key = "<somekey>"

accounting file = /var/log/tacacs-accounting.log
logging = local5

# Access-list to cover certain switches
acl = access-sw-only {
	# 10.230.0.0/15, 10.232.0.0/14
	permit = ^10\.23[012345]\.
}

# Group that can only view configuration (careful, not audited!)
group = view-only {
	default service = permit
	login = PAM
	service = exec {
		priv-lvl = 15
	}
	cmd = clear {
		deny "."
	}
	cmd = configure {
		deny "."
	}
	cmd = copy {
		deny "startup"
		deny "running"
		permit "."
	}
	cmd = write {
		permit "terminal( <cr>)?$"
	}
	cmd = diagnostic {
		deny "."
	}
	cmd = debug {
		deny "."
	}
}

# Group with certain privileges on certain devices (comments inline)
group = operator {
	default service = deny
	login = PAM
	service = exec {
		priv-lvl = 15
	}
	#### Exec level commands ####
	cmd = show {
		permit "."
	}
	cmd = exit {
		permit "^(<cr>)?$"
	}
	cmd = quit {
		permit "^(<cr>)?$"
	}
	cmd = write {
		permit "terminal( <cr>)?$"
		permit "memory( <cr>)?$"
	}
	#### Configure commands ####
	cmd = configure {
		permit "^terminal( <cr>)?$"
	}
	#--- Allow the exec level commands from configure mode ---#
	cmd = do {
		permit "^show .*"
		permit "^sh .*"
	}
	#--- Allow entering interfaces ---#
	cmd = interface {
		#--- Disallow configuring uplinks (23-28) ---#
		deny "^GigabitEthernet [12]/0/2[345678]( <cr>)?$"
		deny "^GigabitEthernet 0/2[345678]( <cr>)?$"
		#--- Allow configuring physical interfaces ---#
		permit "^(Gigabit|Fast)Ethernet.*"
	}
	#--- Allow a range of specific interface configuration commands ---#
	cmd = switchport {
		permit "^access vlan [128][0-9][0-9]( <cr>)?$"
		permit "^mode access( <cr>)?$"
		permit "^trunk allowed vlan add [128][0-9][0-9]( <cr>)?$"
		permit "^trunk allowed vlan remove [128][0-9][0-9]( <cr>)?$"
	}
	cmd = description {
		permit "."
	}
	cmd = shutdown {
		permit "^(<cr>)?$"
	}
	cmd = spanning-tree {
		permit "^portfast( <cr>)?$"
		permit "^bpduguard enable( <cr>)?$"
	}
	cmd = mls {
		permit "^qos cos [01234]( <cr>)?$"
		permit "^qos cos override( <cr>)?$"
	}
	#--- Allow creation and naming of VLANs 100-299 + 800-899 ---#
	cmd = vlan {
		permit "^[128][0-9][0-9]( <cr>)?$"
	}
	cmd = name {
		permit "."
	}
	#--- Allow unshutting interfaces, and clearing descriptions ---#
	cmd = no {
		permit "^shutdown( <cr>)?$"
                permit "^description"
	}
	acl = access-sw-only
}

user = operator1 {
	member = view-only
}

user = operator2 {
	member = operator
}