[tac_plus] raccess and tac_plus
Sena, Rich
rsena at mitre.org
Wed Dec 28 20:59:13 UTC 2011
Trying to set up a Cisco terminal server and limit access to certain ttys for some admins. Behind this server we have network devices and storage devices. I want to limit the consoles that the storage admins are permitted to connect to.
Here is what I've done... BTW I also had an iteration where I tried to add the port numbers to the acl (permit = ^10\.83\.125\.235" "2011$) but I figured I was barking up the wrong tree...
On NAS:
aaa authorization reverse-access default group tacacs+ if-authenticated
In tac_plus.conf
user = san {
    name = "SAN Admin"
    member = netsup
}

group = netsup {
    login = file /etc/passwd
    member = supaccess
    # expires = "Dec 25 2011"
}

group = supaccess {
    default service = permit
    service = raccess {
        # limit console logins for supaccess
        port#1 = dc-cons1/tty0\/0\/8
        port#2 = dc-cons1/tty0\/0\/9
        port#3 = dc-cons1/tty0\/0\/10
    }
    cmd = conf {
        # allow supaccess to config MDS
        permit 10\.83\.125\.191
        deny .*
    }
    cmd = write {
        # allow supaccess to write MDS
        permit 10\.83\.125\.191
        deny .*
    }
    #acl = supacl
    service = exec {
        priv-lvl = 15
    }
}

acl = supacl {
    permit = ^10\.83\.125\.235$
    permit = ^10\.83\.125\.191$
    deny = .*
}
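The post leans on two different checks: the acl block, whose permit/deny regexes are evaluated first-match against the NAS address the request came from, and the raccess port list, which constrains which console lines a group may be authorized onto. The Python below is an added model of those two checks written for this page; it is not tac_plus code and does not reproduce the daemon's own parser or its no-match default. The acl entries are taken from the post; the port values, the request addresses and the exact-string comparison in port_allowed are constructed assumptions used to illustrate why a port number appended to an address regex can never match.

```python
import re
from typing import List, Optional, Tuple

# The supacl block from the post, in file order, as (action, regex) pairs.
SUPACL: List[Tuple[str, str]] = [
    ("permit", r"^10\.83\.125\.235$"),
    ("permit", r"^10\.83\.125\.191$"),
    ("deny", r".*"),
]

# Constructed sample raccess port list (assumption: the daemon is handed plain
# "nas/line" strings; these are illustrative values, not the post's escaped ones).
RACCESS_PORTS: List[str] = [
    "dc-cons1/tty0/0/8",
    "dc-cons1/tty0/0/9",
    "dc-cons1/tty0/0/10",
]


def parse_acl_block(body: str) -> List[Tuple[str, str]]:
    """Turn the lines inside an 'acl = name { ... }' block into (action, regex) pairs.

    Comments after '#' and blank lines are skipped; anything that is not a
    'permit = regex' or 'deny = regex' line is ignored. Model assumption, not the
    daemon's lexer.
    """
    entries: List[Tuple[str, str]] = []
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(permit|deny)\s*=\s*(\S.*)$", line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def evaluate_acl(acl: List[Tuple[str, str]], nas_address: str) -> Optional[str]:
    """First-match evaluation of an acl against the NAS address only.

    The acl never sees a port number, so a regex ending in '2011$' has nothing to
    match. Returns 'permit', 'deny', or None when no entry matched (the model does
    not assume what the daemon does in that last case).
    """
    for action, pattern in acl:
        if re.search(pattern, nas_address):
            return action
    return None


def port_allowed(configured_ports: List[str], requested_port: str) -> bool:
    """Exact-string membership of the requested console line in the configured list.

    Assumption of this model: the port#N values are compared as literal strings,
    so the configured value has to equal what the NAS sends, character for character.
    """
    return requested_port in configured_ports


def review_request(nas_address: str, requested_port: str) -> Tuple[Optional[str], bool]:
    """Combine both checks for one (NAS address, console line) request."""
    return evaluate_acl(SUPACL, nas_address), port_allowed(RACCESS_PORTS, requested_port)


if __name__ == "__main__":
    for addr, port in [
        ("10.83.125.235", "dc-cons1/tty0/0/8"),   # permitted NAS, listed line
        ("10.83.125.235", "dc-cons1/tty0/0/1"),   # permitted NAS, unlisted line
        ("10.83.125.77", "dc-cons1/tty0/0/8"),    # NAS not in the acl
        ("10.83.125.235 2011", "dc-cons1/tty0/0/8"),  # address+port can't match
    ]:
        print(addr, port, "->", review_request(addr, port))
```

The last sample request is the one the post mentions trying: because the acl input is just the address, the address-plus-port string only ever reaches the trailing deny, which is why the port restriction has to live in the raccess service rather than in the acl.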