Authorization Problem.

honggangli
Level 1

I use Cisco Secure ACS 3.3 for Windows and a 2511 as a Network Access Server with sixteen host maps for reverse telnet. All people use reverse telnet to connect to my routers. I just want some people to be able to log in to a part of the routers. I looked for some cases, but all the configurations are for the UNIX version. How can I configure the Windows version of ACS to authorize users to use some host maps?

thanks.

3 Replies

scottosan
Level 1

If you only want certain people to have access to certain devices or certain commands on certain devices, you are going to have to do several things. First you are going to have to use TACACS+ because RADIUS does not support "SHELL COMMAND AUTHORIZATION SETS". You can set this up through the "Shared Profile Components" tab. Here you can specify what commands people have access to. Next you have to assign the devices to "Network Device Groups" and users to specific groups. Under the group settings, go to "TACACS+ Settings". Check the Shell (Exec) box and the Privilege level box and assign it to 15. Scroll down to the Shell Command Authorization Set area. Choose the "Assign a Shell Command Authorization Set on a per Network Device Group Basis" option. Here you can assign a specific shell command authorization set to a specific network device group.

Then you must configure your device(s) to use this function. Your config should look something like this:

!
! Enable AAA and authenticate logins against TACACS+, falling back to the line password
aaa new-model
aaa authentication login default group tacacs+ line
! Exec (shell) authorization and accounting
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
! Per-command authorization and accounting at privilege levels 0, 1 and 15
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
! Replace x.x.x.x with the ACS server address; the key must match the one configured in ACS
tacacs-server host x.x.x.x key ***********
!
end
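As an added illustration that is not part of the original thread, the Python below builds and decodes the TACACS+ authorization request that the `aaa authorization commands` lines above cause the router to send for every command a user types, using the packet layout from RFC 8907; the user name, port, session id and shared key are constructed placeholders. It also shows what the `key` on the `tacacs-server host` line actually does: the body is only XORed with an MD5-derived pad, with no integrity check, so the router-to-ACS path belongs on a trusted management network.

```python
import hashlib
import struct

TAC_PLUS_AUTHOR = 0x02  # packet type: authorization
VERSION = 0xC0          # major 0xC, minor 0

def pseudo_pad(session_id, key, seq_no, length):
    # RFC 8907 pad: MD5(session_id | key | version | seq_no | previous digest), chained
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack(">I", session_id) + key + bytes([VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, seq_no):
    # XOR with the pad; applying it twice restores plaintext, and nothing here checks integrity
    return bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))

def build_author_request(user, port, rem_addr, args, priv_lvl=15):
    # authen_method 6 = TACACSPLUS, authen_type 1 = ASCII, authen_service 1 = LOGIN
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    fixed = struct.pack("8B", 6, priv_lvl, 1, 1, len(u), len(p), len(r), len(a))
    return fixed + bytes(len(x) for x in a) + u + p + r + b"".join(a)

def encode_packet(body, session_id, key, seq_no=1):
    # 12-byte cleartext header, then the obfuscated body
    header = struct.pack(">BBBBII", VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)

def decode_author_request(packet, key):
    # What the server recovers from the wire; a wrong key yields garbage rather than a clean rejection
    _, ptype, seq_no, _, session_id, length = struct.unpack(">BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet")
    body = obfuscate(packet[12:12 + length], session_id, key, seq_no)
    _, priv_lvl, _, _, ulen, plen, rlen, argc = struct.unpack("8B", body[:8])
    arg_lens, off = list(body[8:8 + argc]), 8 + argc
    user, off = body[off:off + ulen], off + ulen
    port, off = body[off:off + plen], off + plen
    rem, off = body[off:off + rlen], off + rlen
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    return {"priv_lvl": priv_lvl, "user": user.decode(), "port": port.decode(),
            "rem_addr": rem.decode(), "args": args}
# Constructed sample: the request a router sends when a user on tty3 enters "show running-config"
SAMPLE_ARGS = ["service=shell", "cmd=show", "cmd-arg=running-config", "cmd-arg=<cr>"]
SAMPLE_PACKET = encode_packet(build_author_request("alice", "tty3", "10.0.0.5", SAMPLE_ARGS),
                              0x1234ABCD, b"example-shared-key")
```

The `args` list is exactly what the command authorization set on the ACS side is matched against, so `cmd=` and `cmd-arg=` values are what the permit/deny entries in the set see.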

What if I don't have access to a TACACS+ server? Can it be done in IOS on the box?