beautypg.com

Configuring tacacs+ authorization, Configuring exec authorization – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

Page 58

background image

40

Multi-Service IronWare Security Configuration Guide

53-1003035-02

Configuring TACACS or TACACS+ security

1

If the next method in the authentication method list is “enable”, the login prompt is skipped,
and the user is prompted for the Enable password (that is, the password configured with the
enable super-user-password command).

If the next method in the authentication method list is “line”, the login prompt is skipped, and
the user is prompted for the Line password (that is, the password configured with the enable
telnet password command).

Configuring TACACS+ authorization

The Brocade device supports TACACS+ authorization for controlling access to management
functions in the CLI. Two kinds of TACACS+ authorization are supported:

Exec authorization determines a user’s privilege level when they are authenticated

Command authorization consults a TACACS+ server to get authorization for commands entered
by the user

Configuring exec authorization

When TACACS+ exec authorization is performed, the Brocade device consults a TACACS+ server to
determine the privilege level of the authenticated user.

To configure TACACS+ exec authorization on a Brocade device, enter the following command.

Brocade(config)# aaa authorization exec default tacacs+

Syntax: aaa authorization exec default tacacs+ | radius | none

If you specify none, or omit the aaa authorization exec command from the device’s configuration,
no exec authorization is performed.

A user’s privilege level is obtained from the TACACS+ server in the “foundry-privlvl” A-V pair. If the
aaa authorization exec default tacacs command exists in the configuration, the device assigns the
user the privilege level specified by this A-V pair. If the command does not exist in the configuration,
then the value in the “foundry-privlvl” A-V pair is ignored, and the user is granted Super User
access.

NOTE

If the aaa authorization exec default tacacs+ command exists in the configuration, following
successful authentication the device assigns the user the privilege level specified by the
“foundry-privlvl” A-V pair received from the TACACS+ server. If the aaa authorization exec default
tacacs+ command does not exist in the configuration, then the value in the “foundry-privlvl” A-V pair
is ignored, and the user is granted Super User access.

Also note that in order for the aaa authorization exec default tacacs+ command to work, either the
aaa authentication enable default tacacs+ command, or the aaa authentication login default
tacacs+ command must also exist in the configuration.

Configuring an attribute-value pair on the TACACS+ server
During TACACS+ exec authorization, the Brocade device expects the TACACS+ server to send a
response containing an A-V (Attribute-Value) pair that specifies the privilege level of the user. When
the Brocade device receives the response, it extracts an A-V pair configured for the Exec service
and uses it to determine the user’s privilege level.

See also other documents in the category Brocade Computer Accessories: