HP ProCurve 9304M Security Manual page 46

Security Guide for ProCurve 9300/9400 Series Routing Switches
Also note that in order for the aaa authorization exec default tacacs+ command to work, either the aaa authentication enable default tacacs+ command or the aaa authentication login privilege-mode command must also exist in the configuration.
Configuring an Attribute-Value Pair on the TACACS+ Server
During TACACS+ exec authorization, the HP device expects the TACACS+ server to send a response containing an A-V (Attribute-Value) pair that specifies the privilege level of the user. When the HP device receives the response, it extracts an A-V pair configured for the Exec service and uses it to determine the user's privilege level.

To set a user's privilege level, you can configure the "hp-privlvl" A-V pair for the Exec service on the TACACS+ server. For example:
user=bob {
    default service = permit
    member admin
    # Global password
    global = cleartext "cat"
    service = exec {
        hp-privlvl = 0
    }
}
In this example, the A-V pair hp-privlvl = 0 grants the user full read-write access. The value in the hp-privlvl A-V pair is an integer that indicates the privilege level of the user. Possible values are 0 for super-user level, 4 for port-config level, or 5 for read-only level. If a value other than 0, 4, or 5 is specified in the hp-privlvl A-V pair, the default privilege level of 5 (read-only) is used. The hp-privlvl A-V pair can also be embedded in the group configuration for the user. See your TACACS+ documentation for the configuration syntax relevant to your server.

If the hp-privlvl A-V pair is not present, the HP device extracts the last A-V pair configured for the Exec service that has a numeric value. The HP device uses this A-V pair to determine the user's privilege level. For example:
user=bob {
    default service = permit
    member admin
    # Global password
    global = cleartext "cat"
    service = exec {
        privlvl = 15
    }
}
The attribute name in the A-V pair is not significant; the HP device uses the last one that has a numeric value. However, the HP device interprets the value for a non-"hp-privlvl" A-V pair differently than it does for an "hp-privlvl" A-V pair. The following table lists how the HP device associates a value from a non-"hp-privlvl" A-V pair with an HP privilege level.
Table 2.3: HP Equivalents for non-"hp-privlvl" A-V Pair Values

Value for non-"hp-privlvl" A-V Pair    HP Privilege Level
15                                     0 (super-user)
From 14 - 1                            4 (port-config)
Any other number or 0                  5 (read-only)

In the example above, the A-V pair configured for the Exec service is privlvl = 15. The HP device uses the value in this A-V pair to set the user's privilege level to 0 (super-user), granting the user full read-write access.

2 - 30    June 2005
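The two rules above (an "hp-privlvl" pair is honoured only for 0, 4 and 5; otherwise the last numeric pair is mapped through Table 2.3) are easy to get wrong when writing or auditing a TACACS+ server configuration. The following added example, written for this page and not taken from the HP device firmware or from any TACACS+ server, implements the derivation as the section describes it so that a configuration can be checked offline. The function name hp_level_from_avpairs, the "attr=value" / "attr*value" pair syntax, and the treatment of a response with no numeric pair at all (assumed to fall back to read-only, which the page does not state explicitly) are assumptions for illustration.

```python
# Added example (not HP's code): derive the HP privilege level from the
# A-V pairs a TACACS+ server returns for the Exec service, following the
# rules in this section. Function and attribute names are assumptions.
import re

# HP privilege levels named in the section.
HP_LEVEL_NAMES = {0: "super-user", 4: "port-config", 5: "read-only"}
DEFAULT_LEVEL = 5  # read-only is the fall-through in every rule above

# TACACS+ A-V pairs use "=" for mandatory and "*" for optional attributes.
_PAIR_RE = re.compile(r"^([^=*]+)[=*](.*)$")
_INT_RE = re.compile(r"-?\d+")


def hp_level_from_avpairs(avpairs):
    """Return 0, 4 or 5 for a list of A-V pair strings from the Exec service."""
    parsed = []
    for pair in avpairs:
        m = _PAIR_RE.match(pair)
        if not m:
            continue  # malformed pair: ignore it
        parsed.append((m.group(1).strip(), m.group(2).strip()))

    # Rule 1: an hp-privlvl pair decides; only 0, 4 and 5 are honoured and
    # any other value (including a non-integer) yields read-only.
    for attr, value in parsed:
        if attr == "hp-privlvl":
            if not _INT_RE.fullmatch(value):
                return DEFAULT_LEVEL
            level = int(value)
            return level if level in HP_LEVEL_NAMES else DEFAULT_LEVEL

    # Rule 2: no hp-privlvl pair, so take the LAST pair whose value is
    # numeric, whatever its attribute name, and map it with Table 2.3.
    numeric = [int(v) for _, v in parsed if _INT_RE.fullmatch(v)]
    if not numeric:
        return DEFAULT_LEVEL  # assumption: no numeric pair at all -> read-only
    value = numeric[-1]
    if value == 15:
        return 0
    if 1 <= value <= 14:
        return 4
    return DEFAULT_LEVEL  # 0 or any other number


def describe(avpairs):
    """Human-readable form of the decision, e.g. for a config audit script."""
    level = hp_level_from_avpairs(avpairs)
    return "%s -> level %d (%s)" % (" ".join(avpairs) or "<no pairs>",
                                     level, HP_LEVEL_NAMES[level])


if __name__ == "__main__":
    # Constructed sample responses covering the page's two examples plus the
    # edge cases the rules imply.
    samples = [
        ["hp-privlvl=0"],                 # page example 1: super-user
        ["privlvl=15"],                   # page example 2: mapped to super-user
        ["hp-privlvl=15"],                # 15 is NOT valid for hp-privlvl
        ["hp-privlvl=0", "privlvl=15"],   # hp-privlvl wins over other pairs
        ["privlvl=7"],                    # 1..14 -> port-config
        ["privlvl=0"],                    # 0 in a non-hp pair -> read-only
        ["idletime=600", "privlvl=15"],   # last numeric pair is privlvl
        ["privlvl=15", "idletime=600"],   # last numeric pair is idletime!
        [],
    ]
    for s in samples:
        print(describe(s))
```

The second-to-last pair of samples is the one worth remembering when you audit a server configuration: because the device takes the last numeric pair when "hp-privlvl" is absent, a numeric attribute such as a timeout placed after privlvl = 15 silently demotes the user to read-only, and the reverse ordering would silently promote a user whose only intended numeric attribute was a timeout. Using "hp-privlvl" explicitly avoids depending on attribute order.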