RE: [nsp] creating tacacs user groups

From: Basil Dolmatov (dol@east.ru)
Date: Thu Sep 21 2000 - 03:52:52 EDT


It is quite clear from included documentation...

One thing should be mentioned:
Nested groups are supported, but when recursing along group chain
parameters are not added, they are _substituted_, at the _service_ level.
I.e. if you have:
 group = a {
     service = ppp protocol = ip {
         addr = 192.168.1.1
     }
     member = b
 }
 group = b {
     service = ppp protocol = ip {
         inacl = 120
     }
     maxsess = 5
 }

 user = qq {
 ...
     service = ppp protocol = ip {
         route = 192.168.0.0 255.255.0.0
     }
     member = a
 }

then you will end up for user "qq" with maxsess = 5 inherited from group "b",
but _without_ the "addr" and "inacl" attributes, because they will be killed by
the "service ppp" clause in the user definition.

Looking at the tacacs+ code shows that it is incapable of wise inheritance of
properties from group chains without code redesign. Unfortunately... :(

--------------------------------------------------------
Basil (Vasily) Dolmatov, CCIE #5347, CCNP-Security, CCDA
LightCom Corp. http://www.lightcom.ru

> -----Original Message-----
> From: Cliff Judge [mailto:cliff@broccoli.cidera.com]
> Sent: Thursday, September 21, 2000 3:16 AM
> To: cisco-nsp@puck.nether.net
> Subject: [nsp] creating tacacs user groups
>
>
>
> Does anyone have any URLs for information regarding configuring
> TACACS? Specifically, I am trying to set up a couple of different
> permission groups such that certain users only have access to, say, the
> vty's on 2511.
>
> -%
> Cliff Judge Network Engineer
> 301-598-0500 x2866 Cidera, Inc
>
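The substitution rule Basil describes above is easy to get wrong by eye when group chains grow, and the practical risk is an "inacl" silently disappearing from an effective profile. The following script is an added example, not part of the original thread and not tac_plus code: it parses a small tac_plus-style configuration (a constructed copy of the one in the mail, with group "b" closed and the "..." omitted), walks the user -> group -> group chain, and computes the effective attributes two ways: the per-service substitution that the mail says tac_plus actually does, and the additive merge an administrator might expect. The difference between the two is the list of attributes that would be lost. The parser handles only the `entity = name {`, `service = X protocol = Y {`, `key = value` and `member = group` forms shown in the mail, and assumes one `member` line per entity; those are assumptions of this example, not claims about tac_plus's full grammar.

```python
import re
from dataclasses import dataclass, field

# Constructed sample mirroring the configuration in the mail (not a real deployment).
SAMPLE_CONFIG = """
group = a {
    service = ppp protocol = ip {
        addr = 192.168.1.1
    }
    member = b
}
group = b {
    service = ppp protocol = ip {
        inacl = 120
    }
    maxsess = 5
}
user = qq {
    service = ppp protocol = ip {
        route = 192.168.0.0 255.255.0.0
    }
    member = a
}
"""

HEADER = re.compile(r'^(user|group)\s*=\s*(\S+)\s*\{$')
SERVICE = re.compile(r'^service\s*=\s*(\S+)(?:\s+protocol\s*=\s*(\S+))?\s*\{$')
KV = re.compile(r'^(\S+)\s*=\s*(.+)$')


@dataclass
class Entity:
    kind: str                                   # "user" or "group"
    name: str
    members: list = field(default_factory=list)  # groups this entity belongs to
    scalars: dict = field(default_factory=dict)  # e.g. maxsess = 5
    services: dict = field(default_factory=dict)  # (service, protocol) -> {attr: value}


def parse(text):
    """Line-based parser for the subset of tac_plus syntax used in the sample (assumption)."""
    entities, current, service_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line == '}':                          # close the open service first, then the entity
            if service_key is not None:
                service_key = None
            else:
                current = None
            continue
        m = HEADER.match(line)
        if m:
            if current is not None:
                raise ValueError(f"nested entity not allowed: {raw!r}")
            current = Entity(m.group(1), m.group(2))
            entities[(current.kind, current.name)] = current  # users and groups are separate namespaces
            continue
        m = SERVICE.match(line)
        if m and current is not None:
            service_key = (m.group(1), m.group(2))
            current.services[service_key] = {}
            continue
        m = KV.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip()
            if service_key is not None:
                current.services[service_key][key] = value
            elif key == 'member':
                current.members.append(value)   # a 'member' always names a group
            else:
                current.scalars[key] = value
            continue
        raise ValueError(f"unparsed line: {raw!r}")
    return entities


def chain(entities, kind, name):
    """Entity followed by its ancestor groups, nearest first; refuses membership loops."""
    out, seen, cur = [], set(), entities[(kind, name)]
    while cur is not None:
        if (cur.kind, cur.name) in seen:
            raise ValueError(f"membership loop at {cur.kind} {cur.name}")
        seen.add((cur.kind, cur.name))
        out.append(cur)
        cur = entities[('group', cur.members[0])] if cur.members else None
    return out


def effective(entities, kind, name, merge_services=False):
    """Effective scalars and services. Default: a service clause nearer the user replaces
    the whole clause from further up the chain (the substitution the mail describes).
    merge_services=True instead unions attributes, which is what an admin might expect."""
    scalars, services = {}, {}
    for ent in chain(entities, kind, name):
        for k, v in ent.scalars.items():
            scalars.setdefault(k, v)             # nearest definition wins, others still inherited
        for svc, attrs in ent.services.items():
            if merge_services:
                for k, v in attrs.items():
                    services.setdefault(svc, {}).setdefault(k, v)
            else:
                services.setdefault(svc, dict(attrs))  # whole clause substituted, not merged
    return scalars, services


def dropped_by_substitution(entities, kind, name):
    """Service attributes present under the merge model but absent under substitution."""
    _, subst = effective(entities, kind, name)
    _, merged = effective(entities, kind, name, merge_services=True)
    lost = {}
    for svc, attrs in merged.items():
        missing = {k: v for k, v in attrs.items() if k not in subst.get(svc, {})}
        if missing:
            lost[svc] = missing
    return lost


if __name__ == '__main__':
    ents = parse(SAMPLE_CONFIG)
    print("effective:", effective(ents, 'user', 'qq'))
    print("lost by substitution:", dropped_by_substitution(ents, 'user', 'qq'))
```

Run against the sample, `dropped_by_substitution` reports that the `ppp/ip` service for user "qq" loses `addr` from group "a" and `inacl` from group "b", while `maxsess = 5` still arrives from "b". Running the same audit over a real configuration file before rollout is a cheap way to catch an ACL that a user-level service clause has quietly removed.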



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:17 EDT