Hello,
Has anyone experienced a user access rights issue on C65XX/C76XX with
TACACS+ authentication?
I just want the user group 'operator' to be able to do 'show', 'conf t' and
shut down interfaces only.
But I found in our lab test that it can still do the following:
conf t
router bgp XXXX
nei 10.10.1.27 remote-AS XXX
nei 10.10.1.27 version 4
We never encountered a similar problem when we applied the same TACACS
and router AAA configuration on our 75XX, 36XX & 25XX.
Here are the configuration details:
On tacacs server:
-----------------
user = operator {
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
    cmd = configure {
        permit .*
    }
    cmd = shutdown {
        permit .*
    }
    cmd = reload {
        deny .*
    }
    cmd = write {
        deny .*
    }
    cmd = copy {
        deny .*
    }
    cmd = erase {
        deny .*
    }
}
From a C6509 with Native IOS Version 12.1(8a)E5. Please see the details below:
Cisco Internetwork Operating System Software
IOS (tm) c6sup2_rp Software (c6sup2_rp-PSV-M), Version 12.1(8a)E5, EARLY
DEPLOYMENT RELEASE SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Tue 23-Oct-01 00:34 by eaarmas
Image text-base: 0x40008980, data-base: 0x413B8000
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ none
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
tacacs-server host XXX.XXX.XXX.XXX
tacacs-server key <removed>
Thanks for your help.
Regards,
Carmen Chow
Email address: carmen@netvigator.com
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:11:56 EDT
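The following is an added example, not part of the post above or of any TACACS+ daemon: a small Python model of how a tac_plus-style server evaluates the posted "user = operator" block, command by command. It assumes the behaviour of the Shrubbery tac_plus daemon as commonly described: the device sends the expanded first keyword as the command and the remaining words plus a trailing "<cr>" as the argument string, rules inside a "cmd = ..." block are tried in order with the first matching regex deciding, and a command with no block at all is denied unless "default service = permit" is set. Run against the commands from the lab test, the model shows that the posted policy, if the device actually sends each configuration-mode command for authorization, permits "show", "configure" and "shutdown" but denies "router" and "neighbor" (they have no cmd block), and also that "interface" would be denied, so shutting down an interface needs a "cmd = interface" block. A device that lets "router bgp" through is therefore either not submitting configuration-mode commands (see "aaa authorization config-commands") or falling back to the trailing "none" method in the posted "aaa authorization commands" lines when the server does not answer. The policy dictionaries, the expanded command strings and the second, tightened policy are constructed for this example.

```python
import re

# Added example, not from the original post or from tac_plus itself: a model of
# TACACS+ per-command authorization. Assumptions: the NAS sends the expanded
# first keyword as the command and "remaining words + <cr>" as the argument
# string; rules in a cmd block are first-match; a command without a block is
# denied unless "default service = permit" is configured.

# Policy transcribed from the posted "user = operator" block. priv-lvl 15 is
# omitted because it shapes the exec session, not per-command decisions.
OPERATOR_POLICY = {
    "default_service_permit": False,
    "cmds": {
        "show":      [("permit", r".*")],
        "configure": [("permit", r".*")],
        "shutdown":  [("permit", r".*")],
        "reload":    [("deny", r".*")],
        "write":     [("deny", r".*")],
        "copy":      [("deny", r".*")],
        "erase":     [("deny", r".*")],
    },
}

# Constructed tightened variant: "configure" only as "configure terminal",
# "interface" allowed except Loopback (first-match ordering matters here).
TIGHTENED_POLICY = {
    "default_service_permit": False,
    "cmds": {
        **OPERATOR_POLICY["cmds"],
        "configure": [("permit", r"^terminal <cr>$")],
        "interface": [("deny", r"^Loopback"), ("permit", r".*")],
    },
}


def authorize(policy, cmdline):
    """Decide one command line as the server would; returns (verdict, reason)."""
    tokens = cmdline.split()
    if not tokens:
        return "deny", "empty command line"
    cmd, args = tokens[0], " ".join(tokens[1:] + ["<cr>"])
    rules = policy["cmds"].get(cmd)
    if rules is None:
        if policy["default_service_permit"]:
            return "permit", f"no 'cmd = {cmd}' block; default service = permit"
        return "deny", f"no 'cmd = {cmd}' block; implicit deny"
    # First rule whose regex matches the argument string decides.
    for action, pattern in rules:
        if re.search(pattern, args):
            return action, f"cmd = {cmd} {{ {action} {pattern} }}"
    return "deny", f"no rule in 'cmd = {cmd}' matches {args!r}; implicit deny"


def authorize_session(policy, cmdlines):
    """Evaluate a command sequence, one request per line, as a device would.
    Returns a list of (cmdline, verdict) pairs."""
    return [(line, authorize(policy, line)[0]) for line in cmdlines]


# Constructed transcript: the commands from the post in the expanded form the
# device is assumed to send ("conf t" -> "configure terminal", "nei" ->
# "neighbor"); the XXXX/XXX placeholders are kept from the post.
LAB_TEST = [
    "show running-config",
    "configure terminal",
    "router bgp XXXX",
    "neighbor 10.10.1.27 remote-as XXX",
    "neighbor 10.10.1.27 version 4",
    "interface GigabitEthernet1/1",
    "shutdown",
    "reload",
]

if __name__ == "__main__":
    for policy_name, policy in (("posted", OPERATOR_POLICY),
                                ("tightened", TIGHTENED_POLICY)):
        print(f"--- {policy_name} policy ---")
        for line, verdict in authorize_session(policy, LAB_TEST):
            print(f"{verdict:6s}  {line}")
```

Reading the model's output beside a real server's debug log ("debug aaa authorization" on the device, the daemon's own log on the server) is the quickest way to tell the two failure modes apart: if the router never logs an authorization request for "router bgp", the command is not being sent; if it logs a request and the server does not answer, the "none" fallback is what permits it.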