[c-nsp] TACACS+ F4.0.4.8 and cmd statement
Marcus Stoegbauer
marcus at grmpf.org
Fri Jun 22 08:53:19 EDT 2007
Yevgeniy Voloshin wrote:
>
> I have a problem configuring cmd statements on TACACS+ F4.0.4.8 (http://www.freshports.org/net/tac_plus4/):
> /usr/local/bin/tac_plus -v
> tac_plus version F4.0.4.8
>
> I read the users_guide and configured tac_plus.conf as in the example.
> And I want this:
> cmd = ping { permit .* }
> cmd = telnet { permit .* }
> cmd = dir { permit .* }
> cmd = ANY { deny .* }
>
> I use service = shell or service = exec, but nothing happens the way I want.
> Can someone provide me a real example with a working cmd statement?

Here is a setup we have in production use. Make sure to alter priv-lvl if you
don't need 15 (for dir, you need it).

user = looky {
    member = guest_ops
}

group = guest_ops {
    login = file /etc/mysekritpasswords
    member = limited_access
}

group = limited_access {
    default service = deny
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit "bgp ipv4 .*"
        permit "bgp ipv6 .*"
        permit "clock"
        permit "env.*"
        permit "int.*"
        permit "inventory.*"
        permit "ip .*"
        permit "ipv6 .*"
        permit "running-config.*"
        permit "ver.*"
    }
    cmd = ping {
        permit .*
    }
    cmd = traceroute {
        permit .*
    }
}

Marcus
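
The following is an added example, not part of the original post and not tac_plus code: a small Python model of how the limited_access group above would authorize a command line, useful for checking a policy before deploying it. It assumes the command name is matched exactly, arguments are joined with single spaces and tested against each line in order with an unanchored regex search, the first matching line wins, a cmd block with no matching line denies, and unlisted commands follow "default service"; the names POLICY, authorize and unanchored_permits are hypothetical.

```python
import re

# Policy transcribed from the limited_access group in the post above.
POLICY = {
    "show": [
        ("permit", "bgp ipv4 .*"),
        ("permit", "bgp ipv6 .*"),
        ("permit", "clock"),
        ("permit", "env.*"),
        ("permit", "int.*"),
        ("permit", "inventory.*"),
        ("permit", "ip .*"),
        ("permit", "ipv6 .*"),
        ("permit", "running-config.*"),
        ("permit", "ver.*"),
    ],
    "ping": [("permit", ".*")],
    "traceroute": [("permit", ".*")],
}
DEFAULT = "deny"  # "default service = deny" in the group


def authorize(line, policy=POLICY, default=DEFAULT):
    """Return 'permit' or 'deny' for one CLI line under the stated assumptions."""
    parts = line.split()
    if not parts:
        return default
    cmd, args = parts[0], " ".join(parts[1:])
    rules = policy.get(cmd)
    if rules is None:
        return default  # assumption: unlisted commands fall to the default
    for action, pattern in rules:
        # assumption: unanchored search, first matching line decides
        if re.search(pattern, args):
            return action
    return "deny"  # assumption: no matching line inside a cmd block denies


def unanchored_permits(policy=POLICY):
    """List (cmd, pattern) permit lines that can match anywhere in the arguments."""
    return [(cmd, pat) for cmd, rules in policy.items()
            for action, pat in rules
            if action == "permit" and pat != ".*" and not pat.startswith("^")]
```

Under the unanchored-search assumption, a pattern such as "ver.*" permits any show command whose arguments contain "ver" anywhere; prefixing the pattern with ^ restricts the match to the start of the arguments.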