Configure authorization on tac_plus (Tacacs+)

ratha chum — Thu, 30 Apr 2020 02:32:39 GMT

group = netsupport {
default service = deny
acl = default
service = exec {
priv-lvl = 0
}
cmd = enable {
permit .*
}
cmd = show {
permit .*
}
cmd = exit {
permit .*
}
cmd = configure {
permit .*
}
cmd = interface {
permit Ethernet.*
permit FastEthernet.*
permit GigabitEthernet.*
}
cmd = switchport {
permit "access vlan.*"
permit "voice vlan.*"
permit "trunk allowed vlan.*"
}
cmd = description {
permit .*
}

cmd = no {
permit shutdown
}
}

above are permission I want to assign to support team to change configure on switch.

The problem is that when I allow them to use configure terminal command.

cmd = configure {
permit .*
}

Then they can do any thing on interface such as shutdwon interface, change mode on interface etc... and bellow permission is not effect.

cmd = switchport {
permit "access vlan.*"
permit "voice vlan.*"
permit "trunk allowed vlan.*"
}

as I want then can change VLAN only. I don't want to change port mode to access or trunk or shutdown vlan.

any help will be appreciate.

Thanks and regards,

Ratha

Re: Configure authorization on tac_plus (Tacacs+)

Francesco Molino — Thu, 30 Apr 2020 02:55:48 GMT

Hi

Can you try changing the service level to 15 instead of 0?

topic Re: Configure authorization on tac_plus (Tacacs+) in Switching

Configure authorization on tac_plus (Tacacs+)

Re: Configure authorization on tac_plus (Tacacs+)