Before you enable command authorization,
you must configure at least one TACACS+ server by using the tacacs-server command. In
addition, any TACACS+ server configured for TACACS+ authorization must be configured
with user rules (to accept or reject commands).
Perform the following steps to enable TACACS+
command authorization.
-
From privileged EXEC mode,
enter global configuration mode.
device# configure terminal
Entering configuration mode terminal
-
Enable command authorization.
device(config)# aaa authorization command tacacs+ local
This example enables TACACS+ authorization,
specifying the
local
option. In the event that the TACACS+ server is unreachable or responds with an
error, device-level authorization is performed when the
local
option is specified.
Note
Supported commands fail when
aaa authorization
command is configured without specifying the
local
option and when the configured TACACS+ servers are not reachable. To recover
from this, the "admin" user (only) is allowed to either disable command
authorization by using the
aaa authorization command
none command or enable
aaa authorization
command command, specifying the
local
option.
-
Return to privileged EXEC
mode.
-
Verify the configuration.
device(config)# show running-config aaa authorization
aaa authorization tacacs+ local
Example
The following example show how to enable
and verify TACACS+ command authorization, specifying device-level authorization when the
TACACS+ server is unreachable or responds with an
error.
device# configure terminal
Entering configuration mode terminal
device(config)# aaa authorization command tacacs+ local
device(config)# exit
device(config)# show running-config aaa authorization
aaa authorization tacacs+ local
