beautypg.com

Configuring radius authorization, Configuring exec authorization, Configuring command authorization – Brocade TurboIron 24X Series Configuration Guide User Manual

Page 145

background image

Brocade TurboIron 24X Series Configuration Guide

111

53-1003053-01

Configuring RADIUS security

Configuring enable authentication to prompt for password only

If Enable authentication is configured on the device, when a user attempts to gain Super User
access to the Privileged EXEC and CONFIG levels of the CLI, by default he or she is prompted for a
username and password. In this release, you can configure the device to prompt only for a
password. The device uses the username entered at login, if one is available. If no username was
entered at login, the device prompts for both username and password.

To configure the device to prompt only for a password when a user attempts to gain Super User
access to the Privileged EXEC and CONFIG levels of the CLI.

TurboIron(config)#aaa authentication enable implicit-user

Syntax: [no] aaa authentication enable implicit-user

Configuring RADIUS authorization

Devices support RADIUS authorization for controlling access to management functions in the CLI.
Two kinds of RADIUS authorization are supported:

Exec authorization determines a user privilege level when they are authenticated

Command authorization consults a RADIUS server to get authorization for commands entered
by the user

Configuring exec authorization

When RADIUS exec authorization is performed, the device consults a RADIUS server to determine
the privilege level of the authenticated user. To configure RADIUS exec authorization on the device,
enter the following command.

TurboIron(config)#aaa authorization exec default radius

Syntax: aaa authorization exec default radius | none

If you specify none, or omit the aaa authorization exec command from the device configuration, no
exec authorization is performed.

NOTE

If the aaa authorization exec default radius command exists in the configuration, following
successful authentication the device assigns the user the privilege level specified by the
foundry-privilege-level attribute received from the RADIUS server. If the aaa authorization exec
default radius command does not exist in the configuration, then the value in the
foundry-privilege-level attribute is ignored, and the user is granted Super User access.

Also note that in order for the aaa authorization exec default radius command to work, either the
aaa authentication enable default radius command, or the aaa authentication login privilege-mode
command must also exist in the configuration.

Configuring command authorization

When RADIUS command authorization is enabled, the device consults the list of commands
supplied by the RADIUS server during authentication to determine whether a user can execute a
command he or she has entered.