[tac_plus] Re: before/after authorization scripts
john heasley
heas at shrubbery.net
Thu May 29 21:29:26 UTC 2008
Wed, May 28, 2008 at 04:25:02PM +0200, Fabrizio Gerardi:
> Dear sir,
>
> I really appreciate your tacacs+ daemon.
> I currently use it to get a centralized method to cope with AAA.
>
> Now I'm facing a really tricky issue I could not solve so far.
> Basically I need to set a different privilege level depending on which
> device the user is trying to connect. This is because we use devices from
> different brands which of course have different numbers standing for
> "privilege level".
> As far as I know the current version of your daemon cannot do that by itself.
> Anyway I read in the user guide about the possibility to call a
> before/after authorization script. So I prepared a script: after some
> checks on device name it exits with exit code 2 and writes a line on
> standard output that is supposed to change the privilege level. (i.e.
> echo "priv-lvl=15" in case of a Cisco device).
> Well, this script just doesn't work. I tried several combinations
> without success.
> There is no documentation about the syntax to be used nor could I find
> any examples.

Have not tried this myself, but expect it to work. Enable authorization
debugging and examine the logs.
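
An added sketch of the kind of after-authorization script discussed in this thread; it is not part of the original messages and not code from the tac_plus project. It assumes that the daemon passes the current AV pairs on standard input one per line, that exit status 2 means "permit and replace the AV pairs with standard output", and that the device (NAS) name arrives as the first argument; the hostname prefixes and the level numbers are constructed.

```shell
#!/bin/sh
# Assumed tac_plus contract: AV pairs arrive on stdin, one per line;
# exit status 2 = permit and replace AV pairs with stdout, 1 = deny.

# Map a NAS name to the privilege level used on that vendor's devices.
# Prefixes and numbers are constructed; unknown devices return non-zero.
level_for_nas() {
    case "$1" in
        cisco-*)   echo 15 ;;   # constructed naming convention
        vendorb-*) echo 3 ;;    # hypothetical second vendor
        *)         return 1 ;;
    esac
}

# Copy the AV pairs from stdin to stdout, replacing any priv-lvl pair.
# Returns 2 (permit + replace) or 1 (deny) for an unrecognised device.
rewrite_avpairs() {
    lvl=$(level_for_nas "$1") || return 1     # fail closed: no mapping, no access
    while IFS= read -r pair || [ -n "$pair" ]; do
        case "$pair" in
            priv-lvl=*|priv-lvl\**) ;;        # drop the old value (mandatory or optional form)
            *) printf '%s\n' "$pair" ;;       # keep every other pair unchanged
        esac
    done
    printf 'priv-lvl=%s\n' "$lvl"
    return 2
}

# Demo on constructed AV pairs. A deployed script would instead end with:
#   rewrite_avpairs "$1"; exit $?
printf 'service=shell\ncmd*\npriv-lvl=1\n' | rewrite_avpairs cisco-core1 || echo "status=$?"
```

Running the function by hand like this, before wiring it into the daemon, separates script errors from configuration errors when reading the authorization debug log.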