When authorization is configured for a line mode, the user manager sends information about an entered command to the AAA server. The AAA server validates the received command, and responds with either a PASS or FAIL response. If approved, the command is executed. Otherwise, the command is denied and an error message is shown to the user. The various utility commands like tftp, and ping, and outbound telnet should also pass command authorization. Applying the script is treated as a single command apply script, which also goes through authorization. Startup-config commands applied on device boot-up are not an object of the authorization process.
The per-command authorization usage scenario is this:
- Configure Authorization Method List aaa authorization commands listname tacacs radius none
- Apply AML to an Access Line Mode (console, telnet, SSH) authorization commands listname
- Commands entered by the user will go through command authorization via TACACS+ or RADIUS server and will be accepted or denied.
