<div>Hello;</div><div><br></div><div>Thank you for your reply, I want to provide more details for the issues I'm facing, any suggestion will be wellcome.</div><div><br></div><div>Someone accidentally removed the existing Allowed VLANs on trunk while adding new Vlan, he forgets to type "switchport trunk allowed vlan add X" but type "switchport trunk allowed vlan X".<br><br>How can I prevent this using tac_plus<br>My goal is to deny "switchport trunk allowed vlan X" and permit "switchport trunk allowed vlan add X", "switchport trunk allowed vlan none", "switchport trunk allowed vlan all" and all any others configuration commands.<br><br>Ours cisco equipments are already integrated to tac_plus and work fine, below is the current extract tac_plus configuration file with user test belongs to networkadmin, is there someone who can point me how to modify below file in order to achieve my goal<br><br>root@lab:~# more /etc/tacacs+/tac_plus.conf<br><br>....<br>....<br>accounting file = /var/log/tac_plus.acct<br><br>group = networkadmin {<br> default service = permit<br> #enable = cleartext "test"<br> enable = nopassword<br> service = exec {<br> priv-lvl = 15<br> idletime = 10<br> optional shell:roles="\"network-admin vdc-admin\""<br> <br>}<br><br>user = test {<br> login = PAM<br> member = networkadmin<br>}<br><br>...<br>...<br><br>root@lab:~# <br><br>The second problem, is between my switch and tacacs server, there is NAT, so on tacacs all requests come with same IP, in this situation no way to know which request or logs come to which network equipement, is there the way to configure aaa on cisco equipment so that the for example the hostname or management IP of the cisco equipment can be include into accounting file send to tac_plus server.</div><div><br></div><div>Best regards;<br></div><br><br><blockquote type="cite" style="margin:0 0 0 0.5em;border-left:1px #00f solid;padding-left:1em;">De : heasley <heas@shrubbery.net><br>
À : sambill@netcourrier.com<br>
Sujet : Re: [tac_plus] deny a particular command and allow all others<br>
Date : 04/04/2019 16:43:23 Europe/Paris<br>
Copie à : tac_plus@shrubbery.net<br>
<br>
Thu, Apr 04, 2019 at 12:41:33PM +0200, sambill@netcourrier.com:<br>
> Hello;<br>
> <br>
> We use tac_plus into our network working fine (Cisco and juniper equipments), I want to allow a particular commands and allow all others.<br>
> <br>
> how can I set tac_plus config file to achieve this ?<br>
<br>
there are three ways, depending upon the equipment.<br>
1) use cmd authorization in tac_plus, like the user fred in the example config,<br>
assuming the device supports command authorization<br>
2) use an external authorization script, like do_auth which comes with tac_plus,<br>
assuming the device supports command authorization<br>
3) create roles (or whatever the jargon the vendor uses) on the equipment<br>
and assign users to those roles via tacacs AVPs<br>
<br>
i suppose, a variation of 3,<br>
4) create roles (or whatever the jargon the vendor uses)<br>
and assign users to those roles on the equipment and just do authentication<br>
via tacacs<br></blockquote>