Configuring Role-Based CLI Authorization; Configuring Rules and Features for Each Role - Cisco DS-C9216I-K9 Configuration Manual

Chapter 18
Configuring Switch Security
Step 3    If your user name and password are successfully authenticated, you are allowed to log in.

Step 4    When you are successfully authenticated through a remote AAA server, then the following possibilities apply:

Configuring Role-Based CLI Authorization

Switches in the Cisco MDS 9000 Family perform authorization based on roles. Role-based
authorization limits access to switch operations by assigning users to roles: after you are authenticated,
you are restricted to the management operations permitted by the roles to which you have been added.
When you execute a command, perform command completion, or obtain context sensitive help, the
switch software allows the operation to progress if you have permission to access that command.
Each role can contain multiple users and each user can be part of multiple roles. For example, if role1
users are only allowed to perform configuration commands, and role2 users are only allowed to perform
debug commands, then if Joe belongs to both role1 and role2, he can perform configuration as well as
debug commands.
If you belong to multiple roles, you can execute a superset of all the commands permitted by these roles.
Access to a command takes priority over being denied access to a command. For example, suppose you
belong to a TechDocs group and you were denied access to configuration commands. However, you also
belong to the engineering group and have access to configuration commands. In this case, you will have
access to configuration commands.
Tip    Any role, when created, does not allow access to the required commands immediately. The administrator
must configure appropriate rules for each role to allow access to the required commands.

Configuring Rules and Features for Each Role

A rule specifies operations that can be performed by a specific role. Each rule consists of a command
type (for example, config, clear, show, exec, debug), and an optional feature name (for example, FSPF,
zone, VSAN, fcping, interface).
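The two rules above (a user gets the superset of what all of their roles permit, and a permit in any role beats a deny in another; a rule pairs a command type with an optional feature) are easy to get wrong when reasoning about who can do what. The following Python model is an added illustration, not Cisco code and not how the switch software is implemented. It assumes, because the page does not say, that a rule with no feature name covers every feature of that command type, and it ignores rule numbering, since the page does not define an ordering. The roles, users and commands are constructed sample data mirroring the page's role1/role2 and TechDocs/engineering examples; the "pat" case shows the practitioner caveat: a deny in TechDocs only holds for features that no other role permits, so adding a user to any permissive role silently widens their access.

```python
"""Model of Cisco MDS role-based CLI authorization as described on this page.

Added illustration, not Cisco code.  Assumptions (not stated on the page):
  * a rule with no feature name applies to every feature of that command type;
  * within a role, a matching permit rule grants the command and a matching
    deny rule refuses it; the page does not define rule ordering, so this
    model does not rely on rule numbers.
"""
from dataclasses import dataclass, field
from typing import Optional

COMMAND_TYPES = {"config", "clear", "show", "exec", "debug"}


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    command_type: str              # config, clear, show, exec or debug
    feature: Optional[str] = None  # None: rule covers every feature (assumption)

    def matches(self, command_type: str, feature: str) -> bool:
        if self.command_type != command_type:
            return False
        return self.feature is None or self.feature == feature


@dataclass
class Role:
    name: str
    rules: list = field(default_factory=list)

    def verdict(self, command_type: str, feature: str) -> Optional[str]:
        """'permit', 'deny', or None when no rule in the role matches.

        A freshly created role has no rules and therefore grants nothing,
        which is the page's Tip about new roles.
        """
        actions = {r.action for r in self.rules if r.matches(command_type, feature)}
        if "permit" in actions:
            return "permit"
        if "deny" in actions:
            return "deny"
        return None


def authorize(roles: list, command_type: str, feature: str) -> bool:
    """Return True when a user holding `roles` may run the command.

    Implements the page's rule: a user gets the superset of everything the
    roles permit, and a permit in any role beats a deny in another.
    """
    if command_type not in COMMAND_TYPES:
        raise ValueError(f"unknown command type: {command_type}")
    return any(role.verdict(command_type, feature) == "permit" for role in roles)


# Constructed sample roles mirroring the page's examples (role1/role2 and
# TechDocs/engineering), plus a new role with no rules yet.
ROLES = {
    "role1": Role("role1", [Rule("permit", "config")]),
    "role2": Role("role2", [Rule("permit", "debug")]),
    "techdocs": Role("techdocs", [Rule("deny", "config"), Rule("permit", "show")]),
    "engineering": Role("engineering", [Rule("permit", "config", "zone"),
                                        Rule("permit", "config", "fspf")]),
    "newrole": Role("newrole"),
}

# Constructed user-to-role assignments; a user may belong to several roles.
USERS = {
    "joe": ["role1", "role2"],
    "pat": ["techdocs", "engineering"],
    "writer": ["techdocs"],
    "newhire": ["newrole"],
}


def can_run(user: str, command_type: str, feature: str) -> bool:
    """Authorize a command for a named user across all of that user's roles."""
    return authorize([ROLES[r] for r in USERS[user]], command_type, feature)


if __name__ == "__main__":
    checks = [("joe", "config", "zone"), ("joe", "debug", "fspf"), ("joe", "clear", "zone"),
              ("pat", "config", "zone"), ("pat", "config", "vsan"),
              ("writer", "config", "zone"), ("writer", "show", "zone"),
              ("newhire", "show", "interface")]
    for user, ctype, feat in checks:
        print(f"{user:8} {ctype:7} {feat:10} -> {'permit' if can_run(user, ctype, feat) else 'deny'}")
```

On the switch itself the same objects are created in role configuration mode (`role name <name>`, then `rule <number> {permit | deny} {clear | config | debug | exec | show} [feature <name>]`) and reviewed with `show role`; the model above is only a way to check, before assigning a user to an additional role, which deny rules that assignment will override.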
The possibilities that apply after a successful remote AAA authentication (Step 4 above) are:

- If the AAA server protocol is RADIUS, the user roles specified in the cisco-av-pair attribute are downloaded
  with the authentication response.
- If the AAA server protocol is TACACS+, another request is sent to the same server to get the user
  roles specified as custom attributes for the shell.
- If the user roles are not retrieved successfully from the remote AAA server, the user is assigned the
  network-operator role on login.

Cisco MDS 9000 Fabric Manager Switch Configuration Guide, OL-7753-01, page 18-11
