Access Security Guide K/KA/KB.15.15

Figure 119 Example of optional accounting update period and accounting suppression on unknown user
Configuring commands authorization on a RADIUS server
Using Vendor Specific Attributes (VSAs)
Some RADIUS-based features implemented on HP switches use HP VSAs to exchange information with
the RADIUS server. RADIUS Access-Accept packets sent to the switch may carry this vendor-specific
information.
The list of commands that the user is permitted (or denied) to execute is specified as regular
expressions. The system compares each regular expression against the full command name to
determine whether the user is allowed to execute the command. For example, assume a RADIUS
user is defined as follows:
User1
    User-Password = "hpswitch"
    Service-Type = Administrative-User,
    HP-Command-Exception = 1, # Deny_list
    HP-Command-String = "config"
User1 is blocked from executing all commands whose full name contains "config", which includes
the following commands:
configure
show running-config (sh run)
show config
To block User1 from executing only the "configure" command, the regular expression would be:
User1
    User-Password = "hpswitch"
    Service-Type = Administrative-User,
    HP-Command-Exception = 1, # Deny_list
    HP-Command-String = "^configure$"
The ^ metacharacter anchors the start of the string and the $ metacharacter anchors the end of the string.
Multiple regular expressions are separated by semi-colons. Do not leave a space between the semi-colon
and the start of the next regular expression, because the space would become part of that expression.
An HP-Command-String with more than one regular expression defined may look as follows:
    HP-Command-String = "^configure$;^show running-config$"
In this case, User1 is blocked from executing the commands configure and show running-config
but is able to execute the "show config" command.
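The matching rules just described, as an added Python model that is not part of the guide or of the switch firmware: it splits HP-Command-String on semi-colons, searches each expression against the full command name, and applies HP-Command-Exception as a deny list. Treating HP-Command-Exception = 0 as a permit list, and assuming abbreviations such as sh run are already expanded to the full command before the check, are assumptions of this example.

```python
import re

# Added example: models the HP commands-authorization rules described above.
# HP-Command-String is a semicolon-delimited list of regular expressions that
# the switch searches against the FULL command name (abbreviations such as
# "sh run" are assumed to be expanded to "show running-config" before the check).
# HP-Command-Exception = 1 makes the list a deny list; treating 0 as a permit
# list is an assumption of this example, not a statement from the guide.

def parse_command_string(command_string):
    """Split an HP-Command-String value on ';' and compile each expression.

    No whitespace trimming is done on purpose: a space after a semicolon
    becomes part of the next pattern, which is why the guide warns against it.
    """
    return [re.compile(expr) for expr in command_string.split(";") if expr]

def is_command_allowed(command_string, command_exception, full_command):
    """Return True if full_command may run under the given RADIUS attributes."""
    matched = any(p.search(full_command) for p in parse_command_string(command_string))
    if command_exception == 1:   # deny list: any match blocks the command
        return not matched
    return matched               # permit list (assumed): a match is required

CANDIDATES = ("configure", "show running-config", "show config")

def blocked_commands(command_string, candidates=CANDIDATES):
    """Return the candidate commands a deny list (HP-Command-Exception = 1) blocks."""
    return [c for c in candidates if not is_command_allowed(command_string, 1, c)]

if __name__ == "__main__":
    # Constructed HP-Command-String values taken from the three User1 cases
    # above, plus one with a stray space after the semicolon.
    for cs in ("config", "^configure$", "^configure$;^show running-config$",
               "^configure$; ^show running-config$"):
        print(f'HP-Command-String = "{cs}" blocks {blocked_commands(cs)}')
```

The last case shows the failure mode the guide warns about: with a space after the semi-colon, the second expression becomes " ^show running-config$", which can never match, so show running-config is no longer blocked.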
The attributes supported with commands authorization are:
HP-Command-String: List of commands (regular expressions) that are permitted (or denied)
execution by the user. The commands are delimited by semi-colons and must be between 1