Home » HP Manuals » Servers » HP 6125XLG » Manual Viewer

HP 6125XLG R2306-HP 6125XLG Blade Switch Fundamentals Configuration Guide - Page 51

Assigning user roles

Add to My Manuals
Save this manual to your list of manuals

Page 51 highlights

User role name level-n (n = 0 to 15) security-audit Permissions • level-0-Has access to the commands of ping, quit, ssh2, super, system-view, telnet, and tracert. Level-0 access rights are configurable. • level-1-Has access to the display commands (except display history-command all) of all features and resources in the system, in addition to all access rights of the user role level-0. Level-1 access rights are configurable. • level-2 to level-8, and level-10 to level-14-Have no access rights by default. Access rights are configurable. • level-9-Has access to all features and resources except RBAC (debugging commands excluded), local users, file management, device management, and the display history-command all command. Level-9 access rights are configurable. • level-15-Has the same access rights as the role network-admin. Security log manager. The user role has access to security log files: • It has access to the commands for displaying and maintaining security log files, for example, the dir, display security-logfile summary, and more commands. • It has access to the commands for managing security log files and security log file system, for example, the info-center security-logfile directory, mkdir, and security-logfile save commands. For more information about security log management, see Network Management and Monitoring. For more information about file system management, see "Managing the file system." IMPORTANT: Only the security-audit user role has access to security log files. Other user roles do not have the access right even if you have configured the user roles to have the access permission. Assigning user roles You assign access rights to users by assigning at least one user role. The users can use the collection of commands and resources accessible to any user role assigned to them. For example, user role A denies access to the qos apply policy command and permits access to only interface Ten-GigabitEthernet 1/1/5, and user role B permits access to the qos apply policy command and all interfaces. With these two user roles, you can access any interface to use the qos apply policy command. Depending on the authentication method, user role assignment has the following methods: • AAA authorization-If scheme authentication is used, the AAA module handles user role assignment. { If the user passes local authorization, the device assigns the user roles specified in the local user account. { If the user passes remote authorization, the remote AAA server assigns the user roles specified on the server to the user. The AAA server can be a RADIUS or HWTACACS server. • None-AAA authorization-If the user uses password authentication or no authentication, the device assigns user roles specified on the user interface. This method also applies to SSH clients that use publickey or password-publickey authentication. User roles assigned to these SSH clients are specified in their respective local device management user accounts. 44

