LinuxQuestions.org


lifeforce4 06-06-2008 10:18 AM

TACACS+ with privilege levels.
 
I have a test box running TAC_Plus and a test switch for AAA at work. The switch is accessing the TACACS+ server just fine. Every time someone from the networking team moves on to another job we have to reset the passwords. The network has 250+ devices on it, so a local database would be very tedious to manage. This is my first time working with AAA and TACACS+. I just need two accounts: one with limited access to commands defined by us, and then a full level 15 Admin account. Below is the test setup. Am I even going in the right direction with this, or is there a better way?

Summary:
Define users with different privilege levels (support and admin).
Fall back to line login if TACACS+ is not functional.

Code:

!
version 12.2
!
enable secret 5 $1$.x.E$eIZdDoxO0Axcilulx15bE.
enable password 7 00071A150754
!
username test privilege 15 secret 5 $1$GYVq$W9kLLPHEtaCl23VDVLG1B1
aaa new-model
aaa authentication login telnet group tacacs+ line
aaa authentication login console group tacacs+ line
aaa authentication enable default group tacacs+ enable
!
aaa session-id common
!
tacacs-server host 10.x.x.x
tacacs-server directed-request
tacacs-server key 7 071B245F5A021C1C
!
line con 0
password 7 045802150C2E
login authentication console
line vty 0 4
password 7 02050D4808095E
login authentication telnet
line vty 5 15
password 7 14141B180F0B
!

Code:

### tac_plus.conf file

key = testkey

accounting file = /var/log/tac_plus.acct

user = tester {
        login = des "loSpjp7SWwDy6"     # crypt(3) hash; plaintext is logtest
        enable = des "N1J88Idk0aNTE"    # crypt(3) hash; plaintext is entest
        name = "test"

        cmd = show {
                permit .*
        }
}

Thanks,
Kyle

bmarx 06-07-2008 12:32 PM

Your configuration looks pretty good to me, although you probably also want to add in aaa authorization commands so the network devices check what authenticated users can/cannot do. This page looked to be very similar to what you are trying to do:

http://bdsltd.co.uk/network/cisco/tacacs.htm

lifeforce4 06-07-2008 03:08 PM

Quote:

Originally Posted by bmarx (Post 3177659)
Your configuration looks pretty good to me, although you probably also want to add in aaa authorization commands so the network devices check what authenticated users can/cannot do. This page looked to be very similar to what you are trying to do:

http://bdsltd.co.uk/network/cisco/tacacs.htm

My question is: do I have to add to one user the cmd = command { permit .* } for every single command to have privilege level 15 full administrative rights for one user? Basically the three network admins will know the line passwords, and if the tacacs goes down that's still fine, they will be able to access it. What I am worried about is if the tacacs is up and they don't have full functional control, or worse yet, the limited account has commands not assigned to it.

I guess I'm just trying to see the links between who gets defined 15 access and who gets limited privileges.

Thanks for the help,
Kyle
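One way to express the two roles asked about in this thread (a full level 15 admin without listing every command, and a show-only support account), as an added example that is not the poster's file or the tac_plus project's sample; the group and user names, shared key and hashes are placeholders, and the switch-side lines at the end are the authorization commands bmarx suggested:

```conf
# tac_plus.conf: added example; names, key and hashes are placeholders.
key = "REPLACE_WITH_SHARED_KEY"
accounting file = /var/log/tac_plus.acct

# Full administrator: every service and command not listed here is permitted,
# so no cmd = ... { permit .* } entry is needed per command.
group = admin {
        default service = permit
        service = exec {
                priv-lvl = 15           # user lands in enable mode
        }
}

# Limited support role: only what is listed here is allowed.
group = support {
        default service = deny
        service = exec {
                priv-lvl = 1
        }
        cmd = show {
                deny running-config     # keeps type 7 strings and the key out of view
                permit .*
        }
        cmd = ping {
                permit .*
        }
        cmd = exit {
                permit .*
        }
}

user = kyle {
        member = admin
        login = des "REPLACE_WITH_crypt3_HASH"
        enable = des "REPLACE_WITH_crypt3_HASH"
}

user = helpdesk {
        member = support
        login = des "REPLACE_WITH_crypt3_HASH"
}

# Switch side (per bmarx's suggestion), so IOS asks tac_plus before each
# command runs; if-authenticated keeps the line-password fallback usable
# when the TACACS+ server is unreachable:
#   aaa authorization exec default group tacacs+ if-authenticated
#   aaa authorization commands 1 default group tacacs+ if-authenticated
#   aaa authorization commands 15 default group tacacs+ if-authenticated
#   aaa authorization console
```

With this split, a support login can run show commands but nothing else, while the admin login gets every command because of default service = permit rather than a per-command list.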

