Enabling authorization for commands
Syntax
aaa authorization commands <radius|local|tacacs|auto|none>
no aaa authorization commands <radius|local|tacacs|auto|none>
aaa authorization commands access-level <manager|all>
no aaa authorization commands access-level <manager|all>
Configure command authorization. For each command issued by the user, an authorization request is sent to the server. Command authorization can be applied to all commands or only manager-level commands:
Parameters
- aaa
Configure the switch Authentication, Authorization, and Accounting features.
- commands
Configure command authorization.
- local
Authorize commands using local groups. Locally authenticated clients goes through local authorization. No authentication is performed for RADIUS/TACACS+ authenticate clients.
- radius
Authorize commands using RADIUS. Locally authenticated clients go through local authorization. RADIUS authenticated clients go through RADIUS authorization. No authorization is performed for TACACS+ authenticated clients.
- none
Do not require authorization for command access.
- tacacs
Authorize commands using TACACS+. TACACS+ authenticated clients go through TACACS+ authorization. No authorization is performed for RADIUS/locally authenticated users.
- auto
Authorize commands with the same protocol used for authentication. Uses the same method as Authentication and Authorization. For example local/radius/tacacs authenticated clients will go through local/radius/tacacs authorization respectively.
- access-level
Configure command authorization level.
- manager
Allow authorization only for manager level commands.
- all
Allow authorization for all commands. This is the default option.