Creating Local Privilege Levels - HP 3500yl Series Access Security Manual

Creating Local Privilege Levels

This feature allows more granular local control over user access when the switch is accessed through the console, telnet, or SSH. Instead of allowing access to all commands through the "manager" level, or very restricted access through the "operator" level, local access can be customized to allow only the commands that the local account is authorized to execute. The new local accounts are in addition to, and independent of, the existing manager and operator accounts, with one exception: if a username is set for a manager or operator account, that name cannot be the same as any of the local user account names.

To do this, groups are created that contain up to 16 user accounts each. Each group has a list of match commands that determine whether a user in that group is authorized to execute a given command. Up to 100 local user accounts are supported. The local user account passwords are stored in the configuration as a SHA1 hash, which is only displayed if "include-credentials" is enabled. A password is required for each local user account, but nothing else.

There is one default group, operator. Users assigned to the operator group have only operator privileges.

The authorization group is applied to a local user account only if the user logs in using local as the primary authentication method and the "aaa authorization commands local" command has been executed. Authorization groups are not supported when the login method is set as secondary local authentication.
These commands are authorized at all access levels:
exit
logout
page
redo
repeat
end
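The group-based authorization decision described above, as an added Python model that is not from the manual or the switch firmware. It assumes that a group's match commands are ordered permit/deny rules evaluated first-match with an implicit deny, that a login without group authorization gets no group decision at all, and it uses a constructed "show *" rule as a stand-in for the operator group's built-in command set:

```python
from fnmatch import fnmatch

# Commands the page lists as authorized at every access level.
ALWAYS_PERMITTED = {"exit", "logout", "page", "redo", "repeat", "end"}
MAX_USERS_PER_GROUP = 16    # limit stated on the page
MAX_LOCAL_USERS = 100       # limit stated on the page

class LocalAuthz:
    """Model of the local authorization groups on this page. A group is an
    ordered list of (glob, "permit"|"deny") rules; first match wins (assumed)."""

    def __init__(self, reserved_names=()):
        self.reserved = set(reserved_names)   # manager/operator usernames
        self.groups = {"operator": [("show *", "permit")]}  # constructed rule
        self.users = {}                       # username -> group name
        self.authz_commands_local = False     # 'aaa authorization commands local'

    def add_group(self, name, rules):
        self.groups[name] = list(rules)

    def add_user(self, name, group):
        if name in self.reserved:
            raise ValueError(f"{name!r} is already a manager/operator username")
        if len(self.users) >= MAX_LOCAL_USERS:
            raise ValueError("limit of 100 local user accounts reached")
        if list(self.users.values()).count(group) >= MAX_USERS_PER_GROUP:
            raise ValueError(f"group {group!r} already holds 16 users")
        self.users[name] = group

    def authorize(self, user, command, primary_login_local=True):
        """True/False = group decision; None = group not applied (the page:
        only a primary local login with 'aaa authorization commands local'
        set gets group authorization; secondary local login does not)."""
        if command.split()[0] in ALWAYS_PERMITTED:
            return True
        if not (primary_login_local and self.authz_commands_local):
            return None
        for pattern, action in self.groups[self.users[user]]:
            if fnmatch(command, pattern):
                return action == "permit"
        return False   # assumed: no matching rule means deny

def build_demo():
    """Constructed sample: a 'netops' group that may view and edit VLANs."""
    p = LocalAuthz(reserved_names={"admin"})
    p.authz_commands_local = True
    p.add_group("netops", [("show *", "permit"), ("vlan *", "permit"), ("*", "deny")])
    p.add_user("alice", "netops")
    return p
```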
RADIUS Authentication, Authorization, and Accounting
Creating Local Privilege Levels
6-75
