authorization-cmd

Function

The authorization-cmd command configures command-line-based authorization for a user of a specified level.

The undo authorization-cmd command restores the default setting.

By default, command-line-based local authorization is used for all users and user groups at levels 0 to 15.

Format

authorization-cmd [ privilege-level ] mode1 [ mode2 ]

undo authorization-cmd [ privilege-level ]

Parameters

privilege-level

Description: Specifies the user level.

Value: The value ranges from 0 to 15.

mode1

Description: Specifies the command line authorization mode.

Value: The value is an enumerated type and can be:

  • hwtacacs: Uses command line authorization provided by HWTACACS.
  • local: Uses command line authorization on the local device. Local authorization can serve as a backup option. If command line authorization fails due to server problems (for example, the server is Down or unreachable, or the response from the server times out), local authorization is performed.

mode2

Description: Specifies the command line authorization mode.

Value: The value is an enumerated type and can be:

  • hwtacacs: Uses command line authorization provided by HWTACACS.
  • local: Uses command line authorization on the local device. Local authorization can serve as a backup option. If command line authorization fails due to server problems (for example, the server is Down or unreachable, or the response from the server times out), local authorization is performed.

Views

Authorization scheme view

Default Level

3: Management level

Task Name and Operations

Task Name: aaa

Operations: write

Usage Guidelines

Usage Scenario

When a user logs in to the device through Telnet or SSH and the commands the user enters need to be authorized, you can set the command line authorization mode to HWTACACS for that user. Each command the user enters must then pass HWTACACS authorization, and it can be run only after authorization succeeds. Otherwise, the HWTACACS server displays a message informing the user that command authorization failed and the command cannot be run.

Prerequisites

Before using this command, you must create an authorization scheme and enter the authorization scheme view.

Procedure

If local is configured, and the HWTACACS server does not respond, command-line-based authorization is performed on the local device.

Follow-up Procedure

If command-line-based authorization is enabled, you must configure the HWTACACS server template and apply the template in the view of the domain to which the user belongs.

Precautions

When you configure command-line-based authorization, note the following items:

  • If the HWTACACS server is Down, unreachable, or does not respond in time, command authorization fails, and no user can execute such commands.
  • You can configure command-line-based authorization for users only when HWTACACS is adopted.
  • When entering a command that contains keywords and parameters, you must adopt the command format in configuration files. Otherwise, the HWTACACS authorization fails.
  • Command-line-based authorization is not associated with any authorization mode.

When the command-privilege level rearrange command is not run in the system view, to perform command line authentication for users with the authentication level ranging from 3 to 15, you need to:

  • Use the corresponding level of command line authentication configuration for V800R007C00SPC100 and earlier versions.
  • Use the level 3 command line authentication configuration for versions later than V800R007C00SPC100.

Therefore, when the current version is upgraded from V800R007C00SPC100 or earlier versions, use the level 3 command line authentication configuration to perform authentication.

When the command-privilege level rearrange command is run, you can use the corresponding level of command line authentication configuration to perform authentication for users with the authentication level ranging from 3 to 15. For example, to perform HWTACACS authentication for level 4 user configuration, if the command-privilege level rearrange command is not run, the configuration should be authorization-cmd 3 hwtacacs; if the command-privilege level rearrange command is run, the configuration should be authorization-cmd 4 hwtacacs.
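
The level-selection rule and the server-failure behaviour described in the Precautions can be checked against a saved configuration. The following Python audit is an added example, not Huawei code. It assumes a release later than V800R007C00SPC100 and a "#"-separated, indented configuration layout; the sample configuration is constructed, and parse, lookup_level and audit are hypothetical helper names.

```python
import re

# Syntax from the Format section: authorization-cmd [ privilege-level ] mode1 [ mode2 ]
CMD = re.compile(r"^\s*authorization-cmd(?:\s+(\d+))?\s+(hwtacacs|local)(?:\s+(hwtacacs|local))?\s*$")
SCHEME = re.compile(r"^\s*authorization-scheme\s+(\S+)\s*$")
REARRANGE = "command-privilege level rearrange"

# Constructed sample; the "#"-separated, indented layout is an assumption.
SAMPLE = """#
aaa
 authorization-scheme scheme1
  authorization-cmd 2 hwtacacs
 authorization-scheme scheme2
  authorization-cmd 4 hwtacacs local
#
"""

def parse(config):
    """Return (rearranged, {scheme: {level or None: [mode1, mode2]}})."""
    rearranged, schemes, current = False, {}, None
    for line in config.splitlines():
        if line.strip() == REARRANGE:
            rearranged = True
        elif line.strip() == "#":
            current = None  # section separator closes the scheme view
        elif (m := SCHEME.match(line)):
            current = schemes.setdefault(m.group(1), {})
        elif (m := CMD.match(line)) and current is not None:
            level = int(m.group(1)) if m.group(1) else None
            current[level] = [mode for mode in m.group(2, 3) if mode]
    return rearranged, schemes

def lookup_level(user_level, rearranged):
    """Level whose entry is used for a user (assumes a release later than V800R007C00SPC100)."""
    return user_level if rearranged or user_level < 3 else 3

def audit(config):
    """List (scheme, level, issue) tuples for entries worth an operator's review."""
    rearranged, schemes = parse(config)
    findings = []
    for name, levels in schemes.items():
        for level, modes in levels.items():
            if modes[0] == "hwtacacs" and "local" not in modes:
                # Server Down, unreachable or timing out: the command is refused.
                findings.append((name, level, "no local fallback"))
            if level is not None and level > 3 and not rearranged:
                findings.append((name, level, "level 3 entry is used instead"))
    return findings
```

Run audit() on the text of a saved configuration before an upgrade from V800R007C00SPC100 or earlier, since that is when per-level entries above 3 stop being the ones consulted unless command-privilege level rearrange is present.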

Example

# Configure command-line-based authorization for level-2 users.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] authorization-scheme scheme1
[*HUAWEI-aaa-author-scheme1] authorization-cmd 2 hwtacacs
Copyright © Huawei Technologies Co., Ltd.