[Device-line-vty0-63] authentication-mode scheme
# Enable command authorization for the user lines.
[Device-line-vty0-63] command authorization
[Device-line-vty0-63] quit
# Configure an HWTACACS scheme that does the following:
• Uses the HWTACACS server at 192.168.2.20:49 for authentication and authorization. In this
example, the HWTACACS server provides authentication and authorization services at port 49.
• Uses the shared key expert.
• Removes domain names from usernames sent to the HWTACACS server.
[Device] hwtacacs scheme tac
[Device-hwtacacs-tac] primary authentication 192.168.2.20 49
[Device-hwtacacs-tac] primary authorization 192.168.2.20 49
[Device-hwtacacs-tac] key authentication expert
[Device-hwtacacs-tac] key authorization expert
[Device-hwtacacs-tac] server-type standard
[Device-hwtacacs-tac] user-name-format without-domain
[Device-hwtacacs-tac] quit
# Configure the system-predefined domain system to use the HWTACACS scheme tac for login user
authentication and command authorization and to use local authentication and local authorization as
the backup method.
[Device] domain system
[Device-isp-system] authentication login hwtacacs-scheme tac local
[Device-isp-system] authorization command hwtacacs-scheme tac local
[Device-isp-system] quit
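The following Python check is an added example, not part of the original guide. It parses a session transcript in the prompt format used above and reports where the user line, HWTACACS scheme, and domain settings do not line up: scheme login without command authorization, a scheme missing a server or key for a service the domain uses, or a method list without the local backup. The function names and finding strings are hypothetical.

```python
import re

# Session transcript in the page's own "[prompt] command" form (commands copied from the example above).
SESSION = """\
[Device-line-vty0-63] authentication-mode scheme
[Device-line-vty0-63] command authorization
[Device] hwtacacs scheme tac
[Device-hwtacacs-tac] primary authentication 192.168.2.20 49
[Device-hwtacacs-tac] primary authorization 192.168.2.20 49
[Device-hwtacacs-tac] key authentication expert
[Device-hwtacacs-tac] key authorization expert
[Device] domain system
[Device-isp-system] authentication login hwtacacs-scheme tac local
[Device-isp-system] authorization command hwtacacs-scheme tac local
"""

def parse(session):
    """Group commands by the view named in each prompt, e.g. 'hwtacacs-tac'."""
    views = {}
    for line in session.splitlines():
        m = re.match(r"\[Device(?:-([^\]]+))?\]\s+(.+)", line.strip())
        if m and m.group(2) != "quit":
            views.setdefault(m.group(1) or "system-view", []).append(m.group(2).split())
    return views

def audit(session):
    """Return findings where the AAA pieces do not line up (hypothetical helper)."""
    views, findings = parse(session), []
    has = lambda view, *prefix: any(c[:len(prefix)] == list(prefix) for c in views.get(view, []))
    for view in [v for v in views if v.startswith("line-")]:
        if has(view, "authentication-mode", "scheme") and not has(view, "command", "authorization"):
            findings.append(f"{view}: scheme login without command authorization")
    for view in [v for v in views if v.startswith("isp-")]:
        for cmd in views[view]:
            if cmd[:2] not in (["authentication", "login"], ["authorization", "command"]):
                continue
            service = cmd[0]  # 'authentication' or 'authorization'
            if "hwtacacs-scheme" in cmd:
                scheme = "hwtacacs-" + cmd[cmd.index("hwtacacs-scheme") + 1]
                for need in ("primary", "key"):
                    if not has(scheme, need, service):
                        findings.append(f"{view}: {scheme} has no {need} {service}")
            if cmd[-1] != "local":
                findings.append(f"{view}: {' '.join(cmd[:2])} has no local backup")
    return findings

if __name__ == "__main__":
    print(audit(SESSION) or "no findings")
```
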
# Create local user monitor, set the password to 123, assign the Telnet service, and set the default user
role to level-1.
[Device] local-user monitor
[Device-luser-manage-monitor] password cipher 123
[Device-luser-manage-monitor] service-type telnet
[Device-luser-manage-monitor] authorization-attribute user-role level-1