Users Guide
Before you enable role-based only AAA authorization:
1. Locally dene a system administrator user role.This will give you access to login with full permissions
even if network connectivity to remote authentication servers is not available.
2. Congure login authentication on the console. This ensures that all users are properly identied through
authentication no matter the access point
3. Specify an authentication method (RADIUS, TACACS+, or Local).
4. Specify authorization method (RADIUS, TACACS+ or Local).
5. Verify the conguration has been applied to the console or VTY line.
Related Commands login authentication, password, radius-server host, tacacs-server host
role
Changes command permissions for roles.
Syntax role mode { { { addrole | deleterole } role-name } | reset } command
To delete access to a command, use the no role mode role-name
Parameters
mode
Enter one of the following keywords as the mode for which you are controlling
access:
congure for CONFIGURATION mode
exec for EXEC mode
interface for INTERFACE modes
line for LINE mode
route-map for Route-map mode
router for Router mode
addrole Enter the keyword addrole to add permission to the command. You cannot add
or delete rights for the sysadmin role.
deleterole
Enter the keyword deleterole to remove access to the command. You cannot add
or delete rights for the sysadmin role.
role-name Enter a text string for the name of the user role up to 63 characters. These are 3
system dened roles you can modify: secadmin, netadmin, and netoperator.
reset Enter the keyword reset to reset all roles back to default for that command.
command Enter the command’s keywords to assign the command to a certain access level.
You can enter one or more keywords.
Defaults none
Command Modes CONFIGURATION
1394
Security