Configuring command authorization – Brocade TurboIron 24X Series Configuration Guide User Manual

96    Brocade TurboIron 24X Series Configuration Guide    53-1003053-01

Configuring TACACS/TACACS+ security

    service = exec {
        priv-lvl = 15
    }
}

The attribute name in the A-V pair is not significant; the device uses the last one that has a numeric
value. However, the device interprets the value for a non-"foundry-privlvl" A-V pair differently than it
does for a "foundry-privlvl" A-V pair. Table 21 lists how the device associates a value from
a non-"foundry-privlvl" A-V pair with a privilege level.

In the example above, the A-V pair configured for the Exec service is priv-lvl = 15. The device
uses the value in this A-V pair to set the user privilege level to 0 (super-user), granting the user full
read-write access.

In a configuration that has both a "foundry-privlvl" A-V pair and a non-"foundry-privlvl" A-V pair for
the Exec service, the non-"foundry-privlvl" A-V pair is ignored.

Example

user=bob {
    default service = permit
    member admin
    #Global password
    global = cleartext "cat"
    service = exec {
        foundry-privlvl = 4
        priv-lvl = 15
    }
}

In this example, the user would be granted a privilege level of 4 (port-config level). The
priv-lvl = 15 A-V pair is ignored by the device.

If the TACACS+ server has no A-V pair configured for the Exec service, the default privilege level of 5
(read-only) is used.
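As an added worked example that is not part of the Brocade guide, the following Python script applies the rules above and Table 21 to tac_plus-style user entries: it returns the privilege level the device would assign to each user and lists the users who end up as super-user. The config parsing, the user names in the sample, and the assumption that each user block's closing brace starts a line are mine, not anything the guide specifies.

```python
import re
SUPER_USER, PORT_CONFIG, READ_ONLY = 0, 4, 5  # Brocade levels named in the manual
def map_generic_privlvl(value):
    """Table 21: Brocade level for a non-"foundry-privlvl" A-V pair value."""
    if value == 15:
        return SUPER_USER
    if 1 <= value <= 14:
        return PORT_CONFIG
    return READ_ONLY  # 0 or any other number; note priv-lvl 0 is NOT Brocade level 0

def exec_av_pairs(user_body):
    """(name, value) pairs inside 'service = exec { ... }', in order; '#' comments dropped."""
    m = re.search(r"service\s*=\s*exec\s*\{([^}]*)\}", user_body)
    pairs = []
    for line in (m.group(1).splitlines() if m else []):
        line = line.split("#", 1)[0]
        if "=" in line:
            name, _, val = line.partition("=")
            pairs.append((name.strip(), val.strip()))
    return pairs

def effective_privilege(user_body):
    """Level the device assigns: a numeric foundry-privlvl pair wins (others ignored);
    else the last numeric pair is mapped via Table 21; no pair at all => read-only."""
    pairs = exec_av_pairs(user_body)
    foundry = [int(v) for n, v in pairs if n == "foundry-privlvl" and v.isdigit()]
    if foundry:
        return foundry[-1]
    numeric = [int(v) for _, v in pairs if v.isdigit()]
    return map_generic_privlvl(numeric[-1]) if numeric else READ_ONLY

def user_blocks(config_text):
    """name -> body of 'user=NAME { ... }' blocks; assumes the user's closing brace starts a line."""
    return dict(re.findall(r"user\s*=\s*(\S+)\s*\{(.*?)\n\}", config_text, re.S))

def super_users(config_text):
    """Users whose exec A-V pairs resolve to super-user (level 0) on the device."""
    return [n for n, b in user_blocks(config_text).items() if effective_privilege(b) == 0]
# Constructed sample: the manual's "bob" entry, trimmed, plus one user added for contrast.
SAMPLE_CONFIG = """user=bob {
    global = cleartext "cat"
    service = exec {
        foundry-privlvl = 4
        priv-lvl = 15
    }
}
user=alice {
    service = exec { priv-lvl = 15 }
}
"""
```

Running `super_users(SAMPLE_CONFIG)` reports only alice, since bob's priv-lvl = 15 is overridden by foundry-privlvl = 4 exactly as the guide describes.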

Configuring command authorization

When TACACS+ command authorization is enabled, the device consults a TACACS+ server to get
authorization for commands entered by the user.

You enable TACACS+ command authorization by specifying a privilege level whose commands
require authorization. For example, to configure the device to perform authorization for the
commands available at the Super User privilege level (that is, all commands on the device), enter
the following command.

TurboIron(config)#aaa authorization commands 0 default tacacs+

Syntax: aaa authorization commands <privilege-level> default tacacs+ | radius | none

The <privilege-level> parameter can be one of the following:

TABLE 21    Brocade equivalents for non-"foundry-privlvl" A-V pair values

Value for non-"foundry-privlvl" A-V pair    Brocade privilege level
15                                          0 (super-user)
14 through 1                                4 (port-config)
Any other number, or 0                      5 (read-only)