[c-nsp] tac_plus and cisco ASA
Erik Witkop
ewitkop at gmail.com
Mon Mar 29 20:13:06 EDT 2010
Hi all,
I am looking to do AAA on a Cisco ASA firewall and a tac_plus server.
And my ASA config is fine. My issue is on the tac_plus.conf side. I want
to allow every possible command for a group of users. But of course I don't
want to list out every single command in my tac_plus.conf file. Are we
allowed to wildcard the cmd? The man files did not say. And I couldn't
find any help using the google. How are people wildcarding the cmd,
without listing every possible command?
group = network {
    service = exec {
        priv-lvl = 15
    }
    cmd = write {
        permit terminal
    }
    cmd = configure {
        permit .*
    }
    cmd = show {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}
For reference, my ASA config:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (xxxxxxx) host x.x.x.x
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command TACACS+
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
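One way to do this in Shrubbery tac_plus syntax, shown here as an added example that is neither part of the original post nor a reply from the list: a group-scope "default service = permit" authorizes every command that is not explicitly listed, while explicit cmd blocks still take precedence and can narrow individual commands. The group name and the "write" restriction come from the post; the user entry and its password placeholder are constructed.

```conf
# Added example, not the poster's config. Shrubbery tac_plus syntax.
group = network {
    # Permit any service or command not explicitly listed below, so every
    # exec command on the ASA is authorized without enumerating each one.
    default service = permit

    service = exec {
        priv-lvl = 15
    }

    # Explicit cmd blocks override the group default, so a handful of
    # sensitive commands can still be constrained for this all-access group.
    # Here only "write terminal" is allowed; any other "write ..." is denied.
    cmd = write {
        permit terminal
        deny .*
    }
}

# Constructed user entry; replace the hash placeholder with a real crypt hash.
user = alice {
    member = network
    login = des <CRYPT-HASH-PLACEHOLDER>
}
```

With this layout, command authorization logs on the tac_plus side will show denials only for the explicitly restricted commands, which makes auditing the exceptions straightforward.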