Configuring radius authorization, Configuring exec authorization, Configuring command authorization – Brocade TurboIron 24X Series Configuration Guide User Manual
Page 145
Brocade TurboIron 24X Series Configuration Guide
111
53-1003053-01
Configuring RADIUS security
Configuring enable authentication to prompt for password only
If Enable authentication is configured on the device, when a user attempts to gain Super User
access to the Privileged EXEC and CONFIG levels of the CLI, by default he or she is prompted for a
username and password. In this release, you can configure the device to prompt only for a
password. The device uses the username entered at login, if one is available. If no username was
entered at login, the device prompts for both username and password.
To configure the device to prompt only for a password when a user attempts to gain Super User
access to the Privileged EXEC and CONFIG levels of the CLI.
TurboIron(config)#aaa authentication enable implicit-user
Syntax: [no] aaa authentication enable implicit-user
Configuring RADIUS authorization
Devices support RADIUS authorization for controlling access to management functions in the CLI.
Two kinds of RADIUS authorization are supported:
•
Exec authorization determines a user privilege level when they are authenticated
•
Command authorization consults a RADIUS server to get authorization for commands entered
by the user
Configuring exec authorization
When RADIUS exec authorization is performed, the device consults a RADIUS server to determine
the privilege level of the authenticated user. To configure RADIUS exec authorization on the device,
enter the following command.
TurboIron(config)#aaa authorization exec default radius
Syntax: aaa authorization exec default radius | none
If you specify none, or omit the aaa authorization exec command from the device configuration, no
exec authorization is performed.
NOTE
If the aaa authorization exec default radius command exists in the configuration, following
successful authentication the device assigns the user the privilege level specified by the
foundry-privilege-level attribute received from the RADIUS server. If the aaa authorization exec
default radius command does not exist in the configuration, then the value in the
foundry-privilege-level attribute is ignored, and the user is granted Super User access.
Also note that in order for the aaa authorization exec default radius command to work, either the
aaa authentication enable default radius command, or the aaa authentication login privilege-mode
command must also exist in the configuration.
Configuring command authorization
When RADIUS command authorization is enabled, the device consults the list of commands
supplied by the RADIUS server during authentication to determine whether a user can execute a
command he or she has entered.