Computer Networks Project
Automatic configuration of a lab router with Ansible and TACACS, and automatic verification of the configuration with PyATS
Organization
Group work
Tools
- https://retrotool.io/ - collect feedback
Content
TACACS
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE none
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
line con 0
 login authentication CONSOLE
Configuration: /etc/tacacs/tac_plus.conf
# The TACACS shared secret
key = labtacacskey
# A full admin user called 'tacacs'
user = tacacs {
    # allows everything that is not forbidden
    default service = permit
    # Create a DES encrypted password 'password' with the `tac_pwd` command
    login = des Oy6FGC2LNE6ao
    # Create a cleartext password
    #login = cleartext cisco
    # Set priv 15 for user
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        # deny show running-config, allow everything else (just a test)
        deny running-config
    }
    cmd = interface {
        deny "GigabitEthernet 0/1/0"
        permit "GigabitEthernet 0/0/1"
        permit "GigabitEthernet 0/0/0"
    }
}
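An added example, not part of the original page or the lab's own tooling: a small Python check that scans tac_plus.conf text for the settings in the config above that deserve review before the setup leaves the lab (short shared key, "login = des", "login = cleartext", "default service = permit"). The sample file, the user "backup" and the MIN_KEY_LEN threshold are constructed assumptions.

```python
import re

# Constructed sample modelled on the config above; user "backup" is hypothetical.
SAMPLE_CONF = """\
key = labtacacskey
user = tacacs {
    default service = permit
    login = des Oy6FGC2LNE6ao
    #login = cleartext cisco
    service = exec {
        priv-lvl = 15
    }
}
user = backup {
    login = cleartext cisco
}
"""
MIN_KEY_LEN = 16  # assumption: local policy threshold, not a tac_plus limit

RULES = [  # (finding id, regex applied to a comment-stripped line inside a user block)
    ("cleartext-login", re.compile(r"^login\s*=\s*cleartext\b")),
    ("des-login", re.compile(r"^login\s*=\s*des\b")),  # crypt(3) DES: 8-char limit
    ("default-permit", re.compile(r"^default\s+service\s*=\s*permit\b")),
]

def audit_tac_plus(conf_text):
    """Return (line_no, user, finding) tuples for settings worth reviewing."""
    findings, user, depth = [], None, 0
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # naive: also cuts a '#' inside a quoted value
        if not line:
            continue
        start = re.match(r"^user\s*=\s*(\S+)\s*\{", line)
        if start and depth == 0:
            user = start.group(1)
        key = re.match(r"^key\s*=\s*(\S+)", line)
        if key and depth == 0 and len(key.group(1).strip('"')) < MIN_KEY_LEN:
            findings.append((no, None, "short-key"))
        for name, rx in RULES:
            if user and rx.match(line):
                findings.append((no, user, name))
        depth += line.count("{") - line.count("}")
        if depth == 0:
            user = None
    return findings

if __name__ == "__main__":
    for no, user, name in audit_tac_plus(SAMPLE_CONF):
        print(f"line {no}: {name} (user={user})")
```

The commented-out "#login = cleartext cisco" line is skipped on purpose, so only active settings are reported.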
TACACS Server
Start TACACS:
sudo tac_plus -C /etc/tacacs/tac_plus.conf -d 8 -d 16 -l /var/log/tac_plus.log
Stop TACACS (before a restart):
ps -aux | grep tac
sudo killall tac_plus
Ansible on the Raspberry Pi
Install Paramiko (ansible-pylibssh is not in the package repositories):
apt install python3-paramiko
ansible-playbook -i inventory backup_router.yml
Links
ne/lv_pronesy.txt · Last modified: 2025/01/14 08:29 by admin