[c-nsp] tac_plus and cisco ASA
Yuri Bank
yuribank at gmail.com
Mon Mar 29 20:58:05 EDT 2010
group = somegroup {
    default service = permit
    login = file /etc/passwd   # or PAM, or other method.
    enable = cleartext "cisco" # you obviously can leave this out.
}
This will allow all commands.
On Mon, Mar 29, 2010 at 5:13 PM, Erik Witkop <ewitkop at gmail.com> wrote:
> Hi all,
>
> I am looking to do AAA on a Cisco ASA firewall and a tac_plus server. And
> my ASA config is fine. My issue is on the tac_plus.conf side. I want to
> allow every possible command for a group of users. But of course I don't want
> to list out every single command in my tac_plus.conf file. Are we allowed to
> wildcard the cmd? The man files did not say. And I couldn't find any help
> using the google. How are people wildcarding the cmd, without listing every
> possible command?
>
>
> group = network {
>     service = exec {
>         priv-lvl = 15
>     }
>     cmd = write {
>         permit terminal
>     }
>     cmd = configure {
>         permit .*
>     }
>     cmd = show {
>         permit .*
>     }
>     cmd = exit {
>         permit .*
>     }
> }
>
> For reference, my ASA config:
>
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ (xxxxxxx) host x.x.x.x
> aaa authentication ssh console TACACS+ LOCAL
> aaa authentication enable console TACACS+ LOCAL
> aaa authorization command TACACS+ LOCAL
> aaa accounting command TACACS+
> aaa accounting enable console TACACS+
> aaa accounting ssh console TACACS+
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
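For readers landing here from the archive, this is what the two fragments above look like combined into one complete tac_plus.conf: Erik's exec/priv-lvl 15 block kept, his per-command cmd blocks replaced by Yuri's "default service = permit". This is an added example, not either poster's file; the shared key, the user name and the password file path are placeholders.

```conf
# tac_plus.conf - added example combining the two posts above
# Shared secret must match the "aaa-server TACACS+ ... key" on the ASA.
key = "CHANGE-ME-shared-secret"   # placeholder

group = network {
    # No cmd = { ... } blocks needed: any command the ASA asks about
    # that has no explicit cmd block is authorized by this default.
    default service = permit

    # Authenticate against the local password file (or PAM, per Yuri).
    login = file /etc/passwd      # placeholder path

    # Drop the user straight into privilege level 15 on exec start.
    service = exec {
        priv-lvl = 15
    }
}

# Example admin account; membership is what grants the permit-all policy.
user = netadmin {                 # placeholder user name
    member = network
}
```

Because the ASA config in the thread ends every aaa line with LOCAL, a tac_plus outage falls back to local accounts, so the same "allow everything" decision should be mirrored there deliberately rather than by accident.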