8-32
Catalyst 2928 Switch Software Configuration Guide
OL-23389-01
Chapter 8 Configuring Switch-Based Authentication
Configuring the Switch for Local Authentication and Authorization
Configuring the Switch for Local Authentication and
Authorization
You can configure AAA to operate without a server by setting the switch to implement AAA in local
mode. The switch then handles authentication and authorization. No accounting is available in this
configuration.
Beginning in privileged EXEC mode, follow these steps to configure the switch for local AAA:
To disable AAA, use the
no aaa new-model
global configuration command. To disable authorization,
use the
no aaa authorization
{
network
|
exec
}
method1
global configuration command.
Note
To secure the switch for HTTP access by using AAA methods, you must configure the switch with the
ip http authentication aaa
global configuration command. Configuring AAA authentication does not
secure the switch for HTTP access by using AAA methods.
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
aaa new-model
Enable AAA.
Step 3
aaa authentication login default local
Set the login authentication to use the local username database. The
default
keyword applies the local user database authentication to all
ports.
Step 4
aaa authorization exec local
Configure user AAA authorization, check the local database, and allow
the user to run an EXEC shell.
Step 5
aaa authorization network local
Configure user AAA authorization for all network-related service
requests.
Step 6
username
name
[
privilege
level
]
{
password
encryption-type
password
}
Enter the local database, and establish a username-based authentication
system.
Repeat this command for each user.
•
For
name
, specify the user ID as one word. Spaces and quotation
marks are not allowed.
•
(Optional) For
level
, specify the privilege level the user has after
gaining access. The range is 0 to 15. Level 15 gives privileged EXEC
mode access. Level 0 gives user EXEC mode access.
•
For
encryption-type
, enter 0 to specify that an unencrypted password
follows. Enter 7 to specify that a hidden password follows.
•
For
password
, specify the password the user must enter to gain access
to the switch. The password must be from 1 to 25 characters, can
contain embedded spaces, and must be the last option specified in the
username
command.
Step 7
end
Return to privileged EXEC mode.
Step 8
show running-config
Verify your entries.
Step 9
copy running-config startup-config
(Optional) Save your entries in the configuration file.