authorized commands. For more information about command authorization, see Fundamentals Configuration Guide.

• Command accounting—When command authorization is disabled, command accounting enables the accounting server to record all valid commands executed on the device. When command authorization is enabled, command accounting enables the accounting server to record all authorized commands. For more information about command accounting, see Fundamentals Configuration Guide.
• User role authentication—Authenticates each user who wants to obtain a temporary user role without logging out or getting disconnected. For more information about temporary user role authorization, see Fundamentals Configuration Guide.

AAA for MPLS L3VPNs

In an MPLS L3VPN scenario where clients in different VPNs are centrally authenticated, you can deploy AAA across VPNs to enable forwarding of RADIUS and HWTACACS packets across MPLS VPNs. For example, in the network shown in Figure 9, you can deploy the AAA across VPNs feature, so that the multi-VPN-instance CE (MCE) at the left side of the MPLS backbone serves as a NAS and transparently delivers the AAA packets of private users in VPN 1 and VPN 2 to the AAA servers in VPN 3 for centralized authentication. Authentication packets of private users in different VPNs do not affect each other.

Figure 9 Network diagram

Protocols and standards

The following protocols and standards are related to AAA, RADIUS, HWTACACS, and LDAP:

• RFC 2865, Remote Authentication Dial In User Service (RADIUS)
• RFC 2866, RADIUS Accounting
• RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
• RFC 2868, RADIUS Attributes for Tunnel Protocol Support
• RFC 2869, RADIUS Extensions
• RFC 1492, An Access Control Protocol, Sometimes Called TACACS
• RFC 1777, Lightweight Directory Access Protocol
• RFC 2251, Lightweight Directory Access Protocol (v3)