{"id":6605,"date":"2025-03-29T09:03:00","date_gmt":"2025-03-29T08:03:00","guid":{"rendered":"https:\/\/nil.uniza.sk\/?p=6605"},"modified":"2026-03-26T12:30:17","modified_gmt":"2026-03-26T11:30:17","slug":"tacacs-for-ubuntu-20-04","status":"publish","type":"post","link":"https:\/\/nil.uniza.sk\/en\/tacacs-for-ubuntu-20-04\/","title":{"rendered":"Tacacs for Ubuntu 20.04"},"content":{"rendered":"<h1 class=\"wp-block-heading\">TACACS for Ubuntu 20.04<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>This guide walks you through the setup of a Linux-based TACACS+ authentication server on Ubuntu 20.04 that authenticates users against Windows Active Directory over LDAP.<\/p>\n\n\n\n<p>This guide assumes that you are familiar with installing and configuring Ubuntu Server and can deploy, or have already deployed, a Windows Active Directory infrastructure.<\/p>\n\n\n\n<p>If not, you can refer to <a href=\"https:\/\/nil.uniza.sk\/sk\/riesenie-autentifikacie-a-privilege-levels-v-cisco-ios-voci-windows-radius-serveru-na-win-2019\/\">https:\/\/nil.uniza.sk\/sk\/riesenie-autentifikacie-a-privilege-levels-v-cisco-ios-voci-windows-radius-serveru-na-win-2019\/<\/a>, which shows how to install Active Directory Domain Services.<\/p>\n\n\n\n<p>For a guide in English you can use: <a href=\"https:\/\/computingforgeeks.com\/how-to-install-active-directory-domain-services-in-windows-server\/?utm_content=cmp-true\">https:\/\/computingforgeeks.com\/how-to-install-active-directory-domain-services-in-windows-server\/?utm_content=cmp-true<\/a><\/p>\n\n\n\n<p>This guide is based closely on <a href=\"https:\/\/www.datai.net\/article\/tacacs-linux-auth-with-active-directory\/\">TACACS Linux Authentication with Active Directory<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Prerequisites<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Windows Server 2019 with Active Directory Domain Services (Domain Controller or Read-Only Domain Controller)<\/li>\n\n\n\n<li>Ubuntu Server 
(tested on 20.04 LTS)<\/li>\n\n\n\n<li>Internet connection to all devices<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Basic Network Topology<\/h2>\n\n\n\n<p>Below is an example network topology used for testing the TACACS+ setup.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img alt=\"\" decoding=\"async\" width=\"632\" height=\"376\" src=\"https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image.png\" class=\"wp-image-6617\" srcset=\"https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image.png 632w, https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-300x178.png 300w\" sizes=\"(max-width: 632px) 100vw, 632px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Windows Active Directory Requirements<\/h2>\n\n\n\n<p>First, we will set up the required objects in Active Directory.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a service account that tac_plus will use to bind to Active Directory and look up users.&nbsp; Be sure to use a secure password (16 characters or longer if used in a real environment).<br>The account does not need any special permissions or group memberships: it only binds and searches. Its password will later be stored in cleartext in tac_plus.cfg, so treat that file as a secret.<br><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img alt=\"\" decoding=\"async\" width=\"511\" height=\"323\" src=\"https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-1.png\" class=\"wp-image-6618\" srcset=\"https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-1.png 511w, https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-1-300x190.png 300w\" sizes=\"(max-width: 511px) 100vw, 511px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img alt=\"\" decoding=\"async\" width=\"402\" height=\"218\" src=\"https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-2.png\" class=\"wp-image-6619\" style=\"width:461px;height:auto\" srcset=\"https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-2.png 402w, https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-2-300x163.png 300w\" sizes=\"(max-width: 402px) 100vw, 402px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We have created several user groups used for different types of experiments. mavis_tacplus_ldap.pl returns the names of the Active Directory groups an authenticated user belongs to, and tac_plus maps them onto the group blocks of the same name in its configuration to decide which privilege level the user receives.&nbsp; In this example, we will create four security roles.&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img alt=\"\" decoding=\"async\" width=\"772\" height=\"116\" src=\"https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-3.png\" class=\"wp-image-6620\" srcset=\"https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-3.png 772w, https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-3-300x45.png 300w, https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-3-768x115.png 768w\" sizes=\"(max-width: 772px) 100vw, 772px\" \/><\/figure>\n\n\n\n<p>TACACS_ADMINS<\/p>\n\n\n\n<p>TACACS_STUDENTS_JRADMINS<\/p>\n\n\n\n<p>TACACS_STUDENTS_SRADMINS<\/p>\n\n\n\n<p>TACACS_STUDENTS_READ_ONLY_PRIV_LEVEL1<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Now create four user accounts, one for each security level, and add each to the security group associated with its role.<br>Username \u201cTACACS_ADMIN\u201d is a member of security group \u201cTACACS_ADMINS\u201d, username \u201cTACACS_JRADMIN\u201d is a member of security group \u201cTACACS_STUDENTS_JRADMINS\u201d and so on. 
I also recommend keeping these users in Domain Users or some other pre-generated Windows group, as I encountered issues with authentication when users belonged only to the \u201cTACACS_ADMINS\u201d or \u201cTACACS_JRADMIN\u201d group.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img alt=\"\" decoding=\"async\" width=\"409\" height=\"225\" src=\"https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-4.png\" class=\"wp-image-6621\" style=\"width:497px;height:auto\" srcset=\"https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-4.png 409w, https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-4-300x165.png 300w\" sizes=\"(max-width: 409px) 100vw, 409px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img alt=\"\" decoding=\"async\" width=\"406\" height=\"193\" src=\"https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-5.png\" class=\"wp-image-6622\" style=\"width:499px;height:auto\" srcset=\"https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-5.png 406w, https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-5-300x143.png 300w\" sizes=\"(max-width: 406px) 100vw, 406px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img alt=\"\" decoding=\"async\" width=\"622\" height=\"86\" src=\"https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-6.png\" class=\"wp-image-6623\" srcset=\"https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-6.png 622w, https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-6-300x41.png 300w\" sizes=\"(max-width: 622px) 100vw, 622px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">TACACS+ Server Installation<\/h2>\n\n\n\n<p>Before setting up a new TACACS+ server we should talk about what TACACS and TACACS+ are.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">TACACS<\/h3>\n\n\n\n<p>TACACS is defined in RFC 1492 and uses port 49 over either TCP or <a href=\"https:\/\/networkinterview.com\/udp-header\/\" target=\"_blank\" rel=\"noreferrer noopener\">UDP<\/a>. It lets a network device accept a username and password and forward them as a query to a TAC
ACS authentication server, which answers accept or reject.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">TACACS+<\/h3>\n\n\n\n<p>TACACS+ (now specified in RFC 8907) has replaced TACACS. It runs over TCP port 49 only and separates the functions of Authentication, Authorization and Accounting, so a device can authenticate a user against one backend and then ask the server to authorize each command individually and to record it.<\/p>\n\n\n\n<p>One caveat before you pick a shared key: TACACS+ does not encrypt traffic in the modern sense. The 12-byte header (packet type, sequence number, session ID and body length) is sent in cleartext, and the body is XORed with a keystream built from chained MD5 hashes of the session ID, the shared key, the version and the sequence number. RFC 8907 calls this obfuscation rather than encryption: there is no integrity protection, and anyone who captures a login exchange can test candidate keys offline. Use a long, random key per device, restrict which hosts may query the server, and carry TACACS+ over a dedicated management network or IPsec.<br><br>https:\/\/ipwithease.com\/tacacs-vs-tacacs\/<\/p>\n\n\n\n<p>I couldn\u2019t add new commands to privilege levels using the TACACS+ configuration, as is common with the views concept directly on routers. I could only permit or deny existing commands that had been pre-added to each privilege level. This means that we can only permit or deny commands contained in each privilege level. To enable a specific command, we would have to add it on the router manually using the view command in configuration mode.<\/p>\n\n\n\n<p>Let\u2019s move on to the TACACS+ server installation. SSH into your Ubuntu server (or, in our case, open its console in GNS) and install the required packages.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n <p style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 20px;background-color: #fff\">\n        <span style=\"font-family: monospace;color: #008000\">sudo apt-get install -y build-essential libnet-ldap-perl libpcre3-dev ntp ntpdate unzip<\/span>\n    <\/p>\n<\/div><\/div>\n\n\n\n<p>Next, we are going to download the TACACS+ server source, which includes the MAVIS (LDAP) authentication backend.&nbsp; It is provided by Marc Huber at&nbsp;<a href=\"http:\/\/www.pro-bono-publico.de\/projects\/tac_plus.html\" target=\"_blank\" rel=\"noreferrer noopener\">pro-bono-publico.de<\/a>.<\/p>\n\n\n\n<p>You can 
download the source code from the GitHub repository at <a href=\"https:\/\/github.com\/MarcJHuber\/event-driven-servers\/\">https:\/\/github.com\/MarcJHuber\/event-driven-servers\/<\/a>.<\/p>\n\n\n\n<p>Documentation is also available on the original site, <a href=\"https:\/\/www.pro-bono-publico.de\/projects\/\">https:\/\/www.pro-bono-publico.de\/projects\/<\/a>.<\/p>\n\n\n\n<p style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 20px;background-color: #fff\">\n        <span style=\"font-family: monospace;color: #333\">wget https:\/\/github.com\/MarcJHuber\/event-driven-servers\/archive\/refs\/heads\/master.zip<\/span>\n    <\/p>\n\n\n\n<p>If unzip is not installed yet, install it first (it is in the unzip package, not zip). Note that this archive is the current master branch, so you get whatever was committed last; for a reproducible build, download a specific commit instead.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff\">\n    <p style=\"color: #333\"><span>$ sudo apt install unzip<\/span><\/p>\n    <p style=\"color: #333\"><span>$ unzip master.zip -d .<\/span><\/p>\n    <p style=\"color: #333\"><span>$ mv event-driven-servers-master tac_plus<\/span><\/p>\n<\/div>\n\n\n\n<p>Now, we will configure, build and install tac_plus. Only the install step needs root.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff\">\n    <p style=\"color: #333\"><span>$ cd tac_plus<\/span><\/p>\n    <p style=\"color: #333\"><span>$ .\/configure --etcdir=\/etc\/tac_plus<\/span><\/p>\n    <p style=\"color: #333\"><span>$ make<\/span><\/p>\n\t<p style=\"color: #333\"><span>$ sudo make install<\/span><\/p>\n<\/div>\n\n\n\n<p>We now need to create the logging directories, because the build does not create them for us.&nbsp; The accounting log will record every command each user runs, so keep the directories readable by root only; tac_plus is started as root and can write to them.