[tac_plus] Re: tac_plus config
john heasley
heas at shrubbery.net
Fri Aug 21 18:07:02 UTC 2009
Fri, Aug 21, 2009 at 01:24:19PM -0400, Tom Murch:
> You're correct, so what did I do wrong, or how do I fix this?
>
You can use priv-lvl to autoenable them and just limit where they
log in. Otherwise, you contact the manufacturer and make them fix their software.
> user = tom {
> login = cleartext tom
> enable = cleartext tom12
> }
>
> user = matt {
> enableacl = badmatt
> login = cleartext matt
> enable = cleartext matt12
> }
>
> acl = badmatt {
> deny = 192\.168\.0\.1 # disallow enable on this tacacs client
> permit = .*
> }
>
>
> On Fri, Aug 21, 2009 at 12:58 PM, john heasley <heas at shrubbery.net> wrote:
>
> > Fri, Aug 21, 2009 at 12:55:22PM -0400, Tom Murch:
> > > So it works great, except the enable password is not working on a per-user
> > > basis. Is there something I need to change to make that work?
> >
> > Put it in the user {} area. If that is not working, you will have to run
> > with debugging and I suspect you'll find that the device isn't passing the
> > username with the enable authorization request but rather $enable$.
> >
> > > On Fri, Aug 21, 2009 at 12:52 PM, Tom Murch <tmurch at toniccomputers.com
> > >wrote:
> > >
> > > > Yeah, that's a mistype on my part. Let me go try this out.
> > > >
> > > > On Fri, Aug 21, 2009 at 12:09 PM, john heasley <heas at shrubbery.net>
> > wrote:
> > > >
> > > >> Fri, Aug 21, 2009 at 11:29:14AM -0400, Tom Murch:
> > > >> > OK, so here is what I have
> > > >> >
> > > >> > user tom {
> > > >> > login = cleartext 'tom'
> > > >> > enable = cleartext 'tom12'
> > > >> > }
> > > >> >
> > > >> > acl = badmatt {
> > > >> > login = cleartext 'matt'
> > > >> > enable = cleartext 'matt12'
> > > >> > deny 192\.168\.0\.1 # disallow enable on this tacacs client
> > > >> > permit .*
> > > >> > }
> > > >> > user matt { enableacl = badmatt }
> > > >> >
> > > >> > Will this work so that Tom and Matt can both enable on all things except the
> > > >> > 192.168.0.1 that Matt is ACL'd from?
> > > >>
> > > >> Yes, but login and enable are not valid in acl {}.
> > > >>
> > > >
> > > >
> >
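As an added illustration of the workaround heasley describes above (this is example configuration written for this page, not a config from the thread or from the tac_plus project), here is a tac_plus.conf that autoenables both users through an exec priv-lvl and uses a per-user login acl to limit where matt may log in. The shared key and the group name are placeholders; the user names, passwords and the badmatt acl follow the thread.

```conf
# Added example tac_plus.conf (not from the thread). The shared secret is a
# placeholder; replace it before use.
key = "assumed-shared-secret"

# Both users get an exec session that starts at privilege 15, so the device
# never has to run a separate enable authentication (the step where some
# devices send $enable$ instead of the real username). The device must ask
# the TACACS+ server for exec authorization for priv-lvl to take effect.
group = admins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

user = tom {
    member = admins
    login = cleartext "tom"
    enable = cleartext "tom12"
}

# matt autoenables as well, so "where may he enable" becomes "where may he
# log in": the login acl does the limiting. The enableacl is kept for devices
# that do send the real username with an enable request.
user = matt {
    member = admins
    login = cleartext "matt"
    enable = cleartext "matt12"
    acl = badmatt         # restricts login by NAS address
    enableacl = badmatt   # restricts enable by NAS address
}

# ACL entries are regular expressions matched against the NAS address and are
# evaluated in order, so the deny must come before the catch-all permit.
acl = badmatt {
    deny = 192\.168\.0\.1   # disallow this tacacs client
    permit = .*
}
```

On a Cisco IOS device this needs `aaa authorization exec default group tacacs+` (or the equivalent for the line in use) in addition to login authentication; without exec authorization the priv-lvl attribute is never requested and the device falls back to its own enable prompt. If running tac_plus with debugging shows the device sending `$enable$` as the username, that confirms heasley's diagnosis: the server then has no per-user record to match, which is why per-user enable passwords cannot work on that device without the priv-lvl route above or a fix from the manufacturer.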