R21xx-HP FlexFabric 11900 Fundamentals Configuration Guide

[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] quit
# Associate the ACL with the SNMP community and the SNMP group.
[Sysname] snmp-agent community read aaa acl 2000
[Sysname] snmp-agent group v2c groupa acl 2000
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000

Configuring command authorization

By default, commands are available for a user depending only on that user's user roles. When the
authentication mode is scheme, you can configure the command authorization function to further control
access to commands.
After you enable command authorization, a command is available for a user only if the user has the
commensurate user role and is authorized to use the command by the AAA scheme.
This section provides the procedure for configuring command authorization. To make the command
authorization function take effect, you must configure a command authorization method in ISP domain
view. For more information, see Security Configuration Guide.

Configuration procedure

To configure command authorization:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter user interface view.
  Command: user-interface { first-number1 [ last-number1 ] | { aux | vty } first-number2 [ last-number2 ] }
  Remarks: N/A

Step 3. Enable scheme authentication.
  Command: authentication-mode scheme
  Remarks: By default, the authentication mode is none for the AUX user interface.

Step 4. Enable command authorization.
  Command: command authorization
  Remarks: By default, command authorization is disabled, and the commands available for a user only depend on the user role. This command takes effect immediately after it is configured. Configure the command authorization method in ISP domain view before configuring this command.
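
One way to check the result of the procedure above across a saved configuration, as an added example that is not part of the original guide: the script flags user interface views where command authorization is missing or is set without scheme authentication. The sample configuration text and the function names are constructed for illustration, and the script assumes each user-interface view lists its commands indented by one space and that a view with no authentication-mode scheme line is not using scheme authentication.

```python
import re

# Constructed sample configuration text, not captured from a real device.
SAMPLE_CONFIG = """\
user-interface aux 0
 authentication-mode scheme
 command authorization
#
user-interface vty 0 4
 authentication-mode scheme
#
user-interface vty 5 15
 authentication-mode none
 command authorization
"""

HEADER = re.compile(r"^user-interface\s+(.+)$")


def parse_user_interfaces(config_text):
    """Return {interface range: [commands configured in that view]}."""
    views, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        match = HEADER.match(line)
        if match:
            current = match.group(1).strip()
            views[current] = []
        elif current is not None and line.startswith(" "):
            views[current].append(line.strip())
        else:
            current = None  # "#" separator or another top-level view
    return views


def audit_command_authorization(config_text):
    """Return (interface, finding) pairs where authorization is off or ineffective."""
    findings = []
    for name, commands in parse_user_interfaces(config_text).items():
        if "command authorization" not in commands:
            findings.append((name, "command authorization not enabled"))
        elif "authentication-mode scheme" not in commands:
            findings.append((name, "command authorization without scheme authentication"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_command_authorization(SAMPLE_CONFIG):
        print(f"user-interface {name}: {finding}")
```
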

Configuring command accounting

Command accounting allows the HWTACACS server to record all executed commands that are
supported by the device, regardless of the command execution result. This function helps control and
monitor user behaviors on the device.
When command accounting is disabled, the accounting server does not record the commands executed
by users. If command accounting is enabled but command authorization is not, every executed
command is recorded on the HWTACACS server. If both command accounting and command