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff\">\n    <p style=\"color: #333\"><span>$ sudo mkdir -p \/var\/log\/tac_plus \/var\/log\/tac_plus\/access \/var\/log\/tac_plus\/accounting \/var\/log\/tac_plus\/authentication<\/span><\/p>\n    <p style=\"color: #333\"><span>$ sudo chmod -R 750 \/var\/log\/tac_plus<\/span><\/p>\n<\/div>\n\n\n\n<p>You can verify that the permissions were set correctly by running the following command:<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff\">\n    <p style=\"color: #333\"><span>stat --format '%a' \/var\/log\/tac_plus<\/span><\/p>\n<\/div>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff\">\n    <p style=\"color: #333\"><span>&gt;&gt; OUTPUT &lt;&lt;<\/span><\/p>\n\t<p style=\"color: #333\"><span>750<\/span><\/p>\n<\/div>\n\n\n\n<p>Next, verify that the MAVIS LDAP script and its Perl dependencies load.&nbsp; Run it with no environment variables set and empty input; it should stop with a complaint that LDAP_HOSTS is not defined, as shown below, which is the expected result at this stage.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff\">\n    <p style=\"color: #333\"><span>\/usr\/local\/lib\/mavis\/mavis_tacplus_ldap.pl &lt; \/dev\/null<\/span><\/p>\n<\/div>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff\">\n    <p style=\"color: #333\"><span>&gt;&gt; OUTPUT &lt;&lt;<\/span><\/p>\n\t<p style=\"color: #333\"><span>Default server type is 'tacacs_schema'. You *may* need to change that to 'generic' or 'microsoft'.<\/span><\/p>\n    <p style=\"color: #333\"><span>LDAP_HOSTS not defined at \/usr\/local\/lib\/mavis\/mavis_tacplus_ldap.pl line 277, &lt;STDIN&gt; line 755.<\/span><\/p>\t\n<\/div>\n\n\n\n<p>If you see \u201cCan\u2019t locate Net\/LDAP.pm in @INC\u201d instead, the Perl LDAP module is missing: it comes from the libnet-ldap-perl package in the apt-get command at the beginning of the guide, so make sure that installation completed without errors. When I had this issue, I googled it and found that I had to install Net\/LDAP.pm.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.nntp.perl.org\/group\/perl.ldap\/2014\/04\/msg3760.html\">https:\/\/www.nntp.perl.org\/group\/perl.ldap\/2014\/04\/msg3760.html<\/a><\/p>\n\n\n\n<p>If your output matches, we can continue with the configuration for the TACACS+ server.&nbsp; Create the file&nbsp;tac_plus.cfg&nbsp;in the&nbsp;\/etc\/tac_plus&nbsp;folder.<br>The file will contain the LDAP bind password and the TACACS+ shared key, so make it readable by root only (mode 600) rather than world-readable, then open it to add the configuration template.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff\">\n    <p style=\"color: #333\"><span>sudo touch \/etc\/tac_plus\/tac_plus.cfg<\/span><\/p>\n\t<p style=\"color: #333\"><span>sudo chmod 600 \/etc\/tac_plus\/tac_plus.cfg<\/span><\/p>\n    <p style=\"color: #333\"><span>sudo nano \/etc\/tac_plus\/tac_plus.cfg<\/span><\/p>\t\n<\/div>\n\n\n\n<p>Next, copy and paste the template configuration below into the&nbsp;tac_plus.cfg&nbsp;file.&nbsp; You will need to replace the variables that are specific to your configuration.&nbsp; These are identified by&nbsp;{{VARIABLE-NAME}}&nbsp;in the template.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff\">\n\t<p style=\"color: #333\"><span>#!\/usr\/local\/sbin\/tac_plus<\/span><\/p>\n\t<p style=\"color: #333\"><span>#The following spawnd configuration stanza accepts connections on TCP port 49 and<\/span><\/p>\n\t<p style=\"color: #333\"><span>#forwards these to one of the tac_plus processes. 
The tac_plus configuration<\/span><\/p>\n\t<p style=\"color: #333\"><span>#configures a couple of user groups and users (that are commented) and relies on the<\/span><\/p>\n\t<p style=\"color: #333\"><span>#MAVIS backend for additional users.<\/span><\/p>\n\t<p style=\"color: #333\"><span>id = spawnd {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 listen = { address = 0.0.0.0 port = 49 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 #Uncomment the line below for IPv6 support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 #listen = { address = :: port = 49 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 spawn = {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 instances min = 1<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 instances max = 10<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 background = yes<\/span><\/p>\n\t<p style=\"color: #333\"><span>}<\/span><\/p>\n\t<p style=\"color: #333\"><span>#We are assigning logging folders for future monitoring.<\/span><\/p>\n\t<p style=\"color: #333\"><span>id = tac_plus {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 access log = \/var\/log\/tac_plus\/access\/%Y\/%m\/access-%m-%d-%Y.txt<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 accounting log = \/var\/log\/tac_plus\/accounting\/%Y\/%m\/accounting-%m-%d-%Y.txt<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 authentication log = \/var\/log\/tac_plus\/authentication\/%Y\/%m\/authentication-%m-%d-%Y.txt<\/span><\/p>\n\t<p style=\"color: #333\"><span>#Mavis module<\/span><\/p>\n\t<p style=\"color: #333\"><span>#The distribution comes with various MAVIS modules, of which the external module is<\/span><\/p>\n\t<p style=\"color: #333\"><span>#probably the most interesting, as it interacts with simple Perl scripts to<\/span><\/p>\n\t<p style=\"color: #333\"><span>#authenticate and authorize requests.<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 mavis module = external {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv LDAP_SERVER_TYPE = \"microsoft\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #If you are using Microsoft Global Catalog with secure LDAP (SSL)<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #setenv LDAP_HOSTS = \"ldaps:\/\/{{AD-SERVER-IP}}:3269\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #If you are using Microsoft Global Catalog with regular LDAP (non-SSL)<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Plain ldap:\/\/ sends the bind password and every user's password in cleartext; use it only in an isolated lab<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv LDAP_HOSTS = \"ldap:\/\/{{AD-SERVER-IP}}:3268\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv LDAP_BASE = \"{{LDAP-BASE-DN}}\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv LDAP_SCOPE = sub<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ## Username ONLY Authentication<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv LDAP_FILTER = \"(&amp;(objectClass=user)(objectClass=person)(sAMAccountName=%s))\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ## Username + UPN Authentication [example: user@mydomain.lan]<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 # setenv LDAP_FILTER = \"(&amp;(objectClass=user)(objectClass=person)(userPrincipalName=%s))\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv LDAP_USER = \"{{LDAP-SERVICE-ACCOUNT-USERNAME}}\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv LDAP_PASSWD = \"{{LDAP-SERVICE-ACCOUNT-PASSWORD}}\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Setting UNLIMIT_AD_GROUP_MEMBERSHIP to 0 will cause a NACK response if the AD account is a member of more than one security group<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #I&#8217;m not 100% sure what EXPAND_AD_GROUP_MEMBERSHIP does<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv EXPAND_AD_GROUP_MEMBERSHIP = 0<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Clear default setting of tacplus for AD_GROUP_PREFIX<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv AD_GROUP_PREFIX = \"\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Setting REQUIRE_TACACS_GROUP_PREFIX to 1 will cause a NACK response if the AD account is not a member of a security group with the required prefix<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv REQUIRE_TACACS_GROUP_PREFIX = 1<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #DO NOT SET THE USE_TLS ENVIRONMENT VARIABLE<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #TLS WILL AUTOMATICALLY BE ENABLED IF NEEDED<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #FORCING THIS VARIABLE TO 1 WILL BREAK MAVIS IF TLS IS NEEDED<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #setenv USE_TLS = 0<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 exec = \/usr\/local\/lib\/mavis\/mavis_tacplus_ldap.pl<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 login backend = mavis<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 user backend = mavis<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 pap backend = mavis<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 skip missing groups = yes<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 host = world {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Allow any IPv4 device (lab only: in production list your management network instead, as the lab example further down does)<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 address = 0.0.0.0\/0<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Uncomment the line below for IPv6 support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #address = ::\/0<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Uncomment the line below to inject a login prompt<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #prompt = \"Put your custom welcome message here.\\n\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Change this to your own long, random TACACS+ key: it is the only secret protecting the packet body<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 key = \"{{TACACS-ENCRYPTION-KEY}}\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 group = {{AD-ADMIN-GROUP}} {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Permit all services by default<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 default service = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Users will need to re-enter their AD password for the enable password (feel free to customize this however you want)<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 enable = login<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ### Cisco IOS Authentication<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 service = shell {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #Permit all commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 default command = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #Permit all command attributes<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 default attribute = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #Set privilege level to 15 on IOS\/XE<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 set priv-lvl = 15<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for NX-OS support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #set shell:roles=\"\\\"network-admin vdc-admin\\\"\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for IOS XR support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #set task = \"#root-system\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ### Juniper JunOS Authentication<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 service = junos-exec {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 set local-user-name = {{AD-ADMIN-GROUP}}<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 group = {{AD-STUDENTS_JRADMINS-GROUP}} {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #As written, this group is identical to the admin group; lower priv-lvl or add cmd blocks here to actually restrict junior admins<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Permit all services by default<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 default service = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Users will need to re-enter their AD password for the enable password (feel free to customize this however you want)<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 enable = login<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ### Cisco IOS Authentication<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 service = shell {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #Permit all commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 default command = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #Permit all command attributes<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 default attribute = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #Set privilege level to 15 on IOS\/XE<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 set priv-lvl = 15<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for NX-OS support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #set shell:roles=\"\\\"network-admin vdc-admin\\\"\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for IOS XR support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #set task = \"#root-system\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ### Juniper JunOS Authentication<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 service = junos-exec {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 set local-user-name = {{AD-STUDENTS_JRADMINS-GROUP}}<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 ### BEGIN USER ACCOUNT MAPS ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 #User entries take priority over groups: a user inherits the privileges of the group it is a member of<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 #and lets you make additional per-user changes.