# Tac_plus authorization configuration issue



## Vincentd (Nov 5, 2015)

Hi,

How can I give a user rights to configure only this line: “switchport access vlan 101”, and only on this interface: “interface GigabitEthernet2/0/1”?

```
interface GigabitEthernet2/0/1
 switchport access vlan 101
 switchport mode access
```
Thank you very much for your help,

Vincent


Content of tac_plus.conf file:

```
user = appr2 {
  member = group_1
  login = cleartext appr2
}

group = group_1 {
  service = exec {
    priv-lvl = 0
    #default service = permit
  }
  cmd = enable {
    permit .*
  }
  cmd = show {
    deny "interfaces.*"
    permit "running.*"
  }
  cmd = configure {
    permit .*
  }
  cmd = switchport {
    permit "^access vlan [128][0-9][0-9] <cr>$"
    deny "^mode access <cr>$"
  }
}
```

Configuration of the network device (Cisco Catalyst 3750):

```
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting delay-start
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.168.10.121
tacacs-server directed-request
tacacs-server key 7 key
```


----------

