It is quite clear from included documentation...
One thing should be mentioned:
Nested groups are supported, but when recursing along the group chain,
parameters are not added, they are _substituted_, at the _service_ level.
I.e. if you have:
group = a
{
    service = ppp protocol = ip {
        addr = 192.168.1.1
    }
    member = b
}
group = b
{
    service = ppp protocol = ip {
        inacl = 120
    }
    maxsess = 5
}
user = qq
{
    ...
    service = ppp protocol = ip {
        route = 192.168.0.0 255.255.0.0
    }
    member = a
}
then you will end up, for user "qq", with maxsess = 5 inherited from group "b",
but _without_ the "addr" and "inacl" attributes, because they will be killed by
the "service ppp" clause in the user definition.
Looking at the tacacs+ code shows that it is incapable of wise inheritance of
properties from group chains without code redesign. Unfortunately... :(
--------------------------------------------------------
Basil (Vasily) Dolmatov, CCIE #5347, CCNP-Security, CCDA
LightCom Corp. http://www.lightcom.ru
> -----Original Message-----
> From: Cliff Judge [mailto:cliff@broccoli.cidera.com]
> Sent: Thursday, September 21, 2000 3:16 AM
> To: cisco-nsp@puck.nether.net
> Subject: [nsp] creating tacacs user groups
>
>
>
> Does anyone have any URLs for information regarding configuring
> TACACS? Specifically, I am trying to set up a couple of different
> permission groups such that certain users only have access to, say, the
> vty's on 2511.
>
> -%
> Cliff Judge Network Engineer
> 301-598-0500 x2866 Cidera, Inc
>
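Added example (not part of the original messages and not tac_plus code): a small Python model of the service-level substitution described in the reply above, with an audit helper that lists group attributes, such as "inacl", that never reach a user. The dictionary layout and all function names are assumptions made for this illustration.

```python
# Constructed model of the configuration quoted in the reply above.
PPP_IP = ("ppp", "ip")
CONFIG = {
    "a": {"member": "b", "services": {PPP_IP: {"addr": "192.168.1.1"}}},
    "b": {"maxsess": 5, "services": {PPP_IP: {"inacl": "120"}}},
    "qq": {"member": "a",
           "services": {PPP_IP: {"route": "192.168.0.0 255.255.0.0"}}},
}

def chain(config, name):
    """Return [name, parent, grandparent, ...], stopping on a membership loop."""
    seen = []
    while name is not None and name not in seen:
        seen.append(name)
        name = config[name].get("member")
    return seen

def resolve_substituted(config, name, service):
    """Behaviour described in the reply: the nearest entry that declares the
    service supplies the whole attribute set; parents are not consulted."""
    for entry in chain(config, name):
        attrs = config[entry].get("services", {}).get(service)
        if attrs is not None:
            return dict(attrs)
    return {}

def resolve_merged(config, name, service):
    """What an administrator might expect instead: attributes accumulate
    along the chain, with the nearest definition winning per attribute."""
    merged = {}
    for entry in reversed(chain(config, name)):
        merged.update(config[entry].get("services", {}).get(service, {}))
    return merged

def resolve_scalar(config, name, key):
    """Top-level settings such as maxsess: first value found along the chain."""
    for entry in chain(config, name):
        if key in config[entry]:
            return config[entry][key]
    return None

def shadowed(config, name, service):
    """Audit check: group attributes that substitution silently drops."""
    effective = resolve_substituted(config, name, service)
    return sorted(set(resolve_merged(config, name, service)) - set(effective))

if __name__ == "__main__":
    print("effective:", resolve_substituted(CONFIG, "qq", PPP_IP))
    print("maxsess:", resolve_scalar(CONFIG, "qq", "maxsess"))
    print("dropped:", shadowed(CONFIG, "qq", PPP_IP))
```

Running the audit helper over every user and group in a configuration shows where an access list set on a group is not actually applied.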