RADIUS and TACACS+ authorization and accounting - accounting commands

Information

Both RADIUS and TACACS+ can limit access to commands through command authorization and can collect accounting data for management sessions, command usage, and system events. This allows finer-grained control of management user permissions and monitoring of user sessions for unexpected or malicious activity.

Command authorization can use locally defined authorization groups, RADIUS, or TACACS+, and can be enabled for all commands or limited to manager-level commands.

Solution

To configure command authorization for all commands using the same protocol used for authentication:

switch(config)# aaa authorization commands access-level all
switch(config)# aaa authorization commands auto

Accounting data that can be sent to an external server include command usage, exec session start and stop, network usage, and system events. The following commands enable exec session start-stop accounting and command accounting with interim updates, using TACACS+ as the selected protocol:

switch(config)# aaa accounting exec start-stop tacacs
switch(config)# aaa accounting commands interim-update tacacs

To use RADIUS instead:

switch(config)# aaa accounting exec start-stop radius
switch(config)# aaa accounting commands interim-update radius
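
An added example, not part of the original page or of any vendor tooling: a Python check that reads a saved running-config and reports which of the four settings above are missing. It assumes the switch lists these settings in the form they are entered; the sample config and the names audit_aaa and failures are constructed for illustration.

```python
import re

# The four settings shown on this page; accounting may use either protocol.
REQUIRED = {
    "command authorization for all commands":
        r"aaa authorization commands access-level all",
    "authorization uses the authentication protocol":
        r"aaa authorization commands auto",
    "exec session start-stop accounting":
        r"aaa accounting exec start-stop (tacacs|radius)",
    "command accounting with interim updates":
        r"aaa accounting commands interim-update (tacacs|radius)",
}

def audit_aaa(config_text):
    """Map each required setting to the config line that satisfies it, or None."""
    # Collapse whitespace so indentation or doubled spaces do not hide a match.
    lines = [" ".join(raw.split()) for raw in config_text.splitlines()]
    result = {}
    for label, pattern in REQUIRED.items():
        regex = re.compile(pattern)
        # fullmatch rejects negated ("no aaa ...") and commented-out lines.
        result[label] = next((ln for ln in lines if regex.fullmatch(ln)), None)
    return result

def failures(config_text):
    """Return the labels of settings that are not configured."""
    return [label for label, line in audit_aaa(config_text).items() if line is None]

# Constructed excerpt, not taken from a real device: authorization is limited
# to manager-level commands and command accounting is absent.
SAMPLE_CONFIG = """\
hostname "edge-sw-01"
aaa authorization commands access-level manager
aaa authorization commands auto
aaa accounting exec start-stop tacacs
"""

if __name__ == "__main__":
    for label, line in audit_aaa(SAMPLE_CONFIG).items():
        status = "PASS" if line else "FAIL"
        print(f"{status}  {label}: {line or 'not configured'}")
```
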

See Also

https://support.hpe.com/hpesc/public/docDisplay?docId=a00056155en_us

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2

Plugin: ArubaOS

Control ID: ce8e658f0e671b6ac8f3b8d1d188e989759463b5765093f8c22de38b5289f1a3