Configuration Guide User guide

ManualsBrandsBrocade ManualsComputer AccessoriesFastIron

221

222

223

224

225

226

227

228

229

230

FastIron Configuration Guide 171

53-1002494-02

RADIUS security

This happens because RADIUS command authorization requires a list of allowable commands

from the RADIUS server. This list is obtained during RADIUS authentication. For console sessions,

RADIUS authentication is performed only if you have configured Enable authentication and

specified RADIUS as the authentication method (for example, with the aaa authentication enable

default radius command). If RADIUS authentication is never performed, the list of allowable

commands is never obtained from the RADIUS server. Consequently, there would be no allowable

commands on the console.

RADIUS accounting

Brocade devices support RADIUS accounting for recording information about user activity and

system events. When you configure RADIUS accounting on a Brocade device, information is sent to

a RADIUS accounting server when specified events occur, such as when a user logs into the device

or the system is rebooted.

Configuring RADIUS accounting for Telnet/SSH (Shell) access

To send an Accounting Start packet to the RADIUS accounting server when an authenticated user

establishes a Telnet or SSH session on the Brocade device, and an Accounting Stop packet when

the user logs out.

Brocade(config)#aaa accounting exec default start-stop radius

Syntax: aaa accounting exec default start-stop radius | tacacs+ | none

Configuring RADIUS accounting for CLI commands

You can configure RADIUS accounting for CLI commands by specifying a privilege level whose

commands require accounting. For example, to configure the Brocade device to perform RADIUS

accounting for the commands available at the Super User privilege level (that is; all commands on

the device), enter the following command.

Brocade(config)#aaa accounting commands 0 default start-stop radius

An Accounting Start packet is sent to the RADIUS accounting server when a user enters a

command, and an Accounting Stop packet is sent when the service provided by the command is

completed.

NOTE

If authorization is enabled, and the command requires authorization, then authorization is

performed before accounting takes place. If authorization fails for the command, no accounting

takes place.

Syntax: aaa accounting commands <privilege-level> default start-stop radius | tacacs | none

The <privilege-level> parameter can be one of the following:

• 0 – Records commands available at the Super User level (all commands)

• 4 – Records commands available at the Port Configuration level (port-config and read-only

commands)

• 5 – Records commands available at the Read Only level (read-only commands)