Users Guide

Configuring TACACS+ and RADIUS VSA Attributes for RBAC
For RBAC and privilege levels, the Dell EMC Networking OS RADIUS and TACACS+ implementation supports two vendor-specific
options: privilege level and roles. The Dell EMC Networking vendor-ID is 6027, and the supported option is an attribute of
type string named Force10-avpair. The value is a string in the following format:
protocol : attribute sep value
attribute and value are an attribute-value (AV) pair defined in the Dell EMC Networking OS TACACS+ specification, and
sep is =. These attributes allow the full set of features available for TACACS+ authorization and are authorized with the
same attributes for RADIUS.
Example for Configuring a VSA Attribute for Privilege Level 15
The following example configures an AV pair that allows a user to log in from a network access server with a privilege level of
15 and have access to EXEC commands.
The format to create a Dell EMC Networking AV pair for privilege level is shell:priv-lvl=<number> where number is a
value between 0 and 15.
Force10-avpair= shell:priv-lvl=15
Example for Creating an AV Pair for a System-Defined or User-Defined Role
The following section shows you how to create an AV pair that allows a user to log in from a network access server and have
access to commands based on the user's role. The format to create an AV pair for a user role is
Force10-avpair= shell:role=<user-role> where user-role is a user-defined or system-defined role.
In the following example, you create an AV pair for a system-defined role, sysadmin.
Force10-avpair= "shell:role=sysadmin"
In the following example, you create an AV pair for a user-defined role. You must also define a role, using the userrole
myrole inherit command on the switch to associate it with this AV pair.
Force10-avpair= shell:role=myrole
The string, myrole, is associated with a TACACS+ user group. The user IDs are associated with the user group.
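The following added example (not part of the Dell EMC guide) checks AAA server entries against the AV-pair format described above before they are deployed, rejecting malformed pairs, out-of-range privilege levels and undefined roles. The role sets, the choice to flag privilege level 15 and sysadmin for manual review, and the sample lines are assumptions constructed for illustration.

```python
import re

# Page format: Force10-avpair= protocol:attribute=value (optionally quoted).
AVPAIR_RE = re.compile(
    r'^\s*Force10-avpair\s*=\s*"?(?P<protocol>[\w-]+)\s*:\s*'
    r'(?P<attribute>[\w-]+)\s*=\s*(?P<value>[^"\s]*)"?\s*$'
)

# Assumptions: roles defined on the switch, and roles worth a manual review.
DEFINED_ROLES = {"sysadmin", "secadmin", "myrole"}
REVIEW_ROLES = {"sysadmin"}

def check_avpair(line, defined_roles=DEFINED_ROLES):
    """Return (status, detail); status is "ok", "review" or "invalid"."""
    m = AVPAIR_RE.match(line)
    if not m:
        return ("invalid", "not in protocol:attribute=value form")
    protocol, attribute, value = m.group("protocol", "attribute", "value")
    if protocol != "shell":
        return ("invalid", f"unexpected protocol {protocol!r}")
    if attribute == "priv-lvl":
        # The page allows 0 through 15 only.
        if not re.fullmatch(r"[0-9]{1,2}", value) or int(value) > 15:
            return ("invalid", f"priv-lvl must be 0-15, got {value!r}")
        status = "review" if int(value) == 15 else "ok"
        return (status, f"privilege level {int(value)}")
    if attribute == "role":
        # The page requires a user-defined role to exist on the switch.
        if value not in defined_roles:
            return ("invalid", f"role {value!r} is not defined on the switch")
        return ("review" if value in REVIEW_ROLES else "ok", f"role {value}")
    return ("invalid", f"unsupported attribute {attribute!r}")

def audit(lines, defined_roles=DEFINED_ROLES):
    """Check every line and return a list of (line, status, detail)."""
    return [(ln, *check_avpair(ln, defined_roles)) for ln in lines]

# Constructed sample entries, as they might appear in a AAA server user file.
SAMPLE = [
    'Force10-avpair= shell:priv-lvl=15',
    'Force10-avpair= "shell:role=sysadmin"',
    'Force10-avpair= shell:role=myrole',
    'Force10-avpair= shell:priv-lvl=16',
    'Force10-avpair= shell:role=myrol',
]

if __name__ == "__main__":
    for line, status, detail in audit(SAMPLE):
        print(f"{status:8} {detail:45} {line}")
```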
Role Accounting
This section describes how to configure role accounting and how to display active sessions for roles.
This section consists of the following topics:
Configuring AAA Accounting for Roles
Applying an Accounting Method to a Role
Displaying Active Accounting Sessions for Roles
Configuring AAA Accounting for Roles
To configure AAA accounting for roles, use the aaa accounting command in CONFIGURATION mode.
aaa accounting {system | exec | commands {level | role role-name}} {name | default}
{start-stop | wait-start | stop-only} {tacacs+}
Example of Configuring AAA Accounting for Roles
The following example shows you how to configure AAA accounting to monitor commands executed by the users who have a
secadmin user role.
DellEMC(conf)#aaa accounting command role secadmin default start-stop tacacs+