Rbac Temporary User Role Authorization Configuration Example (Hwtacacs Authentication) - HP 10500 Series Configuration Manual

[Switch-isp-abc] authentication login radius-scheme abc
[Switch-isp-abc] quit
# Verify that you can use all read and write commands of the radius and arp features. Take radius as an example.
[Switch] radius scheme rad
[Switch-radius-rad] primary authentication 2.2.2.2
[Switch-radius-rad] display radius scheme rad
...
Output of the RADIUS scheme is omitted.
# Verify that you cannot configure any VLAN except VLANs 1 to 20. Take VLAN 10 and VLAN 30 as examples.
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] vlan 30
Permission denied.
# Verify that you cannot configure any interface except GigabitEthernet 1/0/1 to GigabitEthernet 1/0/24. Take GigabitEthernet 1/0/2 and GigabitEthernet 1/0/25 as examples.
[Switch] vlan 10
[Switch-vlan10] port gigabitethernet 1/0/2
[Switch-vlan10] port gigabitethernet 1/0/25
Permission denied.
RBAC temporary user role authorization configuration example (HWTACACS authentication)
Network requirements
As shown in Figure 5, the switch uses local authentication for login users, including the Telnet user. The Telnet user uses the username test@bbb and is assigned the user role level-0.
Configure the remote-then-local authentication mode for temporary user role authorization. The switch uses the HWTACACS server to provide authentication for changing the user role among level-0 through level-3 or changing the user role to network-admin. If the AAA configuration is invalid or the HWTACACS server does not respond, the switch performs local authentication.
Figure 5 Network diagram
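The fallback rule above as a small Python model (an added example, not code from the HP manual). It reads the requirement literally: local authentication runs only when the AAA configuration is invalid or the server does not respond, so a rejection from a reachable server is final. The names Remote, authorize_role_change and LOCAL, the placeholder passwords, and the denial when no local password exists for a role are assumptions of this sketch.

```python
import hmac
from enum import Enum

class Remote(Enum):
    ACCEPT = 1       # HWTACACS server verified the password
    REJECT = 2       # server answered and refused
    NO_RESPONSE = 3  # server did not respond
    INVALID_AAA = 4  # AAA configuration on the switch is invalid

# Target roles named in the network requirements.
TARGET_ROLES = {"level-0", "level-1", "level-2", "level-3", "network-admin"}

def authorize_role_change(role, password, remote_result, local_passwords):
    """Model of remote-then-local mode. Returns (granted, method_used)."""
    if role not in TARGET_ROLES:
        return (False, "none")
    if remote_result is Remote.ACCEPT:
        return (True, "hwtacacs")
    if remote_result is Remote.REJECT:
        # The server responded, so neither fallback condition holds.
        return (False, "hwtacacs")
    # NO_RESPONSE or INVALID_AAA: the switch performs local authentication.
    expected = local_passwords.get(role)
    if expected is None:
        return (False, "local")  # assumption: no local password means deny
    ok = hmac.compare_digest(expected.encode(), password.encode())
    return (ok, "local")

# Constructed sample data: the local passwords below are placeholders.
LOCAL = {"level-3": "local-l3-placeholder",
         "network-admin": "local-na-placeholder"}

def demo():
    cases = [
        ("level-3", "tacacs-pw", Remote.ACCEPT),
        ("level-3", "local-l3-placeholder", Remote.REJECT),
        ("level-3", "local-l3-placeholder", Remote.NO_RESPONSE),
        ("network-admin", "wrong", Remote.INVALID_AAA),
        ("level-2", "anything", Remote.NO_RESPONSE),
    ]
    return [authorize_role_change(r, p, res, LOCAL) for r, p, res in cases]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The second case is the one to check when auditing a deployment: a valid local password does not grant the role while the server is reachable and rejects the request.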