Configuring A Local User For A Group - HP 3500yl Series Access Security Manual

HP Switch(config)# aaa authorization group Bluegroup 100 match-command configure permit
HP Switch(config)# aaa authorization group Bluegroup 200 match-command telnet permit
HP Switch(config)# aaa authorization group Bluegroup 300 match-command menu permit

Figure 6-34. Example of Creating a Local Authorization Group and Assigning the Commands that are Authorized for the Group

HP Switch(config)# aaa authorization group Redgroup 100 match-command configure permit
HP Switch(config)# aaa authorization group Redgroup 200 match-command "vlan *" permit

Figure 6-35. Example of Configuring Authorized Commands for a Group in the Correct Order

Commands are expanded before the comparison is done. For example, sh ver is expanded to show version, and the expanded command is then compared against the command strings of the authorization group.

When a command must be preceded by the execution of another command, both commands need to be permitted for the command authorization group. For example, you must execute the configure command before you can enter the vlan context, so both commands must be permitted.

Some commands cause the switch CLI to enter a special context, such as test mode, in which the input is not processed by the normal CLI. Keyboard input in such a context is not checked against the command authorization group. If these special contexts are permitted, the user can proceed outside the control and logging of the command group configuration.
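
The three caveats above can be checked mechanically before a group is deployed. The following Python script is an added example, not part of the HP manual or the switch software; it lints aaa authorization group lines written in the syntax of Figures 6-34 and 6-35. The PREREQ, SPECIAL and ABBREV tables and the sample configuration are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the syntax of Figures 6-34 and 6-35 (not from a real switch).
SAMPLE = """\
aaa authorization group Bluegroup 100 match-command configure permit
aaa authorization group Bluegroup 200 match-command telnet permit
aaa authorization group Greengroup 100 match-command "vlan *" permit
aaa authorization group Greengroup 200 match-command "sh ver" permit
aaa authorization group Greengroup 300 match-command "test mode" permit
"""

RULE = re.compile(r'aaa authorization group (\S+) (\d+) match-command '
                  r'(?:"([^"]+)"|(\S+)) (\S+)')

# Assumed tables for illustration; extend them for the commands your groups use.
PREREQ = {"vlan": "configure"}   # context command -> command that must run first
SPECIAL = {"test"}               # commands that enter a context the CLI does not check
ABBREV = {"sh": "show", "conf": "configure"}  # abbreviations the CLI would expand


def parse(text):
    """Return {group: [(seq, pattern), ...]} for permit rules, sorted by sequence."""
    groups = defaultdict(list)
    for m in RULE.finditer(text):
        name, seq, quoted, bare, action = m.groups()
        if action == "permit":
            groups[name].append((int(seq), quoted or bare))
    return {g: sorted(rules) for g, rules in groups.items()}


def audit(text):
    """Return a sorted list of (group, seq, finding) tuples."""
    findings = []
    for group, rules in parse(text).items():
        heads = {pattern.split()[0] for _, pattern in rules}
        for seq, pattern in rules:
            head = pattern.split()[0]
            if head in ABBREV:  # input is expanded before comparison
                findings.append((group, seq, f"abbreviated '{head}'; input is compared as '{ABBREV[head]}'"))
            if head in PREREQ and PREREQ[head] not in heads:
                findings.append((group, seq, f"'{head}' permitted without '{PREREQ[head]}'"))
            if head in SPECIAL:
                findings.append((group, seq, f"'{pattern}' enters a context outside group control and logging"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Run against the Redgroup lines of Figure 6-35, audit() returns no findings, because configure and "vlan *" are both permitted.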

Configuring a Local User for a Group

Note: Local manager user logins and authorized command configuration are mutually exclusive with RADIUS or TACACS authentication and with RADIUS authorization and accounting.
RADIUS Authentication, Authorization, and Accounting
Creating Local Privilege Levels