Configuring the authentication parameters for user privilege level switching

A user can switch to a lower privilege level without authentication. To switch to a higher privilege level, however, a user must provide the privilege level switching authentication information (if any). Table 29 shows the privilege level switching authentication modes supported by the device.

Table 29 Privilege level switching authentication modes

Authentication mode

Keywords

Description

Local password

 

The device uses the locally configured passwords for privilege level

 

switching authentication.

authentication only

local

To use this mode, you must set the passwords for privilege level

(local-only)

 

 

switching using the super password command.

 

 

 

 

 

 

 

The device sends the username and password for privilege level

 

 

switching to the HWTACACS or RADIUS server for remote

 

 

authentication.

Remote AAA

 

To use this mode, you must perform the following configuration tasks:

authentication through

 

scheme

Configure the required HWTACACS or RADIUS schemes and

HWTACACS or

 

configure the ISP domain to use the schemes for users. For more

RADIUS

 

 

information, see Access Control Configuration Guide.

 

 

 

 

Add user accounts and specify the user passwords on the

 

 

HWTACACS or RADIUS server.

 

 

 

Local password

 

The device first uses the locally configured passwords for privilege

authentication first and

local

level switching authentication. If no local password is set, the device

then remote AAA

scheme

allows console users to switch their privilege levels without

authentication

 

authentication, but performs AAA authentication for VTY users.

 

 

 

Remote AAA

 

AAA authentication is performed first, and if the remote HWTACACS

authentication first and

scheme

or RADIUS server does not respond or AAA configuration on the

then local password

local

device is invalid, the local password authentication is performed.

authentication

 

 

 

 

 

 

To configure the authentication parameters for a user privilege level:

Step

 

Command

Remarks

1.

Enter system view.

system-view

N/A

 

 

 

 

2.

Set the authentication

super authentication-mode

Optional.

 

mode for user privilege

 

{ local scheme } *

By default, local-only authentication is used.

 

level switching.

 

 

 

 

 

 

 

If local authentication is involved, this step is

3.

Configure the password

super password [ level

required.

By default, a privilege level has no password.

 

for the user privilege

user-level] { cipher

 

 

 

level.

simple } password

If no user privilege level is specified when you

 

 

 

configure the command, the user privilege

level defaults to 3.

If local-only authentication is used, a console user interface user can switch to a higher privilege level, even if the privilege level has not been assigned a password.

137

Page 143
Image 143
HP 200 Unified Threat Management (UTM) Appliance manual Privilege level switching authentication modes