HP ProCurve 9304M Security Manual page 63


entered at login, if one is available. If no username was entered at login, the device prompts for both username
and password.
To configure the HP device to prompt only for a password when a user attempts to gain Super User access to the
Privileged EXEC and CONFIG levels of the CLI:
ProCurveRS(config)# aaa authentication enable implicit-user
Syntax: [no] aaa authentication enable implicit-user
Configuring RADIUS Authorization
HP devices support RADIUS authorization for controlling access to management functions in the CLI. Two kinds
of RADIUS authorization are supported:
• Exec authorization determines a user's privilege level when they are authenticated
• Command authorization consults a RADIUS server to get authorization for commands entered by the user
Configuring Exec Authorization
When RADIUS exec authorization is performed, the HP device consults a RADIUS server to determine the
privilege level of the authenticated user. To configure RADIUS exec authorization on the HP device, enter the
following command:
ProCurveRS(config)# aaa authorization exec default radius
Syntax: aaa authorization exec default radius | none
If you specify none, or omit the aaa authorization exec command from the device's configuration, no exec
authorization is performed.
NOTE: If the aaa authorization exec default radius command exists in the configuration, following successful
authentication the device assigns the user the privilege level specified by the hp-privilege-level attribute received
from the RADIUS server. If the aaa authorization exec default radius command does not exist in the
configuration, then the value in the hp-privilege-level attribute is ignored, and the user is granted Super User
access.
Also note that in order for the aaa authorization exec default radius command to work, either the
aaa authentication enable default radius command, or the aaa authentication login privilege-mode
command must also exist in the configuration.
Configuring Command Authorization
When RADIUS command authorization is enabled, the HP device consults the list of commands supplied by the
RADIUS server during authentication to determine whether a user can execute a command he or she has
entered.
You enable RADIUS command authorization by specifying a privilege level whose commands require
authorization. For example, to configure the HP device to perform authorization for the commands available at the
Super User privilege level (that is, all commands on the device), enter the following command:
ProCurveRS(config)# aaa authorization commands 0 default radius
Syntax: aaa authorization commands <privilege-level> default radius | tacacs+ | none
The <privilege-level> parameter can be one of the following:
0 – Authorization is performed (that is, the HP device looks at the command list) for commands available at
the Super User level (all commands)
4 – Authorization is performed for commands available at the Port Configuration level (port-config and read-only commands)
5 – Authorization is performed for commands available at the Read Only level (read-only commands)
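An added example, not from the HP manual: a Python audit of a saved configuration for the conditions described above, namely RADIUS authentication without exec authorization (hp-privilege-level ignored, Super User granted), exec authorization without either prerequisite command, and command authorization that is absent or covers only levels 4 or 5. The function name, finding codes and sample configurations are constructed for illustration; treating any aaa authentication line that lists radius as "RADIUS authentication in use" is an assumption.

```python
import re

# Constructed sample configurations (not from the manual), built only from
# commands named on this page.
WEAK = """\
aaa authentication enable default radius
aaa authorization commands 5 default radius
"""
HARDENED = """\
aaa authentication enable default radius
aaa authorization exec default radius
aaa authorization commands 0 default radius
"""
ORPHANED = "aaa authorization exec default radius\n"

def audit_aaa(config_text):
    """Return sorted finding codes (hypothetical names) for a config dump."""
    lines = [" ".join(raw.split()) for raw in config_text.splitlines()]
    aaa = [l for l in lines if l.startswith("aaa ")]
    findings = set()

    # Assumption: any authentication method list naming radius means RADIUS logins.
    radius_authn = any(l.startswith("aaa authentication ") and "radius" in l.split()
                       for l in aaa)
    exec_authz = "aaa authorization exec default radius" in aaa
    prereq = ("aaa authentication login privilege-mode" in aaa or
              any(l.startswith("aaa authentication enable default radius") for l in aaa))

    # Without exec authorization, hp-privilege-level is ignored: Super User for all.
    if radius_authn and not exec_authz:
        findings.add("EXEC_AUTHZ_MISSING")
    # Exec authorization needs one of the two prerequisite commands to work.
    if exec_authz and not prereq:
        findings.add("EXEC_AUTHZ_PREREQ_MISSING")

    levels = {}
    for l in aaa:
        m = re.fullmatch(r"aaa authorization commands (\d+) default (\S+)", l)
        if m:
            levels[int(m.group(1))] = m.group(2)
    active = [lvl for lvl, method in levels.items() if method != "none"]
    if not active:
        findings.add("CMD_AUTHZ_DISABLED")   # informational: no command list is consulted
    elif 0 not in active:
        findings.add("CMD_AUTHZ_PARTIAL")    # levels 4/5 cover only port-config/read-only
    return sorted(findings)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("orphaned", ORPHANED)):
        print(name, audit_aaa(cfg))
```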
June 2005
Securing Access to Management Functions
2 - 47