<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 # user = user@example.net {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 # \u00a0\u00a0password = mavis<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 # \u00a0\u00a0member = {{AD-ADMIN-GROUP}}<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 # }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 # user = DEFAULT {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 # \u00a0\u00a0password = mavis<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 # \u00a0\u00a0member = {{AD-STUDENTS_JRADMINS-GROUP}}<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 # }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 ### END USER ACCOUNT MAPS ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>}<\/span><\/p>\n<\/div>\n\n\n\n<p>Here is the working&nbsp;tac_plus.cfg&nbsp;from our lab servers. Its values are lab-only: replace the service-account password and the shared key before reuse, and change the ldap:\/\/ bind to ldaps:\/\/ outside an isolated lab.<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff\">\n\t<p style=\"color: #333\"><span>#!\/usr\/local\/sbin\/tac_plus<\/span><\/p>\n\t<p style=\"color: #333\"><span>id = spawnd {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 listen = { address = 0.0.0.0 port = 49 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 #Uncomment the line below for IPv6 support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 
#listen = { address = :: port = 49 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 spawn = {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 instances min = 1<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 instances max = 10<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 background = yes<\/span><\/p>\n\t<p style=\"color: #333\"><span>}<\/span><\/p>\n\t<p style=\"color: #333\"><span>id = tac_plus {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 access log = \/var\/log\/tac_plus\/access\/%Y\/%m\/access-%m-%d-%Y.txt<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 accounting log = \/var\/log\/tac_plus\/accounting\/%Y\/%m\/accounting-%m-%d-%Y.txt<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 authentication log = \/var\/log\/tac_plus\/authentication\/%Y\/%m\/authentication-%m-%d-%Y.txt<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 mavis module = external {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv LDAP_SERVER_TYPE = \"microsoft\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #If you are using Microsoft Global Catalog with secure LDAP (SSL)<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #setenv LDAP_HOSTS = \"ldaps:\/\/172.16.10.10:3269\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #If you are using Microsoft Global Catalog with regular LDAP (non-SSL)<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv LDAP_HOSTS = \"ldap:\/\/172.16.1.2:3268\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv LDAP_BASE = \"DC=mylab,DC=local\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv LDAP_SCOPE = sub<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ## Username ONLY Authentication<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv LDAP_FILTER = \"(&amp;(objectClass=user)(objectClass=person)(sAMAccountName=%s))\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ## Username + UPN Authentication [example: user@mydomain.lan]<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 # setenv LDAP_FILTER = \"(&amp;(objectClass=user)(objectClass=person)(userPrincipalName=%s))\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv LDAP_USER = \"tacacs@mylab.local\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv LDAP_PASSWD = \"Password123!\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Setting UNLIMIT_AD_GROUP_MEMBERSHIP to 0 will cause a NACK response if the AD account is a member of more than one security group<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #I&#8217;m not 100% sure what EXPAND_AD_GROUP_MEMBERSHIP does<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv EXPAND_AD_GROUP_MEMBERSHIP = 0<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Clear default setting of tacplus for AD_GROUP_PREFIX<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv AD_GROUP_PREFIX = \"\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Setting REQUIRE_TACACS_GROUP_PREFIX to 1 will cause a NACK response if the AD account is not a member of a security group with the required prefix<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 setenv REQUIRE_TACACS_GROUP_PREFIX = 1<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #DO NOT SET THE USE_TLS ENVIRONMENT VARIABLE<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #TLS WILL AUTOMATICALLY BE ENABLED IF NEEDED<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #FORCING THIS VARIABLE TO 1 WILL BREAK MAVIS IF TLS IS NEEDED<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #setenv USE_TLS = 0<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 exec = \/usr\/local\/lib\/mavis\/mavis_tacplus_ldap.pl<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 login backend = mavis<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 user backend = mavis<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 pap backend = mavis<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 skip missing groups = yes<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 host = mgmtnet {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Allow only devices on the lab management network<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 address = 192.168.255.0\/24<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Uncomment the line below for IPv6 support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #address = ::\/0<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Uncomment the line below to inject a login prompt<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #prompt = \"Put your custom welcome message here.\\n\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Change this to your own secure TACACS+ key (this lab value is trivially guessable)<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 key = \"cisco\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 group = TACACS_ADMINS {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Permit all services by default<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 default service = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Users will need to re-enter their AD password for the enable password (feel free to customize this however you want)<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 enable = login<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ### Cisco IOS Authentication<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 service = shell {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #Permit all commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 default command = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #Permit all command attributes<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 default attribute = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #Set privilege level to 15 on IOS\/XE<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 set priv-lvl = 15<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for NX-OS support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #set shell:roles=\"\\\"network-admin vdc-admin\\\"\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for IOS XR support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #set task = \"#root-system\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ### Juniper JunOS Authentication<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 service = 
junos-exec {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 set local-user-name = TACACS_ADMINS<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 group = TACACS_STUDENTS_JRADMINS {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Permit all services by default<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 default service = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Users will need to re-enter their AD password for the enable password (feel free to customize this however you want)<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 enable = login<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ### Cisco IOS Authentication<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 service = shell {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #Permit all commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 default command = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #Permit all command attributes<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 default attribute = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #Set privilege level to 15 on IOS\/XE<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 set priv-lvl = 15<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for NX-OS support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #set shell:roles=&#8220;\\&#8220;network-admin 
vdc-admin\\&#8220;&#8220;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for IOS XR support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 #set task = &#8222;#root-system&#8220;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ### Juniper JunOS Authentication<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 service = junos-exec {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 set local-user-name = TACACS_STUDENTS_JRADMINS<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 ### BEGIN USER ACCOUNT MAPS ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 # user = user@example.net {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 # password = mavis<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 # member = TACACS_ADMINS<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 # }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 # user = DEFAULT {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 # password = mavis<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 # member = TACACS_STUDENTS_JRADMINS<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 # }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 ### END USER ACCOUNT MAPS ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>}<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<p>Now we need to validate the configuration file. 
