BLADE OS™ Application Guide HP GbE2c Ethernet Blade Switch for c-Class BladeSystem Version 5.1 Advanced Functionality Software
Table Of Contents
- Contents
- Figures
- Tables
- Preface
- Part 1: Basic Switching
- Accessing the Switch
- The Management Network
- Local Management Using the Console Port
- The Command Line Interface
- Remote Management Access
- Client IP Address Agents
- Securing Access to the Switch
- Setting Allowable Source IP Address Ranges
- RADIUS Authentication and Authorization
- TACACS+ Authentication
- LDAP Authentication and Authorization
- Secure Shell and Secure Copy
- Configuring SSH/SCP Features on the Switch
- Configuring the SCP Administrator Password
- Using SSH and SCP Client Commands
- SSH and SCP Encryption of Management Messages
- Generating RSA Host and Server Keys for SSH Access
- SSH/SCP Integration with Radius Authentication
- SSH/SCP Integration with TACACS+ Authentication
- End User Access Control
- Ports and Trunking
- Port-Based Network Access Control
- VLANs
- Spanning Tree Protocol
- RSTP and MSTP
- Link Layer Discovery Protocol
- Quality of Service
- Accessing the Switch
- Part 2: IP Routing
- Basic IP Routing
- Routing Information Protocol
- IGMP
- OSPF
- OSPF Overview
- OSPF Implementation in BLADE OS
- OSPF Configuration Examples
- Remote Monitoring
- Part 3: High Availability Fundamentals
- High Availability
- Layer 2 Failover
- Server Link Failure Detection
- VRRP Overview
- Failover Methods
- BLADE OS Extensions to VRRP
- Virtual Router Deployment Considerations
- High Availability Configurations
- High Availability
- Part 4: Appendices
- Index
BLADE OS 5.1 Application Guide
48 Chapter 1: Accessing the Switch BMD00113, September 2009
Authorization
Authorization is the action of determining a user’s privileges on the device, and usually takes place
after authentication.
The default mapping between TACACS+ authorization levels and BLADE OS management access
levels is shown in Table 4. The authorization levels listed in this table must be defined on the
TACACS+ server.
Alternate mapping between TACACS+ authorization levels and BLADE OS management access
levels is shown in Table 5. Use the /cfg/sys/tacacs/cmap ena command to use the
alternate TACACS+ authorization levels.
You can customize the mapping between TACACS+ privilege levels and GbE2c management
access levels. Use the /cfg/sys/tacacs/usermap command to manually map each
TACACS+ privilege level (0-15) to a corresponding GbE2c management access level.
If the remote user is successfully authenticated by the authentication server, the switch verifies the
privileges of the remote user and authorizes the appropriate access. The administrator has an option
to allow backdoor access via Telnet (/cfg/sys/tacacs/bckdoor). The default value for
Telnet access is disabled. The administrator also can enable secure backdoor
(/cfg/sys/tacacs/secbd), to allow access if both the primary and the secondary TACACS+
servers fail to respond.
Table 4 Default TACACS+ Authorization Levels
BLADE OS User Access Level TACACS+ Level
user 0
oper 3
admin 6
Table 5 Alternate TACACS+ Authorization Levels
BLADE OS User Access Level TACACS+ Level
user 0–1
oper 6–8
admin 14–15