#!/usr/bin/env -S /usr/local/bin/tactrace.pl --user demo --conf id = spawnd { background = no # single process = yes listen { port = 4949 } # TACACS+, non-standart port listen { port = 1812 protocol = UDP } # RADIUS listen { port = 1813 protocol = UDP flag = accounting } # RADIUS spawn { instances min = 1 instances max = 32 } } id = tac_plus-ng { log accesslog { destination = /tmp/tac/access.log } log authorlog { destination = /tmp/tac/author.log } log acctlog { destination = /tmp/tac/acct.log } log rad-accesslog { destination = /tmp/rad/access.log } log rad-acctlog { destination = /tmp/rad/acct.log } log connlog { destination = /tmp/conn.log } access log = accesslog authorization log = authorlog accounting log = acctlog radius.access log = rad-accesslog radius.accounting log = rad-acctlog connection log = connlog include = "$CONFDIR/radius-dict.cfg" host world { address = 0.0.0.0/0 key = demo radius.key = demo } dacl demoacl { data = " deny ip host 10.0.0.0 any permit ip any any " } profile admin { enable 15 = login script { if (aaa.protocol == tacacs) { if (service == shell) { if (cmd == "") set priv-lvl = 15 permit } } if (aaa.protocol == radius) { if (radius[Service-Type] == Administrative-User) { set radius[Cisco:Cisco-AVPair] = "shell:priv-lvl=15" permit } set radius[Cisco:Cisco-AVPair] = "shell:priv-lvl=7" set radius[Cisco:Cisco-AVPair] = "ACS:CiscoSecure-Defined-ACL=${dacl:demoacl}" permit } } } user demo { password login = clear demo password pap = login profile = admin } user demo2 { password login = clear demo password pap = login profile { script { if (service == shell) { if (cmd == "") set priv-lvl = 15 permit } } } } user demo3 { password login = clear demo password pap = login } ruleset { rule demorule { script { if (user == "demo3") { profile = admin permit } deny } } } }