<DIV>Hi Daniel</DIV>
<DIV> </DIV>
<DIV>I definitely agree with you on using Role-Based Access Control, and I'm sure Role-Based Access Control is in effect for access to the SAN switch. What I want to achieve is this: on the basis of RBAC, how can we forbid a specific command from being run?</DIV>
<DIV> </DIV>
<DIV>user = stuser {<BR> member = usergroup<BR> login = file /etc/passwd<BR> service = exec {<BR> brcd-role = Admin<BR> brcd-AV-Pair1 = "homeLF=128;LFRoleList=1-128"<BR> brcd-AV-Pair2 = "chassisRole=switchadmin"<BR> }<BR>}</DIV>
<DIV>
<DIV><BR></DIV>
<DIV><BR></DIV>
<DIV style="FONT-SIZE: 12px; FONT-FAMILY: Arial Narrow; PADDING-BOTTOM: 2px; PADDING-TOP: 2px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px">------------------ Original ------------------</DIV>
<DIV style="FONT-SIZE: 12px; BACKGROUND: #efefef; PADDING-BOTTOM: 8px; PADDING-TOP: 8px; PADDING-LEFT: 8px; PADDING-RIGHT: 8px">
<DIV><B>From: </B> "Daniel Schmidt";<daniel.schmidt@wyo.gov>;</DIV>
<DIV><B>Send time:</B> Tuesday, Mar 20, 2018 5:15 AM</DIV>
<DIV><B>To:</B> "83358066"<83358066@qq.com>; </DIV>
<DIV><B>Cc:</B> "tac_plus"<tac_plus@shrubbery.net>; </DIV>
<DIV><B>Subject: </B> Re: [tac_plus] Need your help</DIV></DIV>
<DIV><BR></DIV>
<DIV dir=ltr>But not authorization. Look under "Role-Based Access Control".</DIV>
<DIV class=gmail_extra><BR>
<DIV class=gmail_quote>On Mon, Mar 19, 2018 at 9:33 AM, 83358066 <SPAN dir=ltr><<A href="mailto:83358066@qq.com" target=_blank>83358066@qq.com</A>></SPAN> wrote:<BR>
<BLOCKQUOTE class=gmail_quote style="PADDING-LEFT: 1ex; BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex">
<DIV>Hi Daniel </DIV>
<P>Thanks for the quick update. Please excuse me for taking the liberty of writing to you. I checked the Brocade FOS administrator guide and can confirm that from FOS 7.1.x Brocade FOS began to support TACACS+. Through testing in the lab I found it works well.</P>
<P>During the test, I configured the file "tac_plus.conf" and tried to forbid some commands ("reboot" for example) from running for users in an explicit group, but it had no effect. So I'm taking the liberty of writing to you to ask whether you have some experience in this area, or whether you would kindly help by providing some advice.</P>
<P> </P>
<P>Best regards</P>
<P>------------------ Original ------------------</P>
<DIV>
<DIV style="FONT-SIZE: 12px; BACKGROUND: #efefef; PADDING-BOTTOM: 8px; PADDING-TOP: 8px; PADDING-LEFT: 8px; PADDING-RIGHT: 8px">
<DIV><B>From: </B> "Daniel Schmidt";<<A href="mailto:daniel.schmidt@wyo.gov" target=_blank>daniel.schmidt@wyo.gov</A>>;</DIV>
<DIV><B>Send time:</B> Monday, Mar 19, 2018 10:49 PM</DIV>
<DIV><B>To:</B> "83358066"<<A href="mailto:83358066@qq.com" target=_blank>83358066@qq.com</A>>; </DIV>
<DIV><B>Cc:</B> "tac_plus"<<A href="mailto:tac_plus@shrubbery.net" target=_blank>tac_plus@shrubbery.net</A>>; </DIV>
<DIV><B>Subject: </B> Re: [tac_plus] Need your help</DIV></DIV>
<DIV>
<DIV class=h5>
<DIV><BR></DIV>
<DIV dir=ltr>Are Brocade FOS switches capable of authorization? </DIV>
<DIV class=gmail_extra><BR>
<DIV class=gmail_quote>On Fri, Mar 16, 2018 at 11:42 PM, 83358066 <SPAN dir=ltr><<A href="mailto:83358066@qq.com" target=_blank>83358066@qq.com</A>></SPAN> wrote:<BR>
<BLOCKQUOTE class=gmail_quote style="PADDING-LEFT: 1ex; BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex">Hi Dear Shrubbery<BR><BR>Thank you very much for your contributions to the excellent TACACS+ tools. Currently we plan to test TACACS+ to manage Brocade SAN switches. Most of the functions are working well and are very powerful, but on one point we still have an issue. Would you kindly help by providing some advice? Thanks in advance.<BR><BR><BR>The problem we met is this: we defined the groups and users; for example, I want to forbid users in the group usergroup from running the explicit command "reboot". As we know, the Brocade FOS command mode is not the same as Cisco's. We found the setting was not in effect, and the command "reboot" could still be run after the user was authorized by the tac_plus server daemon. So would you kindly let me know how I can configure it so that an explicit command like "reboot" is forbidden from being executed and the setting takes effect? Thanks for your support!<BR><BR><BR>Our setting for the tac_plus config is as follows:<BR><BR>group = usergroup {<BR> default service = permit<BR> login = file /etc/passwd<BR> enable = file /etc/passwd<BR> cmd = reboot {<BR> deny .*<BR> }<BR>}<BR><BR><BR>user = stuser {<BR> member = usergroup<BR> login = file /etc/passwd<BR> service = exec {<BR> brcd-role = Admin<BR> brcd-AV-Pair1 = "homeLF=128;LFRoleList=1-128"<BR> brcd-AV-Pair2 = "chassisRole=switchadmin"<BR> }<BR>}<BR><BR>_______________________________________________<BR>tac_plus mailing list<BR><A href="mailto:tac_plus@shrubbery.net" target=_blank>tac_plus@shrubbery.net</A><BR><A href="http://www.shrubbery.net/mailman/listinfo/tac_plus" rel=noreferrer target=_blank>http://www.shrubbery.net/mailman/listinfo/tac_plus</A><BR></BLOCKQUOTE></DIV><BR></DIV><BR><BR></DIV></DIV>E-Mail to and from me, in connection with the transaction <BR>of public business, is subject to the Wyoming Public Records <BR>Act and may be disclosed to third parties.<BR>
<DIV></DIV></DIV></BLOCKQUOTE></DIV><BR></DIV>
<DIV></DIV></DIV>
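<P>Added example (not from this thread, and not tac_plus's own code): a small Python evaluator for the kind of "cmd = reboot { deny .* }" rule posted above. It parses a constructed tac_plus.conf excerpt modelled on the one in the thread (with the closing braces the posted fragment lacks) and applies an approximation of tac_plus's shell command authorization: the user's own cmd blocks are checked first, then the group's; the regexes are matched against the command's argument string; and a command with no cmd block falls through to "default service". The parser and the function names are this example's own. What it cannot show is the point Daniel raises: the daemon only evaluates these rules when the switch sends a per-command authorization request, so on a platform that applies a role from the brcd-role / AV-pair attributes at login and never asks about individual commands, a deny rule in the group is never consulted.</P>

```python
"""Toy evaluator for tac_plus-style shell command authorization rules.

Added example for this thread; it is not tac_plus's own code and only
approximates the daemon's behaviour.  The config below is constructed for
the example from the stanzas posted in the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the thread's tac_plus.conf, with balanced braces.
SAMPLE_CONF = """
group = usergroup {
    default service = permit
    login = file /etc/passwd
    enable = file /etc/passwd
    cmd = reboot {
        deny .*
    }
}

user = stuser {
    member = usergroup
    login = file /etc/passwd
    service = exec {
        brcd-role = Admin
        brcd-AV-Pair1 = "homeLF=128;LFRoleList=1-128"
        brcd-AV-Pair2 = "chassisRole=switchadmin"
    }
}
"""


@dataclass
class Block:
    """One '{ ... }' stanza: a group, user, cmd or service block."""
    kind: str
    name: str
    entries: dict = field(default_factory=dict)   # 'key = value' lines
    rules: list = field(default_factory=list)     # (action, regex) in cmd blocks
    children: dict = field(default_factory=dict)  # (kind, name) -> Block


def parse_conf(text: str) -> Block:
    """Parse the subset of tac_plus.conf syntax used above into a Block tree."""
    root = Block("root", "")
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            kind, _, name = line[:-1].partition("=")
            child = Block(kind.strip(), name.strip())
            stack[-1].children[(child.kind, child.name)] = child
            stack.append(child)
        elif stack[-1].kind == "cmd":
            action, _, pattern = line.partition(" ")   # 'permit REGEX' / 'deny REGEX'
            stack[-1].rules.append((action, pattern.strip()))
        else:
            key, _, value = line.partition("=")
            stack[-1].entries[key.strip()] = value.strip().strip('"')
    return root


def authorize(root: Block, username: str, command: str, args: str = "") -> str:
    """Decide a shell command authorization request: 'permit' or 'deny'.

    Approximation of tac_plus: the user's own cmd blocks are consulted first,
    then those of the group chain it belongs to.  Inside a matching cmd block
    the first regex that matches the argument string wins (unanchored, like
    the daemon's regexes); a cmd block with no matching regex denies.  A
    command with no cmd block anywhere falls back to the nearest
    'default service' setting, and to deny if there is none.
    """
    user = root.children.get(("user", username))
    if user is None:
        return "deny"
    chain = [user]
    while "member" in chain[-1].entries:
        group = root.children.get(("group", chain[-1].entries["member"]))
        if group is None or any(b is group for b in chain):
            break
        chain.append(group)
    for block in chain:
        cmd = block.children.get(("cmd", command))
        if cmd is not None:
            for action, pattern in cmd.rules:
                if re.search(pattern, args):
                    return action
            return "deny"
    for block in chain:
        if "default service" in block.entries:
            return block.entries["default service"]
    return "deny"


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for cmd, args in (("reboot", ""), ("reboot", "-f"), ("switchshow", "")):
        print(f"stuser {cmd} {args!r}: {authorize(conf, 'stuser', cmd, args)}")
```

With the constructed config, "reboot" is denied for stuser (with or without arguments, since ".*" also matches an empty argument string) while a command with no cmd block such as "switchshow" is permitted through "default service = permit". That is the decision the daemon would return if asked; whether the switch asks is a property of the device, not of this file.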