[c-nsp] tacacs+ (off topic???) solved (for my purposes)
i.anfrage
i.anfrage at gmx.de
Mon Sep 17 06:11:32 EDT 2007
hi @all,
first of all:
thanks to everybody for any given advice!
this is the solution that fetches my purpose:
######
on nas:
######
aaa new-model
aaa authentication login tac_list group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 5 en5 group tacacs+
line vty 0 *
 authorization commands 5 en5
 login authentication tac_list
##########
on tac_plus
##########
user = test {
    login = cleartext test
    service = shell { priv_level = 5 }
    cmd = enable { deny .* }
    cmd = show {
        permit ver
        deny .*
    }
    cmd = traceroute { permit .* }
    cmd = logout { permit .* }
}
br
tom
> hi @all,
>
> i need to restrict a user to a few show commands. i also want to block the
> user from changing in enable mode. is it possible to do this with tacacs+ ?
> if so, how? i've already found a few sites, but it doesn't work in the way i
> thought it would :-S (maybe that i'm doing it wrong (-;)
>
> any suggestions?
>
> tia
>
> br
>
> tom
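Added example, not part of the original post and not tac_plus code: a small Python model of how the cmd rules posted above are evaluated, assuming the behaviour tac_plus documents (rules tried in order, unanchored regex match against the argument string, deny when no rule matches or no cmd stanza exists). The sample commands and the ANCHORED variant are constructed here; the run shows that `permit ver` also admits any show command whose arguments contain "ver".

```python
import re

# Rules for user "test", transcribed from the tac_plus stanza in the post.
# Each cmd maps to an ordered list of (action, regex) pairs.
POSTED = {
    "enable":     [("deny", r".*")],
    "show":       [("permit", r"ver"), ("deny", r".*")],
    "traceroute": [("permit", r".*")],
    "logout":     [("permit", r".*")],
}

# Hypothetical tightened variant (not from the post): anchor the show rule.
ANCHORED = dict(POSTED, show=[("permit", r"^version"), ("deny", r".*")])

def authorize(command_line, policy):
    """Return 'permit' or 'deny' for one command line with full keywords."""
    parts = command_line.split()
    if not parts:
        return "deny"
    cmd, args = parts[0], " ".join(parts[1:])
    # A command with no cmd stanza is denied (no "default cmd = permit" here).
    for action, pattern in policy.get(cmd, []):
        if re.search(pattern, args):   # unanchored match; first hit decides
            return action
    return "deny"                      # stanza present but no rule matched

# Constructed sample commands, written with full keywords.
SAMPLES = [
    "show version",
    "show running-config",
    "show ip nat translations verbose",
    "enable",
    "traceroute 192.0.2.1",
    "configure terminal",
    "logout",
]

def evaluate(policy, samples=SAMPLES):
    """Map each sample command to the decision the policy yields."""
    return {line: authorize(line, policy) for line in samples}

if __name__ == "__main__":
    posted, anchored = evaluate(POSTED), evaluate(ANCHORED)
    for line in SAMPLES:
        print(f"{line:36} posted={posted[line]:6} anchored={anchored[line]}")
```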