TACACS+ Authorization
Within TACACS+, command and login authorizations depend on privilege level assignments. Privilege levels assigned to users and/or to the AXOS system interface (console, CLI, craft, ) the user is using determine the privilege level at which a user shell starts. Privilege levels assigned to commands determine the level at which a command is executable, provided that the user has the authorization credentials. That means that if a command is assigned to a privilege level higher than that of the user, the command will not be accessible to that user.
AXOS supports two kinds of TACACS+ authorization:

1. When the user is authenticated, TACACS+ determines the user's role:
   1. A user logs into the AXOS system.
   2. The user is authenticated.
   3. The AXOS system consults the TACACS+ server to determine the role of the user.
   4. The TACACS+ server sends back a response containing an A-V (Attribute-Value) pair with the role of the user.
   5. The user is granted the privileges associated with the role.

2. Command authorization consults a TACACS+ server to get authorization for configuration commands entered by the user:
   1. A user previously authenticated by a TACACS+ server enters a command on the AXOS system.
   2. The AXOS system looks at its configuration to see if the command is at a privilege level that requires TACACS+ command authorization.
   3. If the command belongs to a privilege level that requires authorization, the AXOS system consults the TACACS+ server to see if the user is authorized to use the command.
   4. If the user is authorized to use the command, the command is executed.
The authorization REQUEST message contains a fixed set of fields that indicate how the user was authenticated or processed, and a variable set of arguments that describe the services and options for which authorization is requested. The authorization request has the following key parameters:
- authen_method - indicates the authentication method used by the client. A subset of the values are:
  - TAC_PLUS_AUTHEN_METH_LINE - terminal line
  - TAC_PLUS_AUTHEN_METH_ENABLE - the enable command that authenticates to grant new privileges
  - TAC_PLUS_AUTHEN_METH_LOCAL - local user database
  - TAC_PLUS_AUTHEN_METH_TACACSPLUS - TACACS+ itself
- priv_lvl - same usage as in the authentication request: the privilege level
- authen_type - same usage as in the authentication request: the type of authentication that was performed
- authen_service - same usage as in the authentication request
- AVPs - some of the common AVPs are listed below; see the TACACS+ spec for the full set:
  - service - the primary service: "slip", "ppp", "shell", "tty-server", "connection", "system" and "firewall". This attribute MUST always be included.
  - protocol - the protocol: "lcp", "ip", "ipx", "atalk", "vines", "lat", "xremote", "tn3270", "telnet", "rlogin", "pad", "vpdn", "ftp", "http", "deccp", "osicp" and "unknown"
  - cmd - the command name, if the service is shell
  - cmd-arg - an argument to the command, if any exist. Multiple can be specified; they are expected to be in order.
  - acl - a number representing a connection access list
  - inacl - identifier for an input access list
  - outacl - identifier for an output access list
The RESPONSE contains a variable set of response arguments (attribute-value pairs) that can restrict or modify the client's actions. This involves passing attribute-value pairs (AV pairs) from the TACACS+ server to the AXOS system. These AV pairs are configured on a per-user or per-group basis on the TACACS+ server.

The arguments in both a REQUEST and a RESPONSE can be specified as either mandatory or optional. An optional argument is one that may or may not be used, modified or even understood by the recipient. A mandatory argument MUST be both understood and used. This allows the attribute list to be extended while providing secure backwards compatibility.
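The following Python example is added here to make the command-authorization exchange and the mandatory/optional AV-pair rule concrete; it is not code from the document or from AXOS. It encodes an authorization REQUEST body for a shell command (service, cmd, cmd-arg) using the RFC 8907 wire layout, decodes a constructed RESPONSE, and applies the rule that a PASS reply carrying a mandatory attribute the client does not understand must not be honoured. The sample reply, its attribute names (priv-lvl, idletime) and the user/port values are constructed for illustration.

```python
import struct

# RFC 8907 constants (subset used by this example)
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

def build_author_request(user, port, rem_addr, priv_lvl, args):
    """Encode an authorization REQUEST body (RFC 8907 section 6.1).
    args are AV strings such as 'cmd=show'; '=' is mandatory, '*' optional."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(u), len(p), len(r), len(a))
    return fixed + bytes(len(x) for x in a) + u + p + r + b"".join(a)

def parse_author_response(body):
    """Decode an authorization RESPONSE body (RFC 8907 section 6.2) into
    (status, server_msg, {attr: (value, mandatory)})."""
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body, 0)
    off = 6
    arg_lens, off = body[off:off + arg_cnt], off + arg_cnt
    server_msg = body[off:off + msg_len].decode()
    off += msg_len + data_len  # 'data' is opaque to this example; skip it
    avps = {}
    for n in arg_lens:
        raw, off = body[off:off + n].decode(), off + n
        # first '=' or '*' splits attr from value; '*' marks an optional AVP
        seps = [i for i in (raw.find("="), raw.find("*")) if i >= 0]
        if not seps:
            raise ValueError(f"malformed AV pair: {raw!r}")
        sep = min(seps)
        avps[raw[:sep]] = (raw[sep + 1:], raw[sep] == "=")
    return status, server_msg, avps

def authorization_granted(status, avps, understood):
    """Mandatory/optional rule from the text: a PASS reply carrying a
    mandatory attribute the client does not understand must not be honoured."""
    if status not in (TAC_PLUS_AUTHOR_STATUS_PASS_ADD, TAC_PLUS_AUTHOR_STATUS_PASS_REPL):
        return False
    return all(attr in understood for attr, (_, mand) in avps.items() if mand)

# Constructed sample reply: PASS_ADD with one mandatory and one optional AVP
SAMPLE_RESPONSE = (struct.pack("!BBHH", TAC_PLUS_AUTHOR_STATUS_PASS_ADD, 2, 0, 0)
                   + bytes([11, 10]) + b"priv-lvl=15" + b"idletime*5")
```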
The following illustrates the authorization process that occurs immediately following authentication.