Tac Plus Config

The document contains configuration settings for TACACS+ authentication on a network device. It defines users, groups, and permissions for authentication, accounting, and authorization. Key settings include defining users like 'joe' and 'cs', groups like 'admin' and 'support' with different command permissions, and the default authentication method using PAM (Pluggable Authentication Modules).

Uploaded by Amri Kurniawan
Copyright: © Attribution Non-Commercial (BY-NC)

[root@localhost ~]# cat /etc/tac_plus.conf
key = tes123
accounting file = /var/log/tac.acct

# authentication users not appearing elsewhere via
# the file /etc/passwd
#default authentication = file /etc/passwd

acl = default {
    #permit = 192\.168\.0\.
    permit = 192\.168\.2\.1
    permit = 1\.2\.2\.2
}

# Example of host-specific configuration:
host = 1.2.2.2 {
    prompt = "Berani masuk berani tanggung jawab ..!!!, Username: "
    # Enable password for the router, generate a new one with tac_pwd
    #enable = des 4P8MBRmulyloo
}

# Group that is allowed to do most configuration on all interfaces etc.
group = admin {
    # group members who don't have their own login password will be
    # looked up in /etc/passwd
    #login = file /etc/passwd
    login = PAM

    # group members who have no expiry date set will use this one
    #expires = "Jan 1 1997"

    # only allow access to specific routers
    acl = default

    # Needed for the router to make commands available to user (subject
    # to authorization if so configured on the router
    service = exec {
        priv-lvl = 15
        #default service = permit
    }
    cmd = username { permit .* }
    cmd = enable { permit .* }
    cmd = show { permit .* }
    cmd = exit { permit .* }
    cmd = configure { permit .* }
    cmd = interface { permit .* }
    cmd = switchport { permit .* }
    cmd = description { permit .* }
    cmd = no { permit shutdown }
    cmd = write { permit memory }
}

# A group that can change some limited configuration on switchports
# related to host-side network configuration
group = support {
    # group members who don't have their own login password will be
    # looked up in /etc/passwd:
    #login = file /etc/passwd
    # or authenticated via PAM:
    login = PAM
    acl = default

    # Needed for the router to make commands available to user (subject
    # to authorization if so configured on the router
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit Interfaces.*
        permit cdp.*
        permit arp.*
        permit logging.*
        deny .*
    }
    cmd = exit { permit .* }
    cmd = interface {
        permit FastEthernet.*
        permit GigabitEthernet.*
    }
    cmd = switchport {
        permit "access vlan.*"
        permit "trunk encapsulation.*"
        permit "mode.*"
        permit "trunk allowed vlan.*"
    }
    cmd = description { permit .* }
    cmd = no { permit shutdown }
    #
    #
    #
    #
    #
    #
    #
    #
    #
    #
    #
    #
    #
    #
    #
    #
    #
}

user = joe {
    login = PAM
    #member = sysadmin
    member = admin
}
user = cs {
    login = cleartext cs123
    enable = cleartext cs1234
    member = support
}
user = amri {
    login = cleartext amri123
    enable = cleartext amri1234
    member = admin
}

# User account configured for use with "rancid"
user = rancid {
    # Generate a new password with tac_pwd
    #login = des LXUxLCkFhGpwA
    service = exec {
        priv-lvl = 15
    }
    cmd = show { permit .* }
    cmd = exit { permit .* }
    cmd = dir { permit .* }
    cmd = write { permit term }
}

# Global enable level 15 password, generate a new one with tac_pwd
#user = $enab15$ {
#login = des 97cZOIgSXU/4I
#}

#user = DEFAULT {
#    login = PAM
#member = default
#}
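As an added example (not part of the uploaded file), a small Python audit that walks a tac_plus.conf body and flags the weak settings visible in this configuration: a short shared key, cleartext login and enable passwords, and priv-lvl 15 granted to a group other than admin. The embedded sample config is constructed to mirror this page with placeholder passwords; the 16-character key threshold and the "only admin gets priv-lvl 15" rule are assumptions of the example, not tac_plus policy.

```python
import re

# Constructed sample in tac_plus.conf syntax mirroring this page's weak settings (placeholder passwords).
SAMPLE = """key = tes123
group = admin {
    login = PAM
    service = exec { priv-lvl = 15 }
}
group = support {
    login = PAM   # comment, stripped before tokenizing
    service = exec { priv-lvl = 15 }
    cmd = show { permit Interfaces.* deny .* }
}
user = cs {
    login = cleartext cs123
    enable = cleartext cs1234
    member = support
}
"""

TOKEN = re.compile(r'"[^"]*"|[{}\n]|[^\s{}]+')   # quoted string | brace/newline | bare word

def check(stmt, stack, findings):
    """Flag one 'key = value' statement given the blocks enclosing it."""
    if len(stmt) < 3 or stmt[1] != "=":
        return                               # e.g. 'permit .*' lines inside cmd blocks
    where = "/".join(stack) or "global"
    key, val = stmt[0], stmt[2]
    if key == "key" and len(val) < 16:       # 16 chars is this example's assumed minimum
        findings.append(f"{where}: shared secret is only {len(val)} chars")
    if key in ("login", "enable") and val == "cleartext":
        findings.append(f"{where}: {key} password stored as cleartext")
    if key == "priv-lvl" and val == "15" and stack and stack[0] != "group=admin":
        findings.append(f"{where}: priv-lvl 15 granted outside the admin group")

def audit(text):
    """Walk a tac_plus.conf body (comments removed) and return the list of findings."""
    findings, stack, stmt = [], [], []
    for tok in TOKEN.findall(re.sub(r"#[^\n]*", "", text)):
        if tok == "{":                       # block header such as 'group = support {'
            stack.append(f"{stmt[0]}={stmt[2]}" if len(stmt) >= 3 else "?")
            stmt = []
        elif tok in ("}", "\n"):             # a statement or a block ends here
            check(stmt, stack, findings)
            stmt = []
            if tok == "}" and stack:
                stack.pop()
        else:
            stmt.append(tok)
    return findings
```

Run audit() on the real file's text to get one line per finding; a clean file returns an empty list.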
