[tac_plus] question
john heasley
heas at shrubbery.net
Thu Aug 18 19:09:34 UTC 2011
Thu, Aug 18, 2011 at 12:22:42PM -0400, Mike Keselman:
> Hi,
>
> I am running tacacs+ version tacacs+-F4.0.4.19-1 in my environment. I am
> having issues configuring Cisco commands within the daemon. Currently my
> Cisco gear has privilege 5 permission configured for a subset of commands. I
> have to move those commands to a central place as opposed to having them on
> each device. Any help would be appreciated.
>
> Sample of what is configured is below
>
>
> group = test {
>     # description: test group
>     default service = deny
>     service = exec {
>         priv-lvl = 5
>     }
> }
>
> user = tactest {
>     login = cleartext tac
>
>     member = test
>
>     cmd = configure { permit terminal }
>     cmd = show {
>         permit .*
>     }
> }
I don't know if those commands will work with level 5,
but suspect your problem is the authorization configuration on the router.
E.g.:
# group = RO {
#     service = exec {
#         priv-lvl=15
#     }
#     cmd = show {
#         permit run
#         permit version
#         permit install
#         permit env
#         permit gsr
#         permit boot
#         permit bootvar
#         permit flash
#         permit controllers
#         permit controllers
#         permit diagbus
#         permit diag
#         permit c7200
#         deny .*
#     }
#     cmd = write {
#         permit term
#         deny .*
#     }
#     cmd = dir {
#         permit /all
#         deny .*
#     }
# }
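
Added example (not part of the original post and not tac_plus code): a small Python model of how the ordered permit/deny lines in the RO group above decide a command, useful for checking a rule set against sample commands before it reaches the daemon. It assumes the device sends the fully expanded command, that lines are tried in order as unanchored regular expressions with the first match deciding, and that anything unmatched is denied; the names RO_GROUP, authorize and audit are hypothetical.

```python
import re

# Constructed model of the RO group quoted in the reply (duplicate line dropped).
# Each cmd block is an ordered list of (action, regex) lines.
RO_GROUP = {
    "show": [("permit", "run"), ("permit", "version"), ("permit", "install"),
             ("permit", "env"), ("permit", "gsr"), ("permit", "boot"),
             ("permit", "bootvar"), ("permit", "flash"),
             ("permit", "controllers"), ("permit", "diagbus"),
             ("permit", "diag"), ("permit", "c7200"), ("deny", ".*")],
    "write": [("permit", "term"), ("deny", ".*")],
    "dir": [("permit", "/all"), ("deny", ".*")],
}


def authorize(rules, command, default_cmd="deny"):
    """Return (decision, reason) for one expanded command line.

    Assumed semantics: the first word selects the cmd block, the remaining
    words are joined with spaces, each line is an unanchored regex tried in
    order, and the first matching line decides. No match means deny.
    """
    words = command.split()
    if not words:
        return "deny", "empty command"
    name, args = words[0], " ".join(words[1:])
    lines = rules.get(name)
    if lines is None:
        return default_cmd, f"no cmd = {name} block"
    for action, pattern in lines:
        if re.search(pattern, args):  # unanchored: "run" also hits "trunk"
            return action, f"{action} {pattern}"
    return "deny", "no line matched"


def audit(rules, commands):
    """Map each sample command to its decision, for review before rollout."""
    return {c: authorize(rules, c)[0] for c in commands}


if __name__ == "__main__":
    samples = ["show running-config", "show ip route", "write terminal",
               "write memory", "dir /all", "configure terminal",
               "show interfaces trunk"]
    for cmd, decision in audit(RO_GROUP, samples).items():
        print(f"{decision:6} {cmd}")
```

Under these assumptions "show interfaces trunk" is permitted by the "permit run" line, which is the kind of unintended match that anchoring a pattern with ^ would prevent.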