[tac_plus] Tacacs+ scenario: can I permit user to configure only for one interface and deny others
heasley
heas at shrubbery.net
Wed Mar 13 06:41:14 UTC 2013
Mon, Mar 11, 2013 at 08:09:32PM +0500, asad:
> Hey,
>
> I want to allow a certain user A to only be able to access an interface for
> configuration, e.g.
>
> GigabitEthernet 0/0
>
> and at the same time block all others from accessing the same interface.
>
> Kindly can you provide the configuration for the setup?
>
> Right now I'm using
> default service = deny
>
> cmd = interface { permit [faFAgiGI].* }

afaik, the device will normalize the command - ie: it will expand
abbreviations and send a single case, iirc. i do not recall how it deals
with sub-level cmd authorization, but this should be enough info for you
to experiment. authorization debugging (-d) output will probably be helpful.
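
The regex from the question compared with an anchored one, as an added example that is not part of the original thread or of tac_plus itself. It assumes the rule's regex is searched, unanchored, against the argument string the device sends after `interface`, with the first matching rule winning and `default service = deny` otherwise; the argument strings and the anchored pattern are constructed, and the real normalized form should be read from the `-d` debug output.

```python
import re

def authorize(rules, args, default="deny"):
    """Model of per-command authorization: first matching rule wins.

    Assumption: the pattern is searched anywhere in `args` (not anchored),
    and an unmatched command falls through to the default.
    """
    for action, pattern in rules:
        if re.search(pattern, args):
            return action
    return default

# Rule as posted in the question: a character class followed by ".*".
# Unanchored, it matches any argument containing one of f, a, g, i (either case).
POSTED = [("permit", r"[faFAgiGI].*")]

# Hypothetical anchored rule for a single interface. The exact spelling
# (with or without the space) is an assumption to confirm from debug output.
ANCHORED = [("permit", r"^GigabitEthernet ?0/0$")]

# Constructed argument strings, written in expanded (normalized) form.
SAMPLE_ARGS = [
    "GigabitEthernet 0/0",
    "GigabitEthernet 0/1",
    "GigabitEthernet 0/10",
    "Serial 0/0",
    "Loopback 0",
    "Tunnel 1",
]

def compare(samples=SAMPLE_ARGS):
    """Return {args: (decision under POSTED, decision under ANCHORED)}."""
    return {a: (authorize(POSTED, a), authorize(ANCHORED, a)) for a in samples}

if __name__ == "__main__":
    for args, (posted, anchored) in compare().items():
        print(f"interface {args:<22} posted={posted:<6} anchored={anchored}")
```

Under the posted rule every sample except `Tunnel 1` is permitted, because the character class matches a letter somewhere in the name; the anchored rule permits only `GigabitEthernet 0/0`.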