http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Accounting-with-Cisco-switch/td-p/173028
Switch(config)# tacacs-server host 172.16.16.200 key aruba123
(Note that in some versions of IOS the key must be entered on a separate line of config: tacacs-server key aruba123)
Next we set up AAA authentication:
Switch(config)# aaa authentication login default group tacacs+ local
Switch(config)# aaa authentication enable default group tacacs+ enable
This tells the switch, for login attempts, to look at TACACS first and, if that is unreachable, to use the local database. When a user types "enable" to gain privileged mode access, the switch first checks TACACS and, if that is unreachable, uses the locally stored enable password or secret.
Now we set up AAA authorization for commands:
Switch(config)# aaa authorization commands 0 default group tacacs+ none
Switch(config)# aaa authorization commands 1 default group tacacs+ none
Switch(config)# aaa authorization commands 15 default group tacacs+ none
This sends all commands entered at privilege levels 0, 1 and 15 to the configured TACACS server (CPPM) for authorization and, failing that, it disallows the command.
Levels 0, 1 and 15 map to the following:
- level 0—Includes the disable, enable, exit, help, and logout commands
- level 1—Includes all user-level commands at the router> prompt
- level 15—Includes all enable-level commands at the router# prompt
Lastly, if you want to audit Cisco config commands:
Switch(config)# aaa authorization config-commands
This instructs the switch to run all config-level commands through TACACS for authorization.
Be a good little Cisco admin:
Switch(config)# exit
Switch# write mem
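The following Python script is an added example, not part of the original post: it checks a running-config excerpt for the default AAA method lists configured above, flags any that are missing or have no fallback after TACACS+, and reports each list's final fallback method. The sample configuration, function names and finding strings are constructed for illustration.

```python
import re

# Constructed running-config excerpt (sample input, not from the original post).
SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+
"""

# Default method lists the walkthrough configures.
EXPECTED = ["authentication login", "authentication enable",
            "authorization commands 0", "authorization commands 1",
            "authorization commands 15"]
LINE_RE = re.compile(r"^aaa (authentication (?:login|enable)"
                     r"|authorization commands \d+) default (.+)$")

def split_methods(text):
    """Turn 'group tacacs+ local' into ['group tacacs+', 'local']."""
    tokens, methods = text.split(), []
    while tokens:
        take = 2 if tokens[0] == "group" and len(tokens) > 1 else 1
        methods.append(" ".join(tokens[:take]))
        tokens = tokens[take:]
    return methods

def audit_aaa(config):
    """Return (findings, fallbacks) for the default AAA method lists."""
    lists, config_commands = {}, False
    for line in map(str.strip, config.splitlines()):
        if line == "aaa authorization config-commands":
            config_commands = True
        elif (m := LINE_RE.match(line)):
            lists[m.group(1)] = split_methods(m.group(2))
    findings = []
    for name in EXPECTED:
        methods = lists.get(name)
        if methods is None:
            findings.append(f"missing: aaa {name} default")
        elif methods[0] != "group tacacs+":
            findings.append(f"{name}: TACACS+ is not the first method")
        elif len(methods) == 1:
            findings.append(f"{name}: no fallback method after TACACS+")
    if not config_commands:
        findings.append("missing: aaa authorization config-commands")
    # The last method is the final fallback if earlier methods do not respond.
    fallbacks = {n: (m[-1] if len(m) > 1 else None) for n, m in lists.items()}
    return findings, fallbacks
```

Paste the AAA lines from `show running-config` into `audit_aaa()` in place of the sample to check a real switch.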