Configuring Command Accounting - HP 10500 Series Configuration Manual

<Device> system-view
[Device] telnet server enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
# Enable command authorization for the user lines.
[Device-line-vty0-63] command authorization
[Device-line-vty0-63] quit
# Configure an HWTACACS scheme that does the following:
- Uses the HWTACACS server at 192.168.2.20:49 for authentication and authorization. In this example, the HWTACACS server provides authentication and authorization services at port 49.
- Uses the shared key expert.
- Removes domain names from usernames sent to the HWTACACS server.
[Device] hwtacacs scheme tac
[Device-hwtacacs-tac] primary authentication 192.168.2.20 49
[Device-hwtacacs-tac] primary authorization 192.168.2.20 49
[Device-hwtacacs-tac] key authentication expert
[Device-hwtacacs-tac] key authorization expert
[Device-hwtacacs-tac] server-type standard
[Device-hwtacacs-tac] user-name-format without-domain
[Device-hwtacacs-tac] quit
# Configure the system-predefined domain system to use the HWTACACS scheme tac for login user authentication and command authorization and to use local authentication and local authorization as the backup method.
[Device] domain system
[Device-isp-system] authentication login hwtacacs-scheme tac local
[Device-isp-system] authorization command hwtacacs-scheme tac local
[Device-isp-system] quit
# Create local user monitor, set the password to 123, assign the Telnet service, and set the default user role to level-1.
[Device] local-user monitor
[Device-luser-admin] password cipher 123
[Device-luser-admin] service-type telnet
[Device-luser-admin] authorization-attribute user-role level-1

Configuring command accounting

Command accounting allows the HWTACACS server to record all executed commands that are
supported by the device, regardless of the command execution result. This function helps control and
monitor user behavior on the device.
When command accounting is disabled, the accounting server does not record the commands executed
by users. If command accounting is enabled but command authorization is not, every executed
command is recorded on the HWTACACS server. If both command accounting and command
authorization are enabled, only authorized commands that are executed are recorded on the
HWTACACS server.
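
An added example, not from the HP manual: a Python check that reads a saved configuration and reports, for each user line, which of the three recording behaviors described above applies. The sample configuration is constructed; the `command accounting` and `accounting command hwtacacs-scheme` lines and the indented layout are assumptions that do not appear on this page.

```python
# Constructed sample configuration (not from the manual). Assumed layout:
# view headers in column 0, their commands indented beneath them.
SAMPLE = """\
line vty 0 4
 authentication-mode scheme
 command authorization
 command accounting
line vty 5 20
 command accounting
line vty 21 63
 command authorization
domain system
 authentication login hwtacacs-scheme tac local
 authorization command hwtacacs-scheme tac local
 accounting command hwtacacs-scheme tac
"""

def parse_views(config):
    """Group indented commands under the column-0 view header above them."""
    views, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if not raw[0].isspace():
            current = line
            views.setdefault(current, set())
        elif current is not None:
            views[current].add(line)
    return views

def recording_mode(cmds):
    """Map a user line's settings to what the HWTACACS server records."""
    if "command accounting" not in cmds:
        return "nothing recorded"
    if "command authorization" in cmds:
        return "authorized commands only"
    return "every executed command"

def audit(config, domain="system"):
    """Return ({user line: mode}, whether the domain names an accounting method)."""
    views = parse_views(config)
    modes = {v: recording_mode(c) for v, c in views.items() if v.startswith("line ")}
    methods = views.get("domain " + domain, set())
    return modes, any(m.startswith("accounting command ") for m in methods)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A user line reported as "nothing recorded" leaves no command trail on the server, so it is the first result to look for when reviewing a device.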