[c-nsp] tacacs+ (off topic???) solved (for my purposes)

i.anfrage i.anfrage at gmx.de
Mon Sep 17 06:11:32 EDT 2007


hi @all,

first of all:

thanks to everybody for any given advice!

this is the solution that fetches my purpose:

######
on nas:
######

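aaa new-model

! login: ask TACACS+ first, use the local user database if the server does not respond
aaa authentication login tac_list group tacacs+ local
! enable: ask TACACS+ first, use the local enable password if the server does not respond
aaa authentication enable default group tacacs+ enable
! authorize every privilege-level-5 command against TACACS+ (method list en5)
aaa authorization commands 5 en5 group tacacs+

line vty 0 *
 authorization commands 5 en5
 login authentication tac_list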


##########
on tac_plus
##########

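    user = test {
        # password is kept in cleartext in the config file
        login = cleartext test

        service = shell { priv_level = 5 }
        # per-command rules, evaluated in the order written
        cmd = enable { deny .* }
        cmd = show { permit ver deny .* }
        cmd = traceroute { permit .* }
        cmd = logout { permit .* }
    }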


br

tom

> hi @all,
>
> i need to restrict a user to a few show commands. i also want to block the
> user from changing in enable mode. is it possible to do this with tacacs+ ?
> if so, how? i've already found a few sites, but it doesn't work in the way i
> thought it would  :-S (maybe that i'm doing it wrong (-;)
>
> any suggestions?
>
> tia
>
> br
>
> tom
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
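
Added example, not part of the original post and not tac_plus code: a small Python model of the per-command rules in the user block above, for checking which commands the profile lets through before deploying it. The matching model (first matching rule wins, unanchored regex search on the arguments, deny when nothing matches), the `ANCHORED` variant and the sample lines are assumptions made for illustration.

```python
import re

# Rules transcribed from the tac_plus user block in the post:
# command name -> ordered list of (action, regex on the arguments).
RULES = {
    "enable":     [("deny", r".*")],
    "show":       [("permit", r"ver"), ("deny", r".*")],
    "traceroute": [("permit", r".*")],
    "logout":     [("permit", r".*")],
}

# Same rules with the show pattern anchored to the start of the arguments.
ANCHORED = dict(RULES, show=[("permit", r"^ver"), ("deny", r".*")])


def authorize(line, rules=RULES):
    """Return 'permit' or 'deny' for one fully expanded CLI line.

    Assumed model, not tac_plus source code: the first word selects the
    cmd block, the remaining words are searched (unanchored) against each
    regex in order, the first match decides, and a command with no block
    or no matching regex is denied.
    """
    words = line.split()
    if not words:
        return "deny"
    cmd, args = words[0].lower(), " ".join(words[1:])
    for action, pattern in rules.get(cmd, []):
        if re.search(pattern, args):
            return action
    return "deny"


# Constructed test lines, not captured from a device. "show drivers" is
# there only because its argument contains the substring "ver".
SAMPLES = ["show version", "show running-config", "show drivers", "enable",
           "traceroute 192.0.2.1", "configure terminal", "logout"]


def audit(rules=RULES, samples=SAMPLES):
    """Map every sample line to its verdict under the given rule set."""
    return {line: authorize(line, rules) for line in samples}


if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line:24} as posted: {authorize(line):7} anchored: {authorize(line, ANCHORED)}")
```

Under the unanchored-search assumption the posted `permit ver` pattern also accepts any `show` argument string that merely contains "ver"; the anchored variant limits it to arguments that start with it.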

