5-13
Cisco SCE 2000 and SCE 1000 Software Configuration Guide
OL-7827-12
Chapter 5 Configuring the Management Interface and Security
Configuring the Available Interfaces
The SCE platform will eventually receive one of the following responses from the server:
• ACCEPT – The user is authenticated and service may begin.
• REJECT – The user has failed to authenticate. The user may be denied further access, or will be prompted to retry the login sequence depending on the server.
• ERROR – An error occurred at some time during authentication. This can be either at the server or in the network connection between the server and the SCE platform. If an ERROR response is received, the SCE platform will try to use an alternative method or server for authenticating the user.
• CONTINUE – The user is prompted for additional authentication information.
If the server is unavailable, the next authentication method is attempted, as explained in General AAA Fallback and Recovery Mechanism, page 5-14.
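The response handling above can be modelled as a small decision loop. This is an added example, not code from the Cisco guide or the SCE software; `authenticate`, `two_step`, `unreachable` and `faulty` are hypothetical names, and two behaviours are assumptions: REJECT is treated as a terminal denial that never falls through to another server, and repeated CONTINUE replies end in denial after `max_rounds`.

```python
from enum import Enum

# The four server responses listed above.
Reply = Enum("Reply", "ACCEPT REJECT ERROR CONTINUE")

class ServerUnavailable(Exception):
    """Constructed signal for a server that cannot be reached."""

def authenticate(servers, user, answers, max_rounds=3):
    """Try each (name, ask) server in order; return (granted, server, trace)."""
    trace = []
    for name, ask in servers:
        supplied = iter(answers)
        try:
            for _ in range(max_rounds):
                reply = ask(user, next(supplied, None))
                trace.append((name, reply.name))
                if reply is Reply.ACCEPT:
                    return True, name, trace
                if reply is Reply.REJECT:
                    # Fail closed: a definite refusal is never retried elsewhere.
                    return False, name, trace
                if reply is Reply.ERROR:
                    break  # a fault, not a verdict: move to the next server
                # CONTINUE: loop again and send the next piece of information
            else:
                # Assumption: unending CONTINUE prompts end in denial.
                return False, name, trace
        except ServerUnavailable:
            trace.append((name, "UNAVAILABLE"))
    return False, None, trace

def two_step(password, code):
    """Constructed server: password first (CONTINUE), then a one-time code."""
    pending = set()
    def ask(user, answer):
        if user not in pending:
            if answer != password:
                return Reply.REJECT
            pending.add(user)
            return Reply.CONTINUE
        pending.discard(user)
        return Reply.ACCEPT if answer == code else Reply.REJECT
    return ask

def unreachable(user, answer):
    raise ServerUnavailable()

def faulty(user, answer):
    return Reply.ERROR
```

The trace makes the distinction auditable: only ERROR and an unreachable server move authentication to the next entry, so a permissive server later in the list cannot override an earlier REJECT.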
Accounting
The accounting supports the following functionality:
• Each executed command (the command must be a valid one) will be logged using the accounting mechanism (including login and exit commands).
• The command is logged both before and after it is successfully executed.
• Each accounting message contains the following:
  – User name
  – Current time
  – Action performed
  – Command privilege level
Accounting is in addition to normal local accounting using the SCE platform dbg log.
Privilege Level Authorization
After a successful login the user is granted a default privilege level of 0, giving the user the ability to
execute a limited number of commands. Changing privilege level is done by executing the "enable"
command. This command initiates the privilege level authorization mechanism.
Privilege level authorization in the SCE platform is accomplished by the use of an "enable" command
authentication request. When a user requests an authorization for a specified privilege level, by using the
"enable" command, the SCE platform sends an authentication request to the server specifying
the requested privilege level. The SCE platform grants the requested privilege level only after the
server does the following:
• Authenticates the "enable" command password
• Verifies that the user has sufficient privileges to enter the requested privilege level.
Once the user privilege level has been determined, the user is granted access to a specified set of
commands according to the level granted.