[c-nsp] Re: Cisco TACACS+ filter

Christopher J. Pilkington cjp at 0x1.net
Fri Feb 3 10:52:26 EST 2006


On Fri, Feb 03, 2006 at 06:08:32PM +0800, Kanagaraj Krishna wrote:
> How do you deny "sh run" on the tacacs server without using privilege commands? I even tried the statement "deny run" under "cmd=show", but it doesn't seem to work. This is my config:
> 
> on Cisco
> ---------
> aaa authorization config-commands
> aaa authorization exec default group tacacs+ local
> aaa authorization commands 1 default group tacacs+ local
> aaa authorization commands 15 default group tacacs+ local
> aaa authorization network default group tacacs+ local
> 
> 
> On Tacacs+ server
> -------------------
> group = testing {
> enable = cleartext "test"
>           cmd = show {
>           deny run
>           permit ver
>           permit ip
>           permit interface
>           }
> }

You could try:

group = managers {
  default service = deny
  cmd = show {
    permit ver.*
    permit ip.*
    permit int.*
  }
}

-- 
Christopher J. Pilkington
"mixed-group charlie juliet papa at zero x-ray one dot november echo tango"

Victorious warriors win first and then go to war, while defeated
warriors go to war first and then seek to win.
		-- Sun-tzu 
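To see how the deny-by-default group suggested above decides on expanded IOS commands, here is an added Python model of that configuration; it is not code from the thread or from any TACACS+ daemon. It assumes tac_plus-like semantics (first matching permit/deny line wins, patterns are unanchored regular expressions tested against the command arguments, no match inside a cmd block denies, and a command with no cmd block falls back to default service), so verify these against your daemon's documentation.

```python
import re

# Constructed sample: the group configuration proposed in the reply above.
SAMPLE_CONF = """group = managers {
  default service = deny
  cmd = show {
    permit ver.*
    permit ip.*
    permit int.*
  }
}"""

def parse_groups(text):
    """Parse the tac_plus-style subset used on this page into
    {group: {"default": ..., "cmds": {cmd: [(action, regex), ...]}}}."""
    groups, group, cmd = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"group\s*=\s*(\S+)\s*\{", line):
            group = groups.setdefault(m.group(1), {"default": "deny", "cmds": {}})
        elif m := re.match(r"default\s+service\s*=\s*(permit|deny)", line):
            group["default"] = m.group(1)
        elif m := re.match(r"cmd\s*=\s*(\S+)\s*\{", line):
            cmd = group["cmds"].setdefault(m.group(1), [])
        elif m := re.match(r"(permit|deny)\s+(\S.*)", line):
            cmd.append((m.group(1), m.group(2)))
        elif line == "}":  # first '}' closes the cmd block, the next the group
            cmd, group = (None, group) if cmd is not None else (None, None)
    return groups

def authorize(groups, group_name, command_line):
    """Decide an expanded IOS command such as 'show running-config'.
    Assumed semantics (modelled on tac_plus, verify against your daemon):
    first matching permit/deny wins, patterns are unanchored regexes run
    against the argument string, no match in a cmd block denies, and a
    command with no cmd block falls back to 'default service'."""
    g = groups[group_name]
    cmd, _, args = command_line.partition(" ")
    if cmd not in g["cmds"]:
        return g["default"] == "permit"
    for action, pattern in g["cmds"][cmd]:
        if re.search(pattern, args):
            return action == "permit"
    return False

if __name__ == "__main__":
    print(authorize(parse_groups(SAMPLE_CONF), "managers", "show running-config"))
```

Under this model "show version", "show ip route" and "show interfaces ..." are permitted, while "show running-config" and anything without a cmd block (such as "configure terminal") are denied.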