Configuring tacacs+ authorization, Configuring exec authorization – Brocade Virtual ADX Administration Guide (Supporting ADX v03.1.00) User Manual
Brocade Virtual ADX Administration Guide, page 79 (53-1003249-01)
Chapter 2: Configuring TACACS or TACACS+ security
• If the next method in the authentication method list is "enable", the login prompt is skipped, and the user is prompted for the Enable password (that is, the password configured with the enable super-user-password command).
• If the next method in the authentication method list is "line", the login prompt is skipped, and the user is prompted for the Line password (that is, the password configured with the enable telnet password command).
Configuring TACACS+ authorization
Brocade Virtual ADX devices support TACACS+ authorization for controlling access to management
functions in the CLI. Two kinds of TACACS+ authorization are supported:
• Exec authorization determines a user’s privilege level when they are authenticated.
• Command authorization consults a TACACS+ server to get authorization for commands entered by the user.
Configuring Exec authorization
When TACACS+ exec authorization is performed, the Brocade Virtual ADX consults a TACACS+
server to determine the privilege level of the authenticated user. To configure TACACS+ exec
authorization on the Brocade Virtual ADX, enter the following command.
Virtual ADX(config)#aaa authorization exec default tacacs+
Syntax: aaa authorization exec default tacacs+ | none
If you specify none, or omit the aaa authorization exec command from the device’s configuration,
no exec authorization is performed.
A user’s privilege level is obtained from the TACACS+ server in the “-privlvl” A-V pair. If the aaa
authorization exec default tacacs+ command exists in the configuration, the device assigns the user
the privilege level specified by this A-V pair. If the command does not exist in the configuration,
then the value in the “-privlvl” A-V pair is ignored, and the user is granted Super User access.
NOTE
If the aaa authorization exec default tacacs+ command exists in the configuration, following
successful authentication the device assigns the user the privilege level specified by the “-privlvl”
A-V pair received from the TACACS+ server. If the aaa authorization exec default tacacs+ command
does not exist in the configuration, then the value in the “-privlvl” A-V pair is ignored, and the user is
granted Super User access.
Also note that in order for the aaa authorization exec default tacacs+ command to work, either the
aaa authentication enable default tacacs+ command, or the aaa authentication login
privilege-mode command must also exist in the configuration.
Configuring an attribute-value pair on the TACACS+ server
During TACACS+ exec authorization, the Brocade Virtual ADX expects the TACACS+ server to send a
response containing an A-V (Attribute-Value) pair that specifies the privilege level of the user. When
the Brocade Virtual ADX receives the response, it extracts an A-V pair configured for the Exec
service and uses it to determine the user’s privilege level.
To set a user’s privilege level, you can configure the “-privlvl” A-V pair for the Exec service on the
TACACS+ server.
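The two rules above (exec authorization only takes effect when the aaa authorization exec command and one of the two authentication prerequisites are present; otherwise the privilege-level A-V pair is ignored and the user becomes a Super User) are easy to get wrong in a running configuration. The following Python helper is an added example, not code from the guide or from Brocade: it audits a configuration excerpt for that condition and computes the privilege level the device would apply to a given exec-service response. The sample configuration and A-V pairs are constructed; the attribute is matched by its "privlvl" suffix because the guide only shows it abbreviated as “-privlvl”.

```python
import re

# Constructed running-config excerpt for the audit (not taken from the guide).
SAMPLE_CONFIG = """\
aaa authentication login default tacacs+ local
aaa authentication enable default tacacs+
aaa authorization exec default tacacs+
tacacs-server host 192.0.2.10
"""

EXEC_AUTHZ = "aaa authorization exec default tacacs+"
PREREQS = ("aaa authentication enable default tacacs+",
           "aaa authentication login privilege-mode")


def audit_exec_authorization(config_text):
    """Report whether TACACS+ exec authorization is actually in effect.

    Per the guide: exec authorization happens only when EXEC_AUTHZ is
    configured, and only works when one of PREREQS is also configured.
    """
    lines = {line.strip() for line in config_text.splitlines()}
    has_exec = EXEC_AUTHZ in lines
    has_prereq = any(p in lines for p in PREREQS)
    findings = []
    if not has_exec:
        findings.append("no exec authorization: the privlvl A-V pair is "
                        "ignored and every TACACS+ user gets Super User access")
    elif not has_prereq:
        findings.append("exec authorization present but neither enable "
                        "authentication nor login privilege-mode is configured")
    return {"effective": has_exec and has_prereq, "findings": findings}


def effective_privilege(av_pairs, config_text):
    """Privilege the device applies for an exec-service authorization reply.

    av_pairs: 'attr=value' strings from the TACACS+ response (constructed).
    Returns the integer level from the privlvl pair when exec authorization
    is effective, 'Super User' when it is not, and None when the reply
    carries no privlvl pair (the guide does not state that case).
    """
    if not audit_exec_authorization(config_text)["effective"]:
        return "Super User"
    for pair in av_pairs:
        match = re.fullmatch(r"[A-Za-z-]*privlvl=(\d+)", pair.strip())
        if match:
            return int(match.group(1))
    return None
```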