[tac_plus] Re: Restricting Cisco 'interface' command
Schmidt, Daniel
dan.schmidt at uplinkdata.com
Tue Oct 20 16:56:40 UTC 2009
post:
sh run | inc tacacs|aaa
-----Original Message-----
From: dterry at dollartree.com [mailto:dterry at dollartree.com]
Sent: Tuesday, October 20, 2009 10:54 AM
To: Schmidt, Daniel
Cc: john heasley; tac_plus at shrubbery.net
Subject: RE: [tac_plus] Re: Restricting Cisco 'interface' command
I have everything setup correctly on the Cisco side.
I have tried your suggestion below and was unable to prevent a user from
configuring interfaces other than Gi and Fa ports. Debugging tacacs
authorization produced no helpful information.
Further suggestions would be appreciated.
From: "Schmidt, Daniel" <dan.schmidt at uplinkdata.com>
Sent: 10/20/2009 12:26 PM
To: "john heasley" <heas at shrubbery.net>, <dterry at dollartree.com>
cc: <tac_plus at shrubbery.net>
Subject: RE: [tac_plus] Re: Restricting Cisco 'interface' command
default service = deny
cmd = interface { permit [faFAgiGI].* }
If you're looking for a simpler configuration, look at my authentication
script on tacacs.org. However, the above should work for your purposes.
-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of john heasley
Sent: Tuesday, October 20, 2009 10:10 AM
To: dterry at dollartree.com
Cc: tac_plus at shrubbery.net
Subject: [tac_plus] Re: Restricting Cisco 'interface' command
Tue, Oct 20, 2009 at 10:35:11AM -0400, dterry at dollartree.com:
>
> Hello,
>
> I am trying to restrict the usage of the 'interface' command within
> Cisco gear. I would like the users to have access to issue "interface Gi.*"
> or "interface Fa.*". I do not want them to have the ability to issue
> "interface Te.*". The configuration that I have in place now for this is:
>
> cmd = interface {
> permit ".*Gi.*"
> permit ".*Fa.*"
> deny .*
> }
>
> Should this work? If not, where's my error?
Make sure authorization is configured on the device, else enable tacacs
authorization debugging to find out why it's not matching.
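As an added illustration that is not part of the thread, the Python below models the first-match regex evaluation that both the original `.*Gi.*` / `.*Fa.*` block and the suggested `[faFAgiGI].*` line rely on. It assumes tac_plus searches each permit/deny pattern unanchored against the argument string after the command name and denies when nothing matches (check tac_plus.conf(5) for your version); the anchored third policy and the sample interface names are my own constructions.

```python
import re

# Assumption: tac_plus tries each permit/deny regex in order against the
# argument string (everything after "interface"), as an unanchored search,
# first match wins, and no match means deny. Python's re stands in for
# the daemon's regex engine.

# Policy 1: the original poster's block from the thread.
ORIGINAL_POLICY = [
    ("permit", r".*Gi.*"),
    ("permit", r".*Fa.*"),
    ("deny", r".*"),
]

# Policy 2: the single-line suggestion from the reply.
SUGGESTED_POLICY = [
    ("permit", r"[faFAgiGI].*"),
]

# Policy 3 (my own assumption, not from the thread): anchored at the start,
# case-insensitive, accepting only Fa/FastEthernet or Gi/GigabitEthernet.
ANCHORED_POLICY = [
    ("permit", r"^(?i:fa(stethernet)?|gi(gabitethernet)?)[0-9]"),
    ("deny", r".*"),
]

# Constructed interface arguments as a device might send them.
SAMPLE_ARGS = [
    "GigabitEthernet0/1",
    "Gi0/1",
    "FastEthernet0/2",
    "TenGigabitEthernet1/1",  # the poster wants this denied
    "Te1/1",
    "Loopback0",
    "Vlan10",
]


def authorize(policy, args):
    """Return 'permit' or 'deny' for one argument string under a policy."""
    for action, pattern in policy:
        if re.search(pattern, args):  # unanchored search, first match wins
            return action
    return "deny"  # nothing matched: default deny


def evaluate(policy):
    """Map each sample argument string to its authorization result."""
    return {args: authorize(policy, args) for args in SAMPLE_ARGS}


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY),
                         ("suggested", SUGGESTED_POLICY),
                         ("anchored", ANCHORED_POLICY)):
        print(f"--- {name} ---")
        for args, result in evaluate(policy).items():
            print(f"{result:6} interface {args}")
```

Running it shows why the first two policies leak: "TenGigabitEthernet" contains "Gi", and "Loopback0" contains an "a", so an unanchored search permits them.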
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus