Rpc and error handling, Cli and ssh subsystem, Netconf user privileges – Brocade Multi-Service IronWare Administration Guide (Supporting R05.6.00) User Manual

280
Multi-Service IronWare Administration Guide
53-1003028-02
NETCONF in client/server architecture
8
RPC and error handling
If the RPC request fails, an <rpc-error> element, the first detected error, is encoded inside the
<rpc-reply> element and sent to the client. The server is not required to detect or report multiple
errors. If the server detects multiple errors, then the order of the error detection and reporting is at
the discretion of the server.
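A client-side check of a reply, as an added example that is not part of the Brocade guide. It uses the element names and base namespace defined in RFC 6241; the sample reply is constructed, and parse_rpc_reply, has_hard_error and RpcError are names chosen here.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

NC = "{urn:ietf:params:xml:ns:netconf:base:1.0}"  # base namespace, RFC 6241

# Constructed sample reply (not captured from a device).
SAMPLE_REPLY = """<rpc-reply message-id="101"
    xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <rpc-error>
    <error-type>protocol</error-type>
    <error-tag>access-denied</error-tag>
    <error-severity>error</error-severity>
    <error-message>constructed sample message</error-message>
  </rpc-error>
</rpc-reply>"""

@dataclass
class RpcError:
    error_type: Optional[str]
    tag: Optional[str]
    severity: Optional[str]
    message: Optional[str]

def parse_rpc_reply(xml_text: str, expected_id: str) -> List[RpcError]:
    """Return every rpc-error in the reply; an empty list means no error."""
    # RFC 6241 forbids document type declarations in NETCONF content,
    # so refuse them before the text reaches the XML parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD found in NETCONF content")
    root = ET.fromstring(xml_text)
    if root.tag != NC + "rpc-reply":
        raise ValueError("not an rpc-reply")
    # A reply must answer the request that was actually sent.
    if root.get("message-id") != expected_id:
        raise ValueError("message-id mismatch")
    errors = []
    for err in root.findall(NC + "rpc-error"):
        errors.append(RpcError(
            err.findtext(NC + "error-type"),
            err.findtext(NC + "error-tag"),
            err.findtext(NC + "error-severity"),
            err.findtext(NC + "error-message")))
    return errors

def has_hard_error(errors: List[RpcError]) -> bool:
    # error-severity is "error" or "warning"; only "error" fails the request.
    return any(e.severity == "error" for e in errors)
```

Because the server may report only the first error it detects, one returned error does not mean the request has only one fault; resubmit and re-check after each correction.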
CLI and SSH subsystem
The NETCONF client must use Secure Shell Version 2 (SSHv2) as the network transport to connect 
to the NETCONF server. Only the SSHv2 protocol is supported as the NETCONF transport protocol. 
To run NETCONF over SSHv2, the client establishes an SSH transport connection using the SSH 
transport protocol to the NETCONF port. The default NETCONF port is 830. The underlying SSH 
client and server exchange keys for message integrity and encryption.
The SSHv2 client invokes the ssh-userauth service to authenticate the user. All currently supported
SSH user authentication methods, such as public-key, password, and keyboard-interactive
authentication, are also supported for a NETCONF session. If the SSH user authentication is
disabled, the user is allowed full access.
On successful user authentication, the client invokes the ssh-connection service, also known as 
the SSH connection protocol. After the SSH session is established, the NETCONF client invokes 
NETCONF as an SSH subsystem called netconf.
NETCONF user privileges
Every NETCONF session has a corresponding authentication, authorization, and accounting (AAA) 
session. The AAA attributes apply to the NETCONF session. Only authentication and EXEC 
authorization are supported. Other forms of accounting and command authorization are not 
supported.
The privilege level of the user (read-only(5), read-write(0)) is obtained from the AAA server, if it is 
provided. If the privilege level is not provided by the AAA server, the default privilege level applies 
for the NETCONF session.
Table 41 provides the mapping between the NETCONF privilege levels and the AAA privilege levels.
Table 42 provides the mapping between the NETCONF privilege levels and the supported NETCONF
operations.
TABLE 41   Privilege levels

AAA privilege level    NETCONF privilege level
0                      NETCONF_PRIVILEGE_LEVEL_0
1-5                    NETCONF_PRIVILEGE_LEVEL_5

TABLE 42   NETCONF operations and privilege levels

Operations    NETCONF_PRIVILEGE_LEVEL_0    NETCONF_PRIVILEGE_LEVEL_5
Yes
Yes
Yes
Yes
