Tacacs ConfigFile Syntax

[plshlpme]

Hello does anybody have an example of a good tacacs config file?

we have set up our lab at work and i need to make sure people can't change certain attributes.. like for example...

router bgp XXX is ok...
bt i don't want them running
router bgp YYYY

here is what i have so far.. very early in the stages of developing the file.

group = regularusers
{
default service = permit

service = exec
{
priv-lvl = 15
}
cmd = router
{
deny bgp YYY
permit .*
}

the problem is this does not work...
users can still freely type in router bgp YYY and gain access to the bgp configuration.

has anybody else done something similar?

 

[plshlpme]

nobody familiar with tacacs+ syntax?

 

[3wsparky]

well its all about privilage levels

i see priv 15 in your example above this gives them full access to any device they connect to and enter exec mode

there are very commands that can be run depending on your priv level but from your example i dont think you can be that restrictive tac is only an authentication app once your on the box your on the box tac has done it work !

im no expert on tac and would love someone to prove me wrong but i dont think it can be done sadly. if it can i would love to know about it ....................

 

[plshlpme]

well every command typed byt the user is going back to the tacacs server for authorization so i thought it would be possible to do it.

basically i want them to login to enable mode...
but i only want them to be able to play with the customer bgp connections, not the core connections..

hence allowing router bgp XXX but denying bgp YYY

ive searched around the net and it seems to be hard to find good tacacs config examples.