[tac_plus] before/after authorization scripts

Fabrizio Gerardi fabrizio.gerardi at eng.it
Wed May 28 14:25:02 UTC 2008


Dear sir,

I really appreciate your tacacs+ daemon.
I currently use it to get a centralized method to cope with AAA.

Now I'm facing a really tricky issue I could not solve so far.
Basically I need to set a different privilege level depending on which
device the user is trying to connect to. This is because we use devices from
different brands which of course have different numbers standing for
"privilege level".
As far as I know the current version of your daemon cannot do that by itself.
Anyway I read in the user guide about the possibility to call a
before/after authorization script. So I prepared a script: after some
checks on device name it exits with exit code 2 and writes a line on
standard output that is supposed to change the privilege level. (i.e.
echo "priv-lvl=15" in case of a Cisco device).
Well, this script just doesn't work. I tried several combinations  
without success.
There is no documentation about the syntax to be used nor could I find
any examples.

Could you please give me a piece of advice?

Kind regards,
Fabrizio Gerardi
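
A sketch of the kind of script described in the message above, added here as an example; it is not code from the original post or from the tac_plus project. Assumptions: the device name is passed as the first argument, the daemon feeds the current AV pairs to the script on standard input one per line, exit status 2 makes the daemon use the pairs written to standard output, and exit status 1 denies. The device-name patterns and the non-Cisco level are constructed.

```shell
#!/bin/sh
# Added example, not tac_plus code. Assumed contract: $1 = device (NAS) name,
# AV pairs on stdin one per line, exit 2 = "use the AV pairs I printed",
# exit 1 = deny.

# Map a device name to that vendor's privilege level.
# The name patterns and the hp-* level are constructed for this example.
priv_lvl_for() {
    case "$1" in
        cisco-*) echo 15 ;;
        hp-*)    echo 3 ;;
        *)       return 1 ;;   # unknown device: no level is handed out
    esac
}

# Copy every AV pair from stdin to stdout except an existing priv-lvl
# (mandatory "=" or optional "*" form), then append the per-device value.
# The other pairs are passed through because the printed set is assumed to
# replace the daemon's whole reply, not to be merged into it.
rewrite_av_pairs() {
    lvl=$(priv_lvl_for "$1") || return 1    # fail closed for unknown devices
    while IFS= read -r pair || [ -n "$pair" ]; do
        case "$pair" in
            priv-lvl=*|priv-lvl\**) ;;      # drop the old value
            *) printf '%s\n' "$pair" ;;
        esac
    done
    printf 'priv-lvl=%s\n' "$lvl"
    return 2
}

# When installed as the authorization script, the last line would be:
#   rewrite_av_pairs "$1"; exit $?
```

Unknown device names end in a deny rather than a default level, so a new or misnamed device never inherits another vendor's highest privilege.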





