[tac_plus] What part of tac_plus daemon configuration does "aaa authorization exec default group tacacs+" command in Cisco IOS TACACS+ client check?
John Fraizer
john at op-sec.us
Thu Apr 16 16:47:59 UTC 2015
The service = exec stanza tells Tac_Plus to do (everything you have in that
stanza) whenever the device requests authorization for "exec".
--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
On Thu, Apr 16, 2015 at 3:38 AM, Martin T <m4rtntns at gmail.com> wrote:
> Krux,
>
> I think it is bit more than just the privilege level. Looks like it is
> the whole "service = exec" configuration snippet which specifies for
> example "autocmd" or "idletime" besides "priv-lvl".
>
>
> regards,
> Martin
>
> On 4/14/15, Krux <krux at thcnet.net> wrote:
> > Authorization exec is used to tell the Cisco device to use the privilege
> > level specified by the TACACS+ server when logging in. For example
> privilege
> > level 15. This means you don't have to issue the enable command. It is
> also
> > required if you want to use features like the scp server to push
> firmware to
> > your device, since the scp server requires that your exec level be 15 on
> > login.
> > perl -e 's==UBER?=+y[:-o]}(;->\n{q-yp-y+k}?print:??;-p#)'
> >
> > On April 13, 2015 1:54:37 AM PDT, Martin T <m4rtntns at gmail.com> wrote:
> >>Hi,
> >>
> >>in Cisco IOS TACACS+ client there is a command "aaa authorization exec
> >>default group tacacs+". Am I correct that all this command does is to
> >>force TACACS+ client to take account the "service = exec"
> >>configuration snippet in tac_plus daemon configuration file? For
> >>example:
> >>
> >>service = exec {
> >> priv-lvl = 15
> >> autocmd = "show version"
> >>}
> >>
> >>
> >>thanks,
> >>Martin
> >>_______________________________________________
> >>tac_plus mailing list
> >>tac_plus at shrubbery.net
> >>http://www.shrubbery.net/mailman/listinfo/tac_plus
> >
> >
> >
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20150416/4948a814/attachment.html>
More information about the tac_plus
mailing list