Command Authorization and Logging
© Copyright Lenovo 2017
When TACACS+ Command Authorization is enabled, ENOS configuration
commands are sent to the TACACS+ server for authorization. Use the following
command to enable TACACS+ Command Authorization:
CN 4093(config)# tacacs-server command-authorization
When TACACS+ Command Logging is enabled, ENOS configuration commands
are logged on the TACACS+ server. Use the following command to enable
TACACS+ Command Logging:
CN 4093(config)# tacacs-server command-logging
The following examples illustrate the format of Enterprise NOS commands sent to
the TACACS+ server:
authorization request, cmd=cfgtree, cmd-arg=/cfg/l3/if
accounting request, cmd=/cfg/l3/if, cmd-arg=1
authorization request, cmd=cfgtree, cmd-arg=/cfg/l3/if/ena
accounting request, cmd=/cfg/l3/if/ena
authorization request, cmd=cfgtree, cmd-arg=/cfg/l3/if/addr
accounting request, cmd=/cfg/l3/if/addr, cmd-arg=10.90.90.91
authorization request, cmd=apply
accounting request, cmd=apply
The following rules apply to TACACS+ command authorization and logging:
Only commands from a Console, Telnet, or SSH connection are sent for authorization and logging. SNMP, BBI, or file-copy commands (for example, TFTP or sync) are not sent.
Only leaf‐level commands are sent for authorization and logging. For example:
CN 4093(config)#
is not sent, but the following command is sent:
CN 4093(config)# tacacs-server command-logging
The full path of each command is sent for authorization and logging. For
example:
CN 4093(config)# tacacs-server command-logging
Command arguments are not sent for authorization; only the command path is. As the example above shows, a value such as an interface number or an IP address appears only in the accounting request, so a TACACS+ policy can permit or deny a command but cannot decide based on the value given to it.
Only executed commands are logged.
Invalid commands are checked by Enterprise NOS and are not sent for authorization or logging.
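The following is an added example, not part of the Lenovo manual and not the code of any TACACS+ server, showing how the request format above is matched on the server side. It parses constructed request lines in the shape ENOS sends, applies an ordered permit/deny rule set keyed on cmd and the cfgtree path prefix (so a rule on /cfg/l3/if covers the leaf commands /cfg/l3/if/ena and /cfg/l3/if/addr that ENOS sends with their full path), and records accounting requests separately. The user role, the rule set, and the request lines are assumptions made for illustration; a real daemon such as tac_plus expresses the same policy in its own configuration syntax.

```python
"""Model of TACACS+ command authorization and accounting for the ENOS
request format.  Added example: sample requests and rules are constructed
here and are not from the manual or from any TACACS+ server."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape shown by the manual.  Authorization requests
# carry cmd=cfgtree with the command path in cmd-arg; the value typed by the
# operator (interface number, IP address) appears only in the accounting request.
SAMPLE_REQUESTS = [
    "authorization request, cmd=cfgtree, cmd-arg=/cfg/l3/if",
    "accounting request, cmd=/cfg/l3/if, cmd-arg=1",
    "authorization request, cmd=cfgtree, cmd-arg=/cfg/l3/if/ena",
    "accounting request, cmd=/cfg/l3/if/ena",
    "authorization request, cmd=cfgtree, cmd-arg=/cfg/l3/if/addr",
    "accounting request, cmd=/cfg/l3/if/addr, cmd-arg=10.90.90.91",
    "authorization request, cmd=apply",
    "accounting request, cmd=apply",
    # Hypothetical path, assumed here to illustrate a denied subtree.
    "authorization request, cmd=cfgtree, cmd-arg=/cfg/sys/access/user",
]

LINE_RE = re.compile(
    r"^(?P<kind>authorization|accounting) request, cmd=(?P<cmd>[^,]+)"
    r"(?:, cmd-arg=(?P<arg>.*))?$"
)


@dataclass
class Request:
    kind: str            # "authorization" or "accounting"
    cmd: str             # "cfgtree", "apply", or the full command path (accounting)
    arg: Optional[str]   # config path (authorization) or operator value (accounting)


def parse_request(line: str) -> Request:
    """Parse one request line; raise on anything outside the documented shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognized request line: {line!r}")
    return Request(m["kind"], m["cmd"], m["arg"])


# Ordered rules (cmd, path prefix or None, permit?).  First match wins, default deny.
# Assumed policy for an "interface operator" role: may configure L3 interfaces
# and commit, may never touch the access/user subtree.
RULES: List[Tuple[str, Optional[str], bool]] = [
    ("cfgtree", "/cfg/sys/access", False),
    ("cfgtree", "/cfg/l3/if", True),
    ("apply", None, True),
]


def path_matches(prefix: str, path: str) -> bool:
    """Component-wise prefix match: /cfg/l3/if covers /cfg/l3/if/addr, not /cfg/l3/ifx."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def authorize(req: Request) -> bool:
    """Decide an authorization request.  Only cmd and the path are available;
    the operator's value is not, which is why no rule can key on it."""
    if req.kind != "authorization":
        raise ValueError("authorize() only handles authorization requests")
    for cmd, prefix, permit in RULES:
        if req.cmd != cmd:
            continue
        if prefix is None or (req.arg is not None and path_matches(prefix, req.arg)):
            return permit
    return False


def process(lines: List[str]):
    """Return ({path-or-cmd: permitted}, [(command path, value)]) for the audit trail."""
    decisions = {}
    audit: List[Tuple[str, Optional[str]]] = []
    for line in lines:
        req = parse_request(line)
        if req.kind == "authorization":
            decisions[req.arg or req.cmd] = authorize(req)
        else:
            audit.append((req.cmd, req.arg))
    return decisions, audit


if __name__ == "__main__":
    decided, trail = process(SAMPLE_REQUESTS)
    for key, ok in decided.items():
        print(f"{'PERMIT' if ok else 'DENY  '} {key}")
    for cmd, val in trail:
        print(f"LOG {cmd} {val if val is not None else ''}")
```

Running it shows the asymmetry the rules above describe: the authorization decisions see only /cfg/l3/if/addr, while the audit trail is the only place 10.90.90.91 is recorded. A change to the interface address therefore cannot be restricted to particular subnets by the TACACS+ server; it can only be permitted or denied as a command and then reviewed from the accounting log.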
Chapter 5: Authentication & Authorization Protocols
107