[rancid] Rancid vs tac_plus for IOS XR
heasley
heas at shrubbery.net
Sun Aug 26 19:09:16 UTC 2018
Sun, Aug 26, 2018 at 03:14:37AM +0000, Piegorsch, Weylin William:
> aaa authorization exec default group TACACS_GROUP local
> aaa authorization commands default group TACACS_GROUP
>
> I have this configured in tacacs_plus (among a bunch of other things, but zero deny statements):
>
> but I’m getting this result in rancid:
>
> RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all nvram:
>
> % This command is not authorized
that is not the same error that tacacs authorization failure creates,
afaik. maybe remove the task thing and try only the tacacs author. if
that works, then you know to complain to cisco. sth like this from/for
ios-classic:
    group = RO {
        service = exec {
            priv-lvl=15
        }
        cmd = show {
            permit run
            permit version
            permit install
            permit env
            permit gsr
            permit boot
            permit bootvar
            permit flash
            permit controllers
            permit controllers
            permit diagbus
            permit diag
            permit c7200
            deny .*
        }
        cmd = write {
            permit term
            deny .*
        }
        cmd = dir {
            permit /all
            deny .*
        }
    }
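
An added example, not part of the original message and not tac_plus code: a small Python check that replays collector commands against the RO group above to see which ones the policy would reject before testing on a device. It assumes rules are tried in order, regexes are unanchored and matched against the argument string, and a command with no cmd block is denied; the sample command list is constructed.

```python
import re

# Policy transcribed from the RO group in the message above (the repeated
# "permit controllers" line is listed once). Each command maps to an ordered
# list of (action, regex applied to the argument string).
RO_POLICY = {
    "show": [("permit", r"run"), ("permit", r"version"), ("permit", r"install"),
             ("permit", r"env"), ("permit", r"gsr"), ("permit", r"boot"),
             ("permit", r"bootvar"), ("permit", r"flash"),
             ("permit", r"controllers"), ("permit", r"diagbus"),
             ("permit", r"diag"), ("permit", r"c7200"), ("deny", r".*")],
    "write": [("permit", r"term"), ("deny", r".*")],
    "dir": [("permit", r"/all"), ("deny", r".*")],
}

def authorize(line, policy=RO_POLICY):
    """Return (decision, reason) for one CLI line.

    Assumed semantics: the first word selects the cmd block, the rest is the
    argument string, the first matching rule wins, regexes are unanchored,
    and a command without a cmd block is denied."""
    words = line.split()
    if not words:
        return ("deny", "empty command")
    cmd, args = words[0], " ".join(words[1:])
    rules = policy.get(cmd)
    if rules is None:
        return ("deny", "no cmd block for '%s'" % cmd)
    for action, pattern in rules:
        if re.search(pattern, args):
            return (action, "%s %s" % (action, pattern))
    return ("deny", "no rule matched")

def audit(lines, policy=RO_POLICY):
    """Return (line, reason) for every line the policy would reject."""
    results = [(line, authorize(line, policy)) for line in lines]
    return [(line, why) for line, (decision, why) in results if decision == "deny"]

# Constructed sample of commands a config collector might send.
SAMPLE = ["show version", "show running-config", "dir /all nvram:",
          "write term", "write memory", "admin show version",
          "show users", "show bootvar"]

if __name__ == "__main__":
    for line, why in audit(SAMPLE):
        print("DENY  %-22s (%s)" % (line, why))
```

Under these assumptions `dir /all nvram:` is permitted by the `dir` block, and `show bootvar` is already matched by the earlier `permit boot` rule because the patterns are unanchored.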