[tac_plus] deny a particular command and allow all others

Mon Apr 8 22:38:18 UTC 2019

Hello;

Thank you for your reply, I want to provide more details for the issues I'm facing, any suggestion will be wellcome.

Someone accidentally removed the existing Allowed VLANs on trunk while adding new Vlan, he forgets to type "switchport trunk allowed vlan add X" but type "switchport trunk allowed vlan X".

How can I prevent this using tac_plus
My goal is to deny "switchport trunk allowed vlan X" and permit "switchport trunk allowed vlan add X", "switchport trunk allowed vlan none", "switchport trunk allowed vlan all" and all any others configuration commands.

Ours cisco equipments are already integrated to tac_plus and work fine, below is the current extract tac_plus configuration file with user test belongs to networkadmin, is there someone who can point me how to modify below file in order to achieve my goal

root at lab:~# more /etc/tacacs+/tac_plus.conf

....
....
accounting file = /var/log/tac_plus.acct

group = networkadmin {
                default service = permit
                #enable = cleartext "test"
        enable = nopassword
                service = exec {
                        priv-lvl = 15
                        idletime = 10
                        optional shell:roles="\"network-admin vdc-admin\""

}

user = test {
        login = PAM
        member = networkadmin
}

...
...

root at lab:~# 

The second problem, is between my switch and tacacs server, there is NAT, so on tacacs all requests come with same IP, in this situation no way to know which request or logs come to which network equipement, is there the way to configure aaa on cisco equipment so that the for example the hostname or management IP of the cisco equipment can be include into accounting file send to tac_plus server.

Best regards;

De : heasley <heas at shrubbery.net>
À : sambill at netcourrier.com
Sujet : Re: [tac_plus] deny a particular command and allow all others
Date : 04/04/2019 16:43:23 Europe/Paris
Copie à : tac_plus at shrubbery.net

Thu, Apr 04, 2019 at 12:41:33PM +0200, sambill at netcourrier.com:
> Hello;
> 
> We use tac_plus into our network working fine (Cisco and juniper equipments), I want to allow a particular commands and allow all others.
> 
> how can I set tac_plus config file to achieve this ?

there are three ways, depending upon the equipment.
1) use cmd authorization in tac_plus, like the user fred in the example config,
assuming the device supports command authorization
2) use an external authorization script, like do_auth which comes with tac_plus,
assuming the device supports command authorization
3) create roles (or whatever the jargon the vendor uses) on the equipment
and assign users to those roles via tacacs AVPs

i suppose, a variation of 3,
4) create roles (or whatever the jargon the vendor uses)
and assign users to those roles on the equipment and just do authentication
via tacacs

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20190409/1cc6e8c1/attachment.html>