Foundry Networks Switch and Router Installation And Configuration Manual page 90

Foundry Switch and Router Installation and Configuration Guide
Configuring Exec Authorization
When TACACS+ exec authorization is performed, the Foundry device consults a TACACS+ server to determine
the privilege level of the authenticated user. To configure TACACS+ exec authorization on the Foundry device,
enter the following command:
BigIron(config)# aaa authorization exec default tacacs+
Syntax: aaa authorization exec default tacacs+ | none
Configuring an Attribute-Value Pair on the TACACS+ Server
During TACACS+ exec authorization, the TACACS+ server sends the Foundry device a response containing an
A-V (Attribute-Value) pair that specifies the privilege level of the user. When it receives the response, the Foundry
device extracts the first A-V pair configured for the Exec service and uses it to determine the user's privilege level.
To set a user's privilege level, you configure an A-V pair for the Exec service on the TACACS+ server that specifies
the user's privilege level. For example:
user=bob {
    default service = permit
    member admin
    # Global password
    global = cleartext "cat"
    service = exec {
        privlvl = 0
    }
}
In this example, the first A-V pair configured for the Exec service is privlvl = 0, which grants the user full
read-write access. The Attribute name in the A-V pair is not significant. The Value must be an integer (0, 4, or 5)
that indicates the privilege level of the user. When no privilege level is specified, the default privilege level of 5
(read-only) is used. The A-V pair can also be embedded in the group configuration for the user. See your TACACS+
documentation for the configuration syntax relevant to your server.
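An added example, not from the Foundry manual: a short Python audit that reads tac_plus-style user stanzas like the one above and reports the privilege level each user would receive under the first-A-V-pair rule. The function name, the sample users alice and carol, and the choice to report None for a value other than 0, 4, or 5 are assumptions of this example; it does not resolve A-V pairs inherited from a group.

```python
import re

# Levels listed on this page: 0 Super User, 4 Port Configuration, 5 Read Only.
VALID_LEVELS = {0, 4, 5}
DEFAULT_LEVEL = 5  # used when no privilege level is specified

def effective_levels(config_text):
    """Map each user to the level its first exec A-V pair yields (None = invalid)."""
    results, decided = {}, set()
    user, depth, exec_depth = None, 0, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.endswith("{"):                       # a block opens
            depth += 1
            m = re.match(r"user\s*=\s*(\S+)\s*\{$", line)
            if m and depth == 1:
                user = m.group(1)
                results[user] = DEFAULT_LEVEL        # until an exec pair is seen
            elif user and re.match(r"service\s*=\s*exec\s*\{$", line):
                exec_depth = depth
        elif line == "}":                            # a block closes
            exec_depth = None if depth == exec_depth else exec_depth
            depth -= 1
            user = user if depth else None
        elif line and depth == exec_depth and user not in decided:
            decided.add(user)                        # only the first pair counts
            value = line.split("=", 1)[-1].strip()   # attribute name is ignored
            ok = value.isdigit() and int(value) in VALID_LEVELS
            results[user] = int(value) if ok else None
    return results

# Constructed sample; bob's exec block is the one shown on this page.
SAMPLE = """
user=bob {
    service = exec {
        privlvl = 0
    }
}
user=alice {
}
user=carol {
    service = exec {
        foo = 5
        privlvl = 0
    }
}
"""

if __name__ == "__main__":
    print(effective_levels(SAMPLE))
```

Users reported at level 0 hold full read-write access and are the ones to review first; carol shows that a later privlvl = 0 line has no effect once an earlier pair in the Exec service has been read.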
Configuring Command Authorization
When TACACS+ command authorization is enabled, the Foundry device consults a TACACS+ server to get
authorization for commands entered by the user.
You enable TACACS+ command authorization by specifying a privilege level whose commands require
authorization. For example, to configure the Foundry device to perform authorization for the commands available
at the Super User privilege level (that is, all commands on the device), enter the following command:
BigIron(config)# aaa authorization commands 0 default tacacs+
Syntax: aaa authorization commands <privilege-level> default tacacs+ | radius | none
The <privilege-level> parameter can be one of the following:
0 – Authorization is performed for commands available at the Super User level (all commands)
4 – Authorization is performed for commands available at the Port Configuration level (port-config and read-only commands)
5 – Authorization is performed for commands available at the Read Only level (read-only commands)
NOTE: TACACS+ command authorization is performed only for commands entered from Telnet or SSH
sessions. No authorization is performed for commands entered at the console, the Web management interface,
or IronView.
3 - 26
December 2000
