OK, so here is what I have:<br><br>user tom { <br> login = cleartext 'tom'<br> enable = cleartext 'tom12'<br>}<br><br>
acl = badmatt {<br>
login = cleartext 'matt'<br> enable = cleartext 'matt12'<br> deny 192\.168\.0\.1 # disallow enable on this tacacs client<br>
permit .*<br>
}<br>
user matt { enableacl = badmatt }<br><br>Will this work so that Tom and Matt can both enable on all things except the 192.168.0.1 that Matt is ACL'd from?<br><br>Tom <br><br><div class="gmail_quote">On Tue, Aug 4, 2009 at 3:21 PM, Schmidt, Daniel <span dir="ltr"><<a href="mailto:dan.schmidt@uplinkdata.com">dan.schmidt@uplinkdata.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Why would you want to do such a thing? The enable password should be<br>
linked to the account, with enable = cleartext 'badmatt' or enable =<br>
file /etc/passwd. He should have the same enable password, but<br>
different levels of access. You should be able to do this in the<br>
tac_plus config, but if you really want to get granular, you can use an<br>
after authentication script like mine on <a href="http://tacacs.org" target="_blank">tacacs.org</a>.<br>
<div><div></div><div class="h5"><br>
-----Original Message-----<br>
From: <a href="mailto:tac_plus-bounces@shrubbery.net">tac_plus-bounces@shrubbery.net</a><br>
[mailto:<a href="mailto:tac_plus-bounces@shrubbery.net">tac_plus-bounces@shrubbery.net</a>] On Behalf Of Tom Murch<br>
Sent: Tuesday, August 04, 2009 6:22 AM<br>
To: john heasley<br>
Cc: <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
Subject: [tac_plus] Re: tac_plus config<br>
<br>
Great, that worked, so the only other thing I do not understand is how to<br>
let Tom enable on all routers and switches when there are 5 different enable<br>
passwords between all the equipment?<br>
<br>
On Mon, Aug 3, 2009 at 11:46 AM, john heasley <<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>> wrote:<br>
<br>
> Mon, Aug 03, 2009 at 10:55:32AM -0400, Tom Murch:<br>
> > Hello<br>
> ><br>
> > so I am trying to get this up and running correctly but I am not sure on a<br>
> > few things. What I am trying to accomplish is as follows:<br>
> ><br>
> > user tom would have access to switches 1-5 and routers 1-10. Tom will also<br>
> > be able to enable on all these switches and routers. The enable password is<br>
> > different on some routers how do I define that?<br>
> ><br>
> > user matt would have access to switches 1-5 and routers 1-10 but only able<br>
> > to enable on switches 1-5 and routers 1-4.<br>
><br>
> user tom { }<br>
> acl = badmatt {<br>
> deny 192\.168\.0\.1 # disallow enable on this tacacs client<br>
> permit .*<br>
> }<br>
> user matt { enableacl = badmatt }<br>
><br>
> > Any help would be greatly appreciated as I am a tad confused on how to do<br>
> > this or if it is even possible.<br>
> ><br>
> > Thanks in advance<br>
> ><br>
> > Tom<br>
> > _______________________________________________<br>
> > tac_plus mailing list<br>
> > <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
> > <a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><br>
><br>
</div></div><div><div></div><div class="h5">
</div></div></blockquote></div><br>
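The ACL from this thread, modeled as an added example (not code from the thread or from tac_plus): ordered permit/deny regexes, first match wins, no match denies. It assumes the patterns are matched unanchored, with Python's re.search standing in for the daemon's regex matching, and compares which constructed client addresses the unanchored and anchored deny patterns cover.

```python
import re

# Constructed model of an ordered permit/deny ACL: the first matching rule
# wins and no match means deny. Assumption: patterns are matched unanchored
# (re.search), as a plain regexec() call without ^ and $ would do.
def acl_allows(rules, nas_ip):
    for action, pattern in rules:
        if re.search(pattern, nas_ip):
            return action == "permit"
    return False

# The ACL from the thread, as written.
BADMATT = [("deny", r"192\.168\.0\.1"), ("permit", r".*")]
# Same intent, with the deny pattern anchored to exactly one address.
BADMATT_ANCHORED = [("deny", r"^192\.168\.0\.1$"), ("permit", r".*")]

# Hypothetical per-user settings: matt has an enable ACL, tom has none.
USERS = {"tom": None, "matt": BADMATT}

def may_enable(user, nas_ip, users=USERS):
    """A user with no enable ACL is not restricted by client address."""
    acl = users[user]
    return True if acl is None else acl_allows(acl, nas_ip)

def denied_clients(rules, clients):
    """Return the client addresses on which the ACL refuses enable."""
    return [ip for ip in clients if not acl_allows(rules, ip)]

# Constructed sample of TACACS+ client (NAS) addresses.
CLIENTS = ["192.168.0.1", "192.168.0.10", "192.168.0.100",
           "192.168.0.2", "10.192.168.0.1", "192.168.1.1"]

if __name__ == "__main__":
    print("unanchored deny covers:", denied_clients(BADMATT, CLIENTS))
    print("anchored deny covers:  ", denied_clients(BADMATT_ANCHORED, CLIENTS))
    for user in ("tom", "matt"):
        print(user, "enable on 192.168.0.1:", may_enable(user, "192.168.0.1"))
```

Under that assumption the unanchored pattern also refuses enable on every client whose address merely contains 192.168.0.1, so the anchored form is the one that matches the stated intent.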