To configure a read-write (rw) user with the commands "config ip" and "test" denied,
edit the /etc/raddb/users file on the RADIUS server:
rw    Auth-Type == Local, User-Password == "rw"
      Access-Priority = rw,
      Command-Access = "False",
      Commands = "config ip",
      Commands += "test"
You must enable the user access profile (cli-profile) parameter on the RADIUS client.
To configure RADIUS cli-profile on the ERS 8600:
8600A:6# config radius cli-profile-enable true
Connect to ERS 8600 with telnet using read-write user.
Telnet to the ERS 8600 as the read-write user (rwa) and type some commands:
8600A:6# config ip
Permission denied.
8600A:6# config ?
Sub-Context: atm atmcard bootconfig cli cluster diag r-module ethernet fdb
filter ipv6 ipx lacp log mlt naap pos poscard qos rmon slot slpp snmp-server
snmp-v3 stg svlan sys vlacp vlan web-server
Current Context:
info
8600A:6# test
Permission denied.
8600A:6# exit
The read-write user has access to the switch configuration but not to the denied
commands.
Note that when you prevent access to a command, only the lowest option in the command
tree is blocked. For example, if you prevent access to the CLI command config sys
set for a user, the user can still display or execute config or config sys.
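Added example (not from the Avaya guide): a Python model of the profile above, for reviewing a users file entry before it is deployed. It parses the entry and evaluates typed commands against the listed commands; the token-prefix matching rule in is_permitted and the treatment of Command-Access = "True" are assumptions, since the guide shows only the denied case and does not spell out how the switch matches.

```python
import re

# Constructed sample: the users-file entry from this page, with the check
# items on the first line and the reply items indented below it.
USERS_ENTRY = '''\
rw  Auth-Type == Local, User-Password == "rw"
    Access-Priority = rw,
    Command-Access = "False",
    Commands = "config ip",
    Commands += "test"
'''

# One reply item per line: Name = value  or  Name += value, optional quotes/comma.
ITEM = re.compile(r'([\w-]+)\s*(\+=|=)\s*"?([^",]+)"?\s*,?\s*$')

def parse_profile(entry):
    """Return the user name, access priority, list mode and listed commands."""
    lines = [l for l in entry.splitlines() if l.strip()]
    profile = {"user": lines[0].split()[0], "priority": None,
               "listed_allowed": True, "commands": []}
    for line in lines[1:]:                      # indented reply items
        m = ITEM.match(line.strip())
        if not m:
            continue
        attr, value = m.group(1), m.group(3).strip()
        if attr == "Access-Priority":
            profile["priority"] = value
        elif attr == "Command-Access":          # "False": listed commands are denied
            profile["listed_allowed"] = value.lower() == "true"
        elif attr == "Commands":                # "=" and "+=" each add one command
            profile["commands"].append(value.split())
    return profile

def is_permitted(profile, typed):
    """Assumed rule: a typed command matches a listed command when its tokens
    begin with that command's tokens, so parent contexts never match."""
    tokens = typed.split()
    hit = any(tokens[:len(c)] == c for c in profile["commands"])
    return hit if profile["listed_allowed"] else not hit

if __name__ == "__main__":
    p = parse_profile(USERS_ENTRY)
    for cmd in ("config ip", "config ?", "test", "config sys"):
        print(cmd, "->", "permitted" if is_permitted(p, cmd) else "Permission denied.")
```

Because parent contexts stay reachable, list every leaf command that must be blocked rather than relying on a single entry to cover a subtree.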
Authentication, Authorization and Accounting (AAA) for ERS and ES
November 2010
Technical Configuration Guide
avaya.com