07-03-2008 06:19 AM - edited 03-10-2019 03:57 PM
I have a test switch and TACACS+ server to try setting up TACACS+ before putting it into production. We have three people on our network team and want to make it easier to manage device access if one of us leaves. Also to have a limited account for the person that would be filling the open position for a trial period. My issue is mainly with the config file for the server, I think. Also I am not 100% sure on a few AAA commands which I have read about and applied to the switch.
The "test" user can only do "show ip", or so I thought. It denies all other "show" commands, but for some reason "show run" still works. If anyone could give me some tips on my configuration, that would be greatly appreciated.
Thank you,
Kyle
##### TACACS+ Configured #####
user = test {
    member = limited
    login = des "encrypted password"
    enable = des "encrypted password"
    name = "tester"
}
user = admin {
    config omitted
}
group = admin {
    default service = permit
}
group = limited {
    default service = deny
    cmd = show {
        permit "ip .*"
        deny .*
    }
}
07-08-2008 05:51 AM
It has to be something with the IOS version, because here is the config for TACACS+ and my testing results for logging on to the switch with both accounts.
Thanks,
Kyle
### start tac_plus.conf ###
# Shared secret; must match the "tacacs-server key" configured on the switch.
key = testkey
accounting file = /var/log/tac_plus.acct
default authentication = file /etc/passwd
#~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~,
# Users Accounts |
#~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~'
user = test {
    member = limited
    # cleartext is for the lab only; the "des" form used in the first post is what production should carry
    login = cleartext "logtest"
    enable = cleartext "entest"
    name = "tester"
}
user = $test$ {
    member = limited
    login = cleartext "logtest"
    enable = cleartext "entest"
    name = "tester"
}
user = admin {
    member = admin
    login = cleartext "logadmin"
    enable = cleartext "enadmin"
    name = "admin"
}
user = $admin$ {
    member = admin
    login = cleartext "logadmin"
    enable = cleartext "enadmin"
    name = "admin"
}
#~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~,
# Group Accounts |
#~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~'
group = admin {
    default service = permit
}
group = limited {
    # any command without a cmd block below is denied
    default service = deny
    cmd = show {
        # expressions are tried in order; the first one that matches the arguments wins
        permit "ip .*"
        permit "debugging .*"
        # posted as "run*", which as a regex matches "ru" followed by any number of "n";
        # "run.*" is what was intended (the trailing deny .* catches it either way)
        deny "run.*"
        deny .*
    }
    cmd = debug {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = enable {
        permit .*
    }
}
### end tac_plus.conf ###
### start test account login ###
User Access Verification
Username: test
Password:
testSW>en
Password:
testSW#show vlan bri
Command authorization failed.
testSW#show run
Building configuration...
Current configuration : 9108 bytes
!
! Last configuration change at 09:49:51 EST Mon Jul 7 2008 by admin
! NVRAM config last updated at 09:55:19 EST Thu Jun 12 2008 by admin
!
version 12.2
!
output omitted
### end test account login ###
### start admin account login ###
User Access Verification
Username: admin
Password:
testSW>en
Password:
testSW#conf t
Enter configuration commands, one per line. End with CNTL/Z.
testSW(config)#end
testSW#
### end admin account login ###
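The command-authorization decisions behind the "limited" group in both posted configs, modelled as an added example (this is not code from the thread, nor from tac_plus itself). It replays constructed authorization requests through the posted rules and through an anchored variant of the same rules. Assumptions, none of which come from the page: tac_plus matches each expression unanchored against the argument string and takes the first match; a cmd block in which nothing matches denies; and the requests are written the way IOS sends them, fully expanded ("show run" arrives as "show running-config"). The 3750-class command "show platform ip unicast counts" is included only because its argument text contains "ip " after the first word.

```python
import re

# Replica of the posted "limited" group. Each cmd block is an ordered list
# of (action, regex); the posted "run*" is written as "run.*" here.
POSTED_LIMITED = {
    "default_service": "deny",
    "cmd": {
        "show": [
            ("permit", r"ip .*"),
            ("permit", r"debugging .*"),
            ("deny", r"run.*"),
            ("deny", r".*"),
        ],
        "debug": [("permit", r".*")],
        "exit": [("permit", r".*")],
        "enable": [("permit", r".*")],
    },
}

# Same intent with anchored expressions: "ip .*" can then only match
# arguments that START with "ip ", and bare "show debugging" is permitted.
ANCHORED_LIMITED = {
    "default_service": "deny",
    "cmd": {
        "show": [
            ("permit", r"^ip .*"),
            ("permit", r"^debugging( .*)?$"),
            ("deny", r"^running-config"),
            ("deny", r".*"),
        ],
        "debug": [("permit", r".*")],
        "exit": [("permit", r".*")],
        "enable": [("permit", r".*")],
    },
}


def pattern_matches(pattern, args):
    """Assumed tac_plus semantics: unanchored search of the argument string."""
    return re.search(pattern, args) is not None


def authorize(group, command_line):
    """Return (decision, reason) for one command-authorization request."""
    parts = command_line.split(maxsplit=1)
    cmd = parts[0]
    args = parts[1] if len(parts) > 1 else ""
    rules = group["cmd"].get(cmd)
    if rules is None:
        # No cmd block for this command: the group's default service applies.
        return group["default_service"], "default service"
    for action, pattern in rules:
        if pattern_matches(pattern, args):
            return action, f'{action} "{pattern}"'
    return "deny", "no expression matched (assumed deny)"


# Constructed requests, already expanded the way IOS sends them.
REQUESTS = [
    "show ip route",
    "show ip interface brief",
    "show vlan brief",                   # denied in the posted transcript
    "show running-config",               # what "show run" is sent as
    "show debugging",                    # bare "debugging": "debugging .*" needs a trailing space
    "show platform ip unicast counts",   # args contain "ip " mid-line
    "configure terminal",                # no cmd block: default service
    "enable",
    "exit",
]


def evaluate(group, requests=REQUESTS):
    """Map each request to its permit/deny decision under the given group."""
    return {r: authorize(group, r)[0] for r in requests}


if __name__ == "__main__":
    for name, group in (("posted", POSTED_LIMITED), ("anchored", ANCHORED_LIMITED)):
        print(f"--- {name} ---")
        for req in REQUESTS:
            decision, reason = authorize(group, req)
            print(f"{decision:6}  {req:34}  <- {reason}")
```

Under the posted rules the server's answer for "show running-config" is deny, so if the switch still prints the running config the next thing to check is whether an authorization request for that command was ever sent: `debug aaa authorization` and `debug tacacs` on the switch, together with the tac_plus accounting/log output, show that. The two verdicts that differ between the posted and the anchored rules (bare "show debugging", and an argument string with "ip " in the middle) are why anchoring every expression with `^` is cheaper than reasoning about each command's argument text.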