<div>Hi,</div><div>I am having an issue with my tacacs+ server. I log in as my super-user tacacssu and, rather than getting super-user access, I am getting read-only access. I checked the logs and there wasn't anything useful given as to why I was getting logged in through telnet or the console with read-only access. I even killed the freeradius process and still no luck. Anybody have any ideas?</div><div>Scott</div><div><br></div><div>
<br></div><br clear="all"><pre>
# Created by Devrim SERAL(<a href="mailto:devrim@tef.gazi.edu.tr">devrim@tef.gazi.edu.tr</a>)
# This is a very simple configuration file.
# Please read the user_guide and tacacs+ FAQ for more information on
# more complex tacacs+ configuration files.
#
# Put your NAS key below
key = tacacs

# Use the /etc/passwd.loc file to do authentication.
# It must be in passwd file format, so you must merge the shadow-passwd files to do it.

default authentication = file /etc/passwd.loc

# Where the accounting records go

accounting file = /var/log/tacacs.log

# Permit all authorization requests

default authorization = permit

# End config file


#Users &amp; Groups Setup
group = NOCadmin {
    # priv-lvl is returned to the NAS when it authorizes service=shell (exec start)
    service = exec {
        priv-lvl = 15
    }
}


user = SSHlan {
    default service = permit
    member = NOCadmin
    login = cleartext SSHlan
}

user = kiwi {
    default service = deny
    member = NOCadmin
    login = cleartext kiwi
    #cmd = configure {
    #    deny .*
    #}
    # command authorization for "show": only arguments matching these regexes are permitted
    cmd = show {
        permit running-config
        permit config
        deny .*
    }
}


user = aorellanop {
    default service = permit
    member = NOCadmin
    login = file /etc/passwd
}


#Default Users and Groups
group = "Default Super-User" {
    service = exec {
        priv-lvl = 15
    }
}

user = tacacssu {
    default service = permit
    member = "Default Super-User"
    login = cleartext tacacs
}
group = "Default Read-Write" {
    service = exec {
        priv-lvl = 1
    }
}

user = tacacsrw {
    default service = permit
    member = "Default Read-Write"
    login = cleartext tacacs
}
group = "Default Read-Only" {
    service = exec {
        priv-lvl = 0
    }
}

user = tacacsro {
    default service = permit
    member = "Default Read-Only"
    login = cleartext tacacs
}

# You can use features like a per-host key with different enable passwords
#host = 127.0.0.1 {
#    key = tacacs
#    type = cisco
#    enable = &lt;des|cleartext&gt; enablepass
#    prompt = "Welcome XXX ISP Access Router \n\nUsername:"
#}

# We can also define local users and specify a file where the data is stored.
# That file may be filled using tac_pwd
#user = test1 {
#    name = "Test User"
#    member = staff
#    login = file /etc/tacacs/tacacs_passwords
#}

# We can also specify rules valid per group of users.
#group = group1 {
#    cmd = conf {
#        deny
#    }
#}

# Another example: forbid the configure command for some hosts
# for a defined range of clients
#group = group1 {
#    login = PAM
#    service = ppp
#    protocol = ip {
#        addr = 10.10.0.0/24
#    }
#    cmd = conf {
#        deny .*
#    }
#}

#user = DEFAULT {
#    login = PAM
#    service = ppp protocol = ip {}
#}

# Many more features are available, like ACLs, more service compatibility,
# command authorization and scripted authorization.
# See the man page for those features.
</pre><div>
</div>-- <br><p style="MARGIN:0in 0in 0pt"><span style="COLOR:black"><font size="3"><font face="Calibri">Scott Gilmour | SQA Engineer</font></font></span></p>
<p style="MARGIN:0in 0in 0pt"><span style="COLOR:black"><font size="3"><font face="Calibri">Enterasys Networks | A Siemens Enterprise Communications Company</font></font></span></p>
<p style="MARGIN:0in 0in 0pt"><span style="COLOR:black"><font size="3"><font face="Calibri">Office: 978.684.1236 </font></font></span></p>
<p style="MARGIN:0in 0in 0pt"><font face="Calibri"><span style="COLOR:black"><font size="3">Email: </font></span><span style="COLOR:blue"><a href="mailto:sgilmour@enterasys.com" target="_blank"><font size="3">sg</font><font size="3">ilmour@enterasys.com</font></a></span></font></p>
<br>
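<p>The check a practitioner would run for the problem described above, as an added example that is not part of the original post or of tac_plus itself: a minimal TACACS+ (RFC 8907) authorization client in Python that sends the same <code>service=shell</code> / <code>cmd*</code> request a NAS sends at exec start and returns the server's reply. If the reply is PASS_ADD or PASS_REPL with <code>priv-lvl=15</code> for tacacssu, the tac_plus configuration is answering as intended and the read-only level is being decided on the device side (how it maps the returned priv-lvl to its access levels); if it comes back FAIL, or passes without a priv-lvl attribute, the problem is in the server configuration. The host 192.0.2.10, the port name <code>tty0</code> and the remote address are placeholders; the key <code>tacacs</code> is taken from the posted config. The <code>author_reply_body</code> function builds the server's side of the exchange so the encoding and parsing can be exercised offline.</p>

```python
"""Minimal TACACS+ (RFC 8907) authorization client.  Added example, not code
from the original post: it asks the tac_plus server directly what it returns
for a user's exec start (service=shell) without the switch in the middle.
Host/port/rem_addr below are assumptions; the key matches 'key = tacacs'."""
import hashlib
import os
import re
import socket
import struct

TAC_PLUS_VERSION = 0xC0             # major version 0xC, minor version 0
TAC_PLUS_AUTHOR = 0x02              # packet type: authorization
AUTHEN_METH_TACACSPLUS = 0x06
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}
HDR = struct.Struct("!BBBBII")      # version, type, seq_no, flags, session_id, length


def pseudo_pad(key, session_id, version, seq_no, n):
    """Keystream of RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version,
    seq_no); MD5_i = MD5(session_id, key, version, seq_no, MD5_i-1)."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:n]


def obfuscate(key, session_id, version, seq_no, body):
    """XOR the body with the pad; applying it twice gives the body back."""
    pad = pseudo_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(key, session_id, seq_no, body, ptype=TAC_PLUS_AUTHOR):
    enc = obfuscate(key, session_id, TAC_PLUS_VERSION, seq_no, body)
    return HDR.pack(TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(enc)) + enc


def parse_packet(key, packet):
    """Return (type, seq_no, session_id, plaintext body) for one packet."""
    version, ptype, seq_no, flags, session_id, length = HDR.unpack(packet[:HDR.size])
    body = packet[HDR.size:HDR.size + length]
    if not flags & 0x01:            # TAC_PLUS_UNENCRYPTED_FLAG clear: body is obfuscated
        body = obfuscate(key, session_id, version, seq_no, body)
    return ptype, seq_no, session_id, body


def author_request_body(user, args, port="tty0", rem_addr="127.0.0.1", priv_lvl=1):
    """Authorization REQUEST body (RFC 8907 section 6.1).  An exec start is
    'service=shell' plus an empty optional 'cmd*'; tac_plus answers it from the
    'service = exec' clause of the user or group.  port/rem_addr are assumed."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    return (bytes([AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                   AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(a)])
            + bytes(len(x) for x in a) + u + p + r + b"".join(a))


def author_reply_body(status, args, server_msg=b"", data=b""):
    """Authorization REPLY body (RFC 8907 section 6.2): the server's side of
    the exchange, used here to fake a reply offline."""
    a = [x.encode() for x in args]
    return (struct.pack("!BBHH", status, len(a), len(server_msg), len(data))
            + bytes(len(x) for x in a) + server_msg + data + b"".join(a))


def parse_author_reply(body):
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6 + arg_cnt
    server_msg = body[off:off + msg_len]
    off += msg_len + data_len       # skip server_msg and data; args follow
    args = []
    for n in body[6:6 + arg_cnt]:
        args.append(body[off:off + n].decode())
        off += n
    return {"status": AUTHOR_STATUS.get(status, hex(status)),
            "server_msg": server_msg.decode(errors="replace"), "args": args}


def exec_priv_lvl(reply):
    """The value the NAS acts on: priv-lvl from a passing reply, else None."""
    if reply["status"] not in ("PASS_ADD", "PASS_REPL"):
        return None
    for av in reply["args"]:
        m = re.match(r"([^=*]+)[=*](.*)", av)   # attr=value (mandatory) / attr*value (optional)
        if m and m.group(1) == "priv-lvl" and m.group(2).isdigit():
            return int(m.group(2))
    return None


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def query_exec_authorization(host, key, user, port=49, timeout=5.0):
    """One authorization exchange over TCP; returns the parsed reply dict."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    req = build_packet(key, session_id, 1,
                       author_request_body(user, ["service=shell", "cmd*"]))
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        hdr = recv_exact(s, HDR.size)
        _, _, _, body = parse_packet(key, hdr + recv_exact(s, HDR.unpack(hdr)[5]))
    return parse_author_reply(body)


if __name__ == "__main__":
    # 192.0.2.10 is an assumed server address; 'tacacs' is the key from the posted config.
    rep = query_exec_authorization("192.0.2.10", b"tacacs", "tacacssu")
    print(rep["status"], rep["args"], "-> priv-lvl", exec_priv_lvl(rep))
```

<p>A wrong shared key does not produce an error from the server; it produces an unreadable body, which is what a NAS with a mismatched key sees before it falls back to whatever its default access level is, so a reply that parses to nonsense is itself a useful result.</p>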