[c-nsp] tacacs+ restrictions
Erik Witkop
ewitkop at gmail.com
Sat Dec 12 10:52:08 EST 2009
I think your problem is that 'configure' is not a priv 1 level command.
Debug tacacs will show you what is happening. Change the user to priv 15
and see what you get.
On Dec 12, 2009 9:24 AM, "Arne Larsen / Region Nordjylland" <arla at rn.dk>
wrote:
Hi all.
I know it's a bit off topic, but anyway.
I'm trying to get tacacs+ to restrict access and commands for users.
I can't seem to get it right. Whatever I do, I either get no configuration
commands rejected or all get rejected.
I would like to make a user that can only change the vlan tag under interface
configuration. This is what I tried to configure:
user = at {
    default service = deny
    login = cleartext "gt"
    enable = cleartext "go"
    name = "testing"
    service = exec {
        priv-lvl = 1
        idletime = 10
    }
    cmd = show {
        permit .*
    }
    cmd = configure {
        permit terminal.interface
        permit interface.vlan*
        deny .*
    }
}
Has any of you tried to do something similar? Any input would be
appreciated very much.
Or does someone know where I can seek help?
/Arne
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
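
Added example (not part of either message above, and not tac_plus code): a small Python model of per-command authorization, run over the cmd rules quoted in the thread. It assumes rules are tried in order with the first matching regex deciding, and that each command line, including lines typed in configuration mode, arrives as its own request; the session lines are constructed.

```python
import re

# Constructed policy mirroring the cmd rules quoted in the message above.
# Model (assumption): rules for a command are tried in order, the first regex
# that matches the argument string decides, anything left unmatched is denied.
POLICY = {
    "show": [("permit", r".*")],
    "configure": [
        ("permit", r"terminal.interface"),
        ("permit", r"interface.vlan*"),
        ("deny", r".*"),
    ],
}


def authorize(policy, cmd, args, default="deny"):
    """Return (decision, matched_pattern) for one authorization request."""
    rules = policy.get(cmd)
    if rules is None:
        # No cmd block for this command word: fall back to the user's default
        # (deny in the posted config).
        return default, None
    for action, pattern in rules:
        if re.search(pattern, args):
            return action, pattern
    return "deny", None


# Constructed requests (assumption): command word plus remaining arguments,
# one request per line typed, also inside configuration mode.
SESSION = [
    ("show", "running-config"),
    ("configure", "terminal"),
    ("interface", "GigabitEthernet0/1"),
    ("switchport", "access vlan 10"),
]


def evaluate(policy, session):
    """Authorize every request in the session and keep the deciding rule."""
    return [(cmd, args, *authorize(policy, cmd, args)) for cmd, args in session]


if __name__ == "__main__":
    for cmd, args, decision, rule in evaluate(POLICY, SESSION):
        print(f"{cmd:<10} {args:<20} {decision:<6} rule={rule}")
```

Under this model the argument string "terminal" reaches only the final deny rule, and "interface" and "switchport" are looked up as command words of their own, which the policy does not list.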