Enabling authorization to control access to CLI commands

To control access to the CLI commands, enter this command at the CLI.


[no] aaa authorization [<commands> <radius> <none>]

Configures authorization for controlling access to CLI commands. When enabled, the switch checks the list of commands supplied by the RADIUS server during user authentication to determine if a command entered by the user can be executed.


The NAS requests authorization information from the RADIUS server. Authorization rights are assigned by user or group.


The NAS does not request authorization information.

To enable the RADIUS protocol as the authorization method:

switch(config)# aaa authorization commands radius

When the NAS sends the RADIUS server a valid user name and password, the RADIUS server sends an Access-Accept packet that contains two attributes the command list and the command exception flag. When an authenticated user enters a command on the switch, the switch examines the list of commands delivered in the RADIUS Access-Accept packet as well as the command exception flag, which indicates whether the user has permission to execute the commands in the list. See Configuring commands authorization on a RADIUS server.

After the Access-Accept packet is delivered, the command list resides on the switch. Any changes to the user's command list on the RADIUS server are not seen until the user is authenticated again.