Enabling authorization for commands

Syntax

aaa authorization commands <radius|local|tacacs|auto|none>
no aaa authorization commands <radius|local|tacacs|auto|none>
aaa authorization commands access-level <manager|all>
no aaa authorization commands access-level <manager|all>

Configure command authorization. For each command issued by the user, an authorization request is sent to the server. Command authorization can be applied to all commands or only manager-level commands:

Parameters

aaa

Configure the switch Authentication, Authorization, and Accounting features.

commands

Configure command authorization.

local

Authorize commands using local groups. Locally authenticated clients goes through local authorization. No authentication is performed for RADIUS/TACACS+ authenticate clients.

radius

Authorize commands using RADIUS. Locally authenticated clients go through local authorization. RADIUS authenticated clients go through RADIUS authorization. No authorization is performed for TACACS+ authenticated clients.

none

Do not require authorization for command access.

tacacs

Authorize commands using TACACS+. TACACS+ authenticated clients go through TACACS+ authorization. No authorization is performed for RADIUS/locally authenticated users.

auto

Authorize commands with the same protocol used for authentication. Uses the same method as Authentication and Authorization. For example local/radius/tacacs authenticated clients will go through local/radius/tacacs authorization respectively.

access-level

Configure command authorization level.

manager

Allow authorization only for manager level commands.

all

Allow authorization for all commands. This is the default option.