[c-nsp] aaa local database

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Mon Aug 18 08:12:23 EDT 2008


Tomas Hlavacek <> wrote on Monday, August 18, 2008 1:20 PM:

> Hello!
> 
> I am thinking about aaa local database. Is there any mechanism to
> distinguish local users (defined by username ...) or put them into
> some groups and give them access to only some services?
> 
> For instance I have two users
> 
> username alice password xxx
> username bob password yyy
> 
> aaa new-model
> aaa authentication login default local
> aaa authentication ppp default local
> aaa authorization network default local
> 
> Now bob and alice can login to router and also dial ppp.
> 
> What if I want alice to have right only to login to router and bob
> only to dial ppp?

The local database is not really very feature-rich, especially when it
comes to PPP/network dial-in.
You could force bob to only do PPP with

aaa authorization exec default local

and then

username bob autocommand exit

or

username bob autocommand ppp

so bob's login shell will exit right away or, if you want to allow async
login via modems, spawn PPP.

Not sure if you can prevent "alice" from dialing in via PPP, though.

The local DB is mainly used as a last-resort backup when T+/RADIUS is
not available; certainly not a replacement.

Depending on your image/version, you could investigate the "Local AAA
Server" feature and point your network authorization there, so you will
then end up with two different user databases locally configured on the
device.

	oli
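The reply's suggestion assembled into one config, as an added example that is not from the original post or from Cisco; the secrets are placeholders, and the comments mark what the local database does and does not enforce.

```cisco
! Added example (not from the original post): exec authorization against the
! local database is what makes the per-user autocommand take effect.
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
!
! alice: interactive login only. Nothing here stops her from negotiating PPP,
! as the reply notes; the local database has no per-user service restriction.
username alice privilege 1 secret ALICE-SECRET-PLACEHOLDER
!
! bob: the autocommand runs as soon as his exec session is authorized.
! "autocommand ppp" drops an async/modem login straight into PPP;
! use "autocommand exit" instead if bob should never get a shell at all.
username bob secret BOB-SECRET-PLACEHOLDER
username bob autocommand ppp
```

Check the result with "show running-config | include username" and by logging in as each user; the only enforced difference is what happens after a successful login, not which service each user may authenticate to.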