[tac_plus] Different "service = exec" parameters for different equipments

Rui Vitor Figueiras Meireles rui-f-meireles at telecom.pt
Fri Sep 10 17:29:06 UTC 2010


Hi. I have a simple configuration question.
Is it possible to have different "service = exec" parameters for different equipments?

Have a network with several IOS and IOS-XR devices.
I have included this part
        service = exec {
                task = "#root-system,#cisco-support"
        }
to be able to access some of them in the "Cisco-support" group (it permits some more commands).
However, using this configuration I am not able to access the others, the ones that do not have this group.

Is there any way I can use the same user and do what I want? For example, using ACLs: if it matches, use group admin1, if it doesn't, use group admin2. Or using duplicate users (2 users with the same name, but with different groups, and if the access fails on the first, it tries the second).

Thanks. Any help would be appreciated.


Rui Meireles

#####################
group = shadow {
        login = file /etc/passwd
}

# Users with Full Access
group = admin {
        default service = permit
        member = shadow
        enable = cleartext "cisco"
        acl = all_acl
        enableacl = all_acl
        service = exec {
                task = "#root-system,#cisco-support"
                priv-lvl=15
                idletime=10
        }
}

user = rmeireles {
        member = admin
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20100910/afef564d/attachment.html>


More information about the tac_plus mailing list