Friday, April 11, 2008

[Cisco] config cisco กับ tacacs+

ตัวอย่างการ config cisco กับ tacacs+ เพื่อ authen, authorize user ที่ login เข้ามาใช้งานอุปกรณ์

! AAA via TACACS+: authentication of logins, exec/command authorization, and accounting.
! Method lists named AUTH_TACACS try the tacacs+ server group first, then the local user
! database. The trailing "none" on the authorization lists means that when no earlier
! method can answer (server unreachable, no local match) authorization succeeds — a
! fail-open fallback; review whether "group tacacs+ local" without "none" is acceptable.
aaa new-model
! The default login list is "none". Any line not explicitly bound to AUTH_TACACS has no
! login authentication; only vty 0 4 is bound below, so the console (not shown) and any
! higher-numbered vty lines the platform provides would fall under this default.
aaa authentication login default none
aaa authentication login AUTH_TACACS group tacacs+ local
! Enable-mode authentication goes to TACACS+ first, then the locally configured enable
! password. Server-side counterpart is the $enab15$ entry in tac_plus.cfg.
aaa authentication enable default group tacacs+ enable
! Also send configuration-mode commands for authorization, not only exec-mode commands.
aaa authorization config-commands
aaa authorization exec default none
aaa authorization exec AUTH_TACACS group tacacs+ local none
aaa authorization commands 1 AUTH_TACACS group tacacs+ local none
aaa authorization commands 15 AUTH_TACACS group tacacs+ local none
! Start-stop accounting for exec sessions and level 1/15 commands to the tacacs+ group.
! NOTE(review): these are named lists, and named accounting lists only take effect when
! applied to a line; "line vty 0 4" below applies none of them, so add
! "accounting exec AUTH_TACACS" and "accounting commands 1|15 AUTH_TACACS" there (or define
! default lists) or no accounting records are produced.
aaa accounting exec AUTH_TACACS start-stop group tacacs+
aaa accounting commands 1 AUTH_TACACS start-stop group tacacs+
aaa accounting commands 15 AUTH_TACACS start-stop group tacacs+

! Single TACACS+ server, no backup: if it is unreachable every list above drops to its
! "local"/"none" fallback. TACACS_KEY is a placeholder that must match "key" in tac_plus.cfg.
tacacs-server host 192.168.1.2
tacacs-server key TACACS_KEY

! Bind the AUTH_TACACS login and authorization lists to vty 0-4 only (see the notes on the
! default lists and on accounting above).
line vty 0 4
authorization commands 1 AUTH_TACACS
authorization commands 15 AUTH_TACACS
authorization exec AUTH_TACACS
login authentication AUTH_TACACS

!-----------------------------------------
! tac_plus.cfg

# Shared secret for the TACACS+ session; must match "tacacs-server key" on the device.
# TACACS_KEY is a placeholder. Because this file holds the secret in cleartext, keep it
# readable by the tac_plus user only.
key = TACACS_KEY

# Users without their own "login" attribute (e.g. kitti below) are authenticated against
# the system password file.
# NOTE(review): on hosts using shadow passwords /etc/passwd contains no password hashes —
# confirm which file this tac_plus build expects.
default authentication = file /etc/passwd
accounting file = /var/log/tac_acc.log

# Password answered to the device's enable (privilege 15) authentication requests, stored in
# cleartext here. NOTE(review): confirm in the tac_plus manual for this version when the
# $enab15$ entry is consulted versus the logged-in user's own credentials.
user = $enab15$ {
login = cleartext "enable15"
}

######### GROUP DECLARATION #########

# Authorization policy for administrators. "default service = permit" makes this a denylist:
# any command without a cmd block below (configure terminal, interface, aaa, tacacs-server,
# line, ...) is permitted, so members can still change the AAA configuration itself.
# An allowlist ("default service = deny" plus explicit permits) is the stronger shape.
group = Administrator {
default service = permit

# example configuration for authorize commands
# Each cmd block lists permit/deny patterns that are matched against the command's
# argument string in order; the first match decides.
# NOTE(review): the patterns look unanchored, so e.g. "config" would also match
# "show startup-config" and "show configuration" — confirm that is intended.
cmd = ping {
permit .*
}
cmd = reload {
deny .*
}
# "write" and "copy" are denied with every argument (and with no argument, since .* matches
# an empty string), so the running configuration cannot be saved through them.
cmd = write {
deny .*
}
cmd = copy {
deny .*
}
# show: everything except arguments containing "config" or "running".
cmd = show {
deny config
deny running
permit .*
}

# Configuration-mode commands (sent because of "aaa authorization config-commands" on the
# device): only the default route is blocked under "ip"; all other ip commands are allowed.
cmd = ip {
deny "route 0.0.0.0 0.0.0.0"
permit .*
}
cmd = username {
deny .*
}
# enable: block changing the enable password/secret, allow the rest.
cmd = enable {
deny password
deny secret
permit .*
}

# Mirror the denials above for the "no" form so they cannot be removed either.
cmd = no {
deny "ip route 0.0.0.0 0.0.0.0"
deny "username .*"
deny "enable password .*"
deny "enable secret .*"
permit .*
}

}
# kitti: no "login" attribute, so authenticated by the default (/etc/passwd); the exec
# service returns priv-lvl 15, which with "aaa authorization exec" on the device lands the
# user directly in privileged mode. Inherits the Administrator command policy.
user = kitti { service = exec { priv-lvl =15 } member = Administrator }