[nsp] C65XX/76XX authentication problem

From: carmen@netvigator.com
Date: Fri May 10 2002 - 16:03:44 EDT


Hello,

Has anyone experienced a user access right issue on C65XX/C76XX with
authentication with TACACS+?

I just want the user group 'operator' to be able to do 'show', 'conf t' and
shutdown interface only.

But I found in our lab test that it can still do the following:
conf t
router bgp XXXX
nei 10.10.1.27 remote-AS XXX
nei 10.10.1.27 version 4

We never encountered a similar problem when we applied the same TACACS
and router aaa configuration on our 75XX, 36XX & 25XX.

Here are the configuration details:

On tacacs server:
-----------------
user = operator {
        service = exec {
                priv-lvl = 15
        }
        cmd = show {
                permit .*
        }
        cmd = configure {
                permit .*
        }
        cmd = shutdown {
                permit .*
        }
        cmd = reload {
                deny .*
        }
        cmd = write {
                deny .*
        }
        cmd = copy {
                deny .*
        }
        cmd = erase {
                deny .*
        }
}

From C6509 with Native IOS Version 12.1(8a)E5. Please see details below:

Cisco Internetwork Operating System Software
IOS (tm) c6sup2_rp Software (c6sup2_rp-PSV-M), Version 12.1(8a)E5, EARLY
DEPLOYMENT RELEASE SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Tue 23-Oct-01 00:34 by eaarmas
Image text-base: 0x40008980, data-base: 0x413B8000

aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ none
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
tacacs-server host XXX.XXX.XXX.XXX
tacacs-server key <removed>

Thanks for your help.

Regards,

Carmen Chow
Email address: carmen@netvigator.com
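
Added example, not part of the original message: a small Python evaluator that applies the posted 'operator' policy to full command lines and reports the decision the TACACS+ server would return if the device sent each one for authorization. It assumes tac_plus-style semantics (first matching permit/deny regex wins, a command with no cmd block gets the default, which is deny here) and that the device sends the expanded command name; the command lines and AS numbers are constructed.

```python
import re

# Operator policy condensed from the message (the 'cmd = show' brace corrected).
POLICY_TEXT = """
user = operator {
    service = exec { priv-lvl = 15 }
    cmd = show      { permit .* }
    cmd = configure { permit .* }
    cmd = shutdown  { permit .* }
    cmd = reload    { deny .* }
    cmd = write     { deny .* }
    cmd = copy      { deny .* }
    cmd = erase     { deny .* }
}
"""

def parse_cmd_rules(text):
    """Return {command: [(action, regex), ...]} for every 'cmd = name { ... }' block."""
    rules = {}
    for name, body in re.findall(r"cmd\s*=\s*(\S+)\s*\{([^}]*)\}", text):
        rules[name] = re.findall(r"(permit|deny)\s+(\S+)", body)
    return rules

def authorize(rules, command_line, default="deny"):
    """Decide one full command line; 'default' models commands with no cmd block."""
    cmd, _, args = command_line.strip().partition(" ")
    if cmd not in rules:
        return default, "no cmd block for '%s'" % cmd
    for action, pattern in rules[cmd]:
        if re.search(pattern, args):
            return action, "cmd = %s { %s %s }" % (cmd, action, pattern)
    return "deny", "no rule in cmd = %s matched" % cmd

# Constructed command lines; AS numbers are placeholders for the XXXX in the message.
SAMPLE_COMMANDS = [
    "show running-config",
    "configure terminal",
    "router bgp 64512",
    "neighbor 10.10.1.27 remote-as 64513",
    "interface GigabitEthernet1/1",
    "shutdown",
    "write memory",
]

def evaluate(commands=SAMPLE_COMMANDS, default="deny"):
    """Map each command line to the server-side decision under the posted policy."""
    rules = parse_cmd_rules(POLICY_TEXT)
    return {c: authorize(rules, c, default)[0] for c in commands}

if __name__ == "__main__":
    rules = parse_cmd_rules(POLICY_TEXT)
    for c in SAMPLE_COMMANDS:
        print("%-40s %s (%s)" % ((c,) + authorize(rules, c)))
```

A command that evaluates to deny here but is still accepted on the device was not decided by this policy, so the server's authorization log is the place to check which commands the device actually sent.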



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:11:56 EDT