It may not be exactly what you are looking for, but you can do privilege level authorization with RADIUS.
aaa new-model aaa authentication login myradius group radius local aaa authorization exec my-authradius group radius if-authenticated radius-server host w.x.y.z auth-port 1645 acct-port 1646 non-standard
line vty 0 4 password 7 23459287234 authorization exec my-authradius login authentication myradius
In your radius config, define return list attributes that sets a user's privilege level:
Service-Type: NAS-Prompt Cisco-AVPAIR: shell:priv-lvl=15
If a user logs in via telnet, they will automatically be put into privilege level 15 (enable mode). You can set the priv level for individual users or groups of users. Then you can tune the privilege level required for certain commands using the privilege command.