Command Authorization
Authorization determines if a user is authorized to perform certain activities such as entering
specific EXEC commands.
TACACS+ servers support command authorization. The RADIUS protocol does not support
command authorization, but you can use a vendor-specific attribute (VSA), carried in RADIUS
attribute 26 (Vendor-Specific), to download a list of commands that are permitted or denied
for a user. This list of commands is downloaded from the RADIUS server. When a user
executes a command, the command is validated against the downloaded command list for
that user. Any change to a user's command authorization list takes effect only after the user
has logged out and logged in again.
The vendor-specific attribute netgear-cmdAuth is defined as follows (RADIUS dictionary format):
VENDOR      netgear          4526
ATTRIBUTE   netgear-cmdAuth  1     string    netgear
Specify the command in the following format.
netgear-cmdAuth = "deny:spanning-tree;interface *",
Note:
The command string in the vendor attribute cannot be longer than 64 bytes.
RADIUS-based command authorization supports a maximum of 50 commands.
Note:
You can use both a TACACS+ server and a RADIUS server for
command authorization. If the first method of command authorization
returns an error, the second method is used for command
authorization.
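The following added example (not Netgear's code or from this manual) parses netgear-cmdAuth values into rules, lints them against the documented 64-byte and 50-command limits before they are loaded on the RADIUS server, and evaluates a CLI command line against the result. It assumes that a permit: prefix exists alongside the deny: form shown above, that * is a glob wildcard, and that the first matching rule wins; the manual states none of these.

```python
"""Added example: lint and evaluate netgear-cmdAuth VSA values (not Netgear code).

Documented: a value looks like "deny:spanning-tree;interface *", a value may not
exceed 64 bytes, and at most 50 commands are supported per user.
Assumed: a "permit:" prefix exists beside "deny:", "*" is a glob wildcard, and
rules are evaluated in order with the first match winning."""
import fnmatch

MAX_ATTR_BYTES = 64           # documented per-attribute limit
MAX_COMMANDS = 50             # documented per-user limit
ACTIONS = ("deny", "permit")  # "permit" is an assumption; the manual shows only "deny:"


def parse_cmd_auth(values):
    """Return (rules, errors) for a list of netgear-cmdAuth strings.

    rules is a list of (action, pattern) tuples in order of appearance;
    errors lists every limit or syntax problem found while linting."""
    rules, errors = [], []
    for raw in values:
        if len(raw.encode("utf-8")) > MAX_ATTR_BYTES:
            errors.append(f"value exceeds {MAX_ATTR_BYTES} bytes: {raw!r}")
        action, sep, cmds = raw.partition(":")
        if not sep or action not in ACTIONS:
            errors.append(f"expected 'deny:' or 'permit:' prefix in {raw!r}")
            continue
        # commands are separated by ';'; surrounding whitespace is ignored
        rules.extend((action, c.strip()) for c in cmds.split(";") if c.strip())
    if len(rules) > MAX_COMMANDS:
        errors.append(f"{len(rules)} commands exceed the limit of {MAX_COMMANDS}")
    return rules, errors


def is_authorized(rules, command, default_permit=True):
    """Evaluate one CLI command line against the rules (first match wins, assumed).

    default_permit is what applies when no rule matches; the manual does not
    state the switch's default, so set it to match the deployment."""
    for action, pattern in rules:
        if fnmatch.fnmatchcase(command, pattern):
            return action == "permit"
    return default_permit


if __name__ == "__main__":
    rules, errors = parse_cmd_auth(['deny:spanning-tree;interface *'])
    print(rules, errors)
    for cmd in ("show running-config", "interface 0/1", "spanning-tree"):
        print(f"{cmd!r}: {'allowed' if is_authorized(rules, cmd) else 'denied'}")
```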
CLI Example 1: Configure Command Authorization by a TACACS+ Server
The following example shows how to use the CLI to configure command authorization by a
TACACS+ server for a Telnet user and allow the user to access specific commands only.
1. Change the authentication mode for Telnet users to TACACS.
(Netgear Switch)(Config)#aaa authentication login "networkList" tacacs