Section	Page
Title Page	1
Contents	3
Using the CLI	8
CLI views	8
Entering system view from user view	9
Returning to the upper-level view from any view	9
Returning to user view	10
Accessing the CLI online help	10
Using the undo form of a command	11
Entering a command	11
Editing a command line	11
Entering a string or text type value for an argument	12
Abbreviating commands	12
Configuring and using command keyword aliases	12
Usage guidelines	12
Configuration procedure	12
Configuring and using command hotkeys	13
Enabling redisplaying entered-but-not-submitted commands	14
Understanding command-line error messages	14
Using the command history function	15
Controlling the CLI output	16
Pausing between screens of output	16
Output controlling keys	16
Disabling pausing between screens of output	16
Numbering each output line from a display command	16
Filtering the output from a display command	17
Saving the output from a display command to a file	19
Viewing and managing the output from a display command effectively	21
Saving the running configuration	21
Login overview	22
FIPS compliance	22
Login methods at a glance	22
Logging in through the console port for the first device access	24
Logging in to the CLI	27
CLI overview	27
CLI user interfaces	27
User interface assignment	27
User interface identification	27
Login authentication modes	28
User roles	28
FIPS compliance	29
Logging in through the console/AUX port locally	29
Disabling authentication for console/AUX login (not supported in FIPS mode)	29
Configuring password authentication for console/AUX login (not supported in FIPS mode)	30
Configuring scheme authentication for console/AUX login	30
Configuring common console/AUX user interface settings	31
Logging in through Telnet (not supported in FIPS mode)	32
Configuring Telnet login on the device	33
Disabling authentication for Telnet login	33
Configuring password authentication for Telnet login	34
Configuring scheme authentication for Telnet login	35
Configuring common VTY user interface settings	36
Using the device to log in to a Telnet server	37
Logging in through SSH	38
Configuring SSH login on the device	38
Using the device to log in to an SSH server	39
Displaying and maintaining CLI login	39
Accessing the device through SNMP	41
Configuring SNMPv3 access	41
Configuring SNMPv1 or SNMPv2c access	42
Controlling user access	43
FIPS compliance	43
Controlling Telnet/SSH logins	43
Controlling Telnet logins (not supported in FIPS mode)	43
Controlling SSH logins	43
Configuration example	44
Network requirements	44
Configuration procedure	44
Controlling SNMP access	44
Configuration procedure	44
Configuration example	45
Network requirements	45
Configuration procedure	45
Configuring command authorization	46
Configuration procedure	46
Configuring command accounting	47
Configuration procedure	47
Configuring RBAC	49
Overview	49
Permission assignment	49
User role rules	49
Resource access policies	50
Predefined user roles	50
Assigning user roles	51
FIPS compliance	52
Configuration task list	52
Creating user roles	52
Configuring user role rules	53
Configuring feature groups	53
Changing resource access policies	54
Changing the interface policy of a user role	54
Changing the VLAN policy of a user role	55
Changing the VPN instance policy of a user role	55
Assigning user roles	55
Enabling the default user role function	55
Assigning user roles to remote AAA authentication users	56
Assigning user roles to local AAA authentication users	56
Assigning user roles to non-AAA authentication users on user interfaces	57
Configuring temporary user role authorization	57
Configuration guidelines	58
Configuring user role authentication	59
Obtaining temporary user role authorization	59
Displaying RBAC settings	59
RBAC configuration examples	60
RBAC configuration example for local AAA authentication users	60
Network requirements	60
Configuration procedure	60
Verifying the configuration	61
RBAC configuration example for RADIUS authentication users	61
Network requirements	62
Configuration procedure	62
Verifying the configuration	64
RBAC configuration example for HWTACACS authentication users	64
Network requirements	64
Configuration procedure	65
Verifying the configuration	67
Troubleshooting RBAC	68
Local users have more access permissions than intended	68
Symptom	68
Analysis	68
Solution	68
Login attempts by RADIUS users always fail	68
Symptom	68
Analysis	69
Solution	69
Configuring FTP	70
FIPS compliance	70
Using the device as an FTP server	70
Configuring basic parameters	71
Configuring authentication and authorization	71
Manually releasing FTP connections	71
Displaying and maintaining the FTP server	72
FTP server configuration example	72
Network requirements	72
Configuration procedure	72
Using the device as an FTP client	73
Establishing an FTP connection	73
Managing directories on the FTP server	74
Working with files on the FTP server	75
Switching to another user account	76
Maintaining and troubleshooting the FTP connection	76
Terminating the FTP connection	77
Displaying command help information	77
Displaying and maintaining FTP client	77
FTP client configuration example	77
Network requirements	77
Configuration procedure	78
Configuring TFTP	80
FIPS compliance	80
Configuring the device as an IPv4 TFTP client	80
Configuring the device as an IPv6 TFTP client	81
Managing the file system	82
File name formats	82
Managing files	83
Displaying file information	83
Displaying the contents of a text file	83
Renaming a file	83
Copying a file	83
Moving a file	84
Compressing/decompressing a file	84
Deleting/restoring a file	84
Deleting files from the recycle bin	84
Calculating the file digest	85
Managing directories	85
Displaying the current working directory	85
Changing the current working directory	85
Creating a directory	85
Removing a directory	86
Managing storage media	86
Repairing a storage medium	86
Formatting a storage medium	86
Setting the operation mode for files and folders	86
Managing configuration files	88
Overview	88
Configuration types	88
Startup configuration	88
Running configuration	88
Startup configuration loading process	89
Configuration file formats	90
Startup configuration file selection	90
Configuration file content organization and format	90
FIPS compliance	91
Enabling configuration encryption	91
Saving the running configuration	91
Configuring configuration rollback	92
Configuration task list	92
Configuring configuration archive parameters	92
Configuration guidelines	93
Configuration procedure	93
Enabling automatic configuration archiving	93
Manually archiving the running configuration	94
Rolling back configuration	94
Specifying a next-startup configuration file	95
Backing up the main next-startup configuration file to a TFTP server	96
Restoring the main next-startup configuration file from a TFTP server	96
Deleting a next-startup configuration file	96
Displaying and maintaining configuration files	97
Upgrading software	98
Overview	98
Software types	98
Comware image redundancy and loading procedure	98
System startup process	99
Upgrade methods	100
Software upgrade procedure summary	101
Preparing for the upgrade	101
Preloading the BootWare image to BootWare	101
Specifying the startup image file and completing the upgrade	102
Displaying and maintaining software image settings	103
Software upgrade configuration example	103
Network requirements	103
Configuration procedure	103
Managing the device	105
Configuring the device name	105
Setting the system time	105
Enabling displaying the copyright statement	106
Configuring banners	106
Banner types	106
Banner input methods	106
Configuration procedure	107
Disabling password recovery capability	108
Setting the operating mode	108
Rebooting the device	109
Configuration guidelines	109
Rebooting devices immediately at the CLI	109
Scheduling a device reboot	109
Scheduling a task	110
Configuration guidelines	110
Configuration procedure	110
Schedule configuration example	112
Network requirements	112
Scheduling procedure	112
Verifying the scheduling	113
Configuring the preferred airflow direction	115
Setting the port status detection timer	115
Setting memory usage thresholds	116
Verifying and diagnosing transceiver modules	117
Verifying transceiver modules	117
Diagnosing transceiver modules	118
Displaying and maintaining device management configuration	118
Using the emergency shell	120
Managing the file system	120
Obtaining a system image from an FTP/TFTP server	121
Configuring the management Ethernet interface	121
Checking the connectivity to a server	122
Accessing the server	122
Loading the system image	123
Rebooting the device	123
Displaying device information in emergency shell mode	123
Emergency shell usage example	124
Network requirements	124
Usage procedure	124
Using automatic configuration	127
Understanding automatic configuration	127
Overall automatic configuration process	127
Automatic-configuration parameter acquisition process	129
Configuration file acquisition process	130
Deploying and configuring servers for automatic configuration	131
DHCP server configuration guidelines	132
TFTP server configuration guidelines	132
Configuring Tcl	134
Restrictions and benefits	134
Entering Tcl configuration view from user view	134
Returning from Tcl configuration view to user view	134
Support and other resources	135
Contacting HP	135
Subscription service	135
Related information	135
Documents	135
Websites	135
Conventions	136
Command conventions	136
GUI conventions	136
Symbols	136
Network topology icons	137
Port numbering in examples	137

