62
Assigning user roles to non-AAA authentication users on
user lines
Specify user roles for the following two types of login users on the user lines:
• Users who use password authentication or no authentication.
• SSH clients that use publickey or password-publickey authentication. User roles assigned to
these SSH clients are specified in their respective local device management user accounts.
For more information about user lines, see "Login overview" and "Logging in to the CLI." For more
informatio
n about SSH, see Security Configuration Guide.
To assign a user role to non-AAA authentication users on a user line:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter user line view or
use line class view.
• Enter user line view:
line { first-num1 [ last-num1 ]
| { aux | vty } first-num2
[ last-num2 ] }
• Enter user line class view:
line class { aux | vty }
For information about the priority
order and application scope of the
configurations in user line view and
user line class view, see "Logging in
to the CLI"
3. Specify a user role on the
user line.
user-role
role-name
Repeat this step to specify a
maximum of 64 user roles on a user
line.
By default, network-admin is
specified on the AUX user line, and
network-operator is specified on any
other user line.
The device does not assign the
security-audit user role to the users
who are logged in to the device
through the current user line.
Configuring temporary user role authorization
Temporary user role authorization allows you to obtain another user role without reconnecting to the
device. This feature is useful when you want to use a user role temporarily to configure a feature.
Temporary user role authorization is effective only on the current login. This function does not
change the user role settings in the user account that you have been logged in with. The next time
you are logged in with the user account, the original user role settings take effect.
Configuration guidelines
When you configure temporary user role authorization, follow these guidelines:
• To enable a user to obtain another user role without reconnecting to the device, you must
configure user role authentication. Table 10 de
scribes the available authentication modes and
configuration requirements.
• If HWTACACS authentication is used, the following rules apply:
{ The device uses the entered username and password to request role authentication, and it
sends the username to the server in the format username or username@domain-name.
To Next Page
Loading...
Need help?
General