Configuring Authentication, Authorization, and Accounting

Authorization Examples

Authorization allows the administrator to control which services a user is allowed to access. Some of the things that can be controlled with authorization include the user's initial privilege level and which commands the user is allowed to execute. When authorization fails, the user is denied access to the switch, even though the user has passed authentication.

The following examples assume that the configuration used in the previous examples has already been applied.

Local Authorization Example—Direct Login to Privileged EXEC Mode

Apply the following configuration to use the local user database for authorization, such that a user can enter privileged EXEC mode directly:

    aaa authorization exec "locex" local
    line telnet
    authorization exec locex
    exit

With the users that were previously configured, the guest user will still log in to user EXEC mode, since the guest user only has privilege level 1 (the default). The admin user will be able to log in directly to privileged EXEC mode since his privilege level was configured as 15.

TACACS+ Authorization Example—Direct Login to Privileged EXEC Mode

Apply the following configuration to use TACACS+ for authorization, such that a user can enter privileged EXEC mode directly:

    aaa authorization exec "tacex" tacacs
    line telnet
    authorization exec tacex
    exit

Configure the TACACS+ server so that the shell service is enabled and the priv-lvl attribute is sent when user authorization is performed. For example:

    shell:priv-lvl=15

The following describes each line in the above configuration:
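Looking back at the two exec authorization configurations above, the following added example (not part of the original guide or any vendor tooling) is an audit check that reads a saved configuration and reports, per line, who reaches privileged EXEC mode directly at login. The function names and sample passwords are constructed, and the `username ... privilege N` form of the earlier user setup is an assumption. A line with no `authorization exec` binding is left out of the report.

```python
import re

# Constructed sample. The aaa/line commands are the ones on this page; the
# "username ... privilege N" form of the earlier user setup is an assumption.
SAMPLE_CONFIG = """\
username guest password Gu3st-example
username admin password Adm1n-example privilege 15
aaa authorization exec "locex" local
aaa authorization exec "tacex" tacacs
line telnet
authorization exec locex
exit
line ssh
authorization exec tacex
exit
line console
exit
"""

def parse(config):
    """Collect local users, exec authorization lists and per-line bindings."""
    users, lists, bindings, current = {}, {}, {}, None
    for raw in config.splitlines():
        s = raw.strip()
        if m := re.match(r'username\s+"?([^"\s]+)"?\s+password\s+\S+(?:\s+privilege\s+(\d+))?', s):
            users[m.group(1)] = int(m.group(2) or 1)  # level 1 is the default
        elif m := re.match(r'aaa authorization exec\s+"?([^"\s]+)"?\s+(.+)', s):
            lists[m.group(1)] = m.group(2).split()
        elif m := re.match(r'line\s+(\S+)', s):
            current = m.group(1)
            bindings[current] = None  # no exec authorization list bound yet
        elif s == "exit":
            current = None
        elif current and (m := re.match(r'authorization exec\s+"?([^"\s]+)"?', s)):
            bindings[current] = m.group(1)
    return users, lists, bindings

def direct_privileged_exec(config):
    """Map each line with exec authorization to who reaches privileged EXEC at login."""
    users, lists, bindings = parse(config)
    report = {}
    for line, name in bindings.items():
        methods = lists.get(name, []) if name else []
        if "local" in methods:
            # Per the page, level 15 users enter privileged EXEC mode directly.
            report[line] = sorted(u for u, lvl in users.items() if lvl == 15)
        elif "tacacs" in methods:
            report[line] = ["<set by TACACS+ server priv-lvl>"]
    return report
```

For a line bound to a TACACS+ list, the switch configuration alone cannot say who gets level 15, so the report points the reviewer at the server-side `priv-lvl` assignments instead.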