HPE Networking
Showing results for 
Search instead for 
Do you mean 

TACACS+ authorization on HP switch

SOLVED
Go to Solution
Advisor

TACACS+ authorization on HP switch

Hi guys!

 

I'm trying to reinforce access security on my HP E6600 switch by configuring aaa with a tac_plus server.

I was succesfull testing authentication, but I can't figure out how to setup commands authorizations,  for example tac_plus config :

 

user = username {
        default service = deny
         service = exec {
                priv-lvl = 0
        }
        cmd = show { deny .* }
}

 

doesn't has any effect on the switch, and the user can still execute all commands of level 0.

 

Is authorization feature (with tacacs+) supported on this switch, and how to configure it if yes?

 

Thank you,

 

PS : the firmware version is K.15.07.0008

1 ACCEPTED SOLUTION
Highlighted
Honored Contributor

Re: TACACS+ authorization on HP switch

Hi,

 

AFAIK, provision only supports tacacs authentication, not authorization. Command authorization can be achieved through a RADIUS server with some VSAs listing the allowed/disallowed commands.

 

 

Best regards,Peter

3 REPLIES
Highlighted
Honored Contributor

Re: TACACS+ authorization on HP switch

Hi,

 

AFAIK, provision only supports tacacs authentication, not authorization. Command authorization can be achieved through a RADIUS server with some VSAs listing the allowed/disallowed commands.

 

 

Best regards,Peter

Advisor

Re: TACACS+ authorization on HP switch

Thank you for answering. That was helpful

Occasional Advisor

Re: TACACS+ authorization on HP switch

According to HP manuals for Procurve switches You should be able to set Privilige Level to either 1 or 15 giving you operator or manager rights. This is made by the command:

 

aaa authentication login privilege-mode

 

But the switch (e.g 3500 or 6600 switch) doesn´t acknowledge the setting "priv-lvl=1" setting on TACACS+ or TACACS.net server. I am guessing the attribute name is different on Procurve but I am not able to find it.

 

Anybody who knows more on this?

 

Best Regards // Kristian Modess