Authorization; Accounting - Cisco DS-X9530-SF1-K9 - Supervisor-1 Module - Control Processor Configuration Manual

Chapter 28
Configuring RADIUS and TACACS+
Send documentation comments to mdsfeedback-doc@cisco.com.
Cisco MDS 9000 Family CLI Configuration Guide
OL-8222-01, Cisco MDS SAN-OS Release 3.x

Switch AAA Functionalities

Note
When you log in to a Cisco MDS switch successfully using the Fabric Manager or Device Manager via Telnet or SSH and if that switch is configured for AAA server-based authentication, a temporary SNMP user entry is automatically created with an expiry time of one day. The SNMPv3 protocol data units (PDUs) with your Telnet/SSH login name as the SNMPv3 user are authenticated by the switch. The management station can temporarily use the Telnet/SSH login name as the SNMPv3 auth and priv passphrase. This temporary SNMP login is only allowed if you have one or more active MDS Shell sessions. If you do not have an active session at any given time, your login is deleted and you will not be allowed to perform SNMPv3 operations.

Authorization

By default, two roles exist in all Cisco MDS switches:
- Network operator (network-operator)—Has permission to view the configuration only. The operator cannot make any configuration changes.
- Network administrator (network-admin)—Has permission to execute all commands and make configuration changes. The administrator can also create and customize up to 64 additional roles.

If you use a SAN Volume Controller (SVC) setup, two more default roles exist in all Cisco MDS switches:
- SVC administrator (svc-admin)—Has permission to view the entire configuration and make SVC-specific configuration changes within the switch(svc) prompt.
- SVC operator (svc-operator)—Has permission to view the entire configuration. The operator cannot make any configuration changes.

Note
Refer to the Cisco MDS 9000 Family SAN Volume Controller Configuration Guide for more information on SVC.

These four default roles cannot be changed or deleted. You can create additional roles and configure the following options:
- Configure role-based authorization by assigning user roles locally or using remote AAA servers.
- Configure user profiles on a remote AAA server to contain role information. This role information is automatically downloaded and used when the user is authenticated through the remote AAA server.

Note
If a user only belongs to one of the newly-created roles and that role is subsequently deleted, then the user immediately defaults to the network-operator role.

Accounting

The accounting feature tracks and maintains a log of every management session used to access the switch. This information can be used to generate reports for troubleshooting and auditing purposes. Accounting logs can be stored locally or sent to remote AAA servers.
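The role rules from the Authorization section (four fixed default roles, up to 64 additional roles, fallback to network-operator when a user's only role is deleted) are modelled here as a pre-change check. This is an added example, not Cisco code or switch output. The `RoleTable` class, its methods, and the sample role and user names are assumptions made for illustration.

```python
# Added example: model of the role rules in the Authorization section.
# RoleTable and all role/user names below are hypothetical, not SAN-OS code.
# The two svc-* roles exist only in SAN Volume Controller (SVC) setups.
DEFAULT_ROLES = frozenset({"network-operator", "network-admin", "svc-admin", "svc-operator"})
FALLBACK_ROLE = "network-operator"
MAX_CUSTOM_ROLES = 64

class RoleTable:
    def __init__(self):
        self.custom_roles = set()
        self.user_roles = {}  # username -> set of role names

    def create_role(self, name):
        if name in DEFAULT_ROLES or name in self.custom_roles:
            raise ValueError(f"role {name!r} already exists")
        if len(self.custom_roles) >= MAX_CUSTOM_ROLES:
            raise ValueError("limit of 64 additional roles reached")
        self.custom_roles.add(name)

    def assign(self, user, *roles):
        unknown = set(roles) - DEFAULT_ROLES - self.custom_roles
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.user_roles.setdefault(user, set()).update(roles)

    def deletion_impact(self, role):
        """Users whose only role is `role`; deleting it moves them to the fallback."""
        return sorted(u for u, r in self.user_roles.items() if r == {role})

    def delete_role(self, role):
        if role in DEFAULT_ROLES:
            raise PermissionError(f"default role {role!r} cannot be deleted")
        moved = self.deletion_impact(role)
        self.custom_roles.remove(role)  # KeyError if the role does not exist
        for roles in self.user_roles.values():
            roles.discard(role)
            if not roles:  # user held only the deleted role
                roles.add(FALLBACK_ROLE)
        return moved

def build_sample():
    """Constructed inventory for the demonstration."""
    table = RoleTable()
    for name in ("zoning-admin", "backup-ops"):
        table.create_role(name)
    table.assign("alice", "network-admin")
    table.assign("bob", "zoning-admin")
    table.assign("carol", "zoning-admin", "backup-ops")
    return table
```

Run `deletion_impact` before removing a role: every user it returns ends up with network-operator, which can view the configuration and may therefore see more than the deleted role allowed.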
