Network Administration : Installation of Tacacs+, Rancid, Cvsweb

Posted by pymaunier on Tue 15 Aug 2006 at 09:34

This article describes how to install a complete solution to manage the users who have access to your network devices, and how to automatically back up your network devices' configurations into a CVS-based store so that you can diff them. You will also be able to script the commands you want to run on your routers and switches, for easier administration.

Introduction

This document is in constant evolution, so do not hesitate to check it from time to time. If you see something that has to be added or corrected, feel free to contact me.
Follow this document step by step and it will work without problems; do not skip a section, and read it carefully.

  • Tacacs+ : an authentication server that lets you manage the users who are allowed to access network devices and give them different access levels (super user or ordinary user). You can also give each user the list of commands he is allowed to run.
  • Rancid : a tool that automatically backs up your network devices' configurations and stores them as text files under CVS. It also lets you script commands to be executed on your network devices using clogin, described at the end of this article. clogin is also what rancid uses to automate the connection to the network devices.
  • Cvsweb : displays the CVS-stored configurations in a web page where you can compare different versions of your configurations.
Note : This document has been written for Cisco devices running IOS only. It should work with other network device vendors (such as Juniper, Foundry...), but you should read the vendor's documentation and rancid's to see how to configure it properly. It also works with Cisco devices running CatOS, but no CatOS commands are provided in this document.

Installation

Tacacs+
First of all you'll need to get the latest version of tacacs+ here : http://www.shrubbery.net/tac_plus
Note : Don't do an apt-get install tac-plus: that is the Cisco version, which will not work with the configuration file used in this manual. The shrubbery version is also more up to date.
This document has been written using tacacs+-F4.0.4.10.
You'll need to install the TCP wrappers development files and the compilation tools if they're not installed yet.
# apt-get install libwrap0-dev gcc make libc6-dev
Once you've got the tacacs+ archive, uncompress it (in /usr/src for example).
Before installing tacacs+ I kindly advise you to read the INSTALL file in the uncompressed tacacs+ directory if you want more information.
# cp tacacs+-F4.0.4.10.tar.gz /usr/src
# cd /usr/src
# tar xvfz tacacs+-F4.0.4.10.tar.gz
# cd tacacs+-F4.0.4.10
# ./configure
# make install
Installation directories are the following :
/usr/local/bin : for the binaries tac_plus and tac_pwd
/usr/local/man : for the manual pages
man tac_plus and man tac_pwd are now available for more information.

Now we have to create the tacacs configuration file : /etc/tac_plus.conf
#
# tacacs configuration file
# Pierre-Yves Maunier - 20060713
# /etc/tac_plus.conf

# set the key
key = cle_tacacs

accounting file = /var/log/tac_plus.acct

# users accounts
user = tifrere {
        login = cleartext "normal"
        enable = cleartext "enable"
        name = "Pierre-Yves Maunier"
}
For the moment you have a user called "tifrere". His password to log in to the device is "normal" and the password to enter privileged mode is "enable".
Since his passwords are stored in clear text, it is safer to hash them; for that we use the tac_pwd tool, which produces a DES crypt hash.
# tac_pwd
Password to be encrypted: normal
yrVMIa532Sy.2
# tac_pwd
Password to be encrypted: enable
Elwo6gXCbVulw
So we change tifrere's account like this :
user = tifrere {
        login = des "yrVMIa532Sy.2"
        enable = des "Elwo6gXCbVulw"
        name = "Pierre-Yves Maunier"
}
For more security, we change the permissions of the configuration file :
# chmod 600 /etc/tac_plus.conf
Cisco configuration
Now we have to configure the Cisco device so that it looks up users on the tacacs+ server.
Note : We will create a local user on the Cisco device which will be usable only if the tacacs+ server is unreachable. This account cannot be used while the tacacs+ server is reachable.
In this example, the local user account will be :
username : local_user
password : local_password
enable : local_secret
aaa new-model
aaa authentication login telnet group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default if-authenticated none
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
!
enable secret local_secret
!
username local_user secret local_password
!
line con 0
login authentication console
line vty 0 4
login authentication telnet
line vty 5 15
!
tacacs-server host 192.168.10.64
tacacs-server key cle_tacacs
Note : 192.168.10.64 is the IP address of the tacacs+ server
---------- Explainations ----------
Creation of an authentication list
Router(config)# aaa authentication login {default | list-name} method1 [method2...]
list-name is a character string used to name the authentication list. The method arguments list the authentication methods to use ('group tacacs+' and 'local' here). The first method is always tried; the second one is used only if the first method returns an error (server unreachable), not if the authentication fails : this is what you want when local authentication must only be used while the tacacs+ server is unreachable.
If we use default instead of a named list, the default authentication list is used for every 'line' that does not carry the configuration line 'login authentication {list-name}'.
Router(config)# aaa authentication enable default method1 [method2...]
The same as above but for the privileged-mode password : we look in the tacacs+ server, and the local enable secret is used only if the tacacs+ server is unreachable.

For more information about Cisco AAA (very good docs) :
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/index.htm

---------- End of Explainations ----------

Now we launch the tacacs+ server :
# tac_plus -C /etc/tac_plus.conf
Now the device should use the tacacs+ server for authentication; we can log in with the users created in the tacacs+ configuration file.
# telnet switch
Trying 192.168.10.111...
Connected to switch.
Escape character is '^]'.
User Access Verification
Username: tifrere
Password:               // password : normal
switch>en
Password:               // password : enable
switch#
If you have any problem, use the command "debug aaa authentication" on the Cisco device to troubleshoot the tacacs+ exchange and see what happens when you try to connect.
You can also try :
# tail -f /var/log/tac_plus.acct

Rancid

First of all, you have to get the latest rancid sources from http://www.shrubbery.net/rancid/
We install rancid's dependencies and create the rancid user.
rancid-2.3.1 has been used in this document.
Rancid requires expect and cvs to be installed before it can be installed.
# apt-get install expect cvs
rancid user creation (this user will run all rancid-related processes)
# adduser --home /home/rancid rancid
Once you've got the rancid archive, uncompress it ... (in /usr/src for example)
# cp rancid-2.3.1.tar.gz /usr/src
# cd /usr/src
# tar xvfz rancid-2.3.1.tar.gz
# cd rancid-2.3.1
... and install it
Note : The following commands have to be typed as root. But once Rancid is installed, the rancid user MUST own his home directory (chown -R rancid:rancid /home/rancid).
# ./configure --prefix=/home/rancid --localstatedir=/home/rancid/var/rancid
# make install
The README file in the rancid archive is very well written and contains detailed information; I kindly advise you to read it.

Now it's time to configure rancid.
We create a group in the rancid configuration :
File: /home/rancid/etc/rancid.conf
LIST_OF_GROUPS="mouarf"
---------- Explainations ----------
Group creation
Groups let you separate different categories of devices; they just organize the way the configurations are retrieved.
Example : You have 3 groups
  • Paris which will have all devices located in Paris.
  • London which will have all devices located in London.
  • Amsterdam which will have all devices located in Amsterdam.
You will use :
LIST_OF_GROUPS="Paris London Amsterdam"

---------- End of Explainations ----------

We create a rancid user in the tacacs+ configuration file :
File : /etc/tac_plus.conf
user = rancid {
login = cleartext "rancid_login"
enable = cleartext "rancid_enable"
name = "Rancid User"
}
Note : You could (strongly recommended) use DES-hashed passwords, generated with the tac_pwd command (see previous section).
Now we create rancid's .cloginrc in the rancid home directory (/home/rancid/.cloginrc).
This file allows rancid to log in automatically on the devices.
# /home/rancid/.cloginrc
add user * {rancid}
add password * {rancid_login} {rancid_enable}
As this file contains clear-text passwords (they can't be encrypted), you have to protect it (and make sure rancid is the owner).
# chmod 600 .cloginrc
# chown rancid:rancid .cloginrc
Note : For more information about clogin, see the section at the end of this document.
For the next steps, please read the rancid documentation if you need more information; it is very well written.
Now we launch rancid-cvs. This command MUST be run as the rancid user !
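As an added check (not from the article), this shell script audits the permission rule stated here and in the Tacacs+ section: /etc/tac_plus.conf and every .cloginrc must be mode 600 and owned by the account that uses them. It assumes GNU coreutils (stat -c); the paths and owners are the article's.

```shell
#!/bin/sh
# Added example, not from the article: audit the files that hold device
# credentials (/etc/tac_plus.conf and the .cloginrc files) for the permissions
# the article requires: mode 600 and owned by the account that uses them.
# Assumes GNU coreutils (stat -c); the paths and owners are the article's.

# check_secret_file FILE OWNER
# OWNER is a user name or a numeric uid. Returns 0 when FILE exists, belongs to
# OWNER and is not readable or writable by group or others; returns 1 otherwise
# and prints the reason on stderr.
check_secret_file() {
    file=$1
    owner=$2
    if [ ! -f "$file" ]; then
        echo "$file: missing" >&2
        return 1
    fi
    # Resolve a user name to a uid so the comparison also works when the
    # name is unknown to stat (e.g. in a chroot).
    case $owner in
        *[!0-9]*) want_uid=$(id -u "$owner" 2>/dev/null) || {
                      echo "$file: unknown user $owner" >&2
                      return 1
                  } ;;
        *)        want_uid=$owner ;;
    esac
    have_uid=$(stat -c '%u' "$file")
    mode=$(stat -c '%a' "$file")
    if [ "$have_uid" != "$want_uid" ]; then
        echo "$file: owned by uid $have_uid, expected uid $want_uid" >&2
        return 1
    fi
    # %a prints the permission bits in octal; the last two digits are the
    # group and other bits, which must both be 0 (600, 400, 200 or 0).
    case $mode in
        *00|0) return 0 ;;
    esac
    echo "$file: mode $mode, expected 600" >&2
    return 1
}

# audit_article_files
# Checks the files this article creates: the tacacs+ configuration (root only)
# and the .cloginrc of rancid and of every administrator home in /home.
# Returns 0 only when every file passes.
audit_article_files() {
    rc=0
    check_secret_file /etc/tac_plus.conf root || rc=1
    for rcfile in /home/*/.cloginrc; do
        [ -e "$rcfile" ] || continue     # glob matched nothing
        user=$(basename "$(dirname "$rcfile")")
        check_secret_file "$rcfile" "$user" || rc=1
    done
    return "$rc"
}

# Run the audit only when invoked as "script audit", so the functions can
# also be sourced from another script.
if [ "${1:-}" = "audit" ]; then
    audit_article_files
fi
```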
# su - rancid
$ /home/rancid/bin/rancid-cvs
This command creates all the necessary files and directories for every group listed in LIST_OF_GROUPS and imports them into CVS. It MUST be run every time a new group is added. Do not create the directories or the CVS repository manually.
You can read man -M /home/rancid/man rancid-cvs for more information.
The directories created will be :
  • /home/rancid/var/rancid/group_name
  • /home/rancid/var/rancid/CVS/group_name
Note : If /home/rancid/var/rancid/CVS/group_name is not created, check the permissions: rancid has to own its entire directory. Then :
- delete /home/rancid/var/rancid/group_name
- relaunch rancid-cvs (as the rancid user)
For each group, modify the file router.db
Each group has a directory in /home/rancid/var/rancid
In our example the file is : /home/rancid/var/rancid/mouarf/router.db
#hostname:os:status
switch1.office:cisco:up
router1.office:cisco:up
Note : Hostnames MUST resolve ! Don't forget to add them to /etc/hosts
Launch rancid-run (as the rancid user !! I will never say it often enough)
$ /home/rancid/bin/rancid-run
rancid-run will connect automatically to switch1 and router1, retrieve their configuration and store it in /home/rancid/var/rancid/mouarf/configs/.
If you experience errors, check /var/log/rancid and correct them until it's ok.
CvsWeb
You need a web server installed before installing/using cvsweb. Apache was used for this document.
# apt-get install cvsweb
Modify the cvsweb configuration file to add the group "mouarf" : File : /etc/cvsweb.conf
@CVSrepositories = (
        'local' => ['Local Repository', '/var/lib/cvs'],
        'mouarf' => ['mouarf devices', '/home/rancid/var/rancid/CVS'],
);
If the directory containing the cvsweb icons and CSS files is not under /var/www, you have to add a symbolic link :
# ln -s /usr/share/cvsweb /var/www/cvsweb
Configuration history is now available via cvsweb at the following URL :
http://server_url/cgi-bin/cvsweb/mouarf/configs/?cvsroot=mouarf
To finish
You have to run rancid-run from cron, every hour for example (the frequency is up to you), to build the history of the configurations.
There are two ways to do it; pick the one you prefer :
1. Editing the file /etc/crontab
# RANCID
# run config differ hourly
1 * * * *       rancid  /home/rancid/bin/rancid-run
# clean out config differ logs
50 23 * * *     rancid  /usr/bin/find /home/rancid/var/logs -type f -mtime +2 -exec rm {} \;
2. Using the command crontab -e (as rancid user)
# RANCID
# run config differ hourly
1 * * * *       /home/rancid/bin/rancid-run
# clean out config differ logs
50 23 * * *     /usr/bin/find /home/rancid/var/logs -type f -mtime +2 -exec rm {} \;
Now you need the tacacs+ server to be launched when the machine starts.
Create the file /etc/init.d/tac_plus
#!/bin/sh
#file /etc/init.d/tac_plus
/usr/local/bin/tac_plus -C /etc/tac_plus.conf
Make it executable
# chmod 755 /etc/init.d/tac_plus
Create a symbolic link in rc2.d and rc3.d (depending on your default runlevel, see /etc/inittab)
# cd /etc/rc2.d
# ln -s ../init.d/tac_plus S92tac_plus
# cd /etc/rc3.d
# ln -s ../init.d/tac_plus S92tac_plus
Add /home/rancid/bin to your PATH (for easier use of clogin),
or create a symbolic link in /usr/bin :
# cd /usr/bin
# ln -s /home/rancid/bin/clogin clogin
Important Note : It seems that clogin fails when there is a MOTD banner on Cisco devices; if you want to be sure that rancid backs up your configs properly, make sure there is no MOTD banner on your equipment.
You can add the alias rancid-rancid_group to the local mail server to receive the CVS diff by mail every time a configuration changes.
How to use clogin
To give administrators a better way to log into your network devices, we will create a user account for each administrator who has the right to connect to the devices.
# adduser --home /home/foobar foobar
Edit the /etc/tac_plus.conf file and add the following lines
user = foobar {
        login = des "the_DES_crypted password"
        enable = des "the_DES_crypted password"
        name = "Foobar User"
}
Note : You can prevent the user from entering privileged mode by commenting out or deleting the "enable..." line.
Create the file /home/foobar/.cloginrc
# if the user doesn't have a privileged account
# add noenable * {1}
add user * {foobar}
add password * {pass_login} {pass_enable}
Note : Passwords are in clear text in this file; it has to be mode 600 and owned by user foobar. Only root and foobar will then be able to read it.
Information :
The line "add noenable * {1}" concerns only the users who don't have privileged access on the devices.
Even if the user removes this line from his .cloginrc file, he won't get privileged access, because it is not granted in his tacacs+ account.
This line just stops clogin from trying to enter privileged mode for a user who doesn't have that right.

Once this file is created, the user just has to run "clogin device_name" and will be logged in automatically. If this user has a privileged account, he will land directly in privileged mode.
The advantage of clogin is that it lets you script commands :
clogin -c "sh ver" equipment_name > file.txt
This command logs the user into the equipment, executes the "show version" command and disconnects.
The output of the command is stored in file.txt.
You can also push configuration to multiple pieces of equipment at once :
clogin -c "conf t;interface g0/1;no shut; end; wr mem" router1 router2
This command will enable GigabitEthernet port 0/1 on both router1 and router2.
You can also pass clogin a file containing multiple commands as a parameter.
See man -M /home/rancid/man clogin for more information.
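Added example (not the article's or rancid's own code) tying together the router.db format from the Rancid section and the clogin -c scripting shown above: it reads the devices marked up in a router.db and runs one command on each through clogin, keeping the output per device. It assumes the rancid-2.3 colon-separated router.db and a clogin on the PATH (the CLOGIN variable overrides it).

```shell
#!/bin/sh
# Added example, not part of the article or of rancid: run one clogin command
# against every device that a rancid router.db lists as "up", one output file
# per device. Assumes the rancid-2.3 router.db format (hostname:os:status)
# and a clogin in $PATH (set CLOGIN to use another path).

# up_devices ROUTER_DB
# Prints one hostname per line for every well-formed "up" entry. Comment and
# blank lines are skipped; malformed lines and unknown statuses are reported
# on stderr and counted, and the count is the exit status (0 = file is clean).
up_devices() {
    awk -F: '
        NF == 0 || /^[[:space:]]*#/ { next }
        NF != 3 || $1 == "" || $2 == "" {
            print FILENAME ":" NR ": malformed line: " $0 > "/dev/stderr"
            bad++; next
        }
        $3 == "up"   { print $1; next }
        $3 == "down" { next }
        { print FILENAME ":" NR ": unknown status \"" $3 "\"" > "/dev/stderr"
          bad++ }
        END { exit bad }
    ' "$1"
}

# run_on_devices ROUTER_DB COMMAND OUTDIR
# Runs COMMAND on every "up" device via "clogin -c COMMAND host" (the form
# the article uses for "sh ver") and writes OUTDIR/<hostname>.txt, stderr
# included, so a failed login is visible next to the good ones.
# Returns the number of devices on which clogin failed.
run_on_devices() {
    db=$1
    cmd=$2
    outdir=$3
    clogin_bin=${CLOGIN:-clogin}
    mkdir -p "$outdir"
    failed=0
    for host in $(up_devices "$db"); do
        if ! "$clogin_bin" -c "$cmd" "$host" > "$outdir/$host.txt" 2>&1; then
            echo "$host: clogin failed, see $outdir/$host.txt" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: script ROUTER_DB "command" OUTDIR
# e.g.   script /home/rancid/var/rancid/mouarf/router.db "sh ver" /tmp/sh-ver
if [ "$#" -eq 3 ]; then
    run_on_devices "$1" "$2" "$3"
fi
```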


Re: Network Administration : Installation of Tacacs+, Rancid, Cvsweb
Posted by Anonymous (194.88.xx.xx) on Wed 16 Aug 2006 at 00:32
Very nice article, thanks for sharing!

Re: Network Administration : Installation of Tacacs+, Rancid, Cvsweb
Posted by Anonymous (217.153.xx.xx) on Thu 17 Aug 2006 at 23:29
Do you know how to connect tacacs to the Linux PAM subsystem? This would be very useful.


br

Re: Network Administration : Installation of Tacacs+, Rancid, Cvsweb
Posted by pymaunier (62.4.xx.xx) on Wed 23 Aug 2006 at 17:17
I think that the tacacs documentation talks about this, but I've never tried.

Re: Network Administration : Installation of Tacacs+, Rancid, Cvsweb
Posted by Anonymous (80.8.xx.xx) on Thu 2 Nov 2006 at 15:28
Thanks a lot, very useful !
Keep up the good work !

Re: Network Administration : Installation of Tacacs+, Rancid, Cvsweb
Posted by Anonymous (41.202.xx.xx) on Fri 21 Mar 2008 at 12:28
Hi sir,
First of all I want to congratulate you on your very nice howto. I am sending you this message because I have a problem logging on to my router. Below you can see the different configurations I have.

====== Error message =======

marina:~# telnet routeur1
Trying 192.168.2.10...
Connected to routeur1.rekkoconcept.ci.
Escape character is '^]'.


User Access Verification

Username: admins
Password:

% Authentication failed.


User Access Verification

Username: admins
Password:

% Authentication failed.


User Access Verification

Username: admins
Password:

% Authentication failed.
Connection closed by foreign host.
marina:~#

====== Files configuration ========

1°- marina:/etc# cat tac_plus.conf
#
# tacacs configuration file
# Dominique Claver KOUAME - 19032008
#/etc/tac_plus.conf

#set the key
key = cle_tacacs

accounting file = /var/log/tac_plus.acct

#user accounts
user = admins {
login = cleartext "manager"
enable = cleartext "manager"
name = "Dominique Claver Kouame"
}

marina:/etc#

I have used cleartext mode because it doesn't work with des. When I use an encrypted password (with tac_pwd) I get the same error.


2°- marina:/etc# ls -l tac_plus.conf
-rw------- 1 root root 300 2008-03-21 11:28 tac_plus.conf
marina:/etc#

3°- marina:~# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.2.1 marina.rekkoconcept.ci marina
192.168.2.10 routeur1.rekkoconcept.ci routeur1

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
marina:~#

=========== Log messages =============
marina:~# tail -f /var/log/tac_plus.acct
Fri Mar 21 11:42:32 2008 192.168.2.10 superviseur tty0 async stop task_id=5 timezone=UTC service=shell start_time=117929282disc-cause=4 disc-cause-ext=47 pre-session-time=30 elapsed_time=662

You can see that I can connect in console mode with the local user "superviseur".

===== Cisco router configuration for tacacs+ =============

aaa new-model
aaa authentication login telnet group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default if-authenticated none
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
!
enable secret superman
!
username superviseur secret manager
!
line con 0
login authentication console
line vty 0 4
login authentication telnet
line vty 5 15
!
tacacs-server host 192.168.2.1
tacacs-server key cle_tacacs


Thanks more for your help.

Regards

PS: I use Debian etch server.

Re: Network Administration : Installation of Tacacs+, Rancid, Cvsweb
Posted by pymaunier (2a01:0xx:0xx:0xxx:0xxx:0xxx:xx) on Fri 21 Mar 2008 at 21:56
If you can connect using local authentication it's because your router can't reach the tacacs server.

But it's strange that /var/log/tac_plus.acct gets the information from your router.
Is there a firewall running on the tacacs server ?

You can contact me via email if you want me to help you with this.
My email is in my profile (I speak French if that is better for you, as you seem to be from Côte d'Ivoire).

Pierre-Yves

Re: Network Administration : Installation of Tacacs+, Rancid, Cvsweb
Posted by Anonymous (41.202.xx.xx) on Sat 22 Mar 2008 at 15:01
Is this your e-mail address: debian-administration@maunier.org? If so, I have already written to you twice.

Thank you for your reply.
My e-mail is kdclaver@yahoo.fr

See you soon, and thank you for your reply by mail

Re: Network Administration : Installation of Tacacs+, Rancid, Cvsweb
Posted by kdclaver (41.202.xx.xx) on Mon 28 Jul 2008 at 17:13
Good evening Mr. Maunier,
I am coming back to you once again because I cannot get the restrictions on user accounts to be taken into account. Let me explain: I would like, for example, a user user1 to be able to use only the show commands and nothing else. I have read the tacacs user guide, but when I apply it, it does not work.
Thank you for helping me go further with the TACACS+ solution

Re: Network Administration : Installation of Tacacs+, Rancid, Cvsweb
Posted by Anonymous (202.175.xx.xx) on Wed 26 Nov 2008 at 04:09
Hi,
It's a very useful article.
I have a problem collecting the routers' and switches' configurations. Currently, I collect information from HQ and the branch hourly.
# 0 * * * * rancid /home/rancid/bin/rancid-run
But I want to collect data from HQ hourly and from the branch daily. So I try to create two GROUPs to contain the HQ and branch switches.
# LIST_OF_GROUP="HQ BRANCH" (In /etc/rancid/rancid.conf)
Then
# 0 * * * * rancid /home/rancid/bin/rancid-run -r HQ
# 0 23 * * * rancid /home/rancid/bin/rancid-run -r Branch

Is it correct?
Thanks for your help.

Regards,
David

Re: Network Administration : Installation of Tacacs+, Rancid, Cvsweb
Posted by pymaunier (83.167.xx.xx) on Thu 27 Nov 2008 at 10:58
Hello David, thanks for your thought.

Your crontab command is not correct.

rancid-run -r blabla only gets the configuration for the device blabla
rancid-run foobar gets the configuration for all devices in the group foobar.

Referring to the rancid-run man page :


SYNOPSIS
rancid-run [-m mail_rcpt] [-r device_name] [group [group ...]]

Pierre-Yves

Re: Network Administration : Installation of Tacacs+, Rancid, Cvsweb
Posted by Anonymous (207.180.xx.xx) on Mon 4 May 2009 at 16:58
Hello,

Isn't the following:

# RANCID
# run config differ hourly
1 * * * * rancid /home/rancid/bin/rancid-run



Set to not run hourly, but every minute? I believe it should be:

0 * * * * rancid /home/rancid/bin/rancid-run

Is this not correct?

Re: Network Administration : Installation of Tacacs+, Rancid, Cvsweb
Posted by Anonymous (196.210.xx.xx) on Tue 7 Dec 2010 at 07:44
No, a cron which runs every minute would be:

* * * * * rancid /home/rancid/bin/rancid-run

The '1' in the minute field in the example means it would run at 1 minute past every hour, i.e. hourly, but on minute 1, as opposed to your example with the '0', which would run every hour on the 0th minute :)

Re: Network Administration : Installation of Tacacs+, Rancid, Cvsweb
Posted by Anonymous (200.107.xx.xx) on Mon 1 Sep 2014 at 20:38
Hi, I am trying to run Rancid on a laptop's virtual machine.
my rancid crontab -l:
# m h dom mon dow command
00 12 * * * /usr/bin/rancid-run

this cron will run daily, but if the laptop/VM is off at 12:00 the task will not run; anacron can run missed crons, but only for root. Any help/direction will be greatly appreciated.

Re: Network Administration : Installation of Tacacs+, Rancid, Cvsweb
Posted by Anonymous (84.228.xx.xx) on Sun 3 Jul 2011 at 21:07
installation also requires gnu flex
use apt-get install flex

checking whether lex is flex in disguise...
configure: error: registry requires gnu flex. sorry

Re: Network Administration : Installation of Tacacs+, Rancid, Cvsweb
Posted by Anonymous (24.234.xx.xx) on Wed 1 Aug 2012 at 03:04
I can't get the cron job to work. I've tried other methods such as executing crontab -e as root and adding rancid username. Do I need the absolute path to the command? If so what is it? FYI, rancid-run is fine if I execute it manually.

Re: Network Administration : Installation of Tacacs+, Rancid, Cvsweb
Posted by Anonymous (41.224.xx.xx) on Thu 9 Aug 2012 at 10:07
hi,
i have installed Tacacs+ as described but i have problems managing authorizations.
this is my configuration:

aaa new-model
aaa authentication login telnet group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+

user = supervisor {
login = cleartext "normal"
enable = cleartext "enable"
service = exec {
priv-lvl=1
}
service = shell {
priv-lvl=1
}
}

I want to limit the access of user "supervisor" to privilege 15, for example. I'm desperate, can anyone help me?

Re: Network Administration : Installation of Tacacs+, Rancid, Cvsweb
Posted by Anonymous (186.15.xx.xx) on Tue 19 Nov 2013 at 21:13
works like a charm! thanks!

I only have a problem with the delete-logs task, which doesn't work for me:

00 00 * * 0 rancid /usr/bin/find /home/rancid/var/logs -type f -mtime +2 -exec rm {} \;

I set this task to delete the log files every Sunday at 00:00, but all the logs are still there.

thanks!

Re: Network Administration : Installation of Tacacs+, Rancid, Cvsweb
Posted by Anonymous (193.63.xx.xx) on Mon 22 Jun 2015 at 10:41
I have to thank you a million times over for this Rancid install help. I have been bashing away at it for a few days now and as of 10 mins ago I now have it all running, pulling config from my Junipers and accessible with CVSWEB. Beautiful - and thanks.

P.s. I had to find rancid 2.3.8 as the newer 3.2 variant does not seem to play nice, I had many false starts with it.

Config of Tacacs
Posted by Anonymous (217.156.xx.xx) on Thu 5 Nov 2015 at 14:37
Hi,

When a user is logged in and in (conf) mode on the Cisco switch, he is able to execute all the existing commands.
In my configuration file (tac_plus.conf) I only allow him to execute "interface" in (conf) mode.
How do I define the allowed commands in (conf) mode?

Thank you very much for your help,

Vincent


Content of tac_plus.conf file:
#User appr2
user = appr2 {
member = group_1
login = cleartext appr2
}

#Group_1
group = group_1 {

service = exec {
priv-lvl = 0
#default service = permit
}
cmd = enable {
permit .*
}
cmd = show {
deny "interfaces.*"
permit "running.*"
}
cmd = configure {
permit .*
}
cmd = interface {
allow "^GigabitEthernet2/0/2[5678] <cr>$"
}

Configuration of the network device (Cisco Catalyst 3750):
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting delay-start
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.168.10.121
tacacs-server directed-request
tacacs-server key 7 key

