ServerIron ADX Administration Guide (53-1002434-01), page 117
Chapter 2: Configuring TACACS or TACACS+ security
Configuring an attribute-value pair on the TACACS+ server
During TACACS+ exec authorization, the ServerIron expects the TACACS+ server to send a response
containing an A-V (Attribute-Value) pair that specifies the privilege level of the user. When the
ServerIron receives the response, it extracts an A-V pair configured for the Exec service and uses it
to determine the user’s privilege level.
To set a user’s privilege level, you can configure the “brocade-privlvl” A-V pair for the Exec service
on the TACACS+ server.
Example

    user=bob {
        default service = permit
        member admin
        # Global password
        global = cleartext "cat"
        service = exec {
            brocade-privlvl = 0
        }
    }
In this example, the A-V pair brocade-privlvl = 0 grants the user full read-write access. The
value in the brocade-privlvl A-V pair is an integer that indicates the privilege level of the user.
Possible values are 0 for super-user level, 4 for port-config level, or 5 for read-only level. If a value
other than 0, 4, or 5 is specified in the brocade-privlvl A-V pair, the default privilege level of 5
(read-only) is used. The brocade-privlvl A-V pair can also be embedded in the group configuration
for the user. Refer to your TACACS+ documentation for the configuration syntax relevant to your
server.
If the brocade-privlvl A-V pair is not present, the ServerIron extracts the last A-V pair configured for
the Exec service that has a numeric value. The ServerIron uses this A-V pair to determine the
user’s privilege level.
Example

    user=bob {
        default service = permit
        member admin
        # Global password
        global = cleartext "cat"
        service = exec {
            privlvl = 15
        }
    }
The attribute name in the A-V pair is not significant; the ServerIron uses the last one that has a
numeric value. However, the ServerIron interprets the value for a non-"brocade-privlvl" A-V pair
differently than it does for a "brocade-privlvl" A-V pair. The following table lists how the ServerIron
associates a value from a non-"brocade-privlvl" A-V pair with a Brocade privilege level.
TABLE 8 Brocade equivalents for non-"brocade-privlvl" A-V pair values

    Value for non-"brocade-privlvl" A-V pair    Brocade privilege level
    15                                          0 (super-user)
    14 through 1                                4 (port-config)
    Any other number, or 0                      5 (read-only)
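As an added example that is not part of this guide or of Brocade's software, the following Python function applies the rules above (an explicit brocade-privlvl first, otherwise the last numeric A-V pair mapped through Table 8) to the A-V pairs of an exec authorization reply, so an administrator can check which privilege level a given TACACS+ user profile would actually yield. The input format (a list of "attr=value" strings) and the fallback when no numeric pair is present at all are assumptions.

```python
# Added example (not Brocade's code): resolve the ServerIron privilege level
# from the A-V pairs of a TACACS+ exec authorization reply, per the rules
# on this page. Pairs are "attr=value" strings; the TACACS+ "*" separator
# (optional attribute) is accepted as well.
import re

READ_ONLY = 5  # default privilege level when nothing valid is found


def map_generic_privlvl(value: int) -> int:
    """Table 8: value of a non-"brocade-privlvl" pair -> Brocade level."""
    if value == 15:
        return 0            # super-user
    if 1 <= value <= 14:
        return 4            # port-config
    return READ_ONLY        # 0 or any other number


def parse_av_pair(pair: str):
    """Split 'attr=value' (or 'attr*value') into (attr, value)."""
    m = re.match(r"^([^=*]+)[=*](.*)$", pair)
    if not m:
        raise ValueError(f"malformed A-V pair: {pair!r}")
    return m.group(1).strip(), m.group(2).strip()


def is_numeric(value: str) -> bool:
    return re.fullmatch(r"-?\d+", value) is not None


def resolve_privilege(exec_av_pairs):
    """Return the privilege level the ServerIron assigns for these pairs.

    exec_av_pairs: A-V pairs returned for the exec service, in server order.
    """
    parsed = [parse_av_pair(p) for p in exec_av_pairs]
    # 1. An explicit brocade-privlvl wins; only 0, 4 and 5 are valid,
    #    anything else falls back to read-only (5).
    for attr, value in parsed:
        if attr == "brocade-privlvl":
            if is_numeric(value) and int(value) in (0, 4, 5):
                return int(value)
            return READ_ONLY
    # 2. Otherwise the LAST pair with a numeric value decides (Table 8),
    #    whatever its attribute name is.
    for attr, value in reversed(parsed):
        if is_numeric(value):
            return map_generic_privlvl(int(value))
    # 3. No numeric pair at all: assumed here to mean read-only; the
    #    guide does not state this case.
    return READ_ONLY
```

Because any trailing numeric attribute (for example a timeout value) can end up being the one that decides the level, setting brocade-privlvl explicitly in the server profile is the safer configuration.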