230 Configuring Authentication, Authorization, and Accounting
string at the beginning of a line, the period (.) matches any single
character, and the asterisk (*) repeats the previous match zero or more
times.
• To assign this profile to a user, configure the TACACS+ server so that it
sends the following “roles” attribute for the user:
shell:roles=aaa
If it is desired to also permit the user access to network-operator
commands (basically, all the commands in User EXEC mode), then the
“roles” attribute would be configured as follows:
shell:roles=aaa,network-operator
TACACS+ Authorization Example—Per-command Authorization
An alternative method for command authorization is to use the TACACS+
feature of per-command authorization. With this feature, every time the user
enters a command, a request is sent to the TACACS+ server to ask if the user
is permitted to execute that command. Exec authorization does not need to
be configured to use per-command authorization.
Apply the following configuration to use TACACS+ to authorize commands:
aaa authorization commands "taccmd" tacacs
line telnet
authorization commands taccmd
exit
The following describes each line in the above configuration:
• The aaa authorization commands "taccmd" tacacs command creates a
command authorization method list called taccmd that includes the
method tacacs.
• The authorization commands taccmd command assigns the taccmd
command authorization method list to be used for users accessing the
switch via Telnet.
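To make the two authorization models above concrete, here is an added example (not code from the guide or from any switch or TACACS+ server): it parses the shell:roles attribute and decides a command against per-role permit/deny regex rules, and separately emulates the server's answer to a per-command authorization request, including the "None" case that authorizes nothing. The role rule sets, the first-match-wins ordering and the default deny are assumptions made for this example.

```python
import re

# Constructed role definitions for this example only (not any device's real
# role configuration). Each role is an ordered list of (action, regex); the
# regex syntax follows the page: ^ anchors to line start, '.' matches any
# single character, '*' repeats the previous match zero or more times.
ROLES = {
    "aaa": [("permit", "^show aaa.*"), ("permit", "^aaa .*"), ("deny", "^.*")],
    "network-operator": [("permit", "^show .*"), ("permit", "^ping .*"),
                         ("deny", "^.*")],
}

def parse_roles_attribute(attr):
    """Parse a TACACS+ 'shell:roles=a,b' attribute into a list of role names."""
    key, _, value = attr.partition("=")
    if key.strip() != "shell:roles" or not value.strip():
        raise ValueError("unexpected roles attribute: %r" % attr)
    return [r.strip() for r in value.split(",") if r.strip()]

def authorize_by_roles(attr, command, roles=ROLES):
    """Role-based authorization: True if any assigned role permits the command.
    Assumptions for this example: within a role the first matching rule wins,
    an undefined role contributes nothing, and the default is deny."""
    for role in parse_roles_attribute(attr):
        for action, pattern in roles.get(role, []):
            if re.match(pattern, command):
                if action == "permit":
                    return True
                break  # first match within this role decides for this role
    return False

def per_command_authorize(server_policy, user, command):
    """Emulate the TACACS+ server's reply to a per-command authorization
    request. server_policy maps user -> list of permitted command regexes,
    or the string "None", meaning the server authorizes no commands at all."""
    policy = server_policy.get(user, "None")
    if policy == "None":
        return False
    return any(re.match(p, command) for p in policy)

if __name__ == "__main__":
    # Constructed server-side policy for the per-command model.
    policy = {"alice": ["^show .*", "^ping .*"], "bob": "None"}
    print(authorize_by_roles("shell:roles=aaa", "show interfaces"))       # False
    print(authorize_by_roles("shell:roles=aaa,network-operator",
                             "show interfaces"))                          # True
    print(per_command_authorize(policy, "alice", "show running-config"))  # True
    print(per_command_authorize(policy, "bob", "show running-config"))    # False
```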
The TACACS+ server must be configured with the commands that the user
is allowed to execute. If the server is configured for command authorization
as “None”, then no commands will be authorized. If both administrative