Netgear M4200-10MG-PoE+ (GSM4210P) - Multigigabit Managed Switch with 8x2.5G and 2x10G SFP+ Layer 3 Administrator Guide
Security Management
Managed Switches
Command Authorization
Authorization determines if a user is authorized to perform certain activities such as entering
specific EXEC commands.
TACACS+ servers support command authorization natively. The RADIUS protocol does not, but you
can carry a list of commands that are permitted or denied for a user in a vendor-specific
attribute (VSA, RADIUS attribute 26). The switch downloads this command list from the RADIUS
server when the user logs in. Each time the user executes a command, the command is validated
against the downloaded list for that user. Because the list is fetched at login, a change to a
user's command authorization list takes effect only after the user has logged off and logged in
again.
The vendor-specific attribute netgear-cmdAuth is defined as follows:
VENDOR netgear 4526
ATTRIBUTE netgear-cmdAuth 1 string netgear
Specify the commands in the following format, separated by semicolons:
netgear-cmdAuth = "deny:spanning-tree;interface *",
Note:
The maximum length of the command string in the vendor attribute
cannot be longer than 64 bytes. RADIUS-based command
authorization supports a maximum of 50 commands.
Note:
You can use both a TACACS+ server and a RADIUS server for
command authorization. If the first method of command authorization
returns an error, the second method is used for command
authorization.
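The following is an added example, not code from the Netgear guide or the switch firmware. It models how the switch could treat the netgear-cmdAuth values it downloads: parsing the semicolon-separated list, enforcing the two documented limits (64 bytes per attribute value, 50 commands per user), validating a typed command against the list, and moving from a first authorization method to a second one only when the first returns an error rather than an explicit deny. Everything beyond what the guide states is an assumption and is marked as such: that a "permit:" prefix exists alongside "deny:", that a pattern without "*" has to match the whole command, that a trailing "*" matches one or more further tokens, that the first matching pattern wins, and that a command matched by nothing is permitted unless a permit list was downloaded. The sample attribute values and the unreachable TACACS+ method are constructed for the demonstration.

```python
"""Model of RADIUS VSA-based command authorization (added example, not
Netgear code).  It parses netgear-cmdAuth values, enforces the two limits the
guide documents (64 bytes per attribute value, 50 commands per user), checks a
typed command against the downloaded list, and falls back to a second method
only when the first one errors.

Assumptions not stated on the page: a "permit:" prefix exists alongside
"deny:"; a pattern without "*" must match the whole command; a trailing "*"
matches one or more further tokens; the first matching pattern wins; a
command matched by nothing is permitted unless a permit list was downloaded.
"""
from dataclasses import dataclass
from typing import Callable, List

MAX_VSA_BYTES = 64   # guide: the command string in one attribute value is at most 64 bytes
MAX_COMMANDS = 50    # guide: RADIUS-based command authorization supports at most 50 commands


@dataclass(frozen=True)
class CmdAuthRule:
    action: str    # "permit" or "deny"
    pattern: str   # e.g. "interface *"


def parse_cmd_auth(vsa_values: List[str]) -> List[CmdAuthRule]:
    """Turn the netgear-cmdAuth instances from one Access-Accept into an
    ordered rule list, rejecting values that violate the documented limits."""
    rules: List[CmdAuthRule] = []
    for value in vsa_values:
        if len(value.encode("utf-8")) > MAX_VSA_BYTES:
            raise ValueError(f"netgear-cmdAuth value longer than {MAX_VSA_BYTES} bytes: {value!r}")
        action, sep, body = value.partition(":")
        action = action.strip().lower()
        if not sep or action not in ("permit", "deny"):   # "permit:" is an assumption
            raise ValueError(f"expected a 'permit:' or 'deny:' prefix in {value!r}")
        for pattern in body.split(";"):
            pattern = " ".join(pattern.split())   # collapse stray whitespace
            if pattern:
                rules.append(CmdAuthRule(action, pattern))
    if len(rules) > MAX_COMMANDS:
        raise ValueError(f"{len(rules)} commands downloaded, limit is {MAX_COMMANDS}")
    return rules


def vsa_is_valid(vsa_values: List[str]) -> bool:
    """True if the attribute values parse within the documented limits."""
    try:
        parse_cmd_auth(vsa_values)
        return True
    except ValueError:
        return False


def pattern_matches(pattern: str, command: str) -> bool:
    """Token-wise comparison; a trailing '*' matches one or more remaining
    command tokens (assumed wildcard semantics)."""
    ptoks, ctoks = pattern.split(), command.split()
    for i, ptok in enumerate(ptoks):
        if ptok == "*":
            return len(ctoks) > i
        if i >= len(ctoks) or ctoks[i].lower() != ptok.lower():
            return False
    return len(ctoks) == len(ptoks)


def authorize(rules: List[CmdAuthRule], command: str) -> bool:
    """Validate one command against the list downloaded for the session."""
    for rule in rules:
        if pattern_matches(rule.pattern, command):
            return rule.action == "permit"
    # No match: a pure deny list permits everything else, a permit list denies it (assumption).
    return not any(r.action == "permit" for r in rules)


class MethodError(Exception):
    """An authorization method failed (server unreachable, malformed reply),
    which is different from the method answering with an explicit deny."""


def authorize_with_fallback(methods: List[Callable[[str], bool]], command: str) -> bool:
    """Try the configured methods in order.  Only an error moves on to the
    next method; a deny returned by the first method is final."""
    last_error: Exception = MethodError("no command authorization method configured")
    for method in methods:
        try:
            return method(command)
        except MethodError as exc:
            last_error = exc
    raise last_error


# Constructed sample: one Access-Accept carrying two netgear-cmdAuth values.
SAMPLE_VSA = ["deny:spanning-tree;interface *", "deny:reload"]
SAMPLE_RULES = parse_cmd_auth(SAMPLE_VSA)


def tacacs_unreachable(command: str) -> bool:
    """Constructed stand-in for a TACACS+ method whose server does not answer."""
    raise MethodError("TACACS+ server unreachable")


def radius_method(command: str) -> bool:
    return authorize(SAMPLE_RULES, command)


def demo() -> dict:
    """TACACS+ first, RADIUS second, as the note above describes."""
    return {cmd: authorize_with_fallback([tacacs_unreachable, radius_method], cmd)
            for cmd in ("show running-config", "interface 1/0/1", "spanning-tree", "reload")}


if __name__ == "__main__":
    for cmd, allowed in demo().items():
        print(f"{cmd:20} {'permitted' if allowed else 'denied'}")
```

Two details are worth checking against a real deployment before relying on them: whether the switch treats a bare command name as an exact match or as a prefix (the guide's own example uses "interface *" to cover a command family, which is why the model requires "*" for that), and whether the 50-command limit counts across all netgear-cmdAuth instances in one reply, as modelled here.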
CLI Example 1: Configure Command Authorization by a
TACACS+ Server
The following example shows how to use the CLI to configure command authorization by a
TACACS+ server for a Telnet user and allow the user to access specific commands only.
1. Change the authentication mode for Telnet users to TACACS+.
(Netgear Switch)(Config)#aaa authentication login "networkList" tacacs