Command-Level Authorization - Cisco SCE 8000 10GBE Software Configuration Manual


Chapter 5
Configuring the Management Interface and Security
TACACS+ Authentication, Authorization, and Accounting
Cisco SCE 8000 10GBE Software Configuration Guide, OL-30621-02, page 5-17

• Verifies that the user has sufficient privileges to enter the requested privilege level.

Once the user privilege level has been determined, the user is granted access to a specified set of commands according to the level granted.
As with login authentication, if the server is unavailable, the next authentication method is attempted, as explained in the "General AAA Fallback and Recovery Mechanism" section on page 5-17.

Command-Level Authorization

When command level authorization is enabled, each CLI command that is issued must be authorized by the external TACACS+ server before the system actually executes the command. You can configure the authorization level at which command level authorization is required. For example, you can require command level authorization only at root level.
As with login and privilege level authentication, if the TACACS+ server is unavailable, the regular fallback mechanism will be used.

General AAA Fallback and Recovery Mechanism

The Cisco SCE platform uses a fallback mechanism to maintain service availability in case of an error.
The AAA methods available are:
• TACACS+ – AAA is performed by the use of a TACACS+ server, allows authentication, authorization and accounting.
• Local – AAA is performed by the use of a local database, allows authentication and authorization.
• Enable – AAA is performed by the use of user configured passwords, allows authentication and authorization.
• None – no authentication/authorization/accounting is performed.
In the current implementation the order of the methods used isn't configurable but the customer can choose which of the methods are used. The current order is:
• TACACS+
• Local
• Enable
• None

Caution: If the server goes to AAA fault, the Cisco SCE platform will not be accessible until one of the AAA methods is restored. In order to prevent this, it is advisable to use the "none" method as the last AAA method. If the Cisco SCE platform becomes inaccessible, the shell function "AAA_MethodsReset" will allow you to delete the current AAA method settings and set the AAA method used to "enable".

To run the "AAA_MethodsReset" shell function, complete the following steps:
1. Connect to AUX with username "root"
2. Run the debug shell: scos_xinetd --service debug-shell --on
3. Use Telnet to access the shell: telnet localhost 2301
4. Run the shell function: AAA_MethodsReset
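The fallback chain described above, modelled as an added example (not Cisco code and not taken from this manual): it walks the enabled methods in the fixed order and shows the trade-off in the Caution, which is lockout when every method is in fault versus access with no credential check when "none" is the last method. The function names, backends and credentials are hypothetical and constructed, and treating an accept or reject as final (no fallthrough) is an assumption the manual does not state.

```python
from enum import Enum

class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNAVAILABLE = "unavailable"  # method in fault, e.g. server unreachable

# Fixed order given in the manual; the operator only picks which are enabled.
METHOD_ORDER = ("tacacs+", "local", "enable", "none")

def evaluate(enabled, backends, user, secret):
    """Return (decision, deciding_method) for one login attempt."""
    for method in METHOD_ORDER:
        if method not in enabled:
            continue
        if method == "none":
            return Result.ACCEPT, "none"  # no credential check is performed
        result = backends[method](user, secret)
        if result is not Result.UNAVAILABLE:
            return result, method  # assumption: accept or reject is final
    return Result.UNAVAILABLE, None  # AAA fault: nobody can log in

def outage_exposure(enabled):
    """What happens if every enabled backend is in fault at the same time."""
    down = {m: (lambda u, s: Result.UNAVAILABLE) for m in METHOD_ORDER}
    decision, _ = evaluate(enabled, down, "anyone", "anything")
    if decision is Result.UNAVAILABLE:
        return "lockout"
    return "unauthenticated access"  # only reachable through "none"

# Constructed sample backends (hypothetical, for illustration only).
def tacacs_up(user, secret):
    ok = (user, secret) == ("admin", "constructed-pw")
    return Result.ACCEPT if ok else Result.REJECT

def tacacs_down(user, secret):
    return Result.UNAVAILABLE

def enable_pw(user, secret):
    return Result.ACCEPT if secret == "constructed-enable" else Result.REJECT

if __name__ == "__main__":
    for cfg in ({"tacacs+"}, {"tacacs+", "enable"}, {"tacacs+", "none"}):
        print(sorted(cfg), "->", outage_exposure(cfg))
```

Running `outage_exposure` over a planned method set before deployment shows which of the two failure modes that set accepts, so the choice is made deliberately and the "none" case can be paired with restricted management-network access.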
