Configuring tacacs+ authorization, Configuring exec authorization – Brocade Communications Systems Brocade ICX 6650 6650 User Manual

36

Brocade ICX 6650 Security Configuration Guide

53-1002601-01

TACACS and TACACS+ security

•

If the next method in the authentication method list is "enable", the login prompt is skipped,
and the user is prompted for the Enable password (that is, the password configured with the
enable super-user-password command).

•

If the next method in the authentication method list is "line", the login prompt is skipped, and
the user is prompted for the Line password (that is, the password configured with the enable
telnet password command).

Configuring TACACS+ authorization

Brocade devices support TACACS+ authorization for controlling access to management functions in
the CLI. Two kinds of TACACS+ authorization are supported:

•

Exec authorization determines a user privilege level when they are authenticated

•

Command authorization consults a TACACS+ server to get authorization for commands entered
by the user

Configuring EXEC authorization

When TACACS+ EXEC authorization is performed, the Brocade device consults a TACACS+ server to
determine the privilege level of the authenticated user. To configure TACACS+ EXEC authorization
on the Brocade device, enter the following command.

Brocade(config)# aaa authorization exec default tacacs+

Syntax: aaa authorization exec default tacacs+ | none

If you specify none, or omit the aaa authorization exec command from the device configuration, no
EXEC authorization is performed.

A user privilege level is obtained from the TACACS+ server in the “foundry-privlvl” A-V pair. If the aaa
authorization exec default tacacs command exists in the configuration, the device assigns the user
the privilege level specified by this A-V pair. If the command does not exist in the configuration,
then the value in the “foundry-privlvl” A-V pair is ignored, and the user is granted Super User
access.

NOTE

If the aaa authorization exec default tacacs+ command exists in the configuration, following
successful authentication the device assigns the user the privilege level specified by the
“foundry-privlvl” A-V pair received from the TACACS+ server. If the aaa authorization exec default
tacacs+ command does not exist in the configuration, then the value in the “foundry-privlvl” A-V pair
is ignored, and the user is granted Super User access.

Also note that in order for the aaa authorization exec default tacacs+ command to work, either the
aaa authentication enable default tacacs+ command, or the aaa authentication login
privilege-mode command must also exist in the configuration.

Configuring an Attribute-Value pair on the TACACS+ server
During TACACS+ EXEC authorization, the Brocade device expects the TACACS+ server to send a
response containing an A-V (Attribute-Value) pair that specifies the privilege level of the user. When
the Brocade device receives the response, it extracts an A-V pair configured for the Exec service
and uses it to determine the user privilege level.