[c-nsp] Cisco & Tacacs+

DAVID Sébastien sdavid at ecritel.net
Tue Dec 11 02:55:56 EST 2007


 

Hi,

I'm trying to set up my network with a TACACS server based on Debian for authentication.

Everything works correctly, but I am having difficulty limiting the commands in configure mode.

I looked for documentation but did not find an example.

Here is my tac_plus.conf:

# Define User enable

user = $enable$ {
        login = cleartext "cisco"
        }

# Define User Group

group = network {
        # Team Network
        default service = permit
        login = cleartext "cisco"
        }

group = support {
        # Support Team
        default service = deny
        login = cleartext "cisco"
#       expires = "Dec 6 2007"
        }

group = install {
        # Install team
        default service = deny
        login = cleartext "cisco"

        cmd = show {
                permit ip
                permit run
                permit interfaces
                }

        cmd = configure {
                permit terminal
                }

        cmd = write {
                permit memory
                }
        }

# Define Users

user = seb {
        name = " Compte Seb "
        member = network
        }

user = support1 {
        name = " Compte support 1 "
        member = support
        cmd = show {
                permit version
                permit interfaces
                deny .*
                }
        cmd = telnet {
                permit 192\.168\.0\.[0-9]
                deny .*
                }
        }

user = install1 {
        name = " Compte install 1"
        member = install
        }

Thank you for your help.

Best regards,

Sébastien DAVID
Network Department

Ecritel
Clichy site: 7-9, rue Petit
92582 Clichy Cedex
Tel: 01.73.02.50.76
Fax: 01.47.56.04.48
Email: kourif at ecritel.net
Website: www.ecritel.fr
