TACACS PLUS SERVER RUNNING ON LINUX


Configurations below should work with all

CISCO ROUTER

aaa new-model
aaa authentication login default tacacs+ enable 
aaa authentication enable default tacacs+ enable
aaa authorization commands 1 default tacacs+ none
aaa authorization commands 15 default tacacs+ none
aaa accounting exec default start-stop tacacs+
aaa accounting commands 1 default start-stop tacacs+
aaa accounting commands 15 default start-stop tacacs+
aaa accounting network default start-stop tacacs+
aaa accounting connection default start-stop tacacs+
aaa accounting system default start-stop tacacs+
 
tacacs-server host 172.16.0.1
tacacs-server key bdsltd
enable secret spicegirls
 
 
For Local Authentication 
 
aaa authentication login default tacacs+ local
username bill password ben
 
 

LINUX

 
/etc/tacacs/tac_plus.cfg
  
 
 
key = bdsltd
 
# Use /etc/shadow file to do authentication
 
default authentication = file /etc/shadow
 
# Where the accounting records go
 
accounting file = /var/log/tac_acc.log
 
# Profile for enable access, username is $enab15$. Used to be $enable$
 
user = $enab15$ {
    login = cleartext "spicegirls"
}
 
# Profiles for user accounts
 
user = bill {
    default service = permit
    login = file /etc/shadow
}
 
user = idiot {
    login = cleartext ohno
    cmd = show {
             permit "interface*"
             permit "ip interface*"
    }
    cmd = ping {
             permit .*
    }
    cmd = traceroute {
             permit .*
    }
}
 
# Profile for script altering config on router
 
user = script {
    login = cleartext passwd
    cmd = configure {
             permit "terminal"
    }
 
    cmd = interface { permit "Dialer 1" }
    cmd = description { permit .* }
    cmd = dialer {
             permit "string"
             permit "load-threshold"
    }
 
    cmd = ppp {
             permit "pap sent-username"
             permit "multilink"
    }
 
    cmd = no {
             permit "dialer string"
             permit "dialer load-threshold"
             permit "ppp pap sent-username"
             permit "ppp multilink"
    }
 
    cmd = write { permit . }
}
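To make the per-user `cmd` blocks above concrete, here is an added Python model (not part of this page and not tac_plus code) that evaluates them the way tac_plus is assumed to: the command keyword selects a block, the remaining words are joined and each `permit` regex is searched against them unanchored, with deny as the default unless the profile has `default service = permit`. It shows why `permit "interface*"` and `permit .` work as written, and that the same unanchored search lets `show running-config | include interface` through for user `idiot` unless the patterns are anchored.

```python
import re

# Constructed model of the per-user "cmd" blocks in the tac_plus.cfg above.
# Each cmd keyword maps to its list of permit regexes (deny lines, which
# tac_plus also supports, are not used on this page and are not modelled).
POLICY = {
    "idiot": {
        "show": ["interface*", "ip interface*"],
        "ping": [".*"],
        "traceroute": [".*"],
    },
    "script": {
        "configure": ["terminal"],
        "interface": ["Dialer 1"],
        "write": ["."],
    },
}
# Users whose profile carries "default service = permit".
DEFAULT_PERMIT = {"bill"}


def authorize(user, command, args, anchored=False):
    """Decide whether `user` may run `command args`.

    Assumed tac_plus semantics: the first word selects the cmd block, the
    remaining words are joined with spaces and each permit regex is searched
    against them (unanchored, like regexec()); a missing block or no match is
    a deny unless the user has "default service = permit".  The empty-argument
    case is not modelled.  anchored=True wraps each pattern in ^...$ to show
    what an anchored (hardened) configuration would decide instead.
    """
    rules = POLICY.get(user, {}).get(command)
    if rules is None:
        return user in DEFAULT_PERMIT
    argstr = " ".join(args)
    for pat in rules:
        if anchored:
            pat = "^(?:" + pat + ")$"
        if re.search(pat, argstr):
            return True
    return False


if __name__ == "__main__":
    for user, cmd in [("idiot", "show interface ethernet0"),
                      ("idiot", "show running-config | include interface"),
                      ("script", "write memory"),
                      ("bill", "reload")]:
        words = cmd.split()
        print(user, cmd, "->", authorize(user, words[0], words[1:]),
              "anchored:", authorize(user, words[0], words[1:], True))
```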
 
Last Updated 28 January 2001



Copyright © 1997 - 2002 Business Direct Services Limited. All other trade marks acknowledged.