Creating local privilege levels

This feature allows more granular local control over what a user may do when accessing the switch through the console, telnet, or SSH. Instead of granting access to all commands by logging in as “manager”, or very restricted access by logging in as “operator”, local access can be customized so that each local account is authorized to execute only the commands its group permits. The new local accounts are in addition to, and independent of, the existing manager and operator accounts, with one restriction: if a username is set for the manager or operator account, that name cannot be the same as any local user account name.

To do this, you create groups, each of which can contain up to 16 user accounts. A group carries a list of match-command rules that determine whether a member is authorized to execute a given command. Up to 100 local user accounts are supported. Each local user's password is stored in the configuration as a SHA1 hash, which is displayed only if “include-credentials” is enabled. A password is required for each local user account; no other attributes are.

There is one default group—operator. Users assigned to the operator group have only operator privileges.

The authorization group is applied to a local user account only if the user logs in with local as the primary authentication method and the aaa authorization commands local command has been executed. Authorization groups are not applied when local is configured as the secondary authentication method.

These commands are authorized at all access levels:

  • exit

  • logout

  • page

  • redo

  • repeat

  • end

Configuring groups for local authorization

You must create a group for local authorization before you can assign local users to it. The command that creates the group also defines its first match-command rule; typically, several rules are then added to the group.


[NOTE: ]

NOTE: You must enable local authorization by executing aaa authorization commands local to use this feature.


To create a group, enter this command:

Syntax:

[no] aaa authorization group <group-name> <1-2147483647> match-command <command-string> <permit|deny> [log]

Create a local authorization group with the specified name. The name is case-sensitive and may not contain spaces. Duplicate names are not allowed. You can create a maximum of 16 groups. The name of the group can have a maximum of 16 characters.

<1-2147483647>

The evaluation order for the match commands.

match-command <command-string>

The <command-string> is the CLI command. It must be surrounded by double quotes if it contains any spaces, for example, "vlan *".

The <command-string> is a POSIX regular expression and follows POSIX matching rules. For example, the “*” character means match the preceding character zero or more times, so ab*c will match “ac”, “abc”, “abbc”, etc. The “.” character means match any character, so “.*” would match anything, while the command string “aaa.*” would match commands that have “aaa” followed by zero or more characters. The “^” character means match to the beginning of the string, so “^aaa.*” would mean the string must start with “aaa” and can have anything after that.

<permit|deny>

Either permit or deny execution of the command.

[log]

Optional. Generates an event log entry each time a command matches this rule, whether the action is permit or deny.

Typically multiple commands are assigned to a group. Each command is entered on a separate line. Commands are evaluated in numerical order of the sequence number until a match is found, then the permit or deny action for that command is executed.


[NOTE: ]

NOTE: Commands are expanded before the comparison is done, for example, sh ver would be expanded to show version and then this command is compared against the command strings of the authorization group.

Creating a local authorization group and assigning the commands authorized

HP Switch(config)# aaa authorization group Bluegroup 100 match-command configure permit
HP Switch(config)# aaa authorization group Bluegroup 200 match-command telnet permit
HP Switch(config)# aaa authorization group Bluegroup 300 match-command menu permit

When a command must be preceded by the execution of another command, then both commands need to be permitted for the command authorization group. For example, you must execute the configure command before you can enter the vlan context, so both commands must be permitted.

Configuring authorized commands for a group in the correct order

HP Switch(config)# aaa authorization group Redgroup 100 match-command configure permit
HP Switch(config)# aaa authorization group Redgroup 200 match-command "vlan *" permit

Some commands cause the switch CLI to enter a special context, such as test mode, in which input is not processed by the normal CLI. Keyboard input in such a context is not checked against the command authorization group. If the command that enters one of these contexts is permitted, the user can proceed outside the control and logging of the command group configuration, so permit such commands only deliberately.
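To make the evaluation rules above concrete, the following Python model (an added example, not the switch's own code) simulates how a group decides on a typed command: the command is expanded first (sh ver becomes show version), the rules are tried in ascending sequence number, the command string is treated as a regular expression that is unanchored unless ^ or $ is written, the first matching rule's permit or deny wins, and a rule with log records the decision. Python's re module stands in for the switch's POSIX matcher (match/no-match is the same for these patterns), the keyword table used for expansion is a small constructed one, and a command matching no rule is treated as denied; that default is an assumption, as are the names Group, expand, page_groups, anchored_group and ordered_group. The page_groups function reproduces Redgroup and Bluegroup exactly as configured in the examples above; the other two groups show the checks a practitioner wants: by the matching rules described above, the unanchored "vlan *" rule also matches show vlan, so anchored patterns are tighter, and a deny rule only takes effect if its sequence number places it before the permit it is meant to override.

```python
"""Model of local command-authorization group evaluation (added example)."""
import re
from dataclasses import dataclass, field

# Constructed keyword table standing in for the real CLI vocabulary
# (assumption for this example only).
KEYWORDS = sorted({
    "configure", "show", "version", "vlan", "running-config", "telnet",
    "menu", "exit", "logout", "page", "redo", "repeat", "end",
})

# Commands the page lists as authorized at every access level.
ALWAYS_PERMITTED = {"exit", "logout", "page", "redo", "repeat", "end"}


def expand(typed: str) -> str:
    """Expand abbreviated keywords, e.g. 'sh ver' -> 'show version'.

    A token that is a prefix of exactly one keyword becomes that keyword;
    ambiguous or unknown tokens (VLAN ids, hostnames) are kept as typed.
    """
    out = []
    for tok in typed.split():
        hits = [k for k in KEYWORDS if k.startswith(tok)]
        out.append(hits[0] if len(hits) == 1 else tok)
    return " ".join(out)


@dataclass(order=True)
class Rule:
    sequence: int      # <1-2147483647>, the evaluation order
    pattern: str       # match-command <command-string>
    permit: bool       # permit|deny
    log: bool = False  # [log]


@dataclass
class Group:
    name: str
    rules: list = field(default_factory=list)
    events: list = field(default_factory=list)   # stands in for the event log

    def add(self, sequence: int, pattern: str, action: str, log: bool = False):
        """Mirror 'aaa authorization group <name> <seq> match-command <string> <permit|deny> [log]'."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.rules.append(Rule(sequence, pattern, action == "permit", log))
        self.rules.sort()   # rules are evaluated in numerical sequence order

    def authorize(self, typed: str) -> bool:
        """Return True if the expanded command may execute for this group."""
        command = expand(typed)          # expansion happens before comparison
        tokens = command.split()
        if not tokens:
            return False
        if tokens[0] in ALWAYS_PERMITTED:
            return True
        for rule in self.rules:                      # ascending sequence number
            if re.search(rule.pattern, command):    # unanchored unless ^/$ used
                if rule.log:
                    verdict = "permit" if rule.permit else "deny"
                    self.events.append(f"{self.name} seq {rule.sequence} {verdict}: {command}")
                return rule.permit                   # first match wins
        return False   # assumption: no matching rule means deny


def page_groups() -> dict:
    """Redgroup and Bluegroup exactly as configured in the page's examples."""
    red = Group("Redgroup")
    red.add(100, "configure", "permit")
    red.add(200, "vlan *", "permit")
    blue = Group("Bluegroup")
    blue.add(100, "configure", "permit")
    blue.add(200, "telnet", "permit")
    blue.add(300, "menu", "permit")
    return {"Redgroup": red, "Bluegroup": blue}


def anchored_group() -> Group:
    """Tighter variant of Redgroup: ^ and $ keep 'vlan' from matching inside 'show vlan'."""
    g = Group("Tightgroup")
    g.add(100, "^configure$", "permit")
    g.add(200, "^vlan [0-9]+$", "permit")
    return g


def ordered_group(deny_seq: int = 10) -> Group:
    """A logged deny for 'show running-config' beside a broad show permit.

    With deny_seq=10 the deny is evaluated before the permit at 200 and wins;
    with a deny sequence above 200 the permit matches first and the deny
    is never reached.
    """
    g = Group("Ordergroup")
    g.add(deny_seq, "^show running-config$", "deny", log=True)
    g.add(100, "^configure$", "permit")
    g.add(200, "^show .*", "permit")
    return g


if __name__ == "__main__":
    red = page_groups()["Redgroup"]
    for cmd in ("configure", "vlan 10", "sh ver", "show vlan", "exit"):
        print(f"Redgroup   {cmd!r:22} -> {red.authorize(cmd)}")
    tight = anchored_group()
    for cmd in ("vlan 10", "show vlan"):
        print(f"Tightgroup {cmd!r:22} -> {tight.authorize(cmd)}")
    g = ordered_group()
    print(f"Ordergroup {'sh run'!r:22} -> {g.authorize('sh run')}  events={g.events}")
```

Running the module prints the decisions for each group. The noteworthy result is that Redgroup, as configured on the page, permits show vlan even though no rule names show, because "vlan *" matches the substring vlan anywhere in the expanded command; anchoring the pattern as in Tightgroup removes that.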

Configuring a local user for a group

Local manager user logins and authorized command configuration are mutually exclusive with RADIUS or TACACS authentication and with RADIUS authorization and accounting.

To create a local user and assign it to the group with the appropriate authorizations, enter this command.

Syntax:

[no] aaa authentication local-user <username> group <group-name> password <plaintext|sha1> <password>

Defines a local user for a defined group.

local-user <username>

The local user being added to the authorization group. The username can have a maximum of 16 characters. It must not contain spaces and is case-sensitive.

group <group-name>

The authorization group the local user belongs to. The group must have been created already.

password <plaintext|sha1> <password>

The plaintext password string can have a maximum of 16 characters. It must not contain spaces and is case-sensitive.


[NOTE: ]

NOTE: You are not allowed to enter the plaintext password in-line as part of the command; you are prompted for it, and the password is obscured as you enter it. This is similar to entering the password for the manager or operator.


If include-credentials is enabled, displaying the configuration shows each user's password as a SHA1 hash. If include-credentials is not enabled, no password information is shown.

If a user is assigned to a command group and the group is subsequently deleted, the user will have operator privileges.

Creating a local user for a group

HP Switch(config)# aaa authentication local-user User1 group Redgroup password plaintext
New password for User1: *******

Displaying command authorization information

To display information about users and command authorization for command groups, enter this command.

Syntax:

show authorization group [group-name]

Displays information about users and command authorization for command groups.

Specifying the group parameter without any group names displays information for all configured groups.

Showing command information for all groups

HP Switch(config)# show authorization group

 Local Management Groups - Authorization Information

  Group Name: Redgroup
  
  Username
  ----------------
  User1
  User2

  Sequence # | Permission Command Expression    Log
  ---------- + ---------- --------------------- -------
  100        | Permit     configure             Disable
  200        | Permit     vlan *                Disable

  Group Name: Bluegroup

  Username
  ----------------
  User3

  Sequence # | Permission Command Expression    Log
  ---------- + ---------- --------------------- -------
  100        | Permit     configure             Disable
  200        | Permit     telnet                Disable
  300        | Permit     menu                  Disable