[tac_plus] Re: Privilege Level / Configuration Changes

JCharlton at DataPointInc.com JCharlton at DataPointInc.com
Wed Nov 14 18:29:22 UTC 2007


Thanks a lot for the help, that worked how I thought it would.





Jason Charlton, CCNA
DataPoint Inc.
410-209-6770
noc at datapointinc.com


-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net] 
Sent: Tuesday, November 13, 2007 7:19 PM
To: Jason Charlton
Cc: heas at shrubbery.net; tac_plus at shrubbery.net
Subject: Re: [tac_plus] Privilege Level / Configuration Changes

Tue, Nov 13, 2007 at 11:23:01AM -0500, JCharlton at DataPointInc.com:
> John,
> 
> We had spoken a few weeks back; the suggestion you made to my question in
> the email below did not seem to work.
> 
> I may be using the wrong command on my Cisco gear, can you verify if
> this is the command I need to work in conjunction with the TACACS+ server
> commands you provided.
> 
> aaa authorization exec default group tacacs+

yes, but may want:
aaa authorization exec default group tacacs+ none 

> I am trying to be able to use TACACS+, but not have to type in the
> enable password when logging in, for some users, not all.

this does not work on the console.  only vtys.  ask cisco TAC why.

> Thanks. 
> 
> Jason Charlton, CCNA
> DataPoint Inc.
> 410-209-6770
> noc at datapointinc.com
> 
> 
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net] 
> Sent: Monday, October 22, 2007 4:12 PM
> To: Jason Charlton
> Cc: heas at shrubbery.net; tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Privilege Level / Configuration Changes
> 
> the device must also be configured for authorization.
> 
> Mon, Oct 22, 2007 at 03:49:17PM -0400, JCharlton at DataPointInc.com:
> > Thank you, the restarting command works great, but I still can't login
> > and have a user be in enable mode without having to type the enable
> > password.
> > 
> > 
> > The statement for this user looks like:
> > 
> > user = jcharlton {
> >         login = des *****
> >         member = staff
> > }
> > 
> > 
> > With the commands you provided me, my file looks like this, but not
> > acting as I thought it would.
> > 
> > user = jcharlton {
> >         login = des sK7fnk8/W5Cvc
> >         member = staff
> >         service = exec {
> >                 priv-lvl=15
> >         }
> > }
> > 
> > 
> > Thanks for any further help.
> > 
> > 
> > 
> > 
> > 
> > Jason Charlton, CCNA
> > DataPoint Inc.
> > 410-209-6770
> > noc at datapointinc.com
> > 
> > -----Original Message-----
> > From: john heasley [mailto:heas at shrubbery.net] 
> > Sent: Monday, October 22, 2007 3:23 PM
> > To: Jason Charlton
> > Cc: tac_plus at shrubbery.net
> > Subject: Re: [tac_plus] Privilege Level / Configuration Changes
> > 
> > Mon, Oct 22, 2007 at 03:15:29PM -0400, JCharlton at DataPointInc.com:
> > > Hello,
> > > 
> > > I have 2 questions.  First one is, I am using tacacs+-F4.0.4.10, on
> > > CentOS 5.  I am trying to make it so on a per user basis, when they
> > > authenticate to our Cisco gear, they go into enable mode instead of
> > > starting in user mode, like you are able to do when you configure
> > > usernames with privilege 15 on a Cisco router or switch.
> > 
> > user = name {
> >         service = exec {
> >                 priv-lvl=15
> >         }
> > }
> > 
> > > Another thing is that I am trying to make a script or make it so that
> > > if you change the configuration file, that you do not have to restart
> > > the box to make the change go through, because unfortunately that is
> > > the only way I have found to make it apply the configuration changes
> > > in the conf file, and I still have to do tac_plus -C /(file) after
> > > restart.
> > 
> > kill -1 `cat /var/run/tac_plus.pid`
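Editor's note, added to this archived thread and not part of anyone's message: the stanzas quoted above drop a user straight into privilege 15 on login, so an administrator maintaining such a file wants a quick way to list which accounts get that, including accounts that inherit it through `member =`. The Python below is an added example of that audit, not code from the tac_plus project or from the posters; the configuration it parses is constructed for the example (placeholder password hashes, invented groups), and its group walk assumes tac_plus resolves an attribute a user does not set by looking at the groups named in `member =`. It also flags the `none` fallback in the IOS `aaa authorization` line suggested above, which makes exec authorization succeed without the server whenever TACACS+ is unreachable.

```python
import re

# Constructed sample tac_plus configuration, modelled on the stanzas quoted
# in the thread.  Hashes are placeholders and the groups are invented.
SAMPLE_CONF = """
group = staff {
        default service = permit
}

group = netadmin {
        member = staff
        service = exec {
                priv-lvl = 15
        }
}

user = jcharlton {
        login = des PLACEHOLDER_HASH
        member = staff
        service = exec {
                priv-lvl=15
        }
}

user = readonly {
        login = des PLACEHOLDER_HASH
        member = staff
}

user = alice {
        login = des PLACEHOLDER_HASH
        member = netadmin
}
"""

STANZA_RE = re.compile(r'\b(user|group)\s*=\s*([^\s{]+)\s*\{')
EXEC_RE = re.compile(r'service\s*=\s*exec\s*\{([^}]*)\}')
PRIV_RE = re.compile(r'priv-lvl\s*=\s*(\d+)')
MEMBER_RE = re.compile(r'\bmember\s*=\s*([^\s{}]+)')


def parse_stanzas(text):
    """Split the file into top-level user/group stanzas.

    Returns {"user": {name: body}, "group": {name: body}} where body is the
    raw text between the stanza's braces (nested braces are balanced by hand).
    """
    stanzas = {"user": {}, "group": {}}
    pos = 0
    while True:
        m = STANZA_RE.search(text, pos)
        if not m:
            return stanzas
        depth, i = 1, m.end()
        while i < len(text) and depth:
            if text[i] == '{':
                depth += 1
            elif text[i] == '}':
                depth -= 1
            i += 1
        if depth:
            raise ValueError(f"unbalanced braces in {m.group(1)} {m.group(2)}")
        stanzas[m.group(1)][m.group(2)] = text[m.end():i - 1]
        pos = i


def own_priv_lvl(body):
    """priv-lvl set directly inside this stanza's `service = exec { }`, else None."""
    m = EXEC_RE.search(body)
    if not m:
        return None
    p = PRIV_RE.search(m.group(1))
    return int(p.group(1)) if p else None


def effective_priv_lvl(name, stanzas):
    """Follow `member =` links (assumed inheritance) until a priv-lvl is found."""
    body = stanzas["user"][name]
    seen = set()
    while True:
        lvl = own_priv_lvl(body)
        if lvl is not None:
            return lvl
        m = MEMBER_RE.search(body)
        if not m:
            return None
        group = m.group(1)
        if group in seen or group not in stanzas["group"]:
            return None          # dangling or cyclic membership: nothing inherited
        seen.add(group)
        body = stanzas["group"][group]


def audit_exec_privilege(text):
    """Map every user to the exec privilege level the file hands out at login."""
    stanzas = parse_stanzas(text)
    return {u: effective_priv_lvl(u, stanzas) for u in stanzas["user"]}


def authorization_fails_open(ios_line):
    """True when an IOS 'aaa authorization ...' method list ends in 'none',
    i.e. authorization is skipped if every earlier method errors out."""
    tokens = ios_line.split()
    return len(tokens) >= 3 and tokens[:2] == ["aaa", "authorization"] and tokens[-1] == "none"


if __name__ == "__main__":
    for user, lvl in audit_exec_privilege(SAMPLE_CONF).items():
        print(f"{user:12} priv-lvl={lvl}")
    for line in ("aaa authorization exec default group tacacs+",
                 "aaa authorization exec default group tacacs+ none"):
        print(f"fail-open={authorization_fails_open(line)!s:5} {line}")
```

The audit reports `jcharlton` and `alice` at level 15 (the latter only through the `netadmin` group) and `readonly` with no level set. The `kill -1` in the last quoted reply sends SIGHUP, which is the signal tac_plus catches to re-read its configuration; running an audit like this before reloading catches an accidental privilege-15 grant while it is still only on disk.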

