<p dir="ltr">Make use of do_auth.py and after - authorization. It makes life much easier and provides much more granular control.</p>
<p dir="ltr">John Fraizer<br>
--Sent from my Android phone.<br>
Please excuse any typos.</p>
<div class="gmail_quote">On Jan 5, 2016 10:31 PM, "Alan McKinnon" <<a href="mailto:alan.mckinnon@gmail.com">alan.mckinnon@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 06/01/2016 04:13, Mailing Lists wrote:<br>
> Thanx for the response guys. Maybe I'm stupid, but I can't see how I can<br>
> deny a specific command while still allowing users to configure things, is<br>
> anyone able to give me some pointers on how I would deny 'no router bgp'<br>
> for exapmle.<br>
<br>
<br>
It's fully described in man 5 tac_plus.conf<br>
<br>
eg in a "user" stanza:<br>
<br>
<br>
cmd = no {<br>
deny router bgp<br>
permit .*<br>
}<br>
<br>
<br>
Be very careful with this and make sure you understand what is<br>
happening. tac_plus does not have internal knowledge of what router<br>
commands mean (the only thing that knows that is the router OS), it has<br>
to work with text strings and regexes. So you can get false<br>
negatives/positives very easily if you are not careful. For example,<br>
tac_plus has no concept that "no ..." is the inverse of "..." so you<br>
must explicitly configure it.<br>
<br>
<br>
When you allow some commands like this and deny others, the list of<br>
things allowed and denied tends to get very very long<br>
<br>
<br>
><br>
> Cheers,<br>
> Damien.<br>
><br>
> On Wed, Jan 6, 2016 at 7:15 AM, Daniel Schmidt <<a href="mailto:daniel.schmidt@wyo.gov">daniel.schmidt@wyo.gov</a>><br>
> wrote:<br>
><br>
>> Yes, it can be done on those platforms with authorization.<br>
>><br>
>> On Tue, Jan 5, 2016 at 11:11 AM, heasley <<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>> wrote:<br>
>><br>
>>> Tue, Jan 05, 2016 at 06:35:34PM +1100, Mailing Lists:<br>
>>>> Hi All,<br>
>>>><br>
>>>> Is it possible to deny users from entering certain configuration<br>
>> commands<br>
>>>> in TACACS?<br>
>>>><br>
>>>> So for example I want my users to be able to do enable and run whatever<br>
>>>> commands they like, but once they type 'conf t' commands are<br>
>> restricted.<br>
>>> If<br>
>>>> it matters, I am specifically interested in denying 'no router'<br>
>> commands<br>
>>> on<br>
>>>> IOS-XE and Brocade NetIron (CER/S/MLX) devices.<br>
>>><br>
>>> on ios this is done with aaa command authorization. no idea if brocade<br>
>>> supports this or it can be done there.<br>
>>> _______________________________________________<br>
>>> tac_plus mailing list<br>
>>> <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
>>> <a href="http://www.shrubbery.net/mailman/listinfo/tac_plus" rel="noreferrer" target="_blank">http://www.shrubbery.net/mailman/listinfo/tac_plus</a><br>
>>><br>
>><br>
>> --<br>
>><br>
>> E-Mail to and from me, in connection with the transaction<br>
>> of public business, is subject to the Wyoming Public Records<br>
>> Act and may be disclosed to third parties.<br>
>> -------------- next part --------------<br>
>> An HTML attachment was scrubbed...<br>
>> URL: <<br>
>> <a href="http://www.shrubbery.net/pipermail/tac_plus/attachments/20160105/9db6bd5e/attachment.html" rel="noreferrer" target="_blank">http://www.shrubbery.net/pipermail/tac_plus/attachments/20160105/9db6bd5e/attachment.html</a><br>
>>><br>
>> _______________________________________________<br>
>> tac_plus mailing list<br>
>> <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
>> <a href="http://www.shrubbery.net/mailman/listinfo/tac_plus" rel="noreferrer" target="_blank">http://www.shrubbery.net/mailman/listinfo/tac_plus</a><br>
>><br>
> -------------- next part --------------<br>
> An HTML attachment was scrubbed...<br>
> URL: <<a href="http://www.shrubbery.net/pipermail/tac_plus/attachments/20160106/350d48e5/attachment.html" rel="noreferrer" target="_blank">http://www.shrubbery.net/pipermail/tac_plus/attachments/20160106/350d48e5/attachment.html</a>><br>
> _______________________________________________<br>
> tac_plus mailing list<br>
> <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
> <a href="http://www.shrubbery.net/mailman/listinfo/tac_plus" rel="noreferrer" target="_blank">http://www.shrubbery.net/mailman/listinfo/tac_plus</a><br>
><br>
<br>
<br>
--<br>
Alan McKinnon<br>
<a href="mailto:alan.mckinnon@gmail.com">alan.mckinnon@gmail.com</a><br>
<br>
_______________________________________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo/tac_plus" rel="noreferrer" target="_blank">http://www.shrubbery.net/mailman/listinfo/tac_plus</a><br>
</blockquote></div>