[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] quit
# Associate the ACL with the SNMP community and the SNMP group.
[Sysname] snmp-agent community read aaa acl 2000
[Sysname] snmp-agent group v2c groupa acl 2000
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000
Configuring command authorization
By default, commands are available for a user depending only on that user's user roles. When the
authentication mode is scheme, you can configure the command authorization function to further control
access to commands.
After you enable command authorization, a command is available for a user only if the user has the
commensurate user role and is authorized to use the command by the AAA scheme.
This section provides the procedure for configuring command authorization. To make the command
authorization function take effect, you must configure a command authorization method in ISP domain
view. For more information, see Security Configuration Guide.
Configuration procedure
To configure command authorization:
Step
1.
Enter system view.
2.
Enter
view.
3.
Enable
authentication.
4.
Enable
authorization.
Configuration example
Network requirements
Configure the device in
commands that are authorized by the HWTACACS server or, when the HWTACACS server is not
available, the device itself.
Command
system-view
user-interface { first-number1
user
interface
[ last-number1 ] | { aux | console
| vty } first-number2
[ last-number2 ] }
scheme
authentication-mode scheme
command
command authorization
Figure 27
so a user can use Host A to log in to the device and execute only
60
Remarks
N/A
N/A
By default, the authentication mode is none
for the console user interface and
password for the AUX user interface.
By default, command authorization is
disabled, and the commands available for
a user only depend on the user role.