on the user-name-format command in the HWTACACS scheme.
  − To obtain a level-n user role, the user account on the server must have the target user role level or a user role level higher than the target user role. A user account that obtains the level-n user role can obtain any user roles among level 0 through level-n.
  − To obtain a non-level-n user role, make sure the user account on the server meets the following requirements:
    − The account has a user privilege level.
    − The HWTACACS custom attribute is configured for the account in the form of allowed-roles="role". The variable role represents the target user role.
• If RADIUS authentication is used, the following rules apply:
  − The device does not use the username you enter to request user role authentication. It uses a username in the $enabn$ format. The variable n represents a user role level, and a domain name is not included in the username. You can always pass user role authentication when the password is correct.
  − To obtain a level-n user role, you must create a user account for the level-n user role in the $enabn$ format on the RADIUS server. The variable n represents the target user role level. For example, to obtain the authorization of the level-3 user role, you can enter any username. The device uses the username $enab3$ to request user role authentication from the server.
  − To obtain a non-level-n user role, you must perform the following tasks:
    − Create the user account $enab0$ on the server.
    − Configure the cisco-av-pair attribute for the account in the form of allowed-roles="role". The variable role represents the target user role.
• The device selects an authentication domain for user role authentication in the following order:
  a. The ISP domain included in the entered username.
  b. The default ISP domain.
• If you execute the quit command after obtaining user role authorization, you are logged out of the device.

Table 7 User role authentication modes

Keywords: local
Authentication mode: Local password authentication only (local-only)
Description: The device uses the locally configured password for authentication. If no local password is configured for a user role in this mode, an AUX user can obtain the user role authorization by either entering a string or not entering anything.
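The HWTACACS and RADIUS rules above, modelled as an added example that is not part of the Comware documentation: it derives the username the device sends for a requested role and checks whether a sample server-side account (constructed here) meets the stated requirements. The role names network-operator and network-admin, the account structure and the helper names are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

LEVEL_RE = re.compile(r"^level-(\d+)$")


@dataclass
class ServerAccount:
    """Constructed model of an AAA server account (hypothetical, for illustration)."""
    name: str
    privilege_level: Optional[int] = None          # user privilege level on the server
    allowed_roles: Set[str] = field(default_factory=set)  # from allowed-roles="role"


def request_username(method: str, entered_user: str, target_role: str,
                     include_domain: bool = True) -> str:
    """Username the device sends to the server for user role authentication."""
    if method == "hwtacacs":
        # user-name-format in the HWTACACS scheme decides whether @domain is kept
        return entered_user if include_domain else entered_user.split("@", 1)[0]
    if method == "radius":
        # RADIUS ignores the entered name: level-n -> $enabn$, any other role -> $enab0$
        m = LEVEL_RE.match(target_role)
        return f"$enab{m.group(1)}$" if m else "$enab0$"
    raise ValueError(f"unknown method {method!r}")


def role_granted(method: str, account: ServerAccount, target_role: str,
                 entered_user: str = "", include_domain: bool = True) -> bool:
    """Would this server account satisfy the requirements for target_role?"""
    if account.name != request_username(method, entered_user, target_role, include_domain):
        return False                      # server holds no account under the requested name
    m = LEVEL_RE.match(target_role)
    if method == "hwtacacs":
        if m:                             # level-n: account level must be >= n
            return account.privilege_level is not None and \
                account.privilege_level >= int(m.group(1))
        # non-level-n: a privilege level plus the allowed-roles custom attribute
        return account.privilege_level is not None and target_role in account.allowed_roles
    # RADIUS: a $enabn$ account with the right password is enough for level-n;
    # a non-level-n role needs $enab0$ with cisco-av-pair allowed-roles="role"
    return True if m else target_role in account.allowed_roles
```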