Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

are 0 for super-user level, 4 for port-config level, or 5 for read-only level. If a value other than 0, 4, or 5
is specified in the foundry-privlvl A-V pair, the default privilege level of 5 (read-only) is used. The
foundry-privlvl A-V pair can also be embedded in the group configuration for the user. See your
TACACS+ documentation for the configuration syntax relevant to your server.

If the foundry-privlvl A-V pair is not present, the Brocade device extracts the last A-V pair configured
for the Exec service that has a numeric value. The Brocade device uses this A-V pair to determine the
user privilege level.

user=bob {
    default service = permit
    member admin
    #Global password
    global = cleartext "cat"
    service = exec {
        privlvl = 15
    }
}

The attribute name in the A-V pair is not significant; the Brocade device uses the last one that has a
numeric value. However, the Brocade device interprets the value for a non-"foundry-privlvl" A-V pair
differently than it does for a "foundry-privlvl" A-V pair. The following table lists how the Brocade device
associates a value from a non-"foundry-privlvl" A-V pair with a Brocade privilege level.

TABLE 4  Brocade equivalents for non-"foundry-privlvl" A-V pair values

Value for non-"foundry-privlvl" A-V pair    Brocade privilege level
15                                          0 (super-user)
14 through 1                                4 (port-config)
Any other number, or 0                      5 (read-only)

In the example above, the A-V pair configured for the Exec service is privlvl = 15. The Brocade
device uses the value in this A-V pair to set the user privilege level to 0 (super-user), granting the user
full read-write access.

In a configuration that has both a "foundry-privlvl" A-V pair and a non-"foundry-privlvl" A-V pair for the
Exec service, the non-"foundry-privlvl" A-V pair is ignored.

user=bob {
    default service = permit
    member admin
    #Global password
    global = cleartext "cat"
    service = exec {
        foundry-privlvl = 4
        privlvl = 15
    }
}

In this example, the user would be granted a privilege level of 4 (port-config level). The privlvl = 15
A-V pair is ignored by the Brocade device.

If the TACACS+ server has no A-V pair configured for the Exec service, the default privilege level of 5
(read-only) is used.
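The precedence rules above (foundry-privlvl first, then the last numeric Exec A-V pair, otherwise read-only) together with the Table 4 mapping, as an added Python example that is not Brocade's code. The user blocks are constructed from the guide's two examples, and the small parser for the tac_plus-style syntax is hypothetical.

```python
import re

# Brocade privilege levels named in the guide.
SUPER_USER, PORT_CONFIG, READ_ONLY = 0, 4, 5

# Constructed tac_plus-style user blocks, modelled on the guide's two examples.
BOB_PRIVLVL_ONLY = """user=bob {
    default service = permit
    member admin
    #Global password
    global = cleartext "cat"
    service = exec {
        privlvl = 15
    }
}"""
BOB_BOTH_PAIRS = BOB_PRIVLVL_ONLY.replace("privlvl = 15", "foundry-privlvl = 4\n        privlvl = 15")

def exec_av_pairs(user_block: str) -> list:
    """Return (attribute, value) pairs inside 'service = exec { ... }' in config order (hypothetical parser)."""
    m = re.search(r"service\s*=\s*exec\s*\{([^}]*)\}", user_block)
    if not m:
        return []
    pairs = []
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        if "=" in line:
            attr, val = line.split("=", 1)
            pairs.append((attr.strip(), val.strip()))
    return pairs

def brocade_privilege_level(user_block: str) -> int:
    """Apply the guide's rules: foundry-privlvl first, then the last numeric exec A-V pair, else read-only."""
    pairs = exec_av_pairs(user_block)
    for attr, val in pairs:
        if attr == "foundry-privlvl":
            # Only 0, 4 and 5 are valid; any other value falls back to read-only.
            return int(val) if val in ("0", "4", "5") else READ_ONLY
    numeric = [int(v) for _, v in pairs if v.lstrip("-").isdigit()]
    if not numeric:
        return READ_ONLY                         # no numeric exec A-V pair at all
    last = numeric[-1]                           # attribute name is not significant
    if last == 15:
        return SUPER_USER
    if 1 <= last <= 14:
        return PORT_CONFIG
    return READ_ONLY                             # 0, negative, or above 15
```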

Security Access

54

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03