[tac_plus] Privilege level on hp,3com,h3c switches

Antonio Ojea antonio.ojea at retegal.es
Wed Nov 3 22:30:40 UTC 2010


This is an H3C switch (model 3600-EI). H3C was acquired by hp when it bought 3com. I think that H3C was a Huawei and 3com mix, but I'm not sure.

I have a local user with admin privileges, but the problem is that this switch can only do authorization against tacacs server or none, but not both. 
I configure it without authorization and when I log in against tacacs it gives me no privileges.

The tac_plus works perfectly, because if I configure authorization and authentication against the tacacs server it gives me all privileges. The problem is that if the tacacs server goes down I can't log in because it doesn't authorize the local user.

I'll try to ask H3C support.

Thanks to all
----- Original message -----
From: "john heasley" <heas at shrubbery.net>
To: aojea at retegal.es
CC: "john heasley" <heas at shrubbery.net>, "tac plus" <tac_plus at shrubbery.net>
Sent: Wednesday, 3 November 2010 16:37:29
Subject: Re: [tac_plus] Privilege level on hp,3com,h3c switches

Wed, Nov 03, 2010 at 08:50:43AM +0100, Antonio Ojea:
>
> Thanks for your help, I have a problem with authorization.
>
> If I configure the switch to do authorization with the tacacs server,
> I can log in with admin privileges. However, if the switch can't reach
> the tacacs server I can't log in because it doesn't have an option to do
> local authorization.

think you want something like the following to have a local login with
privs. hp has never made management of their devices particularly easy.

password manager <removed>
password operator <removed>

> If I configure the switch to do only authentication with the tacacs
> server I log in with the lowest privileges because I don't do
> authorization.
>
> -----Original message-----
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Wednesday, 03 November 2010 3:19
> To: Antonio Ojea
> CC: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Privilege level on hp,3com,h3c switches
>
> Tue, Nov 02, 2010 at 10:32:44PM +0100, Antonio Ojea:
> > Hi,
> >
> > I have several (HP, 3com, h3) switches h3600 and routers MSR-20.
> >
> > I can configure the routers and the switches to authenticate against
> > the tac_plus server, but the problem is with the user privilege level.
> > I have configured the next statements, and when I log in to a router I
> > have all privileges, but in the switches I have the lowest privileges.
> >
> > default service = permit
> > service = exec {
> > priv-lvl = 15
> > }
> >
> > I think that this is a H3C issue, but can I configure the tac_plus
> > server to get all privileges when I log in the switch?
> > Is it possible to run a script to change the level automatically?
> >
> if i understand what you want, try clogin from rancid;
> www.shrubbery.net/rancid/
>
> else, the switches might use a different AVP for setting the priv
> level or might not be configured to perform authorization.

