
tac_plus-4.0.4.14-6.mga3.src.rpm

# Shared secret that protects TACACS+ traffic between this daemon and its
# clients (the routers/switches). It is commented out in this sample.
# NOTE(review): without a key, packet bodies (including passwords) are
# presumably exchanged unencrypted - confirm, then set a unique random value
# that matches the key configured on every device, and keep this file readable
# only by the account the daemon runs as.
#key = "your key here"
# Accounting records are written to this file. They typically contain
# usernames and the commands that were run, so restrict read access to it.
accounting file = /var/log/tac.acct
# Authenticate users that are not defined elsewhere in this file against
# /etc/passwd (disabled here).
#default authentication = file /etc/passwd

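# ACL "default": the device (router/switch) addresses that the groups
# referencing this ACL may be used from. Each entry is a regular expression
# matched against the client address.
# NOTE(review): an address that matches no entry is presumably denied - confirm.
acl = default {
		# Patterns are regular expressions, so anchor them with ^ and $.
		# Unanchored, 192\.168\.2\.1 would also match 192.168.2.10-19 and
		# 192.168.2.100-199, not only the single router configured below.
		# Whole 192.168.0.x network (disabled):
		#permit = ^192\.168\.0\.
		permit = ^192\.168\.2\.1$
}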
	
# Example of host-specific configuration:
host = 192.168.2.1 {
	# Prompt text presented for logins coming from this device.
	prompt = "Enter your Unix username and password, Username: "
	# Enable password for the router, generate a new one with tac_pwd.
	# The value below is a published sample hash: never uncomment it as is.
	# NOTE(review): DES crypt only uses the first 8 characters of a password;
	# prefer a stronger scheme if your build supports one.
	#enable = des 4P8MBRmulyloo
}

# Group that is allowed to do most configuration on all interfaces etc.
# The username and configure rules below let members create local accounts
# and change any setting, so treat membership as full administrative access.
group = admin {
	# group members who don't have their own login password will be
	# looked up in /etc/passwd
	#login = file /etc/passwd
	# Active setting: members are authenticated through PAM instead.
	login = PAM

	# group members who have no expiry date set will use this one
	#expires = "Jan 1 1997"

	# only allow access to specific routers (those matched by the ACL
	# named "default")
	acl = default
	

	# Needed for the router to make commands available to the user (subject
	# to authorization, if so configured on the router).
	# priv-lvl = 15 is the highest privilege level on Cisco IOS, so the cmd
	# rules below only restrict members when the device itself enforces
	# command authorization - verify that on every device.
	service = exec {
		priv-lvl = 15
		#default service = permit
	}	

	# Per-command authorization rules. The text after "permit" is a regular
	# expression matched against the command's arguments; ".*" allows any.
	# NOTE(review): commands not listed here are presumably denied - confirm
	# the daemon's default before relying on it.
	cmd = username {
		permit .*
	}
	cmd = enable {
		permit .*
	}
	cmd = show {
		permit .*
	}
	cmd = exit {
		permit .*
	}
	cmd = configure {
		permit .*
	}
	cmd = interface {
		permit .*
	}
	cmd =  switchport  {
		permit .*
	}
	cmd = description {
		permit .*
	}
	# Of the "no ..." forms only "no shutdown" is listed.
	# NOTE(review): the pattern is unanchored, so any argument string that
	# contains "shutdown" would match - consider anchoring it.
	cmd = no {
		permit shutdown
	}


}

# A group that can change some limited configuration on switchports
# related to host-side network configuration
# NOTE(review): the limitation rests entirely on the cmd rules below; the
# group still receives priv-lvl 15 and "configure" with any arguments. On
# Cisco IOS, configuration-mode commands are only sent for authorization when
# the device is configured to do so - without that, members effectively have
# full configuration access. Verify the AAA settings on every device.
group = sysadmin {
	# group members who don't have their own login password will be
	# looked up in /etc/passwd:
	#login = file /etc/passwd
	# or authenticated via PAM:
	login = PAM
	# only allow access to the routers matched by the ACL named "default"
	acl = default

	# Needed for the router to make commands available to the user (subject
	# to authorization, if so configured on the router).
	service = exec {
		priv-lvl = 15
	}
	# Per-command authorization rules. The text after "permit" is a regular
	# expression matched against the command's arguments; ".*" allows any.
	# NOTE(review): commands not listed here are presumably denied - confirm.
	cmd = enable {
		permit .*
	}
	# "show" with any arguments includes the full device configuration,
	# which may contain secrets.
	cmd = show {
		permit .*
	}
	cmd = exit {
		permit .*
	}
	cmd = configure {
		permit .*
	}
	# Only FastEthernet and GigabitEthernet interfaces may be selected.
	cmd = interface {
		permit FastEthernet.*
		permit GigabitEthernet.*
	}
	# Allowed switchport sub-commands: access VLAN, trunk encapsulation,
	# mode and trunk allowed VLAN list.
	# NOTE(review): these patterns are unanchored, so e.g. "mode.*" matches
	# any argument string that merely contains "mode"; consider a leading ^.
	cmd =  switchport  {
		permit "access vlan.*"
		permit "trunk encapsulation.*"
		permit "mode.*"
		permit "trunk allowed vlan.*"
	}
	cmd = description {
		permit .*
	}

	# Of the "no ..." forms only "no shutdown" is listed (pattern unanchored).
	cmd = no {
		permit shutdown
	}

}

# Example user: authenticated through PAM and placed in the "admin" group,
# i.e. the group with the broad command set defined in this file.
user = joe {
	login = PAM
	# Alternative, more restricted membership (disabled):
	#member = sysadmin
	member = admin
}

# Example user: authenticated through PAM and placed in the "sysadmin" group.
user = fred {
	login = PAM
	member = sysadmin
}

# User account configured for use with "rancid"
# This is a service account: it belongs to no group, so neither the "default"
# ACL nor PAM applies to it. Its rules allow "show" with any arguments, which
# includes the full device configuration.
user = rancid {
	# Generate a new password with tac_pwd
	# The login line is commented out, so as shipped this user has no
	# password entry in this file. The value below is a published sample
	# hash: never uncomment it as is.
	# NOTE(review): the same password also has to be stored on the RANCID
	# host - protect it there as well.
	#login = des LXUxLCkFhGpwA

	# priv-lvl 15 is the highest privilege level on Cisco IOS; the cmd rules
	# below only restrict the account if the device enforces command
	# authorization.
	service = exec {
		priv-lvl = 15
	}

	# Read-only command set; "write" is limited to arguments matching "term".
	cmd = show { permit .* }
	cmd = exit { permit .* }
	cmd = dir { permit .* }
	cmd = write { permit term }
}

# Global enable level 15 password, generate a new one with tac_pwd
# This one password would be shared by every user who enables to level 15,
# so per-user accountability is lost when it is used.
user = $enab15$ {
	# Published sample hash: never uncomment it as is.
	#login = des 97cZOIgSXU/4I
}

# Catch-all entry for users that are not listed above (disabled).
# NOTE(review): if enabled, any account that PAM accepts could log in, and the
# entry references a group named "default" that this file does not define -
# define that group with a minimal command set before uncommenting.
#user = DEFAULT {
#	login = PAM
#member = default
#}