Some commands allowed, TACACS+ configured wrong?

lifeforce4
Level 1

I have a test switch and a TACACS+ server to try setting up TACACS+ before putting it into production. We have three people on our network team and want to make it easier to manage device access if one of us leaves, and also to have a limited account for the person who would be filling the open position for a trial period. My issue is mainly with the config file for the server, I think. Also, I am not 100% sure about a few AAA commands which I have read about and applied to the switch.

The "test" user can only do "show ip", or so I thought. It denies all other "show" commands, but for some reason "show run" still works. If anyone could give me some tips on my configuration, that would be greatly appreciated.

Thank you,

Kyle

##### TACACS+ Configured #####

user = test {
    member = limited
    login = des "encrypted password"
    enable = des "encrypted password"
    name = "tester"
}

user = admin {
    config omitted
}

group = admin {
    default service = permit
}

group = limited {
    default service = deny
    cmd = show {
        permit "ip .*"
        deny .*
    }
}

15 Replies

It has to do with the IOS version, because here is the config for TACACS+ and my testing results for logging on to the switch with both accounts.

Thanks,

Kyle

### start tac_plus.conf ###

key = testkey
accounting file = /var/log/tac_plus.acct
default authentication = file /etc/passwd

#~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~,
# Users Accounts                        |
#~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~'

user = test {
    member = limited
    login = cleartext "logtest"
    enable = cleartext "entest"
    name = "tester"
}

user = $test$ {
    member = limited
    login = cleartext "logtest"
    enable = cleartext "entest"
    name = "tester"
}

user = admin {
    member = admin
    login = cleartext "logadmin"
    enable = cleartext "enadmin"
    name = "admin"
}

user = $admin$ {
    member = admin
    login = cleartext "logadmin"
    enable = cleartext "enadmin"
    name = "admin"
}

#~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~,
# Group Accounts                        |
#~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~'

group = admin {
    default service = permit
}

group = limited {
    default service = deny
    cmd = show {
        permit "ip .*"
        permit "debugging .*"
        deny "run*"
        deny .*
    }
    cmd = debug {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = enable {
        permit .*
    }
}

### end tac_plus.conf ###

### start test account login ###

User Access Verification

Username: test
Password:
testSW>en
Password:
testSW#show vlan bri
Command authorization failed.
testSW#show run
Building configuration...

Current configuration : 9108 bytes
!
! Last configuration change at 09:49:51 EST Mon Jul 7 2008 by admin
! NVRAM config last updated at 09:55:19 EST Thu Jun 12 2008 by admin
!
version 12.2
!
output omitted

### end test account login ###

### start admin account login ###

User Access Verification

Username: admin
Password:
testSW>en
Password:
testSW#conf t
Enter configuration commands, one per line. End with CNTL/Z.
testSW(config)#end
testSW#

### end admin account login ###
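To separate "what the server is configured to decide" from "what the switch is doing", here is an added example (not from the thread and not tac_plus's own code) that models tac_plus command-authorization matching over the group rule sets from both tac_plus.conf versions posted above, plus a hypothetical later edit (LIMITED_V3) that is not on this page. It assumes the behaviour documented for Shrubbery tac_plus: the switch sends cmd=<first word> plus one cmd-arg per remaining word and a trailing "<cr>", the server joins the cmd-args with spaces, rules inside a cmd block are tried in order with first match winning, and each regex is an unanchored POSIX regexec() search. Verify those assumptions against the tac_plus.conf(5) man page of the version you run.

```python
import re

# Group "admin" from both configs: no cmd blocks, so every command falls
# through to "default service = permit".
ADMIN = {"default": "permit", "cmds": {}}

# Group "limited" as in the first config posted above.
LIMITED_V1 = {
    "default": "deny",
    "cmds": {"show": [("permit", "ip .*"), ("deny", ".*")]},
}

# Group "limited" as in the second config (the full tac_plus.conf).
LIMITED_V2 = {
    "default": "deny",
    "cmds": {
        "show": [
            ("permit", "ip .*"),
            ("permit", "debugging .*"),
            ("deny", "run*"),
            ("deny", ".*"),
        ],
        "debug": [("permit", ".*")],
        "exit": [("permit", ".*")],
        "enable": [("permit", ".*")],
    },
}

# Hypothetical later edit (not on this page): an admin appends
# permit "interfaces .*" after the deny "run*" rule.
LIMITED_V3 = {
    "default": "deny",
    "cmds": {
        "show": [
            ("permit", "ip .*"),
            ("deny", "run*"),
            ("permit", "interfaces .*"),
            ("deny", ".*"),
        ]
    },
}


def split_request(command_line):
    """Turn 'show ip route' into the (cmd, args) pair the server matches on.
    Assumption: IOS sends a trailing '<cr>' cmd-arg and tac_plus joins all
    cmd-args with single spaces, giving 'ip route <cr>'."""
    words = command_line.split()
    return words[0], " ".join(words[1:] + ["<cr>"])


def authorize(group, command_line, start_anchored=False):
    """Return (decision, reason) for one command line under a group's rules.

    start_anchored=True simulates writing every pattern as '^pattern' in
    tac_plus.conf, which stops substring matches such as 'run*' firing on
    the 'ru' inside 'trunk'."""
    cmd, args = split_request(command_line)
    rules = group["cmds"].get(cmd)
    if rules is None:
        # No cmd block for this command: "default service" decides.
        return group["default"], "default service = %s" % group["default"]
    for action, pattern in rules:
        regex = "^(?:%s)" % pattern if start_anchored else pattern
        # re.search, like regexec(), finds the pattern anywhere in args.
        if re.search(regex, args):
            return action, '%s "%s"' % (action, pattern)
    # Assumption: a cmd block that matches nothing denies the command.
    return "deny", "no rule in cmd = %s matched" % cmd


def report(group, commands, start_anchored=False):
    """Evaluate several command lines and return one summary line each."""
    return [
        "%-28s %-6s via %s" % ((c,) + authorize(group, c, start_anchored))
        for c in commands
    ]


if __name__ == "__main__":
    # Constructed sample command lines, including the two from the session
    # transcript above ("show vlan bri" expanded to its full form).
    sample = ["show ip route", "show vlan brief", "show run",
              "show running-config", "show debugging", "show interfaces trunk",
              "enable", "configure terminal"]
    for name, grp in (("limited v1", LIMITED_V1), ("limited v2", LIMITED_V2),
                      ("limited v3 (unanchored)", LIMITED_V3)):
        print("== %s ==" % name)
        print("\n".join(report(grp, sample)))
    print("== limited v3 (start-anchored) ==")
    print("\n".join(report(LIMITED_V3, sample, start_anchored=True)))
```

Under this model both posted configs deny "show run" (v1 through `deny .*`, v2 through `deny "run*"`), so if the switch still prints the running configuration, the next thing to check is whether that request reached the server at all: `debug aaa authorization` on the switch and the entries in /var/log/tac_plus.acct will show which commands were actually sent and under which user. The LIMITED_V3 case shows the caveat with unanchored patterns: `run*` (read as "ru" followed by zero or more n's, anywhere in the arguments) also denies "show interfaces trunk", while the start-anchored form lets the intended `permit "interfaces .*"` fire.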