Netgear M4300-24X24F (XSM4348S) - Stackable Managed Switch with 48x10G including 24x10GBASE-T and 24xSFP+ Layer 3 Administrator Guide

Security Management 
353
 Managed Switches
Command Authorization
Authorization determines whether a user is permitted to perform certain activities, such as entering specific EXEC commands.
TACACS+ servers support command authorization natively. The RADIUS protocol does not, but you can use a vendor-specific attribute (VSA), carried in RADIUS attribute 26 (Vendor-Specific) as an attribute-value (AV) pair, to download a list of commands that are permitted or denied for a user. The switch receives this list from the RADIUS server when the user authenticates. Each time the user enters a command, the switch validates the command against that user's downloaded list. A change to a user's command authorization list on the server takes effect only after the user logs out and logs in again; an already established session keeps the list it downloaded at login.
The vendor-specific attribute netgear-cmdAuth is defined as follows:
VENDOR     netgear    4526 
ATTRIBUTE  netgear-cmdAuth       1       string   netgear
Specify the command list in the following format: an action keyword (deny in this example), a colon, and a semicolon-separated list of commands, where the asterisk (*) is a wildcard. The trailing comma is the reply-item separator used in a RADIUS users file when further attributes follow.
netgear-cmdAuth = "deny:spanning-tree;interface *",
Note: The command string in the vendor attribute cannot be longer than 64 bytes, and RADIUS-based command authorization supports a maximum of 50 commands.
Note: You can configure both a TACACS+ server and a RADIUS server for command authorization. If the first method returns an error (for example, because the server cannot be reached), the second method is used for command authorization.
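The following pre-flight check is an added example and is not from the Netgear guide or Netgear's software. It takes a RADIUS users-file fragment (a constructed sample) that returns netgear-cmdAuth, applies the two limits the guide states (64-byte string, at most 50 commands), and previews which commands the list would block. The preview's matching rule (word-by-word, case-insensitive, with * as a glob wildcard, so that "spanning-tree" covers the whole spanning-tree command family and "interface *" covers any interface command) and the permit: keyword are assumptions; the guide only shows the deny: form.

```python
"""Lint netgear-cmdAuth values before loading them into a RADIUS users file.

Added example, not code from the Netgear guide.  The 64-byte and 50-command
limits are stated in the guide; the matching rule in is_allowed() and the
'permit' keyword are assumptions made for illustration.
"""
import fnmatch
import re

MAX_STRING_BYTES = 64          # limit stated in the guide
MAX_COMMANDS = 50              # limit stated in the guide
ACTIONS = ("deny", "permit")   # 'deny' is from the guide; 'permit' is assumed

# Constructed sample: a FreeRADIUS-style users entry for one operator.
SAMPLE_USERS_ENTRY = '''\
netops  Cleartext-Password := "changeme"
        netgear-cmdAuth = "deny:spanning-tree;interface *",
        Service-Type = NAS-Prompt-User
'''

ATTR_RE = re.compile(r'netgear-cmdAuth\s*=\s*"([^"]*)"')


def extract_cmdauth(users_text):
    """Return every netgear-cmdAuth string value found in a users-file fragment."""
    return ATTR_RE.findall(users_text)


def split_cmdauth(value):
    """Split 'action:cmd1;cmd2' into (action, [cmd1, cmd2]) without validating."""
    action, _, rest = value.partition(":")
    commands = [c.strip() for c in rest.split(";") if c.strip()]
    return action.strip().lower(), commands


def lint_cmdauth(value):
    """Return a list of problems with a netgear-cmdAuth value (empty list = OK)."""
    problems = []
    nbytes = len(value.encode("utf-8"))
    if nbytes > MAX_STRING_BYTES:
        problems.append("string is %d bytes, limit is %d" % (nbytes, MAX_STRING_BYTES))
    action, commands = split_cmdauth(value)
    if ":" not in value or action not in ACTIONS:
        problems.append("missing or unknown action prefix (expected deny: or permit:)")
    if not commands:
        problems.append("empty command list")
    elif len(commands) > MAX_COMMANDS:
        problems.append("%d commands, limit is %d" % (len(commands), MAX_COMMANDS))
    return problems


def parse_cmdauth(value):
    """Validate and split a value; raises ValueError listing every problem."""
    problems = lint_cmdauth(value)
    if problems:
        raise ValueError("; ".join(problems))
    return split_cmdauth(value)


def pattern_matches(pattern, cmdline):
    """Assumed rule: each pattern word must glob-match the command word in the
    same position; extra trailing command words are allowed, so 'spanning-tree'
    covers 'spanning-tree mode rstp' and 'interface *' covers 'interface 1/0/1'."""
    pwords = pattern.lower().split()
    cwords = cmdline.lower().split()
    if len(cwords) < len(pwords):
        return False
    return all(fnmatch.fnmatchcase(c, p) for p, c in zip(pwords, cwords))


def is_allowed(action, commands, cmdline):
    """Preview whether the downloaded list lets cmdline through."""
    hit = any(pattern_matches(p, cmdline) for p in commands)
    return (not hit) if action == "deny" else hit


if __name__ == "__main__":
    for value in extract_cmdauth(SAMPLE_USERS_ENTRY):
        print("value:", value, "problems:", lint_cmdauth(value) or "none")
        action, commands = parse_cmdauth(value)
        for cmd in ("interface 1/0/1", "spanning-tree mode rstp", "show running-config"):
            print("  %-26s -> %s" % (cmd, "allowed" if is_allowed(action, commands, cmd) else "denied"))
```

Run the linter over every netgear-cmdAuth value in the users file before reloading the RADIUS server: a value that exceeds 64 bytes or 50 commands is the kind of silent failure that leaves an operator with a different command set than the one intended, and the change only shows up after the user's next login.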
CLI Example 1: Configure Command Authorization by a TACACS+ Server
The following example shows how to use the CLI to configure command authorization by a TACACS+ server for a Telnet user and allow the user to access specific commands only.
1. Change the authentication mode for Telnet users to TACACS+ by defining a login authentication list that uses TACACS+.
(Netgear Switch)(Config)#aaa authentication login "networkList" tacacs