
Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

53-1003035-02

Configuring RADIUS security

You enable RADIUS command authorization by specifying a privilege level whose commands
require authorization. For example, to configure the Brocade device to perform authorization for the
commands available at the Super User privilege level (that is, all commands on the device), enter
the following command.

Brocade(config)# aaa authorization commands 0 default radius

Syntax: [no] aaa authorization commands privilege-level default radius | tacacs+ | none

The privilege-level parameter can be one of the following:

0 – Authorization is performed (that is, the Brocade device looks at the command list) for
commands available at the Super User level (all commands)

4 – Authorization is performed for commands available at the Port Configuration level
(port-config and read-only commands)

5 – Authorization is performed for commands available at the Read Only level (read-only
commands)

NOTE

RADIUS command authorization can be performed only for commands entered from Telnet or SSH
sessions, or from the console. No authorization is performed for commands entered at the Web
Management Interface or Brocade Network Advisor.

NOTE

Since RADIUS command authorization relies on the command list supplied by the RADIUS server
during authentication, you cannot perform RADIUS authorization without RADIUS authentication.

Command authorization and accounting for console commands

The Brocade devices support command authorization and command accounting for CLI commands
entered at the console. To configure the device to perform command authorization and command
accounting for console commands, enter the following.

Brocade(config)# enable aaa console

Syntax: [no] enable aaa console

CAUTION

If you have previously configured the device to perform command authorization using a RADIUS
server, entering the enable aaa console command may prevent the execution of any subsequent
commands entered on the console.

NOTE

This happens because RADIUS command authorization requires a list of allowable commands from
the RADIUS server. This list is obtained during RADIUS authentication. For console sessions, RADIUS
authentication is performed only if you have configured Enable authentication and specified RADIUS
as the authentication method (for example, with the aaa authentication enable default radius
command). If RADIUS authentication is never performed, the list of allowable commands is never
obtained from the RADIUS server. Consequently, there would be no allowable commands on the
console.
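
The lockout condition described in the caution can be checked against a saved configuration before enable aaa console is entered. The following Python script is an added example, not part of the Brocade manual; it looks only for the three commands named on this page. The function name, finding codes, sample configurations, and the rule that RADIUS must be the first listed Enable authentication method are assumptions of the example.

```python
import re

# Commands as they appear on this page, matched after whitespace normalisation.
AUTHZ = re.compile(r"^aaa authorization commands (\d+) default (\S+)")
AUTHN_ENABLE = re.compile(r"^aaa authentication enable default (\S+)")

def audit_console_aaa(config_text):
    """Return {finding_code: message} for a saved running-config (hypothetical helper)."""
    radius_levels, console_aaa, enable_radius = [], False, False
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        if (m := AUTHZ.match(line)) and m.group(2) == "radius":
            radius_levels.append(int(m.group(1)))
        elif line == "enable aaa console":
            console_aaa = True
        elif (m := AUTHN_ENABLE.match(line)) and m.group(1) == "radius":
            # Assumption: only RADIUS as the first method guarantees that the
            # command list is fetched during Enable authentication.
            enable_radius = True
    findings = {}
    if not radius_levels:
        return findings  # RADIUS command authorization is not configured
    levels = ", ".join(str(lvl) for lvl in sorted(radius_levels))
    if console_aaa and not enable_radius:
        findings["console-lockout"] = (
            f"RADIUS authorization (level {levels}) applies to the console, but "
            "Enable authentication does not use RADIUS: no command list is "
            "obtained, so no console command is allowed")
    elif not console_aaa:
        findings["console-unchecked"] = (
            "'enable aaa console' is absent: console commands are not "
            "authorized or accounted")
    # Stated in the NOTE on this page; holds for any RADIUS authorization setup.
    findings["web-unchecked"] = (
        "commands entered at the Web Management Interface or Brocade Network "
        "Advisor are not authorized")
    return findings

# Constructed sample configurations (not taken from a real device).
RISKY = "aaa authorization commands 0 default radius\nenable aaa console\n"
SAFE = ("aaa authentication enable default radius\n"
        "aaa authorization commands 0 default radius\n"
        "enable aaa console\n")

if __name__ == "__main__":
    for name, cfg in (("risky", RISKY), ("safe", SAFE)):
        for code, msg in audit_console_aaa(cfg).items():
            print(f"{name}: [{code}] {msg}")
```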