Command Authorization And Logging - Lenovo CN4093 Application Manual

10gb converged scalable switch
Command Authorization and Logging

© Copyright Lenovo 2015
When TACACS+ Command Authorization is enabled (CN 4093(config)# tacacs-server command-authorization), Lenovo N/OS configuration commands are sent to the TACACS+ server for authorization.

When TACACS+ Command Logging is enabled (CN 4093(config)# tacacs-server command-logging), Lenovo N/OS configuration commands are logged on the TACACS+ server.

The following examples illustrate the format of Lenovo N/OS commands sent to the TACACS+ server:

    authorization request, cmd=cfgtree, cmd-arg=/cfg/l3/if
    accounting request, cmd=/cfg/l3/if, cmd-arg=1
    authorization request, cmd=cfgtree, cmd-arg=/cfg/l3/if/ena
    accounting request, cmd=/cfg/l3/if/ena
    authorization request, cmd=cfgtree, cmd-arg=/cfg/l3/if/addr
    accounting request, cmd=/cfg/l3/if/addr, cmd-arg=10.90.90.91
    authorization request, cmd=apply
    accounting request, cmd=apply
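
The request format above can be turned into an audit trail on the TACACS+ server side. The following is an added example, not code from Lenovo or from the manual: it parses lines in the illustrated format, groups logged changes into batches closed by apply, and flags accounting records that were not preceded by a matching authorization request. It assumes one request per line in exactly this textual form and that each authorization request directly precedes its accounting record; the function names are hypothetical.

```python
import re

# Sample input: the example lines printed in the manual section above.
SAMPLE = """\
authorization request, cmd=cfgtree, cmd-arg=/cfg/l3/if
accounting request, cmd=/cfg/l3/if, cmd-arg=1
authorization request, cmd=cfgtree, cmd-arg=/cfg/l3/if/ena
accounting request, cmd=/cfg/l3/if/ena
authorization request, cmd=cfgtree, cmd-arg=/cfg/l3/if/addr
accounting request, cmd=/cfg/l3/if/addr, cmd-arg=10.90.90.91
authorization request, cmd=apply
accounting request, cmd=apply
""".splitlines()

LINE_RE = re.compile(
    r"^(authorization|accounting) request, cmd=([^,\s]+)(?:, cmd-arg=(\S+))?$")

def parse(line):
    """Return (kind, cmd, arg) for one request line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def audit(lines):
    """Return (batches, unauthorized, pending).

    batches      - lists of (path, argument) changes, each closed by 'apply'
    unauthorized - logged commands with no matching authorization just before
    pending      - logged changes not yet followed by 'apply'
    """
    batches, unauthorized, pending = [], [], []
    authorized = None  # command path named by the latest authorization request
    for kind, cmd, arg in filter(None, map(parse, lines)):
        if kind == "authorization":
            # In the manual's examples, config paths arrive as
            # cmd=cfgtree, cmd-arg=<path>; 'apply' arrives as cmd=apply.
            authorized = arg if cmd == "cfgtree" else cmd
            continue
        if cmd != authorized:
            unauthorized.append(cmd)
        authorized = None  # one authorization covers one leaf-level command
        if cmd == "apply":
            batches.append(pending)
            pending = []
        else:
            pending.append((cmd, arg))  # arguments appear only in accounting
    return batches, unauthorized, pending

if __name__ == "__main__":
    print(audit(SAMPLE))
```
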

The following rules apply to TACACS+ command authorization and logging:

- Only commands from a Console, Telnet, or SSH connection are sent for authorization and logging. SNMP, BBI, or file-copy commands (for example, TFTP or sync) are not sent.
- Only leaf-level commands are sent for authorization and logging. For example, CN 4093(config)# is not sent, but CN 4093(config)# tacacs-server command-logging is sent.
- The full path of each command is sent for authorization and logging. For example: CN 4093(config)# tacacs-server command-logging
- Command arguments are not sent for authorization.
- Only executed commands are logged.
- Invalid commands are checked by Lenovo N/OS, and are not sent for authorization or logging.
- Authorization is performed on each leaf-level command separately. If the user issues multiple commands at once, each command is sent separately as a full path.
- Only the following global commands are sent for authorization and logging:
  - diff
  - ping
  - revert
  - telnet
  - traceroute

Chapter 5: Authentication & Authorization Protocols