Configurations below should work with all
CISCO ROUTER
! Enable the AAA subsystem; required before the other aaa commands.
aaa new-model
! Login and enable authentication ask TACACS+ first. The enable secret is the
! fallback, used only when the TACACS+ server returns an error or does not
! answer, not when it rejects the user.
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
! Per-command authorization for privilege levels 1 and 15 only; commands moved
! to any other level are not covered by these two lines.
! NOTE(review): the trailing "none" means that when the TACACS+ server cannot
! be reached, every command is allowed without a check. That avoids lockout,
! but it also removes all per-user command restrictions during an outage.
! Consider "local" or "if-authenticated" as the fallback where that matters.
aaa authorization commands 1 default tacacs+ none
aaa authorization commands 15 default tacacs+ none
! Accounting: send start and stop records to TACACS+ for exec sessions,
! level 1 and level 15 commands, and network, connection and system events.
! NOTE(review): TACACS+ is the only method listed, so presumably nothing is
! recorded while the server is unreachable - confirm.
aaa accounting exec default start-stop tacacs+
aaa accounting commands 1 default start-stop tacacs+
aaa accounting commands 15 default start-stop tacacs+
aaa accounting network default start-stop tacacs+
aaa accounting connection default start-stop tacacs+
aaa accounting system default start-stop tacacs+
! TACACS+ server address and shared key. The key must match "key =" in
! tac_plus.cfg on the server. The value shown is a short sample; use a long
! random key per deployment, since it is the only protection the TACACS+
! protocol gives the session contents on the wire.
tacacs-server host 172.16.0.1
tacacs-server key bdsltd
! Local enable secret, the fallback named in the authentication lines above.
! Sample value; replace it, and do not reuse it as the TACACS+ enable password.
enable secret spicegirls
For Local Authentication
! Variant: fall back to the router's local username database instead of the
! enable secret when the TACACS+ server does not answer.
aaa authentication login default tacacs+ local
! NOTE(review): "username ... password" keeps the password in the config as
! cleartext, or in the reversible type 7 form when service
! password-encryption is on. Where the IOS release supports it, prefer
! "username bill secret <password>" so only a hash is stored. The
! credentials shown are samples.
username bill password ben
LINUX
The files below are from:
tac_plus-F4.0.3.alpha-5.i386.rpm
tac_plus-F4.0.3.alpha-6.i386.rpm
tac_plus-F4.0.3.alpha-7.i386.rpm
tac_plus-F4.0.3.alpha-7 src
/etc/tacacs/tac_plus.cfg
# Shared key for TACACS+ packets; must equal "tacacs-server key" on the router.
# Sample value - use a long random key, and keep this file readable only by
# the account that runs tac_plus, since it also holds cleartext passwords.
key = bdsltd
# Authenticate users that have no login method of their own against the
# system shadow file.
# NOTE(review): presumably this lets any system account with a usable
# password in /etc/shadow (root included) authenticate to the routers -
# confirm, and consider a dedicated password file for network logins.
default authentication = file /etc/shadow
# File that receives the accounting records.
# NOTE(review): command accounting can record configuration lines that
# contain secrets; restrict permissions on this log and rotate it.
accounting file = /var/log/tac_acc.log
# Profile used for enable requests. The user name is $enab15$; it used to be
# $enable$.
# NOTE(review): the enable password is stored here in cleartext and is the
# same sample value as the router's local "enable secret" shown earlier, so
# reading this file reveals both. tac_plus also accepts
# "login = des <crypt hash>", which avoids keeping the plain password here.
user = $enab15$ {
login = cleartext "spicegirls"
}
# Profiles for user accounts
# bill: the password is checked against /etc/shadow. "default service = permit"
# authorizes every service and command that is not listed explicitly, so this
# account is unrestricted once logged in.
user = bill {
default service = permit
login = file /etc/shadow
}
# idiot: restricted account. There is no "default service = permit", so only
# the commands listed below are authorized.
# NOTE(review): cleartext sample password; replace it or use a hashed form.
user = idiot {
login = cleartext ohno
# The permit strings are regular expressions matched against the command
# arguments, not shell globs: "interface*" means "interfac" followed by zero
# or more "e".
# NOTE(review): the patterns look unanchored, so any "show" argument string
# that contains "interfac" would be allowed - confirm against the tac_plus
# guide and anchor with ^ if only "show interface..." is intended.
cmd = show {
permit "interface*"
permit "ip interface*"
}
# ping and traceroute are allowed with any arguments.
cmd = ping {
permit .*
}
cmd = traceroute {
permit .*
}
}
# Profile for the script that alters the router configuration.
# NOTE(review): cleartext sample password "passwd"; an automation account
# that can change configuration needs a strong, unique credential.
user = script {
login = cleartext passwd
# Enter configuration mode from the terminal only.
cmd = configure {
permit "terminal"
}
# Interface selection is limited to Dialer 1; any description text is allowed.
cmd = interface { permit "Dialer 1" }
cmd = description { permit .* }
# Dialer and PPP settings the script may change.
# NOTE(review): short patterns such as "string" look unanchored, so they
# would match anywhere in the argument text - confirm, and anchor with ^
# where an exact sub-command is intended.
cmd = dialer {
permit "string"
permit "load-threshold"
}
cmd = ppp {
permit "pap sent-username"
permit "multilink"
}
# "no" forms of the same dialer and ppp settings.
cmd = no {
permit "dialer string"
permit "dialer load-threshold"
permit "ppp pap sent-username"
permit "ppp multilink"
}
# NOTE(review): "." matches any single character, so every "write" variant
# with an argument is allowed, not just saving the configuration. If only
# saving is needed, a narrower pattern such as "^memory" (constructed
# example) is tighter - confirm the exact argument string tac_plus receives.
cmd = write { permit . }
}