[c-nsp] Freeware TACACS

omar parihuana omar.parihuana at gmail.com
Tue Jul 4 22:18:39 EDT 2006


Hi list,

I installed Free TACACS (tac_plus version F4.0.4.8) on
Linux/Slackware. Currently, AAA is working fine. I have two groups: an
Admin group with full rights and another with limited privileges
(Users group). However, I need some users with full rights to be able to
configure only a group of routers, and on the remaining routers they
will have restrictions (like the normal users' group). How can I do that?

In Cisco I saw the following example with Cisco Secure:

group Boston_Admins{
 service=shell {
  allow "10.28.17.1" ".*" ".*"
  allow bostonswitch ".*" ".*"
  allow "^bostonrtr[0-9]+" ".*" ".*"
  set priv-lvl=15
  default cmd=permit
 }
 service=shell {
  allow "^NYrouter[0-9]+" ".*" ".*"
  set priv-lvl=1
  default cmd=deny
 }
}

Is the previous configuration possible with Free TACACS+?

I copy my router's configuration:

aaa new-model
aaa authentication fail-message ^CCCAuthentication Fails, Please try again^C
aaa authentication login default group tacacs+ line
aaa authentication login console group tacacs+ line
aaa authentication login virtual_terminal group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+


My users belong to the Users group and the Admin group. In Freeware TACACS
I've configured:

group = admin {
        expires = "Dec 31 2006"
}

group = operadores {
        cmd = show {
                permit ver
                permit ip
                permit run
                permit interface
                permit logging
                permit arp
                permit process
                permit access-list
                permit clock
                permit route-map
        }
        cmd = traceroute {
                permit .*
        }
        cmd = logout {
                permit .*
        }
        cmd = ping {
                permit .*
        }
        cmd = clear {
                permit .*
        }
}


user = omarp {
        default service = permit
        login = file /etc/passwd
        member = admin
}

user = eduardor {
        login = file /etc/passwd
        member = operadores
}


Thanks in advance...

-- 
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!
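The behaviour the post is asking for, worked through as an added example that is not part of the original message and is neither tac_plus nor Cisco Secure code: a small Python model of device-scoped shell authorization. The device names, privilege levels and the operator command list are taken from the post's two configuration fragments; the evaluation semantics are this model's assumptions: the first shell profile whose NAS pattern matches the router wins, a command with no `cmd` block falls to the profile's `default cmd`, and argument regexes are searched unanchored in the argument string, which is how tac_plus matches `permit` lines. Whether tac_plus F4.0.4.8 can express per-device profiles in one config file is not something the post settles; the model only shows what the policy should evaluate to.

```python
"""Model of device-scoped TACACS+ shell authorization.

Added example (not part of the original post, and not tac_plus or Cisco
Secure code). Group and device names come from the post; the matching
rules (first matching NAS pattern selects the profile, unanchored regex
search on command arguments) are this model's own assumptions.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ShellProfile:
    # regexes compared against the NAS (router) address or hostname
    nas_patterns: list
    priv_lvl: int
    default_cmd: str                                # "permit" or "deny"
    cmd_rules: dict = field(default_factory=dict)   # cmd -> [argument regexes]

    def matches_nas(self, nas: str) -> bool:
        return any(re.search(p, nas) for p in self.nas_patterns)


# Command list constructed from the post's 'operadores' group.
OPERATOR_CMDS = {
    "show": ["ver", "ip", "run", "interface", "logging", "arp", "process",
             "access-list", "clock", "route-map"],
    "traceroute": [".*"],
    "logout": [".*"],
    "ping": [".*"],
    "clear": [".*"],
}

# Full rights on the Boston devices, operator rights on the NY routers
# (device patterns taken from the post's Cisco Secure example).
BOSTON_ADMINS = [
    ShellProfile([r"^10\.28\.17\.1$", r"^bostonswitch$", r"^bostonrtr[0-9]+"],
                 priv_lvl=15, default_cmd="permit"),
    ShellProfile([r"^NYrouter[0-9]+"], priv_lvl=1, default_cmd="deny",
                 cmd_rules=OPERATOR_CMDS),
]


def select_profile(profiles, nas):
    """First profile whose NAS pattern matches wins; None if none applies."""
    for profile in profiles:
        if profile.matches_nas(nas):
            return profile
    return None


def authorize_command(profiles, nas, command):
    """Return (permitted, priv_lvl, reason) for one command on one device."""
    profile = select_profile(profiles, nas)
    if profile is None:
        # No profile covers this device: fail closed rather than fall open.
        return False, 0, "no profile for NAS %s" % nas
    cmd, _, args = command.strip().partition(" ")
    rules = profile.cmd_rules.get(cmd)
    if rules is None:
        # No cmd block for this command: the profile's default decides.
        permitted = profile.default_cmd == "permit"
        return permitted, profile.priv_lvl, "default cmd=%s" % profile.default_cmd
    for pattern in rules:
        # tac_plus-style: the regex is searched, not anchored, in the argument
        # string, so 'permit ip' also admits 'show ip route'.
        if re.search(pattern, args):
            return True, profile.priv_lvl, "cmd %s permit %s" % (cmd, pattern)
    return False, profile.priv_lvl, "cmd %s: no permit line matched" % cmd


if __name__ == "__main__":
    for nas, cmd in [("bostonrtr3", "configure terminal"),
                     ("NYrouter1", "configure terminal"),
                     ("NYrouter1", "show ip route"),
                     ("chicagortr1", "show version")]:
        print(nas, cmd, "->", authorize_command(BOSTON_ADMINS, nas, cmd))
```

The unanchored search is the part worth checking against a real tac_plus before relying on the operator list: `permit ip` under `cmd = show` admits every `show` whose arguments contain the substring `ip` anywhere, and `permit ver` likewise matches more than `show version`. Anchoring the patterns (for example `^ip route`) narrows them to what was intended. A device that matches no profile is refused here on purpose; a server that answered such a request with the first group's rights would silently grant full access on any newly added router.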


More information about the cisco-nsp mailing list