[c-nsp] Cisco & Tacacs+

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Thu Dec 13 00:36:00 EST 2007


DAVID Sébastien <mailto:sdavid at ecritel.net> wrote on Wednesday, December 12, 2007 8:29 PM:

> Yes, I have enabled the aaa commands:
> 
> aaa new-model
> aaa authentication login telnet group tacacs+ enable
> aaa authentication login console group tacacs+ enable
> aaa authentication enable default group tacacs+ enable
> aaa authorization exec default group tacacs+ if-authenticated none
> aaa authorization commands 1 default group tacacs+ none
> aaa authorization commands 15 default group tacacs+ none
> aaa accounting exec default start-stop group tacacs+
> aaa accounting connection default start-stop group tacacs+
> aaa accounting system default start-stop group tacacs+
> 
> My user can enter configure mode and has access to all commands.
> I'd like to restrict it, for example, to configuring an interface to set
> speed, duplex ....

Ok. So with the above config, I'd assume you will send author requests to the T+ server, as you should be able to see in "deb aaa author" or in the t+ log. If you then add appropriate 

   cmd = interface {
           permit .*
   }
   cmd = speed {
           permit .*
   }

and so on, you should be able to do it. I've never done something like this, but I assume this will work..

	oli

> Thanks
> -----Original Message-----
> From: Oliver Boehmer (oboehmer) [mailto:oboehmer at cisco.com]
> Sent: Wednesday, December 12, 2007 12:27
> To: DAVID Sébastien; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Cisco & Tacacs+
> 
> DAVID Sébastien <> wrote on Tuesday, December 11, 2007 8:56 AM:
> 
>> Hi,
>> 
>> I'm trying to set up my network with a tacacs server based on debian
>> for authentication.
>> 
>> Everything works correctly but I'm having difficulties limiting the
>> commands in configure mode
> 
> What does your aaa config look like? Did you enable "aaa authorization
> commands 15 ..." and "aaa authorization config-commands"? You can
> check debug via "debug aaa author" to see what's happening..
> 
> 	oli
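Added example, not from the thread and not tac_plus's own code: a short Python model of how a tac_plus-style server evaluates "cmd = ... { permit ... }" blocks for a group with "default service = deny", run against the kinds of configure-mode lines discussed above (these requests only reach the server when the IOS side has "aaa authorization commands 15 ..." and config-command authorization in effect). The group contents, the regexes and the matching rules (first matching permit/deny line wins, unanchored regex search, unlisted commands fall back to the default service) are my assumptions and should be checked against the server's documentation.

```python
import re

# Constructed tac_plus-style group for the case in the thread: allow the
# user to enter configure mode, select an interface and set speed/duplex,
# and nothing else. Patterns are anchored with ^...$ on purpose: with an
# unanchored search, "permit 100" would also let "speed 1000" through.
GROUP = {
    "default_service": "deny",   # any command word not listed below is refused
    "cmds": {
        "configure": [("permit", r"^terminal$")],
        "interface": [("permit", r"^(Fast|Gigabit)Ethernet[0-9/]+$")],
        "speed":     [("permit", r"^(10|100|1000|auto)$")],
        "duplex":    [("permit", r"^(half|full|auto)$")],
        "exit":      [("permit", r"^$")],
        "end":       [("permit", r"^$")],
        # deny lines are checked in order, so this hides the config but
        # still allows every other show command
        "show":      [("deny", r"running-config"), ("permit", r".*")],
    },
}


def authorize(group, line):
    """Return True if the IOS command line is permitted for the group.

    Modelled semantics (assumption): the first word is looked up as a cmd
    block; its permit/deny lines are searched in order against the joined
    arguments and the first match decides; a listed command with no
    matching line is denied; an unlisted command uses the default service.
    """
    words = line.split()
    if not words:
        return False
    cmd, args = words[0], " ".join(words[1:])
    rules = group["cmds"].get(cmd)
    if rules is None:
        return group["default_service"] == "permit"
    for verdict, pattern in rules:
        if re.search(pattern, args):
            return verdict == "permit"
    return False


if __name__ == "__main__":
    for line in ["configure terminal", "interface GigabitEthernet0/1",
                 "speed 100", "speed 10000", "duplex full", "shutdown",
                 "ip address 10.0.0.1 255.255.255.0", "show running-config"]:
        print("permit" if authorize(GROUP, line) else "deny  ", line)
```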
