
HP ProCurve 7000dl Series User Manual

HP ProCurve 7000dl Series
910 pages
2-24
Controlling Management Access to the ProCurve Secure Router
Using the AAA Subsystem to Control Management Access
Configuring Authorization
After you enable the AAA subsystem, you can use a TACACS+ server to control
not only who can access the Secure Router OS but also who can actually enter
unprivileged or privileged commands. That is, you can determine which users
are authorized to configure the router from the basic or enable mode context.
Configuring authorization through the TACACS+ server involves the following
steps:
1. Create a list to specify what an authorized user is allowed to access. In
   this guide and in the SROS Command Line Interface Reference Guide,
   this list is called a “named list.” You can define a named list to authorize
   users to:
   - access the basic mode context or the enable mode context
   - immediately enter the enable mode context when they start a new CLI
     session
2. Assign the named list to a line configuration mode context.
If you want to enforce authorization for console sessions, you must also enable
authorization for the console line.
Of course, the AAA subsystem must be enabled, and the TACACS+ server must
be defined. (See “Define the TACACS+ Server” on page 2-35.)
Creating a Named List to Allow Authorized Users to Access the Basic Mode Context or the Enable Mode Context
You must create a named list for authorization, just as you create a named list
for authentication. In this named list, you specify if users are authorized to
enter commands from the basic mode context or the enable mode context.
You also define the TACACS+ servers that will answer the authorization
request.
You use the aaa authorization command to both create the named list and
specify its contents. From the global configuration mode context, enter:
Syntax: aaa authorization commands [1 | 15] [default | <named list>] [group {tacacs+ | <groupname>}] [if-authenticated | none]
Include 1 or 15 to specify the level of commands for which you want to
configure authorization: 1 is unprivileged access, which is the basic mode, and
15 is privileged access, which is the enable mode.
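The following Python audit is an added example, not part of the HP manual: it checks the aaa authorization commands lines in a saved configuration against the syntax shown above, and reports lists that name no server group and command levels that have no list. The list names in the sample are made up, and reading the syntax as a fixed order (group first, then if-authenticated or none) is an assumption.

```python
import re

# Grammar taken from the Syntax line on this page; the fixed order
# (group first, then if-authenticated or none) is an assumption.
LINE_RE = re.compile(
    r"^aaa authorization commands (?P<level>1|15) (?P<name>\S+)"
    r"(?: group (?P<group>\S+))?"
    r"(?: (?P<fallback>if-authenticated|none))?$"
)
LEVELS = {"1": "basic mode", "15": "enable mode"}

def parse_authorization_lists(config_text):
    """Return (lists, errors) for every 'aaa authorization' line in config_text."""
    lists, errors = [], []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = " ".join(raw.split())  # normalise runs of whitespace
        if not line.startswith("aaa authorization"):
            continue
        match = LINE_RE.match(line)
        # A list with neither a group nor a fallback has no method at all.
        if match is None or not (match["group"] or match["fallback"]):
            errors.append((number, line))
            continue
        lists.append(match.groupdict())
    return lists, errors

def audit(config_text):
    """Report lists that name no server group and levels with no list at all."""
    lists, errors = parse_authorization_lists(config_text)
    findings = [f"line {n}: does not match the documented syntax: {l}" for n, l in errors]
    for entry in lists:
        if entry["group"] is None:
            findings.append(
                f"list {entry['name']} (level {entry['level']}, {LEVELS[entry['level']]}) names no server group")
    covered = {entry["level"] for entry in lists}
    for level in sorted(set(LEVELS) - covered, key=int):
        findings.append(f"no authorization list for level {level} ({LEVELS[level]})")
    return findings

# Constructed sample configuration; list names are made up for illustration.
SAMPLE = """\
aaa authorization commands 15 MgmtEnable group tacacs+ if-authenticated
aaa authorization commands 15 LabOnly none
aaa authorization commands 7 Typo group tacacs+
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```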


HP ProCurve 7000dl Series Specifications

General
Brand: HP
Model: ProCurve 7000dl Series
Category: Network Router
Language: English