After you have saved and exited the&nbsp;tac_plus.cfg&nbsp;file, run the following command to verify everything was set up correctly.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff\">\n    <p style=\"color: #333\"><span>\/usr\/local\/sbin\/tac_plus -P \/etc\/tac_plus\/tac_plus.cfg<\/span><\/p>\n<\/div>\n\n\n\n<p>If tac_plus reports any errors, you will need to edit the&nbsp;tac_plus.cfg&nbsp;file again and correct the errors. Do not proceed further until you have corrected all the reported errors. See&nbsp;<a href=\"http:\/\/www.pro-bono-publico.de\/projects\/tac_plus.html\" target=\"_blank\" rel=\"noreferrer noopener\">http:\/\/www.pro-bono-publico.de\/projects\/tac_plus.html<\/a>&nbsp;for a complete configuration reference. You may also want to view the file&nbsp;\/usr\/local\/lib\/mavis\/mavis_tacplus_ldap.pl&nbsp;for a detailed explanation of the available LDAP variables.<\/p>\n\n\n\n<p>Now we need to create a systemd service unit for our TACACS server.&nbsp; Copy\/Paste the below command into your SSH session.&nbsp; It writes the unit file through a quoted here-document, so $MAINPID is stored literally instead of being expanded by your shell.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff;font-family: monospace\">\n\t<p style=\"color: #333\"><span>sudo tee \/etc\/systemd\/system\/tac_plus.service &gt; \/dev\/null &lt;&lt;'EOF'<\/span><\/p>\n\t<p style=\"color: #333\"><span># systemd configuration unit for tac_plus.<\/span><\/p>\n\t<p style=\"color: #333\"><span># $Id: tac_plus.service,v 1.1 2011\/07\/22 17:04:03 marc Exp $<\/span><\/p>\n\t<p style=\"color: #333\"><span>#<\/span><\/p>\n\t<p style=\"color: #333\"><span># To enable the service:<\/span><\/p>\n\t<p style=\"color: #333\"><span># sudo cp tac_plus.service \/etc\/systemd\/system\/<\/span><\/p>\n\t<p style=\"color: #333\"><span># sudo systemctl enable tac_plus.service<\/span><\/p>\n\t<p style=\"color: #333\"><span># sudo systemctl start 
tac_plus.service<\/span><\/p>\n\t<p style=\"color: #333\"><span>#<\/span><\/p>\n\t<p style=\"color: #333\"><span>[Unit]<\/span><\/p>\n\t<p style=\"color: #333\"><span>Description=TACACS+ Service<\/span><\/p>\n\t<p style=\"color: #333\"><span>After=syslog.target<\/span><\/p>\n\t<p style=\"color: #333\"><span>[Service]<\/span><\/p>\n\t<p style=\"color: #333\"><span>ExecStart=\/usr\/local\/sbin\/tac_plus -f \/etc\/tac_plus\/tac_plus.cfg<\/span><\/p>\n\t<p style=\"color: #333\"><span>KillMode=process<\/span><\/p>\n\t<p style=\"color: #333\"><span>Restart=always<\/span><\/p>\n\t<p style=\"color: #333\"><span>ExecReload=\/bin\/kill -HUP $MAINPID<\/span><\/p>\n\t<p style=\"color: #333\"><span>[Install]<\/span><\/p>\n\t<p style=\"color: #333\"><span>WantedBy=multi-user.target<\/span><\/p>\n\t<p style=\"color: #333\"><span>EOF<\/span><\/p>\n<\/div>\n\n\n\n<p>Now you can enable the service for auto-startup and manually start the service.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff;font-family: monospace\">\n\t<p style=\"color: #333\"><span>sudo systemctl enable tac_plus.service<\/span><\/p>\n\t<p style=\"color: #333\"><span>sudo systemctl start tac_plus.service<\/span><\/p>\n<\/div>\n\n\n\n<p>To verify that the service started, you can run the following two commands.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff;font-family: monospace\">\n\t<p style=\"color: #333\"><span>sudo systemctl status tac_plus.service<\/span><\/p>\n\t<p style=\"color: #333\"><span>&gt;&gt; OUTPUT &lt;&lt;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u25cf tac_plus.service &#8211; TACACS+ Service<\/span><\/p>\n\t<p style=\"color: #333\"><span>Loaded: loaded (\/etc\/systemd\/system\/tac_plus.service; enabled; vendor preset: enabled)<\/span><\/p>\n\t<p style=\"color: #333\"><span>Active: active (running) since Tue 2019-01-01 16:13:57 UTC; 1h 8min 
ago<\/span><\/p>\n\t<p style=\"color: #333\"><span>Main PID: 21795 (tac_plus)<\/span><\/p>\n\t<p style=\"color: #333\"><span>Tasks: 3 (limit: 4662)<\/span><\/p>\n\t<p style=\"color: #333\"><span>CGroup: \/system.slice\/tac_plus.service<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u251c\u250021795 tac_plus: 0 connections, accepting up to 600 more<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u251c\u250021796 tac_plus: 0 connections<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u2514\u250021797 perl \/usr\/local\/lib\/mavis\/mavis_tacplus_ldap.pl<\/span><\/p>\n\t<p style=\"color: #333\"><span>Jan 01 16:13:57 tacacs01 tac_plus[21795]: startup (version 201811291931)<\/span><\/p>\n\t<p style=\"color: #333\"><span>Jan 01 16:13:57 tacacs01 systemd[1]: Started TACACS+ Service.<\/span><\/p>\n\t<p style=\"color: #333\"><span>Jan 01 16:13:57 tacacs01 tac_plus[21795]: epoll event notification mechanism is being used<\/span><\/p>\n\t<p style=\"color: #333\"><span>Jan 01 16:13:57 tacacs01 tac_plus[21795]: bind to [0.0.0.0]:49 succeeded<\/span><\/p>\n\t<p style=\"color: #333\"><span>Jan 01 16:13:57 tacacs01 tac_plus[21796]: &#8211; Version 201811291931 initialized<\/span><\/p>\n\t<p style=\"color: #333\"><span>Jan 01 16:13:57 tacacs01 tac_plus[21796]: epoll event notification mechanism is being used<\/span><\/p>\n\t<p style=\"color: #333\"><span># netstat -antp | grep \":49\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>&gt;&gt; OUTPUT &lt;&lt;<\/span><\/p>\n\t<p style=\"color: #333\"><span>tcp 0 0 0.0.0.0:49 0.0.0.0:* LISTEN 21673\/tac_plus: 0 c<\/span><\/p>\n<\/div>\n\n\n\n<p>We are now ready to verify that the TACACS service is authenticating against our Active Directory server.&nbsp; Run the below commands on your Ubuntu server.&nbsp; You should get output similar to our example.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff;font-family: monospace\">\n\t<p style=\"color: 
#333\"><span>### Test Admin Account Authentication<\/span><\/p>\n\t<p style=\"color: #333\"><span>\/usr\/local\/bin\/mavistest -d -1 \/etc\/tac_plus\/tac_plus.cfg tac_plus TACPLUS test.admin Password123!<\/span><\/p>\n\t<p style=\"color: #333\"><span>&gt;&gt; OUTPUT &lt;&lt;<\/span><\/p>\n\t<p style=\"color: #333\"><span>{{ bunch of debug output &#8230;}}<\/span><\/p>\n\t<p style=\"color: #333\"><span>Input attribute-value-pairs:<\/span><\/p>\n\t<p style=\"color: #333\"><span>TYPE TACPLUS<\/span><\/p>\n\t<p style=\"color: #333\"><span>TIMESTAMP mavistest-21804-1546360707-0<\/span><\/p>\n\t<p style=\"color: #333\"><span>USER test.admin<\/span><\/p>\n\t<p style=\"color: #333\"><span>PASSWORD Password123!<\/span><\/p>\n\t<p style=\"color: #333\"><span>TACTYPE AUTH<\/span><\/p>\n\t<p style=\"color: #333\"><span>Output attribute-value-pairs:<\/span><\/p>\n\t<p style=\"color: #333\"><span>TYPE TACPLUS<\/span><\/p>\n\t<p style=\"color: #333\"><span>TIMESTAMP mavistest-21804-1546360707-0<\/span><\/p>\n\t<p style=\"color: #333\"><span>USER test.admin<\/span><\/p>\n\t<p style=\"color: #333\"><span>RESULT ACK<\/span><\/p>\n\t<p style=\"color: #333\"><span>PASSWORD Password123!<\/span><\/p>\n\t<p style=\"color: #333\"><span>SERIAL OwS74pPKAjcEH89PojinNQ=<\/span><\/p>\n\t<p style=\"color: #333\"><span>DBPASSWORD password123$<\/span><\/p>\n\t<p style=\"color: #333\"><span>TACMEMBER &#8222;R_ADMINS&#8220; (You might also see some other Microsoft groups)<\/span><\/p>\n\t<p style=\"color: #333\"><span>TACTYPE AUTH<\/span><\/p>\n\t<p style=\"color: #333\"><span>### Test student Junior admin Account Authentication<\/span><\/p>\n\t<p style=\"color: #333\"><span>\/usr\/local\/bin\/mavistest -d -1 \/etc\/tac_plus\/tac_plus.cfg tac_plus TACPLUS TACACS_JRADMIN Password123!<\/span><\/p>\n\t<p style=\"color: #333\"><span>&gt;&gt; OUTPUT &lt;&lt;<\/span><\/p>\n\t<p style=\"color: #333\"><span>{{ bunch of debug output &#8230;}}<\/span><\/p>\n\t<p style=\"color: #333\"><span>Input 
attribute-value-pairs:<\/span><\/p>\n\t<p style=\"color: #333\"><span>TYPE TACPLUS<\/span><\/p>\n\t<p style=\"color: #333\"><span>TIMESTAMP mavistest-21806-1546360743-0<\/span><\/p>\n\t<p style=\"color: #333\"><span>USER TACACS_JRADMIN<\/span><\/p>\n\t<p style=\"color: #333\"><span>PASSWORD Password123!<\/span><\/p>\n\t<p style=\"color: #333\"><span>TACTYPE AUTH<\/span><\/p>\n\t<p style=\"color: #333\"><span>Output attribute-value-pairs:<\/span><\/p>\n\t<p style=\"color: #333\"><span>TYPE TACPLUS<\/span><\/p>\n\t<p style=\"color: #333\"><span>TIMESTAMP mavistest-21806-1546360743-0<\/span><\/p>\n\t<p style=\"color: #333\"><span>USER TACACS_JRADMIN<\/span><\/p>\n\t<p style=\"color: #333\"><span>RESULT ACK<\/span><\/p>\n\t<p style=\"color: #333\"><span>PASSWORD Password123!<\/span><\/p>\n\t<p style=\"color: #333\"><span>SERIAL gydnsgXHXyjeQaR2JaBlhw=<\/span><\/p>\n\t<p style=\"color: #333\"><span>DBPASSWORD Password123!<\/span><\/p>\n\t<p style=\"color: #333\"><span>TACMEMBER &#8222;TACACS_STUDENTS_JRADMINS&#8220;<\/span><\/p>\n\t<p style=\"color: #333\"><span>TACTYPE AUTH<\/span><\/p>\n<\/div>\n\n\n\n<p>From the output above, look specifically at the RESULT output and the TACMEMBER output.&nbsp; These should be \u201cACK\u201d in the RESULT field, which means Active Directory responded and was successful, and the TACMEMBER value should match the security group associated with the user account. If you got NACK, BFD, or ERR in the RESULT field, that means something went wrong. You\u2019ll want to double-check your Active Directory environment variables in the&nbsp;tac_plus.cfg&nbsp;file. 
