RBAC configuration example for local AAA authentication users
Network requirements
As shown in Figure 15, the switch performs local AAA authentication for the Telnet user at 192.168.1.58. The user account for the Telnet user is user1@bbb and is assigned the user role role1.
Configure role1 to have the following permissions:
Can execute the read commands of any feature.
Cannot configure any VLANs except VLANs 10 to 20.
Figure 15: Network diagram
Configuration procedure
# Assign an IP address to VLAN-interface 2, the interface connected to the Telnet user.
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Enable Telnet server.
[Switch] telnet server enable
# Enable scheme authentication on the user lines for Telnet users.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
# Enable local authentication and authorization for the ISP domain bbb.
[Switch] domain bbb
[Switch-isp-bbb] authentication login local
[Switch-isp-bbb] authorization login local
[Switch-isp-bbb] quit
# Create the user role role1.
[Switch] role name role1
# Configure rule 1 to permit the user role to access read commands of all features.
[Switch-role-role1] rule 1 permit read feature
# Configure rule 2 to permit the user role to create VLANs and access commands in VLAN view.
[Switch-role-role1] rule 2 permit command system-view ; vlan *
# Change the VLAN policy to permit the user role to configure only VLANs 10 to 20. Without a VLAN policy, rule 2 alone would let the user role create and configure any VLAN.
[Switch-role-role1] vlan policy deny
[Switch-role-role1-vlanpolicy] permit vlan 10 to 20
[Switch-role-role1-vlanpolicy] quit
[Switch-role-role1] quit
# Create a device management user named user1 and enter local user view.
[Switch] local-user user1 class manage
New local user added.
# Set a plaintext password aabbcc for the user. The password is typed and echoed in plaintext here, and Telnet also carries the login credentials in clear text over the network; on a production device use a strong password and prefer SSH (service-type ssh) over Telnet.
[Switch-luser-manage-user1] password simple aabbcc
# Set the service type to Telnet.
[Switch-luser-manage-user1] service-type telnet
# Assign role1 to the user.
[Switch-luser-manage-user1] authorization-attribute user-role role1
# Remove the default user role network-operator from the user. A local user is assigned network-operator by default, and a user with multiple user roles can run any command that any one of its roles permits, so this step ensures that the user has only the permissions of role1.
[Switch-luser-manage-user1] undo authorization-attribute user-role network-operator
[Switch-luser-manage-user1] quit
Verifying the configuration
# Telnet to the switch from 192.168.1.58, and enter the username user1@bbb and password aabbcc to access the switch. (Details not shown.)
# Verify that you can create VLANs 10 to 20. This example uses VLAN 10.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] quit
# Verify that you cannot create any VLANs other than VLANs 10 to 20. This example uses VLAN 30.
[Switch] vlan 30
Permission denied.
# Verify that you can use all read commands of any feature. This example uses display clock.
[Switch] display clock
09:31:56 UTC Tues 01/01/2013
[Switch] quit
# Verify that you cannot use the write or execute commands of any feature. This example uses debugging role all and ping.
<Switch> debugging role all
Permission denied.
<Switch> ping 192.168.1.58
Permission denied.
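The verification steps above show the outcome of each check but not how the role's three pieces (the feature rule, the command rule and the VLAN policy) combine to produce it. The following Python model is an added example, not Comware code: it simulates a role evaluating a command and reproduces every result in the verification section, and it also goes beyond the page by accepting the batch form vlan 10 to 20. The semantics are assumptions of the model: rules are evaluated in ID order and the highest-numbered matching rule decides, the VLAN policy is applied on top of the rule result for VLAN commands, system-view and quit are always permitted, and the command catalogue (CATALOG) is a constructed classification of the page's commands into feature and read/write/execute type.

```python
"""Simplified model of how role1 on this page decides each command.

Added example, not Comware code. Assumed semantics: rules are evaluated in
ID order and the highest-numbered matching rule decides; the VLAN policy is
applied on top of the rule result for VLAN commands; "system-view" and
"quit" are treated as always permitted.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

# Constructed catalogue of the commands the page uses, classified as the page
# describes them: display = read, vlan creation = write in the vlan feature,
# ping and debugging = execute. The real device carries this classification
# internally; here it is an assumption.
CATALOG = {
    "display clock": ("device", "read"),
    "vlan": ("vlan", "write"),
    "ping": ("ping", "execute"),
    "debugging role": ("rbac", "execute"),
}
NAVIGATION = {"system-view", "quit"}  # assumed always permitted


@dataclass
class Rule:
    rule_id: int
    action: str                       # "permit" or "deny"
    kind: str                         # "feature" or "command"
    access: frozenset = frozenset()   # feature rules: subset of {read, write, execute}
    feature: Optional[str] = None     # feature rules: None means any feature
    pattern: str = ""                 # command rules, e.g. "system-view ; vlan *"

    def matches(self, full_cmd: str, feature: str, access: str) -> bool:
        if self.kind == "feature":
            return access in self.access and self.feature in (None, feature)
        return fnmatchcase(full_cmd, self.pattern)  # "*" matches any text


def parse_vlan_ids(args):
    """'10' -> {10}; '10 to 20' -> {10, ..., 20} (batch form, not used on the page)."""
    ids = [int(a) for a in args if a.isdigit()]
    if "to" in args and len(ids) == 2:
        return set(range(ids[0], ids[1] + 1))
    return set(ids)


@dataclass
class Role:
    name: str
    rules: list = field(default_factory=list)
    vlan_policy_permit: Optional[set] = None  # None: no VLAN policy, all VLANs allowed

    def check(self, view_path, command):
        """Return (permitted, reason) for `command` typed from `view_path`.

        view_path is the tuple of view-entering commands already typed, e.g.
        ("system-view",). A command rule pattern is matched against the whole
        path joined with " ; ", which is how the page's rule 2 is written.
        """
        words = command.split()
        if words[0] in NAVIGATION:
            return True, "view navigation"
        keys = [k for k in CATALOG if command == k or command.startswith(k + " ")]
        if not keys:
            return False, "Permission denied. (unknown command)"
        key = max(keys, key=len)
        feature, access = CATALOG[key]
        full_cmd = " ; ".join(tuple(view_path) + (command,))

        decision = None
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule.matches(full_cmd, feature, access):
                decision = rule.action  # a later (higher ID) match overrides
        if decision != "permit":
            return False, "Permission denied."
        if key == "vlan" and self.vlan_policy_permit is not None:
            vids = parse_vlan_ids(words[1:])
            if not vids or not vids <= self.vlan_policy_permit:
                return False, "Permission denied. (VLAN policy)"
        return True, "permitted"


def role1() -> Role:
    """role1 as configured on the page: rule 1, rule 2 and the VLAN policy."""
    return Role(
        "role1",
        rules=[
            Rule(1, "permit", "feature", access=frozenset({"read"})),
            Rule(2, "permit", "command", pattern="system-view ; vlan *"),
        ],
        vlan_policy_permit=set(range(10, 21)),
    )


if __name__ == "__main__":
    r = role1()
    for view, cmd in [(("system-view",), "vlan 10"), (("system-view",), "vlan 30"),
                      (("system-view",), "display clock"), ((), "debugging role all"),
                      ((), "ping 192.168.1.58")]:
        print(f"{' ; '.join(view + (cmd,)):40} -> {r.check(view, cmd)}")
```

Two things the model makes visible that the transcript does not: vlan 30 passes rule 2 and is refused only by the VLAN policy, and vlan 10 typed without first entering system view is refused because rule 2 matches the path system-view ; vlan *, not the bare command.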