Hi I am having an issue with my tacacs+ server. I login as my super-user tacacssu and rather than getting super-user access I am getting read-only access. I checked the logs and there wasn't anything useful given to why I was getting logged in through telnet or the console with read-only access. I even kill the freeradius process and still no luck. Anybody have any ideas? Scott # Created by Devrim SERAL(devrim@tef.gazi.edu.tr) # It's very simple configuration file # Please read user_guide and tacacs+ FAQ to more information to do more # complex tacacs+ configuration files. # # Put your NAS key below key = tacacs # Use /etc/passwd.loc file to do authentication # it's must be in passwd file format. So you must mix shadow-passwd files to do it default authentication = file /etc/passwd.loc # Where is the accounting records to go accounting file = /var/log/tacacs.log # Permit all authorization request default authorization = permit # End config file #Users & Groups Setup group = NOCadmin { service = exec { priv-lvl = 15 } } user = SSHlan { default service = permit member = NOCadmin login = cleartext SSHlan } user = kiwi { default service = deny member = NOCadmin login = cleartext kiwi #cmd = configure { #deny .* #} cmd = show { permit running-config permit config deny .* } } user = aorellanop { default service = permit member = NOCadmin login = file /etc/passwd } #Default Users and Groups group = "Default Super-User" { service = exec { priv-lvl = 15 } } user = tacacssu { default service = permit member = "Default Super-User" login = cleartext tacacs } group = "Default Read-Write" { service = exec { priv-lvl = 1 } } user = tacacsrw { default service = permit member = "Default Read-Write" login = cleartext tacacs } group = "Default Read-Only" { service = exec { priv-lvl = 0 } } user = tacacsro { default service = permit member = "Default Read-Only" login = cleartext tacacs } # You can use feature like per host key with different enable passwords #host = 127.0.0.1 { # key = tacacs # type = cisco # enable = <des|cleartext> enablepass # prompt = "Welcome XXX ISP Access Router \n\nUsername:" #} # We also can define local users and specify a file where data is stored. # That file may be filled using tac_pwd #user = test1 { # name = "Test User" # member = staff # login = file /etc/tacacs/tacacs_passwords #} # We can also specify rules valid per group of users. #group = group1 { # cmd = conf { # deny # } #} # Another example : forbid configure command for some hosts # for a define range of clients #group = group1 { # login = PAM # service = ppp # protocol = ip { # addr = 10.10.0.0/24 # } # cmd = conf { # deny .* # } #} #user = DEFAULT { # login = PAM # service = ppp protocol = ip {} #} # Much more features are availables, like ACL, more service compatibilities, # commands authorization, scripting authorization. # See the man page for those features. -- Scott Gilmour | SQA Engineer Enterasys Networks | A Siemens Enterprise Communications Company Office: 978.684.1236 Email: sgilmour@enterasys.com