Commands Authorization - HP E3800-24G-PoE+-2SFP+ Access Security Manual

RADIUS Authentication, Authorization, and Accounting

Commands Authorization

Note
6-36
Commands Authorization
The RADIUS protocol combines user authentication and authorization steps
into one phase. The user must be successfully authenticated before the
RADIUS server will send authorization information (from the user's profile)
to the Network Access Server (NAS). After user authentication has occurred,
the authorization information provided by the RADIUS server is stored on the
NAS for the duration of the user's session. Changes in the user's authorization
profile during this time will not be effective until after the next authentication
occurs.
You can limit the services for a user by enabling AAA RADIUS authorization.
The NAS uses the information set up on the RADIUS server to control the
user's access to CLI commands.
The authorization type implemented on the switches covered in this guide is
the "commands" method. This method explicitly specifies on the RADIUS
server which commands are allowed on the client device for authenticated
users. This is done on a per-user or per-group basis.
The commands authorization will only be executed for commands entered
from Telnet, SSH, or console sessions. The Web management interface is not
supported.
By default, all users may execute a minimal set of commands regardless of
their authorization status, for example, "exit" and "logout". This minimal set
of commands can prevent deadlock on the switch due to an error in the user's
authorization profile on the RADIUS server.