There might also be an issue with the user groups on your Microsoft server.<\/p>\n\n\n\n<p>Do not continue further until you can run the above tests and get a valid response from the user authentication.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Juniper (JunOS) Device Configuration<\/h2>\n\n\n\n<p>We are now ready to configure one of our Juniper devices for TACACS authentication.&nbsp; For a full in-depth understanding of setting up Juniper TACACS Authentication, we would recommend that you read the&nbsp;<a href=\"https:\/\/www.juniper.net\/documentation\/en_US\/junos\/topics\/task\/configuration\/tacacs-authentication-configuring.html\" target=\"_blank\" rel=\"noreferrer noopener\">Juniper documentation<\/a>&nbsp;for your specific device and version of software.&nbsp; To learn more about the different permission flags and user classes, we would recommend reading the&nbsp;<a href=\"https:\/\/www.juniper.net\/documentation\/en_US\/junos\/topics\/concept\/access-login-class-overview.html\" target=\"_blank\" rel=\"noreferrer noopener\">Junos OS Login Classes<\/a>&nbsp;documentation.&nbsp; In this example, we will be using a Juniper vMX Router running JunOS v14.1.<\/p>\n\n\n\n<p>First, we will configure our Juniper device to utilize the TACACS authentication server as the primary source for account authorizations, with the standard \u201cpassword\u201d (local user accounts) as a fall-back in the event the TACACS server is offline or networking is unavailable.&nbsp; You will need to replace the variables that are specific to your configuration.&nbsp; These are identified by&nbsp;{{VARIABLE-NAME}}&nbsp;in the template configuration.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff;font-family: monospace\">\n\t<p style=\"color: #333\"><span>## Set the system authentication order<\/span><\/p>\n\t<p style=\"color: #333\"><span>##<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system 
authentication-order tacplus<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system authentication-order password<\/span><\/p>\n\t<p style=\"color: #333\"><span>## Set the TACACS server and encryption key<\/span><\/p>\n\t<p style=\"color: #333\"><span>##<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system tacplus-server {{TACACS-SERVER-IP}} secret &#8222;{{TACACS-ENCRYPTION-KEY}}&#8220;<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system tacplus-server {{TACACS-SERVER-IP}} single-connection<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system tacplus-server {{TACACS-SERVER-IP}} source-address {{ROUTER-SOURCE-IP}}<\/span><\/p>\n\t<p style=\"color: #333\"><span>## Set the accounting logging services<\/span><\/p>\n\t<p style=\"color: #333\"><span>##<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system accounting events login<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system accounting events change-log<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system accounting events interactive-commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system accounting destination tacplus<\/span><\/p>\n<\/div>\n\n\n\n<p>Here is an example configuration from our lab equipment.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff;font-family: monospace\">\t\n<p style=\"color: #333\"><span>set system authentication-order tacplus<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system authentication-order password<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system tacplus-server 172.16.10.11 secret &#8222;dXVHBUYX36nqd3hA&#8220;<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system tacplus-server 172.16.10.11 single-connection<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system tacplus-server 172.16.10.11 source-address 172.16.10.15<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system accounting events login<\/span><\/p>\n\t<p style=\"color: 
<span>set system accounting">
#333\"><span>set system accounting events change-log<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system accounting events interactive-commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system accounting destination tacplus<\/span><\/p>\n\t<p style=\"color: #333\"><span>## SHOW SYSTEM &gt;&gt; OUTPUT &lt;&lt; ##<\/span><\/p>\n\t<p style=\"color: #333\"><span>authentication-order [ tacplus password ];<\/span><\/p>\n\t<p style=\"color: #333\"><span>tacplus-server {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 172.16.10.11 {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 secret \"$9$q.PQApOcrKNdw24aji1IEhKWxNdgaZLxUHk.zFSrleMX7NV\"; ## SECRET-DATA<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 single-connection;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 source-address 172.16.10.15;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>}<\/span><\/p>\n\t<p style=\"color: #333\"><span>accounting {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 events [ login change-log interactive-commands ];<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 destination {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 tacplus;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>}<\/span><\/p>\n<\/div>\n\n\n\n<p>Next, we need to add the configuration to the Juniper device that maps the user account to the user class.&nbsp; This portion is very important and very easily misunderstood. 
The \u201cuser class\u201d attributes can be built out however works best for your organization.&nbsp; However, you need to pay special attention to the \u201clogin user\u201d accounts that are created.<\/p>\n\n\n\n<p>The \u201clogin user\u201d accounts that are created are&nbsp;<strong>NOT<\/strong>&nbsp;the \u201cusernames\u201d for every user that will be logging into the devices.&nbsp; These \u201cnames\u201d are the direct mapping names that match what was created in the&nbsp;tac_plus.cfg&nbsp;GROUP attributes.&nbsp; This is where the \u201cmagic\u201d happens on the username &gt; group&nbsp; mappings.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff;font-family: monospace\">\n\t<p style=\"color: #333\"><span>service = junos-exec {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0 set local-user-name = R_TECHS<\/span><\/p>\n\t<p style=\"color: #333\"><span>}<\/span><\/p>\n<\/div>\n\n\n\n<p>Add the following configuration to your Juniper device.&nbsp; If you named your security groups differently, then you will have to adjust the configuration to match your changes.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff;font-family: monospace\">\n\t<p style=\"color: #333\"><span>set system login class administrators permissions all<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system login class technicians permissions network<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system login class technicians permissions view<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system login class technicians permissions view-configuration<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system login user R_ADMINS full-name &#8222;TACACS Administrators&#8220;<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system login user R_ADMINS class administrators<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system login user 
R_TECHS full-name &#8222;TACACS Technicians&#8220;<\/span><\/p>\n\t<p style=\"color: #333\"><span>set system login user R_TECHS class technicians<\/span><\/p>\n<\/div>\n\n\n\n<p>Once you have your configuration changes added to your device, commit them.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff;font-family: monospace\">\n    <p style=\"color: #333\"><span>commit check<\/span><\/p>\n\t<p style=\"color: #333\"><span>commit<\/span><\/p>\n<\/div>\n\n\n\n<p>You are now ready to test your TACACS authentication with the different user accounts.&nbsp;&nbsp; SSH into your Juniper device on the management address and enter the username \/ password that you setup.&nbsp; For this example, we will be using \u201ctest.admin\u201d and \u201ctest.tech\u201d.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img alt=\"\" decoding=\"async\" width=\"975\" height=\"318\" src=\"https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-7.png\" class=\"wp-image-6631\" srcset=\"https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-7.png 975w, https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-7-300x98.png 300w, https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-7-768x250.png 768w\" sizes=\"(max-width: 975px) 100vw, 975px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img alt=\"\" decoding=\"async\" width=\"975\" height=\"318\" src=\"https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-8.png\" class=\"wp-image-6632\" srcset=\"https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-8.png 975w, https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-8-300x98.png 300w, https:\/\/nil.uniza.sk\/wp-content\/uploads\/2024\/04\/image-8-768x250.png 768w\" sizes=\"(max-width: 975px) 100vw, 975px\" \/><\/figure>\n\n\n\n<p>Upon a successful login, your TACACS server should be recording the accounting packets sent from the Juniper device.&nbsp; These 
accounting logs are located in&nbsp;\/var\/log\/tac_plus\/*<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Cisco Device Configuration<\/h2>\n\n\n\n<p>We are now ready to configure one of our Cisco devices for TACACS authentication.&nbsp; For a full in-depth understanding of setting up Cisco AAA \/ TACACS Authentication, we would recommend that you read the&nbsp;<a href=\"https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/ios\/12_2\/security\/configuration\/guide\/fsecur_c\/scftplus.html\" target=\"_blank\" rel=\"noreferrer noopener\">Cisco Documentation<\/a>&nbsp;for your specific device and version of software. Unfortunately, Cisco has done a very poor job of standardizing the configuration of the AAA settings across versions and device types.&nbsp; In this example, we will be using a Cisco IOS Router running version 15.2.<\/p>\n\n\n\n<p>First, we will configure our Cisco device to utilize the TACACS authentication server as the primary source for account authorizations, with the \u201clocal\u201d user account as a fall-back in the event the TACACS server is offline, or networking is unavailable.&nbsp; You will need to replace the variables that are specific to your configuration.&nbsp; These are identified by&nbsp;{{VARIABLE-NAME}}&nbsp;in the template configuration.<br>Do not forget to generate an RSA key and enable SSH if you have not done so yet. Make sure you also have at least one local user account; if not, create one.<\/p>\n\n\n\n<p>In case you are not able to log into your Cisco devices via SSH, check your SSH configuration. You can use the following link. 
