Configuring command authorization – Brocade Virtual ADX Administration Guide (Supporting ADX v03.1.00) User Manual


Brocade Virtual ADX Administration Guide


53-1003249-01

Configuring RADIUS security


NOTE

If the aaa authorization exec default radius command exists in the configuration, following
successful authentication the device assigns the user the privilege level specified by the
brocade-privilege-level attribute received from the RADIUS server. If the aaa authorization exec
default radius command does not exist in the configuration, then the value in the
brocade-privilege-level attribute is ignored, and the user is granted Super User access.

Also note that in order for the aaa authorization exec default radius command to work, either the
aaa authentication enable default radius command, or the aaa authentication login privilege-mode
command must also exist in the configuration.

Configuring command authorization

When RADIUS command authorization is enabled, the Brocade Virtual ADX consults the list of
commands supplied by the RADIUS server during authentication to determine whether a user can
execute a command he or she has entered.

You enable RADIUS command authorization by specifying a privilege level whose commands
require authorization. For example, to configure the Brocade Virtual ADX to perform authorization
for the commands available at the Super User privilege level (that is, all commands on the device),
enter the following command.

Virtual ADX(config)#aaa authorization commands 0 default radius

Syntax: aaa authorization commands privilege-level default radius | tacacs+ | none

The privilege-level variable can be one of the following:

0 – Authorization is performed (that is, the Brocade Virtual ADX looks at the command list) for
commands available at the Super User level (all commands)

4 – Authorization is performed for commands available at the Port Configuration level
(port-config and read-only commands)

5 – Authorization is performed for commands available at the Read Only level (read-only
commands)

NOTE

RADIUS command authorization can be performed only for commands entered from Telnet or SSH
sessions, or from the console. No authorization is performed for commands entered at the Web
Management Interface.

NOTE

Since RADIUS command authorization relies on the command list supplied by the RADIUS server
during authentication, you cannot perform RADIUS authorization without RADIUS authentication.

Command authorization and accounting for console commands

The Brocade Virtual ADX supports command authorization and command accounting for CLI
commands entered at the console. To configure the device to perform command authorization and
command accounting for console commands, enter the following.

Virtual ADX(config)#enable aaa console

Syntax: enable aaa console
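
The following is an added example, not part of the Brocade guide: a small Python check that reads a saved configuration and reports which of the dependencies described in the notes above are unmet. The function names, finding identifiers and both sample configurations are constructed for illustration; only the CLI commands themselves come from this page.

```python
import re

# Constructed sample: command authorization only at level 4, nothing else set.
WEAK = "Virtual ADX(config)#aaa authorization commands 4 default radius\n"
# Constructed sample: every dependency named in the guide is present.
GOOD = """\
aaa authentication enable default radius
aaa authorization exec default radius
aaa authorization commands 0 default radius
enable aaa console
"""

def normalize(config_text):
    """Strip pasted CLI prompts, collapse whitespace, return the set of lines."""
    lines = set()
    for raw in config_text.splitlines():
        line = re.sub(r"^.*\(config\)#", "", raw)
        line = " ".join(line.split()).lower()
        if line and not line.startswith("!"):
            lines.add(line)
    return lines

def audit(config_text):
    """Return (id, message) findings for the AAA dependencies in the guide."""
    cfg = normalize(config_text)
    out = []
    if "aaa authorization exec default radius" not in cfg:
        out.append(("exec-authz-missing", "brocade-privilege-level is ignored; "
                    "RADIUS users are granted Super User access"))
    elif not cfg & {"aaa authentication enable default radius",
                    "aaa authentication login privilege-mode"}:
        out.append(("exec-authz-ineffective", "exec authorization needs enable "
                    "authentication via RADIUS or login privilege-mode"))
    levels = {int(m.group(1)) for line in cfg
              if (m := re.fullmatch(r"aaa authorization commands (\d+) default radius\b.*", line))}
    if not levels:
        out.append(("cmd-authz-missing", "no RADIUS command authorization"))
    elif 0 not in levels:
        out.append(("cmd-authz-partial", "Super User commands are not "
                    "authorized; configured levels: %s" % sorted(levels)))
    if "enable aaa console" not in cfg:
        out.append(("console-not-enabled", "'enable aaa console' is absent, "
                    "which the guide requires for console authorization"))
    return out

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(name, audit(text) or "no findings")
```

The check does not cover the Web Management Interface, where no command authorization is performed regardless of these settings.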
