[tac_plus] question

Mike Keselman mkeselman at m5net.com
Thu Aug 18 19:22:06 UTC 2011


John,

Thank you for the reply. The following is configured on my router; can you
tell me if anything is incorrect?

aaa group server tacacs+ tacServers
 server 10.10.10.10
!
aaa authentication banner ^CCUnauthorized Access Prohibited^C
aaa authentication fail-message ^CCFailed login. Try again.^C
aaa authentication login default group tacServers enable
aaa authorization console
aaa authorization exec default group tacServers if-authenticated
aaa authorization exec console group tacServers if-authenticated
aaa accounting exec default start-stop group tacServers
aaa accounting commands 1 default start-stop group tacServers
aaa accounting commands 2 default start-stop group tacServers
aaa accounting commands 5 default start-stop group tacServers
aaa accounting commands 15 default start-stop group tacServers


On Thu, Aug 18, 2011 at 3:09 PM, john heasley <heas at shrubbery.net> wrote:

> Thu, Aug 18, 2011 at 12:22:42PM -0400, Mike Keselman:
> > Hi,
> >
> > I am running tacacs+ version tacacs+-F4.0.4.19-1 in my environment. I am
> > having issues configuring Cisco commands within the daemon. Currently my
> > Cisco gear has privilege 5 permission configured for a subset of commands.
> > I have to move those commands to a central place as opposed to having them
> > on each device. Any help would be appreciated.
> >
> > Sample of what is configured is below
> >
> >
> > group = test {
> >         # description: test group
> >         default service = deny
> >         service = exec {
> >                 priv-lvl = 5
> >                 }
> > }
> >
> > user = tactest {
> >         login = cleartext tac
> >
> >         member = test
> >
> >         cmd = configure { permit terminal }
> >         cmd = show {
> >                permit .* }
> > }
>
> I don't know if those commands will work with level 5.
>
> but suspect your problem is the authorization configuration on the router.
>
> eg:
> # group = RO {
> #         service = exec {
> #                 priv-lvl=15
> #         }
> #         cmd = show {
> #                 permit run
> #                 permit version
> #                 permit install
> #                 permit env
> #                 permit gsr
> #                 permit boot
> #                 permit bootvar
> #                 permit flash
> #                 permit controllers
> #                 permit controllers
> #                 permit diagbus
> #                 permit diag
> #                 permit c7200
> #                 deny .*
> #         }
> #         cmd = write {
> #                 permit term
> #                 deny .*
> #         }
> #         cmd = dir {
> #                 permit /all
> #                 deny .*
> #         }
> # }
>
>


-- 
Mike Keselman
M5 Networks, Inc.
Phone: (646)747-1632
www.m5net.com
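An added example, not code from the list or from the tac_plus project: a small Python model of how tac_plus decides a command-authorization request against cmd blocks like the ones quoted above (first word selects the block, the remaining words are regex-searched against the permit/deny lines in order, first match wins). SAMPLE_CONFIG is constructed from the quoted rules, and parse_cmd_rules and authorize are hypothetical helper names, not daemon APIs.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, not a real daemon config: the "show" rules from
# John's RO example plus the "configure" rule from Mike's tactest user.
SAMPLE_CONFIG = """
group = RO {
        default service = deny
        cmd = show {
                permit run
                permit version
                deny .*
        }
        cmd = configure { permit terminal }
}
"""

Rules = Dict[str, List[Tuple[str, str]]]  # command -> [(action, regex), ...]

def parse_cmd_rules(text: str) -> Tuple[Rules, str]:
    """Collect cmd = X { permit/deny REGEX ... } blocks in file order and
    the 'default service' setting (deny when the config omits it)."""
    rules: Rules = {}
    for name, body in re.findall(r"cmd\s*=\s*(\S+)\s*\{([^}]*)\}", text):
        rules[name] = re.findall(r"\b(permit|deny)\s+(\S+)", body)
    m = re.search(r"default\s+service\s*=\s*(permit|deny)", text)
    return rules, (m.group(1) if m else "deny")

def authorize(command_line: str, rules: Rules, default_service: str) -> str:
    """Decide one IOS command line as tac_plus does: the first word picks the
    cmd block, the rest is searched (unanchored regex, first match wins)
    against its permit/deny lines.  No block -> 'default service'; a block
    where nothing matches -> deny.  IOS sends the expanded command, so
    'show run' arrives as 'show running-config' and 'permit run' matches."""
    words = command_line.split()
    if not words:
        return "deny"
    lines = rules.get(words[0])
    if lines is None:
        return default_service
    args = " ".join(words[1:])
    for action, pattern in lines:
        if re.search(pattern, args):
            return action
    return "deny"

def decisions(config: str, commands: List[str]) -> Dict[str, str]:
    rules, default = parse_cmd_rules(config)
    return {c: authorize(c, rules, default) for c in commands}
```

Because the search is unanchored, `permit run` also matches any argument string containing "run"; anchor the pattern (for example `^running-config$`) where that matters. This models only the daemon side: IOS sends per-command authorization requests only when `aaa authorization commands <level> ...` is configured, which the router config above does not include.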