[tac_plus] Re: authorization - solved for my purpose
Erik Neuwirth
erik.neuwirth at gmx.de
Mon Sep 17 10:14:29 UTC 2007
hi @all,
first of all:
thanks to everybody for any given advice!
this is the solution that fetches my purpose:
######
on nas:
######
aaa new-model
aaa authentication login tac_list group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 5 en5 group tacacs+
line vty 0 *
 authorization commands 5 en5
 login authentication tac_list
##########
on tac_plus
##########
user = test {
    login = cleartext test
    service = shell { priv_level = 5 }
    cmd = enable { deny .* }
    cmd = show { permit ver deny .* }
    cmd = traceroute { permit .* }
    cmd = logout { permit .* }
}
br
tom
> hi @all,
>
> i'm trying to do some authorization stuff, but it doesn't work in the way i
> thought it should.
>
> if i've got the following entry:
>
> on tacacs+:
>
> user = test {
> login = cleartext test
> cmd = show { permit ver }
> cmd = traceroute { permit .* }
> cmd = logout { permit .* }
> }
>
> on router:
>
> aaa authentication login tac_list group tacacs+ local
> aaa authorization exec auth1 group tacacs+
>
> line vty 0 4
> access-class 2 in
> authorization exec auth1
> login authentication tac_list
> transport input ssh
>
> vty 5 =>
> are disabled
>
> the user shouldn't be able to do a "show ip interface brief", right?
> tia
>
> cheers
> tom
--
#######################
Skype me: erik.neuwirth
********************************************************
There's no patch for stupidity
----------
The quote has nothing to do with the recipient of the mail
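Added example, not part of the original post and not tac_plus code: a simplified Python model of how the posted cmd rules decide a command, for checking a rule set before deploying it. It assumes the NAS sends the fully expanded command, that the first matching regex wins, that matching is unanchored (search style), and that unlisted commands are denied by default; the anchored variant and the sample commands are constructed for illustration.

```python
import re

# cmd rules copied from the tac_plus user block in the post.
RULES_POSTED = """
cmd = enable { deny .* }
cmd = show { permit ver deny .* }
cmd = traceroute { permit .* }
cmd = logout { permit .* }
"""
# Hypothetical tightening (not from the post): anchor the permit regex.
RULES_ANCHORED = RULES_POSTED.replace("permit ver", "permit ^version")

def parse_cmd_rules(text):
    """Return {command: [(action, compiled_regex), ...]} in file order."""
    rules = {}
    for name, body in re.findall(r"cmd\s*=\s*(\S+)\s*\{([^}]*)\}", text):
        tokens = body.split()
        actions, patterns = tokens[::2], tokens[1::2]
        if len(tokens) % 2 or any(a not in ("permit", "deny") for a in actions):
            raise ValueError(f"malformed rule body for cmd = {name}")
        rules[name] = [(a, re.compile(p)) for a, p in zip(actions, patterns)]
    return rules

def authorize(rules, command_line, default="deny"):
    """First matching regex decides; no match or unlisted command -> default."""
    cmd, _, args = command_line.partition(" ")
    for action, regex in rules.get(cmd, []):
        if regex.search(args):  # search(), so an unanchored pattern matches anywhere
            return action
    return default

def audit(rule_text, samples):
    """Map each sample command line to its permit/deny verdict."""
    rules = parse_cmd_rules(rule_text)
    return {line: authorize(rules, line) for line in samples}

# Constructed sample command lines, not taken from a real session.
SAMPLES = ["show version", "show ip interface brief",
           "show ip http server status", "enable",
           "traceroute 192.0.2.1", "ping 192.0.2.1"]

if __name__ == "__main__":
    for label, text in (("posted", RULES_POSTED), ("anchored", RULES_ANCHORED)):
        for line, verdict in audit(text, SAMPLES).items():
            print(f"{label:9} {verdict:6} {line}")
```

Under these assumptions the unanchored `ver` also matches the substring in "server", which is why the anchored variant is shown beside the posted rules.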