The easiest way to understand the authorization function is to examine a configuration file that
controls authorized services. The following sample is in the format used by the TACACS+ daemon
(tac_plus):
#TACACS+ V2.1 configuration file
#created 5/14/03
#edited 8/26/03
#
#If the user does not appear in this file, authenticate against /etc/passwd
default authentication = file /etc/passwd
accounting file = /home1/logs/tacacs+.accounting
#Must be the same as the router IOS "tacacs-server key"
key = tjelkprp
#
user=netops {
    member=operator
    login=cleartext dilbert
}
user=rpadjen {
    # Robert Padjen
    default service=permit
    login=cleartext yummy
}
group=operator {
    name="Network Operator"
    cmd=debug {
        permit .*
    }
    cmd=write {
        permit terminal
    }
    cmd=clear {
        permit .*
    }
    cmd=show {
        #permit show commands
        permit .*
    }
}
user=shayna {
    # Shayna Padjen
    member=operator_plus
    login=cleartext flatshoe
}
group=operator_plus {
    name="Network Operator Plus"
    cmd=debug {
        permit .*
    }
    cmd=write {
        permit terminal
    }
    cmd=clear {
        permit .*
    }
    #permit show commands
    cmd=show {
        permit .*
    }
    cmd=configure {
        permit terminal
    }
    cmd=interface {
        permit .*
    }
    cmd=shutdown {
        permit .*
    }
    cmd=no {
        permit shutdown
    }
}
This file establishes three user accounts and two groups of authorization rights. The first group,
operator, is limited to diagnostic and basic administrative functions: debug, clear and show with
any arguments, and write only when the argument matches terminal (so write terminal is allowed
but write memory is not). The operator_plus group repeats those rules and adds configure terminal,
interface, shutdown and no shutdown. Note that netops is a member of operator, Shayna is a member
of operator_plus, and Rob (rpadjen) belongs to no group at all; his default service=permit line
means every command is authorized for him unless a more specific rule denies it.
Pay particular attention to a few additional items about this specific configuration file. First,
the user passwords are stored with login=cleartext, so anyone who can read the file obtains them.
The tac_plus format also accepts login=des, which stores a crypt-style DES hash instead of the
password, and login=file, which defers to the system password file in the same way the default
authentication line already does for users not listed here; either form keeps the password itself
out of the file. The shared key on the key line cannot be hidden this way, because the router must
hold the identical secret, so the file should be readable only by the account the daemon runs as.
Second, restrictions can be quite granular: each permit or deny is a regular expression matched
against the command's arguments, so a rule can, for example, permit ping with an explicit target
address while denying the bare ping command that enters the extended-ping dialog.
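To make the evaluation concrete, here is an added example (not the page's file and not the
tac_plus daemon's code) that parses a configuration in this format and answers "may this user
run this command line?" the way the discussion above describes: walk from the user to its
group, use the first cmd block found for the command, try its permit/deny regexes in file order
against the arguments, and fall back to default service when no cmd block exists. The embedded
configuration is constructed from the page's sample with two changes that are assumptions for
illustration: operator_plus inherits from operator through member= instead of repeating the
rules, and a hypothetical cmd=ping block shows the argument-level ping restriction. The
simplified evaluation order and the unanchored regex search are also assumptions; unknown users
are simply denied.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in tac_plus syntax. Assumptions: operator_plus nests under
# operator via member=, and the cmd=ping block is hypothetical (not on the page).
SAMPLE_CONFIG = r"""
# TACACS+ configuration (constructed sample)
key = tjelkprp
user = netops {
    member = operator
    login = cleartext dilbert
}
user = rpadjen {
    default service = permit
    login = cleartext yummy
}
user = shayna {
    member = operator_plus
    login = cleartext flatshoe
}
group = operator {
    cmd = show {
        permit .*
    }
    cmd = write {
        permit terminal
    }
}
group = operator_plus {
    member = operator
    cmd = configure {
        permit terminal
    }
    cmd = ping {
        # "ping 10.1.1.1" matches; bare "ping" (extended dialog) has no arguments, so it is denied
        permit [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
    }
}
"""

@dataclass
class Entity:
    """One user= or group= block."""
    name: str
    member: Optional[str] = None
    default_service: Optional[str] = None
    login: Optional[tuple] = None             # (method, secret), e.g. ("cleartext", "dilbert")
    cmds: dict = field(default_factory=dict)  # command -> [(verdict, regex), ...] in file order

def parse(text):
    """Parse into ({user: Entity}, {group: Entity}); global lines such as key= are ignored."""
    users, groups, stack = {}, {}, []         # stack entries: [Entity, open cmd name or None]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments; regexes here contain no '#'
        if not line:
            continue
        if m := re.match(r"^(user|group)\s*=\s*(\S+)\s*\{$", line):
            ent = Entity(m.group(2))
            (users if m.group(1) == "user" else groups)[ent.name] = ent
            stack.append([ent, None])
        elif m := re.match(r"^cmd\s*=\s*(\S+)\s*\{$", line):
            stack[-1][1] = m.group(1)
            stack[-1][0].cmds[m.group(1)] = []
        elif line == "}":
            if stack[-1][1] is not None:
                stack[-1][1] = None           # end of a cmd block
            else:
                stack.pop()                   # end of a user/group block
        elif stack:
            ent, cmd = stack[-1]
            if cmd and (m := re.match(r"^(permit|deny)\s+(.+)$", line)):
                ent.cmds[cmd].append((m.group(1), m.group(2)))
            elif m := re.match(r"^member\s*=\s*(\S+)$", line):
                ent.member = m.group(1)
            elif m := re.match(r"^default\s+service\s*=\s*(permit|deny)$", line):
                ent.default_service = m.group(1)
            elif m := re.match(r"^login\s*=\s*(\S+)\s*(.*)$", line):
                ent.login = (m.group(1), m.group(2))
    return users, groups

def chain(users, groups, username):
    """Yield the user entity, then each enclosing group (member= links), guarding against loops."""
    ent, seen = users.get(username), set()
    while ent is not None and id(ent) not in seen:
        seen.add(id(ent))
        yield ent
        ent = groups.get(ent.member) if ent.member else None

def authorize(users, groups, username, cmdline):
    """True if the user may run cmdline. The nearest cmd block for the command decides:
    first matching regex wins, no match means deny. Without a cmd block, the first
    'default service' in the chain applies; with neither, deny (assumed tac_plus order)."""
    parts = cmdline.split(None, 1)
    if not parts:
        return False
    command, args = parts[0], (parts[1] if len(parts) > 1 else "")
    for ent in chain(users, groups, username):
        if command in ent.cmds:
            for verdict, pattern in ent.cmds[command]:
                if re.search(pattern, args):
                    return verdict == "permit"
            return False
    for ent in chain(users, groups, username):
        if ent.default_service:
            return ent.default_service == "permit"
    return False

def cleartext_logins(users):
    """Users whose password sits unhashed in the file (login = cleartext): the audit from the text."""
    return sorted(u.name for u in users.values() if u.login and u.login[0] == "cleartext")

USERS, GROUPS = parse(SAMPLE_CONFIG)

def check(username, cmdline):
    return authorize(USERS, GROUPS, username, cmdline)

if __name__ == "__main__":
    for who, cmd in [("netops", "show running-config"), ("netops", "configure terminal"),
                     ("shayna", "configure terminal"), ("shayna", "configure memory"),
                     ("shayna", "ping"), ("shayna", "ping 10.1.1.1"), ("rpadjen", "reload")]:
        print(f"{who:8} {cmd:22} -> {'permit' if check(who, cmd) else 'deny'}")
    print("cleartext logins:", cleartext_logins(USERS))
```

Running the script shows netops limited to show and write terminal, Shayna additionally
getting configure terminal and ping with a target but not bare ping or configure memory, and
rpadjen permitted everything through default service; the cleartext_logins audit lists all
three users, which is the finding a reviewer of the page's file would raise first.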
Please refer to the documentation that accompanies your server for syntax and
configuration instructions specific to your installation.