Enabling command authorization

Before you enable command authorization, you must configure at least one TACACS+ server by using the tacacs-server command. In addition, any TACACS+ server configured for TACACS+ authorization must be configured with user rules (to accept or reject commands).

Perform the following steps to enable TACACS+ command authorization.

  1. From privileged EXEC mode, enter global configuration mode.
    device# configure terminal
    Entering configuration mode terminal
  2. Enable command authorization.
    device(config)# aaa authorization command tacacs+ local 
    This example enables TACACS+ command authorization with the local option. When the local option is specified, device-level authorization is performed if the TACACS+ server is unreachable or responds with an error.
    Note

    Supported commands fail when aaa authorization command is configured without the local option and the configured TACACS+ servers are not reachable. To recover from this, only the "admin" user is allowed either to disable command authorization by using the aaa authorization command none command, or to enter the aaa authorization command command again with the local option specified.
  3. Return to privileged EXEC mode.
    device(config)# exit
  4. Verify the configuration.
    device# show running-config aaa authorization
    
    aaa authorization tacacs+ local
    
The following example shows how to enable and verify TACACS+ command authorization, specifying device-level authorization when the TACACS+ server is unreachable or responds with an error.

    device# configure terminal
    Entering configuration mode terminal
    device(config)# aaa authorization command tacacs+ local
    device(config)# exit
    device# show running-config aaa authorization
    aaa authorization tacacs+ local
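
The prerequisite and the lockout caveat above can be checked offline against a saved running configuration. The following is an added example, not vendor code: the function name, the sample configurations, and the assumption that TACACS+ servers appear as lines beginning with "tacacs-server host" are all hypothetical.

```python
import re

# The authorization line, with or without the `command` keyword
# (the page shows both spellings: as entered and as displayed).
AUTHZ_RE = re.compile(r"^aaa authorization (?:command )?(?P<methods>.+)$")
# Assumption: configured TACACS+ servers show up as `tacacs-server host <addr>`.
SERVER_RE = re.compile(r"^tacacs-server host \S+")


def audit_command_authorization(running_config: str) -> list[str]:
    """Return findings about TACACS+ command authorization in a saved config."""
    lines = [ln.strip() for ln in running_config.splitlines()]
    servers = [ln for ln in lines if SERVER_RE.match(ln)]

    methods = None
    for ln in lines:
        m = AUTHZ_RE.match(ln)
        if m:
            methods = m.group("methods").split()

    if methods is None or methods == ["none"]:
        return ["command authorization is not enabled"]

    findings = []
    if "tacacs+" in methods:
        # Prerequisite: at least one TACACS+ server must be configured first.
        if not servers:
            findings.append("tacacs+ authorization enabled but no tacacs-server configured")
        # Caveat: without `local`, commands fail when the servers are unreachable.
        if "local" not in methods:
            findings.append("no local fallback: commands fail if TACACS+ is unreachable")
    return findings


# Constructed sample configurations (documentation address range, not real hosts).
WITH_FALLBACK = "tacacs-server host 192.0.2.10\naaa authorization tacacs+ local\n"
NO_FALLBACK = "tacacs-server host 192.0.2.10\naaa authorization command tacacs+\n"
NO_SERVER = "aaa authorization command tacacs+ local\n"
DISABLED = "aaa authorization command none\n"

if __name__ == "__main__":
    samples = {"with fallback": WITH_FALLBACK, "no fallback": NO_FALLBACK,
               "no server": NO_SERVER, "disabled": DISABLED}
    for name, cfg in samples.items():
        print(f"{name}: {audit_command_authorization(cfg) or 'OK'}")
```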