Match case Limit results 1 per page

User role name

Permissions

level-

(

= 0 to 15)

•

level-0

—Has access to the commands of

ping

quit

ssh2

super

system-view

telnet

, and

tracert

. Level-0 access rights are configurable.

•

level-1

—Has access to the

display

commands (except

display

history-command all

) of all features and resources in the system, in addition

to all access rights of the user role level-0. Level-1 access rights are

configurable.

•

level-2 to level-8, and level-10 to level-14

—Have no access rights by default.

Access rights are configurable.

•

level-9

—Has access to all features and resources except RBAC (debugging

commands excluded), local users, file management, device management,

and the

display history-command all

command. Level-9 access rights are

configurable.

•

level-15

—Has the same access rights as the role network-admin.

security-audit

Security log manager. The user role has access to security log files:

•

It has access to the commands for displaying and maintaining security log

files, for example, the

dir

display security-logfile summary

, and

commands.

•

It has access to the commands for managing security log files and security log

file system, for example, the

info-center security-logfile directory

mkdir

, and

security-logfile save

commands.

For more information about security log management, see

Network

Management and Monitoring

. For more information about file system

management, see "

Managing the file system

IMPORTANT:

Only the security-audit user role has access to security log files. Other user roles

do not have the access right even if you have configured the user roles to have

the access permission.

Assigning user roles

You assign access rights to users by assigning at least one user role. The users can use the collection of

commands and resources accessible to any user role assigned to them. For example, user role A denies

access to the

qos apply policy

command and permits access to only interface Ten-GigabitEthernet

1/1/5, and user role B permits access to the

qos apply policy

command and all interfaces. With these

two user roles, you can access any interface to use the

qos apply policy

command.

Depending on the authentication method, user role assignment has the following methods:

•

AAA authorization

—If scheme authentication is used, the AAA module handles user role

assignment.

{

If the user passes local authorization, the device assigns the user roles specified in the local user

account.

{

If the user passes remote authorization, the remote AAA server assigns the user roles specified

on the server to the user. The AAA server can be a RADIUS or HWTACACS server.

•

None-AAA authorization

—If the user uses password authentication or no authentication, the device

assigns user roles specified on the user interface. This method also applies to SSH clients that use

publickey or password-publickey authentication. User roles assigned to these SSH clients are

specified in their respective local device management user accounts.