[c-nsp] aaa local database
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Mon Aug 18 08:12:23 EDT 2008
Tomas Hlavacek <> wrote on Monday, August 18, 2008 1:20 PM:
> Hello!
>
> I am thinking about the aaa local database. Is there any mechanism to
> distinguish local users (defined by username ...) or put them into
> some groups and give them access to only some services?
>
> For instance I have two users
>
> username alice password xxx
> username bob password yyy
>
> aaa new-model
> aaa authentication login default local
> aaa authentication ppp default local
> aaa authorization network default local
>
> Now bob and alice can log in to the router and also dial ppp.
>
> What if I want alice to have the right only to log in to the router and bob
> only to dial ppp?
The local database is not really very feature-rich, especially when it
comes to PPP/network dialin.
You could force bob to only do PPP with
aaa authorization exec default local
and then
username bob autocommand exit
or
username bob autocommand ppp
so bob's login shell will exit right away or, if you want to allow async
login via modems, spawn ppp.
Not sure if you can prevent "alice" from dialing in via ppp, though.
Local DB is mainly used for some last-resort backup when T+/Radius is
not available; certainly not a replacement.
Depending on your image/version, you could investigate the "Local AAA
Server" feature and point your network authorization there, so you will
then arrive at two different user databases locally configured on the
device.
oli
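As an added audit example (not code from the thread), the script below applies the rules described above to a constructed IOS-style running-config fragment: under the default-local login and ppp methods every local user can both log in and dial PPP, and a username autocommand only takes effect once exec authorization is local. It then flags users who keep both an interactive shell and PPP, which is the case the thread shows the local database cannot restrict.

```python
import re

# Constructed sample running-config fragment modelled on the thread
# (assumed input; not a config from the original post).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
username alice password xxx
username bob password yyy
username bob autocommand ppp
username carol password zzz
username carol autocommand exit
"""


def audit_local_users(config: str) -> dict:
    """Return {user: {"exec_shell": bool, "ppp": bool}} using the rules from
    the thread: 'aaa authentication login/ppp default local' lets every local
    user log in and dial PPP; an 'autocommand' (exit, ppp, ...) replaces the
    interactive shell, but only when 'aaa authorization exec default local'
    is configured, otherwise it is not applied."""
    lines = [line.strip() for line in config.splitlines()]
    login_local = "aaa authentication login default local" in lines
    ppp_local = "aaa authentication ppp default local" in lines
    exec_authz = "aaa authorization exec default local" in lines
    users, autocmd = set(), {}
    for line in lines:
        m = re.match(r"username (\S+) (.*)", line)
        if not m:
            continue
        name, rest = m.groups()
        users.add(name)
        ac = re.match(r"autocommand (.+)", rest)
        if ac:
            autocmd[name] = ac.group(1).strip()
    result = {}
    for name in sorted(users):
        cmd = autocmd.get(name) if exec_authz else None
        result[name] = {"exec_shell": login_local and cmd is None,
                        "ppp": ppp_local}  # PPP cannot be denied per user here
    return result


def users_with_both(config: str) -> list:
    """Users that retain both an interactive shell and PPP dial-in."""
    return [u for u, r in audit_local_users(config).items()
            if r["exec_shell"] and r["ppp"]]
```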