Administrator Guide

Security Commands 872
If no authorization server is available or configured, the function is denied
unless the none method is configured in the list. If authorization is
configured on the console, this can lead to situations where the console
denies administrative access. Therefore, it is recommended that the console
authorization only be enabled with due regard to the risks involved. If none is
configured as the last method after radius or tacacs, no authorization is
performed if the RADIUS/TACACS servers are down.
The various utility commands like tftp, ping, outbound telnet also must pass
command authorization. Applying a script is treated as a single command
apply script which also must pass authorization. Startup-config commands
applied on device boot-up are not subject to the authorization process.
Refer to the Line Commands section for information on configured an
authorization method for a particular type of line access.
Example
Per command authorization example for telnet access using TACACS:
Configure the Authorization Method list.
console(config)#aaa authorization commands telnet-list tacacs
Apply the AML to an access line mode (telnet):
console(config)#line telnet
console(config-telnet)#authorization commands telnet-list
Exec authorization example for SSH using RADIUS with a fallback to the
none method:
Configure the Authorization Method list.
Method Notes
Local The local method is not supported for command authorization.
This method is equivalent to selecting the none method when
used for Exec authorization.
TACACS Selects TACACS for command or exec authorization.
None Selecting the none method authorizes all commands. This
option is valid for both command and Exec authorization.
RADIUS The radius method is valid for Exec authorization and Network
authorization. Network and Exec authorization with RADIUS
will work only if the applied authentication method is radius.