Configuration Guide User guide

ManualsBrandsBrocade ManualsComputer AccessoriesFastIron

201

202

203

204

205

206

207

208

209

210

FastIron Configuration Guide 151

53-1002494-02

TACACS and TACACS+ security

Telnet and SSH prompts when the TACACS+ Server is unavailable

When TACACS+ is the first method in the authentication method list, the device displays the login

prompt received from the TACACS+ server. If a user attempts to login through Telnet or SSH, but

none of the configured TACACS+ servers are available, the following takes place:

• If the next method in the authentication method list is "enable", the login prompt is skipped,

and the user is prompted for the Enable password (that is, the password configured with the

enable super-user-password command).

• If the next method in the authentication method list is "line", the login prompt is skipped, and

the user is prompted for the Line password (that is, the password configured with the enable

telnet password command).

Configuring TACACS+ authorization

Brocade devices support TACACS+ authorization for controlling access to management functions in

the CLI. Two kinds of TACACS+ authorization are supported:

• Exec authorization determines a user privilege level when they are authenticated

• Command authorization consults a TACACS+ server to get authorization for commands entered

by the user

Configuring exec authorization

When TACACS+ exec authorization is performed, the Brocade device consults a TACACS+ server to

determine the privilege level of the authenticated user. To configure TACACS+ exec authorization on

the Brocade device, enter the following command.

Brocade(config)#aaa authorization exec default tacacs+

Syntax: aaa authorization exec default tacacs+ | none

If you specify none, or omit the aaa authorization exec command from the device configuration, no

exec authorization is performed.

A user privilege level is obtained from the TACACS+ server in the “foundry-privlvl” A-V pair. If the aaa

authorization exec default tacacs command exists in the configuration, the device assigns the user

the privilege level specified by this A-V pair. If the command does not exist in the configuration,

then the value in the “foundry-privlvl” A-V pair is ignored, and the user is granted Super User

access.

NOTE

If the aaa authorization exec default tacacs+ command exists in the configuration, following

successful authentication the device assigns the user the privilege level specified by the

“foundry-privlvl” A-V pair received from the TACACS+ server. If the aaa authorization exec default

tacacs+ command does not exist in the configuration, then the value in the “foundry-privlvl” A-V pair

is ignored, and the user is granted Super User access.

Also note that in order for the aaa authorization exec default tacacs+ command to work, either the

aaa authentication enable default tacacs+ command, or the aaa authentication login

privilege-mode command must also exist in the configuration.