
Dell S3048-ON - Page 733

Dell S3048-ON
1036 pages
login authentication ucraaa
authorization exec ucraaa
accounting commands role netadmin ucraaa
line vty 5
login authentication ucraaa
authorization exec ucraaa
accounting commands role netadmin ucraaa
line vty 6
login authentication ucraaa
authorization exec ucraaa
accounting commands role netadmin ucraaa
line vty 7
login authentication ucraaa
authorization exec ucraaa
accounting commands role netadmin ucraaa
line vty 8
login authentication ucraaa
authorization exec ucraaa
accounting commands role netadmin ucraaa
line vty 9
login authentication ucraaa
authorization exec ucraaa
accounting commands role netadmin ucraaa
!
Conguring TACACS+ and RADIUS VSA Attributes for RBAC
For RBAC and privilege levels, the Dell Networking OS RADIUS and TACACS+ implementation supports two vendor-specic options:
privilege level and roles. The Dell Networking vendor-ID is 6027 and the supported option has attribute of type string, which is titled
“Force10-avpair”. The value is a string in the following format:
protocol : attribute sep value
“attribute” and “value” are an attribute-value (AV) pair defined in the Dell Network OS TACACS+ specification, and “sep” is “=”. These
attributes allow the full set of features available for TACACS+ authorization and are authorized with the same attributes for RADIUS.
Example for Conguring a VSA Attribute for a Privilege Level 15
The following example congures an AV pair which allows a user to login from a network access server with a privilege level of 15, to have
access to EXEC commands.
The format to create a Dell Network OS AV pair for privilege level is shell:priv-lvl=<number> where number is a value between 0
and 15.
Force10-avpair= "shell:priv-lvl=15"
Example for Creating an AV Pair for a System-Defined or User-Defined Role
The following section shows you how to create an AV pair to allow a user to log in from a network access server to have access to
commands based on the user’s role. The format to create an AV pair for a user role is Force10-avpair= "shell:role=<user-role>"
where user-role is a user-defined or system-defined role.
In the following example, you create an AV pair for a system-defined role, sysadmin.
Force10-avpair= "shell:role=sysadmin"
In the following example, you create an AV pair for a user-defined role. You must also define a role, using the userrole myrole inherit
command on the switch to associate it with this AV pair.
Force10-avpair= "shell:role=myrole"
The string, “myrole”, is associated with a TACACS+ user group. The user IDs are associated with the user group.
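The following Python check is an added example, not part of the Dell manual. It validates Force10-avpair strings against the format described above before they are loaded into a RADIUS or TACACS+ server. The function names, the user names and the role set are assumptions; the role set must mirror the roles actually defined on the switch.

```python
import re

# Grammar from the section: protocol ":" attribute sep value, with sep being "=".
AVPAIR_RE = re.compile(r"^([A-Za-z0-9_-]+):([A-Za-z0-9_-]+)=(.+)$")

def parse_avpair(raw):
    """Split a Force10-avpair string into (protocol, attribute, value)."""
    # Drop surrounding straight or typographic quotes left over from copy/paste.
    text = raw.strip().strip('"\u201c\u201d')
    match = AVPAIR_RE.match(text)
    if match is None:
        raise ValueError(f"not in protocol:attribute=value form: {raw!r}")
    return match.groups()

def audit_avpair(raw, known_roles):
    """Return a list of findings for one value; an empty list means it passed."""
    try:
        protocol, attribute, value = parse_avpair(raw)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if protocol != "shell":
        findings.append(f"protocol {protocol!r} is not 'shell'")
    if attribute == "priv-lvl":
        # The section allows 0 to 15 only.
        if not re.fullmatch(r"[0-9]{1,2}", value) or int(value) > 15:
            findings.append(f"priv-lvl {value!r} is outside 0-15")
    elif attribute == "role":
        # A user-defined role must also exist on the switch.
        if value not in known_roles:
            findings.append(f"role {value!r} is not defined on the switch")
    else:
        findings.append(f"attribute {attribute!r} is not covered by this check")
    return findings

def audit_users(entries, known_roles):
    """Map user -> findings, keeping only users whose value has a problem."""
    report = {user: audit_avpair(value, known_roles) for user, value in entries.items()}
    return {user: found for user, found in report.items() if found}

# Constructed sample data (assumption): user names and the role set are illustrative.
SAMPLE_ROLES = {"sysadmin", "netadmin", "myrole"}
SAMPLE_ENTRIES = {
    "alice": '"shell:priv-lvl=15"',
    "bob": '"shell:role=sysadmin"',
    "carol": "\u201dshell:role=myrol\u201c",   # typo in the role name
    "dave": '"shell:priv-lvl=16"',             # out of range
    "erin": '"shell priv-lvl 15"',             # missing ':' and '='
}
```

Calling audit_users(SAMPLE_ENTRIES, SAMPLE_ROLES) returns findings for carol, dave and erin only. A mistyped role or an out-of-range level is worth catching before deployment, because the user would otherwise not receive the role or privilege level that was intended.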