[c-nsp] tacacs+ restrictions
Livio Zanol Puppim
livio.zanol.puppim at gmail.com
Mon Dec 14 10:05:58 EST 2009
Have you added "aaa authorization config-commands" to the configuration at
the router?
2009/12/12 Peter Rathlev <peter at rathlev.dk>
> On Sat, 2009-12-12 at 15:15 +0100, Arne Larsen wrote:
> > Hi all.
> >
> > I know it's a bit off topic, but anyway.
> > I'm trying to get tacacs+ to restrict access and commands for users.
> > I can't seem to get it right. Whatever I do, I either get no
> > configuration commands rejected or all get rejected.
> > I would like to make a user that only can change the vlan tag under
> > interface configuration. This is what I tried to configure..
> >
> [...]
> >
> > Has any of you tried to do something similar? Any input would be
> > appreciated very much.
> > Or does someone know where I can seek help?
>
> We have an "operator" group with limited access to some datacenter
> switches, configured like this:
>
> acl = access-sw-only {
>     permit = ^10\.77\.24[456]\.
> }
>
> group = operator {
>     default service = deny
>     login = PAM
>     service = exec {
>         priv-lvl = 15
>     }
>     #### Exec level commands ####
>     cmd = show {
>         permit "."
>     }
>     cmd = exit {
>         permit "<cr>$"
>     }
>     cmd = quit {
>         permit "<cr>$"
>     }
>     cmd = write {
>         permit "terminal <cr>$"
>         permit "memory <cr>$"
>     }
>     #### Configure commands ####
>     cmd = configure {
>         permit "^terminal <cr>$"
>     }
>     #--- Allow the exec level commands from configure mode ---#
>     cmd = do {
>         permit "^show .*"
>     }
>     #--- Allow entering interfaces ---#
>     cmd = interface {
>         #--- Disallow configuring uplinks ---#
>         deny "^GigabitEthernet [12]/0/2[34] <cr>$"
>         #--- Allow configuring physical interfaces ---#
>         permit "^(Gigabit|Fast)Ethernet.*"
>     }
>     #--- Allow a range of specific interface conf commands ---#
>     cmd = switchport {
>         permit "^access vlan [128][0-9][0-9] <cr>$"
>         permit "^mode access <cr>$"
>     }
>     cmd = description {
>         permit "."
>     }
>     cmd = shutdown {
>         permit "^$"
>         permit "^<cr>$"
>     }
>     cmd = spanning-tree {
>         permit "^portfast <cr>$"
>         permit "^bpduguard enable <cr>$"
>     }
>     cmd = mls {
>         permit "^qos cos 3 <cr>$"
>         permit "^qos cos override <cr>$"
>     }
>     #--- Allow creation and naming of VLANs 100-299 + 800-899 ---#
>     cmd = vlan {
>         permit "^[128][0-9][0-9] <cr>$"
>     }
>     cmd = name {
>         permit "."
>     }
>     #--- Allow unshutting interfaces, and clearing descriptions ---#
>     cmd = no {
>         permit "^shutdown <cr>$"
>         permit "^description .*"
>     }
>     acl = access-sw-only
> }
>
> You can enable debugging for the tac_plus daemon to see exactly what the
> device asks to have accepted/rejected.
>
> --
> Peter
--
[]'s
Lívio Zanol Puppim
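As an added example (not code from either poster), the following Python model evaluates the quoted tac_plus "operator" policy the way the daemon does: cmd-arg values joined with spaces, the trailing "<cr>" token included, each cmd block's regexes tried in order with an unanchored search, first match deciding, and unlisted commands falling to the group's default service. It is a way to check a policy offline before loading it, which is where an "all rejected or nothing rejected" symptom is usually easiest to pin down; it assumes the request has already reached the daemon, i.e. the router has `aaa authorization config-commands` set so that configuration-mode commands are sent for authorization at all.

```python
import re

# Command-authorization rules transcribed from the quoted tac_plus "operator"
# group: command name -> ordered (verdict, regex) pairs. tac_plus joins the
# cmd-arg values with spaces, tries the regexes in order with an unanchored
# search, and lets the first match decide, so the ^ anchors matter.
OPERATOR_RULES = {
    "show": [("permit", r".")],
    "exit": [("permit", r"<cr>$")],
    "quit": [("permit", r"<cr>$")],
    "write": [("permit", r"terminal <cr>$"), ("permit", r"memory <cr>$")],
    "configure": [("permit", r"^terminal <cr>$")],
    "do": [("permit", r"^show .*")],
    "interface": [("deny", r"^GigabitEthernet [12]/0/2[34] <cr>$"),  # uplinks
                  ("permit", r"^(Gigabit|Fast)Ethernet.*")],
    "switchport": [("permit", r"^access vlan [128][0-9][0-9] <cr>$"),
                   ("permit", r"^mode access <cr>$")],
    "description": [("permit", r".")],
    "shutdown": [("permit", r"^$"), ("permit", r"^<cr>$")],
    "spanning-tree": [("permit", r"^portfast <cr>$"),
                      ("permit", r"^bpduguard enable <cr>$")],
    "mls": [("permit", r"^qos cos 3 <cr>$"), ("permit", r"^qos cos override <cr>$")],
    "vlan": [("permit", r"^[128][0-9][0-9] <cr>$")],
    "name": [("permit", r".")],
    "no": [("permit", r"^shutdown <cr>$"), ("permit", r"^description .*")],
}
DEFAULT_SERVICE = "deny"  # "default service = deny" in the quoted group

def authorize(cmd, cmd_args, rules=OPERATOR_RULES, default=DEFAULT_SERVICE):
    """Decide one request: cmd is the first word of the IOS command line,
    cmd_args the remaining cmd-arg tokens, ending in "<cr>". Returns a verdict."""
    if cmd not in rules:
        return default  # unlisted command: the group's default service applies
    line = " ".join(cmd_args)
    for verdict, pattern in rules[cmd]:
        if re.search(pattern, line):
            return verdict
    return "deny"  # listed command, but no permit/deny pattern matched

if __name__ == "__main__":
    # Constructed requests, tokenised as IOS sends them (interface type and
    # number arrive as separate cmd-arg values, hence the space in 1/0/23).
    for cmd, args in [("configure", ["terminal", "<cr>"]),
                      ("interface", ["GigabitEthernet", "1/0/23", "<cr>"]),
                      ("switchport", ["access", "vlan", "350", "<cr>"]),
                      ("reload", ["<cr>"])]:
        print(f"{authorize(cmd, args):6}  {cmd} {' '.join(args)}")
```

The daemon's own debug output (as Peter suggests) shows the exact cmd and cmd-arg values a device sends, which is what to feed this model when a real request is rejected unexpectedly.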