184 Configuring Authentication, Authorization, and Accounting
profiles have an implicit “deny all” rule, such that any command that does
not match any rule in the profile is considered to have been denied by that
profile.
A user can be assigned to more than one profile. If there are conflicting rules
in profiles, the “permit” rule always takes precedence over the “deny” rule.
That is, if any profile assigned to a user permits a command, then the user is
permitted access to that command. A user may be assigned up to 16 profiles.
A number of profiles are provided by default. These profiles cannot be altered
by the switch administrator. See "Administrative Profiles" on page 202 for the
list of default profiles.
If the successful authorization method does not provide an administrative
profile for a user, then the user is permitted access based upon the user's
privilege level. This means that, if a user successfully passes enable
authentication or if exec authorization assigns a privilege level, the user is
permitted access to all commands. This is also true if none of the
administrative profiles provided are configured on the switch. If some, but
not all, of the profiles provided in the authentication are configured on the
switch, then the user is assigned the profiles that exist, and a message is
logged that indicates which profiles could not be assigned.
Accounting
Accounting is used to record security events, such as a user logging in or
executing a command. Accounting records may be sent upon completion of
an event (stop-only) or at both the beginning and end of an event (start-
stop). There are three types of accounting: commands, dot1x, and exec.
•
Commands
—Sends accounting records for command execution.
•
Dot1x
—Sends accounting records for network access.
•
Exec
—Sends accounting records for management access (logins).
For more information about the data sent in accounting records, see "Which
RADIUS Attributes Does the Switch Support?" on page 196 and "Using
TACACS+ Servers to Control Management Access" on page 199.
Table 10-4 shows the valid methods for each type of accounting:
To Next Page
Loading...
Need help?
General