Configuration Guide User guide

ManualsBrandsBrocade ManualsComputer AccessoriesFastIron

211

212

213

214

215

216

217

218

219

220

FastIron Configuration Guide 153

53-1002494-02

TACACS and TACACS+ security

In the example above, the A-V pair configured for the Exec service is privlvl = 15. The Brocade

device uses the value in this A-V pair to set the user privilege level to 0 (super-user), granting the

user full read-write access.

In a configuration that has both a “foundry-privlvl” A-V pair and a non-”foundry-privlvl” A-V pair for

the Exec service, the non-”foundry-privlvl” A-V pair is ignored.

Example

user=bob {

default service = permit

member admin

#Global password

global = cleartext "cat"

service = exec {

foundry-privlvl = 4

privlvl = 15

}

In this example, the user would be granted a privilege level of 4 (port-config level). The privlvl =

15 A-V pair is ignored by the Brocade device.

If the TACACS+ server has no A-V pair configured for the Exec service, the default privilege level of 5

(read-only) is used.

Configuring command authorization

When TACACS+ command authorization is enabled, the Brocade device consults a TACACS+ server

to get authorization for commands entered by the user.

You enable TACACS+ command authorization by specifying a privilege level whose commands

require authorization. For example, to configure the Brocade device to perform authorization for the

commands available at the Super User privilege level (that is, all commands on the device), enter

the following command.

Brocade(config)#aaa authorization commands 0 default tacacs+

Syntax: aaa authorization commands <privilege-level> default tacacs+ | radius | none

The <privilege-level> parameter can be one of the following:

• 0 – Authorization is performed for commands available at the Super User level (all commands)

• 4 – Authorization is performed for commands available at the Port Configuration level

(port-config and read-only commands)

• 5 – Authorization is performed for commands available at the Read Only level (read-only

commands)

NOTE

TACACS+ command authorization can be performed only for commands entered from Telnet or SSH

sessions, or from the console. No authorization is performed for commands entered at the Web

Management Interface.

TACACS+ command authorization is not performed for the following commands:

• At all levels: exit, logout, end, and quit.

• At the Privileged EXEC level: enable or enable <text>, where <text> is the password configured

for the Super User privilege level.