#!/usr/bin/env -S /usr/local/bin/tactrace.pl --user demo --conf id = spawnd { background = no # single process = yes listen { port = 2083 tls = yes } # radsec listen { port = 2083 protocol = UDP tls = yes } # radius-dtls listen { port = 1812 protocol = UDP } # radius-udp authc listen { port = 1813 protocol = UDP flag = accounting } # radius-udp acct listen { port = 4949 } # TACACS -- should be 49, but binding to a high port # doesn't require root privileges listen { port = 4950 tls = yes } # TACACSS -- IANA standard is 300 spawn { instances min = 1 instances max = 32 } } id = tac_plus-ng { log accesslog { destination = /tmp/tac/access.log } log authorlog { destination = /tmp/tac/author.log } log acctlog { destination = /tmp/tac/acct.log } log rad-accesslog { destination = /tmp/rad/access.log } log rad-acctlog { destination = /tmp/rad/acct.log } log connlog { destination = /tmp/conn.log } access log = accesslog authorization log = authorlog accounting log = acctlog radius.access log = rad-accesslog radius.accounting log = rad-acctlog connection log = connlog include = $CONFDIR/radius-dict.cfg tls cert-file = $CONFDIR/democa/server-chain.pem tls key-file = $CONFDIR/democa/server.key tls ca-file = $CONFDIR/democa/root.crt # tls auto-detect = yes # Enable auto-fallback to plain-text on TLS port host world { address = 0.0.0.0/0 key = demo radius.key = demo } profile admin { script { if (aaa.protocol == tacacs) { if (service == shell) { if (cmd == "") set priv-lvl = 15 permit } } else { if (radius[Service-Type] == Administrative-User) { set radius[Cisco:Cisco-AVPair] = "shell:priv-lvl=15" permit } set radius[Cisco:Cisco-AVPair] = "shell:priv-lvl=7" permit } } } user demo { password login = clear demo password pap = login profile = admin } user demo2 { password login = clear demo password pap = login profile { script { if (service == shell) { if (cmd == "") set priv-lvl = 15 permit } } } } }