[tac_plus] Re: Restricting Cisco 'interface' command

john heasley heas at shrubbery.net
Tue Oct 20 17:13:38 UTC 2009


Tue, Oct 20, 2009 at 01:04:11PM -0400, dterry at dollartree.com:
> aaa new-model
> aaa authentication login default group tacacs+ local enable
> aaa authentication enable default group tacacs+ enable none
> aaa authentication ppp default if-needed group radius local
> aaa authorization exec default group tacacs+ local none
> aaa authorization commands 0 default group tacacs+ local none
> aaa authorization commands 1 default group tacacs+ local none
> aaa authorization commands 15 default group tacacs+ local none
> aaa authorization network default group tacacs+ local none

looks right.  if it is connecting to the tacacs daemon for authorization,
then you need to look closer at the debug output.  the answer is in there.