<a href=\"https:\/\/mpxxuk.wordpress.com\/2016\/06\/05\/configure-ssh-login-with-tacacs-cisco\/\">https:\/\/mpxxuk.wordpress.com\/2016\/06\/05\/configure-ssh-login-with-tacacs-cisco\/<\/a><\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff;font-family: monospace\">\n\t<p style=\"color: #333\"><span>!<\/span><\/p>\n\t<p style=\"color: #333\"><span>!&#8211;<\/span><\/p>\n\t<p style=\"color: #333\"><span>!&#8211; SET THE TACACS AUTHENTICATION SERVER<\/span><\/p>\n\t<p style=\"color: #333\"><span>!&#8211;<\/span><\/p>\n\t<p style=\"color: #333\"><span>tacacs-server host {{TACACS-SERVER-IP}}<\/span><\/p>\n\t<p style=\"color: #333\"><span>tacacs-server directed-request<\/span><\/p>\n\t<p style=\"color: #333\"><span>tacacs-server key 0 {{TACACS-ENCRYPTION-KEY}}<\/span><\/p>\n\t<p style=\"color: #333\"><span>!<\/span><\/p>\n\t<p style=\"color: #333\"><span>!<\/span><\/p>\n\t<p style=\"color: #333\"><span>!&#8211;<\/span><\/p>\n\t<p style=\"color: #333\"><span>!&#8211; ESTABLISH A SECRET PASSWORD FOR CONSOLE<\/span><\/p>\n\t<p style=\"color: #333\"><span>!&#8211;<\/span><\/p>\n\t<p style=\"color: #333\"><span>service password-encryption<\/span><\/p>\n\t<p style=\"color: #333\"><span>enable secret 0 {{SECURE-SECRET-PASSWORD}}<\/span><\/p>\n\t<p style=\"color: #333\"><span>!<\/span><\/p>\n\t<p style=\"color: #333\"><span>!&#8211;<\/span><\/p>\n\t<p style=\"color: #333\"><span>!&#8211; SET THE AAA SECURITY ROLES<\/span><\/p>\n\t<p style=\"color: #333\"><span>!&#8211;<\/span><\/p>\n\t<p style=\"color: #333\"><span>!<\/span><\/p>\n\t<p style=\"color: #333\"><span>aaa new-model<\/span><\/p>\n\t<p style=\"color: #333\"><span>!<\/span><\/p>\n\t<p style=\"color: #333\"><span>aaa authentication login default group tacacs+ local<\/span><\/p>\n\t<p style=\"color: #333\"><span>aaa authentication login console local<\/span><\/p>\n\t<p style=\"color: #333\"><span>!<\/span><\/p>\n\t<p style=\"color: #333\"><span>aaa 
authorization config-commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>aaa authorization exec default group tacacs+ local if-authenticated<\/span><\/p>\n\t<p style=\"color: #333\"><span>aaa authorization exec console if-authenticated<\/span><\/p>\n\t<p style=\"color: #333\"><span>aaa authorization commands 1 default group tacacs+ local if-authenticated<\/span><\/p>\n\t<p style=\"color: #333\"><span>aaa authorization commands 15 default group tacacs+ local if-authenticated<\/span><\/p>\n\t<p style=\"color: #333\"><span>!<\/span><\/p>\n\t<p style=\"color: #333\"><span>aaa accounting exec default start-stop group tacacs+<\/span><\/p>\n\t<p style=\"color: #333\"><span>aaa accounting commands 1 default start-stop group tacacs+<\/span><\/p>\n\t<p style=\"color: #333\"><span>aaa accounting commands 15 default start-stop group tacacs+<\/span><\/p>\n\t<p style=\"color: #333\"><span>!<\/span><\/p>\n\t<p style=\"color: #333\"><span>!<\/span><\/p>\n\t<p style=\"color: #333\"><span>aaa session-id common<\/span><\/p>\n\t<p style=\"color: #333\"><span>!<\/span><\/p>\n\t<p style=\"color: #333\"><span>!<\/span><\/p>\n\t<p style=\"color: #333\"><span>!&#8211;<\/span><\/p>\n\t<p style=\"color: #333\"><span>!&#8211; CONFIGURE CONSOLE FOR LOCAL AUTHENTICATION ONLY<\/span><\/p>\n\t<p style=\"color: #333\"><span>!&#8211;<\/span><\/p>\n\t<p style=\"color: #333\"><span>line con 0<\/span><\/p>\n\t<p style=\"color: #333\"><span>logging synchronous<\/span><\/p>\n\t<p style=\"color: #333\"><span>login authentication console<\/span><\/p>\n\t<p style=\"color: #333\"><span>!<\/span><\/p>\n\t<p style=\"color: #333\"><span>!&#8211;<\/span><\/p>\n\t<p style=\"color: #333\"><span>!&#8211; CONFIGURE VTY FOR AAA AUTHENTICATION VIA SSH ONLY<\/span><\/p>\n\t<p style=\"color: #333\"><span>!&#8211;<\/span><\/p>\n\t<p style=\"color: #333\"><span>line vty 0 4<\/span><\/p>\n\t<p style=\"color: #333\"><span>logging synchronous<\/span><\/p>\n\t<p style=\"color: #333\"><span>transport input 
ssh<\/span><\/p>\n\t<p style=\"color: #333\"><span>!<\/span><\/p>\n\t<p style=\"color: #333\"><span>!<\/span><\/p>\n<\/div>\n\n\n\n<p>Upon a successful login, your TACACS server should record the accounting packets sent by the Cisco device.&nbsp; The accounting logs are written to&nbsp;\/var\/log\/tac_plus\/*<\/p>\n\n\n\n<p>You can connect to the Cisco device from your Microsoft server using the following command:<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff;font-family: monospace\">\n\t<p style=\"color: #333\"><span>ssh -c aes256-cbc -l TACACS_ADMIN {{IP_ADDRESS}}<\/span><\/p>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Cisco Command Access Control<\/h2>\n\n\n\n<p>Below is a&nbsp;tac_plus.cfg&nbsp;configuration that uses per-command permit and deny rules for the groups we created in Active Directory.&nbsp; It shows how to restrict or permit specific commands for users.<br>Keep in mind that you should access the router via SSH from a device in the network. Do not use the console; the Cisco configuration above authenticates it locally, so these rules do not apply there.<\/p>\n\n\n\n<p>First, let\u2019s go through what each user group is allowed or denied to do.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">TACACS_ADMINS<\/h2>\n\n\n\n<p>The TACACS_ADMINS group has full permissions and may use every command on the Cisco device at privilege level 15. 
All commands are allowed by default.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff;font-family: monospace\">\n\t<p style=\"color: #333\"><span>group = TACACS_ADMINS {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Permit all services by default<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default service = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Users will need to re-enter their AD password for the enable password (feel free to customize this however you want)<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 enable = login<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ### Cisco IOS Authentication<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 service = shell\u00a0 {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Permit all commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default command = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Permit all command attributes<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default attribute = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Set privilege level to 15 on IOS\/XE<\/span><\/p>\n\t<p style=\"color: 
#333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 set priv-lvl = 15<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for NX-OS support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #set shell:roles=\"\\\"network-admin vdc-admin\\\"\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for IOS XR support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #set task = \"#root-system\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 }<\/span><\/p>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">TACACS_STUDENTS_JRADMINS<\/h2>\n\n\n\n<p>The group is permitted to run ping and traceroute and to show everything except the running-config. It also has a limited ability to change configuration settings, and therefore can also enter global configuration mode. Users in this group can save the configuration and remove a limited set of configuration lines. For more information, please see the commands below. 
