Technical data

ManualsBrandsBrocade Communications Systems ManualsHome Theater ServerServerIron ADX 12.4.00

131

132

133

134

135

136

137

138

139

140

118 ServerIron ADX Administration Guide

53-1002434-01

Configuring TACACS or TACACS+ security

In the example above, the A-V pair configured for the Exec service is privlvl = 15. The

ServerIron uses the value in this A-V pair to set the user’s privilege level to 0 (super-user), granting

the user full read-write access.

In a configuration that has both a “brocade-privlvl” A-V pair and a non-”brocade-privlvl” A-V pair for

the Exec service, the non-”brocade-privlvl” A-V pair is ignored.

Example

user=bob {

default service = permit

member admin

# Global password

global = cleartext "cat"

service = exec {

brocade-privlvl = 4

privlvl = 15

}

In this example, the user would be granted a privilege level of 4 (port-config level). The privlvl

= 15 A-V pair is ignored by the ServerIron.

If the TACACS+ server has no A-V pair configured for the Exec service, the default privilege level of 5

(read-only) is used.

Configuring command authorization

When TACACS+ command authorization is enabled, the ServerIron consults a TACACS+ server to

get authorization for commands entered by the user.

You enable TACACS+ command authorization by specifying a privilege level whose commands

require authorization. For example, to configure the ServerIron to perform authorization for the

commands available at the Super User privilege level (that is, all commands on the device), enter

the following command.

ServerIronADX(config)# aaa authorization commands 0 default tacacs+

Syntax: aaa authorization commands <privilege-level> default tacacs+ | radius | none

The <privilege-level> parameter can be one of the following:

• 0 – Authorization is performed for commands available at the Super User level (all commands)

• 4 – Authorization is performed for commands available at the Port Configuration level

(port-config and read-only commands)

• 5 – Authorization is performed for commands available at the Read Only level (read-only

commands)

NOTE

TACACS+ command authorization can be performed only for commands entered from Telnet or SSH

sessions, or from the console. No authorization is performed for commands entered at the Web

Management Interface or IronView.

TACACS+ command authorization is not performed for the following commands:

• At all levels: exit, logout, end, and quit.

• At the Privileged EXEC level: enable or enable <text>, where <text> is the password configured

for the Super User privilege level.