[tac_plus] Re: tac_plus config

Tom Murch tmurch at toniccomputers.com
Fri Aug 21 15:29:14 UTC 2009


OK, so here is what I have:

user tom {
        login = cleartext 'tom'
        enable = cleartext 'tom12'
}

# an acl block only holds permit/deny patterns; login and enable
# passwords belong in the user block, so matt's go there
acl = badmatt {
        deny 192\.168\.0\.1     # disallow enable on this tacacs client
        permit .*
}

user matt {
        login = cleartext 'matt'
        enable = cleartext 'matt12'
        enableacl = badmatt
}

Will this work so that Tom and Matt can both enable on all things except the
192.168.0.1 that Matt is ACL'd from?

Tom
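An added checker, not part of this thread or of tac_plus itself, that parses a config in the style of the one above and decides whether a user may enable from a given TACACS+ client address. It assumes first-match-wins ACL entries with deny as the default when nothing matches, handles only cleartext enable passwords, and embeds a constructed sample config inline.

```python
import re

# Constructed sample in the tac_plus.conf style used in this thread (enableacl as John Heasley suggested)
SAMPLE_CONF = r"""
user tom {
    login = cleartext 'tom'
    enable = cleartext 'tom12'
}
acl = badmatt {
    deny 192\.168\.0\.1     # disallow enable on this tacacs client
    permit .*
}
user matt {
    login = cleartext 'matt'
    enable = cleartext 'matt12'
    enableacl = badmatt
}
"""
BLOCK = re.compile(r"(user|acl)\s*=?\s*(\S+)\s*\{(.*?)\}", re.S)

def parse_conf(text):
    """Return ({user: [(key, value)]}, {acl: [(action, regex)]})."""
    users, acls = {}, {}
    for kind, name, body in BLOCK.findall(text):
        entries = []
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()          # strip comments
            if line and kind == "acl":
                entries.append(tuple(line.split(None, 1)))    # permit/deny regex
            elif line:
                entries.append(tuple(p.strip() for p in line.split("=", 1)))
        (acls if kind == "acl" else users)[name] = entries
    return users, acls

def acl_allows(entries, client_ip):
    """First matching entry wins; assumed here: no match means deny (fail closed)."""
    # Patterns are unanchored, so 192\.168\.0\.1 also matches 192.168.0.10;
    # use ^192\.168\.0\.1$ if only that single client is meant.
    for action, pattern in entries:
        if re.search(pattern, client_ip):
            return action == "permit"
    return False

def enable_allowed(users, acls, username, client_ip, password):
    """One enable password per account, whatever device asks; then the enableacl."""
    user = dict(users.get(username, []))
    method, _, secret = user.get("enable", "").partition(" ")
    if method != "cleartext" or secret.strip().strip("'") != password:
        return False
    acl = user.get("enableacl")
    return acl is None or acl_allows(acls.get(acl, []), client_ip)
```

Note that a denied client is decided by the client address pattern alone; the per-device enable secrets Tom mentions never enter into it, because the TACACS+ server checks the account's enable password, not the device's.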

On Tue, Aug 4, 2009 at 3:21 PM, Schmidt, Daniel <dan.schmidt at uplinkdata.com> wrote:

> Why would you want to do such a thing?  The enable password should be
> linked to the account, with enable = cleartext 'badmatt' or enable =
> file /etc/passwd.  He should have the same enable password, but
> different levels of access.  You should be able to do this in the
> tac_plus config, but if you really want to get granular, you can use an
> after authentication script like mine on tacacs.org.
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Tom Murch
> Sent: Tuesday, August 04, 2009 6:22 AM
> To: john heasley
> Cc: tac_plus at shrubbery.net
> Subject: [tac_plus] Re: tac_plus config
>
> great that worked so the only other thing I do not understand is how to
> let tom enable on all routers and switches when there are 5 different
> enable passwords between all the equipment?
>
> On Mon, Aug 3, 2009 at 11:46 AM, john heasley <heas at shrubbery.net>
> wrote:
>
> > Mon, Aug 03, 2009 at 10:55:32AM -0400, Tom Murch:
> > > Hello
> > >
> > >   so I am trying to get this up and running correctly but I am not
> > > sure on a few things. What I am trying to accomplish is as follows:
> > >
> > > user tom would have access to switches 1-5 and routers 1-10. Tom
> > > will also be able to enable on all these switches and routers. The
> > > enable password is different on some routers; how do I define that?
> > >
> > > user matt would have access to switches 1-5 and routers 1-10 but
> > > only able to enable on switches 1-5 and routers 1-4.
> >
> > user tom { }
> > acl = badmatt {
> >        deny 192\.168\.0\.1     # disallow enable on this tacacs client
> >        permit .*
> > }
> > user matt { enableacl = badmatt }
> >
> > > Any help would be greatly appreciated as I am a tad confused on how
> > > to do this or if it is even possible.
> > >
> > > Thanks in advance
> > >
> > > Tom
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20090821/9834383c/attachment.html 