[tac_plus] tacplus assistance
heasley
heas at shrubbery.net
Fri Jun 8 18:10:16 UTC 2012
Fri, Jun 08, 2012 at 11:28:34AM -0500, Mullett, Cynthia:
> I downloaded and installed tacacs+-F4.0.4.25
>
> with a successful ./configure and make install; however, I do not know
> where to find tac_plus.conf. I ran a find from / and didn't see it;
> it's not in /etc. Is it something I have to create, or is there a file
> somewhere? Any help will be appreciated.
It is something that you create. I've attached a sample.
# Shared secret for the NAS <-> server exchange; replace the placeholder
# with the real key. It sits here in clear text, so restrict this file's
# permissions to the account tac_plus runs as.
key = "your key here"
# logging destination
logging = daemon
# destination of accounting data
#accounting syslog;
# OR
accounting file = /var/log/tac.acct
# authentication for users not appearing elsewhere via
# the file /etc/passwd
# NOTE(review): on hosts that keep password hashes in /etc/shadow,
# /etc/passwd carries none -- confirm this source is usable on the target.
default authentication = file /etc/passwd
# Host access list. The permit/deny patterns are regexes; the ordering
# below relies on the first matching line deciding, so the narrow permit
# for 192.168.0.1 must stay ahead of the broader deny. Patterns without a
# trailing "$" match as prefixes.
acl = dial_only {
# All access routers are in 192.168/16. However, except for
# 192.168.0.1 all backbone routers are in 192.168.0/24.
# Deny access to the backbone routers.
permit = ^192\.168\.0\.1$
deny = ^192\.168\.0\.
permit = ^192\.168\.
}
# Group for non-backbone operators: every service is permitted unless a
# more specific rule says otherwise, exec sessions get connection ACL 4
# plus a fixed autocmd, and host access is limited by the dial_only acl.
group = no_backbone {
# permit an exec to start and permit all commands and
# services by default
default service = permit
service = exec {
# When an exec is started, its connection access list
# will be 4. "acl" is quoted because it is a keyword.
# It also has an autocmd
"acl" = 4
autocmd = "telnet duffhost"
}
# group will only be allowed to login on NASes
# that pass the dial_only acl above
acl = dial_only
}
# Administrative group: supplies a fallback login method, a fallback
# expiry date and the dial_only host restriction to its members.
group = admin {
# group members who don't have their own login password will be
# looked up in /etc/passwd
login = file /etc/passwd
# login = (cleartext <string> | des <des string> | PAM | skey | nopassword)
# group members who have no expiry date set will use this one
# NOTE: this date is already in the past relative to the post (2012),
# so members without their own expiry inherit an expired account --
# set a real date before deploying.
expires = "Jan 1 1997"
# deny access to backbone routers
acl = dial_only
}
# The user named DEFAULT is tac_plus's fallback entry; it appears to
# cover any user without an entry of their own, so it should stay
# minimal -- here it permits all services and hands ppp/ip users the
# "foobar" address pool.
user = DEFAULT {
default service = permit
service = ppp protocol = ip {
addr-pool=foobar
}
}
# Sample user authenticating via PAM, inheriting the no_backbone rules.
user = homer {
default service = permit
login = PAM
# Three enable methods are listed below; it is not evident from this
# sample which one takes effect, so keep only the one intended.
# "cleartext" stores the enable secret literally in this file, whereas
# the "des" form stores only a des-hashed string.
enable = cleartext myenablepwd
enable = des mEX027bHtzTlQ
enable = file /etc/passwd
member = no_backbone
}
# Fully worked sample user: login by des string, admin group membership,
# per-service exec/cmd/ppp/slip attributes. Values are illustrative --
# note the des string below is the same one used for homer's enable
# above, which is fine for a sample but not for a real deployment.
user = fred {
login = des mEX027bHtzTlQ
name = "Fred Flintstone"
member = admin
# privileged (enable) mode is granted without any password here
enable = nopassword
# NOTE: this date is already in the past relative to the post (2012)
expires = "May 23 2005"
# arap/chap secrets must be recoverable on the server side for the
# challenge exchange, so these cannot be stored as hashes.
arap = cleartext "Fred's arap secret"
chap = cleartext "Fred's chap secret"
service = exec {
# When Fred starts an exec, his connection access
# list is 5
"acl" = 5
# We require this autocmd to be done at startup
autocmd = "telnet foo"
}
# All commands except show system are denied for Fred
cmd = show {
# Fred can run the following show command
# The lines are tried in order, so "deny .*" must remain last.
# NOTE(review): if arguments are regex-matched like the acl entries,
# "system" is unanchored and also matches longer arguments containing
# it; write ^system$ to be strict.
permit system
deny .*
}
service = ppp protocol = ip {
# Fred can run ip over ppp only if he uses one
# of the following mandatory addresses. If he
# supplies no address, the first one here will
# be mandated
addr=131.108.12.11
addr=131.108.12.12
addr=131.108.12.13
addr=131.108.12.14
# Fred's mandatory input access list number is 101
inacl=101
# We will suggest an output access list of 102, but the NAS may
# choose to ignore or override it
optional outacl=102
}
service = slip {
# Fred can run slip. When he does, he will have to use
# these mandatory access lists
inacl=101
outacl=102
}
}
# Minimal user entry: everything comes from the admin group, including
# the login method (file /etc/passwd) and the group's expiry date.
user = wilma {
# Wilma has no password of her own, but she's a group member so
# she'll use the group password if there is one. Same for her
# password expiry date
member = admin
}