[tac_plus] deny a particular command and allow all others
heasley
heas at shrubbery.net
Thu Apr 4 14:43:23 UTC 2019
Thu, Apr 04, 2019 at 12:41:33PM +0200, sambill at netcourrier.com:
> Hello;
>
> We use tac_plus in our network and it is working fine (Cisco and Juniper equipment). I want to allow a particular command and allow all others.
>
> How can I set the tac_plus config file to achieve this?
there are three ways, depending upon the equipment.
1) use cmd authorization in tac_plus, like the user fred in the example config,
assuming the device supports command authorization
2) use an external authorization script, like do_auth which comes with tac_plus,
assuming the device supports command authorization
3) create roles (or whatever the jargon the vendor uses) on the equipment
and assign users to those roles via tacacs AVPs
i suppose, a variation of 3,
4) create roles (or whatever the jargon the vendor uses)
and assign users to those roles on the equipment and just do authentication
via tacacs
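
Added example, not part of the original message and not taken from the tac_plus example config: a tac_plus.conf fragment sketching option 1 (cmd authorization for devices that send command authorization requests, such as Cisco IOS) and option 3 (Junos attributes returned as AVPs). The group name, user name, denied commands, login method and the Junos template user "operators-template" are assumptions made for illustration.

```conf
# Constructed example: names and denied commands are illustrative only.

group = operators {
    # Any command that has no "cmd" block below is permitted.
    default service = permit

    # Option 1: deny "reload" whatever its arguments.
    cmd = reload {
        deny .*
    }

    # Option 1: deny "write erase", permit every other "write" command.
    # The regular expressions are matched against the command's arguments.
    cmd = write {
        deny ^erase
        permit .*
    }

    # Option 3 (Junos): hand back AVPs that map the user to a local
    # template account and deny commands by regular expression.
    # "operators-template" is assumed to exist on the Junos device.
    service = junos-exec {
        local-user-name = operators-template
        deny-commands = "^request system (reboot|halt)"
    }
}

user = netop {
    member = operators
    # Authentication source is an assumption; use whatever the site uses.
    login = file /etc/passwd
}
```

The cmd blocks only take effect when the device asks the server to authorize commands; on Cisco IOS that means enabling it with a line such as "aaa authorization commands 15 default group tacacs+".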