Service Manual
NOTE: If you already have a user ID that exists with a privilege level, you can add the user role to username that has a
privilege
Dell (conf) #no username john
The following example adds a user, to the secadmin user role.
Dell (conf)#username john role secadmin password 0 password
AAA Authentication and Authorization for Roles
This section describes how to congure AAA Authentication and Authorization for Roles.
Conguration Task List for AAA Authentication and Authorization for Roles
This section contains the following AAA Authentication and Authorization for Roles conguration tasks:
• Conguring AAA Authentication for Roles
• Conguring AAA Authorization for Roles
• Conguring TACACS+ and RADIUS VSA Attributes for RBAC
Congure AAA Authentication for Roles
Authentication services verify the user ID and password combination. Users with dened roles and users with privileges are
authenticated with the same mechanism. There are six methods available for authentication: radius, tacacs+, local, enable, line, and
none.
When role-based only AAA authorization is enabled, the enable, line, and none methods are not available. Each of these three
methods allows users to be veried with either a password that is not specic to their user ID or with no password at all. Because of
the lack of security these methods are not available for role only mode. When the system is in role-only mode, users that have only
privilege levels are denied access to the system because they do not have a role. For information about role only mode, see
Conguring Role-based Only AAA Authorization.
NOTE: Authentication services only validate the user ID and password combination. To determine which commands are
permitted for users, congure authorization. For information about how to congure authorization for roles, see
Congure AAA Authorization for Roles.
To congure AAA authentication, use the aaa authentication command in CONFIGURATION mode.
aaa authentication login {method-list-name | default} method [… method4]
Congure AAA Authorization for Roles
Authorization services determine if the user has permission to use a command in the CLI. Users with only privilege levels can use
commands in privilege-or-role mode (the default) provided their privilege level is the same or greater than the privilege level of those
commands. Users with dened roles can use commands provided their role is permitted to use those commands. Role inheritance is
also used to determine authorization.
Users with roles and privileges are authorized with the same mechanism. There are six methods available for authorization: radius,
tacacs+, local, enable, line, and none.
When role-based only AAA authorization is enabled, the enable, line, and none methods are not available. Each of these three
methods allows users to be authorized with either a password that is not specic to their userid or with no password at all. Because
of the lack of security, these methods are not available for role-based only mode.
To congure AAA authorization, use the aaa authorization exec command in CONFIGURATION mode. The aaa
authorization exec command determines which CLI mode the user will start in for their session; for example, Exec mode or
Exec Privilege mode. For information about how to congure authentication for roles, see
Congure AAA Authentication for Roles.
aaa authorization exec {method-list-name | default} method [… method4]
672
Security