Re: TACACS+ authorization on HP switch (209 Views)
Advisor
mr_red
Posts: 21
Registered: ‎01-17-2012
Message 1 of 4 (236 Views)
Accepted Solution

TACACS+ authorization on HP switch

Hi guys!

I'm trying to reinforce access security on my HP E6600 switch by configuring aaa with a tac_plus server.

I was successful testing authentication, but I can't figure out how to set up command authorization. For example, this tac_plus config:

user = username {
        default service = deny
        service = exec {
                priv-lvl = 0
        }
        cmd = show { deny .* }
}

doesn't have any effect on the switch, and the user can still execute all commands of level 0.

Is the authorization feature (with TACACS+) supported on this switch, and if yes, how do I configure it?

Thank you,

PS : the firmware version is K.15.07.0008

Honored Contributor
Peter_Debruyne
Posts: 290
Registered: ‎03-21-2011
Message 2 of 4 (217 Views)

Re: TACACS+ authorization on HP switch

Hi,

AFAIK, ProVision only supports TACACS authentication, not authorization. Command authorization can be achieved through a RADIUS server with some VSAs listing the allowed/disallowed commands.

Best regards, Peter
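
Added example, not part of the original thread and not HP's code: Python that builds and parses the RADIUS vendor-specific attributes the reply above refers to, so you can check from a captured attribute section what the server actually returns. The attribute numbers (vendor 11, HP-Command-String = 2, HP-Command-Exception = 3) are assumed from FreeRADIUS's dictionary.hp; the function names and the sample bytes are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26      # RFC 2865 attribute type
HP_VENDOR_ID = 11         # HP enterprise number (assumed from FreeRADIUS dictionary.hp)
HP_COMMAND_STRING = 2     # string: semicolon-separated command list (assumption)
HP_COMMAND_EXCEPTION = 3  # integer: 0 = permit the list, 1 = deny the list (assumption)

def encode_vsa(sub_type, value):
    """Wrap one HP sub-attribute in an RFC 2865 Vendor-Specific attribute."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    body = struct.pack("!I", HP_VENDOR_ID) + bytes([sub_type, 2 + len(data)]) + data
    if len(body) + 2 > 255:
        raise ValueError("attribute too long for one VSA")
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body

def decode_hp_vsas(attrs):
    """Walk a RADIUS attribute section; return the HP command-authorization VSAs."""
    found, i = {}, 0
    while i < len(attrs):
        if len(attrs) - i < 2 or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        a_type, body = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
        if a_type != VENDOR_SPECIFIC or len(body) < 6:
            continue  # not a VSA, or too short to hold vendor id + sub-attribute
        if struct.unpack("!I", body[:4])[0] != HP_VENDOR_ID:
            continue  # another vendor's VSA
        j = 4
        while j + 2 <= len(body):
            s_type, s_len = body[j], body[j + 1]
            if s_len < 2 or j + s_len > len(body):
                raise ValueError("malformed HP sub-attribute")
            data, j = body[j + 2:j + s_len], j + s_len
            if s_type == HP_COMMAND_STRING:
                found["commands"] = data.decode().split(";")
            elif s_type == HP_COMMAND_EXCEPTION and len(data) == 4:
                mode = struct.unpack("!I", data)[0]
                found["mode"] = "deny-list" if mode == 1 else "permit-list"
    return found

# Constructed sample: Service-Type plus the two HP VSAs, as an Access-Accept might carry.
SAMPLE_ATTRS = (bytes([6, 6]) + struct.pack("!I", 6)
                + encode_vsa(HP_COMMAND_STRING, "show;ping")
                + encode_vsa(HP_COMMAND_EXCEPTION, 0))

if __name__ == "__main__":
    print(decode_hp_vsas(SAMPLE_ATTRS))
```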

Advisor
mr_red
Posts: 21
Registered: ‎01-17-2012
Message 3 of 4 (209 Views)

Re: TACACS+ authorization on HP switch

Thank you for answering. That was helpful.

Occasional Advisor
krillean
Posts: 9
Registered: ‎10-31-2012
Message 4 of 4 (88 Views)

Re: TACACS+ authorization on HP switch

According to the HP manuals for ProCurve switches, you should be able to set the privilege level to either 1 or 15, giving you operator or manager rights. This is done with the command:

aaa authentication login privilege-mode

But the switch (e.g. 3500 or 6600 switch) doesn't acknowledge the "priv-lvl=1" setting on a TACACS+ or TACACS.net server. I am guessing the attribute name is different on ProCurve, but I am not able to find it.

Does anybody know more about this?

Best Regards // Kristian Modess
