Netgear M5300-28G-POE+ (GSM7228PSv1h2) - 12-Port Managed Gigabit Switch Administrator Guide

Security Management (page 403 of 721) - Managed Switches
CLI: Configure Command Authorization by a TACACS+ Server
(Netgear Switch)(Config)#aaa authorization commands commandlist tacacs
(Netgear Switch)(Config)#tacacs-server host 10.100.5.13
(Netgear Switch)(Tacacs)#exit
(Netgear Switch)(Config)#tacacs-server key 12345678
(Netgear Switch)(Config)#line telnet
(Netgear Switch)(Config-telnet)#authorization commands commandlist
A command that the TACACS+ server does not permit is rejected with "Command Is Not Authorized"; a permitted command runs normally:
(Netgear Switch)#show authorization methods
show authorization methods : Command Is Not Authorized
(Netgear Switch)#show authorization methods
Command Authorization Method Lists
-------------------------------------
dfltCmdAuthList                :      none
commandlist                    :      tacacs

Line       Command Method List
---------  ---------------------
Console    dfltCmdAuthList
Telnet     commandlist
SSH        dfltCmdAuthList

Exec Authorization Method Lists
-------------------------------------
dfltExecAuthList               :      none

Line       Exec Method List
---------  ---------------------
Console    dfltExecAuthList
Telnet     dfltExecAuthList
SSH        dfltExecAuthList
Note that only the Telnet line uses commandlist; Console and SSH still use dfltCmdAuthList, whose method is none, so commands entered over SSH are not sent to the TACACS+ server for authorization until the same list is applied under line ssh. The key 12345678 is a placeholder only: use a long random shared secret, and prefer SSH over Telnet, which carries the login and every command in cleartext.
Exec Authorization
When user authentication succeeds, the user receives access to the user EXEC mode. You can also give a user direct access to the privileged EXEC mode by using the EXEC authorization method.
If the EXEC authorization method uses a TACACS+ authorization server, a separate session is established with the TACACS+ server to return the authorization attributes.
If the EXEC authorization method uses a RADIUS authorization server, the Service-Type attribute (RADIUS attribute 6) or the Cisco vendor-specific attribute (VSA) "shell:priv-lvl" is used. If the Service-Type value is returned as Administrative or the Cisco VSA "shell:priv-lvl" is at least FD_USER_MGR_ADMIN_ACCESS_LEVEL (15), the user receives access to the privileged EXEC mode.
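As an added worked example (not from the Netgear guide), the following Python shows how the two RADIUS attributes named above are laid out on the wire in an Access-Accept, per RFC 2865: attribute 6 (Service-Type) with the value 6 (Administrative), and attribute 26 (Vendor-Specific) carrying Cisco vendor ID 9 and sub-attribute 1 (Cisco-AVPair) with the string "shell:priv-lvl=N". It encodes them, parses them back, and applies the guide's rule: privileged EXEC only if Service-Type is Administrative or shell:priv-lvl is at least 15; user EXEC when the attributes are absent or malformed. The sample Access-Accept payloads are constructed here, not captured from a real server, and the function names are my own.

```python
import struct

# RFC 2865 attribute numbers and values involved in the EXEC-authorization check
SERVICE_TYPE = 6                 # Service-Type attribute
SERVICE_TYPE_ADMINISTRATIVE = 6  # Service-Type value "Administrative"
VENDOR_SPECIFIC = 26             # Vendor-Specific attribute
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                 # Cisco-AVPair sub-attribute, carries "shell:priv-lvl=N"
ADMIN_ACCESS_LEVEL = 15          # the guide's FD_USER_MGR_ADMIN_ACCESS_LEVEL


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as type(1) length(1) value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_cisco_avpair(text):
    """Wrap a Cisco-AVPair string in a Vendor-Specific attribute (vendor 9, sub-type 1)."""
    data = text.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def decode_attrs(blob):
    """Parse a run of RADIUS attributes into (type, value) pairs; reject bad lengths."""
    attrs = []
    while blob:
        if len(blob) < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", blob[:2])
        if length < 2 or length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[2:length]))
        blob = blob[length:]
    return attrs


def cisco_avpairs(attrs):
    """Yield the Cisco-AVPair strings found inside Vendor-Specific attributes."""
    for attr_type, value in attrs:
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub = value[4:]
        while len(sub) >= 2:
            sub_type, sub_len = struct.unpack("!BB", sub[:2])
            if sub_len < 2 or sub_len > len(sub):
                break
            if sub_type == CISCO_AVPAIR:
                yield sub[2:sub_len].decode(errors="replace")
            sub = sub[sub_len:]


def privileged_exec_granted(attrs):
    """The guide's rule: Service-Type=Administrative, or shell:priv-lvl >= 15."""
    for attr_type, value in attrs:
        if attr_type == SERVICE_TYPE and len(value) == 4:
            if struct.unpack("!I", value)[0] == SERVICE_TYPE_ADMINISTRATIVE:
                return True
    for pair in cisco_avpairs(attrs):
        key, sep, val = pair.partition("=")
        if sep and key.strip() == "shell:priv-lvl":
            try:
                return int(val.strip()) >= ADMIN_ACCESS_LEVEL
            except ValueError:
                return False  # malformed level: fail closed, stay in user EXEC
    return False  # neither attribute present: user EXEC only


def classify(blob):
    """Map the attribute payload of an Access-Accept to the EXEC mode the user lands in."""
    return "privileged EXEC" if privileged_exec_granted(decode_attrs(blob)) else "user EXEC"


# Constructed sample Access-Accept attribute payloads (hypothetical, not real captures)
ACCEPT_ADMIN_SERVICE_TYPE = encode_attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))
ACCEPT_PRIV15 = encode_cisco_avpair("shell:priv-lvl=15")
ACCEPT_PRIV1 = encode_cisco_avpair("shell:priv-lvl=1")
ACCEPT_NO_LEVEL = encode_attr(SERVICE_TYPE, struct.pack("!I", 1))  # Service-Type=Login only

if __name__ == "__main__":
    for name, blob in [("Service-Type=Administrative", ACCEPT_ADMIN_SERVICE_TYPE),
                       ("shell:priv-lvl=15", ACCEPT_PRIV15),
                       ("shell:priv-lvl=1", ACCEPT_PRIV1),
                       ("Service-Type=Login", ACCEPT_NO_LEVEL)]:
        print(f"{name:28} -> {classify(blob)}")
```

Because RADIUS has no separate authorization exchange, these attributes have to ride in the Access-Accept itself; a server that authenticates the user but omits both attributes leaves the user in user EXEC, which is the safe default the decision function reproduces.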
Because the RADIUS protocol does not support authorization, the privilege level attribute 
must be returned with the authentication response. If the service-type attribute is already