R21xx-HP FlexFabric 11900 Fundamentals Configuration Guide
Enabling the default user role function
An AAA authentication user must have at least one user role to log in to the device. The default user role
function assigns the network-operator user role to a local or remote AAA authenticated user if the AAA
server has not authorized the user to use any user roles. Without the function, AAA authenticated users
cannot access the system if they have no user role authorization.
To enable the default user role function for AAA authentication users:
Step                                        Command                    Remarks
1. Enter system view.                       system-view                N/A
2. Enable the default user role function.   role default-role enable   The default user role function is disabled.
Assigning user roles to remote AAA authentication users
For remote AAA authentication users, user roles are configured on the remote authentication server. For
information about configuring user roles for RADIUS users, see the RADIUS server documentation. For
HWTACACS users, the role configuration must use the roles="role-1 role-2 … role-n" format, where user
roles are space separated. For example, configure roles="level-0 level-1 level-2" to assign level-0, level-1,
and level-2 to an HWTACACS user.
NOTE:
• To be compatible with privilege-based access control, the device automatically converts privilege-based
user levels (0 to 15) assigned by an AAA server to RBAC user roles (level-0 to level-15).
• If the AAA server assigns a privilege-based user level and a user role to a user, the user can use the
collection of commands and resources accessible to both the user level and the user role.
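The login outcome described in the two sections above can be modeled in a few lines. This is an added example, not code from HP or from the device: the function names are hypothetical, the sample inputs are constructed, and only the rules stated in this guide are modeled (the space-separated roles="..." format, the conversion of levels 0 to 15 into level-0 to level-15, the combination of an assigned level and role, and the network-operator fallback).

```python
import re

DEFAULT_ROLE = "network-operator"          # fallback role named in this guide
ROLES_ATTR = re.compile(r'roles="([^"]*)"')


def parse_roles_attribute(attr):
    """Return the role names from an HWTACACS roles="r1 r2 ... rn" string."""
    match = ROLES_ATTR.fullmatch(attr.strip())
    if match is None:
        raise ValueError(f'expected roles="..." format, got {attr!r}')
    roles = []
    for name in match.group(1).split():    # user roles are space separated
        if name not in roles:              # drop duplicates, keep order
            roles.append(name)
    return roles


def level_to_role(level):
    """Convert a privilege-based user level (0 to 15) to the RBAC role level-N."""
    if not 0 <= level <= 15:
        raise ValueError(f"privilege level out of range: {level}")
    return f"level-{level}"


def effective_roles(roles_attr=None, priv_level=None, default_role_enabled=False):
    """Return the user's role list, or None when the login would be refused."""
    roles = parse_roles_attribute(roles_attr) if roles_attr else []
    if priv_level is not None:
        converted = level_to_role(priv_level)
        if converted not in roles:         # level and role rights are combined
            roles.append(converted)
    if roles:
        return roles
    # No role authorized by the server: only the default user role function helps.
    return [DEFAULT_ROLE] if default_role_enabled else None


if __name__ == "__main__":
    # Constructed authorization results, not captured from a real AAA server.
    samples = [
        ('roles="level-0 level-1 level-2"', None, False),
        ('roles="network-admin"', 3, False),
        (None, None, True),
        (None, None, False),
    ]
    for attr, level, enabled in samples:
        print(attr, level, enabled, "->", effective_roles(attr, level, enabled))
```

The third and fourth samples show why the default user role function deserves review: with it enabled, an account the AAA server authorized for nothing still logs in as network-operator.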
Assigning user roles to local AAA authentication users
Configure user roles for local AAA authentication users in their local user accounts. Every local user has
a default user role. If this default user role is not suitable, delete it.
To assign a user role to a local user:
Step                                                Command                                           Remarks
1. Enter system view.                               system-view                                       N/A
2. Create a local user and enter local user view.   local-user user-name class { manage | network }   N/A
3. Authorize the user to have a user role.          authorization-attribute user-role role-name       Repeat this step to assign the user to up to 64 user roles. By default, network-operator is assigned to local users created by a network-admin user or level-15 user.










