[tac_plus] Re: tac_plus config

john heasley heas at shrubbery.net
Fri Aug 21 18:07:02 UTC 2009 

Fri, Aug 21, 2009 at 01:24:19PM -0400, Tom Murch:
> your correct so what did i do wrong or how do i fix this ?
> 
you can use priv-lvl to autoenable them and just limit where they
login.  otherwise, you contact the mfg and make them fix their software.

> user = tom {
>          login = cleartext tom
>          enable = cleartext tom12
> }
> 
> user = matt {
>        enableacl = badmatt
>        login = cleartext matt
>        enable = cleartext matt12
> }
> 
> acl = badmatt {
>        deny = 192\.168\.0\.1     # disallow enable on this tacacs client
>        permit = .*
> }
> 
> 
> On Fri, Aug 21, 2009 at 12:58 PM, john heasley <heas at shrubbery.net> wrote:
> 
> > Fri, Aug 21, 2009 at 12:55:22PM -0400, Tom Murch:
> > > so it works great except the enable password is not working on a per user
> > > basis is there something i need to change to make that work?
> >
> > put it in the user {} area.  if that is not working, you will have to run
> > with debugging and i suspect you'll find that the device isnt passing the
> > username with the enable authorization request but rahter $enable$.
> >
> > > On Fri, Aug 21, 2009 at 12:52 PM, Tom Murch <tmurch at toniccomputers.com
> > >wrote:
> > >
> > > > yeah thats a miss type on part. Let me go try this out.
> > > >
> > > > On Fri, Aug 21, 2009 at 12:09 PM, john heasley <heas at shrubbery.net>
> > wrote:
> > > >
> > > >> Fri, Aug 21, 2009 at 11:29:14AM -0400, Tom Murch:
> > > >> > ok so here is what i have
> > > >> >
> > > >> > user tom {
> > > >> >          login = cleartext 'tom'
> > > >> >          enable = cleartext 'tom12'
> > > >> > }
> > > >> >
> > > >> > acl = badmatt {
> > > >> >        login = cleartext 'matt'
> > > >> >        enable = cleartext 'matt12'
> > > >> >        deny 192\.168\.0\.1     # disallow enable on this tacacs
> > client
> > > >> >        permit .*
> > > >> > }
> > > >> > user matt { enableacl = badmatt }
> > > >> >
> > > >> > Will this work so that Tom and Matt can both enable on all things
> > except
> > > >> the
> > > >> > 192.168.0.1 that matt is acl from?
> > > >>
> > > >> yes, but login and enable are not valid in acl {}.
> > > >>
> > > >
> > > >
> >

More information about the tac_plus mailing list