HP MSR2000/3000/4000 Router Series Fundamentals Configuration Guide

# To make sure the user has only the permissions of role1, remove the user from the default user role network-operator.
[Router-luser-manage-user1] undo authorization-attribute user-role network-operator
[Router-luser-manage-user1] quit
Verifying the configuration
# Telnet to the router, and enter the username and password to access the router. (Details not shown.)
# Verify that you cannot enter any interface view except the views of Ethernet 1/2 to Ethernet 1/4. This example uses Ethernet 1/1.
<Router> system-view
[Router] interface ethernet1/1
Permission denied.
# Verify that you can access Ethernet 1/2 to Ethernet 1/4 to configure them. This example uses Ethernet 1/2.
[Router] interface ethernet1/2
[Router-Ethernet1/2] ip address 6.6.6.6 24
[Router-Ethernet1/2] quit
# Verify that you can use all read commands of any feature. This example uses display clock.
[Router] display clock
09:31:56 UTC Sat 01/01/2011
[Router] quit
# Verify that you cannot use the write or execute commands of any feature.
<Router> debugging role all
Permission denied.
<Router> ping 192.168.1.58
Permission denied.
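The verification steps above exercise three RBAC properties at once: a command is denied unless some rule permits it (default deny), an interface view is reachable only if the role's interface policy includes that interface, and a user holding several roles gets the union of their permissions, which is why the guide removes the default network-operator role before testing. The following model is an added example written for this page, not HP or Comware code; it reconstructs role1's rules from the verification output (the feature names, the read/write/execute classification of each command, and the hypothetical second role named extra are assumptions made for illustration) and evaluates the same commands the operator typed.

```python
"""Model of Comware-style RBAC evaluation (added example, not HP/H3C code).

A user holds a set of roles. Each role carries command rules, expressed here
as permitted (feature, action) pairs, plus an interface access policy.
A command is permitted if at least one assigned role permits both the rule
and the interface the command touches; otherwise it is denied by default.
"""
from dataclasses import dataclass, field
from typing import Optional

ACTIONS = ("read", "write", "execute")


@dataclass
class Role:
    name: str
    # permitted (feature, action) pairs; feature "*" stands for any feature
    rules: set = field(default_factory=set)
    # interfaces whose views the role may enter; None means unrestricted
    interfaces: Optional[set] = None

    def permits_rule(self, feature: str, action: str) -> bool:
        assert action in ACTIONS
        return (feature, action) in self.rules or ("*", action) in self.rules

    def permits_interface(self, ifname: str) -> bool:
        return self.interfaces is None or ifname in self.interfaces


@dataclass
class Command:
    text: str
    feature: str
    action: str
    interface: Optional[str] = None  # interface the command operates on


def is_permitted(roles, cmd: Command) -> bool:
    """Default deny: True only if some assigned role permits the command
    rule and, where the command touches an interface, that interface too."""
    return any(
        r.permits_rule(cmd.feature, cmd.action)
        and (cmd.interface is None or r.permits_interface(cmd.interface))
        for r in roles
    )


def eth_range(first: int, last: int) -> set:
    return {f"Ethernet1/{n}" for n in range(first, last + 1)}


# role1 as the verification steps describe it: read commands of any feature,
# and interface views (with configuration inside them) only for Ethernet 1/2
# to 1/4. The exact rule numbering on the device is not reproduced here.
ROLE1 = Role("role1",
             rules={("*", "read"), ("interface", "write")},
             interfaces=eth_range(2, 4))

# Hypothetical extra role (not from the guide) that permits one execute
# command; used only to show how a second assigned role widens access.
EXTRA = Role("extra", rules={("ping", "execute")})

# The commands typed during verification. Feature/action classification is
# an assumption of this model (debugging and ping modelled as execute).
COMMANDS = [
    Command("interface ethernet1/1", "interface", "write", "Ethernet1/1"),
    Command("interface ethernet1/2", "interface", "write", "Ethernet1/2"),
    Command("ip address 6.6.6.6 24", "interface", "write", "Ethernet1/2"),
    Command("display clock", "clock", "read"),
    Command("debugging role all", "role", "execute"),
    Command("ping 192.168.1.58", "ping", "execute"),
]


def evaluate(roles, commands=COMMANDS) -> dict:
    """Map each command's text to whether the given roles permit it."""
    return {c.text: is_permitted(roles, c) for c in commands}


if __name__ == "__main__":
    for text, ok in evaluate([ROLE1]).items():
        print(f"{text:28} {'ok' if ok else 'Permission denied.'}")
    # Leaving a second role assigned changes the verdict for ping:
    print("ping with extra role:", evaluate([ROLE1, EXTRA])["ping 192.168.1.58"])
```

Running it with only role1 reproduces the guide's transcript (display clock and Ethernet 1/2 permitted; Ethernet 1/1, debugging and ping denied). Adding the extra role flips ping to permitted without touching role1, which is the effect the undo authorization-attribute step guards against when testing a role in isolation.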
RBAC configuration example for RADIUS authentication users
Network requirements
The router in Figure 4 uses the FreeRADIUS server at 10.1.1.1/24 to provide AAA service for login users, including the Telnet user at 192.168.1.58. This Telnet user uses the username hello@bbb and is assigned the user role role2.
This user role has the following permissions:
• Performs all the commands in ISP view.
• Performs read and write commands of the features arp and radius.
• Has no access to read commands of the feature route.
• Accesses VLANs 1 to 20 and interfaces Ethernet 1/1 to Ethernet 1/24.
The router and the FreeRADIUS server use the shared key expert and authentication port 1812. The router delivers usernames with their domain names to the server.