[rancid] Rancid vs tac_plus for IOS XR

heasley heas at shrubbery.net
Sun Aug 26 19:09:16 UTC 2018


Sun, Aug 26, 2018 at 03:14:37AM +0000, Piegorsch, Weylin William:
> aaa authorization exec default group TACACS_GROUP local
> aaa authorization commands default group TACACS_GROUP
> 
> I have this configured in tacacs_plus (among a bunch of other things, but zero deny statements):
> 

> but I’m getting this result in rancid:
> 
> RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all nvram:
> 
> % This command is not authorized

that is not the same error that tacacs authorization failure creates,
afaik.  maybe remove the task thing and try only the tacacs author.  if
that works, then you know to complain to cisco.  sth like this from/for
ios-classic:

group = RO {
        service = exec {
                priv-lvl=15
        }
        cmd = show {
                permit run
                permit version
                permit install
                permit env
                permit gsr
                permit boot
                permit bootvar
                permit flash
                permit controllers
                permit controllers
                permit diagbus
                permit diag
                permit c7200
                deny .*
        }
        cmd = write {
                permit term
                deny .*
        }
        cmd = dir {
                permit /all
                deny .*
        }
}
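
The cmd blocks of the RO group above, evaluated against a few command lines, as an added example that is not part of the original post and is not tac_plus code. It assumes a simplified model: each permit/deny pattern is an unanchored regex tested against the space-joined arguments, the first match wins, and a command with no cmd block is denied. The sample command lines are constructed.

```python
import re

# Constructed model of the RO group's cmd blocks from the post above.
# Assumption: unanchored regex per rule, first match wins, and no
# "default service = permit", so unlisted commands are denied.
RO_GROUP = {
    "show": [("permit", a) for a in (
        "run", "version", "install", "env", "gsr", "boot", "bootvar",
        "flash", "controllers", "diagbus", "diag", "c7200")] + [("deny", ".*")],
    "write": [("permit", "term"), ("deny", ".*")],
    "dir": [("permit", "/all"), ("deny", ".*")],
}


def authorize(policy, command_line):
    """Return (verdict, matched_pattern) for one CLI line."""
    words = command_line.split()
    if not words:
        return ("deny", None)
    cmd, args = words[0], " ".join(words[1:])
    rules = policy.get(cmd)
    if rules is None:
        return ("deny", None)      # command has no cmd block at all
    for verdict, pattern in rules:
        if re.search(pattern, args):
            return (verdict, pattern)
    return ("deny", None)          # fell off the end of the block


def audit(policy, command_lines):
    """Map each command line to its verdict so gaps show up before deployment."""
    return {line: authorize(policy, line)[0] for line in command_lines}


if __name__ == "__main__":
    # Constructed sample: the command from the thread plus a few others.
    sample = ["dir /all nvram:", "dir nvram:", "show version",
              "show running-config", "show inventory", "write term",
              "write memory", "admin show version", "show interfaces trunk"]
    for line, verdict in audit(RO_GROUP, sample).items():
        print(f"{verdict:6} {line}")
```

Under this model `show interfaces trunk` is permitted because the unanchored pattern `run` matches inside `trunk`; anchoring the patterns (for example `^run`) narrows what the group allows.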


