Tacacs+ Configuration Example With Command Restrictions - Avaya VSP 4000 Technical Configuration Manual

Virtual services platform, management access security

5.4 TACACS+ Configuration Example with Command Restrictions
For security reasons, we may wish to restrict users from using certain commands, or limit them to specific configurable items such as an allowed VLAN range.
You can enable TACACS+ command authorization for all levels, or you can select a specific level, by adding the following ACLI command to the configuration used in the previous example:
VSPswitch:1(config)#tacacs authorization level ?
  <1-6>  User privilege level
  all    Enable tacacs+ command authorization for all privilege-levels
  none   Disable tacacs+ command authorization for all levels
For this configuration example, we will use the same setup as the previous example, with the addition of enabling command authorization for levels 3 to 6. Assume we wish to create two user accounts that allow the following:
• Read-write-all user
  o No command restriction
• Read-write user with the following rules
  o Enable configuration mode
  o Ability to show all parameters
  o Restrict the user to creating and deleting VLANs in the range 2000 to 2299
  o Restrict the user to adding port members only within the VLAN range from 2000 to 2299
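
The rules listed above for the read-write user amount to a default-deny permit list, and the VLAN range is the part that is easy to get wrong. The following is an added example, not part of the Avaya manual: the rule encoding, the function names and the ACLI command strings (`vlan create`, `vlan delete`, `vlan members add`) are assumptions, and it shows why a pattern for 2000 to 2299 has to be anchored.

```python
import re

# Assumed ACLI command forms (not taken from the manual page); adjust to your release.
VLAN = r"2[0-2][0-9][0-9]"  # matches exactly 2000-2299

# Hypothetical encoding of the read-write user's rules as permit patterns.
RULES = (
    r"enable",
    r"configure terminal",            # enable configuration mode
    r"show( .*)?",                    # show all parameters
    rf"vlan create {VLAN}( .*)?",     # create VLAN 2000-2299
    rf"vlan delete {VLAN}",           # delete VLAN 2000-2299
    rf"vlan members add {VLAN} \S+",  # add port members, VLAN 2000-2299
)
PERMIT = [re.compile(r) for r in RULES]


def authorize(role, command):
    """Decide one command line; anything not explicitly permitted is denied."""
    if role == "rwa":                # read-write-all: no command restriction
        return True
    cmd = " ".join(command.split())  # normalise whitespace before matching
    # fullmatch anchors both ends, so "20000" cannot pass a four-digit pattern.
    return any(p.fullmatch(cmd) for p in PERMIT)


def authorize_unanchored(command):
    """Weak variant for comparison: re.search accepts a match anywhere in the line."""
    cmd = " ".join(command.split())
    return any(p.search(cmd) for p in PERMIT)


# Constructed test commands, not captured from a switch.
SAMPLES = [
    "show vlan basic",
    "vlan create 2000 type port-mstprstp 0",
    "vlan create 2300 type port-mstprstp 0",
    "vlan delete 1999",
    "vlan delete 20000",
    "vlan members add 2299 1/5",
]


def evaluate():
    """Return {command: permitted} for the restricted read-write user."""
    return {c: authorize("rw", c) for c in SAMPLES}


if __name__ == "__main__":
    for cmd, ok in evaluate().items():
        print(f"{'PERMIT' if ok else 'DENY':6}  {cmd}")
```

The same boundary cases (1999, 2300 and a five-digit ID such as 20000) are worth running against whatever rule syntax your TACACS+ server uses before the policy goes live.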
March 2015
Avaya Inc. – External Distribution
avaya.com

This manual is also suitable for:

VSP 9000, VSP 8000
