Administrator Guide

aaa authorization role-only
Configure authentication to use the user’s role only when determining if access to commands is permitted.
C9000
Syntax
aaa authorization role-only
To return to the default setting, use the no aaa authorization role-only command.
Parameters
name
Enter a text string for the name of the user, up to 63 characters. It cannot be one of the system-defined roles (sysadmin, secadmin, netadmin, netoperator).
inherit existing-role-name
Enter the inherit keyword, then specify the system-defined role to inherit permissions from (sysadmin, secadmin, netadmin, netoperator).
Defaults none
Command Modes CONFIGURATION
Command History
Version Description
9.9(0.0) Introduced on the C9010.
9.5(0.0) Introduced on the Z9000, S6000, S4820T, S4810, and MXL.
Usage Information
By default, access to commands is determined by the user’s role (if defined) or by the user’s privilege level. If the aaa authorization role-only command is enabled, only the user’s role is used.
Before you enable role-only AAA authorization:
1. Locally define a system administrator user role. This gives you access to log in with full permissions even if network connectivity to remote authentication servers is not available.
2. Configure login authentication on the console. This ensures that all users are properly identified through authentication regardless of the access point.
3. Specify an authentication method (RADIUS, TACACS+, or Local).
4. Specify an authorization method (RADIUS, TACACS+, or Local).
5. Verify that the configuration has been applied to the console or VTY line.
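The five steps above as one worked CLI session, added here as an example and not taken from the guide. The prompts, the user name admin-local, the password placeholder and the use of the default method list are constructed; a TACACS+ server is assumed to be configured already; and the username, aaa authentication login, aaa authorization exec, line and show running-config commands are assumed Dell Networking OS 9.x syntax, not commands documented on this page.

```text
! Step 1: a locally defined user holding the sysadmin role (constructed name,
! placeholder password), so the switch stays manageable if TACACS+ is unreachable.
Dell(conf)# username admin-local password 0 <PASSWORD> role sysadmin

! Steps 3 and 4: authentication and authorization method lists that try the
! remote server first and fall back to the local database.
Dell(conf)# aaa authentication login default tacacs+ local
Dell(conf)# aaa authorization exec default tacacs+ local

! Step 2: apply login authentication (and exec authorization) on the console.
Dell(conf)# line console 0
Dell(config-line-console)# login authentication default
Dell(config-line-console)# authorization exec default
Dell(config-line-console)# exit

! Same on the VTY lines so SSH/Telnet sessions are covered as well.
Dell(conf)# line vty 0 9
Dell(config-line-vty)# login authentication default
Dell(config-line-vty)# authorization exec default
Dell(config-line-vty)# exit

! Step 5: confirm the method lists are bound to the lines before switching over.
Dell(conf)# do show running-config aaa
Dell(conf)# do show running-config line

! Only now enable role-only authorization; from here privilege levels are ignored
! and a user with no role has no command access.
Dell(conf)# aaa authorization role-only

! Grant the netoperator role one extra CONFIGURATION-mode command with the
! role command documented on this page (mode = configure, command = interface).
Dell(conf)# role configure addrole netoperator interface
```

Keep the console session open until the show output confirms the bindings; if the method lists are missing from the lines when role-only is switched on, a user without a role is locked out of every command.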
role
Changes command permissions for roles.
C9000
Syntax
role mode { { { addrole | deleterole } role-name } | reset } command
To delete access to a command, use the no role mode role-name
Parameters
mode
Enter one of the following keywords as the mode for which you are controlling access:
configure for CONFIGURATION mode
exec for EXEC mode
interface for INTERFACE modes
line for LINE mode
route-map for Route-map mode
router for Router mode
addrole
Enter the keyword addrole to add permission to the command. You cannot add or delete rights for the sysadmin role.
1392 Security