<div dir="ltr">It is likely that one of two things is causing the 'reboot' command to succeed even though you have it forbidden in your tac_plus config.<div><br></div><div>(1) The TACACS+ implementation on your Brocade devices is not sending command authorization requests and is only doing login authorization.</div><div><br></div><div>(2) Another possibility is that the Brocade does RBAC. This can make things a bit more difficult, but it's not a show-stopper. At least with JUNOS, you can do some very fancy things using AV-PAIRS. It is much easier to use an "after authorization" script like do_auth.py. See <a href="http://www.shrubbery.net/pipermail/tac_plus/2015-April/001622.html">http://www.shrubbery.net/pipermail/tac_plus/2015-April/001622.html</a> for a detailed example.</div><div><br></div><div>Note: With RBAC, once a user has logged in and the AV-PAIRS have been passed to the device, it will never ask permission for anything else for the duration of that login session. So, if you are tinkering with your tac_plus/do_auth config and not seeing changes in device behavior, remember that you need to log out and then back in to get the new AV-PAIRS.</div><div><br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>--</div>John Fraizer<div>LinkedIn profile: <a href="http://www.linkedin.com/in/johnfraizer/" target="_blank">http://www.linkedin.com/in/johnfraizer/</a></div></div></div></div>
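<div>Added example (not part of John's reply or of the tac_plus project): a tac_plus.conf fragment of the kind the question describes, denying "reboot" for one group while permitting everything else. The group name, user name and secrets are placeholders.</div>

```conf
# Constructed tac_plus.conf fragment (added example). Group, user and
# secret values are placeholders, not taken from the thread.
key = "PLACEHOLDER_SHARED_SECRET"

group = netops {
    # Any service or command without an explicit cmd block below is allowed.
    default service = permit

    # Deny "reboot" whatever its arguments. tac_plus matches the regex
    # against the command's argument string, and ".*" also matches an
    # empty string, so a bare "reboot" is denied as well.
    cmd = reboot {
        deny .*
    }
}

user = alice {
    member = netops
    login = des "PLACEHOLDER_PASSWORD_HASH"
}
```

<div>This deny is only consulted when the device sends a separate command authorization request for each command; a device that performs login authorization only (point 1) or receives its role via AV-PAIRS at login (point 2) never asks, so tac_plus has nothing to deny.</div>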
<br><div class="gmail_quote">On Mon, Mar 19, 2018 at 8:33 AM, 83358066 <span dir="ltr"><<a href="mailto:83358066@qq.com" target="_blank">83358066@qq.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">During the test, I configured the file "tac_plus.conf" and tried to forbid some commands ("reboot" for example) from running for users in an explicit group, but it had no effect. So I'm taking the liberty of writing to you to ask whether you have some experience in this area, or would you kindly help to provide some advice.<br></blockquote></div></div></div>