Concept Guide
line vty 9
login authentication ucraaa
authorization exec ucraaa
accounting commands role netadmin ucraaa
!
Configuring TACACS+ and RADIUS VSA Attributes for RBAC
For RBAC and privilege levels, the Dell EMC Networking OS RADIUS and TACACS+ implementation supports two vendor-specific options:
privilege level and roles. The Dell EMC Networking vendor-ID is 6027 and the supported option is an attribute of type string, titled
"Force10-avpair". The value is a string in the following format:
protocol : attribute sep value
"attribute" and "value" are an attribute-value (AV) pair defined in the Dell EMC Networking OS TACACS+ specification, and "sep" is "=".
These attributes allow the full set of features available for TACACS+ authorization and are authorized with the same attributes for RADIUS.
Example for Configuring a VSA Attribute for a Privilege Level 15
The following example configures an AV pair which allows a user to log in from a network access server with a privilege level of 15, to have
access to EXEC commands.
The format to create a Dell EMC Networking AV pair for privilege level is shell:priv-lvl=<number> where number is a value between
0 and 15.
Force10-avpair= "shell:priv-lvl=15"
Example for Creating an AVP Pair for System Defined or User-Defined Role
The following section shows you how to create an AV pair to allow a user to log in from a network access server to have access to
commands based on the user's role. The format to create an AV pair for a user role is Force10-avpair= "shell:role=<user-role>"
where user-role is a user-defined or system-defined role.
In the following example, you create an AV pair for a system-defined role, sysadmin.
Force10-avpair= "shell:role=sysadmin"
In the following example, you create an AV pair for a user-defined role. You must also define a role, using the userrole myrole inherit
command on the switch, to associate it with this AV pair.
Force10-avpair= "shell:role=myrole"
The string, "myrole", is associated with a TACACS+ user group. The user IDs are associated with the user group.
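The following added example (not part of the Dell EMC guide) audits Force10-avpair values before they are loaded onto a RADIUS or TACACS+ server: it parses the protocol:attribute=value format described above, enforces the 0 to 15 range for priv-lvl, and flags level 15 grants and unexpected roles. The function names, the KNOWN_ROLES set and the sample strings are assumptions made for this illustration.

```python
import re

# Assumption: the roles this site expects to hand out; edit to match your switches.
KNOWN_ROLES = {"sysadmin", "netadmin", "myrole"}

# protocol : attribute = value, tolerating spaces around the separators.
AVPAIR_RE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*:\s*([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$")

def parse_avpair(raw):
    """Split 'protocol:attribute=value' into (protocol, attribute, value)."""
    # Drop surrounding straight or typographic quotes left by copy/paste.
    text = raw.strip().strip('"\u201c\u201d')
    m = AVPAIR_RE.match(text)
    if not m:
        raise ValueError(f"not in protocol:attribute=value form: {raw!r}")
    return m.group(1), m.group(2), m.group(3)

def audit_avpair(raw, known_roles=KNOWN_ROLES):
    """Return a list of findings for one Force10-avpair value (empty list = OK)."""
    try:
        protocol, attribute, value = parse_avpair(raw)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if protocol != "shell":
        findings.append(f"unexpected protocol {protocol!r}")
    if attribute == "priv-lvl":
        if not re.fullmatch(r"[0-9]+", value) or int(value) > 15:
            findings.append(f"priv-lvl must be 0-15, got {value!r}")
        elif int(value) == 15:
            findings.append("grants privilege level 15; confirm this user needs it")
    elif attribute == "role":
        if value not in known_roles:
            findings.append(f"role {value!r} is not in the expected role list")
    else:
        findings.append(f"unsupported attribute {attribute!r}")
    return findings

# Constructed sample values, as they might appear in a AAA server user file.
SAMPLES = ["shell:priv-lvl=15", "shell:role=sysadmin", "shell:role=myrole",
           "shell:priv-lvl=16", "shell:role=root", "shell priv-lvl 15"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:24} -> {audit_avpair(s) or 'ok'}")
```

A role name passing this check only means it is on the expected list; a user-defined role must still exist on the switch for the AV pair to take effect.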
Role Accounting
This section describes how to configure role accounting and how to display active sessions for roles.
This section consists of the following topics:
• Configuring AAA Accounting for Roles
• Applying an Accounting Method to a Role
• Displaying Active Accounting Sessions for Roles