TACACS+ Settings
Turn on device administration and set the org‑wide defaults that apply when no policy says otherwise.
Configure
- Go to Network → RADIUS / NAC → Device Admin (TACACS+) → Settings.
- Set the switches:
- Enable TACACS+ device administration — the master on/off.
- Per‑command authorization (RBAC) — check each command a user runs against their allowed Command Set. Off = authenticate login only, don't gate individual commands.
- Log every authorized command (audit trail) — record every command to Command Audit.
- Set the defaults:
- Default shell privilege (0–15) — the level granted when no policy overrides (default
1;15= enable/privileged). - Unmatched command action — Permit or Deny a command that no rule matches. (Deny is stricter; Permit is more forgiving during rollout.)
- MFA mode — require a second factor on device login (enforced by the agent daemon where supported).
- Default shell privilege (0–15) — the level granted when no policy overrides (default
- Save settings.
tip
Roll out with Unmatched command = Permit and audit on so nothing is blocked while you learn what commands staff actually run. Once your Command Sets cover the real usage, flip it to Deny to lock down.