Configuring tacacs+ authorization, Configuring exec authorization – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

Configuring TACACS+ authorization

Brocade devices support TACACS+ authorization for controlling access to management functions in the
CLI. Two kinds of TACACS+ authorization are supported:

• Exec authorization determines a user privilege level when they are authenticated
• Command authorization consults a TACACS+ server to get authorization for commands entered by

the user

Configuring exec authorization

When TACACS+ exec authorization is performed, the Brocade device consults a TACACS+ server to
determine the privilege level of the authenticated user. To configure TACACS+ exec authorization on
the Brocade device, enter the following command.

device(config)#aaa authorization exec default tacacs+

Syntax: aaa authorization exec default tacacs+[none]

If you specify none , or omit the aaa authorization exec command from the device configuration, no
exec authorization is performed.

A user privilege level is obtained from the TACACS+ server in the "foundry-privlvl" A-V pair. If the aaa
authorization exec default tacacs+ command exists in the configuration, the device assigns the user
the privilege level specified by this A-V pair. If the command does not exist in the configuration, then the
value in the "foundry-privlvl" A-V pair is ignored, and the user is granted Super User access.

NOTE
If the aaa authorization exec default tacacs+ command exists in the configuration, following
successful authentication the device assigns the user the privilege level specified by the "foundry-
privlvl" A-V pair received from the TACACS+ server. If the aaa authorization exec default tacacs+
command does not exist in the configuration, then the value in the "foundry-privlvl" A-V pair is ignored,
and the user is granted Super User access.Also note that in order for the aaa authorization exec
default tacacs+ command to work, either theaaa authentication enable default tacacs+ command,
or the aaa authentication login privilege-mode command must also exist in the configuration.

Configuring an Attribute-Value pair on the TACACS+ server

During TACACS+ exec authorization, the Brocade device expects the TACACS+ server to send a
response containing an A-V (Attribute-Value) pair that specifies the privilege level of the user. When the
Brocade device receives the response, it extracts an A-V pair configured for the Exec service and uses
it to determine the user privilege level.

To set a user privilege level, you can configure the "foundry-privlvl" A-V pair for the Exec service on the
TACACS+ server.

user=bob {

default service = permit

member admin

#Global password

global = cleartext "cat"

service = exec {

foundry-privlvl = 0

}

}

In this example, the A-V pair foundry-privlvl = 0 grants the user full read-write access. The value
in the foundry-privlvl A-V pair is an integer that indicates the privilege level of the user. Possible values

Configuring TACACS+ authorization

FastIron Ethernet Switch Security Configuration Guide

53

53-1003088-03