Authentication, Authorization and Accounting (AAA) may be configured to use a Cisco ACS server, which supports two protocols: the Cisco-proprietary TACACS+ and the open-standard RADIUS. TACACS+ is better suited to granular authorization of CLI commands; RADIUS provides better accounting. TACACS+ encrypts the entire message between a network switch and ACS, whereas RADIUS encrypts only passwords. ACS does not need its own local user database: it can use an existing one, such as Active Directory.
! Enable AAA and define method lists: TACACS+ first, then the local database
config# aaa new-model
config# aaa authentication login <auth_name> group tacacs+ local
config# aaa authorization exec <author_name> group tacacs+ local
! Local account for the "local" method
config# username <user> privilege 15 secret <password>
! TACACS+ server address and shared key
config# tacacs-server host <ip> key <password>
! Apply the method lists to the vty lines
config# line vty 0 4
config-line# login authentication <auth_name>
config-line# authorization exec <author_name>
config-line# end
! Verification and troubleshooting
# debug tacacs
# debug aaa authentication
# debug aaa authorization
# test aaa group tacacs+ <user> <password> legacy
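A way to check a saved configuration against the setup above, as an added example that is not part of the original page: it verifies that aaa new-model is on, that each method list ends in a local fallback backed by a local user, and that every list a vty line references is actually defined. The function name audit_aaa, the list names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample running-config; names, address and secrets are placeholders.
SAMPLE = """\
aaa new-model
aaa authentication login VTY_AUTH group tacacs+ local
aaa authorization exec VTY_EXEC group tacacs+
username admin privilege 15 secret 5 $1$constructed
tacacs-server host 192.0.2.10 key constructed
line vty 0 4
 login authentication VTY_AUTH
 authorization exec VTY_EXEC
line vty 5 15
 login authentication MISSING
"""

LIST_RE = re.compile(r"aaa (authentication login|authorization exec) (\S+) (.+)")
REF_RE = re.compile(r"(login authentication|authorization exec) (\S+)")

def audit_aaa(config):
    """Return findings for the AAA/vty setup (hypothetical helper)."""
    lines = config.splitlines()
    findings = []
    if not any(l.strip() == "aaa new-model" for l in lines):
        findings.append("aaa new-model is not enabled")
    # Collect method lists as {(kind, name): [methods]}.
    lists = {}
    for l in lines:
        m = LIST_RE.match(l.strip())
        if m:
            lists[(m.group(1), m.group(2))] = m.group(3).split()
    for (kind, name), methods in lists.items():
        if "local" not in methods:  # no fallback if TACACS+ is unreachable
            findings.append(f"{kind} list {name} has no local fallback")
    uses_local = any("local" in m for m in lists.values())
    has_user = any(re.match(r"username \S+ .*secret ", l) for l in lines)
    if uses_local and not has_user:
        findings.append("local fallback set but no local user with a secret")
    # Every list a vty line refers to must be defined.
    section = None
    for l in lines:
        if not l.startswith(" "):
            section = l.strip() if l.startswith("line vty") else None
        elif section and (m := REF_RE.match(l.strip())):
            kind = ("authentication login" if m.group(1).startswith("login")
                    else "authorization exec")
            if m.group(2) != "default" and (kind, m.group(2)) not in lists:
                findings.append(f"{section}: {kind} list {m.group(2)} is not defined")
    return findings
```

Calling audit_aaa(SAMPLE) reports the exec list without a local fallback and the undefined list referenced on vty 5 15.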