Cisco Systems DOC-7814982 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services

7-16

Catalyst 2950 Desktop Switch Software Configuration Guide

78-14982-01

Chapter 7 Administering the Switch

Controlling Switch Access with TACACS+

To disable AAA, use the no aaa new-model global co nfigurati on comm a nd. To disable AA A

authentication, use the no aaa authentica tion l og in {default | list-name} method1 [method2...] globa l

conf iguratio n comman d. To either disable TA CACS+ au thentic ation for logins or to retur n to the defaul t

value, use th e no login authe ntication {default | list-name} l ine configurati on comma nd.

Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services

AAA authorization limits the services available to a user. When AAA authorization is enabled, the

switch uses informat ion retri eved from the use r’s profile, which is located either in the local user

database or on the security server, to configure the user’s session. The u ser is granted access to a

requested service only if the information in the user profile allows it.

Yo u can use the a aa authori zation g loba l c onfigurati on com ma nd with the tacacs+ keyword to set

parameters that restrict a user’s network access to privileged EXEC mode.

The aaa a uthorization exec tacacs+ local command sets these authorization parameters:

•Use TACACS+ for pr ivile ged EX EC acc ess au th oriza tio n if au then tic atio n w as pe rfo rmed by using

TACACS+.

•Use the local database if authentication was not performed by using TACACS+.

Note Au thor izat ion i s bypasse d fo r au the ntic ate d u ser s who l og in thro ugh the CLI even if auth ori zat ion has

been c onfigu red.

Beginning in privileged EXEC mode, follow these steps to specify TACACS+ authorization for

privileged EXEC access and network services:

To disable a uthor iza tio n, u se th e no aaa authorization {network | exec} method1 global configuration

comm an d.

Command Purpose

Step 1 configure terminal Enter globa l configurati on mode.

Step 2 aaa authori zation network tacacs + Configure the switch for user TACACS+ authorization for all

network-re lated s er vice r eque sts.

Step 3 aaa aut hori zat ion e xe c ta ca cs+ Conf igure the swi tch for u ser TA CA CS+ author ization to determi ne if th e

user has privileged EXEC access.

The exec keyword mig ht r etur n user p rofile inf orm ation (s uc h as

autocommand information).

Step 4 end Return to privileged EXEC mode.

Step 5 show running-config Veri fy your e ntrie s.

Step 6 copy running-config startup-config (Optiona l) Save your entries in the co nfigurati on file.