#####################
#1) create a user role that permits only the commands needed for the backup
#####################
# Custom role for the backup account; the three rules below are the only permissions this listing grants it.
[HPE]role name switchbackup
# Rules 1 and 2 permit reading the running and the saved configuration.
[HPE-role-switchbackup]rule 1 permit command display current-configuration
[HPE-role-switchbackup]rule 2 permit command display saved-configuration
# Rule 3 permits turning off output paging for the session, so a backup script receives the whole configuration in one piece.
[HPE-role-switchbackup]rule 3 permit command screen-length disable
# NOTE(review): configuration output can include password hashes and other stored secrets - treat this account and the resulting backup files as sensitive.


#####################
#2) review your created role, by using the following command:
#####################
[HPE]display role name switchbackup
Role: switchbackup
Description:
VLAN policy: permit (default)
Interface policy: permit (default)
VPN instance policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit command display current-configuration
2 permit command display saved-configuration
3 permit command screen-length disable
R:Read W:Write X:Execute


#####################
#3) create the user and assign the user-role switchbackup to it
#####################
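# Create the backup account. "StrongPassword" is a placeholder - replace it with a unique, randomly generated password.
# NOTE(review): a password typed as a command argument stays in the terminal scrollback; Comware 7 presumably prompts for it when "password" is entered without arguments - confirm in the command reference for your release.
[HPE]local-user backup
[HPE-luser-manage-backup]password simple StrongPassword
[HPE-luser-manage-backup]authorization-attribute user-role switchbackup
# Comware negates a command with "undo" (it has no "no" form). If this removal is rejected, the account keeps
# network-operator in addition to switchbackup, which is what the review in step 4 is meant to catch.
[HPE-luser-manage-backup]undo authorization-attribute user-role network-operator
# SSH is the only permitted service type; no terminal (console) access is granted.
[HPE-luser-manage-backup]service-type ssh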


#####################
#4) review the created user; make sure that no role other than switchbackup is assigned
#####################
[HPE]display local-user user-name backup class manage
Total 1 local users matched.

Device management user backup:
State: Active
Service type: SSH
User group: system
Bind attributes:
Authorization attributes:
Work directory: flash:
User role list: switchbackup
Password control configurations:
Password complexity: username checking


#####################
#5) run an SSH login test; you may have to change the password once at first login.
#   Then confirm that a command outside the three permitted rules is refused.
#####################
login as: backup
backup@192.168.99.10's password:
First login or password reset. For security reason, you need to change your password.
Old password:



#########################################################
# tested with following switch configuration
#########################################################
#
version 7.1.070, Release 3507
#
sysname HPE
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
stp global enable
#
interface NULL0
#
interface Vlan-interface1
ip address dhcp-alloc
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/6
#
interface GigabitEthernet1/0/7
#
interface GigabitEthernet1/0/8
#
interface GigabitEthernet1/0/9
#
interface GigabitEthernet1/0/10
#
interface GigabitEthernet1/0/11
#
interface GigabitEthernet1/0/12
#
interface GigabitEthernet1/0/13
#
interface GigabitEthernet1/0/14
#
interface GigabitEthernet1/0/15
#
interface GigabitEthernet1/0/16
#
interface GigabitEthernet1/0/17
#
interface GigabitEthernet1/0/18
#
interface GigabitEthernet1/0/19
#
interface GigabitEthernet1/0/20
#
interface GigabitEthernet1/0/21
#
interface GigabitEthernet1/0/22
#
interface GigabitEthernet1/0/23
#
interface GigabitEthernet1/0/24
#
interface GigabitEthernet1/0/25
#
interface GigabitEthernet1/0/26
#
interface GigabitEthernet1/0/27
#
interface GigabitEthernet1/0/28
#
interface GigabitEthernet1/0/29
#
interface GigabitEthernet1/0/30
#
interface GigabitEthernet1/0/31
#
interface GigabitEthernet1/0/32
#
interface GigabitEthernet1/0/33
#
interface GigabitEthernet1/0/34
#
interface GigabitEthernet1/0/35
#
interface GigabitEthernet1/0/36
#
interface GigabitEthernet1/0/37
#
interface GigabitEthernet1/0/38
#
interface GigabitEthernet1/0/39
#
interface GigabitEthernet1/0/40
#
interface GigabitEthernet1/0/41
#
interface GigabitEthernet1/0/42
#
interface GigabitEthernet1/0/43
#
interface GigabitEthernet1/0/44
#
interface GigabitEthernet1/0/45
#
interface GigabitEthernet1/0/46
#
interface GigabitEthernet1/0/47
#
interface GigabitEthernet1/0/48
#
interface Ten-GigabitEthernet1/0/49
#
interface Ten-GigabitEthernet1/0/50
#
interface Ten-GigabitEthernet1/0/51
#
interface Ten-GigabitEthernet1/0/52
#
scheduler logfile size 16
#
line class aux
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-operator
#
ssh server enable
#
# NOTE(review): password-control is enabled, but the aging, minimum-length, composition and history checks
# are switched off by the "undo" lines below; that suits a test device, not a production switch.
password-control enable
undo password-control aging enable
undo password-control length enable
undo password-control composition enable
undo password-control history enable
# NOTE(review): "exceed unlock" appears to leave the account unlocked after 3 failed logins - confirm, and
# prefer a lock action for an account that is reachable over SSH.
password-control login-attempt 3 exceed unlock
password-control update-interval 0
password-control login idle-time 0
#
radius scheme system
user-name-format without-domain
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
role name switchbackup
rule 1 permit command display current-configuration
rule 2 permit command display saved-configuration
rule 3 permit command screen-length disable

#
user-group system
#
local-user admin class manage
service-type ssh terminal
authorization-attribute user-role network-admin
#
local-user backup class manage
service-type ssh
authorization-attribute user-role switchbackup


#
return

