RBAC configuration examples
RBAC configuration example for local AAA authentication
users
Unless otherwise noted, devices in the configuration example are operating in non-FIPS mode.
Network requirements
The switch in
user has the username user1@bbb and is assigned the user role role1.
Configure role1 to have the following permissions:
Executes the read commands of any feature.
•
•
Configures no VLANs except VLANs 10 to 20.
Figure 16 Network diagram
Configuration procedure
# Assign an IP address to VLAN-interface 2, the interface connected to the Telnet user.
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Enable Telnet server.
[Switch] telnet server enable
# Enable scheme authentication on the user interfaces for Telnet users.
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
[Switch-ui-vty0-15] quit
# Enable local authentication and authorization for the ISP domain bbb.
[Switch] domain bbb
[Switch-isp-bbb] authentication login local
[Switch-isp-bbb] authorization login local
[Switch-isp-bbb] quit
# Create the user role role1.
[Switch] role name role1
# Configure rule 1 to permit the user role to access read commands of all features.
[Switch-role-role1] rule 1 permit read feature
# Configure rule 2 to permit the user role to create VLANs and access commands in VLAN view.
[Switch-role-role1] rule 2 permit command system-view ; vlan *
Figure 16
performs local AAA authentication for the Telnet user at 192.168.1.58. This Telnet
53