Merge branch 'stage'

rachel-netq · rachel-netq · commit 39bea21b5865 · 2026-02-23T17:11:10.000-05:00
diff --git a/content/cumulus-linux-517/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md b/content/cumulus-linux-517/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md
@@ -149,12 +149,7 @@ You can configure the following optional TACACS+ settings:
   {{%notice note%}}
 If a TACACS user exists and has already connected before you enable a separate home directory for that user, the user home directory already exists under `tacacs_template_user`. Therefore, when adding a local user, the user does not have permissions or ownership of the home directory.
 {{%/notice%}}
-<!-- - The output debugging information level through syslog(3) to use for troubleshooting. You can specify a value between 0 and 2. The default is 0. A value of 1 enables debug logging. A value of 2 increases the verbosity of some debug logs.
 
-  {{%notice note%}}
-  Do not leave debugging enabled on a production switch after you complete troubleshooting.
-  {{%/notice%}}
--->
 {{< tabs "TabID111 ">}}
 {{< tab "NVUE Commands ">}}
 
@@ -414,7 +409,7 @@ The first `adduser` command prompts for information and a password. You can skip
 {{< /tabs >}}
 
 <!-- vale off -->
-## TACACS+ Per-command Authorization
+## Local Per-command Authorization
 
 TACACS+ per-command authorization lets you configure the commands that TACACS+ users at different privilege levels can run.
 <!-- vale on -->
@@ -488,6 +483,34 @@ cumulus@switch:~$ sudo rm ~tacacs0/bin/*
 {{< /tab >}}
 {{< /tabs >}}
 
+## Server-side Per-command Authorization
+
+Whe you use server-side per-command authorization, Cumulus Linux sends every command that the TACACS+ user enters to the TACACS server for authorization before executing the command. The TACACS server is the sole authority on which commands are permitted; you don't need to configure local per-command configuration on the switch.
+
+{{%notice note%}}
+- You can use server-side per-command authorization together with specific command authorization so that Cumulus Linux authorizes certain commands locally and forwards all other commands *only* to the TACACS server.
+- If the switch cannot reach any of the configured TACACS servers, the command is denied.
+- The switch does not execute commands without explicit server authorization.
+{{%/notice%}}
+
+By default, server-side per-command authorization is disabled for all privilege levels.
+
+To enable server-side per-command authorization for a TACACS privilege level, run the `nv set system aaa tacacs authorization <priority-id> all-commands enabled` command.
+
+The following example enables server-side authorization for all commands at privilege level 15:
+
+```
+cumulus@switch:~$ nv set system aaa tacacs authorization 15 all-commands enabled
+cumulus@switch:~$ nv config apply
+```
+
+To disable server-side per-command authorization for a TACACS privilege level and revert to local command authorization only, run the `nv set system aaa tacacs authorization <priority-id> all-commands disabled` command:
+
+```
+cumulus@switch:~$ nv set system aaa tacacs authorization 15 all-commands disabled
+cumulus@switch:~$ nv config apply
+```
+
 ## Remove the TACACS+ Client Packages
 
 To remove all the TACACS+ client packages, use the following commands:
diff --git a/content/cumulus-linux-517/Whats-New/_index.md b/content/cumulus-linux-517/Whats-New/_index.md
@@ -14,6 +14,7 @@ Cumulus Linux 5.17 contains new features and improvements, and provides bug fixe
 
 ### New Features and Enhancements
 
+- {{<link url="TACACS/#server-side-per-command-authorization" text="TACACS+ Server-side Per-command Authorization">}}
 - Headroom Size based on the average packet size
 - Dynamic ECN (Beta)
 - Instant Retransmission System (Beta)
@@ -31,7 +32,6 @@ Cumulus Linux 5.17 contains new features and improvements, and provides bug fixe
 - BER monitoring | GSHUT and port down due to error disabled
 - Security - Support "sudo" validation when TACACS server is connected to the default VRF 
 - Telemetry - amBER Link Down Information (gNMI & OTEL)
-- Support For TACACS Per Command Authorization on TACACS Server Instead of Locally 
 - Integrate logs in tc_log to the syslog​, and update log level
 - NV config verify (User can verify a config before apply
 - High frequency telemetry - Nsight Integration - Phase 2 (Binary format) 
diff --git a/content/cumulus-netq-51/Whats-New/rn.md b/content/cumulus-netq-51/Whats-New/rn.md
@@ -38,4 +38,3 @@ pdfhidden: True
 | <a name="4637749"></a> [4637749](#4637749) <a name="4637749"></a> <br /> | When the master node is down,  the <code>netq show status</code> command might report an incorrect status. | 5.0.0 | |
 | <a name="4573427"></a> [4573427](#4573427) <a name="4573427"></a> <br /> | The link health view utilization chart might display incorrect values for the top 5 links when multiple links share the same value. | 5.0.0 | |
 | <a name="4527529"></a> [4527529](#4527529) <a name="4527529"></a> <br /> | When there is a high volume of concurrent API requests to NetQ, some requests may fail. | 4.15.0-5.0.0 | |
-
