Here is a sample of AAA configuration for switches and routers:
1) AAA authentication
Here is a sample config for AAA authentication including banner and TACACS+ server.
enable secret CISCO
!
aaa new-model
aaa authentication password-prompt "Password:"
aaa authentication username-prompt "Username:"
! Console: local user database only
aaa authentication login CONSOLE local
! VTY: TACACS+ first, local users only if the server does not respond
aaa authentication login VTY group tacacs+ local
! Enable: TACACS+ first, then the enable secret
aaa authentication enable default group tacacs+ enable
!
username ADMIN password 0 CISCO
tacacs-server host 1.1.1.1
tacacs-server directed-request
tacacs-server key CISCO
!
line con 0
 login authentication CONSOLE
line vty 0 4
 password CISCO
 login authentication VTY
2) AAA authorization
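Here is an AAA authorization config for exec access using TACACS+:
aaa new-model
! Apply exec authorization to the console as well (off by default)
aaa authorization console
! Lines without a named list get no exec authorization
aaa authorization exec default none
aaa authorization exec CONSOLE group tacacs+ local
! if-authenticated: used when TACACS+ does not respond, authorizes any authenticated user
aaa authorization exec VTY group tacacs+ if-authenticated
line con 0
 authorization exec CONSOLE
line vty 0 4
 authorization exec VTY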
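To check which method lists each line ends up bound to, the following Python example (added here, not part of the original page) parses a configuration like the two samples above. It reports the resolved login and exec lists per line, users stored with a cleartext `password 0`, and line passwords that the bound login list never consults. The function name `audit` and the merged sample input are assumptions for illustration; line sub-commands are expected to be indented as in `show running-config` output.

```python
import re

# Constructed input: the page's authentication and authorization samples merged,
# with line sub-commands indented the way `show running-config` prints them.
SAMPLE = """\
aaa authentication login CONSOLE local
aaa authentication login VTY group tacacs+ local
aaa authorization exec CONSOLE group tacacs+ local
aaa authorization exec VTY group tacacs+ if-authenticated
username ADMIN password 0 CISCO
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
line vty 0 4
 password CISCO
 login authentication VTY
 authorization exec VTY
"""

def audit(config):
    """Return (method lists resolved per line, findings) for an IOS config."""
    lists, lines, findings, cur = {}, {}, [], None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not raw.startswith(" "):  # any top-level command closes a line block
            cur = cmd if cmd.startswith("line ") else None
        if cur and cur not in lines:
            lines[cur] = {"login": "default", "exec": "default", "pw": False}
        if m := re.match(r"aaa (?:authentication (login)|authorization (exec)) (\S+) (.+)", cmd):
            # 'group tacacs+ local' -> ['group tacacs+', 'local']
            lists[m[1] or m[2], m[3]] = re.findall(r"group \S+|\S+", m[4])
        elif m := re.match(r"username (\S+) password (?:0 )?\S+$", cmd):
            findings.append(f"username {m[1]}: type 0 (cleartext) password")
        elif cur and (m := re.match(r"login authentication (\S+)", cmd)):
            lines[cur]["login"] = m[1]
        elif cur and (m := re.match(r"authorization exec (\S+)", cmd)):
            lines[cur]["exec"] = m[1]
        elif cur and raw.startswith(" ") and cmd.startswith("password "):
            lines[cur]["pw"] = True
    resolved = {}
    for name, cfg in lines.items():
        resolved[name] = {k: lists.get((k, cfg[k])) for k in ("login", "exec")}
        for k in ("login", "exec"):
            if resolved[name][k] is None and cfg[k] != "default":
                findings.append(f"{name}: {k} list {cfg[k]} is not defined")
        if cfg["pw"] and "line" not in (resolved[name]["login"] or ["line"]):
            findings.append(f"{name}: line password set but login list never uses it")
    return resolved, findings
```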
3) AAA command authorization
Here is a config sample so that users with privilege level 7 can access only the following commands:
privilege exec level 7 configure terminal
privilege exec level 7 debug ip rip
privilege exec level 7 undebug all
privilege exec level 7 show running-config
privilege configure level 7 interface
privilege interface level 7 shutdown
privilege interface level 7 no shutdown
privilege interface all level 7 ip