What we have done using TACACS+ for Linux is create group profiles, and allow/restrict commands depending on profile.

group = admingroup {

cmd = enable { permit .* }

cmd = exit { permit .* }

cmd = logout { permit .* }

cmd = configure { permit .* }

cmd = debug { permit .* }

cmd = write { permit .* }

cmd = clear { permit .* }

cmd = show { permit .* }

cmd = shutdown { permit .* }

cmd = interface { permit .* }

cmd = aaa { permit .* }

cmd = traceroute { permit .* }

cmd = ping { permit .* }

cmd = no { permit .* }

cmd = ip { permit .* }

cmd = description { permit .* }

cmd = snmp-server { permit .* }

cmd = access-list { permit .* }

# Catalysts Switch specifics - IOS based

cmd = dir { permit .* }

cmd = vlan { permit .* }

cmd = switchport { permit .* }

cmd = spanning-tree { permit .* }

cmd = port { permit .* }

cmd = set { permit .* }

}

group = opsgroup {

cmd = exit { permit .* }

cmd = logout { permit .* }

cmd = show { permit .* }

cmd = traceroute { permit .* }

cmd = ping { permit .* }

cmd = configure { deny .* }

cmd = terminal { permit monitor }

cmd = debug { permit .* }

cmd = enable { deny .* }

}

On the routers also make sure level 0 commands are controlled using:

aaa authorization commands 0 default group tacacs+