Users Guide

308 Authentication, Authorization, and Accounting
TACACS+ Authorization Example—Per-command Authorization
An alternative method for command authorization is the TACACS+ per-command
authorization feature. With this feature, every time the user enters a
command, the switch sends an authorization request to the TACACS+ server
asking whether the user is permitted to execute that command, and the
command runs only if the server permits it. Exec authorization does not
need to be configured to use per-command authorization.
Apply the following configuration to use TACACS+ to authorize commands:
1. Creates a command authorization method list called "taccmd" that
includes the method tacacs.
console#config
console(config)#aaa authorization commands "taccmd" tacacs
2. Assigns the taccmd command authorization method list to be used for
users accessing the switch via Telnet. This example covers Telnet sessions
only; repeat the assignment under the line mode of any other access method
(for example, line ssh) that should also be subject to per-command
authorization.
console(config)#line telnet
console(config-telnet)#authorization commands taccmd
console(config-telnet)#exit
The TACACS+ server must be configured with the commands that the user is
allowed to execute. If the server is configured for command authorization
as "None", no commands are authorized: the feature fails closed rather than
falling back to permitting everything. If both administrative profiles and
per-command authorization are configured for a user, a command must be
permitted by both the administrative profile and by per-command
authorization before it is executed.
TACACS Authorization—Privilege Level
Dell EMC Networking TACACS+ supports setting the maximum user privilege
level from the TACACS+ authorization response. Configure the TACACS+
server to return priv-lvl=X in that response, where X is either 1
(non-privileged mode) or 15 (Privileged Exec mode).
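The following Python model is added here as an illustration; it is not code from Dell EMC Networking or from any TACACS+ server. It shows the decisions the per-command authorization section and the privilege-level section above describe: the server's permit/deny for one command against an ordered rule list (modeled on the tac_plus "cmd = ... { permit ... }" style, with a rule list of None standing for command authorization set to "None"), the switch-side requirement that both an administrative profile and the server permit a command, and the reading of priv-lvl from the attribute-value pairs of the authorization reply. The users, rules, profile and AV pairs are constructed sample data; the rule syntax, the first-match evaluation order, and the fallback to level 1 when no priv-lvl is returned are assumptions of this example.

```python
"""Reference model of TACACS+ per-command authorization and priv-lvl handling.

Constructed example, not Dell or tac_plus code. Rule syntax and evaluation
order are assumptions chosen to mirror a tac_plus-style command ACL.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CommandRule:
    verb: str      # first token of the CLI command, e.g. "show"
    action: str    # "permit" or "deny"
    args_re: str   # regex applied to the rest of the line; ".*" matches anything


@dataclass(frozen=True)
class TacacsUser:
    name: str
    priv_lvl: int
    # None models a server whose command authorization for this user is set
    # to "None": there is no rule list, so every command request FAILs.
    cmd_rules: Optional[tuple[CommandRule, ...]]


def _split(command: str) -> tuple[Optional[str], str]:
    """Split "show running-config" into ("show", "running-config")."""
    parts = command.strip().split(maxsplit=1)
    if not parts:
        return None, ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def evaluate_rules(rules: tuple[CommandRule, ...], command: str) -> bool:
    """Ordered first-match evaluation (assumed); no matching rule is a deny."""
    verb, args = _split(command)
    if verb is None:
        return False
    for rule in rules:
        if rule.verb == verb and re.fullmatch(rule.args_re, args):
            return rule.action == "permit"
    return False


def server_authorize_command(user: TacacsUser, command: str) -> bool:
    """Server-side answer to one per-command authorization request (PASS/FAIL)."""
    if user.cmd_rules is None:      # command authorization "None": fail closed
        return False
    return evaluate_rules(user.cmd_rules, command)


def switch_permits(user: TacacsUser,
                   profile: Optional[tuple[CommandRule, ...]],
                   command: str) -> bool:
    """Switch-side combination: when an administrative profile is assigned and
    per-command authorization is configured, both must permit the command."""
    if profile is not None and not evaluate_rules(profile, command):
        return False
    return server_authorize_command(user, command)


def parse_av_pairs(pairs: list[str]) -> dict[str, tuple[str, bool]]:
    """Split TACACS+ attribute-value pairs from an authorization reply.
    '=' marks a mandatory attribute, '*' an optional one (as in RFC 8907).
    Returns {attribute: (value, mandatory)}."""
    out: dict[str, tuple[str, bool]] = {}
    for pair in pairs:
        m = re.fullmatch(r"([^=*]+)([=*])(.*)", pair)
        if not m:
            raise ValueError(f"malformed AV pair: {pair!r}")
        out[m.group(1)] = (m.group(3), m.group(2) == "=")
    return out


def session_priv_lvl(pairs: list[str]) -> int:
    """Maximum privilege level for the session from the server's reply.
    Only 1 (non-privileged) and 15 (Privileged Exec) are accepted, as on this
    page; falling back to 1 when the attribute is absent is this example's choice."""
    attrs = parse_av_pairs(pairs)
    if "priv-lvl" not in attrs:
        return 1
    level = int(attrs["priv-lvl"][0])
    if level not in (1, 15):
        raise ValueError(f"unsupported priv-lvl {level}")
    return level


# Constructed sample data (hypothetical users, rules and profile).
ADMIN = TacacsUser("admin", 15, (
    CommandRule("show", "permit", ".*"),
    CommandRule("configure", "permit", ".*"),
    CommandRule("interface", "permit", ".*"),
    CommandRule("reload", "deny", ".*"),
))
OPERATOR = TacacsUser("operator", 1, (
    CommandRule("show", "deny", "running-config.*"),   # deny listed first
    CommandRule("show", "permit", ".*"),               # then permit other show
))
AUDITOR = TacacsUser("auditor", 1, None)               # command authz "None"
SHOW_ONLY_PROFILE = (CommandRule("show", "permit", ".*"),)

if __name__ == "__main__":
    for user, cmd in ((OPERATOR, "show version"), (OPERATOR, "show running-config"),
                      (AUDITOR, "show version"), (ADMIN, "reload")):
        print(f"{user.name:9s} {cmd:20s} -> {server_authorize_command(user, cmd)}")
    print("admin + show-only profile, configure ->",
          switch_permits(ADMIN, SHOW_ONLY_PROFILE, "configure"))
    print("session priv-lvl ->", session_priv_lvl(["service=shell", "priv-lvl=15"]))
```

Running the block prints the per-command decisions for the sample users, including the auditor whose server-side authorization is "None" (every command denied) and the admin whose show-only profile blocks "configure" even though the server would permit it.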