[tac_plus] Different "service = exec" parameters for different equipments
Rui Vitor Figueiras Meireles
rui-f-meireles at telecom.pt
Tue Sep 21 10:18:58 UTC 2010
Hi. I have a simple configuration question.
Is it possible to have different "service = exec" parameters for different equipments?
Have a network with several IOS and IOS-XR devices.
I have included this part
service = exec {
task = "#root-system,#cisco-support"
}
to be able to access some of them in the "Cisco-support" group (it permits some more commands).
However, using this configuration I am not able to access the others, the ones that do not have this group.
Is there any way I can use the same user and do what I want? For example, using ACLs: if it matches, use group admin1, if it doesn't, use group admin2. Or using duplicate users (2 users with the same name, but with different groups, and if the access fails on the first, it tries the second).
Thanks. Any help would be appreciated.
Rui Meireles
#####################
group = shadow {
login = file /etc/passwd
}
# Users with Full Access
group = admin {
default service = permit
member = shadow
enable = cleartext "cisco"
acl = all_acl
enableacl = all_acl
service = exec {
task = "#root-system,#cisco-support"
priv-lvl=15
idletime=10
}
}
user = rmeireles {
member = admin
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20100921/624ff2e0/attachment.html>
More information about the tac_plus
mailing list