[c-nsp] tac_plus and cisco ASA
Erik Witkop
2010-03-30 00:13:06 UTC
Hi all,

I am looking to do AAA on a Cisco ASA firewall with a tac_plus server,
and my ASA config is fine. My issue is on the tac_plus.conf side. I want
to allow every possible command for a group of users, but of course I don't
want to list out every single command in my tac_plus.conf file. Are we
allowed to wildcard the cmd? The man files did not say, and I couldn't
find any help using Google. How are people wildcarding the cmd
without listing every possible command?


group = network {
    service = exec {
        priv-lvl = 15          # drop straight into privilege 15
    }
    cmd = write {
        permit terminal        # regex matched against the command's arguments
    }
    cmd = configure {
        permit .*
    }
    cmd = show {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}

For reference, my ASA config:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (xxxxxxx) host x.x.x.x
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command TACACS+
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Yuri Bank
2010-03-30 00:58:05 UTC
group = somegroup {
    default service = permit
    login = file /etc/passwd   # or PAM, or other method.
    enable = cleartext "cisco" # you obviously can leave this out.
}


This will allow all commands.
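As an added illustration of the two configs above (this is example code written for this page, not tac_plus source and not anything posted in the thread), the following Python script parses the subset of tac_plus.conf syntax used here and evaluates commands against Erik's explicit cmd blocks, Yuri's `default service = permit` group, and a third hypothetical group `ops` that combines the two so that everything is permitted except one carved-out `write` argument. The matching rules it models (first matching regex wins, unanchored search against the argument string, anything unmatched is denied unless `default service = permit`) are assumptions to confirm against the tac_plus.conf man page for your version.

```python
# Added example (not from the cisco-nsp thread): a small model of tac_plus-style
# command authorization. The daemon's exact matching rules are ASSUMED here
# (first match wins, unanchored regex search, implicit deny); check them
# against tac_plus.conf(5) for your version before relying on them.
import re
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    default_permit: bool = False                 # "default service = permit"
    cmds: dict = field(default_factory=dict)     # word -> [(action, compiled regex), ...]


GROUP_RE = re.compile(r'group\s*=\s*(\S+)\s*\{')
CMD_RE = re.compile(r'cmd\s*=\s*(\S+)\s*\{')
RULE_RE = re.compile(r'(permit|deny)(?:\s+(.*))?')
DEFAULT_RE = re.compile(r'default\s+service\s*=\s*permit')


def parse_groups(conf: str) -> dict:
    """Parse the subset of tac_plus.conf syntax used in the thread into Group objects."""
    groups, stack = {}, []                       # stack: 'group' / 'cmd' / 'other' per open brace
    group = cmd_word = None
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()      # strip comments (assumes no '#' inside a regex)
        if not line:
            continue
        if (m := GROUP_RE.fullmatch(line)):
            group = groups[m.group(1)] = Group(m.group(1))
            stack.append('group')
        elif group is not None and (m := CMD_RE.fullmatch(line)):
            cmd_word = m.group(1)
            group.cmds.setdefault(cmd_word, [])
            stack.append('cmd')
        elif stack and stack[-1] == 'cmd' and (m := RULE_RE.fullmatch(line)):
            group.cmds[cmd_word].append((m.group(1), re.compile(m.group(2) or '')))
        elif group is not None and DEFAULT_RE.fullmatch(line):
            group.default_permit = True
        elif line.endswith('{'):
            stack.append('other')                # e.g. "service = exec {"; its contents are ignored
        elif set(line) <= {'}', ' '}:
            for _ in range(line.count('}')):
                ctx = stack.pop()
                if ctx == 'cmd':
                    cmd_word = None
                elif ctx == 'group':
                    group = None
        # anything else (priv-lvl, login, enable ...) plays no part in the decision
    return groups


def authorize(group: Group, command: str):
    """Return (permitted, reason) for one command line submitted for authorization."""
    words = command.split()
    if not words:
        return False, 'empty command'
    word, args = words[0], ' '.join(words[1:])
    rules = group.cmds.get(word)
    if rules is None:                            # no "cmd = <word>" block at all
        if group.default_permit:
            return True, f'no cmd block for {word!r}, default service = permit'
        return False, f'no cmd block for {word!r}, implicit deny'
    for action, rx in rules:                     # first regex that matches the args decides
        if rx.search(args):                      # assumed: unanchored match, like tac_plus
            return action == 'permit', f'{word}: {action} {rx.pattern!r} matched {args!r}'
    return False, f'{word}: no regex matched {args!r}, implicit deny'


# Constructed sample configs: Erik's and Yuri's groups from the thread, plus a
# hypothetical "ops" group (not from the thread) that permits everything by
# default but still carves out one write argument.
ERIK_CONF = """
group = network {
    service = exec {
        priv-lvl = 15
    }
    cmd = write {
        permit terminal
    }
    cmd = configure {
        permit .*
    }
    cmd = show {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}
"""
YURI_CONF = """
group = somegroup {
    default service = permit
    login = file /etc/passwd   # or PAM, or other method.
    enable = cleartext "cisco" # you obviously can leave this out.
}
"""
OPS_CONF = """
group = ops {
    default service = permit
    cmd = write {
        deny erase
        permit .*
    }
}
"""
SAMPLE_COMMANDS = ['show running-config', 'write terminal', 'write memory',
                   'write erase', 'configure terminal', 'ping 10.0.0.1', 'exit']

if __name__ == '__main__':
    for conf, name in ((ERIK_CONF, 'network'), (YURI_CONF, 'somegroup'), (OPS_CONF, 'ops')):
        grp = parse_groups(conf)[name]
        for cmd in SAMPLE_COMMANDS:
            ok, why = authorize(grp, cmd)
            print(f'{name:10} {cmd:22} {"PERMIT" if ok else "DENY  "}  {why}')
```

Run as a script, the table shows why the explicit cmd blocks alone deny `ping` and `write memory` (no block, or no regex hit), why `default service = permit` lets everything through, and how a cmd block still overrides that default for the one word it names. Note that the unanchored match also means `permit terminal` would match any argument string containing "terminal"; anchor with `^...$` when that matters.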