[c-nsp] tac_plus and cisco ASA

Yuri Bank yuribank at gmail.com
Mon Mar 29 20:58:05 EDT 2010


group = somegroup {
    default service = permit    # no cmd clauses needed: every command is permitted
    login = file /etc/passwd    # or PAM, or other method.
    enable = cleartext "cisco"  # you obviously can leave this out.
}


This will allow all commands.


On Mon, Mar 29, 2010 at 5:13 PM, Erik Witkop <ewitkop at gmail.com> wrote:

> Hi all,
>
> I am looking to do AAA on a Cisco ASA firewall and a tac_plus server, and
> my ASA config is fine. My issue is on the tac_plus.conf side. I want to
> allow every possible command for a group of users. But of course I don't want
> to list out every single command in my tac_plus.conf file. Are we allowed to
> wildcard the cmd? The man files did not say, and I couldn't find any help
> using Google. How are people wildcarding the cmd, without listing every
> possible command?
>
>
> group = network {
>     service = exec {
>         priv-lvl = 15
>     }
>     cmd = write {
>         permit terminal
>     }
>     cmd = configure {
>         permit .*
>     }
>     cmd = show {
>         permit .*
>     }
>     cmd = exit {
>         permit .*
>     }
> }
>
> For reference, my ASA config:
>
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ (xxxxxxx) host x.x.x.x
> aaa authentication ssh console TACACS+ LOCAL
> aaa authentication enable console TACACS+ LOCAL
> aaa authorization command TACACS+ LOCAL
> aaa accounting command TACACS+
> aaa accounting enable console TACACS+
> aaa accounting ssh console TACACS+
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
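As an added example (not from either poster), here is a tac_plus.conf that puts the two approaches side by side: a group that relies on "default service = permit", as in the reply above, and a least-privilege group that lists only the commands it permits and denies everything else. The group names, the user "alice", the shared key and the particular "show" arguments that are denied are illustrative assumptions, not anything from the thread.

```conf
# Added example, not from the original thread. Group names, the user,
# the key and the denied arguments are assumptions for illustration.

key = "replace-with-a-long-shared-secret"   # must match the ASA's aaa-server key

# 1. Everything permitted. There are no cmd clauses, so no command matches
#    anything and the default applies: every command the ASA sends for
#    authorization is allowed, including "show running-config" and "configure".
group = netadmin {
    default service = permit
    login = file /etc/passwd
    service = exec {
        priv-lvl = 15
    }
}

# 2. Least privilege. No "default service = permit", so a command is only
#    allowed if a cmd clause for it matches a permit line. Regexes are
#    matched against the command's arguments and the first match wins;
#    anything not listed is denied.
group = noc-readonly {
    login = file /etc/passwd
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        deny running-config.*   # keeps passwords and pre-shared keys out of view
        deny startup-config.*
        permit .*               # every other "show" argument
    }
    cmd = ping {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = configure {
        deny .*                 # explicit, even though unlisted commands are denied anyway
    }
}

user = alice {
    member = noc-readonly
}
```

The trade-off is the one the thread is about: "default service = permit" is the wildcard the original question asks for, but it grants every command, so it belongs only on a group that is meant to have full administrative rights. Note also that the ASA config quoted above uses "TACACS+ LOCAL" for command authorization, so if the tac_plus server is unreachable the ASA falls back to its local user database; the local accounts should be scoped with that fallback in mind.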

