[c-nsp] tac_plus and cisco ASA

Erik Witkop ewitkop at gmail.com
Mon Mar 29 20:13:06 EDT 2010


Hi all,

I am looking to do AAA on a Cisco ASA firewall with a tac_plus server.
My ASA config is fine. My issue is on the tac_plus.conf side. I want
to allow every possible command for a group of users. But of course I don't
want to list out every single command in my tac_plus.conf file. Are we
allowed to wildcard the cmd? The man pages did not say, and I couldn't
find any help using Google. How are people wildcarding the cmd
without listing every possible command?


group = network {
    service = exec {
        priv-lvl = 15
    }
    cmd = write {
        permit terminal
    }
    cmd = configure {
        permit .*
    }
    cmd = show {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}

For reference, my ASA config:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (xxxxxxx) host x.x.x.x
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command TACACS+
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
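The following tac_plus.conf fragment is an added example, not the poster's own configuration. It shows the directive that tac_plus.conf(5) documents for this purpose: `default service = permit` inside a user or group clause permits every service and every command that no explicit `cmd` block matches, so the commands do not have to be enumerated. The shared key, user name and password are placeholders.

```conf
# Added example (not from the original post). Assumes the stock
# Shrubbery tac_plus daemon; key, user and password are placeholders.

key = "changeme"

group = network {
    # Permit any service and any command that is not handled by an
    # explicit cmd block below. Without this line tac_plus denies
    # every command it has no cmd block for.
    default service = permit

    service = exec {
        priv-lvl = 15
    }

    # Explicit cmd blocks are still consulted for the commands they
    # name. The ASA sends the first word as the command and the rest as
    # the arguments, so "write terminal" is permitted here while
    # "write memory" (or any other "write ...") falls through to deny.
    cmd = write {
        permit terminal
        deny .*
    }
}

user = ewitkop {
    member = network
    login = cleartext "placeholder"
}
```

After changing the file, restart or signal the daemon so it re-reads tac_plus.conf, then test with `show running-config` and with `write memory` from an SSH session on the ASA: the first should succeed under the group default, the second should be refused by the `write` block.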
