DELL N3000 User Manual

Configuring Authentication, Authorization, and Accounting
string at the beginning of a line, the period (.) matches any single character, and the asterisk (*) repeats the previous match zero or more times.
• To assign this profile to a user, configure the TACACS+ server so that it sends the following “roles” attribute for the user:
shell:roles=aaa
If it is desired to also permit the user access to network-operator commands (basically, all the commands in User EXEC mode), then the “roles” attribute would be configured as follows:
shell:roles=aaa,network-operator
TACACS+ Authorization Example—Per-command Authorization
An alternative method for command authorization is to use the TACACS+ feature of per-command authorization. With this feature, every time the user enters a command, a request is sent to the TACACS+ server to ask if the user is permitted to execute that command. Exec authorization does not need to be configured to use per-command authorization.
Apply the following configuration to use TACACS+ to authorize commands:
aaa authorization commands "taccmd" tacacs
line telnet
authorization commands taccmd
exit
The following describes each line in the above configuration:
• The aaa authorization commands "taccmd" tacacs command creates a command authorization method list called taccmd that includes the method tacacs.
• The authorization commands taccmd command assigns the taccmd command authorization method list to be used for users accessing the switch via Telnet.
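The following Python script is an added example, not code from the manual or from Dell; it models the server-side decision that the two mechanisms above rely on. It shows how a "shell:roles=aaa,network-operator" attribute is split into role names, how each role's permit patterns are matched against a command using the regular-expression conventions the manual describes (^ anchors at the beginning of the command, . matches one character, * repeats the previous match), and how per-command authorization returns a pass or fail for every command the user types. The contents of the role profiles, the attribute parsing, and the function names are assumptions made for this example; a real TACACS+ server keeps its own policy format.

```python
import re

# Constructed role profiles for this example. Each role is a list of permit
# patterns written in the regex style the manual describes. These are NOT the
# switch's built-in role definitions; they are assumptions for illustration.
ROLE_PROFILES = {
    "aaa": [r"^show aaa.*", r"^aaa .*", r"^show tacacs.*"],
    # Stand-in for the "all User EXEC commands" role described in the text.
    "network-operator": [r"^show .*", r"^ping .*", r"^traceroute .*"],
}


def parse_roles_attribute(attr):
    """Split a 'shell:roles=a,b' attribute into a list of role names.

    An empty attribute yields no roles, which is the "None" case: nothing
    is authorized.
    """
    if not attr:
        return []
    key, _, value = attr.partition("=")
    if key.strip() != "shell:roles":
        raise ValueError("not a shell:roles attribute: %r" % attr)
    return [r.strip() for r in value.split(",") if r.strip()]


def authorize_command(roles_attr, command, profiles=ROLE_PROFILES):
    """Return True if any role granted by the attribute permits the command.

    re.search is used (not re.match) so that the ^ anchor in a pattern keeps
    the meaning the manual gives it: a pattern without ^ may match anywhere
    in the command, a pattern with ^ only at the beginning.
    """
    for role in parse_roles_attribute(roles_attr):
        for pattern in profiles.get(role, []):
            if re.search(pattern, command):
                return True
    return False


def simulate_session(roles_attr, commands, profiles=ROLE_PROFILES):
    """Model per-command authorization: one request per command, each
    answered PASS or FAIL by the server. Returns a list of (command, verdict)."""
    return [
        (cmd, "PASS" if authorize_command(roles_attr, cmd, profiles) else "FAIL")
        for cmd in commands
    ]


if __name__ == "__main__":
    # Constructed session: a user holding only the "aaa" role.
    for cmd, verdict in simulate_session(
        "shell:roles=aaa", ["show aaa", "show interfaces", "configure"]
    ):
        print("%-20s %s" % (cmd, verdict))
```

Running the script with only the aaa role permits show aaa but fails show interfaces; adding network-operator to the attribute, as the manual's second example does, makes show interfaces pass while configure still fails, which is the behaviour to expect when checking a role assignment against the server's policy.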
The TACACS+ server must be configured with the commands that the user is allowed to execute. If the server is configured for command authorization as “None”, then no commands will be authorized. If both administrative