[Switch-luser-manage-user1] undo authorization-attribute user-role network-operator
[Switch-luser-manage-user1] quit
Verifying the configuration
# Telnet to the switch, and enter the username and password to access the switch. (Details not shown.)
# Verify that you can create VLANs 10 to 20. This example uses VLAN 10.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] quit
# Verify that you cannot create any VLANs other than VLANs 10 to 20. This example uses VLAN 30.
[Switch] vlan 30
Permission denied.
# Verify that you can use all read commands of any feature. This example uses display clock.
[Switch] display clock
09:31:56 UTC Tues 01/01/2013
[Switch] quit
# Verify that you cannot use the write or execute commands of any feature.
<Switch> debugging role all
Permission denied.
<Switch> ping 192.168.1.58
Permission denied.
RBAC configuration example for RADIUS authentication users
Network requirements
As shown in Figure 20, the switch uses the FreeRADIUS server at 10.1.1.1/24 to provide AAA service for login users, including the Telnet user at 192.168.1.58. The user account for the Telnet user is hello@bbb and is assigned the user role role2.
The user role role2 has the following permissions:
Can use all commands in ISP view.
Can use the read and write commands of the arp and radius features.
Cannot access the read commands of the acl feature.
Can configure only VLANs 1 to 20 and interfaces GigabitEthernet 1/0/1 to GigabitEthernet 1/0/20.
The switch and the FreeRADIUS server use the shared key expert and authentication port 1812.
The switch delivers usernames with their domain names to the server.
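One way to turn the role2 requirements above into a deny-by-default role definition, added here as an illustration and not the page's own procedure. It assumes Comware V7 RBAC command syntax, the hostname Switch used in the earlier example, and that FreeRADIUS hands the role back in a Cisco-AVPair attribute; the scheme name rad and the password are placeholders.

```text
# Added example (assumed Comware V7 syntax; not the page's own procedure).
<Switch> system-view
[Switch] role name role2
# Permit every command in ISP view.
[Switch-role-role2] rule 1 permit command system-view ; domain *
# Read and write access to the arp and radius features.
[Switch-role-role2] rule 2 permit read write feature arp
[Switch-role-role2] rule 3 permit read write feature radius
# Explicitly deny read access to the acl feature. Rule IDs matter:
# when two rules conflict, the higher-numbered rule takes effect (assumed).
[Switch-role-role2] rule 4 deny read feature acl
# Deny all VLANs, then permit only VLANs 1 to 20.
[Switch-role-role2] vlan policy deny
[Switch-role-role2-vlanpolicy] permit vlan 1 to 20
[Switch-role-role2-vlanpolicy] quit
# Deny all interfaces, then permit only GigabitEthernet 1/0/1 to 1/0/20.
[Switch-role-role2] interface policy deny
[Switch-role-role2-ifpolicy] permit interface gigabitethernet 1/0/1 to gigabitethernet 1/0/20
[Switch-role-role2-ifpolicy] quit
[Switch-role-role2] quit
# Verify the rules and policies before assigning the role to anyone.
[Switch] display role name role2

# RADIUS scheme matching the requirements (scheme name rad is a placeholder):
# shared key expert, authentication port 1812, usernames sent with domain.
[Switch] radius scheme rad
[Switch-radius-rad] primary authentication 10.1.1.1 1812
[Switch-radius-rad] key authentication simple expert
[Switch-radius-rad] user-name-format with-domain
[Switch-radius-rad] quit

# FreeRADIUS users-file entry (assumed attribute format) that returns role2
# for hello@bbb; <PASSWORD> is a placeholder.
# hello@bbb   Cleartext-Password := "<PASSWORD>"
#             Cisco-AVPair = "shell:roles=\"role2\""
```

Because the VLAN and interface policies default to deny once enabled, anything not listed in the permit statements is rejected, which is the check behind the "Permission denied." output shown for VLAN 30 in the previous example.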