# Set up accounting file if enabling accounting on NAS
#
# key = sifrujpakety
# NOTE(review): as written, the key line above is commented out, so this file
# configures no shared secret for the TACACS+ exchange with the NAS -- confirm
# whether that is intended. Either way the value is readable by anyone who can
# read this file: treat it as exposed, rotate it, and keep the file readable
# only by the daemon's account.
#
# NOTE(review): the accounting log lives under a user's home directory, and
# 'wal056' is also an account defined further down in this file. Presumably
# that account can alter or delete its own audit trail -- verify ownership and
# permissions, or move the log to a directory only the daemon can write.
accounting file = /home/cnap/wal056/tac.log

# Enable password setup for everyone:
# NOTE(review): a single enable secret shared by all users, stored in cleartext
# and identical to the word "enable".
user = $enable$ {
    login = cleartext "enable"
}

# Group listings must be first:
#
# NOTE(review), applies to every group below: each password is stored in
# cleartext and equals (or is the singular of) the group name, so it is
# guessable without reading this file. Prefer a hashed form (e.g. 'login = des
# <crypted value>') or an external password source.
# All groups carry the same 'expires' date; confirm whether logins that rely on
# these groups are meant to stop working after it.
group = admin {
    # Users in group 'admin' have cleartext password
    login = cleartext "admin"
    expires = "Dec 31 2007"
}

group = operators {
    # Users in group 'operators' have cleartext password
    login = cleartext "operator"
    expires = "Dec 31 2007"
}

group = transients {
    # Users in group 'transients' have cleartext password
    login = cleartext "transient"
    expires = "Dec 31 2007"
}

group = ipchangers {
    login = cleartext "ipchanger"
    expires = "Dec 31 2007"
    # Only 'configure terminal' is listed here. NOTE(review): whether commands
    # typed inside configuration mode are also sent for authorization depends
    # on the device's AAA settings -- verify on the NAS, otherwise this grant
    # may be much wider than it reads.
    cmd = configure {
        permit terminal
    }
}

# My group (comment translated from Czech)
group = testers {
    login = cleartext "tester"
    expires = "Dec 31 2007"
    # Any 'show' command is allowed, which can include the running
    # configuration and whatever secrets it contains.
    cmd = show {
        permit .*
    }
    # NOTE(review): the pattern has no ^/$ anchors. If the daemon matches it
    # as an unanchored regex, arguments that merely contain an address of the
    # form 2.0.0.N would also pass (e.g. 12.0.0.1, or extra ping options after
    # the address) -- confirm and anchor the pattern if so.
    cmd = ping {
        permit 2\.0\.0\.[0-9]+
    }
}

# Member of 'ipchangers': has no login line of its own, so presumably it logs
# in with that group's password and gets that group's 'configure' permission.
user = interface {
    member = ipchangers
}

# This user is a member of group 'admin' & uses that group's password to log in.
# The $enable$ password is used to enter enable mode. The user can perform all commands.
user = authenuser {
    # 'default service = permit' allows every service/command not explicitly
    # listed; combined with membership of 'admin' this is an unrestricted
    # account protected only by the group's cleartext password.
    default service = permit
    member = admin
}

# This user is limited in allowed commands when aaa authorization is enabled:
user = telnet {
    # Password is stored in cleartext and equals the user name.
    login = cleartext "telnet"
    # NOTE(review): '.*' lets this account open telnet sessions from the NAS to
    # any destination; narrow the pattern to the hosts that are actually needed.
    cmd = telnet {
        permit .*
    }
    cmd = logout {
        permit .*
    }
}

user = transient {
    member = transients
    service = exec {
        # When transient logs on to the NAS, he's immediately
        # zipped to another site
        # NOTE(review): the onward hop is telnet, so that session's credentials
        # and traffic cross the network unencrypted.
        autocmd = "telnet 2.0.0.2"
    }
    cmd = logout {
        permit .*
    }
}

# Member of 'testers': no login line of its own, so presumably it uses that
# group's password and command permissions. The accounting file path at the top
# of this configuration is under a directory named after this account.
user = wal056 {
    member = testers
}

user = superuser {
    # Implicitly permits all commands (comment translated from Czech)
    default service = permit
    # The original comment said: password "superuser" in MD5.
    # NOTE(review): that does not match the line below, which stores the
    # password in cleartext and equal to the user name. Replace it with a
    # hashed value or correct the comment.
    login = cleartext "superuser"
}

# This user is a member of group 'operators'
# & uses that group's password to log in
# TODO (translated from Czech): rename to authoruser
user = authenuser2 {
    member = operators
    # Since this user does not have 'default service = permit' when command
    # authorization through TACACS+ is on at the router, this user's commands
    # are limited to:
    # NOTE(review): 'ver' and 'ip' carry no anchors; if matching is unanchored,
    # any 'show' argument containing those substrings would be permitted --
    # confirm and tighten (e.g. anchor with ^) if the intent is only
    # 'show ver...' and 'show ip...'.
    cmd = show {
        permit ver
        permit ip
    }
    cmd = traceroute {
        permit .*
    }
    cmd = logout {
        permit .*
    }
}