Access Security Guide K/KA/KB.15.15

Example 6 To enable the RADIUS protocol as the authorization method:
HP Switch(config)# aaa authorization commands radius
When the NAS sends the RADIUS server a valid username and password, the RADIUS server sends
an Access-Accept packet that contains two attributes: the command list and the command exception
flag. When an authenticated user enters a command on the switch, the switch examines the list of
commands delivered in the RADIUS Access-Accept packet as well as the command exception flag,
which indicates whether the user has permission to execute the commands in the list. See
“Configuring commands authorization on a RADIUS server” (page 163).
After the Access-Accept packet is delivered, the command list resides on the switch. Any changes
to the user's command list on the RADIUS server are not seen until the user is authenticated again.
Creating Local Privilege Levels
This feature allows more granular localized control over user access when accessing the switch
through the console or by telnet or SSH. Instead of allowing access to all commands with the
“manager” command, or very restricted access with the “operator” command, the local access
can be customized to allow only the commands that the local account is authorized to execute. The
new local accounts are in addition to and independent of the existing manager and operator
accounts, with the exception that if a username is set for a manager or operator account, that
name cannot be the same as any of the local user account names.
To do this, groups are created that contain up to 16 user accounts. The group has a list of match
commands that determine if that user is authorized to execute that command. Up to 100 local user
accounts are supported. The local user accounts are stored in the configuration as an SHA1 hash,
which is only displayed if “include-credentials” is enabled. A password is required for the local
user accounts, but nothing else.
There is one default group—operator. Users assigned to the operator group have only operator
privileges.
Applying the authorization group to a local user account only occurs if the user logs in using local
as the primary authentication method and the aaa authorization commands local command has
been executed. Authorization groups are not supported when the login method is set as secondary
local authentication.
These commands are authorized at all access levels:
exit
logout
page
redo
repeat
end
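The authorization decision described above (the command list plus the exception flag delivered in the Access-Accept, the list held on the switch until the user authenticates again, and the six commands authorized at every access level) as an added Python model; it is not HP's code. The glob-style command matching and the dictionary standing in for the RADIUS server are assumptions of this example.

```python
from copy import deepcopy
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List

# Commands the guide lists as authorized at all access levels.
ALWAYS_AUTHORIZED = frozenset({"exit", "logout", "page", "redo", "repeat", "end"})


@dataclass
class CommandAuthorization:
    """The two Access-Accept attributes: the command list and the exception flag.

    permit_listed=True  -> the listed commands are the ones the user may run
    permit_listed=False -> the listed commands are the ones the user may NOT run
    Shell-style, case-sensitive glob patterns are an assumption of this example.
    """
    commands: List[str] = field(default_factory=list)
    permit_listed: bool = True

    def is_authorized(self, command: str) -> bool:
        words = command.split()
        if not words:
            return False
        if words[0] in ALWAYS_AUTHORIZED:
            return True  # exit, logout, ... need no list entry
        listed = any(fnmatchcase(" ".join(words), p) for p in self.commands)
        return listed if self.permit_listed else not listed


class SwitchAuthz:
    """Per-user command lists held on the switch after the Access-Accept.

    `radius` is a constructed stand-in for the server. A session only picks up
    server-side changes when the user authenticates again.
    """
    def __init__(self, radius: Dict[str, CommandAuthorization]):
        self.radius = radius
        self.sessions: Dict[str, CommandAuthorization] = {}

    def authenticate(self, user: str) -> None:
        self.sessions[user] = deepcopy(self.radius[user])  # list delivered once

    def check(self, user: str, command: str) -> bool:
        return self.sessions[user].is_authorized(command)


# Constructed sample profiles: a permit list and a deny list.
RADIUS = {
    "helpdesk": CommandAuthorization(["show *", "ping *"], permit_listed=True),
    "netops": CommandAuthorization(["erase *", "reload"], permit_listed=False),
}
```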
Configuring Groups for Local Authorization
You must create a group for local authorization before you can assign local users to it. When
creating the group, at least one command is created as part of that group. Typically, multiple
commands are assigned to a group.
NOTE: You must enable local authorization by executing aaa authorization commands
local to use this feature.
To create a group, enter this command.
176 RADIUS Authentication, Authorization, and Accounting