60
# Verify that you can use all read and write commands of the radius and arp features. This example
uses radius.
[Switch] radius scheme rad
[Switch-radius-rad] primary authentication 2.2.2.2
[Switch-radius-rad] display radius scheme rad
…
Output of the RADIUS scheme is omitted.
# Verify that you cannot configure any VLAN except VLANs 1 to 20. Take VLAN 10 and VLAN 30 as
examples.
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] vlan 30
Permission denied.
# Verify that you cannot configure any interface except GigabitEthernet 1/0/1 to GigabitEthernet
1/0/20. Take GigabitEthernet 1/0/2 and GigabitEthernet 1/0/22 as examples.
[Switch] vlan 10
[Switch-vlan10] port gigabitethernet 1/0/2
[Switch-vlan10] port gigabitethernet 1/0/22
Permission denied.
RBAC temporary user role authorization configuration
example (HWTACACS authentication)
Network requirements
As shown in Figure 21, the switch uses local authentication for login users, including the Telnet user
at 192.168.1.58. The user account for the Telnet user is test@bbb and is assigned the user role
level-0.
Configure the remote-then-local authentication mode for temporary user role authorization. The
switch uses the HWTACACS server to provide authentication for changing the user role among
level-0 through level-3 or changing the user role to network-admin. If the AAA configuration is
invalid or the HWTACACS server does not respond, the switch performs local authentication.
Figure 21 Network diagram
Configuration procedure
1. Configure the switch:
# Assign an IP address to VLAN-interface 2, the interface connected to the Telnet user.
<Switch> system-view
Internet
Switch
Telnet user
192.168.1.58/24
HWTACACS server
10.1.1.1/24
Vlan-int2
192.168.1.70/24
Vlan-int3
10.1.1.2/24
To Next Page
Loading...
Need help?
General