beautypg.com

Configuring tacacs+ authorization, Configuring exec authorization – Brocade BigIron RX Series Configuration Guide User Manual

Page 163

background image

BigIron RX Series Configuration Guide

85

53-1002484-04

Configuring TACACS and TACACS+ security

3

Configuring TACACS+ authorization

The device supports TACACS+ authorization for controlling access to management functions in the
CLI. Two kinds of TACACS+ authorization are supported:

Exec authorization determines a user’s privilege level when they are authenticated

Command authorization consults a TACACS+ server to get authorization for commands entered
by the user

Configuring Exec authorization

When TACACS+ exec authorization is performed, the device consults a TACACS+ server to
determine the privilege level of the authenticated user.

To configure TACACS+ exec authorization on the device, enter the following command.

BigIron RX(config)# aaa authorization exec default tacacs+

Syntax: aaa authorization exec default tacacs+ | radius | none

If you specify none, or omit the aaa authorization exec command from the device’s configuration,
no exec authorization is performed.

A user’s privilege level is obtained from the TACACS+ server in the “foundry-privlvl” A-V pair. If the
aaa authorization exec default tacacs command exists in the configuration, the device assigns the
user the privilege level specified by this A-V pair. If the command does not exist in the configuration,
then the value in the “foundryprivlvl” A-V pair is ignored, and the user is granted Super User access.

NOTE

If the aaa authorization exec default tacacs+ command exists in the configuration, following
successful authentication the device assigns the user the privilege level specified by the
“foundry-privlvl” A-V pair received from the TACACS+ server. If the aaa authorization exec default
tacacs+ command does not exist in the configuration, then the value in the “foundry-privlvl” A-V pair
is ignored, and the user is granted Super User access.

Also note that in order for the aaa authorization exec default tacacs+ command to work, either the
aaa authentication enable default tacacs+ command, or the aaa authentication login
privilege-mode command must also exist in the configuration.

Configuring an Attribute-Value pair on the TACACS+ server

During TACACS+ exec authorization, the Brocade device expects the TACACS+ server to send a
response containing an A-V (Attribute-Value) pair that specifies the privilege level of the user. When
the BigIron RX receives the response, it extracts an A-V pair configured for the Exec service and
uses it to determine the user’s privilege level.

To set a user’s privilege level, you can configure the “foundry-privlvl” A-V pair for the Exec service on
the TACACS+ server.

user=bob {

default service = permit

member admin

# Global password

global = cleartext "cat"

See also other documents in the category Brocade Computer Accessories: