[tac_plus] Issues about limiting the commands to be execed in switch

Hailu Meng hailumeng at gmail.com
Tue Nov 24 21:04:02 UTC 2009


Hi All,

I'm trying to create two groups in my tac_plus server. One is the admin. The
other one has limited rights. So I want to limit this group to priv-level 1
and only allow it to issue the show ip and show interface commands. I also
configured authorization in the switch. Here is my configuration in
tac_plus.conf. My tac_plus just allows the user to do everything without
limiting anything.

/etc/tac_plus.conf:

accounting file = /var/log/tacacs/acctfile
key = "keyfortac"

user = $enab15$ {
  login = cleartext "enablepass"
}

group = admin {
  default service = permit
  service = exec {
    priv-lvl = 15
  }
}

group = limited {
  default service = deny
  service = exec {
    priv-lvl = 1
  }
  cmd = show {
    permit ip
    permit interface
  }
}

user = test {
  member = limited
  login = PAM
}

The switch configuration:
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+


I think these configurations are correct, but it just doesn't work. Am I
wrong somewhere? I suppose the "cmd" block should deny all the show commands
except the ones specified. Please help.

Thanks a lot.

Lou
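A small offline check of the "limited" group's command policy, added here as an example; it is not code from the post or from tac_plus. It models the tac_plus cmd-block evaluation as I understand it (first word is the command, the remaining words joined by spaces are matched in order against each permit/deny regex with an unanchored search, first match wins, no cmd block means the group's default service applies). The fallback when a cmd block exists but no line matches is an assumption marked in the code; confirm it against the documentation of your tac_plus build. The HARDENED_GROUP policy is my own variant, not the poster's: it anchors the patterns and ends with an explicit `deny .*` so that an argument string merely containing "ip" (for example a pipe filter) is no longer accepted.

```python
import re

# Constructed policy mirroring the "limited" group from the post (subset of
# tac_plus syntax, modelled here in Python; this is not tac_plus itself).
LIMITED_GROUP = {
    "default_service": "deny",
    "cmd": {
        "show": [("permit", r"ip"), ("permit", r"interface")],
    },
}

# Hypothetical hardened variant (my addition): anchored patterns plus an
# explicit catch-all deny so no-match behaviour does not depend on defaults.
HARDENED_GROUP = {
    "default_service": "deny",
    "cmd": {
        "show": [
            ("permit", r"^ip( |$)"),
            ("permit", r"^interface( |$)"),
            ("deny", r".*"),
        ],
    },
}


def authorize(group, cmdline):
    """Return 'permit' or 'deny' for one command line under a group policy.

    Assumptions (modelled on tac_plus, verify against your build's docs):
    - the first word is the command, the rest is the argument string
    - permit/deny lines are tried in order; the first regex that matches
      anywhere in the argument string (unanchored search) decides
    - no cmd block for the command -> the group's default service decides
    - a cmd block exists but nothing matches -> deny (assumption)
    tac_plus uses POSIX regexes; Python's re is equivalent for these patterns.
    """
    parts = cmdline.split()
    if not parts:
        return "deny"
    cmd, args = parts[0], " ".join(parts[1:])
    rules = group["cmd"].get(cmd)
    if rules is None:
        return group["default_service"]
    for action, pattern in rules:
        if re.search(pattern, args):
            return action
    return "deny"  # assumption: unmatched arguments inside a cmd block are denied


def evaluate(group, cmdlines):
    """Evaluate a list of command lines and return {cmdline: decision}."""
    return {line: authorize(group, line) for line in cmdlines}


# Constructed sample commands a level-1 user might type.
SAMPLE_COMMANDS = [
    "show ip route",
    "show interface",
    "show version",
    "show running-config | include ip",
    "show ipv6 route",
    "configure terminal",
]

if __name__ == "__main__":
    for name, group in (("limited", LIMITED_GROUP), ("hardened", HARDENED_GROUP)):
        print(f"--- {name} ---")
        for line, decision in evaluate(group, SAMPLE_COMMANDS).items():
            print(f"{decision:6}  {line}")
```

Running the script side by side shows the difference that anchoring makes: the poster's `permit ip` line accepts `show running-config | include ip` because the unanchored pattern finds "ip" inside the filter, while the hardened block denies it and only passes arguments that start with `ip` or `interface` as whole words.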