Skip to main content

TACACS+ Settings

Turn on device administration and set the org‑wide defaults that apply when no policy says otherwise.

Configure

  1. Go to Network → RADIUS / NAC → Device Admin (TACACS+) → Settings.
  2. Set the switches:
    • Enable TACACS+ device administration — the master on/off.
    • Per‑command authorization (RBAC) — check each command a user runs against their allowed Command Set. Off = authenticate login only, don't gate individual commands.
    • Log every authorized command (audit trail) — record every command to Command Audit.
  3. Set the defaults:
    • Default shell privilege (0–15) — the level granted when no policy overrides (default 1; 15 = enable/privileged).
    • Unmatched command actionPermit or Deny a command that no rule matches. (Deny is stricter; Permit is more forgiving during rollout.)
    • MFA mode — require a second factor on device login (enforced by the agent daemon where supported).
  4. Save settings.
tip

Roll out with Unmatched command = Permit and audit on so nothing is blocked while you learn what commands staff actually run. Once your Command Sets cover the real usage, flip it to Deny to lock down.