[tac_plus] Re: Restricting Cisco 'interface' command
dterry at dollartree.com
dterry at dollartree.com
Tue Oct 20 17:04:11 UTC 2009
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication enable default group tacacs+ enable none
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group tacacs+ local none
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa authorization network default group tacacs+ local none
aaa accounting delay-start
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
ip tacacs source-interface Loopback0
tacacs-server host <host>
no tacacs-server directed-request
tacacs-server key 7 <key>
"Schmidt, Daniel"
<dan.schmidt at upli
nkdata.com> To
<dterry at dollartree.com>
10/20/2009 01:01 cc
PM "john heasley"
<heas at shrubbery.net>,
<tac_plus at shrubbery.net>
Subject
RE: [tac_plus] Re: Restricting
Cisco 'interface' command
post:
sh run | inc tacacs|aaa
-----Original Message-----
From: dterry at dollartree.com [mailto:dterry at dollartree.com]
Sent: Tuesday, October 20, 2009 10:54 AM
To: Schmidt, Daniel
Cc: john heasley; tac_plus at shrubbery.net
Subject: RE: [tac_plus] Re: Restricting Cisco 'interface' command
I have everything setup correctly on the Cisco side.
I have tried your suggestion below and was unable to prevent a user from
configuring interfaces other than Gi and Fa ports. Debugging tacacs
authorization produced no helpful information.
Further suggestions would be appreciative.
"Schmidt, Daniel"
<dan.schmidt at upli
nkdata.com>
To
"john heasley"
10/20/2009 12:26 <heas at shrubbery.net>,
PM <dterry at dollartree.com>
cc
<tac_plus at shrubbery.net>
Subject
RE: [tac_plus] Re: Restricting
Cisco 'interface' command
default service = deny
cmd = interface { permit [faFAgiGI].* }
If you're looking for a simpler configuration, look at my authentication
script on tacacs.org. However, the above should work for your purposes.
-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of john heasley
Sent: Tuesday, October 20, 2009 10:10 AM
To: dterry at dollartree.com
Cc: tac_plus at shrubbery.net
Subject: [tac_plus] Re: Restricting Cisco 'interface' command
Tue, Oct 20, 2009 at 10:35:11AM -0400, dterry at dollartree.com:
>
> Hello,
>
> I am trying to restrict the usage of the 'interface' command
within
> Cisco gear. I would like the users to have access to issue "interface
Gi.*"
> or "interface Fa.*". I do not want them to have the ability to issue
> "interface Te.*". The configuration that I have in place now for this
is:
>
> cmd = interface {
> permit ".*Gi.*"
> permit ".*Fa.*"
> deny .*
> }
>
> Should this work? If not, where's my error?
make sure authorization is configured on the device, else enable tacacs
authorization debugging to find-out why its not matching.
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
More information about the tac_plus
mailing list