Controlling Management Access to the ProCurve Secure Router
Using the AAA Subsystem to Control Management Access
contacts a TACACS+ server in the first group and that server does not
authorize the user to enter the enable mode context, the ProCurve Secure
Router will not attempt to authorize that user with any other TACACS+ groups
listed.
For example, the following command creates the Admin named list and
authorizes authenticated users to enter the enable mode context. That is, if a
user authenticates successfully, that user will automatically enter the enable
mode context when he or she starts a CLI session:
ProCurve (config)# aaa authorization exec Admin if-authenticated
Assign the Named List
To assign the named list you created to a console, Telnet, or SSH line, you must
move to the line configuration mode context. To completely enforce this
security measure, you must ensure that you assign the named list to all of the
Telnet or SSH lines that you have enabled. For example, if you have enabled
all five Telnet lines, you must assign the named list to all five lines.
Assign a Named List for the Basic or Enable Mode Context. To assign
a named list that grants access to the basic or enable mode context, enter the
following command from the appropriate line configuration mode context:
Syntax: authorization commands [1 | 15] [default | <named list>]
Enter 1 to grant access to the basic mode, or enter 15 to grant access to the
enable mode.
Enter default to assign the default list, or replace <named list> with the list
that you have created.
For example, you might use the aaa authorization command to create a
named list called Authorize and then assign it to all of the Telnet lines. You
might also include the 15 option because you want this named list to control
who can enter commands from the enable mode context. From the global
configuration mode context, enter:
ProCurve (config)# line telnet 0 4
ProCurve (config-telnet04)# authorization commands 15 Authorize
Note: If the AAA subsystem is not enabled (by entering aaa on at the global
configuration mode context), the authorization command will not be available
at the line configuration mode context.
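Two requirements on this page are easy to lose track of once a router has been in service for a while: every enabled Telnet or SSH line must carry the named list (a single line left without it bypasses the control), and the line-level authorization command only exists after aaa on has been entered. The following Python script is an added example, not code from the manual or from HP; it audits a saved configuration for those conditions and emits the CLI commands needed to close any gap. It assumes an AOS-style layout in which each line stanza's sub-commands are indented and terminated by "!", and that a named list is defined by an "aaa authorization exec <name>" or "aaa authorization commands <level> <name>" line. The sample configuration is constructed for the example.

```python
"""Audit a ProCurve Secure Router style config for complete authorization
coverage on Telnet and SSH lines (added example; layout assumptions noted)."""
import re
from typing import Dict, List, Set

# Constructed sample running-config (not from the manual). Telnet lines 0-4
# carry the list; the SSH lines do not, which is the gap the audit should find.
SAMPLE_CONFIG = """\
hostname ProCurve
aaa on
aaa authorization commands 15 Authorize if-authenticated
!
line console 0
  login
!
line telnet 0 4
  login
  authorization commands 15 Authorize
!
line ssh 0 4
  login
!
"""

# Assumed syntax: "line <console|telnet|ssh> <first> [<last>]"
LINE_RE = re.compile(r"^line\s+(console|telnet|ssh)\s+\d+(?:\s+\d+)?$")
# Assumed syntax for defining a named list with the aaa authorization command
NAMED_LIST_RE = re.compile(
    r"^aaa\s+authorization\s+(?:exec|commands\s+(?:1|15))\s+(\S+)")


def _stanzas(config: str) -> Dict[str, List[str]]:
    """Map each 'line ...' stanza to its indented sub-commands.

    A stanza ends at '!', a blank line, or the next unindented command
    (assumed AOS-style layout)."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        text = " ".join(raw.split())          # normalise internal whitespace
        if not text or text == "!":
            current = None
            continue
        if raw[0].isspace():                  # sub-command of current stanza
            if current is not None:
                stanzas[current].append(text)
            continue
        current = text if LINE_RE.match(text) else None
        if current is not None:
            stanzas[current] = []
    return stanzas


def aaa_enabled(config: str) -> bool:
    """True when 'aaa on' appears as a top-level command."""
    return any(" ".join(l.split()) == "aaa on" for l in config.splitlines())


def defined_lists(config: str) -> Set[str]:
    """Names of all lists created with the aaa authorization command."""
    names = set()
    for l in config.splitlines():
        m = NAMED_LIST_RE.match(" ".join(l.split()))
        if m:
            names.add(m.group(1))
    return names


def audit(config: str, named_list: str, level: int = 15) -> List[str]:
    """Return human-readable findings; an empty list means full coverage."""
    findings: List[str] = []
    if not aaa_enabled(config):
        findings.append("'aaa on' missing: line-level authorization command unavailable")
    if named_list not in defined_lists(config):
        findings.append(f"named list {named_list!r} is not defined with 'aaa authorization'")
    wanted = f"authorization commands {level} {named_list}"
    for key, subs in _stanzas(config).items():
        # Console is out of scope here; the page's requirement is Telnet/SSH.
        if key.startswith(("line telnet", "line ssh")) and wanted not in subs:
            findings.append(f"{key}: missing '{wanted}'")
    return findings


def remediation(config: str, named_list: str, level: int = 15) -> List[str]:
    """CLI commands (global config mode) that assign the list to every
    Telnet/SSH stanza that lacks it."""
    wanted = f"authorization commands {level} {named_list}"
    cmds: List[str] = []
    for key, subs in _stanzas(config).items():
        if key.startswith(("line telnet", "line ssh")) and wanted not in subs:
            cmds += [key, wanted, "exit"]
    return cmds


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, "Authorize"):
        print("FINDING:", f)
    print("\n".join(remediation(SAMPLE_CONFIG, "Authorize")))
```

Running the script against the sample reports the uncovered SSH stanza and prints the line-mode commands from this page that would close it; pointing it at a real saved configuration only requires that the file follow the indented-stanza layout the parser assumes.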