Configuring server-side rules for TACACS+ command authorization
To perform TACACS+ command authorization, you must configure a TACACS+ server with user rules to accept or reject commands.
The following example shows a rule configuration for a user named tacuser. In this configuration, a reject message is returned for the show vrf command and an accept message is returned for all other show commands.
user = tacuser {
    default service = permit
    chap = cleartext "password"
    service = exec {
        brcd-role = admin
    }
    cmd = show {
        # reject "show vrf"
        deny vrf
        # accept every other show command
        permit .*
    }
}
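
The following added example (not part of the original documentation or any vendor tool) models how the cmd = show rules above decide a command, so a rule set can be checked before it is deployed. It assumes tac_plus-style evaluation: ordered rules, first match wins, unanchored regular expressions, and rejection of commands that have no cmd block. The function names and sample commands are constructed for illustration.

```python
import re

# Rules transcribed from the tacuser example: command -> ordered (action, regex).
TACUSER_CMD_RULES = {
    "show": [("deny", r"vrf"), ("permit", r".*")],
}

# The same two rules in the opposite order, to show why order matters.
REORDERED_RULES = {
    "show": [("permit", r".*"), ("deny", r"vrf")],
}


def authorize(command_line, rules=TACUSER_CMD_RULES, default_cmd="deny"):
    """Return 'permit' or 'deny' for one command line.

    Assumed semantics: the first word selects the cmd block, the remaining
    words are joined and searched (unanchored) against each regex in order,
    and the first matching rule decides. Python's re module stands in for
    the server's own regex engine.
    """
    words = command_line.split()
    if not words:
        return "deny"
    cmd, args = words[0], " ".join(words[1:])
    if cmd not in rules:
        return default_cmd  # no cmd block exists for this command
    for action, pattern in rules[cmd]:
        if re.search(pattern, args):
            return action
    return "deny"  # a cmd block exists but none of its rules matched


def audit(samples, rules=TACUSER_CMD_RULES):
    """Map each sample command line to its verdict under the given rules."""
    return {line: authorize(line, rules) for line in samples}


# Constructed sample commands, not taken from a real session.
SAMPLES = ["show vrf", "show version", "show ip route vrf mgmt-vrf",
           "configure terminal"]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLES).items():
        print(f"{verdict:6}  {line}")
    # With the rules reordered, permit .* matches first and the deny is dead.
    print("reordered:", authorize("show vrf", REORDERED_RULES))
```

Under these assumptions, the unanchored deny vrf rule also rejects any longer show command whose arguments contain vrf, and placing permit .* first would make the deny rule unreachable.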