You'll just need to fix your expressions in your tacacs config.
e.g. cmd = set { permit "^blah blah .*" }
--raymondh
On Nov 25, 2008, at 12:16 AM, Christian Koch wrote:
Rich - thanks, and sorry, I guess I was a little vague...
I meant to say I am looking for configuration for the tac_plus.conf side
On Mon, Nov 24, 2008 at 11:02 AM, Rich Davies <[EMAIL PROTECTED]> wrote:
Here is an example CatOS config for TACACS auth. It's been a while since I
used a CatOS device; however, if I remember correctly this config was
structured so that if the device can't talk to the TACACS server it would
fail back to a local userid (by using "if-authenticated" in the
#authorization section).
#tacacs+
set tacacs server 1.1.1.1 primary
set tacacs server 2.2.2.2
set tacacs key [tacacs key]
#authentication
set authentication login tacacs enable console primary
set authentication login tacacs enable telnet primary
set authentication enable tacacs enable console primary
set authentication enable tacacs enable telnet primary
#accounting
set accounting exec enable stop-only tacacs+
set accounting connect enable stop-only tacacs+
set accounting system enable stop-only tacacs+
set accounting commands enable all stop-only tacacs+
#authorization
set authorization exec enable tacacs+ if-authenticated console
set authorization exec enable tacacs+ if-authenticated telnet
set authorization enable enable if-authenticated none console
set authorization enable enable if-authenticated none telnet
set authorization commands enable all if-authenticated none console
set authorization commands enable all if-authenticated none telnet
Hope it helps.
-Rich
On Mon, Nov 24, 2008 at 10:48 AM, Christian Koch <[EMAIL PROTECTED]> wrote:
On a side note -
has anyone had any success getting older CatOS switches and enable
mode to work with the newer versions of tacplus?
christian
On Mon, Nov 24, 2008 at 10:41 AM, <[EMAIL PROTECTED]> wrote:
Hi,
The fork based on Cisco's code over at shrubbery has worked out well for me.
http://www.shrubbery.net/tac_plus/
Agreed. Also note, there have been hints of TACACS+ being part of
future FreeRADIUS capability for some time too.
alan
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
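An added example, not part of the thread and not tac_plus's own code: a small Python model of how an ordered cmd = set { permit ... deny ... } block decides CatOS "set" commands, showing why the expressions in such a block need anchoring. The rule lists, the sample commands and the matching model (first match wins, no match denies, Python's re standing in for the tac_plus regex engine) are assumptions.

```python
import re

# Constructed rules modelling one tac_plus.conf block of the form
#   cmd = set { permit "..."  deny "..." }
# Each entry is (action, regex); order matters.
LOOSE_RULES = [("permit", r"port .*")]            # unanchored expression
TIGHT_RULES = [("permit", r"^port (enable|disable|name) .*"),
               ("deny", r".*")]                   # explicit catch-all

def authorize(command, cmd_name, rules):
    """Return 'permit' or 'deny' for one command line typed on the switch.

    Assumed model: the first word selects the cmd block; the remaining
    words are joined with single spaces and tried against each regex in
    order; the first match decides, and no match means deny.
    """
    words = command.split()
    if not words or words[0] != cmd_name:
        return "deny"      # this model holds no block for other commands
    args = " ".join(words[1:])
    for action, pattern in rules:
        if re.search(pattern, args):   # a search, so "^" must be explicit
            return action
    return "deny"

# Constructed CatOS-style command lines.
SAMPLES = [
    "set port enable 3/1",
    "set port name 3/1 uplink",
    "set vlan 10 name port 3/1",             # "port " appears mid-string
    "set snmp community read-write port x",  # same pitfall
    "clear config all",                      # not a "set" command
]

def compare(samples=SAMPLES):
    """Return {command: (loose_result, tight_result)}."""
    return {c: (authorize(c, "set", LOOSE_RULES),
                authorize(c, "set", TIGHT_RULES)) for c in samples}

if __name__ == "__main__":
    for cmd, (loose, tight) in compare().items():
        print(f"{cmd:40} loose={loose:6} tight={tight}")
```

The two middle samples are permitted by the unanchored rule only because "port " occurs somewhere in the argument string; the anchored rule set denies them.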