
TACACS Server Configuration

Status
Not open for further replies.

bizzaro

Technical User
Jul 24, 2002
105
US
Does anybody know how to configure tacacs to restrict some exec commands? In the example below, I want to prevent such commands as ip routing from being entered. With this configuration, I am still able to enter the command ip routing.




group = test {
    default service = permit

    cmd = configure {
        permit .*
    }
    cmd = ip {
        permit default-gateway
        deny .*
    }

    # Default access to enable mode
    service = exec {
        priv-lvl = 15
    }
}
 
Can you try creating a user that is not in a group like I have it above?
 
Also, you should be able to tail the log and see what is going on as well.
 
The new config does not allow the user into config mode. I tried to permit config and it does not work.
 
I meant the config from the router...


tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Here is my lab switch:

3750-LAB-1#sho run
Building configuration...

Current configuration : 5311 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 3750-LAB-1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$/Nbv$SdwGy9p/DfAgShstMzUk41
!
username xxxxx privilege 15 secret 5 $1$Dw8v$4Yb8ymEfVPrhGxweClSve/
username cisco privilege 15 password 0 cisco
aaa new-model
!
!
aaa authentication login default group tacacs+ local-case enable
aaa authorization console
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone EST -5
clock summer-time DST recurring
switch 1 provision ws-c3750-48ts
switch 2 provision ws-c3750-48ts
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-name foo.com
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet1/0/2
!
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
!
interface FastEthernet1/0/25
!
interface FastEthernet1/0/26
!
interface FastEthernet1/0/27
!
interface FastEthernet1/0/28
!
interface FastEthernet1/0/29
!
interface FastEthernet1/0/30
!
interface FastEthernet1/0/31
!
interface FastEthernet1/0/32
!
interface FastEthernet1/0/33
!
interface FastEthernet1/0/34
!
interface FastEthernet1/0/35
!
interface FastEthernet1/0/36
!
interface FastEthernet1/0/37
!
interface FastEthernet1/0/38
!
interface FastEthernet1/0/39
!
interface FastEthernet1/0/40
!
interface FastEthernet1/0/41
!
interface FastEthernet1/0/42
!
interface FastEthernet1/0/43
!
interface FastEthernet1/0/44
!
interface FastEthernet1/0/45
!
interface FastEthernet1/0/46
!
interface FastEthernet1/0/47
!
interface FastEthernet1/0/48
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface FastEthernet2/0/1
!
interface FastEthernet2/0/2
!
interface FastEthernet2/0/3
!
interface FastEthernet2/0/4
!
interface FastEthernet2/0/5
!
interface FastEthernet2/0/6
!
interface FastEthernet2/0/7
!
interface FastEthernet2/0/8
!
interface FastEthernet2/0/9
!
interface FastEthernet2/0/10
!
interface FastEthernet2/0/11
!
interface FastEthernet2/0/12
!
interface FastEthernet2/0/13
!
interface FastEthernet2/0/14
!
interface FastEthernet2/0/15
!
interface FastEthernet2/0/16
!
interface FastEthernet2/0/17
!
interface FastEthernet2/0/18
!
interface FastEthernet2/0/19
!
interface FastEthernet2/0/20
!
interface FastEthernet2/0/21
!
interface FastEthernet2/0/22
!
interface FastEthernet2/0/23
!
interface FastEthernet2/0/24
!
interface FastEthernet2/0/25
!
interface FastEthernet2/0/26
!
interface FastEthernet2/0/27
!
interface FastEthernet2/0/28
!
interface FastEthernet2/0/29
!
interface FastEthernet2/0/30
!
interface FastEthernet2/0/31
!
interface FastEthernet2/0/32
!
interface FastEthernet2/0/33
!
interface FastEthernet2/0/34
!
interface FastEthernet2/0/35
!
interface FastEthernet2/0/36
!
interface FastEthernet2/0/37
!
interface FastEthernet2/0/38
!
interface FastEthernet2/0/39
!
interface FastEthernet2/0/40
!
interface FastEthernet2/0/41
!
interface FastEthernet2/0/42
!
interface FastEthernet2/0/43
!
interface FastEthernet2/0/44
!
interface FastEthernet2/0/45
!
interface FastEthernet2/0/46
!
interface FastEthernet2/0/47
!
interface FastEthernet2/0/48
!
interface GigabitEthernet2/0/1
!
interface GigabitEthernet2/0/2
!
interface GigabitEthernet2/0/3
!
interface GigabitEthernet2/0/4
!
interface Vlan1
ip address x.x.x.x 255.255.255.0
!
ip default-gateway x.x.x.1
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.1
ip http server
ip http secure-server
!
tacacs-server host x.x.x.x port 4950
tacacs-server directed-request
tacacs-server key 7 0756741E435D180E1D035F5555217E75
!
control-plane
!
!
line con 0
line vty 5 15
!
end
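The following is an added worked example, not code from the thread or from the tac_plus project. It models how a tac_plus `cmd = ...` block decides a command authorization request, using the `group = test` rules from the first post as data, and runs the commands discussed in the thread through it. The modelling assumptions are: the NAS sends the first word as `cmd` and the rest as `cmd-arg`s with IOS appending `<cr>` as the last one; the permit/deny regexes are tried in order with an unanchored search and the first match wins; a command with no `cmd` block falls through to `default service`; and a `cmd` block in which nothing matches denies. The point it makes is that the posted policy does deny `ip routing`, so if the switch still accepts the command the decision did not come from these rules, which is why the suggestion to tail the server log is the right next check: either no authorization request arrives for that command (on IOS, whether configuration-mode commands are submitted for authorization at all is governed by `aaa authorization config-commands`, which does not appear in the switch config above) or the request matches a different block. The second policy (`HARDENED`, my own variant) shows a separate caveat: because matching is unanchored, `permit default-gateway` also permits any `ip` command whose arguments merely contain that string, and anchoring the pattern closes that gap.

```python
import re

# Constructed for this example: the first post's "group = test" rules as data.
# Modelling assumptions (see lead-in): unanchored first-match regex search,
# "default service" for commands with no cmd block, deny on no match.
POLICY = {
    "default_service": "permit",
    "cmds": {
        "configure": [("permit", r".*")],
        "ip": [("permit", r"default-gateway"), ("deny", r".*")],
    },
}

# Hypothetical hardened variant: anchor the permit so only "ip default-gateway ..."
# matches, not any ip command whose arguments happen to contain the word.
HARDENED = {
    "default_service": "permit",
    "cmds": {
        "configure": [("permit", r".*")],
        "ip": [("permit", r"^default-gateway "), ("deny", r".*")],
    },
}


def split_command(line):
    """Split an IOS command line the way the NAS reports it to the server:
    first word is cmd, the remaining words plus a trailing '<cr>' are the args."""
    words = line.split()
    return words[0], " ".join(words[1:] + ["<cr>"])


def authorize(policy, cmd, args):
    """Return (decision, reason) for one command authorization request."""
    rules = policy["cmds"].get(cmd)
    if rules is None:
        # No "cmd = <cmd>" block: the group's "default service" decides.
        return policy["default_service"], "no cmd block for %r, default service" % cmd
    for action, pattern in rules:
        # Unanchored search, first matching pattern wins (assumed tac_plus behaviour).
        if re.search(pattern, args):
            return action, "cmd=%s args=%r matched '%s %s'" % (cmd, args, action, pattern)
    # Assumption: a cmd block in which nothing matches denies the command.
    return "deny", "cmd=%s args=%r matched nothing" % (cmd, args)


def evaluate(policy, lines):
    """Run a list of command lines through the policy; returns {line: decision}."""
    return {line: authorize(policy, *split_command(line))[0] for line in lines}


# Constructed sample: the commands the thread is about plus two edge cases.
SAMPLE_COMMANDS = [
    "configure terminal",
    "ip routing",
    "ip default-gateway 10.0.0.1",
    "show running-config",
    "ip access-list extended default-gateway",   # contains the permitted word
]

if __name__ == "__main__":
    for name, policy in (("posted", POLICY), ("hardened", HARDENED)):
        print("policy:", name)
        for line in SAMPLE_COMMANDS:
            decision, reason = authorize(policy, *split_command(line))
            print("  %-42s -> %-6s (%s)" % (line, decision, reason))
```

Running the block prints `ip routing -> deny` under both policies, and shows `ip access-list extended default-gateway` permitted by the posted rules but denied once the permit is anchored. If the real switch still accepts `ip routing`, compare the server log against these expected decisions: a missing request means the switch never asked.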
 