<div dir="ltr">does anyone have an example of av_pairs? <div><br></div><div>I have arista, juniper and hp gear I want to auth with. I would really like to just have it pull from /etc/passwd and use multiple groups per user so I dont need to have a huge config for only the 5 people I work with. Any help or example configs would be amazing. Thanks to everyone for the help. </div>
<div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, May 13, 2013 at 4:57 PM, Daniel Schmidt <span dir="ltr"><<a href="mailto:daniel.schmidt@wyo.gov" target="_blank">daniel.schmidt@wyo.gov</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Yeah, Cisco does NOT like to get pairs it doesn't understand. If your Juniper and Cisco networks are on different IP spaces, then it should be possible by creating a group to match them by IP (device_permit/deny). If not, well....<br>
<br>I don't use a lot of Juniper - I think the tac pairs they send are same - you can un-comment the part that says "for item in av_pairs:" and take a look at the initial pairs they send. If they are, in fact, different than Juniper, I can kluge something to tell the difference like I did with Nexus.<br>
<br></div>On a side note, I added '/' notation via netaddr to do_auth if anybody wants to try it out. Makes a lot more sense than the regular expressions, but requires an egg. <br>
</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, May 13, 2013 at 11:45 AM, Tom Murch <span dir="ltr"><<a href="mailto:tmurch@tommurch.com" target="_blank">tmurch@tommurch.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Daniel, <div><br></div><div>This worked very well thank you. Is it possible to have multiple service entries? I am not sure how to get around that as I use both juniper and cisco gear I have an issue with auth using both. </div>
<div><br></div><div>Tom </div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Mar 14, 2013 at 4:29 PM, Daniel Schmidt <span dir="ltr"><<a href="mailto:daniel.schmidt@wyo.gov" target="_blank">daniel.schmidt@wyo.gov</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Checkout do_auth.py. Several people have reported it to be very useful.<br>
I've been meaning to do some more work on it and Jathan had some excellent<br>
ideas.<br>
<br>
<a href="http://tacacs.org" target="_blank">tacacs.org</a><br>
<div><div><br>
-----Original Message-----<br>
From: <a href="mailto:tac_plus-bounces@shrubbery.net" target="_blank">tac_plus-bounces@shrubbery.net</a><br>
[mailto:<a href="mailto:tac_plus-bounces@shrubbery.net" target="_blank">tac_plus-bounces@shrubbery.net</a>] On Behalf Of Tom Murch<br>
Sent: Thursday, March 14, 2013 12:43 PM<br>
To: <a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br>
Subject: [tac_plus] multiple groups per user<br>
<br>
Hello I am trying to get this working. Reading the mailing list I was<br>
under the impression this was fixed. I am trying to have the same users<br>
admin both juniper and hp gear.<br>
<br>
#<br>
# tacacs configuration file<br>
# xxxxx -<br>
# /etc/tac_plus.conf<br>
<br>
# set the key<br>
key = xxxxx<br>
<br>
accounting file = /var/log/tac_plus.acct<br>
<br>
#group accounts<br>
<br>
group = admins {<br>
## cli service for junipers<br>
service = junos-exec<br>
{<br>
local-user-name = admins<br>
allow-commands = "all"<br>
allow-configuration = "all"<br>
deny-commands = ""<br>
deny-configuration = ""<br>
}<br>
}<br>
<br>
group = admins2 {<br>
default service = permit<br>
service = exec {<br>
priv-lvl = 15<br>
}<br>
}<br>
<br>
# users accounts<br>
user = tom {<br>
<br>
member = admins<br>
login = des "xxxxx"<br>
enable = cleartext "xxxxx"<br>
name = "Thomas Murch"<br>
}<br>
<br>
user = tomhp {<br>
member = admins2<br>
login = des "xxxxxx"<br>
enable = cleartext "xxxx"<br>
name = "Thomas Murch"<br>
}<br>
</div></div>-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL:<br>
<<a href="http://www.shrubbery.net/pipermail/tac_plus/attachments/20130314/2e757a13/attachment.html" target="_blank">http://www.shrubbery.net/pipermail/tac_plus/attachments/20130314/2e757a13<br>
/attachment.html</a>><br>
_______________________________________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><br>
<br>
E-Mail to and from me, in connection with the transaction<br>
of public business, is subject to the Wyoming Public Records<br>
Act and may be disclosed to third parties.<br>
<br>
</blockquote></div><br></div>
</blockquote></div><br></div>
<pre>E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.
</pre></div></div></blockquote></div><br></div>