RADIUS Authentication, Authorization, and Accounting

Commands Authorization

Displaying Authorization Information

You can show the authorization information by entering this command:

Syntax: show authorization

Configures authorization for controlling access to CLI commands. When enabled, the switch checks the list of commands supplied by the RADIUS server during user authentication to determine if a command entered by the user can be executed.

An example of the output is shown.

ProCurve(config)# show authorization

 Status and Counters - Authorization Information

  Type       Method
  -------- + ------
  Commands   RADIUS

Figure 5-10. Example of Show Authorization Command

Configuring Commands Authorization on a RADIUS Server

Using Vendor Specific Attributes (VSAs)

Some RADIUS-based features implemented on ProCurve switches use HP VSAs for information exchange with the RADIUS server. RADIUS Access-Accept packets sent to the switch may contain the vendor-specific information. The attributes supported with commands authorization are:

HP-Command-String: List of commands (regular expressions) that are permitted (or denied) execution by the user. The commands are delimited by semi-colons and must be between 1 and 249 characters in length. Multiple instances of this attribute may be present in Access-Accept packets. (A single instance may be present in Accounting-Request packets.)

HP-Command-Exception: A flag that specifies whether the commands indicated by the HP-Command-String attribute are permitted or denied to the user. A zero (0) means permit all listed commands and deny all others; a one (1) means deny all listed commands and permit all others.
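The sketch below is an added example, not code from the switch or from HP. It checks a planned set of HP-Command-String values against the length and delimiter rules above and reports which commands the HP-Command-Exception flag would permit. Assumptions: Python's re syntax and whole-command matching stand in for the switch's matcher, which this page does not specify; the function names and sample values are constructed for illustration.

```python
import re

MAX_LEN = 249  # upper length limit for one HP-Command-String, as stated above

# Constructed sample: two HP-Command-String instances from one Access-Accept.
SAMPLE_INSTANCES = ["show .*;ping .*", "exit"]

def parse_command_strings(instances):
    """Validate each attribute instance and return its compiled expressions."""
    patterns = []
    for value in instances:
        if not 1 <= len(value) <= MAX_LEN:
            raise ValueError(f"length {len(value)} outside 1..{MAX_LEN}")
        for item in value.split(";"):  # commands are semicolon-delimited
            item = item.strip()
            if not item:
                continue  # tolerate a trailing semicolon
            try:
                patterns.append(re.compile(item))
            except re.error as exc:
                raise ValueError(f"bad expression {item!r}: {exc}") from exc
    return patterns

def is_permitted(command, patterns, exception_flag):
    """Apply HP-Command-Exception: 0 = permit listed, 1 = deny listed."""
    if exception_flag not in (0, 1):
        raise ValueError("HP-Command-Exception must be 0 or 1")
    # Assumption: a command is "listed" when one expression matches all of it.
    listed = any(p.fullmatch(command) for p in patterns)
    return listed if exception_flag == 0 else not listed

def audit(instances, exception_flag, commands):
    """Return {command: True/False} so a policy can be reviewed before rollout."""
    patterns = parse_command_strings(instances)
    return {c: is_permitted(c, patterns, exception_flag) for c in commands}

if __name__ == "__main__":
    probes = ["show running-config", "configure terminal", "exit"]
    for flag in (0, 1):
        print(flag, audit(SAMPLE_INSTANCES, flag, probes))
```

Under the rule as stated, a flag of 1 permits every command that no expression matches, so a deny list has to anticipate each command to be blocked, while a flag of 0 denies anything not listed.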
