Cisco Systems ME3400G2CSA Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services

7-16

Cisco ME 3400 EthernetAccess Switch SoftwareConfiguration Guide

78-17058-01

Chapter7 Configuring Switch-Based Authentication

Controlling Switch Access with TACACS+

To disable AAA, use the no aaa new-model global configuration command. To disable AAA

authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global

configuration command. To either disable TACACS+ authentication for logins or to return to the default

value, use the no login authentication {default | list-name} line configuration command.

Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services

AAA authorization limits the services available to a user. When AAA authorization is enabled, the

switch uses information retrieved from the user’s profile, which is located either in the local user

database or on the security server, to configure the user’s session. The user is gra nte d acce ss to a

requested service only if the information in the user profile allows it.

You can use the aaa authorization global configuration command with the tacacs+ keyword to set

parameters that restrict a user’s network access to privileged EXEC mode.

The aaa authorization exec tacacs+ local command sets these authorization parameters:

•Use TACACS+ for privileged EX EC acc ess au thorization if authentication was performed by using

TACACS+.

•Use the local database if authentication was not performed by using TACACS+.

Note Authorization is bypassed for authenticated users who log in thro ugh th e CLI even if aut hori zat ion ha s

been configured.

Beginning in privileged EXEC mode, follow these steps to specify TACACS+ authorization for

privileged EXEC access and network services:

Step5 login authentication {default |

list-name}Apply the authentication list to a line or set of lines.

•If you specify default, use the default list created with the aaa

authentication login command.

•For list-name, specify the list created with the aaa authentication

Step6 end Return to privileged EXEC mode.

Step7 show running-config Verify your entries.

Step8 copy running-config startup-config (Optional) Save your entries in the configuration file.

Command Purpose

Step1 configure terminal Enter global configuration mode.

Step2 aaa authorization network tacacs+ Configure the switch for user TACACS+ authorization for all

network-related service requests.

Step3 aaa authorization exec tacacs+ Configure the switch for user TACACS+ authorization if the user has

privileged EXEC access.

The exec keyword might return user profile information (such as

autocommand information).

Step4 end Return to privileged EXEC mode.