<div dir="ltr">I use the following AAA config on a few thousand Arista devices:<br><br>
<font face="monospace, monospace">!<br>
aaa authentication login default group tacacs+ local<br>
aaa authentication enable default group tacacs+ local<br>
aaa authorization exec default group tacacs+ local<br>
aaa authorization commands all default group tacacs+ none<br>
aaa accounting exec default start-stop group tacacs+<br>
aaa accounting system default start-stop group tacacs+<br>
aaa accounting commands all default stop-only group tacacs+<br>
!</font><br><br>
And I use this config for tac_plus (works for CatOS, IOS, EOS, Nexus &amp; Junos):<br><br>
<font face="monospace, monospace">#<br>
# Default group to run all command authentication through do_auth.<br>
#<br>
group = doauthaccess {<br>
        default service = permit<br><br>
        service = exec {<br>
                priv-lvl = 1<br>
                optional idletime = 30<br>
                optional acl = 2<br>
                shell:roles="\"network-operator vdc-operator\""<br>
                }<br><br>
        service = junos-exec {<br>
                bug-fix = "first pair is lost"<br>
                local-user-name = "remote"<br>
                allow-commands = "(.*exit)|(show cli auth.*)"<br>
                deny-commands = ".*"<br>
                allow-configuration = ""<br>
                deny-configuration = ".*"<br>
                }<br><br>
    after authorization "/usr/bin/python /opt/sbin/do_auth.py -i $address -u $user -d $name -l /opt/log/do_auth.log -f /opt/etc/tacacs/do_auth.ini"<br>
}<br><br>
#<br>
# Default user - Used when no user specific stanza exists in tac_plus.conf.<br>
#<br>
user = DEFAULT {<br>
    member = doauthaccess<br>
    login = PAM<br>
}<br>
</font><br><br>
My do_auth.ini is set up as such:<br><br>
<font face="monospace, monospace">[users]<br><br>
default =<br>
     no_authority<br><br>
joeengineer =<br>
    engineering<br><br>
rancid =<br>
    rancid_group<br><br>
#<br>
# Default group<br>
#<br>
[no_authority]<br>
host_deny =<br><br>
host_allow =<br>
        .*<br>
device_deny =<br><br>
device_permit =<br>
        .*<br><br>
command_deny =<br>
        .*<br><br>
command_permit =<br>
        exit.*<br><br>
av_pairs =<br>
        priv-lvl=0<br>
        shell:roles="network-operator vdc-operator"<br>
        local-user-name = remote<br>
        allow-commands = (.*exit)|(show cli auth.*)<br>
        deny-commands = .*<br>
        allow-configuration =<br>
        deny-configuration =<br><br>
#<br>
# Rancid Group<br>
#<br>
[rancid_group]<br>
host_deny =<br><br>
host_allow =<br>
        .*<br><br>
device_deny =<br><br>
device_permit =<br>
        .*<br><br>
command_deny =<br>
        enable password.*<br>
        enable secret.*<br><br>
command_permit =<br>
        show.*<br>
        dir.*<br>
        more.*<br>
        copy .*<br>
        terminal .*<br>
        enable.*<br>
        write t.*<br>
        set length .*<br>
        set logging session disable.*<br>
        exit.*<br><br>
av_pairs =<br>
        priv-lvl=15<br>
        shell:roles="network-admin vdc-admin"<br>
        local-user-name = network<br>
        allow-commands = (.*copy .*)|(.*show .*)|(.*write .*)|(.*exit)<br>
        deny-commands = .*<br>
        allow-configuration =<br>
        deny-configuration = .*<br><br>
#<br>
# Engineering Group<br>
#<br>
[engineering]<br><br>
host_deny =<br><br>
host_allow =<br>
        .*<br><br>
device_deny =<br><br>
device_permit =<br>
        .*<br><br>
command_deny =<br><br>
command_permit =<br>
        .*<br><br>
av_pairs =<br>
        priv-lvl=15<br>
        shell:roles="network-admin vdc-admin"<br>
        local-user-name = remote<br>
        allow-commands = .*<br>
        deny-commands =<br>
        allow-configuration = .*<br>
        deny-configuration =<br>
</font><br><br>
--<br>
John Fraizer<br>
LinkedIn profile: <a href="http://www.linkedin.com/in/johnfraizer/">http://www.linkedin.com/in/johnfraizer/</a><br>
</div>
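The do_auth.ini above only enforces what its deny and permit lists actually match, and the rancid group relies on `command_deny` (enable password.*, enable secret.*) winning over the broader `command_permit` entry enable.*. Below is an added example, not the do_auth.py that ships with tac_plus, that parses a trimmed, constructed copy of that group with configparser and evaluates user, device and command against it, so a policy file can be unit-tested before it is pushed; the deny-before-permit order and the fall-through to the next group are assumptions about how do_auth evaluates a policy.

```python
# Added example, not the do_auth.py that ships with tac_plus: an offline
# evaluator for do_auth.ini policies so a file can be tested before deployment.
import configparser
import re
# Constructed sample: a trimmed copy of the page's rancid group.
SAMPLE_INI = r"""[users]
rancid =
    rancid_group

[rancid_group]
device_deny =
    10\.0\.1\..*
device_permit =
    .*
command_deny =
    enable password.*
    enable secret.*
command_permit =
    show.*
    enable.*
"""

def load_policy(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg

def _patterns(cfg, section, key):
    # One regex per non-empty line of a multi-line option; [] if absent.
    raw = cfg.get(section, key, fallback="")
    return [p.strip() for p in raw.splitlines() if p.strip()]

def _matches(patterns, value):
    # Anchored at the start like re.match; the page's patterns end in .*
    return any(re.match(p, value) for p in patterns)

def authorize(cfg, user, device, command):
    # (permitted, group): groups in the user's listed order; within a group a
    # deny pattern beats a permit (assumed do_auth order), else fall through.
    groups = _patterns(cfg, "users", user) or _patterns(cfg, "users", "default")
    for group in groups:
        if _matches(_patterns(cfg, group, "device_deny"), device):
            continue
        if not _matches(_patterns(cfg, group, "device_permit"), device):
            continue
        if _matches(_patterns(cfg, group, "command_deny"), command):
            return False, group
        if _matches(_patterns(cfg, group, "command_permit"), command):
            return True, group
    return False, None
```

Running the real do_auth.ini through `load_policy` and asserting on a handful of user/device/command triples catches a typo in a key or a permit pattern that is broader than intended before it reaches production.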