Roles are configured on the GigaVUE H Series node itself. Roles consist of a set of ports and permission levels specifying what a user with the role assigned can do on the port.
The assignment of roles to users can be performed using any of the following techniques:
|Use Local Role Assignments|
|Use AAA Server Role Assignments|
|Use Combination of Local and AAA Role Assignments|
In this model, an externally authenticated user is granted the roles assigned to the account on the GigaVUE node itself. This can take place either by a matching account name (the same account name is specified both in the AAA server and the GigaVUE H Series node), or by using the local-only option to map all externally authenticated users to a specific account on the GigaVUE node.
In this model, you configure the GigaVUE node to accept roles passed from the AAA server. Then, you set up a local-user-name attribute for the account in the AAA server to pass a reserved account name (operator) and one or more roles to the GigaVUE node. In this case, the roles are fully assigned in the AAA server and there are no matching accounts on the GigaVUE node.
In this model, you configure the GigaVUE node to accept roles passed from the AAA server. Then, you set up a local-user-name attribute for the account in the AAA server that maps it to an existing local user account on the GigaVUE node. The local-user-name attribute can optional include additional roles to be assigned to the user in addition to those already assigned to the targeted local user account.
For example, in the following figure, the gmota account does not exist on the GigaVUE node. It has a local-user-name attribute that specifies the account should be mapped to the local user account mcain. The Security role is already locally assigned to mcain; the IT role comes from the AAA server with the role-IT argument.
Refer to Configure Roles in External Authentication Servers for instructions on how to set up users with local-user-name attributes in RADIUS, TACACS+, and LDAP AAA servers.