Configuring command authorization with TACACS+
Use this procedure to enable TACACS+ command authorization for a particular privilege level, so that the use of certain commands can be limited to certain users.
If command authorization fails, the following log message displays: Command <command> not authorized for user <username>.
By default, command authorization is disabled on the switch. The default for the command authorization level is none.
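As an added example, not part of this page or of the switch software: a small Python script that pulls the authorization-failure message quoted above out of exported syslog lines, groups the denials per user, and flags users who either accumulate several denials or were refused a configuration-changing command. The syslog prefix layout (timestamp, hostname, process tag), the sample lines and the list of configuration-changing keywords are assumptions made for illustration; adjust the regex and the keyword list to your own export format and command set.

```python
import re
from collections import defaultdict

# The message text itself is the one documented for the switch:
#   Command <command> not authorized for user <username>
# The prefix (timestamp, host, process tag) is an ASSUMED syslog export layout.
DENY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+.*?"
    r"Command (?P<command>.+?) not authorized for user (?P<user>\S+)\s*$"
)

# Constructed sample lines for this example (not captured from a real switch).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sw-core-1 CLI: Command show running-config not authorized for user alice
2024-05-01T10:00:04Z sw-core-1 CLI: Command configure terminal not authorized for user alice
2024-05-01T10:00:05Z sw-core-1 CLI: Command copy running-config tftp not authorized for user alice
2024-05-01T10:00:07Z sw-core-1 CLI: Command show interfaces not authorized for user bob
2024-05-01T10:01:12Z sw-core-1 CLI: Command username admin privilege 15 not authorized for user alice
2024-05-01T10:02:00Z sw-core-1 CLI: user bob logged out
"""

# ASSUMED list of leading keywords that change device configuration or
# credentials; a denial of one of these is worth a look on its own.
CONFIG_CHANGING = ("configure", "copy", "username", "tacacs", "write", "boot")


def parse_denials(text):
    """Return (timestamp, host, user, command) for every denial line in text.

    Lines that do not carry the authorization-failure message are ignored.
    """
    events = []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if m:
            events.append((m["ts"], m["host"], m["user"], m["command"]))
    return events


def denials_by_user(events):
    """Map each user to the ordered list of commands they were refused."""
    by_user = defaultdict(list)
    for _ts, _host, user, cmd in events:
        by_user[user].append(cmd)
    return dict(by_user)


def flag_users(events, threshold=3):
    """Flag users with at least `threshold` denials, or any denied
    configuration-changing command. Returns {user: {...}} for flagged users."""
    flagged = {}
    for user, cmds in denials_by_user(events).items():
        config_attempts = [c for c in cmds if c.split()[0] in CONFIG_CHANGING]
        if len(cmds) >= threshold or config_attempts:
            flagged[user] = {
                "denials": len(cmds),
                "config_attempts": config_attempts,
            }
    return flagged


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for user, info in sorted(flag_users(found).items()):
        print(f"{user}: {info['denials']} denials, "
              f"config-changing attempts: {info['config_attempts']}")
```

Run against the sample, only alice is flagged: four denials, three of them for commands that would have changed configuration or credentials. bob's single refused show command stays below the threshold. In a real deployment point the script at the collector's export for the switch and tune the threshold to the noise level of your operators.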
Before you begin
You must have access to a TACACS+ server and configure it before the TACACS+ features on your switch are available. Verify that the switch can reach the TACACS+ server and that TACACS+ is configured correctly before you enable command authorization. Command authorization fails closed: if a TACACS+-authenticated user is at a privilege level for which command authorization is enabled and the switch cannot reach the TACACS+ server, the switch rejects every command at that level. While the server is unreachable, only the logout and exit commands are accepted.
To use TACACS+ authorization, you must enable TACACS+ authentication.
About this task
Login authorization: Login authorization happens immediately after authentication, when the user logs on to the device, and assigns the user's access level. You cannot configure login authorization.
Command authorization: When you configure command authorization for a particular privilege level, every command issued at that level is sent to the TACACS+ server for authorization before it runs. You must enable command authorization globally and then for each access level you want to authorize.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable command authorization globally:
tacacs authorization enable
3. Enable command authorization for the privilege level you want to restrict (or for all levels with level all):
tacacs authorization level <1–6>
Example
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#tacacs authorization enable
Switch:1(config)#tacacs authorization level 6
Variable Definitions
The following table defines the parameters of the tacacs authorization command. The default for the command authorization level is none.

| Variable | Value |
|---|---|
| level <1–6> | Enables command authorization for the specified privilege level. |
| level all | Enables command authorization for all privilege levels. |
| level none | Disables command authorization for all privilege levels (the default). |