Advisor
mr_red
Posts: 22
Registered: ‎01-17-2012
Message 1 of 4 (570 Views)
Accepted Solution

TACACS+ authorization on HP switch

Hi guys!

I'm trying to reinforce access security on my HP E6600 switch by configuring aaa with a tac_plus server.

I was successful testing authentication, but I can't figure out how to set up command authorization. For example, this tac_plus config:

user = username {
        default service = deny
        service = exec {
                priv-lvl = 0
        }
        cmd = show { deny .* }
}

doesn't have any effect on the switch, and the user can still execute all commands of level 0.

Is the authorization feature (with TACACS+) supported on this switch, and if yes, how do I configure it?

Thank you,

PS: the firmware version is K.15.07.0008

Honored Contributor
Peter_Debruyne
Posts: 324
Registered: ‎03-21-2011
Message 2 of 4 (551 Views)

Re: TACACS+ authorization on HP switch

Hi,

AFAIK, ProVision only supports TACACS authentication, not authorization. Command authorization can be achieved through a RADIUS server with some VSAs listing the allowed/disallowed commands.

Best regards, Peter
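
The RADIUS approach mentioned in the reply above, as an added example that is not part of the original thread: a FreeRADIUS `users` entry that denies `show` to one operator-level account through the HP vendor-specific attributes HP-Command-String and HP-Command-Exception, with the matching switch-side commands shown as comments. The user name, password, server address and shared secret are constructed placeholders, and the example assumes FreeRADIUS with its bundled HP dictionary and a firmware release that supports RADIUS command authorization.

```text
# --- FreeRADIUS "users" file (constructed sample account) ---
#
# Service-Type selects the login level on the switch:
#   NAS-Prompt-User -> operator, Administrative -> manager
# HP-Command-String is a semicolon-separated list of commands
#   (regular expressions are accepted).
# HP-Command-Exception says how the list is interpreted:
#   0 = permit the listed commands, deny everything else
#   1 = deny the listed commands, permit everything else
#
# Equivalent of the intent in the tac_plus config above:
# operator-level login that may not run "show".

username  Cleartext-Password := "REPLACE_WITH_PASSWORD"
          Service-Type = NAS-Prompt-User,
          HP-Command-String = "show",
          HP-Command-Exception = 1

# A stricter allow-list variant for a second constructed account:
# only "ping" and "traceroute" are permitted, everything else is denied.

netcheck  Cleartext-Password := "REPLACE_WITH_PASSWORD"
          Service-Type = NAS-Prompt-User,
          HP-Command-String = "ping;traceroute",
          HP-Command-Exception = 0

# --- Switch side (ProVision CLI, shown here as comments) ---
#
# radius-server host 192.0.2.10 key REPLACE_WITH_SHARED_SECRET
# aaa authentication ssh login radius local
# aaa authentication ssh enable radius local
# aaa authorization commands radius
#
# 192.0.2.10 is a documentation address standing in for the RADIUS server.
# Keeping "local" as the secondary method leaves a fallback login if the
# RADIUS server is unreachable.
```

The allow-list form (HP-Command-Exception = 0) fails closed: a command missing from the list is refused, whereas a deny list permits anything that was not anticipated.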

Advisor
mr_red
Posts: 22
Registered: ‎01-17-2012
Message 3 of 4 (543 Views)

Re: TACACS+ authorization on HP switch

Thank you for answering. That was helpful.

Occasional Advisor
krillean
Posts: 9
Registered: ‎10-31-2012
Message 4 of 4 (422 Views)

Re: TACACS+ authorization on HP switch

According to the HP manuals for ProCurve switches, you should be able to set the privilege level to either 1 or 15, giving you operator or manager rights. This is done with the command:

aaa authentication login privilege-mode

But the switch (e.g. a 3500 or 6600 switch) doesn't acknowledge the "priv-lvl=1" setting on a TACACS+ or TACACS.net server. I am guessing the attribute name is different on ProCurve, but I am not able to find it.

Does anybody know more about this?

Best Regards // Kristian Modess
