Hi All,

I'm trying to create two groups on my tac_plus server. One is the admin. The other one has limited rights. So I want to limit this group to priv-level 1, and it should only be able to issue the show ip and show interface commands. I also configured authorization on the switch. Here is my configuration in tac_plus.conf. My tac_plus just allows the user to do everything without limiting anything.

/etc/tac_plus.conf:

accounting file = /var/log/tacacs/acctfile
key = "keyfortac"

user = $enab15$ {
    login = cleartext "enablepass"
}

group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

group = limited {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit ip
        permit interface
    }
}

user = test {
    member = limited
    login = PAM
}

The switch configuration:

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

I think these configurations are correct, but it just doesn't work. Am I wrong somewhere? I suppose the "cmd" block should deny all the show commands except the ones specified. Please help.

Thanks a lot.

Lou
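As an added example (it is not from the post above and not tac_plus's own code), here is a small Python evaluator that models how tac_plus decides a command-authorization request, so a policy like the "limited" group can be checked offline against sample command lines before touching the switch. The model is an assumption drawn from the tac_plus documentation: the first word of the command line selects a cmd block; if one exists, the remaining words are joined with spaces and each permit/deny regex is searched against that string in order, first match winning; a command with no cmd block falls back to the group's default service. The constructed policies carry an explicit trailing `deny .*` so the verdicts do not depend on what tac_plus does when no regex matches. The regexes are searched unanchored, like POSIX regexec, which is the gotcha the example exposes: `permit ip` also permits `show ipv6 ...` and any `show` line whose pipe filter contains `ip`, while the anchored variant does not. The sample command lines are constructed for the example.

```python
import re

# Constructed policy mirroring the posted "limited" group, plus an explicit
# trailing deny.  Assumption: this dict models tac_plus.conf semantics as
# described in the lead-in; it is not tac_plus's parser or config format.
LIMITED = {
    "default service": "deny",
    "cmd": {
        "show": [
            ("permit", "ip"),          # unanchored: also matches "ipv6", "| include ip"
            ("permit", "interface"),
            ("deny", ".*"),
        ],
    },
}

# Same intent, with each regex anchored to the first argument word.
LIMITED_ANCHORED = {
    "default service": "deny",
    "cmd": {
        "show": [
            ("permit", r"^ip( |$)"),
            ("permit", r"^interface( |$)"),
            ("deny", ".*"),
        ],
    },
}

# The posted "admin" group: no cmd blocks, so every command falls through
# to default service = permit.
ADMIN = {"default service": "permit", "cmd": {}}


def authorize(policy, command_line):
    """Return "permit" or "deny" for one command line under the policy.

    Models (as an assumption) tac_plus cmd matching: the first word selects
    the cmd block, the rest of the line is the argument string that the
    permit/deny regexes are searched against in order, first match wins.
    """
    words = command_line.split()
    if not words:
        return "deny"
    cmd, args = words[0], " ".join(words[1:])
    rules = policy["cmd"].get(cmd)
    if rules is None:
        # No cmd block for this command: the group's default service applies.
        return policy["default service"]
    for verdict, pattern in rules:
        if re.search(pattern, args):    # unanchored search, like POSIX regexec
            return verdict
    return "deny"                       # assumption: unmatched arguments are denied


def evaluate(policy, command_lines):
    """Evaluate several command lines; returns {command_line: verdict}."""
    return {line: authorize(policy, line) for line in command_lines}


# Constructed sample command lines an operator might type.
SAMPLE = [
    "show ip route",
    "show interface GigabitEthernet0/1",
    "show version",
    "show ipv6 route",
    "show clock | include ip",
    "configure terminal",
]

if __name__ == "__main__":
    for name, pol in (("limited", LIMITED),
                      ("limited (anchored)", LIMITED_ANCHORED),
                      ("admin", ADMIN)):
        print(name)
        for line, verdict in evaluate(pol, SAMPLE).items():
            print(f"  {verdict:6} {line}")
```

Run as a script it prints a verdict table for the three policies. The point worth carrying back into tac_plus.conf is the anchoring: a line such as `permit "^ip .*"` (quoted so the space survives the config parser) keeps `show ipv6` and filtered output denied, where the bare `permit ip` in the posted group lets them through.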