[tac_plus] Re: tac_plus config

john heasley heas at shrubbery.net
Fri Aug 21 16:58:14 UTC 2009


Fri, Aug 21, 2009 at 12:55:22PM -0400, Tom Murch:
> so it works great except the enable password is not working on a per user
> basis is there something i need to change to make that work?

put it in the user {} area.  if that is not working, you will have to run
with debugging and i suspect you'll find that the device isn't passing the
username with the enable authorization request but rather $enable$.

> On Fri, Aug 21, 2009 at 12:52 PM, Tom Murch <tmurch at toniccomputers.com> wrote:
> 
> > yeah that's a mistype on my part. Let me go try this out.
> >
> > On Fri, Aug 21, 2009 at 12:09 PM, john heasley <heas at shrubbery.net> wrote:
> >
> >> Fri, Aug 21, 2009 at 11:29:14AM -0400, Tom Murch:
> >> > ok so here is what i have
> >> >
> >> > user tom {
> >> >          login = cleartext 'tom'
> >> >          enable = cleartext 'tom12'
> >> > }
> >> >
> >> > acl = badmatt {
> >> >        login = cleartext 'matt'
> >> >        enable = cleartext 'matt12'
> >> >        deny 192\.168\.0\.1     # disallow enable on this tacacs client
> >> >        permit .*
> >> > }
> >> > user matt { enableacl = badmatt }
> >> >
> >> > Will this work so that Tom and Matt can both enable on all things except
> >> > the 192.168.0.1 that matt is acl from?
> >>
> >> yes, but login and enable are not valid in acl {}.
> >>
> >
> >
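The two points made in the replies above (login and enable do not belong in acl {}, and a per-user enable password has to sit in that user's own block) can be checked mechanically before a config is deployed. The following is an added example, not part of the original thread or of tac_plus; the line-oriented parsing is a simplification, and the names `lint` and `users_without_enable` are hypothetical.

```python
import re

# Constructed sample: the configuration quoted in the thread, unchanged.
SAMPLE = r"""
user tom {
         login = cleartext 'tom'
         enable = cleartext 'tom12'
}

acl = badmatt {
       login = cleartext 'matt'
       enable = cleartext 'matt12'
       deny 192\.168\.0\.1     # disallow enable on this tacacs client
       permit .*
}
user matt { enableacl = badmatt }
"""

BLOCK_OPEN = re.compile(r"^(user|acl|group)\s*=?\s*(\S+?)\s*\{")
KEYS = re.compile(r"\b(login|enableacl|enable)\s*=")
USER_ONLY = {"login", "enable"}  # per the reply: not valid inside acl {}

def lint(config):
    """Return (directives misplaced in acl blocks, keys seen per user)."""
    misplaced, users, block, depth = [], {}, None, 0
    for raw in config.splitlines():
        # Assumption: '#' always starts a comment (not true inside passwords).
        line = raw.split("#", 1)[0].strip()
        m = BLOCK_OPEN.match(line) if block is None else None
        if m:
            block, depth = (m.group(1), m.group(2)), 1
            if block[0] == "user":
                users.setdefault(block[1], set())
            line = line[m.end():]
        elif block is None:
            continue
        for key in KEYS.findall(line):
            if block[0] == "acl" and key in USER_ONLY:
                misplaced.append((block[1], key))
            elif block[0] == "user":
                users[block[1]].add(key)
        # Track nesting so inner { } blocks do not end the outer block early.
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            block = None
    return misplaced, users

def users_without_enable(users):
    return sorted(u for u, keys in users.items() if "enable" not in keys)
```

Run over the quoted config, `lint(SAMPLE)` reports both directives inside `badmatt`, and `users_without_enable` lists `matt`, whose password lines were placed in the acl rather than in his user block.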

