Filter
Top Products
3-21
Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 3 Configuring the Switch for the First Time
Controlling Access to Privileged EXEC Commands
To disable AAA, use the no aaa new-model global configuration command. To disable AAA
authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global
configuration command. To either disable TACACS+ authentication for logins or to return to the default
value, use the no login authentication {default | list-name} line configuration command.
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
AAA authorization limits the services available to a user. When AAA authorization is enabled, the
switch uses information retrieved from the user’s profile, which is located either in the local user
database or on the security server, to configure the user’s session. The user is granted access to a
requested service only if the information in the user profile allows it.
To set parameters that restrict a user’s network access to privileged EXEC mode, use the aaa
authorization global configuration command with the tacacs+ keyword.
The aaa authorization exec tacacs+ local command sets these authorization parameters:
• Use TACACS+ for privileged EXEC access authorization if authentication was performed by using
TACACS+.
• Use the local database if authentication was not performed by using TACACS+.
Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has
been configured.
To specify TACACS+ authorization for privileged EXEC access and network services, perform this
task, beginning in privileged EXEC mode:
To disable authorization, use the no aaa authorization {network | exec} method1 global configuration
command.
Starting TACACS+ Accounting
The AAA accounting feature tracks the services that users are accessing and the amount of network
resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to
the TACACS+ security server in the form of accounting records. Each accounting record contains
accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed
for network management, client billing, or auditing.
Command Purpose
Step 1
configure terminal
Enters global configuration mode.
Step 2
aaa authorization network tacacs+
Configures the switch for user TACACS+ authorization for all
network-related service requests.
Step 3
aaa authorization exec tacacs+
Configures the switch for user TACACS+ authorization if the user has
privileged EXEC access.
The exec keyword might return user profile information (such as
autocommand information).
Step 4
end
Returns to privileged EXEC mode.
Step 5
show running-config
Verifies your entries.
Step 6
copy running-config startup-config
(Optional) Saves your entries in the configuration file.