Tacacs+ Authorization Example-Per-Command Authorization - Dell Networking 7048 Configuration Manual

Powerconnect 7000 series switch
string at the beginning of a line, the period (.) matches any single
character, and the asterisk (*) repeats the previous match zero or more
times.
To assign this profile to a user, configure the TACACS+ server so that it
sends the following "roles" attribute for the user:

    shell:roles=aaa

If it is desired to also permit the user access to network-operator
commands (basically, all the commands in User EXEC mode), then the
"roles" attribute would be configured as follows:

    shell:roles=aaa,network-operator

TACACS+ Authorization Example—Per-command Authorization
An alternative method for command authorization is to use the TACACS+
feature of per-command authorization. With this feature, every time the user
enters a command, a request is sent to the TACACS+ server to ask if the user
is permitted to execute that command. Exec authorization does not need to
be configured to use per-command authorization.
Apply the following configuration to use TACACS+ to authorize commands:

    aaa authorization commands "taccmd" tacacs
    line telnet
      authorization commands taccmd
    exit

The following describes each line in the above configuration:
• The aaa authorization commands "taccmd" tacacs command creates a
  command authorization method list called taccmd that includes the
  method tacacs.
• The authorization commands taccmd command assigns the taccmd command
  authorization method list to be used for users accessing the switch
  via telnet.
The TACACS+ server must be configured with the commands that the user
is allowed to execute. If the server is configured for command authorization
as "None", then no commands will be authorized. If both administrative
188
Configuring Authentication, Authorization, and Accounting
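
The per-command exchange described above, as an added example that is not from the Dell manual or the switch firmware: it encodes the authorization REQUEST body that RFC 8907 defines for one typed command, then applies a default-deny server decision. The user names, port name, address, and regex policy are constructed assumptions, and the policy format is hypothetical rather than that of any particular TACACS+ server.

```python
import re
import struct

# Field values from RFC 8907 (TACACS+ authorization).
METH_TACACSPLUS, TYPE_ASCII, SVC_LOGIN = 0x06, 0x01, 0x01
STATUS_PASS_ADD, STATUS_FAIL = 0x01, 0x10

# Constructed server-side policy (hypothetical users, one regex per permitted command).
# An empty list models a user whose command authorization is "None".
POLICY = {"operator1": [r"show .*", r"ping \S+"], "auditor": []}


def build_author_request(user, port, rem_addr, command, priv_lvl=1):
    """Encode the authorization REQUEST body a client sends for one typed command."""
    words = command.split() or [""]
    args = ["service=shell", "cmd=" + words[0]] + ["cmd-arg=" + w for w in words[1:]]
    fields = [s.encode() for s in (user, port, rem_addr)]
    enc_args = [a.encode() for a in args]
    head = struct.pack("8B", METH_TACACSPLUS, priv_lvl, TYPE_ASCII, SVC_LOGIN,
                       *(len(f) for f in fields), len(enc_args))
    return head + bytes(len(a) for a in enc_args) + b"".join(fields + enc_args)


def parse_author_request(body):
    """Decode a REQUEST body into (user, command line), rejecting bad lengths."""
    if len(body) < 8:
        raise ValueError("truncated authorization request")
    user_len, port_len, addr_len, arg_cnt = body[4:8]
    arg_lens = body[8:8 + arg_cnt]
    pos = 8 + arg_cnt
    total = pos + user_len + port_len + addr_len + sum(arg_lens)
    if len(arg_lens) != arg_cnt or total != len(body):
        raise ValueError("length fields do not match body size")
    user = body[pos:pos + user_len].decode()
    pos += user_len + port_len + addr_len
    words = []
    for n in arg_lens:
        name, _, value = body[pos:pos + n].decode().partition("=")
        if name in ("cmd", "cmd-arg"):
            words.append(value)
        pos += n
    return user, " ".join(words)


def authorize(body, policy=POLICY):
    """Default deny: PASS_ADD only if the whole command matches a permitted pattern."""
    user, command = parse_author_request(body)
    permitted = any(re.fullmatch(p, command) for p in policy.get(user, []))
    return STATUS_PASS_ADD if permitted else STATUS_FAIL
```

The patterns are matched with `re.fullmatch`, so a pattern such as `show .*` cannot be satisfied by a longer command that merely contains it.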
