Authorization, Accounting – NEC INTELLIGENT L2 SWITCH N8406-022A User Manual


Accessing the switch 19


Authorization

Authorization is the action of determining a user’s privileges on the device, and usually takes place after
authentication.

The default mapping between TACACS+ authorization privilege levels and switch management access levels is
shown in the table below. The privilege levels listed in the following table must be defined on the TACACS+ server.

Table 4 Default TACACS+ privilege levels

User access level    TACACS+ level
user                 0
oper                 3
admin                6

The alternate mapping between TACACS+ privilege levels and this switch's management access levels is shown in
the table below. Use the command /cfg/sys/tacacs/cmap ena to enable the alternate TACACS+ privilege levels.

Table 5 Alternate TACACS+ privilege levels

User access level    TACACS+ level
user                 0-1
oper                 6-8
admin                14-15

You can customize the mapping between TACACS+ privilege levels and this switch's management access levels.
Use the /cfg/sys/tacacs/usermap command to manually map each TACACS+ privilege level (0-15) to a
corresponding switch management access level (user, oper, admin, none).

If the remote user is authenticated by the authentication server, the switch verifies the privileges of the remote user
and authorizes the appropriate access. When neither the primary nor the secondary authentication server is
reachable, the administrator has the option to allow backdoor access via the console only, or via both the console
and Telnet. By default, Telnet backdoor access is disabled and console backdoor access is enabled. The
administrator can also enable secure backdoor (/cfg/sys/tacacs/secbd) to allow access if both the primary and
secondary TACACS+ servers fail to respond.
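The following is an added example, not code from the NEC manual: it models the privilege-level mapping described above (Table 4, Table 5 and the usermap override) together with the console/Telnet backdoor decision taken when both TACACS+ servers are unreachable. The rule that a level missing from a table resolves to "none", and the treatment of non-console/Telnet channels during fallback, are assumptions made here; secure backdoor (secbd) is not modelled.

```python
# Added example: model of the switch's TACACS+ authorization mapping.
# Level tables follow Table 4 and Table 5 of the manual; everything else
# (unmapped level -> "none", fallback for ssh/http) is an assumption.

DEFAULT_MAP = {0: "user", 3: "oper", 6: "admin"}

# Alternate mapping selected by /cfg/sys/tacacs/cmap ena; ranges are expanded.
ALTERNATE_MAP = {
    lvl: access
    for lo, hi, access in ((0, 1, "user"), (6, 8, "oper"), (14, 15, "admin"))
    for lvl in range(lo, hi + 1)
}

VALID_ACCESS = {"user", "oper", "admin", "none"}


def build_usermap(overrides, base=None):
    """Model /cfg/sys/tacacs/usermap: map each TACACS+ level 0-15 to
    user, oper, admin or none. Levels not in `overrides` keep the value
    from `base` (the default table when None)."""
    table = dict(DEFAULT_MAP if base is None else base)
    for level, access in overrides.items():
        if not 0 <= level <= 15:
            raise ValueError(f"TACACS+ privilege level out of range: {level}")
        if access not in VALID_ACCESS:
            raise ValueError(f"unknown switch access level: {access}")
        table[level] = access
    return table


def authorize(priv_lvl, cmap_enabled=False, usermap=None):
    """Access level granted to an authenticated user whose TACACS+ reply
    carries privilege level `priv_lvl`. A custom usermap wins over the
    built-in tables; an unmapped level yields "none" (assumption)."""
    if usermap is not None:
        table = usermap
    else:
        table = ALTERNATE_MAP if cmap_enabled else DEFAULT_MAP
    return table.get(priv_lvl, "none")


def backdoor_allowed(channel, telnet_backdoor=False, console_backdoor=True):
    """Fallback decision when both TACACS+ servers fail to respond.
    Defaults mirror the manual: console enabled, Telnet disabled.
    Other channels (ssh/http) are refused; that is an assumption here."""
    if channel == "console":
        return console_backdoor
    if channel == "telnet":
        return telnet_backdoor
    return False
```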

Accounting

Accounting is the action of recording a user’s activities on the device for the purposes of billing and/or security. It
follows the authentication and authorization actions. If authentication and authorization are not performed via
TACACS+, no TACACS+ accounting messages are sent out.

You can use TACACS+ to record and track software logins, configuration changes, and interactive commands.

The switch supports the following TACACS+ accounting attributes:

• protocol (console/telnet/ssh/http)
• start_time
• stop_time
• elapsed_time

NOTE: When using the browser-based interface, the TACACS+ Accounting Stop records are sent only
if the Quit button in the browser is clicked.
