IBM 12.1(22)EA6 User Manual
5-15
Cisco Systems Intelligent Gigabit Ethernet Switch Modules for the IBM BladeCenter, Software Configuration Guide
24R9746
Chapter 5 Configuring Switch-Based Authentication
Controlling Switch Access with TACACS+
To disable AAA, use the no aaa new-model global configuration command. To disable AAA
authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global
configuration command. To either disable TACACS+ authentication for logins or to return to the default
value, use the no login authentication {default | list-name} line configuration command.
authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global
configuration command. To either disable TACACS+ authentication for logins or to return to the default
value, use the no login authentication {default | list-name} line configuration command.
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
AAA authorization limits the services available to a user. When AAA authorization is enabled, the
switch uses information retrieved from the user’s profile, which is located either in the local user
database or on the security server, to configure the user’s session. The user is granted access to a
requested service only if the information in the user profile allows it.
switch uses information retrieved from the user’s profile, which is located either in the local user
database or on the security server, to configure the user’s session. The user is granted access to a
requested service only if the information in the user profile allows it.
You can use the aaa authorization global configuration command with the tacacs+ keyword to set
parameters that restrict a user’s network access to privileged EXEC mode.
parameters that restrict a user’s network access to privileged EXEC mode.
The aaa authorization exec tacacs+ local command sets these authorization parameters:
•
Use TACACS+ for privileged EXEC access authorization if authentication was performed by using
TACACS+.
TACACS+.
•
Use the local database if authentication was not performed by using TACACS+.
Note
Authorization is bypassed for authenticated users who log in through the CLI even if authorization has
been configured.
been configured.
Beginning in privileged EXEC mode, follow these steps to specify TACACS+ authorization for
privileged EXEC access and network services:
privileged EXEC access and network services:
To disable authorization, use the no aaa authorization {network | exec} method1 global configuration
command.
command.
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
aaa authorization network tacacs+
Configure the switch for user TACACS+ authorization for all
network-related service requests.
network-related service requests.
Step 3
aaa authorization exec tacacs+
Configure the switch for user TACACS+ authorization to determine if the
user has privileged EXEC access.
user has privileged EXEC access.
The exec keyword might return user profile information (such as
autocommand information).
autocommand information).
Step 4
end
Return to privileged EXEC mode.
Step 5
show running-config
Verify your entries.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.