DELL 9.7(0.0) User Guide

line vty 7
login authentication ucraaa
authorization exec ucraaa
accounting commands role netadmin ucraaa
line vty 8
login authentication ucraaa
authorization exec ucraaa
accounting commands role netadmin ucraaa
line vty 9
login authentication ucraaa
authorization exec ucraaa
accounting commands role netadmin ucraaa
!
Configuring TACACS+ and RADIUS VSA Attributes for RBAC
For RBAC and privilege levels, the Dell Networking OS RADIUS and TACACS+ implementation supports 
two vendor-specific options: privilege level and roles. The Dell Networking vendor-ID is 6027, and the 
supported option is an attribute of type string named “Force10-avpair”. The value is a string in the 
following format:
protocol : attribute sep value 
“attribute” and “value” are an attribute-value (AV) pair defined in the Dell Network OS TACACS+ 
specification, and “sep” is “=”. These attributes make the full set of TACACS+ authorization features 
available, and the same attributes are used for authorization with RADIUS.
Example for Configuring a VSA Attribute for a Privilege Level 15
The following example configures an AV pair that allows a user to log in from a network access server 
with a privilege level of 15 and have access to EXEC commands.
The format to create a Dell Network OS AV pair for privilege level is shell:priv-lvl=<number> where 
number is a value between 0 and 15.
Force10-avpair= "shell:priv-lvl=15"
Example for Creating an AVP Pair for System Defined or User-Defined Role 
The following section shows you how to create an AV pair that allows a user to log in from a network access 
server and have access to commands based on the user’s role. The format to create an AV pair for a user 
role is Force10-avpair= "shell:role=<user-role>" where user-role is a user-defined or system-defined 
role.
In the following example, you create an AV pair for a system-defined role, sysadmin.
Force10-avpair= "shell:role=sysadmin"
In the following example, you create an AV pair for a user-defined role. You must also define a role, using 
the userrole myrole inherit command on the switch to associate it with this AV pair.
Force10-avpair= "shell:role=myrole"
The string, “myrole”, is associated with a TACACS+ user group. The user IDs are associated with the user 
group.
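An added example, not part of the Dell guide: a Python check that parses Force10-avpair values in the protocol:attribute=value form described above and audits them before they are loaded into a RADIUS or TACACS+ user database. The user names, the set of roles on the switch, and the choice to flag privilege level 15 for review are assumptions of the example.

```python
import re

# Grammar from this section: protocol ":" attribute "=" value
AVPAIR_RE = re.compile(r"^(?P<protocol>[\w-]+):(?P<attribute>[\w-]+)=(?P<value>\S+)$")

def parse_avpair(raw):
    """Split a Force10-avpair value into (protocol, attribute, value)."""
    text = raw.strip().strip('"\u201c\u201d')  # accept straight or curly quotes
    m = AVPAIR_RE.match(text)
    if m is None:
        raise ValueError(f"not in protocol:attribute=value form: {raw!r}")
    return m["protocol"], m["attribute"], m["value"]

def audit_avpair(raw, switch_roles):
    """Return findings for one AV pair; an empty list means nothing to review."""
    try:
        protocol, attribute, value = parse_avpair(raw)
    except ValueError as exc:
        return [str(exc)]
    if protocol != "shell":
        return [f"unexpected protocol {protocol!r}"]
    if attribute == "priv-lvl":
        if not re.fullmatch(r"[0-9]{1,2}", value) or int(value) > 15:
            return [f"priv-lvl {value!r} is outside 0-15"]
        # Assumption of this example: the highest level always gets a second look.
        return ["grants privilege level 15"] if int(value) == 15 else []
    if attribute == "role":
        # The role must exist on the switch (system-defined or created with userrole).
        return [] if value in switch_roles else [f"role {value!r} is not defined on the switch"]
    return [f"unknown attribute {attribute!r}"]

def audit_users(avpairs_by_user, switch_roles):
    """Map each user to its findings, omitting users with none."""
    report = {u: audit_avpair(v, switch_roles) for u, v in avpairs_by_user.items()}
    return {u: f for u, f in report.items() if f}

# Constructed sample data: roles assumed to exist on the switch, and AV pairs
# as they might appear in an AAA server's user database.
SWITCH_ROLES = {"sysadmin", "netadmin", "myrole"}
SAMPLE = {
    "alice": '"shell:priv-lvl=15"',
    "bob": '"shell:role=sysadmin"',
    "carol": '"shell:role=myrol"',       # typo: matches no role on the switch
    "dave": '"shell:priv-lvl=16"',       # out of range
    "erin": '"shell priv-lvl=1"',        # missing ':' separator
}

if __name__ == "__main__":
    for user, findings in audit_users(SAMPLE, SWITCH_ROLES).items():
        print(user, findings)
```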