[c-nsp] Looking for tac-plus.conf with privilege separation
Marcus Stoegbauer
marcus at grmpf.org
Fri Nov 9 08:48:17 EST 2007
Anton Smith wrote:
> Does anybody have any 'template' tac-plus.conf files with privilege
> levels set up?
>
> Hopefully something with different allowed actions for different levels..
For most of the interesting commands you need level 15 anyway, so here's
a group that is only allowed to do certain commands but where users get
priv-lvl 15:
group = limited_access {
    default service = deny
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit "bgp ipv4 .*"
        permit "bgp ipv6 .*"
        permit "clock"
        permit "env.*"
        permit "int.*"
        permit "inventory.*"
        permit "ip .*"
        permit "ipv6 .*"
        permit "running-config.*"
        permit "ver.*"
    }
    cmd = ping {
        permit .*
    }
    cmd = traceroute {
        permit .*
    }
}
On the cisco device you need:
aaa authorization commands 15 default group tacacs+ if-authenticated
Negative side effect of this setup: if your TACACS server is unreachable,
logged-in users have full level 15 privileges.
Marcus
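The rules in Marcus's group are regular expressions that the server matches against the argument string of the command, and a few of them (`int.*`, `ver.*`, `ip .*`) are unanchored. The script below is an added example, not part of the post and not tac_plus code: it transcribes the posted `cmd = show` block into a small model of the matching and runs a constructed list of commands through it, once as posted and once with every regex anchored at the start of the argument string. It assumes that the server tries the rules of a `cmd` block in order and lets the first regex that matches anywhere in the argument string decide, that a command with no matching rule or no `cmd` block at all is denied because of `default service = deny`, and that IOS sends the words after the command as arguments ending in a literal `<cr>` which the server joins with spaces; verify those assumptions against your own server before relying on the result.

```python
import re

# The cmd blocks of the "limited_access" group from the post, transcribed as
# (action, regex) rules in the order they appear in tac-plus.conf.
LIMITED_ACCESS = {
    "show": [
        ("permit", r"bgp ipv4 .*"),
        ("permit", r"bgp ipv6 .*"),
        ("permit", r"clock"),
        ("permit", r"env.*"),
        ("permit", r"int.*"),
        ("permit", r"inventory.*"),
        ("permit", r"ip .*"),
        ("permit", r"ipv6 .*"),
        ("permit", r"running-config.*"),
        ("permit", r"ver.*"),
    ],
    "ping": [("permit", r".*")],
    "traceroute": [("permit", r".*")],
}


def ios_arg_string(command_line):
    """Split a typed line into the command word and the argument string.

    Assumption: IOS sends each word after the command as a separate argument,
    finishing with a literal '<cr>', and the server joins them with spaces.
    """
    words = command_line.split()
    return words[0], " ".join(words[1:] + ["<cr>"])


def authorize(policy, command_line):
    """Return (decision, matched_regex) for one command line.

    Model of the server's behaviour (an assumption, not tac_plus code): the
    rules of the cmd block for the command word are tried in order and the
    first regex that matches anywhere in the argument string decides. No
    matching rule, or no cmd block at all, is a deny because the group
    sets 'default service = deny'.
    """
    if not command_line.strip():
        return ("deny", None)
    cmd, args = ios_arg_string(command_line)
    for action, pattern in policy.get(cmd, []):
        if re.search(pattern, args):
            return (action, pattern)
    return ("deny", None)


def anchored(policy):
    """Copy of the policy with every regex anchored at the start of the
    argument string, so 'int.*' still matches 'interfaces ...' but no longer
    matches 'logging | include interface'."""
    return {cmd: [(a, "^" + p) for a, p in rules]
            for cmd, rules in policy.items()}


def evaluate(policy, command_lines):
    """Map each command line to its decision, for reviewing a policy."""
    return {line: authorize(policy, line)[0] for line in command_lines}


if __name__ == "__main__":
    # Constructed sample of what a limited_access user might type.
    SAMPLE = [
        "show ip route",
        "show interfaces",
        "show running-config",
        "show logging",
        "show logging | include interface",
        "configure terminal",
        "ping 192.0.2.1",
    ]
    for name, pol in (("as posted", LIMITED_ACCESS),
                      ("anchored", anchored(LIMITED_ACCESS))):
        print("---", name)
        for line, decision in evaluate(pol, SAMPLE).items():
            print("%-6s %s" % (decision, line))
```

The instructive case is `show logging`: on its own it matches nothing and is denied, but `show logging | include interface` is permitted under the posted rules because the output modifier text contains "interface" and `int.*` is searched unanchored. Anchoring the regexes with `^` keeps every command the post intends to allow and closes that gap; whether your server also needs a trailing `$` depends on how it treats the `<cr>` argument, so test it against the real thing.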