[c-nsp] Re: Cisco TACACS+ filter

Kanagaraj Krishna kanagaraj at aims.com.my
Fri Feb 3 05:08:32 EST 2006


How do you deny "sh run" on the tacacs server without using privilege commands? I even tried the statement "deny run" under "cmd=show", but it doesn't seem to work. This is my config:

on Cisco
---------
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group tacacs+ local


On Tacacs+ server
-------------------
group = testing {
          enable = cleartext "test"
          cmd = show {
                    deny run
                    permit ver
                    permit ip
                    permit interface
          }
}

Regards,
Kanagaraj Krishna

