Command Authorization and Logging
© Copyright Lenovo 2018
When TACACS+ Command Authorization is enabled, ENOS configuration
commands are sent to the TACACS+ server for authorization. Use the following
command to enable TACACS+ Command Authorization:
NE2552E(config)# tacacs-server command-authorization
When TACACS+ Command Logging is enabled, ENOS configuration commands
are logged on the TACACS+ server. Use the following command to enable
TACACS+ Command Logging:
NE2552E(config)# tacacs-server command-logging
The following examples illustrate the format of Lenovo ENOS commands sent to
the TACACS+ server:
authorization request, cmd=cfgtree, cmd-arg=/cfg/l3/if
accounting request, cmd=/cfg/l3/if, cmd-arg=1
authorization request, cmd=cfgtree, cmd-arg=/cfg/l3/if/ena
accounting request, cmd=/cfg/l3/if/ena
authorization request, cmd=cfgtree, cmd-arg=/cfg/l3/if/addr
accounting request, cmd=/cfg/l3/if/addr, cmd-arg=10.90.90.91
authorization request, cmd=apply
accounting request, cmd=apply
The following rules apply to TACACS+ command authorization and logging:
Only commands from a Console, Telnet, or SSH connection are sent for authorization and logging. SNMP, BBI, or file-copy commands (for example, TFTP or sync) are not sent.
Only leaf-level commands are sent for authorization and logging. For example:
NE2552E(config)#
is not sent, but the following command is sent:
NE2552E(config)# tacacs-server command-logging
The full path of each command is sent for authorization and logging. For example:
NE2552E(config)# tacacs-server command-logging
Command arguments are not sent for authorization.
Only executed commands are logged.
Invalid commands are checked by Lenovo ENOS and are not sent for authorization or logging.
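As an added example (not code from the Lenovo manual), the following Python parses request lines in the format shown above, reconstructs the executed configuration steps from the accounting records, and flags any accounting record that is not immediately preceded by an authorization request for the same command path. The sample lines are constructed from the page's example, and the expectation that each accounting record follows its own authorization request is an assumption drawn from that sequence.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the format the manual shows for requests sent to the TACACS+ server.
SAMPLE_LOG = """\
authorization request, cmd=cfgtree, cmd-arg=/cfg/l3/if
accounting request, cmd=/cfg/l3/if, cmd-arg=1
authorization request, cmd=cfgtree, cmd-arg=/cfg/l3/if/ena
accounting request, cmd=/cfg/l3/if/ena
authorization request, cmd=cfgtree, cmd-arg=/cfg/l3/if/addr
accounting request, cmd=/cfg/l3/if/addr, cmd-arg=10.90.90.91
authorization request, cmd=apply
accounting request, cmd=apply
"""

LINE_RE = re.compile(r"^(authorization|accounting) request, cmd=([^,]+)(?:, cmd-arg=(.*))?$")


@dataclass
class Request:
    kind: str             # "authorization" or "accounting"
    cmd: str
    cmd_arg: Optional[str]

    @property
    def path(self) -> str:
        # Authorization requests carry the command path as the cmd-arg of "cfgtree"
        # (the command's own arguments are not sent); accounting requests carry the path in cmd.
        if self.kind == "authorization" and self.cmd == "cfgtree":
            return self.cmd_arg or ""
        return self.cmd


def parse_requests(text: str) -> List[Request]:
    """Parse request lines; lines that do not match the format are ignored."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Request(m.group(1), m.group(2), m.group(3)))
    return out


def config_changes(reqs: List[Request]) -> List[Tuple[str, Optional[str]]]:
    """Executed configuration steps: only accounting records describe commands that ran."""
    return [(r.cmd, r.cmd_arg) for r in reqs if r.kind == "accounting"]


def unauthorized_accounting(reqs: List[Request]) -> List[Request]:
    """Accounting records not immediately preceded by an authorization for the same path (assumption)."""
    findings, prev = [], None
    for r in reqs:
        if r.kind == "accounting" and not (prev and prev.kind == "authorization" and prev.path == r.path):
            findings.append(r)
        prev = r
    return findings
```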
Chapter 5: Authentication & Authorization Protocols
107