Cisco Packet Data Interworking Function (PDIF) Troubleshooting Guide
Command Line Interface Overview
Cisco ASR 5000 Series Enhanced Feature Configuration Guide
OL-22982-01
CLI Administrative Users
This section contains information on the administrative user types and privileges supported by the system.
Administrative User Types
There are two types of administrative users supported by the system:
Context-level administrative users: This user type is configured at the context level and relies on the AAA subsystems for validating usernames and passwords during login. This is true whether the administrative user accounts are configured locally through a configuration file or on an external RADIUS server. Passwords for these user types are assigned once and are accessible in the configuration file.
Local-users: This user type provides support for ANSI T1.276-2003 password security protection. Local-user account information, such as passwords, password history, and lockout states, is maintained in non-volatile memory on the CompactFlash module and in the Shared Configuration Task (SCT). This information is maintained in a separate file, not in configuration files used by the system. As such, the configured local-user accounts are not visible with the rest of the system configuration.
Local-user and context-level administrative accounts can be used in parallel. However, a mechanism is provided to deactivate context-level administrative user accounts, thereby providing access only to local-user accounts.
Authenticating Administrative Users with RADIUS
To authorize users via RADIUS, you must include two RADIUS attributes in the RADIUS Access-Accept message:
RFC 2865 standard Service-Type
Starent Vendor-Specific Attribute (VSA) SN1-Admin-Permission.
The default permission is none (0), meaning that service is refused even if properly authenticated via RADIUS.
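Added example, not from the Cisco guide: Python that parses a RADIUS Access-Accept and applies the rule above (both attributes present, SN1-Admin-Permission not none). The vendor ID and VSA type number are placeholders, and the VSA layout (1-byte type, 1-byte length, 4-byte integer) and the sample Service-Type value are assumptions; take the real numbers from your RADIUS server's Starent dictionary.

```python
import struct

ACCESS_ACCEPT, SERVICE_TYPE, VENDOR_SPECIFIC = 2, 6, 26  # RFC 2865 numbers
# Placeholders, NOT real values: take both from your server's Starent dictionary.
VENDOR_ID, ADMIN_PERMISSION_TYPE = 99999, 250

def parse_attributes(packet):
    """Return (code, [(type, value_bytes), ...]) for one RADIUS packet."""
    code, _ident, length = struct.unpack("!BBH", packet[:4].ljust(4, b"\0"))
    if not 20 <= length <= len(packet):
        raise ValueError("bad or truncated RADIUS header")
    attrs, pos = [], 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("truncated or malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def admin_login_verdict(packet):
    """Apply the rule above: both attributes present, permission not none (0)."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return "not an Access-Accept"
    service_type = permission = None
    for a_type, value in attrs:
        if a_type == SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
        elif a_type == VENDOR_SPECIFIC and len(value) == 10:
            # Assumed layout: vendor id, 1-byte type, 1-byte length, 4-byte integer.
            vid, v_type, v_len, v_val = struct.unpack("!IBBI", value)
            if (vid, v_type, v_len) == (VENDOR_ID, ADMIN_PERMISSION_TYPE, 6):
                permission = v_val
    if service_type is None:
        return "refused: Service-Type missing"
    if not permission:
        return "refused: SN1-Admin-Permission missing or none (0)"
    return "ok: Service-Type=%d, SN1-Admin-Permission=%d" % (service_type, permission)

def build_accept(*attrs):
    """Constructed sample packet: Access-Accept with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    st = (SERVICE_TYPE, struct.pack("!I", 6))  # constructed; 6 = Administrative in RFC 2865
    vsa = (VENDOR_SPECIFIC, struct.pack("!IBBI", VENDOR_ID, ADMIN_PERMISSION_TYPE, 6, 1))
    for sample in (build_accept(st, vsa), build_accept(st)):
        print(admin_login_verdict(sample))
```

The parser does not verify the Response Authenticator, so use it on captures or test replies whose origin you already trust.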
RADIUS Mapping System
RADIUS server configuration depends on the type of server used and the instructions distributed by the server manufacturer. The following table shows the attribute/value mapping system that is constant, regardless of server manufacturer or model:
Table 1. RADIUS Attribute/Value Mapping System
Attribute
Value