Information
Both RADIUS and TACACS+ provide the capability to limit access to commands through command authorization, as well as collect accounting data for management sessions, command usage, and system events. This allows for more fine-grained control of management user permissions, and monitoring of user sessions for unexpected or malicious activity.
Command authorization can use locally defined authorization groups, RADIUS, or TACACS+, and can be enabled for all commands or limited to manager-level commands.
Solution
To configure command authorization for all commands using the same protocol used for authentication:
switch(config)# aaa authorization commands access-level all
switch(config)# aaa authorization commands auto
Accounting data that can be sent to an external server include command usage, exec session start and stop, network usage, and system events. The following commands enable exec session start-stop accounting and command accounting with interim updates, using TACACS+ as the selected protocol:
switch(config)# aaa accounting exec start-stop tacacs
switch(config)# aaa accounting commands interim-update tacacs
To use RADIUS instead:
switch(config)# aaa accounting exec start-stop radius
switch(config)# aaa accounting commands interim-update radius