HP MSR2000/3000/4000 Router Series Fundamentals Configuration Guide

Step 4. Enable command authorization.
Command: command authorization
Remarks: By default, command authorization is disabled, and the commands available for a user only depend on the user role.
Configuration example
Network requirements
Configure the device in Figure 34 so a user can use Host A to log in to the device and execute only
commands that are authorized by the HWTACACS server or, when the HWTACACS server is not
available, the device itself.
Figure 34 Network diagram
Configuration procedure
# Assign IP addresses to relevant interfaces and make sure the device and the HWTACACS server can
reach each other and the device and Host A can reach each other. (Details not shown.)
# Enable the Telnet server.
<Device> system-view
[Device] telnet server enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
# Enable command authorization for the user lines.
[Device-line-vty0-63] command authorization
[Device-line-vty0-63] quit
# Configure an HWTACACS scheme that uses the HWTACACS server at 192.168.2.20:49 for
authentication and authorization, uses the shared key expert, and removes domain names from
usernames sent to the HWTACACS server. (In this example, the HWTACACS server provides
authentication and authorization services at port 49.)
[Device] hwtacacs scheme tac
[Device-hwtacacs-tac] primary authentication 192.168.2.20 49
[Device-hwtacacs-tac] primary authorization 192.168.2.20 49
[Device-hwtacacs-tac] key authentication simple expert
[Device-hwtacacs-tac] key authorization simple expert
[Device-hwtacacs-tac] user-name-format without-domain
[Device-hwtacacs-tac] quit
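The scheme above makes the device send every command a VTY user types to 192.168.2.20:49 for authorization, protected only by the shared key expert. What actually crosses the wire is a TACACS+ authorization REQUEST/REPLY pair (RFC 8907), whose body is XORed with a chained MD5 pad derived from the session ID, the key, the version and the sequence number; the RFC calls this obfuscation rather than encryption. The following Python is an added illustration, not Comware or HP code: it builds one such round trip for a single command, has a constructed server policy decide it, and falls back to a constructed local role when the server is marked unreachable, mirroring the network requirement. The username user1, the port vty0, the remote address 192.168.1.10, the session ID and both command sets are assumptions.

```python
"""Added example: one TACACS+ (RFC 8907) command-authorization round trip between a device
and an HWTACACS server sharing the key 'expert'. Constructed for illustration; not Comware code."""
import hashlib
import struct

VERSION = 0xC0                        # major version 0xC, minor version 0
TAC_PLUS_AUTHOR = 0x02                # header type: authorization
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

SHARED_KEY = b"expert"                # the shared key configured on the page
SERVER_ALLOWED = {"display"}          # constructed server-side command policy (assumption)
LOCAL_ROLE_ALLOWED = {"display"}      # constructed stand-in for the local user role (assumption)

def pseudo_pad(session_id, version, seq_no, key, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no), MD5_n adds MD5_n-1."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, version, seq_no, key):
    """XOR the body with the pad. Symmetric, so the same call deobfuscates."""
    pad = pseudo_pad(session_id, version, seq_no, key, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype, seq_no, session_id, body, key):
    """12-byte header (flags=0 means the body is obfuscated) followed by the obfuscated body."""
    hdr = struct.pack("!BBBBII", VERSION, ptype, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, VERSION, seq_no, key)

def parse_packet(pkt, key):
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    if len(pkt) != 12 + length:
        raise ValueError("truncated packet")
    return ptype, seq_no, session_id, obfuscate(pkt[12:], session_id, version, seq_no, key)

def author_request(user, port, rem_addr, args, priv_lvl=15):
    """Authorization REQUEST body (RFC 8907 section 6.1): fixed fields, arg lengths, strings."""
    enc = [a.encode() for a in args]
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(enc))
    body += bytes(len(a) for a in enc)
    return body + user.encode() + port.encode() + rem_addr.encode() + b"".join(enc)

def parse_author_request(body):
    _m, priv, _t, _s, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    lens, off = list(body[8:8 + argc]), 8 + argc
    user, off = body[off:off + ulen].decode(), off + ulen
    port, off = body[off:off + plen].decode(), off + plen
    rem, off = body[off:off + rlen].decode(), off + rlen
    args = []
    for n in lens:
        args.append(body[off:off + n].decode())
        off += n
    return {"user": user, "port": port, "rem_addr": rem, "priv_lvl": priv, "args": args}

def author_reply(status, server_msg=b""):
    """Authorization REPLY body (RFC 8907 section 6.2) carrying no returned args and no data."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg

def parse_author_reply(body):
    status, argc, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    off = 6 + argc
    return status, body[off:off + msg_len].decode()

def server_decide(req):
    """Constructed policy: PASS_ADD only when the cmd= argument names an allowed command."""
    cmd = next((a.split("=", 1)[1] for a in req["args"] if a.startswith("cmd=")), "")
    return TAC_PLUS_AUTHOR_STATUS_PASS_ADD if cmd in SERVER_ALLOWED else TAC_PLUS_AUTHOR_STATUS_FAIL

def authorize_command(user, cmd, cmd_args, server_up=True, key=SHARED_KEY, session_id=0x1A2B3C4D):
    """Device side: ask the server; if it is unreachable, fall back to the local user role."""
    if not server_up:
        return cmd in LOCAL_ROLE_ALLOWED
    args = ["service=shell", "cmd=" + cmd] + ["cmd-arg=" + a for a in cmd_args]
    req = build_packet(TAC_PLUS_AUTHOR, 1, session_id, author_request(user, "vty0", "192.168.1.10", args), key)
    # server side: deobfuscate with the same key, decide, answer with seq_no + 1 on the same session
    _ptype, seq, sid, body = parse_packet(req, key)
    status = server_decide(parse_author_request(body))
    rep = build_packet(TAC_PLUS_AUTHOR, seq + 1, sid, author_reply(status, b"policy"), key)
    # back on the device: deobfuscate the reply and act on its status
    _ptype, _seq, _sid, rbody = parse_packet(rep, key)
    return parse_author_reply(rbody)[0] == TAC_PLUS_AUTHOR_STATUS_PASS_ADD
```

authorize_command("user1", "display", ["hwtacacs", "scheme"]) returns True under the constructed policy and authorize_command("user1", "reboot", []) returns False; with server_up=False the decision comes from LOCAL_ROLE_ALLOWED instead. Parsing a packet with a key other than the one it was built with yields an unrelated byte string, which is why a mismatched key shows up as authorization errors rather than as a clean rejection, and why the key and the path to the server both deserve the same care as a password.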