Tacacs+ Super-User issue.

Gilmour, Scott sgilmour at enterasys.com
Fri Oct 19 02:52:10 CEST 2012


Hi
I am having an issue with my tacacs+ server.
I log in as my super-user tacacssu and, rather than getting super-user access,
I am getting read-only access. I checked the logs and there wasn't
anything useful explaining why I was being logged in, through telnet or the console,
with read-only access.
I even killed the freeradius process and still no luck. Anybody have any
ideas?
Scott



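# Created by Devrim SERAL(devrim at tef.gazi.edu.tr)
# It's a very simple configuration file.
# Please read the user_guide and the tacacs+ FAQ for more information on
# writing more complex tacacs+ configuration files.
#
# Put your NAS key below.
# NOTE(review): the shared secret "tacacs" is the same string used as the
# cleartext password of the tacacssu/tacacsrw/tacacsro accounts further down;
# confirm that is intended and use a strong, unique value for the key.
key = tacacs

# Use the /etc/passwd.loc file to do authentication.
# It must be in passwd file format, so you must merge the shadow-passwd files
# to do it.
# (The line "to do it" was previously on a line of its own without a leading
# "#"; as written it would not parse as a comment -- probably mail wrapping,
# but confirm the on-disk file.)

default authentication = file /etc/passwd.loc

# Where the accounting records go.
# NOTE(review): this log is the first place to look when a user gets an
# unexpected access level -- it shows whether the exec authorization succeeded.

accounting file = /var/log/tacacs.log

# Permit all authorization requests.
# NOTE(review): this is the fallback for any service/command that no user or
# group rule covers, so every authenticated user is authorized for anything
# not explicitly denied.

default authorization = permit

# End config file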



#Users & Groups Setup
# NOCadmin: administrative group. Members get priv-lvl 15 returned in the
# "exec" service authorization reply (the same value as "Default Super-User"
# below).
group = NOCadmin {
service = exec {
    priv-lvl = 15
  }
}



# SSHlan: NOCadmin member; "default service = permit" authorizes any
# service/command that has no explicit rule.
# NOTE(review): the password is stored in cleartext in this file and is
# identical to the username -- change it.
user = SSHlan {
default service = permit
member = NOCadmin
login = cleartext SSHlan
}

# kiwi: NOCadmin member, but with "default service = deny" so only the
# explicitly permitted commands below are authorized.
# NOTE(review): the password is stored in cleartext and equals the username.
user = kiwi {
default service = deny
member = NOCadmin
login = cleartext kiwi
#cmd = configure {
        #deny .*
        #}
# "show" arguments are matched as regular expressions, first match wins:
# "running-config" and "config" are unanchored, so any argument containing
# those substrings is permitted; everything else falls through to "deny .*".
cmd = show {
permit running-config
permit config
 deny .*
        }
}


# aorellanop: NOCadmin member authenticated against a passwd-format file.
# NOTE(review): this points at /etc/passwd, while the global default above
# uses /etc/passwd.loc (a merged passwd+shadow copy). On a system with shadow
# passwords, /etc/passwd holds no password hashes -- confirm the intended file.
user = aorellanop {
default service = permit
member = NOCadmin
login = file /etc/passwd

}



#Default Users and Groups
# "Default Super-User": returns priv-lvl 15 in the exec authorization reply.
# How the NAS maps that value to its own access levels is decided on the
# device side, not here.
group = "Default Super-User" {
service = exec {
    priv-lvl = 15
  }
}

# tacacssu: the super-user account reported above as landing in read-only.
# On the server side nothing here differs from tacacsrw/tacacsro except the
# group, so the exec authorization for this user should return priv-lvl 15.
# NOTE(review): to localise the problem, check the accounting file
# (/var/log/tacacs.log) or tac_plus debug output for whether the NAS actually
# sends an exec authorization request and what priv-lvl is returned; if the
# device never asks for authorization, its local access-level mapping applies.
user = tacacssu {
default service = permit
member = "Default Super-User"
# Password is cleartext in this file and is identical to the NAS key and to
# the tacacsrw/tacacsro passwords.
login = cleartext tacacs
}
# "Default Read-Write": returns priv-lvl 1 in the exec authorization reply.
group = "Default Read-Write" {
service = exec {
    priv-lvl = 1
  }
}

# tacacsrw: read-write default account.
# NOTE(review): cleartext password, shared with tacacssu/tacacsro and equal to
# the NAS key.
user = tacacsrw {
default service = permit
member = "Default Read-Write"
login = cleartext tacacs
}
# "Default Read-Only": returns priv-lvl 0 in the exec authorization reply.
group = "Default Read-Only" {
service = exec {
    priv-lvl = 0
  }
}

# tacacsro: read-only default account.
# NOTE(review): cleartext password, shared with tacacssu/tacacsrw and equal to
# the NAS key.
user = tacacsro {
default service = permit
member = "Default Read-Only"
login = cleartext tacacs
}

# You can use features like a per-host key with different enable passwords
#host = 127.0.0.1 {
#       key = tacacs
#        type = cisco
#        enable = <des|cleartext> enablepass
#        prompt = "Welcome XXX ISP Access Router \n\nUsername:"
#}

# We can also define local users and specify a file where the data is stored.
# That file may be filled using tac_pwd.
#user = test1 {
#    name = "Test User"
#    member = staff
#    login = file /etc/tacacs/tacacs_passwords
#}

# We can also specify rules valid per group of users.
#group = group1 {
# cmd = conf {
# deny
# }
#}

# Another example: forbid the configure command for some hosts
# for a defined range of clients
#group = group1 {
# login = PAM
# service = ppp
# protocol = ip {
# addr = 10.10.0.0/24
# }
# cmd = conf {
# deny .*
# }
#}

#user = DEFAULT {
# login = PAM
# service = ppp protocol = ip {}
#}

# Many more features are available, like ACLs, more service compatibilities,
# command authorization, scripting authorization.
# See the man page for those features.
-- 

Scott Gilmour | SQA Engineer

Enterasys Networks | A Siemens Enterprise Communications Company

Office: 978.684.1236

Email: sgilmour at enterasys.com