You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/cumulus-linux-517/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md
+29-6Lines changed: 29 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -149,12 +149,7 @@ You can configure the following optional TACACS+ settings:
149
149
{{%notice note%}}
150
150
If a TACACS user exists and has already connected before you enable a separate home directory for that user, the user home directory already exists under `tacacs_template_user`. Therefore, when adding a local user, the user does not have permissions or ownership of the home directory.
151
151
{{%/notice%}}
152
-
<!-- - The output debugging information level through syslog(3) to use for troubleshooting. You can specify a value between 0 and 2. The default is 0. A value of 1 enables debug logging. A value of 2 increases the verbosity of some debug logs.
153
152
154
-
{{%notice note%}}
155
-
Do not leave debugging enabled on a production switch after you complete troubleshooting.
156
-
{{%/notice%}}
157
-
-->
158
153
{{< tabs "TabID111 ">}}
159
154
{{< tab "NVUE Commands ">}}
160
155
@@ -414,7 +409,7 @@ The first `adduser` command prompts for information and a password. You can skip
414
409
{{< /tabs >}}
415
410
416
411
<!-- vale off -->
417
-
## TACACS+ Per-command Authorization
412
+
## Local Per-command Authorization
418
413
419
414
TACACS+ per-command authorization lets you configure the commands that TACACS+ users at different privilege levels can run.
Whe you use server-side per-command authorization, Cumulus Linux sends every command that the TACACS+ user enters to the TACACS server for authorization before executing the command. The TACACS server is the sole authority on which commands are permitted; you don't need to configure local per-command configuration on the switch.
489
+
490
+
{{%notice note%}}
491
+
- You can use server-side per-command authorization together with specific command authorization so that Cumulus Linux authorizes certain commands locally and forwards all other commands *only* to the TACACS server.
492
+
- If the switch cannot reach any of the configured TACACS servers, the command is denied.
493
+
- The switch does not execute commands without explicit server authorization.
494
+
{{%/notice%}}
495
+
496
+
By default, server-side per-command authorization is disabled for all privilege levels.
497
+
498
+
To enable server-side per-command authorization for a TACACS privilege level, run the `nv set system aaa tacacs authorization <priority-id> all-commands enabled` command.
499
+
500
+
The following example enables server-side authorization for all commands at privilege level 15:
501
+
502
+
```
503
+
cumulus@switch:~$ nv set system aaa tacacs authorization 15 all-commands enabled
504
+
cumulus@switch:~$ nv config apply
505
+
```
506
+
507
+
To disable server-side per-command authorization for a TACACS privilege level and revert to local command authorization only, run the `nv set system aaa tacacs authorization <priority-id> all-commands disabled` command:
508
+
509
+
```
510
+
cumulus@switch:~$ nv set system aaa tacacs authorization 15 all-commands disabled
511
+
cumulus@switch:~$ nv config apply
512
+
```
513
+
491
514
## Remove the TACACS+ Client Packages
492
515
493
516
To remove all the TACACS+ client packages, use the following commands:
0 commit comments