[c-nsp] TACACS+ question
Dario
dario.donsion at soporte.rediris.es
Wed Oct 25 12:32:01 EDT 2006
Hi,
If you need a user to be able to apply only a few commands in enable mode, you need to define it
in TACACS+:
----------------------------------------------------
user = $enab2$ {
    login = cleartext XXXXXX
}
group = Users {
    cmd = clear {
        permit "counters"
        deny ".*"
    }
    cmd = show {
        permit "version"
        permit "diag"
        permit "hardware"
        deny ".*"
    }
    cmd = enable {
        permit ".*"
    }
}
user = USER {
    login = des XXXXXX
    name = "User"
    member = Users
}
----------------------------------------------------
And configure the Cisco router:
aaa authentication login TELNET group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization commands 2 default group tacacs+ none
...
privilege exec level 2 show
privilege exec level 2 clear counters
privilege exec level 2 clear
...
Regards,
Dario D.
NOC RedIRIS
On Wednesday, 25 October 2006 17:42, Pete Templin wrote:
> I'm trying to streamline my TACACS configurations and start properly
> restricting users to a subset of commands. Is it possible to have users
> either have a designated privilege level upon login, or have them use
> their own password to "enable" themselves?
>
> If anyone has a tacplus config file with a few examples of command
> authorization groups they'd be willing to share (sanitized as desired,
> of course), I'd really appreciate it.
>
> Thanks!
>
> Pete Templin
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
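To make the command-authorization semantics of the tac_plus config in Dario's reply concrete, here is a small Python model of how the `cmd` blocks of the `Users` group are evaluated. It is an added example, not tac_plus code and not part of the original thread. It assumes (this is a simplification of tac_plus, not a verified reimplementation) that the first word of the submitted command is the command name, that the remaining text is matched as a single argument string by an unanchored regular-expression search, that the first matching `permit`/`deny` line wins, and that a command with no `cmd` block, or whose block matches nothing, is denied.

```python
import re

# Constructed model of the "Users" group from the reply above
# (example data, not tac_plus configuration syntax).
# Each command name maps to an ordered list of (action, regex) rules.
GROUP_USERS = {
    "clear": [("permit", "counters"), ("deny", ".*")],
    "show": [("permit", "version"), ("permit", "diag"),
             ("permit", "hardware"), ("deny", ".*")],
    "enable": [("permit", ".*")],
}

# Constructed mis-ordered variant: the catch-all deny is listed first.
BAD_ORDER = {
    "show": [("deny", ".*"), ("permit", "version")],
}


def authorize(rules, command_line, default="deny"):
    """Return 'permit' or 'deny' for one command line such as 'show version'.

    Assumptions (simplified model of tac_plus, not its actual code):
    - the first whitespace-delimited token is the command name, the rest
      is the argument string (empty string when there are no arguments);
    - each rule's regex is searched unanchored against the argument string;
    - the first rule that matches decides;
    - a command with no cmd block gets `default`; a block with no matching
      rule denies.
    """
    parts = command_line.strip().split(None, 1)
    if not parts:
        return "deny"
    cmd = parts[0]
    args = parts[1] if len(parts) > 1 else ""
    cmd_rules = rules.get(cmd)
    if cmd_rules is None:
        return default
    for action, pattern in cmd_rules:
        if re.search(pattern, args):
            return action
    return "deny"


def evaluate(rules, command_lines):
    """Evaluate a list of candidate commands and return {command: decision}.

    Useful for reviewing a policy before deploying it: feed it the commands
    the group is supposed to run and the ones it must not run."""
    return {line: authorize(rules, line) for line in command_lines}


if __name__ == "__main__":
    # Constructed set of candidate commands for a policy review.
    candidates = [
        "show version", "show diag", "show hardware", "show running-config",
        "clear counters", "clear line 1", "enable", "configure terminal",
    ]
    for line, decision in evaluate(GROUP_USERS, candidates).items():
        print(f"{decision:6s}  {line}")
    print("mis-ordered policy, 'show version':",
          authorize(BAD_ORDER, "show version"))
```

The mis-ordered variant illustrates why the `deny ".*"` line sits last in each block in the reply: with first-match semantics a leading catch-all deny makes every later `permit` unreachable, so `show version` is refused even though it is explicitly listed. Running the reviewed policy against both the intended and the forbidden commands before rollout catches that kind of ordering mistake.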