I have a test box running TAC_Plus and a test switch for AAA at work. The switch is accessing the TACACS+ server just fine. Every time someone from the networking team moves on with another job we have to reset the passwords. The network has 250+ devices on it so a local database would be very tedious to manage. This is my first time working with AAA and TACACS+. I just need two accounts one with limited access to commands defined by us and then a full level 15 Admin account. Below is the test setup am I even going the right direction with this or is there a better way?
Summery:
Define Users with different privilege levels(support and admin).
Fall back to line login if TACACS+ is not functional.
Code:
!
version 12.2
!
enable secret 5 $1$.x.E$eIZdDoxO0Axcilulx15bE.
enable password 7 00071A150754
!
username test privilege 15 secret 5 $1$GYVq$W9kLLPHEtaCl23VDVLG1B1
aaa new-model
aaa authentication login telnet group tacacs+ line
aaa authentication login console group tacacs+ line
aaa authentication enable default group tacacs+ enable
!
aaa session-id common
!
tacacs-server host 10.x.x.x
tacacs-server directed-request
tacacs-server key 7 071B245F5A021C1C
!
line con 0
password 7 045802150C2E
login authentication console
line vty 0 4
password 7 02050D4808095E
login authentication telnet
line vty 5 15
password 7 14141B180F0B
!
Code:
### tac_plus.conf file
key = testkey
accounting file = /var/log/tac_plus.acct
user = tester {
loging = cleartext "loSpjp7SWwDy6" #logtest
enable = cleartext "N1J88Idk0aNTE" #entest
name = "test"
cmd = show {
permit .*
}
}
Thanks,
Kyle
