[tac_plus] After authorization scripting
Ben Kennedy
bkennedy at peer1.com
Tue Aug 21 16:53:15 UTC 2007
Hello,
I have been looking into a more dynamic way of doing command
authorization. I wanted to find a way to intelligently filter commands
based on the device that a person was logging into (i.e. a switch allows
for different commands than a router). From what I can tell the best
way to go is to use the "after authorization" command in the conf file.
Then in the script I can dynamically create a list of devices. However,
in all the forums/documentation I have gone through, no one seems to
have given an example of the format for any of this. They merely describe
it and show the conf file command. I have played around with the format
but haven't had any success to date; it is mainly trial and error. Any
help would be greatly appreciated.
Example of switch config:
aaa new-model
aaa authentication login default local group tacacs+ enable
aaa authorization exec default local group tacacs+ if-authenticated
aaa authorization commands 15 default local group tacacs+
Here is an example of the config file:
user = test {
after authorization "/etc/tac-plus/authen $user $address"
}
Example of script:
#!/bin/sh
if [ "$1" = 'test' ]
then
    if [ "$2" = 'X.X.X.X' ] #ip of switch
    then
        echo default service=permit
        echo login=cleartext XXX
        echo service=exec
        echo {
        echo priv-lvl=15
        echo
        echo cmd=arp
        echo {
        echo permit timeout
        echo }
        echo cmd=no
        echo {
        echo permit arp
        echo }
        echo cmd=show
        echo {
        echo permit run
        echo permit start
        echo }
        echo cmd=configure
        echo {
        echo permit terminal
        echo permit interface
        echo deny .*
        echo }
        exit 2
    fi
fi
exit 1
--
Ben Kennedy
Network Engineer
PEER 1
1000-555 West Hastings Street
Vancouver, BC, Canada V6B 4N5
24/7 Support: 1.866.484.2588
T: 604.484.2588
F: 604.683.4634
bkennedy at peer1.net
www.peer1.com
NETWORK | CO-LOCATION | DEDICATED HOSTING
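A per-device command filter along the lines Ben describes, as an added example written for this archive page rather than taken from the post or from tac_plus itself. It assumes the hook is configured as `after authorization = "/etc/tac-plus/cmd_filter $user $address"` (the path and the 10.0.x.0 address ranges are constructed), that tac_plus hands the request's AV pairs to the script on stdin one `attr=value` per line, and that exit 0 permits the request as the config decided it while exit 1 denies it; confirm those exit-code and stdin semantics against the tac_plus.conf(5) man page for your version before relying on them.

```shell
#!/bin/sh
# Hypothetical tac_plus "after authorization" command filter (added example).
# Assumed hook:  after authorization = "/etc/tac-plus/cmd_filter $user $address"
# Assumed contract: AV pairs arrive on stdin as "attr=value" lines;
# exit 0 = permit (keep the config's pairs), exit 1 = deny.

# Map the NAS address ($address) to a device class. Ranges are constructed.
device_class() {
    case "$1" in
        10.0.1.*) echo switch ;;
        10.0.2.*) echo router ;;
        *)        echo unknown ;;   # unknown devices get no command rights
    esac
}

# Allowed commands per class as "cmd:firstarg" tokens.
# An empty firstarg ("show:") permits the command with any arguments.
allowed_for() {
    case "$1" in
        switch) echo "show:run show:start arp:timeout no:arp configure:terminal" ;;
        router) echo "show: configure:terminal" ;;
        *)      echo "" ;;
    esac
}

# check_cmd CLASS CMD FIRSTARG -> 0 if a rule permits it, 1 otherwise
check_cmd() {
    class=$1; cmd=$2; arg=$3
    for rule in $(allowed_for "$class"); do
        rcmd=${rule%%:*}; rarg=${rule#*:}
        [ "$rcmd" = "$cmd" ] || continue
        [ -z "$rarg" ] && return 0
        [ "$arg" = "$rarg" ] && return 0
    done
    return 1
}

# authorize CLASS: parse cmd= / cmd-arg= pairs from stdin and decide.
# Requests without a cmd (e.g. exec authorization) are left to the config.
authorize() {
    cmd=""; arg=""
    while IFS= read -r line; do
        case "$line" in
            cmd=*)     cmd=${line#cmd=} ;;
            cmd-arg=*) [ -z "$arg" ] && [ "${line#cmd-arg=}" != "<cr>" ] && arg=${line#cmd-arg=} ;;
        esac
    done
    [ -z "$cmd" ] && return 0
    check_cmd "$1" "$cmd" "$arg"
}

# tac_plus invokes the script as: cmd_filter $user $address
if [ $# -ge 2 ]; then authorize "$(device_class "$2")"; exit $?; fi
```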