3Com Switch 4800G 24-Port Configuration Manual page 764

Switch 4800g family 24-port, pwr 24-port, 48-port, pwr 48-port, 24-port sfp

CHAPTER 53: AAA/RADIUS/HWTACACS CONFIGURATION
To do...: Specify the service types for the user
Use the command...: service-type { lan-access | { ssh | telnet | terminal } * [ level level ] }
Remarks: Required. No service is authorized to a user by default.

To do...: Specify the service types for the user: authorize the user to use the FTP service and specify a directory for the user to access
Use the command...: service-type ftp [ ftp-directory directory ]
Remarks: Optional. By default, no service is authorized to a user and anonymous access to FTP service is not allowed. If you authorize a user to use the FTP service but do not specify a directory that the user can access, the user can access the root directory of the device by default.

To do...: Set the directory accessible to FTP/SFTP users
Use the command...: work-directory directory-name
Remarks: Optional. By default, FTP/SFTP users can access the root directory.

To do...: Set the priority level of the user
Use the command...: level level
Remarks: Optional. 0 by default.

To do...: Set attributes for a LAN access user
Use the command...: attribute { access-limit max-user-number | idle-cut minute | ip ip-address | location { nas-ip ip-address port slot-number subslot-number port-number | port slot-number subslot-number port-number } | mac mac-address | vlan vlan-id } *
Remarks: Optional. If the user is bound to a remote port, the nas-ip parameter must be specified. If the user is bound to a local port, the nas-ip parameter does not need to be specified. The default value of nas-ip is 127.0.0.1, meaning the current host.

With the local-user password-display-mode cipher-force command configured, a local user password is always displayed in cipher text, regardless of the configuration of the password command. In this case, if you use the save command to save the configuration, all existing local user passwords will still be displayed in cipher text after the device restarts, even if you restore the display mode to auto.

Local authentication checks the service types of a local user. If the service types are not available, the user cannot pass authentication. During authorization, a user with no service type configured is authorized with no service by default.

If you specify an authentication method that requires the username and password, including local authentication, RADIUS authentication and HWTACACS authentication, the level of the commands that a user can use after logging in depends on the priority of the user; with other authentication methods, it depends on the level of the user interface. For an SSH user using RSA public key authentication, the commands that can be used depend on the level configured on the user interface. For details regarding authentication method and command level, refer to "Controlling Login Users" on page 75 and "Configuring User Levels and Command Levels" on page 1026 respectively.

Both the service-type and level commands can be used to specify user priority. Whichever command is used later takes effect.
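The defaults above can be checked offline against a list of local-user commands. The following Python audit is an added example, not part of the manual or of any 3Com tool: it flags users with no service type, flags FTP users left with root directory access, and applies the "later command wins" rule for the priority level. The input layout, the user names and the flash:/ paths are constructed assumptions, and the function name audit_local_users is hypothetical.

```python
SERVICES = {"lan-access", "ssh", "telnet", "terminal", "ftp"}
# Constructed sample: commands in the order entered (assumed layout, not device output).
SAMPLE = """\
local-user password-display-mode cipher-force
local-user ops
 service-type telnet level 3
 level 1
local-user backup
 service-type ftp
local-user files
 service-type ftp ftp-directory flash:/pub
local-user sftp1
 service-type ssh level 2
 work-directory flash:/sftp
local-user stale
"""

def audit_local_users(text):
    """Return {username: {"level": int, "findings": [str, ...]}}."""
    users, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        words = line.split()
        if line.startswith("local-user password-display-mode"):
            cur = None                      # global display setting, not a user
        elif line.startswith("local-user ") and len(words) >= 2:
            cur = users.setdefault(words[1], {"services": set(), "level": 0, "dir": False})
        elif cur is None or not words:
            continue
        elif words[0] == "service-type":
            cur["services"] |= SERVICES.intersection(words[1:])
            cur["dir"] = cur["dir"] or "ftp-directory" in words
            if "level" in words[:-1]:       # service-type ... level N also sets the priority
                cur["level"] = int(words[words.index("level") + 1])
        elif words[0] == "level" and len(words) == 2:
            cur["level"] = int(words[1])    # the command used later has the final effect
        elif words[0] == "work-directory":
            cur["dir"] = True
    report = {}
    for name, u in users.items():
        findings = []
        if not u["services"]:
            findings.append("no service type: local authentication will fail")
        if "ftp" in u["services"] and not u["dir"]:
            findings.append("FTP without a directory: device root directory is accessible")
        report[name] = {"level": u["level"], "findings": findings}
    return report

if __name__ == "__main__":
    print(audit_local_users(SAMPLE))
```

In the sample, ops ends at level 1 because level 1 follows service-type telnet level 3, and backup is the only user reported with root directory access over FTP.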
