<html><body><p><font size="2" face="sans-serif">Hello</font><br><br><font size="2" face="sans-serif">I have configured TACPLUS to work with cisco nexus device. I am able to successfully authenticate, however, I am able to run all commands on router. It seems the router is not restricted to the commands specified in my group config. Has anyone gotten Cisco nexus to work properly with tacplus? I need to limit certain users and cannot get this working properly. Any help is greatly appreciated!!! Thanks.</font><br><br><font size="2" face="sans-serif">Group Config:</font><br><br><font size="2" face="sans-serif"> group = snm {</font><br><font size="2" face="sans-serif"> default service = deny</font><br><font size="2" face="sans-serif"> service = shell {</font><br><font size="2" face="sans-serif"> set shell:roles="\"network-admin\""</font><br><font size="2" face="sans-serif"> default command = deny</font><br><font size="2" face="sans-serif"> default attribute = deny</font><br><font size="2" face="sans-serif"> set priv-lvl = 15</font><br><font size="2" face="sans-serif"> cmd = configure {deny .*}</font><br><font size="2" face="sans-serif"> cmd = clear {</font><br><font size="2" face="sans-serif"> permit "counters"</font><br><font size="2" face="sans-serif"> permit "qos stat"</font><br><font size="2" face="sans-serif"> permit "mls qos int"</font><br><font size="2" face="sans-serif"> }</font><br><font size="2" face="sans-serif"> cmd = disable {permit .*}</font><br><font size="2" face="sans-serif"> cmd = enable {permit .*}</font><br><font size="2" face="sans-serif"> cmd = end {permit .*}</font><br><font size="2" face="sans-serif"> cmd = exit {permit .*}</font><br><font size="2" face="sans-serif"> cmd = logout {permit .*}</font><br><font size="2" face="sans-serif"> cmd = ping {permit .*}</font><br><font size="2" face="sans-serif"> cmd = set {</font><br><font size="2" face="sans-serif"> permit "length 0"</font><br><font size="2" face="sans-serif"> }</font><br><font size="2" face="sans-serif"> cmd = show {</font><br><font size="2" face="sans-serif"> deny "controllers vip"</font><br><font size="2" face="sans-serif"> permit .*</font><br><font size="2" face="sans-serif"> }</font><br><font size="2" face="sans-serif"> cmd = skip-page-display {permit .*}</font><br><font size="2" face="sans-serif"> cmd = terminal {</font><br><font size="2" face="sans-serif"> permit "length 0"</font><br><font size="2" face="sans-serif"> }</font><br><font size="2" face="sans-serif"> cmd = write {</font><br><font size="2" face="sans-serif"> permit "network"</font><br><font size="2" face="sans-serif"> permit "terminal"</font><br><font size="2" face="sans-serif"> permit "memory"</font><br><font size="2" face="sans-serif"> }</font><br><font size="2" face="sans-serif"> }</font><br><font size="2" face="sans-serif"> }</font><br><br><br><font size="2" face="sans-serif"> user = testuser {</font><br><font size="2" face="sans-serif"> </font><br><font size="2" face="sans-serif"> member = snm</font><br><font size="2" face="sans-serif"> }</font><br><br><br><font size="2" face="sans-serif">Session output from router:</font><br><br><font size="2" face="sans-serif"> telnet labrouter</font><br><font size="2" face="sans-serif">Trying labrouter...</font><br><font size="2" face="sans-serif">Connected to labrouter.</font><br><font size="2" face="sans-serif">Escape character is '^]'.</font><br><font size="2" face="sans-serif">User Access Verification</font><br><font size="2" face="sans-serif">login: testuser</font><br><font size="2" face="sans-serif">Password:</font><br><font size="2" face="sans-serif">Cisco Nexus Operating System (NX-OS) Software</font><br><font size="2" face="sans-serif">TAC support: <a href="http://www.cisco.com/tac">http://www.cisco.com/tac</a></font><br><font size="2" face="sans-serif">Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.</font><br><font size="2" face="sans-serif">The copyrights to certain works contained in this software are</font><br><font size="2" face="sans-serif">owned by other third parties and used and distributed under</font><br><font size="2" face="sans-serif">license. Certain components of this software are licensed under</font><br><font size="2" face="sans-serif">the GNU General Public License (GPL) version 2.0 or the GNU</font><br><font size="2" face="sans-serif">Lesser General Public License (LGPL) Version 2.1. A copy of each</font><br><font size="2" face="sans-serif">such license is available at</font><br><font size="2" face="sans-serif"><a href="http://www.opensource.org/licenses/gpl-2.0.php">http://www.opensource.org/licenses/gpl-2.0.php</a> and</font><br><font size="2" face="sans-serif"><a href="http://www.opensource.org/licenses/lgpl-2.1.php">http://www.opensource.org/licenses/lgpl-2.1.php</a></font><br><font size="2" face="sans-serif">LABROUTER# configure <------------------------------------------------------------ This should be denied</font><br><font size="2" face="sans-serif">Enter configuration commands, one per line. End with CNTL/Z.</font><br><font size="2" face="sans-serif">LABROUTER(config)# interface ethernet 1/1 configure <------------------------------------------------------------ This should be denied</font><br><font size="2" face="sans-serif">LABROUTER(config-if)# shut <------------------------------------------------------------ This should be denied </font><br><font size="2" face="sans-serif">LABROUTER(config-if)# no shut <------------------------------------------------------------ This should be denied</font><br><font size="2" face="sans-serif">LABROUTER(config-if)# end</font><br><font size="2" face="sans-serif">LABROUTER#</font><br><font face="sans-serif"><div style="font-size:12px; font-style:italic; font-family:georgia,arial,sans-serif">
<br><br>
=========================================================================================================
<div style="font-size:12px; font-style:italic; font-family:georgia,arial,sans-serif">
<p>
<B><<<< Disclaimer >>>></B>
<p>
This message is intended solely for use by the named addressee(s). If you receive this transmission in error, please immediately notify the sender and destroy this message in its entirety, whether in electronic or hard copy format. Any unauthorized use (and reliance thereon), copying, disclosure, retention, or distribution of this transmission or the material in this transmission is forbidden. We reserve the right to monitor and archive electronic communications. This material does not constitute an offer or solicitation with respect to the purchase or sale of any security. It should not be construed to contain any recommendation regarding any security or strategy. Any views expressed are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. This communication is provided on an “as is” basis. It contains material that is owned by Instinet Incorporated, its subsidiaries or its or their licensors, and may not, in whole or in part, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) redistributed, posted, published, excerpted, or quoted without Instinet Incorporated's prior written consent. Please access the following link for important information and instructions: <a href=" http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt"> http://instinet.com/includes/index.jsp?thePage=/html/le_index.txt</a>
<p>
Securities products and services are provided by locally registered brokerage subsidiaries of Instinet Incorporated: Instinet Australia Pty Limited (ACN: 131 253 686 AFSL No: 327834), regulated by the Australian Securities & Investments Commission; Instinet Canada Limited, member IIROC/CIPF; Instinet Pacific Limited, authorized and regulated by the Securities and Futures Commission of Hong Kong; Instinet Singapore Services Private Limited, regulated by the Monetary Authority of Singapore, trading member of The Singapore Exchange Securities Trading Private Limited and clearing member of The Central Depository (Pte) Limited; and Instinet, LLC, member SIPC.
<p>
<br><br>
=========================================================================================================
</div></font>
</body></html>