https://community.cisco.com/t5/network-access-control/local-authorization/m-p/697680#M426534 <HTML><HEAD></HEAD><BODY><P>Your config looks appropriate to accomplish what you are trying to. I use this (usually as backup for TACACS), and it works great. Have you tried your config and had issues? The only difference from my working configs is I do not have aaa authoriz commands 0 and 15 in my config. </P><P></P><P></P><P>One side note, if it's a recent IOS I suggest using secret instead of password for your local users. That will prevent the password from being reversed if someone gets your config. For example:</P><P></P><P>username admin priv 15 secret mypassword</P><P></P><P>Hope this helps. </P></BODY></HTML> Sun, 24 Sep 2006 01:08:01 GMT ethiel 2006-09-24T01:08:01Z https://community.cisco.com/t5/network-access-control/local-authorization/m-p/697679#M426533 <P>Hi,</P><P></P><P>Is it possible to make authorization using local database (not tacacs or radius)?</P><P>I have username admin that has to have access to configuration on router. I also have usename and passwords for IPsec users, but they shouldn't have access to configuration. But both (if they know enable secret) can enter privilege level.</P><P>Here is the config output,: </P><P></P><P>aaa new-model</P><P>!</P><P>!</P><P>aaa authentication login USAUTH local</P><P>aaa authorization console</P><P>aaa authorization exec USAUTH local </P><P>aaa authorization commands 0 USAUTH local </P><P>aaa authorization commands 15 USAUTH local </P><P>!</P><P>username admin privilege 15 password 7 044D0E0D06</P><P>username user1 privilege 0 password 7 121013161C</P><P>username user2 privilege 0 password 7 121B0A051D</P><P>!</P><P>line con 0</P><P> authorization commands 0 USAUTH</P><P> authorization commands 15 USAUTH</P><P> authorization exec USAUTH</P><P> login authentication USAUTH</P><P></P><P></P> Sun, 10 Mar 2019 21:45:42 GMT https://community.cisco.com/t5/network-access-control/local-authorization/m-p/697679#M426533 Antonio_1_2 2019-03-10T21:45:42Z https://community.cisco.com/t5/network-access-control/local-authorization/m-p/697680#M426534 <HTML><HEAD></HEAD><BODY><P>Your config looks appropriate to accomplish what you are trying to. I use this (usually as backup for TACACS), and it works great. Have you tried your config and had issues? The only difference from my working configs is I do not have aaa authoriz commands 0 and 15 in my config. </P><P></P><P></P><P>One side note, if it's a recent IOS I suggest using secret instead of password for your local users. That will prevent the password from being reversed if someone gets your config. For example:</P><P></P><P>username admin priv 15 secret mypassword</P><P></P><P>Hope this helps. </P></BODY></HTML> Sun, 24 Sep 2006 01:08:01 GMT https://community.cisco.com/t5/network-access-control/local-authorization/m-p/697680#M426534 ethiel 2006-09-24T01:08:01Z https://community.cisco.com/t5/network-access-control/local-authorization/m-p/697681#M426535 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Yes I tried that config and it doesn't work. It works with tacacs, but with local authentication/authorization all users regardless of privilege level, can enter privilege mod (enable) if they now appropriate enable secret. </P><P>Is there a way that I can acomplish this with local authorization: when user1 tries to enter enable mod, he will be rejected because whe has prevelege level 0.</P><P></P><P>Thanks,</P><P>Vedran</P><P> </P></BODY></HTML> Mon, 25 Sep 2006 06:32:38 GMT https://community.cisco.com/t5/network-access-control/local-authorization/m-p/697681#M426535 Antonio_1_2 2006-09-25T06:32:38Z https://community.cisco.com/t5/network-access-control/local-authorization/m-p/697682#M426536 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>hope I clear understand your need. User logging in different privilege level then 15 should use such way of enable command:</P><P>enable [privilege-level] [view [view-name]]</P><P></P><P>So for priv.level 0 use command "enable 0"</P><P></P><P>Hope it will help you.</P><P></P><P>Michal</P></BODY></HTML> Mon, 25 Sep 2006 06:46:36 GMT https://community.cisco.com/t5/network-access-control/local-authorization/m-p/697682#M426536 kidli 2006-09-25T06:46:36Z https://community.cisco.com/t5/network-access-control/local-authorization/m-p/697683#M426537 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I forgot to announce that you should also define permitted commands set for appropriate privilege level using commands privilege or privilege level. Link to reference guide is provided below:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124tcr/tsec_r/sec_p1ht.htm#wp1215217" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124tcr/tsec_r/sec_p1ht.htm#wp1215217</A></P><P></P><P>Nice day.</P><P>Michal</P></BODY></HTML> Mon, 25 Sep 2006 07:11:13 GMT https://community.cisco.com/t5/network-access-control/local-authorization/m-p/697683#M426537 kidli 2006-09-25T07:11:13Z