[tac_plus] Re: Problem With tac_plus

[john heasley]

Mon, Jan 22, 2007 at 01:44:24PM -0500, Jason Gardiner:
> Hello,
> 
> I've run across a problem and I'm about to tear out my hair.  I have
> tac_plus setup for Ciscos, but it seems that every command issued after
> "config t" is allowed, even when explicitly denied.  Here is the config
> 
> user = xxxxx {
>     default service = deny
>     name = "xxxxxx"
>     login = des xxxxxx
>     ms-chap = cleartext yyyyyyy
>     service=exec { priv-lvl = 15 }
>         cmd = load-interval { deny .* }
>         cmd = show { permit "arp|config" }
>         cmd = write { permit "terminal" }
>         cmd = terminal { permit "length .*" }
>         cmd = configure { permit .* }
>         cmd = arp { permit ".*" }
>         cmd = ip { permit "route .* 255.255.255.255 .*" }
>         cmd = interface { deny .* }
>         cmd = no { deny "ip address" }
> }
> 
> 
> As it stands, the user can perform a 'show arp,' but a 'show clock'
> returns with a "Command authorization failed" as expected.
> 
> However, if the user does a 'config t,' then he can still perform an
> 'interface loopback 112' even though it should be denied AFAICT.
> 
> Any insight that you can offer into this would be greatly appreciated.
> 

never tried config-mode command authorization.  try authorization debugging
with -d 8.  perhaps there something is prepended to the command in config
mode or, for the interface xx question, there is no authorization for moving
among config 'levels".