I am new to TACACS, so please bear with me on my novice-level questions 🙂
I have configured TACACS+ on Ubuntu. Now I can log in to the switch with users defined on the TACACS+ server. I have created two users, one for support and one for admin purposes.
Q1-
I want to allow only a fixed set of commands for the SUPPORT group.
Q2-
Log files in /var/log/tac* are empty. How can I enable logs showing which user is logging in to which switch using TACACS+ authentication?
Following is my TACACS server configuration:
key = testing123
accounting file = /var/log/tacplus.log
default authentication = file /etc/passwd
group = support {
default service = deny
service = shell {
priv-lvl = 15
}
cmd = interface {
permit [faFAgiGI].*
}
}
group = unicorns {
default service = permit
service = exec {
priv-lvl = 15
}
}
user = mary {
name = "Network Support"
member = support
}
user = tina {
name = "Network Unicorn"
member = unicorns
}
Following is my switch configuration:
aaa new-model
aaa authentication login default local group tacacs+ enable
tacacs-server host 2.3.4.5
tacacs-server key 0 testing123
Best Answer
This issue is two-fold:
There are some issues with this.

Since your default service is deny and you only have an interface subcommand defined, users in the support group won't be able to do anything at all - because they'd need to get into configure mode in order to use the interface subcommand.

Since you've set the support group to priv 15 in the config, they won't need to enable. If you want them to have to enable when they log in, then remove the set priv-lvl = 15 line in the config and configure AAA on the device to use TACACS for accessing enable mode:

The cmd definitions need to be moved inside of the service = shell block. Here's a revised config for you to try out:

This might depend on the tac_plus implementation you're using. Some implementations allow you to specify log files for authentication/authorization/accounting. Either way, you still need to configure the accounting portion on the device:
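An added example of the layout the answer describes (my own config, not the answer's missing revised one; Shrubbery-style tac_plus syntax is assumed, and the permitted command set is my choice): the cmd blocks sit inside service = shell, and the switch is told to ask the server for command authorization and to send accounting, because without those lines the cmd blocks are never consulted and the accounting log stays empty.

```conf
# --- tac_plus side (Shrubbery-style syntax assumed) ---
key = testing123
accounting file = /var/log/tacplus.log
default authentication = file /etc/passwd

group = support {
    # Any command not matched by a cmd block below is denied.
    default service = deny
    service = shell {
        # Lands the user at priv 15 on login. Remove this line if support
        # users should have to type "enable" (see the commented switch line).
        set priv-lvl = 15
        # Example command set (my choice): read-only show commands plus
        # enough of config mode to bounce or relabel a port.
        cmd = show        { permit .* }
        cmd = configure   { permit terminal }
        cmd = interface   { permit [faFAgiGI].* }
        cmd = description { permit .* }
        cmd = shutdown    { permit .* }
        cmd = no          { permit shutdown }
        cmd = exit        { permit .* }
        cmd = end         { permit .* }
    }
}

user = mary {
    name = "Network Support"
    member = support
}

! --- switch side (Cisco IOS); key and server address are the question's ---
! The "aaa authentication login" line from the question stays as it is.
aaa new-model
tacacs-server host 2.3.4.5
tacacs-server key 0 testing123
! Command authorization: the switch asks the server before running each
! command, so the cmd blocks above are actually enforced (config mode included).
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
! Only needed when "set priv-lvl = 15" is removed and users must "enable":
! aaa authentication enable default group tacacs+ enable
! Accounting: this is what writes login and per-command records (user, switch
! address, command) into the server's accounting file.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
```

Restart tac_plus after editing its config, then check the accounting file; a record for each login and each priv-15 command from the switch at 2.3.4.5 confirms both halves are talking.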