Concept Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S3048-ON

781

782

783

784

785

786

787

788

789

790

The following example deletes a user role.

NOTE: If you already have a user ID that exists with a privilege level, you can add the user role to username that has a privilege

DellEMC(conf)# no username john

The following example adds a user, to the secadmin user role.

DellEMC(conf)# username john role secadmin password 0 password

AAA Authentication and Authorization for Roles

This section describes how to congure AAA Authentication and Authorization for Roles.

Conguration Task List for AAA Authentication and Authorization for Roles

This section contains the following AAA Authentication and Authorization for Roles conguration tasks:

• Conguring AAA Authentication for Roles

• Conguring AAA Authorization for Roles

• Conguring TACACS+ and RADIUS VSA Attributes for RBAC

Congure AAA Authentication for Roles

Authentication services verify the user ID and password combination. Users with dened roles and users with privileges are authenticated

with the same mechanism. There are six methods available for authentication: radius, tacacs+, local, enable, line, and none.

When role-based only AAA authorization is enabled, the enable, line, and none methods are not available. Each of these three methods

allows users to be veried with either a password that is not specic to their user ID or with no password at all. Because of the lack of

security these methods are not available for role only mode. When the system is in role-only mode, users that have only privilege levels are

denied access to the system because they do not have a role. For information about role only mode, see Conguring Role-based Only AAA

Authorization.

NOTE

: Authentication services only validate the user ID and password combination. To determine which commands are

permitted for users, congure authorization. For information about how to congure authorization for roles, see Congure AAA

Authorization for Roles.

To congure AAA authentication, use the aaa authentication command in CONFIGURATION mode.

aaa authentication login {method-list-name | default} method [… method4]

Congure AAA Authorization for Roles

Authorization services determine if the user has permission to use a command in the CLI. Users with only privilege levels can use

commands in privilege-or-role mode (the default) provided their privilege level is the same or greater than the privilege level of those

commands. Users with dened roles can use commands provided their role is permitted to use those commands. Role inheritance is also

used to determine authorization.

Users with roles and privileges are authorized with the same mechanism. There are six methods available for authorization: radius,

tacacs+, local, enable, line, and none.

When role-based only AAA authorization is enabled, the enable, line, and none methods are not available. Each of these three

methods allows users to be authorized with either a password that is not specic to their userid or with no password at all. Because of the

lack of security, these methods are not available for role-based only mode.

Security

785