Configuring Command Authorization; Configuration Procedure - HP 6125XLG Configuration Manual

[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] quit
# Associate the ACL with the SNMP community and the SNMP group.
[Sysname] snmp-agent community read aaa acl 2000
[Sysname] snmp-agent group v2c groupa acl 2000
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000

Configuring command authorization

By default, commands are available for a user depending only on that user's user roles. When the
authentication mode is scheme, you can configure the command authorization function to further control
access to commands.
After you enable command authorization, a command is available for a user only if the user has the
commensurate user role and is authorized to use the command by the AAA scheme.
This section provides the procedure for configuring command authorization. To make the command
authorization function take effect, you must configure a command authorization method in ISP domain
view. For more information, see Security Configuration Guide.

Configuration procedure

To configure command authorization:
Step
1. Enter system view.
2. Enter user interface
view.
3. Enable scheme
authentication.
Command
system-view
user-interface { first-number1
[ last-number1 ] | { aux | console
| vty } first-number2
[ last-number2 ] }
authentication-mode scheme
39
Remarks
N/A
N/A
The defaults are as follows:
•
Console user interface—Authentication
is disabled.
•
AUX user interface—Authentication is
disabled if the device started up with
the default configuration file, and
password authentication is enabled if
the device started up with empty
configuration.
•
VTY user interface—Password
authentication is enabled.
For more information about empty
configuration and the default configuration
file, see "Managing configuration files."