Configuring Radius Authorization; Configuring Radius Accounting - Foundry Networks Switch and Router Installation And Configuration Manual

Foundry Switch and Router Installation and Configuration Guide
Method Parameter: none
NOTE: For examples of how to define authentication-method lists for types of authentication other than RADIUS,
see "Configuring Authentication-Method Lists" on page 3-47.

Configuring RADIUS Authorization

Foundry devices support RADIUS authorization for controlling access to management functions in the CLI. When
RADIUS authorization is enabled, the Foundry device consults the list of commands supplied by the RADIUS
server during authentication to determine whether a user can execute a command he or she has entered.
You enable RADIUS authorization by specifying a privilege level whose commands require authorization. For
example, to configure the Foundry device to perform authorization for the commands available at the Super User
privilege level (that is, all commands on the device), enter the following command:
BigIron(config)# aaa authorization commands 0 default radius
Syntax: aaa authorization commands <privilege-level> default radius | tacacs+ | none
The <privilege-level> parameter can be one of the following:
0 – Authorization is performed (that is, the Foundry device looks at the command list) for commands available at the Super User level (all commands)
4 – Authorization is performed for commands available at the Port Configuration level (port-config and read-only commands)
5 – Authorization is performed for commands available at the Read Only level (read-only commands)
NOTE: RADIUS authorization is performed only for commands entered from Telnet or SSH sessions. No
authorization is performed for commands entered at the console, the Web management interface, or IronView.
NOTE: Since RADIUS authorization relies on the command list supplied by the RADIUS server during
authentication, you cannot perform RADIUS authorization without RADIUS authentication.
NOTE: A user's privilege level is set during RADIUS authentication, not with an aaa authorization command.
The command aaa authorization exec default radius is ignored by the system.

Configuring RADIUS Accounting

Foundry devices support RADIUS accounting for recording information about user activity and system events.
When you configure RADIUS accounting on a Foundry device, information is sent to a RADIUS accounting server
when specified events occur, such as when a user logs into the device or the system is rebooted.

Configuring RADIUS Accounting for Telnet/SSH (Shell) Access

To send an Accounting Start packet to the RADIUS accounting server when an authenticated user establishes a
Telnet or SSH session on the Foundry device, and an Accounting Stop packet when the user logs out:
BigIron(config)# aaa accounting exec default start-stop radius
Syntax: aaa accounting exec default start-stop radius | tacacs+ | none
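
The dependencies stated in the notes above can be checked against a saved configuration. The following is an added example, not code from the Foundry manual: the function name audit_aaa, the finding codes and the sample configuration are constructed for illustration, and the form of the aaa authentication login line is an assumption, since that command is not shown on this page.

```python
import re

# Scope of each <privilege-level> value, as listed on this page.
LEVEL_SCOPE = {
    0: "Super User level (all commands)",
    4: "Port Configuration level (port-config and read-only commands)",
    5: "Read Only level (read-only commands)",
}

def audit_aaa(config_text):
    """Return (code, message) findings for the aaa lines of a saved configuration."""
    aaa = [" ".join(l.split()) for l in config_text.splitlines()
           if l.strip().startswith("aaa ")]
    findings = []
    # Assumption: the login method list has the form
    # "aaa authentication login default <methods...>"; it is not shown on this page.
    authn_radius = any(
        re.match(r"aaa authentication login default( \S+)* radius\b", l) for l in aaa)
    for l in aaa:
        m = re.fullmatch(r"aaa authorization commands (\d+) default (\S+)", l)
        if m:
            level, method = int(m.group(1)), m.group(2)
            if level not in LEVEL_SCOPE:
                findings.append(("BAD_LEVEL", f"privilege level {level} is not 0, 4 or 5"))
            elif method == "none":
                findings.append(("AUTHZ_OFF", "command authorization is disabled"))
            elif method == "radius":
                findings.append(("AUTHZ_SCOPE", "authorizes commands at the " + LEVEL_SCOPE[level]
                                 + "; Telnet/SSH only, not console, Web or IronView"))
                if not authn_radius:
                    findings.append(("AUTHZ_NO_AUTHN", "RADIUS authorization needs RADIUS "
                                     "authentication to receive the command list"))
        if l == "aaa authorization exec default radius":
            findings.append(("EXEC_IGNORED", "ignored by the system; the privilege level "
                             "is set during RADIUS authentication"))
    if "aaa accounting exec default start-stop radius" not in aaa:
        findings.append(("NO_SHELL_ACCT", "no Accounting Start/Stop for Telnet/SSH sessions"))
    return findings

# Constructed sample configuration (not from a real device).
SAMPLE = """
aaa authentication login default local
aaa authorization commands 4 default radius
aaa authorization exec default radius
"""

if __name__ == "__main__":
    for code, message in audit_aaa(SAMPLE):
        print(f"{code}: {message}")
```
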
3 - 40
Table 3.5: Authentication Method Values (Continued)
Description: Do not use any authentication method. The device automatically permits access.
December 2000
