[c-nsp] tacacs+ restrictions
Peter Rathlev
peter at rathlev.dk
Sat Dec 12 10:59:16 EST 2009
On Sat, 2009-12-12 at 15:15 +0100, Arne Larsen wrote:
> Hi all.
>
> I know it's a bit off topic, but anyway.
> I'm trying to get tacacs+ to restrict access and commands for users.
> I can't seem to get it right. Whatever I do, I either get no
> configuration commands rejected or all get rejected.
> I would like to make a user that only can change vlan tag under
> interfaces configuration. This is what I tried to configure..
>
[...]
>
> Has any one of you tried to do something similar? Any input would be
> appreciated very much.
> Or does someone know where I can seek help?
We have an "operator" group with limited access to some datacenter
switches, configured like this:
acl = access-sw-only {
    permit = ^10\.77\.24[456]\.
}

group = operator {
    default service = deny
    login = PAM
    service = exec {
        priv-lvl = 15
    }

    #### Exec level commands ####
    cmd = show {
        permit "."
    }
    cmd = exit {
        permit "<cr>$"
    }
    cmd = quit {
        permit "<cr>$"
    }
    cmd = write {
        permit "terminal <cr>$"
        permit "memory <cr>$"
    }

    #### Configure commands ####
    cmd = configure {
        permit "^terminal <cr>$"
    }
    #--- Allow the exec level commands from configure mode ---#
    cmd = do {
        permit "^show .*"
    }
    #--- Allow entering interfaces ---#
    cmd = interface {
        #--- Disallow configuring uplinks ---#
        deny "^GigabitEthernet [12]/0/2[34] <cr>$"
        #--- Allow configuring physical interfaces ---#
        permit "^(Gigabit|Fast)Ethernet.*"
    }
    #--- Allow a range of specific interface conf commands ---#
    cmd = switchport {
        permit "^access vlan [128][0-9][0-9] <cr>$"
        permit "^mode access <cr>$"
    }
    cmd = description {
        permit "."
    }
    cmd = shutdown {
        permit "^$"
        permit "^<cr>$"
    }
    cmd = spanning-tree {
        permit "^portfast <cr>$"
        permit "^bpduguard enable <cr>$"
    }
    cmd = mls {
        permit "^qos cos 3 <cr>$"
        permit "^qos cos override <cr>$"
    }
    #--- Allow creation and naming of VLANs 100-299 + 800-899 ---#
    cmd = vlan {
        permit "^[128][0-9][0-9] <cr>$"
    }
    cmd = name {
        permit "."
    }
    #--- Allow unshutting interfaces, and clearing descriptions ---#
    cmd = no {
        permit "^shutdown <cr>$"
        permit "^description .*"
    }

    acl = access-sw-only
}
You can enable debugging for the tac_plus daemon to see exactly what the
device asks to have accepted/rejected.
--
Peter
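A small offline checker, added here and not part of the original thread, that applies a subset of the permit/deny blocks above the way tac_plus evaluates them (first matching regex in a cmd block decides, no match or no block means deny under "default service = deny"), so a rule set can be tested against sample command lines before it is deployed. It assumes the IOS client sends the arguments as typed, space-separated, with a trailing "<cr>", and uses Python's re in place of the POSIX regex library tac_plus links against.

```python
import re

# Constructed subset of the "operator" group's cmd blocks from the post,
# as (action, regex) pairs in the order they appear in the config.
RULES = {
    "show":       [("permit", r".")],
    "configure":  [("permit", r"^terminal <cr>$")],
    "do":         [("permit", r"^show .*")],
    "interface":  [("deny",   r"^GigabitEthernet [12]/0/2[34] <cr>$"),
                   ("permit", r"^(Gigabit|Fast)Ethernet.*")],
    "switchport": [("permit", r"^access vlan [128][0-9][0-9] <cr>$"),
                   ("permit", r"^mode access <cr>$")],
    "shutdown":   [("permit", r"^$"), ("permit", r"^<cr>$")],
    "vlan":       [("permit", r"^[128][0-9][0-9] <cr>$")],
    "no":         [("permit", r"^shutdown <cr>$"),
                   ("permit", r"^description .*")],
}


def authorize(command_line, rules=RULES):
    """Return 'permit' or 'deny' for one command line.

    Assumption: the first word selects the cmd block; the remaining words
    are joined with spaces and '<cr>' is appended, matching what the IOS
    client sends as cmd-arg values. Regexes are tried in config order and
    the first match (re.search, i.e. unanchored unless the pattern anchors
    itself) decides. No match, or no cmd block at all, is a deny.
    """
    words = command_line.split()
    if not words:
        return "deny"
    cmd, args = words[0], " ".join(words[1:] + ["<cr>"])
    for action, pattern in rules.get(cmd, []):
        if re.search(pattern, args):
            return action
    return "deny"


def audit(command_lines, rules=RULES):
    """Evaluate a list of sample command lines; returns [(line, verdict)]."""
    return [(line, authorize(line, rules)) for line in command_lines]


if __name__ == "__main__":
    for line, verdict in audit(["interface GigabitEthernet 1/0/23",
                                "interface GigabitEthernet 1/0/5",
                                "switchport access vlan 300",
                                "clear counters"]):
        print(f"{verdict:6} {line}")
```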