All commands are denied by default.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff;font-family: monospace\">\n\t<p style=\"color: #333\"><span>group = TACACS_STUDENTS_JRADMINS {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Permit all services by default<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default service = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Users will need to re-enter their AD password for the enable password (feel free to customize this however you want)<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 enable = login<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ### Cisco IOS Authentication<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 service = shell\u00a0 {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Deny all commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default command = deny<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/ios-xml\/ios\/sec_usr_radcfg\/configuration\/xe-16-7\/sec-usr-radcfg-xe-16-7-book\/sec-loc-aaa-serv.html<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Deny all command attributes<\/span><\/p>\n\t<p style=\"color: 
#333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default attribute = deny<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Set privilege level to 15 on IOS\/XE<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 set priv-lvl = 15<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ##========================================##<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ## COMMAND ACCESS CONTROL RULES\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ##<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ##========================================##<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0# Enter enable mode<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = enable {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Enter global configuration of terminal<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = configure {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit terminal.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 
}<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Exit disable mode<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = disable {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Exit any configuration mode<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = exit {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Jump back to enable mode<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = end {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \\r<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Enable ping<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = ping {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit 
.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Traceroute<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = traceroute {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Show anything except the running-config<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = show {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 deny \"running-config\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Save running-configuration<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = copy {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"running-config startup-config \"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Write running-configuration to memory<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = write {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"memory \"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Clear commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = clear {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"counters FastEthernet.*\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"counters GigabitEthernet.*\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"counters Vlan.*\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"counters Port-channel.*\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # \"Do\" commands run from configuration mode. Since \"do\" commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # don't autoexpand, the shortest forms possible have to be allowed.<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = do {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Allow shortened form of \"ping\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit pi.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Allow shortened form of \"traceroute\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit tr.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Deny every abbreviation of \"show running-config\" (sh run, sho run, show run, ...)<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 deny \"sh[a-z]* ru.*\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Allow shortened form of \"show\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit sh.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Enter interface configuration mode<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = interface {<\/span><\/p>\n\t<p style=\"color: 
#333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit FastEthernet.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit GigabitEthernet.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # IP commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = ip {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit route.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit address.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"verify unicast.*\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Removing configuration parameters<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = no {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"ip route.*\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit description.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"ip address.*\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"ip verify unicast.*\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"cdp enable \"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"shutdown \"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"switchport \"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"switchport mode \"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"switchport access vlan .*\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit nonegotiate.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"switchport private-vlan host-association.*\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"spanning-tree portfast edge \"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Allow adding descriptions<\/span><\/p>\n\t<p style=\"color: 
#333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = description {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Allow switchport commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = switchport {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Allow the 'switchport' command without allowing all<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # other switchport commands.<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit ^<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"mode access\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"access vlan.*\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"mode private-vlan host\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit nonegotiate<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"private-vlan host-association.*\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit host<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Allow spanning-tree commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = spanning-tree {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"portfast edge\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"portfast disable\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for NX-OS support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #set shell:roles=\"\\\"network-admin vdc-admin\\\"\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for IOS XR support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #set task = \"#root-system\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 }<\/span><\/p>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">TACACS_STUDENTS_PRIV_LVL1<\/h2>\n\n\n\n<p>The group is permitted to run ping and traceroute and to use a limited set of show commands. Since privilege level 1 already allows most show commands, there is no need for privilege level 15. For more information, please see the commands below. 
All commands are denied by default.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff;font-family: monospace\">\n\t<p style=\"color: #333\"><span>group = TACACS_STUDENTS_READ_ONLY_PRIV_LEVEL1 {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Permit all services by default<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default service = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Users will need to re-enter their AD password for the enable password (feel free to customize this however you want)<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 enable = login<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ### Cisco IOS Authentication<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 service = shell\u00a0 {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Deny all commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default command = deny<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/ios-xml\/ios\/sec_usr_radcfg\/configuration\/xe-16-7\/sec-usr-radcfg-xe-16-7-book\/sec-loc-aaa-serv.html<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Deny all command attributes<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default attribute = deny<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Set privilege level to 1 on IOS\/XE<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 set priv-lvl = 1<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ##========================================##<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ## COMMAND ACCESS CONTROL RULES\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ##<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ##========================================##<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Exit any configuration mode<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = exit {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Jump back to enable mode<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = end {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \\r<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Enable ping<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = 
ping {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Traceroute<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = traceroute {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Show only selected parameters (the regex is matched against the arguments after \"show\")<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = show {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"ip route\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"ospf database.*\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"cdp neighbors\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"ip interface brief.*\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"interfaces.*\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"dhcp.*\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \"vlan.*\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 deny .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for NX-OS support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #set shell:roles=\"\\\"network-admin vdc-admin\\\"\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for IOS XR support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #set task = \"#root-system\"<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 }<\/span><\/p>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Users and Groups inheritance<\/h2>\n\n\n\n<p>Users and groups can inherit their parent configuration. Here is an example of how you can use inheritance to your advantage.<\/p>\n\n\n\n<p>Let\u2019s say that a junior admin student needs to create the access list below, but the JRADMINS permissions are not sufficient.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff;font-family: monospace\">\n\t<p style=\"color: #333\"><span>#Create an extended ACL to permit traffic from a specific device to multiple ports<\/span><\/p>\n\t<p style=\"color: #333\"><span>access-list 101 permit tcp host 192.168.1.2 any eq 80<\/span><\/p>\n\t<p style=\"color: #333\"><span>access-list 101 permit tcp host 192.168.1.2 any eq 443<\/span><\/p>\n\t<p style=\"color: #333\"><span>access-list 101 permit udp host 192.168.1.2 any eq 123<\/span><\/p>\n\t<p style=\"color: #333\"><span>access-list 101 deny ip any any<\/span><\/p>\n<\/div>\n\n\n\n<p>To allow this feature for that one student only, use inheritance and enable the command for the user:<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff;font-family: monospace\">\n\t<p style=\"color: #333\"><span>### BEGIN USER ACCOUNT MAPS ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #this way you can override group permissions<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 user = TACACS_JRADMIN {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Inheriting from the group<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 member = TACACS_STUDENTS_JRADMINS<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0#default service = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0service = shell {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = access-list {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 }<\/span><\/p>\n<\/div>\n\n\n\n<p>On the other hand, if you would like 
to create a group of student senior administrators that will inherit everything from junior administrators plus are permitted to create access lists you can use similar approach. Don\u2019t forget to create a new group in AD and assign new administrators to it.<\/p>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff;font-family: monospace\">\n\t<p style=\"color: #333\"><span>group = TACACS_STUDENTS_SRADMINS {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 member = TACACS_STUDENTS_JRADMINS<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 service = shell {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0cmd = access-list {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>}<\/span><\/p>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Full tac_plus.cfg configuration file<\/h2>\n\n\n\n<div style=\"border: 2px solid #333;border-radius: 5px;padding: 10px;margin: 10px;background-color: #fff;font-family: monospace\">\n\t<p style=\"color: #333\"><span>#!\/usr\/local\/sbin\/tac_plus<\/span><\/p>\n\t<p style=\"color: #333\"><span>id = spawnd {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 listen = { address = 0.0.0.0 port = 49 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Uncomment the line below for IPv6 support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #listen = { address = :: port = 49 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 spawn = {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 instances min = 1<\/span><\/p>\n\t<p 
style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 instances max = 10<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 background = yes<\/span><\/p>\n\t<p style=\"color: #333\"><span>}<\/span><\/p>\n\t<p style=\"color: #333\"><span>id = tac_plus {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 access log = \/var\/log\/tac_plus\/access\/%Y\/%m\/access-%m-%d-%Y.txt<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 accounting log = \/var\/log\/tac_plus\/accounting\/%Y\/%m\/accounting-%m-%d-%Y.txt<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 authentication log = \/var\/log\/tac_plus\/authentication\/%Y\/%m\/authentication-%m-%d-%Y.txt<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 mavis module = external {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 setenv LDAP_SERVER_TYPE = &quot;microsoft&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #If you are using Microsoft Global Catalog with secure LDAP (SSL)<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #setenv LDAP_HOSTS = &quot;ldaps:\/\/{{AD-SERVER-IP}}:3269&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #If you are using Microsoft Global Catalog with regular LDAP (non-SSL)<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Plain LDAP sends the service account bind password in clear text, so prefer the ldaps line above outside a lab<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 setenv LDAP_HOSTS = &quot;ldap:\/\/172.16.1.2:3268&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 setenv LDAP_BASE = &quot;DC=mylab,DC=local&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 setenv LDAP_SCOPE = sub<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 
## Username ONLY Authentication<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 setenv LDAP_FILTER = &quot;(&amp;(objectClass=user)(objectClass=person)(sAMAccountName=%s))&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ## Username + UPN Authentication [example: user@mydomain.lan]<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # setenv LDAP_FILTER = &quot;(&amp;(objectClass=user)(objectClass=person)(userPrincipalName=%s))&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Bind credentials of the AD service account created earlier; replace this example password with the long one you set in AD<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 setenv LDAP_USER = &quot;tacacs@mylab.local&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 setenv LDAP_PASSWD = &quot;Password123!&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Setting UNLIMIT_AD_GROUP_MEMBERSHIP to 0 will cause a NACK response if the AD account is a member of more than one security group<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #I&#8217;m not 100% sure what EXPAND_AD_GROUP_MEMBERSHIP does<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 setenv EXPAND_AD_GROUP_MEMBERSHIP = 0<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Clear default setting of tacplus for AD_GROUP_PREFIX<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 setenv AD_GROUP_PREFIX = &quot;&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Setting REQUIRE_TACACS_GROUP_PREFIX to 1 will cause a NACK
response if the AD account is not a member of a security group with the required prefix<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 setenv REQUIRE_TACACS_GROUP_PREFIX = 1<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #DO NOT SET THE USE_TLS ENVIRONMENT VARIABLE<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #TLS WILL AUTOMATICALLY BE ENABLED IF NEEDED<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #FORCING THIS VARIABLE TO 1 WILL BREAK MAVIS IF TLS IS NEEDED<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #setenv USE_TLS = 0<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 exec = \/usr\/local\/lib\/mavis\/mavis_tacplus_ldap.pl<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 login backend = mavis<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 user backend = mavis<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 pap backend = mavis<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 skip missing groups = yes<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 host = world {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Allow any IPv4 device<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 address = 0.0.0.0\/0<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for IPv6 support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #address = ::\/0<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below to inject a login 
