Netgear M5300-28G-POE+ (GSM7228PSv1h2) - 12-Port Managed Gigabit Switch Administrator's Guide

Security Management 
Managed Switches 
Authorization
Authorization determines if a user is authorized to perform certain activities, including user 
EXEC command authorization and privileged EXEC command authorization.
Command Authorization
TACACS+ servers support command authorization. The RADIUS protocol does not support
command authorization, but you can use a vendor-specific attribute (VSA) with attribute value
(AV) pair 26 to download a list of commands that are permitted or denied for a user. This list
of commands is downloaded from the RADIUS server. When a user executes a command,
the command is validated against the downloaded command list for the user. Any change in a
user command authorization access list takes effect after the user has logged off and logged in
again.
The vendor-specific attribute netgear-cmdAuth is defined as follows:
VENDOR     netgear    4526 
ATTRIBUTE  netgear-cmdAuth       1       string   netgear
Specify the command in the following format.
netgear-cmdAuth = "deny:spanning-tree;interface *",
Note:
The command string in the vendor attribute cannot be longer than 64 bytes.
RADIUS-based command authorization supports a maximum of 50 commands.
Note:
You can use both a TACACS+ server and a RADIUS server for 
command authorization. If the first method of command authorization 
returns an error, the second method is used for command 
authorization.
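
The limits on the command string (64 bytes, 50 commands) can be checked before an entry is loaded into the RADIUS server. The following Python is an added example, not part of the Netgear guide: it parses netgear-cmdAuth values and reports any that break either limit. It assumes that the limit of 50 counts commands across all of a user's netgear-cmdAuth values and that the permit form is spelled "permit:" (the guide shows only "deny:"); every sample value other than the guide's own example is constructed.

```python
# Added example: lint netgear-cmdAuth values for one RADIUS user.
MAX_VALUE_BYTES = 64          # per-attribute limit stated in the guide
MAX_COMMANDS = 50             # command-count limit stated in the guide
ACTIONS = {"deny", "permit"}  # "permit" spelling is an assumption


def parse_cmdauth(value):
    """Split 'action:cmd1;cmd2' into (action, [commands])."""
    action, sep, body = value.partition(":")
    if not sep or action not in ACTIONS:
        raise ValueError(f"missing or unknown action prefix in {value!r}")
    commands = [c.strip() for c in body.split(";")]
    if not all(commands):
        raise ValueError(f"empty command in {value!r}")
    return action, commands


def lint_user(values):
    """Return a list of problems found in one user's attribute values."""
    problems, total = [], 0
    for value in values:
        size = len(value.encode("utf-8"))  # the limit is in bytes, not characters
        if size > MAX_VALUE_BYTES:
            problems.append(f"{size} bytes exceeds {MAX_VALUE_BYTES}: {value!r}")
        try:
            _, commands = parse_cmdauth(value)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        total += len(commands)
    if total > MAX_COMMANDS:
        problems.append(f"{total} commands exceeds {MAX_COMMANDS}")
    return problems


# The value shown in the guide.
GOOD = ["deny:spanning-tree;interface *"]
# Constructed: six values of ten placeholder commands each (60 in total),
# every value within the 64-byte limit.
TOO_MANY = ["deny:" + ";".join(f"cmd{i}" for i in range(j, j + 10))
            for j in range(0, 60, 10)]
# Constructed: a single 65-byte value.
TOO_LONG = ["deny:" + "x" * 60]

if __name__ == "__main__":
    for name, values in (("GOOD", GOOD), ("TOO_MANY", TOO_MANY), ("TOO_LONG", TOO_LONG)):
        print(name, lint_user(values) or "ok")
```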