aaa authorization command

Enables AAA command authorization.

Syntax

aaa authorization command { none | tacacs+ [ local ] }
no aaa authorization command

Command Default

By default, AAA command authorization is disabled.

Parameters

none
Disables command authorization.
tacacs+
Specifies using TACACS+ servers for command authorization.
local
Specifies using local authorization when the TACACS+ server is not active.

Modes

Global configuration mode.

Usage Guidelines

You can enable command authorization only when at least one TACACS+ server host is configured. If no TACACS+ server is configured and you attempt to enable command authorization, the following error message is displayed and added to syslog.
% Error: No active TACACS server configuration exists to support the mode.

Similarly, when command authorization is enabled and there is only one TACACS+ server configured, you cannot remove the TACACS+ server (using the no tacacs-server command).

When the TACACS+ server, based on its configuration, rejects a command authorization request, the following error message is displayed and added to syslog.
Aborted: permission denied

With the current version of confd, custom RPC REST queries do not work when the aaa authorization command tacacs+ local form of the command is configured.

The no form of the command (no aaa authorization command) disables command authorization.

Examples

The following example shows how to enable AAA command authorization using TACACS+ servers and specify using local authorization if the TACACS+ server is not active.

device# configure terminal
device(config)# aaa authorization command tacacs+ local

The following example shows how to disable AAA command authorization.

device(config)# no aaa authorization command
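
The following Python audit is an added example, not part of the original command reference. It checks a saved running-config against the rules in the Usage Guidelines. The `tacacs-server host <address>` line format, the function name, and the sample configuration are assumptions made for illustration.

```python
import re

# Assumption: config lines mirror the commands on this page, and TACACS+ hosts
# appear as "tacacs-server host <address>" (assumed form of tacacs-server).
AUTHZ_RE = re.compile(r"^aaa authorization command\s+(none|tacacs\+)(\s+local)?\s*$")
HOST_RE = re.compile(r"^tacacs-server\s+host\s+(\S+)")


def audit_command_authorization(config_text):
    """Return (mode, findings) for one device's running-config text."""
    mode, hosts = "disabled", []  # command authorization is disabled by default
    for raw in config_text.splitlines():
        line = raw.strip()
        m = AUTHZ_RE.match(line)
        h = HOST_RE.match(line)
        if line == "no aaa authorization command" or (m and m.group(1) == "none"):
            mode = "disabled"
        elif m:
            mode = "tacacs+ local" if m.group(2) else "tacacs+"
        elif h:
            hosts.append(h.group(1))

    findings = []
    if mode == "disabled":
        findings.append("command authorization is disabled")
        return mode, findings
    if not hosts:
        # The device refuses this state; seeing it suggests a hand-edited config.
        findings.append("no TACACS+ server host configured")
    elif len(hosts) == 1:
        findings.append("single TACACS+ server host; it cannot be removed "
                        "while command authorization is enabled")
    if mode == "tacacs+":
        findings.append("no local fallback when the TACACS+ server is not active")
    else:
        findings.append("custom RPC REST queries do not work with tacacs+ local")
    return mode, findings


# Constructed sample configuration (address from a documentation range).
SAMPLE = """\
tacacs-server host 192.0.2.10
aaa authorization command tacacs+ local
"""

if __name__ == "__main__":
    print(audit_command_authorization(SAMPLE))
```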