Dell FCX624-E Laptop User Manual


1176 PowerConnect B-Series FCX Configuration Guide
53-1002266-01
Configuring TACACS/TACACS+ security
32
A user privilege level is obtained from the TACACS+ server in the “foundry-privlvl” A-V pair. If the aaa
authorization exec default tacacs+ command exists in the configuration, the device assigns the user
the privilege level specified by this A-V pair. If the command does not exist in the configuration,
then the value in the “foundry-privlvl” A-V pair is ignored, and the user is granted Super User
access.
NOTE
If the aaa authorization exec default tacacs+ command exists in the configuration, following
successful authentication the device assigns the user the privilege level specified by the
“foundry-privlvl” A-V pair received from the TACACS+ server. If the aaa authorization exec default
tacacs+ command does not exist in the configuration, then the value in the “foundry-privlvl” A-V pair
is ignored, and the user is granted Super User access.
Also note that in order for the aaa authorization exec default tacacs+ command to work, either the
aaa authentication enable default tacacs+ command, or the aaa authentication login
privilege-mode command must also exist in the configuration.
Configuring an Attribute-Value pair on the TACACS+ server
During TACACS+ exec authorization, the Dell PowerConnect device expects the TACACS+ server to
send a response containing an A-V (Attribute-Value) pair that specifies the privilege level of the
user. When the Dell PowerConnect device receives the response, it extracts an A-V pair configured
for the Exec service and uses it to determine the user privilege level.
To set a user privilege level, you can configure the “foundry-privlvl” A-V pair for the Exec service on
the TACACS+ server.
Example
user=bob {
    default service = permit
    member admin
    #Global password
    global = cleartext "cat"
    service = exec {
        foundry-privlvl = 0
    }
}
In this example, the A-V pair foundry-privlvl = 0 grants the user full read-write access. The
value in the foundry-privlvl A-V pair is an integer that indicates the privilege level of the user.
Possible values are 0 for super-user level, 4 for port-config level, or 5 for read-only level. If a value
other than 0, 4, or 5 is specified in the foundry-privlvl A-V pair, the default privilege level of 5
(read-only) is used. The foundry-privlvl A-V pair can also be embedded in the group configuration for
the user. See your TACACS+ documentation for the configuration syntax relevant to your server.
If the foundry-privlvl A-V pair is not present, the Dell PowerConnect device extracts the last A-V pair
configured for the Exec service that has a numeric value. The Dell PowerConnect device uses this
A-V pair to determine the user privilege level.
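The rules above combine into a single decision, sketched here as an added example that is not part of the Dell guide: given a device configuration and a TACACS+ user stanza, it reports the privilege level the device would assign. The function names and sample inputs are constructed for illustration; how a fallback numeric value maps to a level is not covered on this page, so that case returns None with the A-V pair the device would select.

```python
import re

AUTHZ_CMD = "aaa authorization exec default tacacs+"
# Per the NOTE, exec authorization needs one of these to be present as well.
PREREQS = ("aaa authentication enable default tacacs+",
           "aaa authentication login privilege-mode")
LEVELS = {"0": 0, "4": 4, "5": 5}  # super-user, port-config, read-only


def exec_avpairs(stanza):
    """Ordered (attribute, value) pairs from the 'service = exec { ... }' block."""
    block = re.search(r"service\s*=\s*exec\s*\{([^{}]*)\}", stanza)
    if not block:
        return []
    return re.findall(r"^\s*([\w-]+)\s*=\s*(\S+)\s*$", block.group(1), re.M)


def effective_level(device_config, stanza):
    """Return (level, reason); level is None where this page does not define the result."""
    cmds = [" ".join(line.split()) for line in device_config.splitlines()]
    if not any(c.startswith(AUTHZ_CMD) for c in cmds):
        # Fail-open case: every authenticated user becomes Super User.
        return 0, "exec authorization not configured: A-V pair ignored, Super User granted"
    if not any(c.startswith(p) for c in cmds for p in PREREQS):
        return None, "exec authorization present but neither prerequisite command is"
    pairs = exec_avpairs(stanza)
    named = dict(pairs).get("foundry-privlvl")
    if named is not None:
        # Any value other than 0, 4 or 5 falls back to 5 (read-only).
        return LEVELS.get(named, 5), f"foundry-privlvl={named}"
    numeric = [(k, v) for k, v in pairs if v.isdigit()]
    if numeric:
        k, v = numeric[-1]
        return None, f"fallback to last numeric A-V pair {k}={v}"
    return None, "no foundry-privlvl and no numeric A-V pair for the Exec service"


# Constructed inputs: device config fragments and two server stanzas.
DEVICE_OK = """aaa authentication login privilege-mode
aaa authorization exec default tacacs+"""
DEVICE_NO_AUTHZ = "aaa authentication login privilege-mode"
BOB = 'user=bob {\n  service = exec {\n    foundry-privlvl = 5\n  }\n}'
ALICE = 'user=alice {\n  service = exec {\n    priv-lvl = 15\n    idletime = 3\n  }\n}'

if __name__ == "__main__":
    for dev in (DEVICE_OK, DEVICE_NO_AUTHZ):
        for user in (BOB, ALICE):
            print(effective_level(dev, user))
```

Two results are worth checking in an audit: a user defined as read-only on the server still resolves to level 0 when the authorization command is missing from the device, and a stanza without foundry-privlvl is resolved from whichever numeric A-V pair comes last, even one unrelated to privilege.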
Example
user=bob {
    default service = permit
    member admin
    #Global password
    global = cleartext "cat"