[tac_plus] Re: Issues about limiting the commands to be execed in switch

john heasley heas at shrubbery.net
Fri Nov 27 21:38:55 UTC 2009


Tue, Nov 24, 2009 at 03:04:02PM -0600, Hailu Meng:
> Hi All,
> 
> I'm trying to create two groups in my tac_plus server. One is the admin. The
> other one has limited rights. So I want to limit this group to priv-level 1
> so that it can only issue the show ip and show interface commands. Also I configured the
> authorization in the switch. Here is my configuration in tac_plus.conf. My
> tac_plus just allows the user to do everything without limiting anything.
> 
> /etc/tac_plus.conf:
> 
> accounting file = /var/log/tacacs/acctfile
> key = "keyfortac"
> 
> user = $enab15$ {
>   login = cleartext "enablepass"
> }
> 
> group = admin {
>   default service = permit
>   service = exec {
>     priv-lvl = 15
>   }
> }
> 
> group = limited {
>   default service = deny
>   service = exec {
>         priv-lvl = 1
>   }
>   cmd = show {
>         permit ip
>         permit interface
>   }
> }
> 
> user = test {
>         member = limited
>         login = PAM
> }
> 
> The switch configuration:
> aaa new-model
> aaa authentication login default group tacacs+ enable
> aaa authentication enable default group tacacs+ enable
> 
> aaa authorization exec default group tacacs+ if-authenticated
> aaa authorization commands 1 default group tacacs+ if-authenticated
> aaa authorization commands 15 default group tacacs+ if-authenticated
> 
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 1 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> 
> 
> I think these configurations are correct, but it just doesn't work. Am I
> wrong somewhere? I suppose the "cmd" should deny all the show commands except
> the ones specified. Please help.

"it doesn't work" isn't much to go on.  what doesn't work?

here's an example of a working config with command authorization:
default authorization = permit
acl = limitacl {
        deny = ^198\.58\.[45]\.
        permit = .*
} 
user = limited {
        login = nopassword
        acl = limitacl
        service = exec {
                priv-lvl=1
        }
        cmd = "ping" {
                permit .*
        } 
        cmd = "show" {
                deny tcp.*
                deny regex.*\\[0-9]
                deny "ip bgp version .*"
                deny "ip bgp ipv4 unicast version .*"
                deny "ip bgp ipv4 multicast version .*"
                permit .*
        }
        cmd = "traceroute" {
                permit .*
        }
        cmd = "terminal" {
                permit "length .*"
        }
}

there is a debug option for authorization; see tac_plus(8).
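The following is an added example, not code from tac_plus or from either poster. It is a small Python model of how the cmd blocks in the two configs above get evaluated, written to make the matching semantics visible offline: the first word of the command selects the cmd block, the remaining words (joined by single spaces) are tried against that block's permit/deny regexes in order, the first match decides, a block with no matching entry denies, and a command with no block falls back to the user's default. The policy tables are constructed from the thread; the assumption that the regexes are matched from the start of the argument string but are not anchored at the end is what the third table (ASKER_TIGHT, a constructed hardening) is there to illustrate: a bare `permit ip` also matches `ipv6 ...`.

```python
"""Model of tac_plus-style per-command authorization (added example, assumptions noted)."""
import re
from typing import Dict, List, Tuple

Rule = Tuple[str, str]      # ("permit" | "deny", regular expression from the cmd block)
Decision = Tuple[str, str]  # ("permit" | "deny", human-readable reason)


class CmdPolicy:
    """One user's cmd blocks plus the default applied when no block exists.

    The evaluation order below is an assumption of this model, simplified from the
    tac_plus.conf behaviour discussed in the thread; it is not tac_plus's own code.
    """

    def __init__(self, default: str, cmds: Dict[str, List[Rule]]) -> None:
        if default not in ("permit", "deny"):
            raise ValueError("default must be 'permit' or 'deny'")
        self.default = default
        # Compile once; keep the pattern text so a decision can be explained.
        self.cmds = {
            name: [(action, rx, re.compile(rx)) for action, rx in rules]
            for name, rules in cmds.items()
        }

    def authorize(self, line: str) -> Decision:
        words = line.split()
        if not words:
            return ("deny", "empty command")
        name, args = words[0], " ".join(words[1:])
        rules = self.cmds.get(name)
        if rules is None:
            # No cmd block for this command: fall back to the user's default.
            return (self.default, f"no cmd block for {name!r}, default {self.default}")
        for action, rx, compiled in rules:
            # re.match anchors at the start only; nothing anchors the end unless
            # the pattern itself does, so "ip" is a prefix match on "ipv6 ...".
            if compiled.match(args):
                return (action, f"{action} {rx!r}")
        return ("deny", f"no entry in cmd block {name!r} matched {args!r}")


# Constructed from the reply's "limited" user (a subset of its cmd blocks).
LIMITED = CmdPolicy("permit", {
    "ping": [("permit", r".*")],
    "show": [
        ("deny", r"tcp.*"),
        ("deny", r"ip bgp version .*"),
        ("permit", r".*"),
    ],
    "terminal": [("permit", r"length .*")],
})

# Constructed from the original question's "limited" group.
ASKER = CmdPolicy("deny", {
    "show": [("permit", r"ip"), ("permit", r"interface")],
})

# Same intent with the argument patterns terminated, so "ip" no longer
# matches "ipv6 ..." by prefix (constructed hardening, not from the thread).
ASKER_TIGHT = CmdPolicy("deny", {
    "show": [("permit", r"ip($| )"), ("permit", r"interface($|s| )")],
})


def check(policy: CmdPolicy, line: str) -> str:
    """Return only the permit/deny decision for a command line."""
    return policy.authorize(line)[0]


if __name__ == "__main__":
    for line in ["show interface", "show tcp brief", "show ip bgp version 4",
                 "terminal length 0", "terminal monitor", "configure terminal"]:
        print(f"{line:26} -> {LIMITED.authorize(line)}")
    for line in ["show ip route", "show ipv6 route", "show running-config"]:
        print(f"{line:26} -> asker={check(ASKER, line)} tight={check(ASKER_TIGHT, line)}")
```

Running it prints each decision with the entry that produced it, which is the same information the authorization debug option mentioned below gives you from the real daemon; the ASKER/ASKER_TIGHT pair shows why it is worth terminating argument patterns (with a trailing space or `$`) rather than relying on a bare keyword when the goal is to restrict a group to specific show commands.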
