Table of Contents
Advertisement
You enable TACACS+ command authorization by specifying a privilege level whose commands require
authorization. For example, to configure the HP device to perform authorization for the commands available at the
Super User privilege level (that is, all commands on the device), enter the following command:
HP9300(config)# aaa authorization commands 0 default tacacs+
Syntax: aaa authorization commands <privilege-level> default tacacs+ | radius | none
The <privilege-level> parameter can be one of the following:
•
0 – Authorization is performed for commands available at the Super User level (all commands)
•
4 – Authorization is performed for commands available at the Port Configuration level (port-config and read
only commands)
•
5 – Authorization is performed for commands available at the Read Only level (read-only commands)
NOTE: TACACS+ command authorization is performed only for commands entered from Telnet or SSH
sessions. No authorization is performed for commands entered at the console or the Web management interface.
Configuring TACACS+ Accounting
HP devices support TACACS+ accounting for recording information about user activity and system events. When
you configure TACACS+ accounting on an HP device, information is sent to a TACACS+ accounting server when
specified events occur, such as when a user logs into the device or the system is rebooted.
Configuring TACACS+ Accounting for Telnet/SSH (Shell) Access
To send an Accounting Start packet to the TACACS+ accounting server when an authenticated user establishes a
Telnet or SSH session on the HP device, and an Accounting Stop packet when the user logs out:
HP9300(config)# aaa accounting exec default start-stop tacacs+
Syntax: aaa accounting exec default start-stop radius | tacacs+ | none
Configuring TACACS+ Accounting for CLI Commands
You can configure TACACS+ accounting for CLI commands by specifying a privilege level whose commands
require accounting. For example, to configure the HP device to perform TACACS+ accounting for the commands
available at the Super User privilege level (that is; all commands on the device), enter the following command:
HP9300(config)# aaa accounting commands 0 default start-stop tacacs+
An Accounting Start packet is sent to the TACACS+ accounting server when a user enters a command, and an
Accounting Stop packet is sent when the service provided by the command is completed.
NOTE: If authorization is enabled, and the command requires authorization, then authorization is performed
before accounting takes place. If authorization fails for the command, no accounting takes place.
Syntax: aaa accounting commands <privilege-level> default start-stop radius | tacacs+ | none
The <privilege-level> parameter can be one of the following:
•
0 – Records commands available at the Super User level (all commands)
•
4 – Records commands available at the Port Configuration level (port-config and read-only commands)
•
5 – Records commands available at the Read Only level (read-only commands)
Configuring TACACS+ Accounting for System Events
You can configure TACACS+ accounting to record when system events occur on the HP device. System events
include rebooting and when changes to the active configuration are made.
The following command causes an Accounting Start packet to be sent to the TACACS+ accounting server when a
system event occurs, and a Accounting Stop packet to be sent when the system event is completed:
Securing Access
3 - 25
Advertisement
Chapters
Table of Contents
