Introduction, Switching user privilege level – H3C Technologies H3C S7500E Series Switches User Manual

Switching User Privilege Level

Introduction

Users can switch to a different user privilege level temporarily without logging out and terminating the current connection. After the switch, users can continue to configure the switch without logging in again, but the set of commands they can execute changes. For example, if the current user privilege level is 3, the user can configure system parameters. After switching to user privilege level 0, the user can execute only some simple commands, such as ping and tracert, and only a few display commands. The switching operation is effective only for the current login. After the user logs in again, the user privilege level is restored to the original level.

- To avoid misoperations, administrators are advised to log in to the switch at a lower privilege level to view switch operating parameters, and to switch to a higher level temporarily only when they have to maintain the switch.

- When administrators need to leave for a while or ask someone else to manage the switch temporarily, they can switch to a lower privilege level before they leave to restrict what others can do.

Setting the authentication mode for user privilege level switch

- A user can switch to a privilege level equal to or lower than the current one unconditionally and is not required to input the password (if any).

- For security, a user is required to input the password (if any) to switch to a higher privilege level. The authentication falls into one of the following four categories:

| Authentication mode | Meaning | Description |
|---|---|---|
| local | Local password authentication | The switch authenticates a user by using the privilege level switch password input by the user. When this mode is applied, you need to set the password for privilege level switch with the super password command. |
| scheme | Remote AAA authentication through HWTACACS or RADIUS | The switch sends the username and password for privilege level switch to the HWTACACS or RADIUS server for remote authentication. When this mode is applied, you need to perform the following configurations: (1) Configure HWTACACS or RADIUS scheme and reference the created scheme in the ISP domain. For more information, see AAA Configuration in the Security Configuration Guide. (2) Create the corresponding user and configure password on the HWTACACS or RADIUS server. |
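
The following check is an added example, not part of the H3C manual: it audits a saved configuration against the prerequisites the table gives for the local and scheme modes. The configuration line syntax (super authentication-mode, super password level N simple|cipher, hwtacacs scheme / radius scheme), the default of local mode and level 3, and the sample configuration are assumptions modelled on Comware V5 output and do not appear on this page.

```python
import re

# Constructed sample configuration. The command syntax is assumed
# (Comware V5 style); it is not shown on the manual page.
SAMPLE_CONFIG = """\
#
 super authentication-mode scheme
 super password level 3 simple Admin123
#
domain system
#
"""

def audit_super_config(config_text):
    """Return sorted finding codes for privilege level switch settings."""
    mode = ["local"]    # assumed default when no authentication-mode line exists
    passwords = {}      # level -> storage keyword ("simple" or "cipher")
    has_aaa_scheme = False
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"super authentication-mode\s+(.+)$", line)
        if m:
            mode = m.group(1).split()
            continue
        m = re.match(r"super password(?:\s+level\s+(\d+))?\s+(simple|cipher)\s+\S+", line)
        if m:
            # Level 3 is assumed when the level keyword is omitted.
            passwords[int(m.group(1) or 3)] = m.group(2)
            continue
        if re.match(r"(hwtacacs|radius)\s+scheme\s+\S+", line):
            has_aaa_scheme = True

    findings = set()
    # Table, "local" row: a super password must be set for this mode.
    if "local" in mode and not passwords:
        findings.add("LOCAL_MODE_WITHOUT_SUPER_PASSWORD")
    # Table, "scheme" row: an HWTACACS or RADIUS scheme must be configured.
    if "scheme" in mode and not has_aaa_scheme:
        findings.add("SCHEME_MODE_WITHOUT_AAA_SCHEME")
    # A password saved with the "simple" keyword is readable in the config file.
    if any(keyword == "simple" for keyword in passwords.values()):
        findings.add("SUPER_PASSWORD_STORED_IN_CLEARTEXT")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_super_config(SAMPLE_CONFIG):
        print(finding)
```

The check only confirms that a scheme is defined; whether the scheme is referenced in the ISP domain and whether the user exists on the server still has to be verified separately.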