Tomas Hlavacek <> wrote on Monday, August 18, 2008 1:20 PM:

> Hello!
>
> I am thinking about the aaa local database. Is there any mechanism to
> distinguish local users (defined by username ...) or put them into
> some groups and give them access to only some services?
>
> For instance, I have two users:
>
> username alice password xxx
> username bob password yyy
>
> aaa new-model
> aaa authentication login default local
> aaa authentication ppp default local
> aaa authorization network default local
>
> Now bob and alice can log in to the router and also dial PPP.
>
> What if I want alice to have the right only to log in to the router and bob
> only to dial PPP?
The local database is not really very feature-rich, especially when it comes to PPP/network dial-in. You could force bob to only do PPP with

aaa authorization exec default local

and then

username bob autocommand exit

or

username bob autocommand ppp

so bob's login shell will exit right away or, if you want to allow async login via modems, spawn PPP. Not sure if you can prevent "alice" from dialing in via PPP, though.

The local DB is mainly used as a last-resort backup when T+/RADIUS is not available, certainly not a replacement. Depending on your image/version, you could investigate the "Local AAA Server" feature and point your network authorization there, so you will then arrive at two different user databases locally configured on the device.

oli

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
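The autocommand approach from the reply above, written out as one complete IOS configuration. This is an added example, not configuration posted by either participant; the async line number, the modem settings and the `privilege 15` level for alice are assumptions, and `<alice-secret>` / `<bob-secret>` are placeholders. It restricts bob to PPP but, exactly as the reply says, does nothing to stop alice from dialing PPP.

```text
! Added example (not from the original thread): bob is limited to PPP,
! alice keeps an interactive login. Local database only, no TACACS+/RADIUS.
! Assumption: one async line (line 1) with a modem attached.
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
! exec authorization is what makes a per-user "autocommand" take effect
aaa authorization exec default local
aaa authorization network default local
!
! alice: interactive login only. Caveat: nothing here prevents her from
! negotiating PPP, since "aaa authentication ppp default local" accepts
! any local user.
username alice privilege 15 secret <alice-secret>
!
! bob: the exec session is replaced by PPP as soon as he logs in on an
! async line. Use "username bob autocommand exit" instead if bob should
! be dropped immediately after an interactive login.
username bob secret <bob-secret>
username bob autocommand ppp
!
line 1
 login authentication default
 autoselect ppp
 modem InOut
```

Two practitioner notes. First, `username ... secret` is used instead of the `username ... password` form from the question: `password` is stored in clear text (or as reversible type 7 with `service password-encryption`), whereas `secret` stores a one-way hash, so a leaked `show running-config` does not hand out the credentials. Second, the local username database carries no per-user "deny network authorization" attribute, which is why the reply's doubt about alice stands: with `aaa authorization network default local`, any user who passes PPP authentication is authorized, and the only way to separate the two populations on-box is the separate database the reply mentions, or an external TACACS+/RADIUS server.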