prompt<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #prompt = &quot;Put your custom welcome message here.\\n&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Change this to your own secure TACACS+ key (it is shared with every device matched by this host block)<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 key = &quot;cisco&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #Full privileges with every command enabled<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 group = TACACS_ADMINS {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Permit all services by default<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default service = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Users will need to re-enter their AD password for the enable password (feel free to customize this however you want)<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 enable = login<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ### Cisco IOS Authentication<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 service = shell {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Permit all commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default command = permit<\/span><\/p>\n\t<p style=\"color: 
#333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Permit all command attributes<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default attribute = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Set privilege level to 15 on IOS\/XE<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 set priv-lvl = 15<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for NX-OS support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #set shell:roles=&quot;\\&quot;network-admin vdc-admin\\&quot;&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for IOS XR support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #set task = &quot;#root-system&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>group = TACACS_STUDENTS_JRADMINS {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Permit all services by default<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default service = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Users will need to re-enter their AD password for the enable password (feel free to customize this however you want)<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 enable =
login<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ### Cisco IOS Authentication<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 service = shell\u00a0 {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Deny all commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default command = deny<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/ios-xml\/ios\/sec_usr_radcfg\/configuration\/xe-16-7\/sec-usr-radcfg-xe-16-7-book\/sec-loc-aaa-serv.html<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Deny all command attributes<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default attribute = deny<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Set privilege level to 15 on IOS\/XE<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 set priv-lvl = 15<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ##========================================##<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ## COMMAND ACCESS CONTROL RULES\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ##<\/span><\/p>\n\t<p style=\"color: 
#333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ##========================================##<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Enter enable mode<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = enable {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Enter global configuration of terminal<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = configure {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit terminal.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Exit disable mode<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = disable {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Exit any configuration mode<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 
cmd = exit {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Jump back to enable mode<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = end {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \\r<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Enable ping<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = ping {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Traceroute<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = traceroute {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Show any configuration 
parameter<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = show {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 deny &quot;running-config&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Save running-configuration<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = copy {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;running-config startup-config &quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Write running-configuration to memory<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = write {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;memory &quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Clear commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = clear {<\/span><\/p>\n\t<p 
style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;counters FastEthernet.*&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;counters GigabitEthernet.*&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;counters Vlan.*&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;counters Port-channel.*&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # &quot;Do&quot; commands run from configuration mode. Since &quot;do&quot; commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # don&#8217;t autoexpand, the shortest forms possible have to be allowed.<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = do {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Allow shortened form of &quot;ping&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit pi.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Allow shortened form of &quot;traceroute&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 
permit tr.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 deny &quot;sh run.*&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Allow shortened form of &quot;show&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit sh.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Enter interface configuration mode<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = interface {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit FastEthernet.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit GigabitEthernet.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # IP commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = ip {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit route.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit address.*<\/span><\/p>\n\t<p style=\"color: 
#333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;verify unicast.*&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Removing configuration parameters<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = no {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;ip route.*&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit description.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;ip address.*&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;ip verify unicast.*&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;cdp enable &quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;shutdown &quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;switchport &quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;switchport mode &quot;<\/span><\/p>\n\t<p style=\"color: 
#333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;switchport access vlan .*&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit nonegotiate.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;switchport private-vlan host-association.*&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;spanning-tree portfast edge &quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Allow adding descriptions<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = description {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Allow IP commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = ip {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit address.*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;verify unicast.*&quot;<\/span><\/p>\n\t<p style=\"color: 
#333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Allow switchport commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = switchport {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Allow the 'switchport' command without allowing all<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # other switchport commands.<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit ^<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;mode access&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;access vlan.*&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;mode private-vlan host&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit nonegotiate<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;private-vlan host-association.*&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit host<\/span><\/p>\n\t<p style=\"color: 
#333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Allow spanning-tree commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = spanning-tree {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;portfast edge&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;portfast disable&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for NX-OS support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #set shell:roles=&quot;\\&quot;network-admin vdc-admin\\&quot;&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for IOS XR support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #set task = &quot;#root-system&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 group = TACACS_STUDENTS_READ_ONLY_PRIV_LEVEL1 {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Permit all services by default<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default service =
permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Users will need to re-enter their AD password for the enable password (feel free to customize this however you want)<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 enable = login<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ### Cisco IOS Authentication<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 service = shell\u00a0 {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Deny all commands<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default command = deny<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/ios-xml\/ios\/sec_usr_radcfg\/configuration\/xe-16-7\/sec-usr-radcfg-xe-16-7-book\/sec-loc-aaa-serv.html<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Deny all command attributes<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default attribute = deny<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Set privilege level to 1 on IOS\/XE<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 set priv-lvl = 1<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 
##========================================##<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ## COMMAND ACCESS CONTROL RULES\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ##<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ##========================================##<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Exit any configuration mode<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = exit {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Jump back to enable mode<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = end {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit \\r<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Enable ping<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = ping {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 
}<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Traceroute<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = traceroute {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # Show only the listed parameters; everything else is denied<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = show {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;ip route&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;ospf databases&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;cdp neighbors&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;ip interface brief.*&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;interfaces.*&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;dhcp.*&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit &quot;vlans.*&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 deny .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for NX-OS support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #set shell:roles=&quot;\\&quot;network-admin vdc-admin\\&quot;&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Uncomment the line below for IOS XR support<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #set task = &quot;#root-system&quot;<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 group = TACACS_STUDENTS_SRADMINS {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 member = TACACS_STUDENTS_JRADMINS<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 service = shell {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = access-list {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 
}<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ### BEGIN USER ACCOUNT MAPS ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 #this way you can override group permissions<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 user = TACACS_JRADMIN {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Inheriting from the group<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 member = TACACS_STUDENTS_JRADMINS<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0#default service = permit<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0service = shell {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmd = access-list {<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permit .*<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>#Creating a custom user in the tacacs, without AD<\/span><\/p>\n\t<p style=\"color: #333\"><span>#\u00a0\u00a0 user = DEFAULT {<\/span><\/p>\n\t<p style=\"color: #333\"><span>#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 password = mavis<\/span><\/p>\n\t<p style=\"color: #333\"><span>#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #Inheriting configuration from the group<\/span><\/p>\n\t<p style=\"color: #333\"><span>#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 member = {{AD-TECH-GROUP}}<\/span><\/p>\n\t<p style=\"color: #333\"><span>#\u00a0\u00a0 }<\/span><\/p>\n\t<p style=\"color: #333\"><span>\u00a0\u00a0\u00a0 ### END USER 
ACCOUNT MAPS\u00a0 ###<\/span><\/p>\n\t<p style=\"color: #333\"><span>}<\/span><\/p>\n<\/div>\n\n\n\n<p>You can now try to authenticate with the new configuration. Do not forget to restart the tac_plus service after every configuration change, since the running daemon keeps using the configuration it was started with.<\/p>\n\n\n\n<p>The tac_plus package has many more features than this guide covers. For more information, please see its documentation.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>This article is the result of the project: \u201cA multitenant cybersecurity operations center implemented as an open cloud service with machine learning capabilities.\u201d Project code \u2013 09I05-03-V02-00010.<\/p>","protected":false},"excerpt":{"rendered":"<p>TACACS for Ubuntu 20.04 Introduction This guide will walk you through the setup of a Linux based TACACS+ Authentication Server, using Ubuntu 20.04 that authenticates against a Windows Active Directory LDAP. This guide assumes that you are familiar with installing and configuring Ubuntu Server and can deploy or have already deployed a Windows Active Directory&#8230;<\/p>","protected":false},"author":47,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"none","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[685],"tags":[],"class_list":["post-6605","post","type-post","status-publish","format-standard","hentry","category-linux_-_howto-en"],"taxonomy_info":{"category":[{"value":685,"label":"Linux - HOWTO"}]},"featured_image_src_large":false,"author_info":{"display_name":"grexa","author_link":"https:\/\/nil.uniza.sk\/en\/author\/grexa\/"},"comment_info":23,"category_info":[{"term_id":685,"name":"Linux - HOWTO","slug":"linux_-_howto-en","term_group":0,"term_taxonomy_id":683,"taxonomy":"category","description":"","parent":0,"count":71,"filter":"raw","cat_ID":685,"category_count":71,"category_description":"","cat_name":"Linux - HOWTO","category_nicename":"linux_-_howto-en","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/6605","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/users\/47"}],"replies":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/comments?post=6605"}],"version-history":[{"count":1,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/6605\/revisions"}],"predecessor-version":[{"id":7322,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/6605\/revisions\/7322"}],"wp:attachment":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/media?parent=6605"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/categories?post=6605"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/tags?post=6605"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}