[tac_plus] Re: Privilege Level / Configuration Changes
JCharlton at DataPointInc.com
Tue Nov 13 16:23:01 UTC 2007
John,
We had spoken a few weeks back; the suggestion you made to my question in
the email below did not seem to work.
I may be using the wrong command on my Cisco gear. Can you verify if
this is the command I need to work in conjunction with the TACACS+ server
commands you provided?
aaa authorization exec default group tacacs+
I am trying to be able to use TACACS+, but not have to type in the
enable password when logging in, for some users, not all.
Thanks.
Jason Charlton, CCNA
DataPoint Inc.
410-209-6770
noc at datapointinc.com
-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Monday, October 22, 2007 4:12 PM
To: Jason Charlton
Cc: heas at shrubbery.net; tac_plus at shrubbery.net
Subject: Re: [tac_plus] Privilege Level / Configuration Changes
the device must also be configured for authorization.
Mon, Oct 22, 2007 at 03:49:17PM -0400, JCharlton at DataPointInc.com:
> Thank You, The restarting command works great, but I still can't login
> and have a user be in enable mode without having to type the enable
> password.
>
>
> The statement for this user looks like:
>
> user = jcharlton {
>     login = des *****
>     member = staff
> }
>
>
> With the commands you provided me, my file looks like this, but not
> acting as I thought it would.
>
> user = jcharlton {
>     login = des sK7fnk8/W5Cvc
>     member = staff
>     service = exec {
>         priv-lvl=15
>     }
>
> }
>
>
> Thanks for any further help.
>
>
>
>
>
> Jason Charlton, CCNA
> DataPoint Inc.
> 410-209-6770
> noc at datapointinc.com
>
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Monday, October 22, 2007 3:23 PM
> To: Jason Charlton
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Privilege Level / Configuration Changes
>
> Mon, Oct 22, 2007 at 03:15:29PM -0400, JCharlton at DataPointInc.com:
> > Hello,
> >
> >
> >
> > I have 2 questions. First one is, I am using tacacs+-F4.0.4.10, on
> > CentOS 5. I am trying to make it so on a per user basis, when they
> > authenticate to our Cisco gear, they go into enable mode instead of
> > starting in user mode, like you are able to do when you configure
> > usernames with privilege 15 on a Cisco router or switch.
>
> user = name {
>     service = exec {
>         priv-lvl=15
>     }
> }
>
> > Another thing is that I am trying to make a script or make it so that if
> > you change the configuration file, that you do not have to restart the
> > box to make the change go through, because unfortunately that is the only
> > way I have found to make it apply the configuration changes in the conf
> > file, and I still have to do tac_plus -C /(file) after restart.
>
> kill -1 `cat /var/run/tac_plus.pid`
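
Added example, not part of the thread and not tac_plus code: priv-lvl=15 under service = exec is what places a user in enable mode at login once the device performs exec authorization, so this Python audit lists which users a tac_plus configuration would start at a given privilege level. It goes beyond the per-user stanza in the thread by following member = group inheritance, and assumes one statement per line and that a user's own service = exec block takes precedence over the group's; the function names and sample entries are made up for illustration.

```python
SAMPLE_CONF = """# constructed sample; group and user names are placeholders
group = staff {
    service = exec {
        priv-lvl = 15
    }
}
user = alice {
    member = staff
}
user = bob {
    member = staff
    service = exec {
        priv-lvl=1
    }
}
"""

def parse_entries(text):
    """Map ("user"|"group", name) to its member group, exec block and priv-lvl."""
    entries, stack = {}, []  # stack = headers of the blocks currently open
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        key, _, value = (p.strip() for p in line.partition("="))
        if line == "}" and stack:
            stack.pop()
        elif value.endswith("{"):
            stack.append((key, value[:-1].strip()))
            if len(stack) == 1 and key in ("user", "group"):
                entries[stack[0]] = {"member": None, "exec": False, "priv": None}
            elif stack[0] in entries and stack[1:] == [("service", "exec")]:
                entries[stack[0]]["exec"] = True
        elif stack and stack[0] in entries:
            if key == "member" and len(stack) == 1:
                entries[stack[0]]["member"] = value
            elif key == "priv-lvl" and stack[1:] == [("service", "exec")]:
                entries[stack[0]]["priv"] = int(value)
    return entries

def effective_priv(entries, kind, name, seen=()):
    """priv-lvl returned for exec authorization, following group membership."""
    e = entries.get((kind, name))
    if e is None or (kind, name) in seen:  # unknown group or membership loop
        return None
    if e["exec"] or not e["member"]:  # own exec block wins (assumed precedence)
        return e["priv"]
    return effective_priv(entries, "group", e["member"], seen + ((kind, name),))

def users_starting_enabled(text, level=15):
    entries = parse_entries(text)
    return sorted(n for (k, n) in entries if k == "user" and effective_priv(entries, k, n) == level)
```

Calling users_starting_enabled() on the live configuration file's text gives the list to review before sending the daemon the reload signal.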