[tac_plus] Deny Config Commands.

Alan McKinnon alan.mckinnon at gmail.com
Wed Jan 6 06:29:32 UTC 2016


On 06/01/2016 04:13, Mailing Lists wrote:
> Thanx for the response guys. Maybe I'm stupid, but I can't see how I can
> deny a specific command while still allowing users to configure things, is
> anyone able to give me some pointers on how I would deny 'no router bgp'
> for example.


It's fully described in man 5 tac_plus.conf

e.g. in a "user" stanza:


           cmd = no {
               deny router bgp
               permit .*
           }


Be very careful with this and make sure you understand what is
happening. tac_plus does not have internal knowledge of what router
commands mean (the only thing that knows that is the router OS), it has
to work with text strings and regexes. So you can get false
negatives/positives very easily if you are not careful. For example,
tac_plus has no concept that "no ..." is the inverse of "..." so you
must explicitly configure it.


When you allow some commands like this and deny others, the list of
things allowed and denied tends to get very, very long.


> 
> Cheers,
> Damien.
> 
> On Wed, Jan 6, 2016 at 7:15 AM, Daniel Schmidt <daniel.schmidt at wyo.gov>
> wrote:
> 
>> Yes, it can be done on those platforms with authorization.
>>
>> On Tue, Jan 5, 2016 at 11:11 AM, heasley <heas at shrubbery.net> wrote:
>>
>>> Tue, Jan 05, 2016 at 06:35:34PM +1100, Mailing Lists:
>>>> Hi All,
>>>>
>>>> Is it possible to deny users from entering certain configuration
>>>> commands in TACACS?
>>>>
>>>> So for example I want my users to be able to do enable and run whatever
>>>> commands they like, but once they type 'conf t' commands are
>>>> restricted. If it matters, I am specifically interested in denying
>>>> 'no router' commands on IOS-XE and Brocade NetIron (CER/S/MLX) devices.
>>>
>>> on ios this is done with aaa command authorization.  no idea if brocade
>>> supports this or it can be done there.
>>> _______________________________________________
>>> tac_plus mailing list
>>> tac_plus at shrubbery.net
>>> http://www.shrubbery.net/mailman/listinfo/tac_plus
>>>
>>
>> --
>>
>> E-Mail to and from me, in connection with the transaction
>> of public business, is subject to the Wyoming Public Records
>> Act and may be disclosed to third parties.
> 


-- 
Alan McKinnon
alan.mckinnon at gmail.com
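The matching Alan describes above, worked through as an added example. This is Python written for this thread, not tac_plus's own code, and it simulates tac_plus command authorization as I understand it from man 5 tac_plus.conf (assumed: the first word of the command selects the "cmd = <word>" stanza, the clauses are tried in order with an unanchored regex search over the argument string, the first match wins, a stanza with no matching clause denies, and a command with no stanza at all falls back to the default, which is deny unless "default service = permit" is set). The "no" stanza is the one from the post; the "router" stanza and the sample commands are constructed to show that the non-"no" form has to be configured separately.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class CmdMatch(NamedTuple):
    action: str  # "permit" or "deny"
    regex: str   # regex searched (unanchored) in the command's argument string


# Constructed rule set. The "no" stanza is the one from the post; the
# "router" stanza is an assumed addition, because tac_plus does not know
# that "no X" is the inverse of "X" and each form needs its own stanza.
CMD_RULES: Dict[str, List[CmdMatch]] = {
    "no": [CmdMatch("deny", "router bgp"), CmdMatch("permit", ".*")],
    "router": [CmdMatch("deny", "^bgp"), CmdMatch("permit", ".*")],
}

# The post's stanza on its own, for comparison.
NO_STANZA_ONLY: Dict[str, List[CmdMatch]] = {"no": CMD_RULES["no"]}


def authorize(command: str,
              rules: Dict[str, List[CmdMatch]] = CMD_RULES,
              default_permit: bool = False) -> Tuple[bool, str]:
    """Decide one command with first-match-wins semantics.

    Assumed tac_plus behaviour (check man 5 tac_plus.conf for your version):
      * the first word selects the "cmd = <word>" stanza,
      * each clause's regex is searched, unanchored, in the remaining
        argument string, and the first matching clause decides,
      * a stanza in which no clause matches denies,
      * a command with no stanza at all gets the default (deny unless
        "default service = permit" is configured).
    Returns (permitted, reason) so the reason can be logged or audited.
    """
    words = command.split()
    if not words:
        return False, "empty command"
    cmd, args = words[0], " ".join(words[1:])
    if cmd not in rules:
        fallback = "permit" if default_permit else "deny"
        return default_permit, f"no 'cmd = {cmd}' stanza; default {fallback}"
    for clause in rules[cmd]:
        if re.search(clause.regex, args):
            return (clause.action == "permit",
                    f"cmd = {cmd}: {clause.action} {clause.regex!r}")
    return False, f"cmd = {cmd}: no clause matched; deny"


def decisions(commands: List[str],
              rules: Dict[str, List[CmdMatch]] = CMD_RULES) -> Dict[str, bool]:
    """Evaluate a batch of commands; useful as a regression test for a config."""
    return {c: authorize(c, rules)[0] for c in commands}


# Constructed sample of commands an operator might type in config mode.
SAMPLE_COMMANDS = [
    "no router bgp 65000",
    "no ip route 10.0.0.0 255.0.0.0 Null0",
    "router bgp 65000",
    "router ospf 1",
    "interface GigabitEthernet0/1",
]

if __name__ == "__main__":
    for c in SAMPLE_COMMANDS:
        ok, why = authorize(c)
        print(f"{'PERMIT' if ok else 'DENY  '}  {c!r:42} ({why})")
    print()
    print("With only the post's 'no' stanza, bare 'router ...' commands hit")
    print("no stanza at all and fall through to the default:")
    print(" ", authorize("router ospf 1", NO_STANZA_ONLY))
```

Running it shows the two caveats from the post in one place: "no router bgp 65000" is denied and "no ip route ..." is permitted by the "no" stanza, but "router ospf 1" is only permitted once a separate "router" stanza exists, and anything without a stanza (here "interface ...") is decided by the default. Keeping a list like SAMPLE_COMMANDS next to the real tac_plus.conf and re-running it after every change is a cheap way to catch the false positives and negatives Alan warns about before they reach a router.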
