Configuration Guide User guide

ManualsBrandsBrocade ManualsComputer AccessoriesFastIron

221

222

223

224

225

226

227

228

229

230

170 FastIron Configuration Guide

53-1002494-02

RADIUS security

Also note that in order for the aaa authorization exec default radius command to work, either the

aaa authentication enable default radius command, or the aaa authentication login privilege-mode

command must also exist in the configuration.

Configuring command authorization

When RADIUS command authorization is enabled, the Brocade device consults the list of

commands supplied by the RADIUS server during authentication to determine whether a user can

execute a command he or she has entered.

You enable RADIUS command authorization by specifying a privilege level whose commands

require authorization. For example, to configure the Brocade device to perform authorization for the

commands available at the Super User privilege level (that is; all commands on the device), enter

the following command.

Brocade(config)#aaa authorization commands 0 default radius

Syntax: aaa authorization commands <privilege-level> default radius | tacacs+ | none

The <privilege-level> parameter can be one of the following:

• 0 – Authorization is performed (that is, the Brocade device looks at the command list) for

commands available at the Super User level (all commands)

• 4 – Authorization is performed for commands available at the Port Configuration level

(port-config and read-only commands)

• 5 – Authorization is performed for commands available at the Read Only level (read-only

commands)

NOTE

RADIUS command authorization can be performed only for commands entered from Telnet or SSH

sessions, or from the console. No authorization is performed for commands entered at the Web

Management Interface.

NOTE

Since RADIUS command authorization relies on the command list supplied by the RADIUS server

during authentication, you cannot perform RADIUS authorization without RADIUS authentication.

Command authorization and accounting for console commands

The Brocade device supports command authorization and command accounting for CLI commands

entered at the console. To configure the device to perform command authorization and command

accounting for console commands, enter the following.

Brocade(config)#enable aaa console

Syntax: enable aaa console

CAUTION

If you have previously configured the device to perform command authorization using a RADIUS

server, entering the enable aaa console command may prevent the execution of any subsequent

commands entered on the console.