Authorization
SR OS routers support local, RADIUS, and TACACS+ authorization to control the actions of
specific users. Any combination of these authorization methods can be configured to control
actions of specific users:
• Local Authorization on page 28
• RADIUS Authorization on page 28
• TACACS+ Authorization on page 29
Local authorization and RADIUS authorization operate by applying a profile based on user
name and password configurations once network access is granted. The profiles are
configured locally, as well as through VSAs on the RADIUS server. See Vendor-Specific Attributes
(VSAs) on page 51.
Local Authorization
Local authorization uses user profiles and user access information after a user is authenticated.
The profiles and user access information specify the actions the user can and cannot perform.
By default, local authorization is enabled. Local authorization is disabled only when a
different remote authorization method is configured, such as TACACS+ or RADIUS
authorization.
You must configure profile and user access information locally.
RADIUS Authorization
RADIUS authorization grants or denies access permissions for a router. Permissions include
the use of FTP, Telnet, SSH (SCP), and console access. When granting Telnet, SSH (SCP), and
console access to the router, authorization can be used to limit which CLI commands the user is
allowed to issue and which file systems the user is allowed or denied access to.
After a user has been authenticated using RADIUS (or another method), the router can be
configured to perform authorization. The RADIUS server can be used to:
• Download the user profile to the router
• Send the profile name that the node should apply to the router.
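The two RADIUS options above, combined with profile-based command control, as an added Python example that is not taken from this guide or from SR OS. It is a simplified model that assumes entries are checked in entry-number order with the first match deciding, and that anything not explicitly permitted is denied. The reply keys profile-name, default-action and entries are hypothetical stand-ins for the VSAs, and the profile data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    name: str
    default_action: str                          # "permit-all", "deny-all" or "none"
    entries: list = field(default_factory=list)  # (entry_id, match, action) tuples

    def decide(self, command):
        """First matching entry (lowest entry_id) wins; else the default action."""
        words = command.split()
        for _entry_id, match, action in sorted(self.entries):
            prefix = match.split()
            if words[:len(prefix)] == prefix:    # compare whole leading words
                return action
        return {"permit-all": "permit", "deny-all": "deny"}.get(self.default_action)

# Fallback used when the server names a profile the router does not have (assumption).
DENY_ALL = Profile("deny-all-fallback", "deny-all")

# Profiles held locally on the router (constructed sample data).
LOCAL_PROFILES = {
    "noc-readonly": Profile("noc-readonly", "deny-all", [
        (10, "show system security", "deny"),    # specific deny must precede
        (20, "show", "permit"),                  # the broader permit
    ]),
}

def profile_from_radius(reply):
    """Resolve the profile for an authenticated user from the server's reply."""
    if "profile-name" in reply:                  # server sends only a profile name
        return LOCAL_PROFILES.get(reply["profile-name"], DENY_ALL)  # unknown: fail closed
    # Server downloads the profile contents instead of naming a local one.
    return Profile("downloaded", reply.get("default-action", "deny-all"),
                   reply.get("entries", []))

def authorize(profile, command):
    """Permit only on an explicit permit; no match with default 'none' is denied."""
    return profile.decide(command) == "permit"

if __name__ == "__main__":
    ro = profile_from_radius({"profile-name": "noc-readonly"})
    for cmd in ("show router interface", "show system security user", "configure router"):
        print(f"{cmd!r}: {'permit' if authorize(ro, cmd) else 'deny'}")
```

Swapping the entry numbers of the two noc-readonly entries would let the broad "show" permit shadow the security deny, which is the ordering mistake to look for when reviewing a profile.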
7450 ESS System Management Guide