Configuring command authorization with TACACS+

Use this procedure to enable TACACS+ authorization for a particular privilege level. Use this option to limit the use of certain commands to certain users.

If command authorization fails, the following log message displays: Command <command> not authorized for user <username>.

By default, command authorization is disabled on the switch. The default for the command authorization level is none.

Before you begin

  • You must have access to and you must configure a TACACS+ server before the TACACS+ features on your switch are available. You must verify that the switch can reach the TACACS+ server and that you configure TACACS+ properly before you enable command authorization. If a user is TACACS+ authenticated and command authorization is enabled for that level, then if the switch cannot reach the TACACS+ server, the switch does not allow you to issue any command that has privilege level command authorization enabled. If the switch cannot reach the TACACS+ server, you can only issue logout and exit commands.

  • To use TACACS+ authorization, you must enable TACACS+ authentication.

About this task

Two kinds of authorization requests exist:
  1. Login authorization: Login authorization happens immediately after authentication when the user logs on to the device, authorization provides the user access level. You cannot configure login authorization.

  2. Command authorization: When you configure command authorization for a particular level, all commands that you issue are sent to the TACACS+ server for authorization. You need to configure command authorization globally and at individual access levels.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Enable TACACS+ authorization:

    tacacs authorization enable

  3. Configure TACACS+ privilege level for TACACS+ command authorization:

    tacacs authorization level <1–6>

    tacacs authorization level all

    tacacs authorization level none

  4. Optional: Disable TACACS+ authorization:

    tacacs authorization disable

    default tacacs authorization

Example

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#tacacs authorization enable
Switch:1(config)#tacacs authorization level 6

Variable Definitions

The following table defines parameters for the tacacs authorization command.

Variable

Value

level <1–6>

Enables command authorization for a specific privilege level. The default for the command authorization level is none.

level all

Enables command authorization for all privilege levels. The default for the command authorization level is none.

level none

Disables command authorization for all privilege levels. The default for the command authorization level is none.