-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathtac_user.cfg
117 lines (96 loc) · 2.94 KB
/
tac_user.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
# This configuration file is included in the primary config file. It's unlikely the primary configuration file requires modification.
# Detailed configuration options can be found here: http://www.pro-bono-publico.de/projects/tac_plus.html
host = world {
address = 0.0.0.0/0 # Which devices can use this server
key = ciscotacacskey # Modify this value to change TACACS key to device.
enable 15 = clear cisco # Added this to support ASAs which require enable secrets
}
# These groups are for IOS / IOS-XE
group = ios-priv-15 {
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
}
}
group = ios-priv-1 {
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 1
}
}
# These groups are for NX-OS
group = nxos-netadmin {
service = shell {
set cisco-av-pair = "shell:roles*'network-admin vdc-admin'"
}
}
group = nxos-netop {
service = shell {
set cisco-av-pair = "shell:roles*'network-operator'"
}
}
# These groups are for ACI / APIC
group = aci-admin {
service = shell {
set cisco-av-pair = "shell:domains=all/admin/"
}
}
group = aci-readonly {
service = shell {
set cisco-av-pair = "shell:domains=all//read-all"
}
}
# Users part of this group cannot execute any commands unless specified. Various messages can be sent depending on success or failure.
group = show-user {
service = shell {
message deny = "Try this again and your account will be revoked."
cmd = show {
deny "clock"
permit ""
message deny = "For some reason we will restrict clock access!"
}
cmd = show {
deny "^(running|startup)-config"
deny "tech-support"
permit ""
message permit = "This data is to be considered confidentional."
}
}
}
# This is the priv 15 user, linked to the priv-15 group.
user = iosadmin {
password = clear cisco
member = ios-priv-15
}
# This is the unpriv'd user, linked to the priv-1 group.
user = iosuser {
password = clear cisco
member = ios-priv-1
}
# This is the priv 15 user, linked to the priv-15 group.
user = nxosadmin {
password = clear cisco
member = nxos-netadmin
}
# This is the unpriv'd user, linked to the priv-0 group.
user = nxosuser {
password = clear cisco
member = nxos-netop
}
# This is the priv 15 user, linked to the priv-15 group.
user = aciadmin {
password = clear cisco
member = aci-admin
}
# This is the unpriv'd user, linked to the priv-0 group.
user = aciro {
password = clear cisco
member = aci-readonly
}
# This is the unpriv'd user who only has show commands, linked to the show-user group.
user = showuser {
password = clear cisco
member = show-user
}