Configuring SNMPv1 or SNMPv2c access················································································································· 35
Controlling user access ·············································································································································· 36
FIPS compliance ····························································································································································· 36
Controlling Telnet/SSH logins ······································································································································ 36
Controlling Telnet logins (not supported in FIPS mode)····················································································· 36
Controlling SSH logins ·········································································································································· 36
Configuration example ········································································································································· 37
Controlling SNMP access·············································································································································· 37
Configuration procedure ······································································································································ 37
Configuration example ········································································································································· 38
Configuring command authorization ··························································································································· 39
Configuration procedure ······································································································································ 39
Configuring command accounting ······························································································································· 40
Configuration procedure ······································································································································ 40
Configuring RBAC······················································································································································ 42
Overview········································································································································································· 42
Permission assignment ·········································································································································· 42
Assigning user roles ·············································································································································· 44
FIPS compliance ····························································································································································· 45
Configuration task list ···················································································································································· 45
Creating user roles ························································································································································· 45
Configuring user role rules ············································································································································ 46
Configuring feature groups ··········································································································································· 46
Changing resource access policies ······························································································································ 47
Changing the interface policy of a user role······································································································ 47
Changing the VLAN policy of a user role ·········································································································· 48
Changing the VPN instance policy of a user role ····························································································· 48
Assigning user roles ······················································································································································· 48
Enabling the default user role function················································································································ 48
Assigning user roles to remote AAA authentication users ················································································ 49
Assigning user roles to local AAA authentication users ···················································································· 49
Assigning user roles to non-AAA authentication users on user interfaces ······················································· 50
Configuring temporary user role authorization ·········································································································· 50
Configuration guidelines ······································································································································ 51
Configuring user role authentication ··················································································································· 52
Obtaining temporary user role authorization ···································································································· 52
Displaying RBAC settings ·············································································································································· 52
RBAC configuration examples ······································································································································ 53
RBAC configuration example for local AAA authentication users ··································································· 53
RBAC configuration example for RADIUS authentication users ······································································· 54
RBAC configuration example for HWTACACS authentication users ······························································ 57
Troubleshooting RBAC ··················································································································································· 61
Local users have more access permissions than intended ················································································ 61
Login attempts by RADIUS users always fail ······································································································ 61
Configuring FTP ·························································································································································· 63
FIPS compliance ····························································································································································· 63
Using the device as an FTP server ································································································ 63
Configuring basic parameters ····························································································································· 64
Configuring authentication and authorization ··································································································· 64
Manually releasing FTP connections ··················································································································· 64
Displaying and maintaining the FTP server ········································································································ 65
FTP server configuration example ························································································ 65
Using the device as an FTP client ································································································································· 66