Configuring radius accounting – Brocade BigIron RX Series Configuration Guide User Manual

BigIron RX Series Configuration Guide


53-1002484-04

Configuring RADIUS security


NOTE

RADIUS command authorization can be performed only for commands entered from Telnet or SSH
sessions, or from the console. No authorization is performed for commands entered at the Web
Management Interface, or Brocade Network Advisor.

NOTE

Since RADIUS command authorization relies on the command list supplied by the RADIUS server
during authentication, you cannot perform RADIUS authorization without RADIUS authentication.

Command authorization and accounting for console commands

The BigIron RX supports command authorization and command accounting for CLI commands
entered at the console. To configure the device to perform command authorization and command
accounting for console commands, enter the following command.

BigIron RX(config)# enable aaa console

Syntax: [no] enable aaa console

CAUTION

If you have previously configured the device to perform command authorization using a RADIUS
server, entering the enable aaa console command may prevent the execution of any subsequent
commands entered on the console.

NOTE

This happens because RADIUS command authorization requires a list of allowable commands from
the RADIUS server. This list is obtained during RADIUS authentication. For console sessions, RADIUS
authentication is performed only if you have configured Enable authentication and specified RADIUS
as the authentication method (for example, with the aaa authentication enable default radius
command). If RADIUS authentication is never performed, the list of allowable commands is never
obtained from the RADIUS server. Consequently, there would be no allowable commands on the
console.

Configuring RADIUS accounting

The device supports RADIUS accounting for recording information about user activity and system
events. When you configure RADIUS accounting on the device, information is sent to a RADIUS
accounting server when specified events occur, such as when a user logs into the device or the
system is rebooted.

Configuring RADIUS accounting for Telnet/SSH (Shell) access

To send an Accounting Start packet to the RADIUS accounting server when an authenticated user
establishes a Telnet or SSH session on the BigIron RX, and an Accounting Stop packet when the
user logs out, enter the following command.

BigIron RX(config)# aaa accounting exec default start-stop radius

Syntax: aaa accounting exec default start-stop radius | tacacs+ | none
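
The following Python script is an added example, not part of the Brocade guide. It audits a saved configuration for the console lockout condition described in the CAUTION above and for missing Telnet/SSH accounting. The sample configurations are constructed, and the aaa authorization commands line is assumed from the guide's command authorization section, since it does not appear on this page.

```python
import re

# Constructed sample configs, not from a real device. The line
# "aaa authorization commands 0 default radius" is an assumption taken from
# the guide's command-authorization section; it is not shown on this page.
SAMPLE_RISKY = """\
aaa authentication login default radius local
aaa authorization commands 0 default radius
enable aaa console
"""

SAMPLE_SAFE = """\
aaa authentication enable default radius
aaa authorization commands 0 default radius
aaa accounting exec default start-stop radius
enable aaa console
"""


def _methods(config, pattern):
    """Return the method list after the first line matching pattern."""
    for line in config.splitlines():
        m = re.match(pattern + r"\s+(.+)$", line.strip())
        if m:
            return m.group(1).split()
    return []


def audit(config):
    """Return findings for the console-lockout and accounting checks."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    console_aaa = "enable aaa console" in lines
    authz = _methods(config, r"aaa authorization commands \d+ default")
    enable_auth = _methods(config, r"aaa authentication enable default")
    acct = _methods(config, r"aaa accounting exec default start-stop")
    # Console commands are checked against a RADIUS command list that is
    # only obtained when RADIUS authentication actually runs.
    if console_aaa and "radius" in authz and "radius" not in enable_auth:
        findings.append("console-lockout-risk")
    # No Accounting Start/Stop packets for Telnet/SSH sessions.
    if not acct or acct == ["none"]:
        findings.append("no-exec-accounting")
    return findings


if __name__ == "__main__":
    for name, cfg in (("risky", SAMPLE_RISKY), ("safe", SAMPLE_SAFE)):
        print(name, audit(cfg))
```

Run it against a saved copy of the configuration before entering enable aaa console, so the lockout is caught while the console still accepts commands.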
