[c-nsp] TACACS+ question

Dario dario.donsion at soporte.rediris.es
Wed Oct 25 12:32:01 EDT 2006


Hi,

If you need a user who can run only a few commands in enable mode, you need to define it
in TACACS+:

----------------------------------------------------
# Password the router asks for when someone types "enable 2":
# IOS sends the special user name $enabN$ for privilege level N.
user = $enab2$ {
        login = cleartext XXXXXX
}

# Command authorization. Inside each cmd block the first permit/deny
# whose regex matches the command arguments wins; arguments that match
# nothing are denied, as is any command without a cmd block here.
group = Users {
        cmd = clear {
                permit "counters"
                deny ".*"
        }
        cmd = show {
                permit "version"
                permit "diag"
                permit "hardware"
                deny ".*"
        }
        # The "enable" command itself, with any argument (e.g. "2").
        cmd = enable {
                permit ".*"
        }
}

user = USER {
        # crypt(3) hash of the password, not the cleartext.
        login = des XXXXXX
        name = "User"
        member = Users
}
----------------------------------------------------
And configure the Cisco router:

! Named login list for the vty lines (applied under "line vty" with
! "login authentication TELNET"): TACACS+ first, local accounts as fallback.
aaa authentication login TELNET group tacacs+ local
! Enable passwords are checked against TACACS+ ($enabN$), then the local enable secret.
aaa authentication enable default group tacacs+ enable
! "none" as the last method means the action is permitted without any
! check when no TACACS+ server answers (fail-open).
aaa authorization exec default group tacacs+ none
! Only level-2 commands are sent to TACACS+ for authorization.
aaa authorization commands 2 default group tacacs+ none
...
! Put "show" and "clear counters" at privilege level 2 so a level-2 user
! can reach them; TACACS+ then decides which arguments are allowed.
privilege exec level 2 show
privilege exec level 2 clear counters
privilege exec level 2 clear
...

Regards,

	Dario D.
	NOC RedIRIS

On Wednesday, 25 October 2006 17:42, Pete Templin wrote:
> I'm trying to streamline my TACACS configurations and start properly 
> restricting users to a subset of commands.  Is it possible to have users 
> either have a designated privilege level upon login, or have them use 
> their own password to "enable" themselves?
> 
> If anyone has a tacplus config file with a few examples of command 
> authorization groups they'd be willing to share (sanitized as desired, 
> of course), I'd really appreciate it.
> 
> Thanks!
> 
> Pete Templin
> 
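The command authorization block in the reply is only as strict as its regexes. The following is an added example, not code from the original post and not tac_plus itself: a small Python emulation of how tac_plus walks a "cmd = ..." block, run over the "Users" group from the post so you can see what it permits before deploying it. It assumes (and these are assumptions about tac_plus and IOS, labelled as such in the comments) that permit/deny lines are evaluated top to bottom with the first regex match winning, that unmatched arguments and commands without a cmd block are denied, that the match is an unanchored regex search over the space-joined arguments, and that IOS sends every word of the typed line, pipe modifiers included, as cmd-args terminated by "<cr>". The command lines fed in are constructed.

```python
import re

# Added example (not from the original post): emulate tac_plus command
# authorization for the "Users" group so the rules can be checked offline.
#
# Assumptions (this is an emulation, not tac_plus): permit/deny lines are
# evaluated top to bottom, the first regex matching the joined argument
# string wins, an unmatched argument string and a command with no cmd
# block are denied, and the regex is an unanchored search (tac_plus runs
# regexec on the joined arguments). IOS is assumed to send each word of
# the typed line as a separate cmd-arg, with "<cr>" as the last one.

# The group from the post, transcribed as (action, pattern) lists.
USERS_GROUP = {
    "clear": [("permit", "counters"), ("deny", ".*")],
    "show": [("permit", "version"), ("permit", "diag"),
             ("permit", "hardware"), ("deny", ".*")],
    "enable": [("permit", ".*")],
}

# The same group with each permit anchored to the start of the arguments.
# "$" is deliberately not used because "<cr>" is always the last argument.
USERS_GROUP_ANCHORED = {
    "clear": [("permit", "^counters"), ("deny", ".*")],
    "show": [("permit", "^version"), ("permit", "^diag"),
             ("permit", "^hardware"), ("deny", ".*")],
    "enable": [("permit", ".*")],
}


def authorize(group, cmd, cmd_args):
    """Return "permit" or "deny" for one command authorization request."""
    rules = group.get(cmd)
    if rules is None:
        return "deny"                      # no cmd block for this command
    joined = " ".join(cmd_args)            # tac_plus matches one string
    for action, pattern in rules:
        if re.search(pattern, joined):     # unanchored; first match wins
            return action
    return "deny"                          # fell off the end of the block


def authorize_line(group, line):
    """Split a typed IOS line the way it reaches the server and authorize it."""
    words = line.split()
    if not words:
        return "deny"
    return authorize(group, words[0], words[1:] + ["<cr>"])


if __name__ == "__main__":
    # Constructed sample command lines, including a pipe modifier that
    # sneaks the word "version" into an otherwise denied command.
    for line in ["show version",
                 "show running-config",
                 "show running-config | include version",
                 "clear counters GigabitEthernet0/0",
                 "clear line 5",
                 "enable 2",
                 "reload"]:
        print(f"{line!r:42} as posted={authorize_line(USERS_GROUP, line):6} "
              f"anchored={authorize_line(USERS_GROUP_ANCHORED, line)}")
```

Run as-is, the output shows that `permit "version"` as written also permits `show running-config | include version`, because the search is unanchored and "version" appears later in the argument string; anchoring the pattern with "^" closes that hole while leaving `show version` and `clear counters ...` permitted.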