Configuring radius authorization, Configuring exec authorization, Configuring command authorization – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

62

Multi-Service IronWare Security Configuration Guide

53-1003035-02

Configuring RADIUS security

1

To configure the Brocade device to prompt only for a password when a user attempts to gain Super
User access to the Privileged EXEC and CONFIG levels of the CLI, enter the following command.

Brocade(config)# aaa authentication enable implicit-user

Syntax: [no] aaa authentication enable implicit-user

Configuring RADIUS authorization

The Brocade device supports RADIUS authorization for controlling access to management
functions in the CLI. Two kinds of RADIUS authorization are supported:

•

Exec authorization determines a user’s privilege level when they are authenticated

•

Command authorization consults a RADIUS server to get authorization for commands entered
by the user

Configuring Exec authorization

NOTE

Before you configure RADIUS exec authorization on a Brocade device, make sure that the aaa
authentication enable default radius command exists in the configuration.

When RADIUS exec authorization is performed, the Brocade device consults a RADIUS server to
determine the privilege level of the authenticated user.

To configure RADIUS exec authorization on a Brocade device, enter the following command.

Brocade(config)# aaa authentication login default radius

Brocade(config)# aaa authorization exec default radius

Syntax: [no] aaa authorization exec default radius | none

If you specify none, or omit the aaa authorization exec command from the device’s configuration,
no exec authorization is performed.

NOTE

If the aaa authorization exec default radius command exists in the configuration, following
successful authentication the device assigns the user the privilege level specified by the
brocade-privilege-level attribute received from the RADIUS server. If the aaa authorization exec
default radius command does not exist in the configuration, then the value in the
brocade-privilege-level attribute is ignored, and the user is granted Super User access.

For the aaa authorization exec default radius command to work, either the aaa authentication login
default radius command, or the aaa authentication enable default radius command must also exist
in the configuration.

Configuring command authorization

When RADIUS command authorization is enabled, the Brocade device consults the list of
commands supplied by the RADIUS server during authentication to determine whether a user can
execute a command he or she has entered.