[c-nsp] TACACS+ question
Bill Nash
billn at billn.net
Wed Oct 25 12:38:28 EDT 2006

On Wed, 25 Oct 2006, Pete Templin wrote:
> I'm trying to streamline my TACACS configurations and start properly 
> restricting users to a subset of commands.  Is it possible to have users 
> either have a designated privilege level upon login, or have them use 
> their own password to "enable" themselves?
> 
> If anyone has a tacplus config file with a few examples of command 
> authorization groups they'd be willing to share (sanitized as desired, 
> of course), I'd really appreciate it.
> 
Something like this, perhaps?
user = bob {
        service = exec {
                priv-lvl=15
        }
        cmd = show {
                permit run
                permit diag
                permit version
                deny .*
        }
}
- billn
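
Added example, not part of the original post and not tac_plus code: a small Python model for auditing what a cmd block like the one above lets through. It assumes the permit/deny expressions are tried in order, first match wins, as unanchored regexes against the command's arguments, and that a command with no cmd block is denied. The ANCHORED rule set and the sample commands are constructed for illustration.

```python
import re

# Rule set from the reply above, as ordered (action, regex) pairs per command.
POSTED = {"show": [("permit", "run"), ("permit", "diag"),
                   ("permit", "version"), ("deny", ".*")]}

# Hypothetical tightened variant (not from the thread): patterns anchored
# to the start of the argument string.
ANCHORED = {"show": [("permit", "^running-config"), ("permit", "^diag"),
                     ("permit", "^version"), ("deny", ".*")]}


def authorize(command_line, rules, default="deny"):
    """Return 'permit' or 'deny' for one command line under this model."""
    words = command_line.split()
    if not words:
        return "deny"
    cmd, args = words[0], " ".join(words[1:])
    if cmd not in rules:
        return default              # no cmd block for this command
    for action, pattern in rules[cmd]:
        if re.search(pattern, args):    # unanchored search (assumption)
            return action               # first matching line decides
    return "deny"                   # block exists but nothing matched


def loosened(samples, loose=POSTED, tight=ANCHORED):
    """Commands the loose rules permit but the tight rules deny."""
    return [c for c in samples
            if authorize(c, loose) == "permit"
            and authorize(c, tight) == "deny"]


# Constructed sample commands, written out in full (no abbreviations).
SAMPLES = ["show running-config", "show version", "show diag",
           "show ip route", "show interfaces trunk", "configure terminal"]

if __name__ == "__main__":
    for c in SAMPLES:
        print(f"{c:24} posted={authorize(c, POSTED):6} "
              f"anchored={authorize(c, ANCHORED)}")
    print("permitted only by the unanchored rules:", loosened(SAMPLES))
```

Under these assumptions the pattern "run" also matches the "trunk" in "show interfaces trunk", which is why the anchored variant is shown beside the posted rules.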
    
    