Chapter 4 Configuring the CSS as a Client of a TACACS+ Server
Sending Full CSS Commands to the TACACS+ Server
In releases prior to 7.30.1.05, if you transitioned from one CLI mode to another (for example, from config mode to service mode) and the service already existed, the CSS did not perform authorization on the command, regardless of whether TACACS+ authorization was enabled for configuration or nonconfiguration commands. If you were creating a service and authorization for configuration commands was enabled, the CSS queried the TACACS+ server to determine whether you were authorized to perform the command. In software version 7.30.1.05 and later, on a mode transition in an existing service, the CSS sends a command authorization request to the TACACS+ server if nonconfiguration commands are enabled.
Use the
#(config) tacacs-server authorize config
Use the
#(config) tacacs-server authorize non-config
Use the no form of these commands to disable authorization. For example, to disable authorization for commands that affect the running configuration, enter:
#(config) no tacacs-server authorize config
To disable authorization for commands that do not affect the running configuration, enter:
#(config) no tacacs-server authorize non-config
Sending Full CSS Commands to the TACACS+ Server
CSS users can send commands to the TACACS+ server in their abbreviated syntax. By default, however, the CSS sends the full syntax of the command, even when you enter the command in its abbreviated form. By expanding the syntax, the CSS minimizes TACACS+ command authorization failures that result from abbreviations.
Use the no form of the command to stop the CSS from sending the full command and to send the command as entered by the user instead. For example, enter:
#(config) no tacacs-server send-full-command
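The following Python sketch is an added illustration, not Cisco code, of why sending the expanded command reduces authorization failures when server rules are written against full command text. The keyword tree, the permit list, the unique-prefix expansion rule, and the function names expand and authorize are all assumptions made for this example.

```python
# Constructed keyword tree for illustration; not the real CSS command grammar.
COMMAND_TREE = {
    "show": {"running-config": {}, "service": {}, "summary": {}},
    "service": {},
    "suspend": {},
}

# Constructed TACACS+ server policy: permit rules written against full command text.
PERMITTED = {"show running-config", "show service"}


def expand(entered):
    """Expand each abbreviated keyword to the single full keyword it prefixes."""
    node, full = COMMAND_TREE, []
    for token in entered.split():
        if token in node:
            matches = [token]
        else:
            matches = [kw for kw in node if kw.startswith(token)]
        if len(matches) > 1:
            raise ValueError(f"ambiguous abbreviation {token!r}: {sorted(matches)}")
        if not matches:
            # Not a keyword at this level (for example a service name): keep as typed.
            full.append(token)
            node = {}
            continue
        full.append(matches[0])
        node = node[matches[0]]
    return " ".join(full)


def authorize(entered, send_full_command=True):
    """Return (text sent to the server, whether the constructed policy permits it)."""
    sent = expand(entered) if send_full_command else " ".join(entered.split())
    return sent, sent in PERMITTED


if __name__ == "__main__":
    # Same keystrokes, two outcomes depending on the send-full-command setting.
    for flag in (True, False):
        print(flag, authorize("sh run", send_full_command=flag))
```

If you disable send-full-command, the rules on the TACACS+ server must account for every abbreviation that users are expected to type.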
Cisco Content Services Switch Security Configuration Guide