ตัวอย่างการ config cisco กับ tacacs+ เพื่อ authenticate และ authorize user ที่ login เข้ามาใช้งานอุปกรณ์
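! --- Device side: AAA against TACACS+ with local fallback ---
aaa new-model
! The "default" login list is "none": any line NOT bound to AUTH_TACACS below
! (console, aux, any further vty lines) requires no login at all. Bind every
! line to AUTH_TACACS, or tighten this default, before deploying.
aaa authentication login default none
! Named list: ask the TACACS+ servers first, fall back to the local user
! database only when no server answers (keep a local user defined for that).
aaa authentication login AUTH_TACACS group tacacs+ local
! Privilege escalation: TACACS+ first, then the locally configured enable secret.
aaa authentication enable default group tacacs+ enable
! Also send commands entered in configuration mode for authorization,
! not only exec-mode commands.
aaa authorization config-commands
! Same caveat as the login default: a line not bound to AUTH_TACACS gets an
! unrestricted exec shell.
aaa authorization exec default none
! The trailing "none" means "permit" when neither TACACS+ nor local answers.
! NOTE(review): IOS keeps no local command-authorization database, so with the
! servers down command authorization presumably falls through to "none"
! (fail-open) - confirm this is acceptable for this environment.
aaa authorization exec AUTH_TACACS group tacacs+ local none
aaa authorization commands 1 AUTH_TACACS group tacacs+ local none
aaa authorization commands 15 AUTH_TACACS group tacacs+ local none
! Accounting lists. These only take effect once applied to a line (see vty).
aaa accounting exec AUTH_TACACS start-stop group tacacs+
aaa accounting commands 1 AUTH_TACACS start-stop group tacacs+
aaa accounting commands 15 AUTH_TACACS start-stop group tacacs+
! Server address and shared secret; TACACS_KEY is a placeholder and must match
! "key" in tac_plus.cfg. The shared key only obfuscates the packet body, so
! keep device-to-server traffic on a management network.
tacacs-server host 192.168.1.2
tacacs-server key TACACS_KEY
! Bind the named lists to the first five vty lines. The three "accounting"
! lines are required here as well; without them the accounting lists defined
! above are never used and no session or command records reach the server.
line vty 0 4
 authorization commands 1 AUTH_TACACS
 authorization commands 15 AUTH_TACACS
 authorization exec AUTH_TACACS
 accounting exec AUTH_TACACS
 accounting commands 1 AUTH_TACACS
 accounting commands 15 AUTH_TACACS
 login authentication AUTH_TACACS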
!-----------------------------------------
! tac_plus.cfg
# Shared secret; must match "tacacs-server key" on the device (placeholder value).
key = TACACS_KEY
# Users without their own login method are checked against the host password
# file. NOTE(review): on systems with shadow passwords /etc/passwd holds no
# hashes - confirm the daemon can actually verify against this file.
default authentication = file /etc/passwd
# Where exec and command accounting records sent by the device are written.
accounting file = /var/log/tac_acc.log
# Password for "enable" at privilege level 15, stored in cleartext.
# NOTE(review): prefer a hashed login form the daemon supports and restrict
# read permissions on this file.
user = $enab15$ {
login = cleartext "enable15"
}
######### GROUP DECLARATION #########
group = Administrator {
# Any command without a cmd block below is permitted (configure, clear and
# debug, for example, are not listed). Patterns are regular expressions
# matched against the command arguments; presumably tested in order with the
# first match deciding - verify against the daemon's documentation.
default service = permit
# example configuration for authorize commands
cmd = ping {
permit .*
}
cmd = reload {
deny .*
}
# "write" and "copy" are blocked outright, so changes cannot be saved to
# startup configuration through these commands.
cmd = write {
deny .*
}
cmd = copy {
deny .*
}
# Patterns are unanchored: "config" also matches "show running-config",
# "show startup-config" and "show configuration"; "running" covers the rest.
cmd = show {
deny config
deny running
permit .*
}
# Only the default route is blocked; every other "ip ..." command is allowed.
cmd = ip {
deny "route 0.0.0.0 0.0.0.0"
permit .*
}
# No local account management from the device.
cmd = username {
deny .*
}
# The enable password/secret cannot be changed; other "enable ..." forms pass.
cmd = enable {
deny password
deny secret
permit .*
}
# Mirrors the denies above for the "no" form of each command, so a restricted
# setting cannot be removed either.
cmd = no {
deny "ip route 0.0.0.0 0.0.0.0"
deny "username .*"
deny "enable password .*"
deny "enable secret .*"
permit .*
}
}
# Single user: exec service at privilege 15, inheriting the group's command rules.
user = kitti { service = exec { priv-lvl =15 } member = Administrator }