Brocade ICX 6650 Security Configuration Guide
37
53-1002601-01
TACACS and TACACS+ security
To set a user privilege level, you can configure the "foundry-privlvl" A-V pair for the Exec service on the TACACS+ server.
Example
user=bob {
   default service = permit
   member admin
   #Global password
   global = cleartext "cat"
   service = exec {
      #Brocade privilege level: 0 = super-user, 4 = port-config, 5 = read-only
      foundry-privlvl = 0
   }
}
In this example, the A-V pair foundry-privlvl = 0 grants the user full read-write access. The value in the foundry-privlvl A-V pair is an integer that indicates the privilege level of the user. Possible values are 0 for super-user level, 4 for port-config level, or 5 for read-only level. If a value other than 0, 4, or 5 is specified in the foundry-privlvl A-V pair, the default privilege level of 5 (read-only) is used. The foundry-privlvl A-V pair can also be embedded in the group configuration for the user. See your TACACS+ documentation for the configuration syntax relevant to your server.
If the foundry-privlvl A-V pair is not present, the Brocade device extracts the last A-V pair configured for the Exec service that has a numeric value. The Brocade device uses this A-V pair to determine the user privilege level.
Example
user=bob {
   default service = permit
   member admin
   #Global password
   global = cleartext "cat"
   service = exec {
      #No foundry-privlvl pair: the last numeric pair decides (15 maps to super-user)
      privlvl = 15
   }
}
The attribute name in the A-V pair is not significant; the Brocade device uses the last one that has a numeric value. However, the Brocade device interprets the value for a non-"foundry-privlvl" A-V pair differently than it does for a "foundry-privlvl" A-V pair.
In the example above, the A-V pair configured for the Exec service is privlvl = 15. The Brocade device uses the value in this A-V pair to set the user privilege level to 0 (super-user), granting the user full read-write access.
In a configuration that has both a "foundry-privlvl" A-V pair and a non-"foundry-privlvl" A-V pair for the Exec service, the non-"foundry-privlvl" A-V pair is ignored.
The following table lists how the Brocade device associates a value from a non-"foundry-privlvl" A-V pair with a Brocade privilege level.
TABLE 5    Brocade equivalents for non-"foundry-privlvl" A-V pair values

Value for non-"foundry-privlvl" A-V pair    Brocade privilege level
15                                          0 (super-user)
1 through 14                                4 (port-config)
Any other number, or 0                      5 (read-only)
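The two selection rules above (a "foundry-privlvl" pair wins and only honours 0, 4 or 5; otherwise the last numeric Exec A-V pair is mapped through Table 5) are easy to get wrong when editing a TACACS+ server file, and the failure mode is an unintended super-user grant. The following Python script is an added example, not Brocade code and not part of this guide: it parses the tac_plus-style user block shown in the examples and reports the privilege level the device would assign, so an administrator can review an entry before deploying it. The parser, the function names, and the sample user blocks are constructed for this example; the guide does not state what happens when no numeric pair exists at all, so treating that case as read-only is an assumption.

```python
import re

# Brocade privilege levels named in the guide.
SUPER_USER = 0    # full read-write access
PORT_CONFIG = 4
READ_ONLY = 5     # also the fallback level

def parse_exec_avpairs(config_text):
    """Return the (attribute, value) pairs inside 'service = exec { ... }', in order.

    Small parser for the tac_plus-style user block shown in the guide; it only
    understands one-level 'name = value' lines inside the exec service block.
    """
    match = re.search(r"service\s*=\s*exec\s*\{(.*?)\}", config_text, re.S)
    if match is None:
        return []
    pairs = []
    for raw in match.group(1).splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        name, sep, value = line.partition("=")
        if sep:
            pairs.append((name.strip(), value.strip().strip('"')))
    return pairs

def _is_int(text):
    return re.fullmatch(r"-?\d+", text) is not None

def generic_level(value):
    """Table 5: how a value from a non-foundry-privlvl pair maps to a level."""
    if value == 15:
        return SUPER_USER
    if 1 <= value <= 14:
        return PORT_CONFIG
    return READ_ONLY          # 0, negatives, and anything above 15

def resolve_privilege(pairs):
    """Apply the selection rules described in the guide to the exec A-V pairs."""
    # Rule 1: a foundry-privlvl pair takes precedence; only 0, 4 or 5 are honoured,
    # any other value falls back to read-only, and other pairs are ignored.
    for name, value in pairs:
        if name == "foundry-privlvl":
            if _is_int(value) and int(value) in (SUPER_USER, PORT_CONFIG, READ_ONLY):
                return int(value)
            return READ_ONLY
    # Rule 2: otherwise the *last* pair with a numeric value decides, via Table 5.
    last_numeric = None
    for _, value in pairs:
        if _is_int(value):
            last_numeric = int(value)
    if last_numeric is None:
        # Assumption (not stated in the guide): no numeric pair at all -> read-only.
        return READ_ONLY
    return generic_level(last_numeric)

LEVEL_NAMES = {SUPER_USER: "super-user", PORT_CONFIG: "port-config", READ_ONLY: "read-only"}

def audit_user_block(config_text):
    """Return (level, name) so an entry can be checked before it reaches the server."""
    level = resolve_privilege(parse_exec_avpairs(config_text))
    return level, LEVEL_NAMES[level]

# Constructed samples: the guide's second example, and a block with both pair kinds.
GUIDE_EXAMPLE = '''
user=bob {
   default service = permit
   member admin
   #Global password
   global = cleartext "cat"
   service = exec {
      privlvl = 15
   }
}
'''

MIXED_EXAMPLE = '''
user=alice {
   service = exec {
      privlvl = 15
      foundry-privlvl = 5
   }
}
'''

if __name__ == "__main__":
    for label, text in (("bob", GUIDE_EXAMPLE), ("alice", MIXED_EXAMPLE)):
        print(label, audit_user_block(text))
```

Running the script prints 0 (super-user) for bob, matching the guide's explanation of privlvl = 15, and 5 (read-only) for alice, because her foundry-privlvl = 5 pair makes the privlvl pair irrelevant. The same function can be pointed at every user block in a server file to flag entries that resolve to super-user.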