
Configuring command authorization – H3C Technologies H3C SecPath F1000-E User Manual


To do…: Set the user privilege level
Use the command…: See Configuring User Privilege Level Under a User Interface.
Remarks: Optional. By default, users logging in through console port have a privilege level of 3; users logging in through other user interfaces have a privilege level of 0.

To do…: Return to system view
Use the command…: quit
Remarks: ––

To do…: Set the authentication username and enter local user view
Use the command…: local-user user-name
Remarks: Required. No local user is set on the device by default.

To do…: Set the authentication password
Use the command…: password { cipher | simple } password
Remarks: Required

To do…: Set the service type that can be used by users
Use the command…: service-type { ssh | telnet | terminal } *
Remarks: Required. Users logging in via VTY user interface use telnet or ssh service. Users logging in via console or AUX port use terminal service.

To do…: Configure user attributes
Use the command…: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory directory-name } *
Remarks: Optional. By default, FTP/SFTP users can access the device's root directory with the user level 0.
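
The following Python audit is an added example, not part of the H3C manual. It reads local-user blocks written with the commands from the table above and flags users with no password, a password entered with simple rather than cipher, or the telnet service type. The sample configuration is constructed, and the layout (one indented command per line under each local-user line) is an assumption about how the configuration text is saved.

```python
import re

# Constructed sample using only the local-user commands listed in the table.
SAMPLE_CONFIG = """\
local-user admin
 password cipher EXAMPLE-CIPHERTEXT
 service-type ssh terminal
 authorization-attribute level 3
local-user ops
 password simple Example123
 service-type telnet ssh
 authorization-attribute level 3 idle-cut 10
local-user ftpuser
 service-type ssh
"""

def parse_local_users(config):
    """Return {user: {"password": mode or None, "services": set, "level": int or None}}."""
    users, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"local-user\s+(\S+)$", line)
        if m:
            current = users.setdefault(
                m.group(1), {"password": None, "services": set(), "level": None})
        elif not raw.startswith(" "):
            current = None  # an unindented line means we left local user view
        elif current is not None:
            words = line.split()
            if words[0] == "password" and len(words) >= 3:
                current["password"] = words[1]  # "cipher" or "simple"
            elif words[0] == "service-type":
                current["services"].update(words[1:])
            elif words[0] == "authorization-attribute" and "level" in words[:-1]:
                current["level"] = int(words[words.index("level") + 1])
    return users

def audit(users):
    """Return (user, finding) pairs a reviewer would want to follow up on."""
    findings = []
    for name, u in sorted(users.items()):
        if u["password"] is None:
            findings.append((name, "no password set (the table marks it Required)"))
        elif u["password"] == "simple":
            findings.append((name, "password entered with 'simple' instead of 'cipher'"))
        if "telnet" in u["services"]:
            findings.append((name, f"telnet service type enabled (level {u['level']})"))
    return findings
```
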

Configuring Command Authorization

By default, the command level available to a login user depends on the user level: the user is authorized to use commands whose default level is not higher than the user level. With command authorization configured, the command level for a login user is determined by both the user level and AAA authorization. When a user executes a command of the corresponding user level, the authorization server checks whether the command is authorized. If it is, the command can be executed.

The command authorization configuration involves four steps:

1. Configure the authentication mode as scheme when users log in, which means username and password are required for authentication.

2. Enable command authorization. See the following table for details.

3. Configure a HWTACACS scheme. Specify the IP addresses of the HWTACACS authorization servers and other related parameters.

4. Configure the ISP domain to use the HWTACACS scheme for command line users. For more information about HWTACACS configuration, see HWTACACS Configuration in the Firewall Web Configuration Manual.

Follow these steps to enable command authorization: