Configuring command authorization – H3C Technologies H3C SecPath F1000-E User Manual
To do: Set the user privilege level
Use the command: See
Remarks: Optional. By default, users logging in through console port have a privilege level of 3; users logging in through other user interfaces have a privilege level of 0.

To do: Return to system view
Use the command: quit
Remarks: ––

To do: Set the authentication username and enter local user view
Use the command: local-user user-name
Remarks: Required. No local user is set on the device by default.

To do: Set the authentication password
Use the command: password { cipher | simple } password
Remarks: Required

To do: Set the service type that can be used by users
Use the command: service-type { ssh | telnet | terminal } *
Remarks: Required. Users logging in via VTY user interface use telnet or ssh service. Users logging in via console or AUX port use terminal service.

To do: Configure user attributes
Use the command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory directory-name } *
Remarks: Optional. By default, FTP/SFTP users can access the device's root directory with the user level 0.
Configuring Command Authorization
By default, the commands available to a login user depend on the user level: the user is authorized to
use commands whose default level is not higher than the user level. With command authorization
configured, the commands available to a login user are determined by both the user level and AAA
authorization. When a user executes a command of the corresponding user level, the authorization server
checks whether the command is authorized. If it is, the command can be executed.
The command authorization configuration involves four steps:
1. Configure the authentication mode as scheme when users log in, which means username and
   password are required for authentication.
2. Enable command authorization. See the following table for details.
3. Configure a HWTACACS scheme. Specify the IP addresses of the HWTACACS authorization
   servers and other related parameters.
4. Configure the ISP domain to use the HWTACACS scheme for command line users. For more
   information about HWTACACS configuration, see HWTACACS Configuration in the Firewall
   Web Configuration Manual.
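A check for the four steps above, added here as an example (it is not from the H3C manual): a short Python audit of a saved configuration that reports which step is missing on which user interface. The keywords `authentication-mode scheme`, `command authorization`, `hwtacacs scheme`, `primary authorization` and `authorization command hwtacacs-scheme` are assumed Comware CLI syntax that this page does not show; the sample configuration, scheme names and address are constructed.

```python
# Constructed sample configuration (not from the manual); names and address are placeholders.
# Command keywords are assumed Comware CLI syntax, see the lead-in.
SAMPLE_CONFIG = """\
hwtacacs scheme tac1
 primary authorization 192.0.2.10
domain system
 authorization command hwtacacs-scheme tac2
user-interface con 0
 authentication-mode scheme
 command authorization
user-interface vty 0 4
 authentication-mode scheme
"""

def parse_sections(config):
    """Group indented lines under the unindented view header that precedes them."""
    sections, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line[0].isspace():
            current = line.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def audit(config):
    """Return one finding per gap; an empty list means all four steps are present."""
    sections = parse_sections(config)
    findings = []
    # Step 3: HWTACACS schemes that name an authorization server.
    schemes = {h.split()[2] for h, body in sections.items()
               if h.startswith("hwtacacs scheme ")
               and any(l.startswith("primary authorization ") for l in body)}
    # Step 4: schemes that an ISP domain uses for command authorization.
    used = {l.split()[3] for h, body in sections.items() if h.startswith("domain ")
            for l in body if l.startswith("authorization command hwtacacs-scheme ")}
    for name in sorted(used - schemes):
        findings.append(f"scheme '{name}' is used by a domain but defines no authorization server (step 3)")
    if not used:
        findings.append("no ISP domain uses a HWTACACS scheme for command authorization (step 4)")
    for header, body in sections.items():
        if not header.startswith("user-interface "):
            continue
        if "authentication-mode scheme" not in body:   # step 1
            findings.append(f"{header}: authentication mode is not scheme (step 1)")
        if "command authorization" not in body:        # step 2
            findings.append(f"{header}: command authorization not enabled (step 2)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

On the sample, the audit reports the mistyped scheme name in the domain and the VTY lines that accept logins without command authorization.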
Follow these steps to enable command authorization: