Rogierm's Blog » config http://rogierm.redbee.nl/blog Just another blog with technical stuff Mon, 28 Jun 2010 21:04:31 +0000 en hourly 1 http://wordpress.org/?v=3.0 restrict commands for rancid using tacacs http://rogierm.redbee.nl/blog/2009/07/23/restrict-commands-for-rancid-using-tacacs/ http://rogierm.redbee.nl/blog/2009/07/23/restrict-commands-for-rancid-using-tacacs/#comments Thu, 23 Jul 2009 14:38:33 +0000 admin http://rogierm.redbee.nl/blog/?p=19 When using rancid you have to store the username and password in a text file. When you don’t want to give the user privilege level 15 you have to store the enable password as well. Tacacs with authorization is the best solution to restrict access for the rancid user. Since the rancid user doesn’t need to change any configuration on the network devices, you can restrict the commands it is allowed to run.

When using tac_plus (http://www.shrubbery.net/tac_plus/) you can use the following definition for the rancid user:

user = rancid {
#    default service = permit
login = cleartext "XXX"
enable = cleartext "XXX"
name = "Rancid User"
service = exec {
priv-lvl = 15
}
cmd = show {
permit .*
}
cmd = write {
permit term
}
cmd = dir {
permit .*
}
cmd = admin {
permit .*
}
cmd = more {
permit .*
}

}

user = rancid {
#    default service = permit
login = cleartext “R4nc!d”
enable = cleartext “raNc1d_3naB1e”
name = “Rancid User”
service = exec {
priv-lvl = 15
}
cmd = show {
permit .*
}
cmd = write {
permit term
}
cmd = dir {
permit .*
}
cmd = admin {
permit .*
}
}T

The rancid user is automatically in enable mode because the privilege level is set to 15 in tacacs. You have to configure rancid no to enter enable mode. This is configured (for cisco devices) in ~rancid/.cloginrc

Enter the following details:

add user        *       rancid
add password    *       XXX
add method      *       telnet
add autoenable  *       1

]]> http://rogierm.redbee.nl/blog/2009/07/23/restrict-commands-for-rancid-using-tacacs/feed/ 1