[tac_plus] Re: before/after authorization scripts

Dan Schmidt dan.schmidt at uplinkdata.com
Thu May 29 21:18:56 UTC 2008


See, now here's another person who would like to have different levels
of access depending on the device. 

Short answer is that you can't.  Bitman was thinking about making a
patch. 

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Fabrizio Gerardi
Sent: Wednesday, May 28, 2008 8:25 AM
To: tac_plus at shrubbery.net
Subject: [tac_plus] before/after authorization scripts

Dear sir,

I really appreciate your tacacs+ daemon.
I currently use it to get a centralized method to cope with AAA

Now I'm facing a really tricky issue I could not solve as far.
Basically I need to set a different privilege level depending on which  
device the user is trying to connect. This because we use devices from  
different brands which of course have different numbers standing for  
"privilege level".
As far as I know current version of your daemon cannot do that by
itself.
Anyway I read in the user guide about the possibility to call a
before/after authorization script. So I prepared a script: after some
checks on device name it exits with exit code 2 and writes a line on
standard output that is supposed to change the privilege level. (i.e.
echo "priv-lvl=15" in case of a Cisco device).
Well, this script just doesn't work. I tried several combinations
without success.
There is no documentation about the syntax to be used nor could I find
any examples.

Could you please give me a piece of advice?

Kind regards,
Fabrizio Gerardi



